Edit tour

Windows Analysis Report
preliminary drawing.pif.exe

Overview

General Information

Sample name:	preliminary drawing.pif.exe
Analysis ID:	1590588
MD5:	ecad35aa0a2834edde088dba8063486d
SHA1:	f09ff2154b1542326d63c1eae67a1db0d5dd3571
SHA256:	f4da65fff4d9b2420e2375ce736d02b0dab3e4776115346c5219891ea8fc3c97
Tags:	exeuser-lowmal3
Infos:

Detection

Remcos, PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Contains functionality to bypass UAC (CMSTPLUA)

Detected Remcos RAT

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: Remcos

Suricata IDS alerts for network traffic

Yara detected PureLog Stealer

Yara detected Remcos RAT

Yara detected UAC Bypass using CMSTP

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

C2 URLs / IPs found in malware configuration

Contains functionality to register a low level keyboard hook

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Contains functionalty to change the wallpaper

Delayed program exit found

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for sample

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality for read data from the clipboard

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to download and launch executables

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to enumerate running services

Contains functionality to launch a control a shell (cmd.exe)

Contains functionality to modify clipboard data

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected non-DNS traffic on DNS port

Detected potential crypto function

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara detected Keylogger Generic

Yara signature match

Classification

Process Tree

System is w10x64

preliminary drawing.pif.exe (PID: 7336 cmdline: "C:\Users\user\Desktop\preliminary drawing.pif.exe" MD5: ECAD35AA0A2834EDDE088DBA8063486D)

powershell.exe (PID: 7536 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\preliminary drawing.pif.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7552 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

preliminary drawing.pif.exe (PID: 7544 cmdline: "C:\Users\user\Desktop\preliminary drawing.pif.exe" MD5: ECAD35AA0A2834EDDE088DBA8063486D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Remcos, RemcosRAT	Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.	APT33 The Gorgon Group UAC-0050	http://malware-traffic-analysis.net/2017/12/22/index.html https://0xmrmagnezi.github.io/malware%20analysis/RemcosRAT/ https://asec.ahnlab.com/en/32376/ https://asec.ahnlab.com/ko/25837/ https://asec.ahnlab.com/ko/32101/	https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Malware Configuration

Threatname: Remcos

{"Host:Port:Password": ["87.120.127.120:2404:1"], "Assigned name": "Rm", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-NWAKMX", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1672329934.0000000003B39000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000000.00000002.1672329934.0000000003B39000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000000.00000002.1672329934.0000000003B39000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000000.00000002.1672329934.0000000003B39000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x32c98:$a1: Remcos restarted by watchdog! 0x33210:$a3: %02i:%02i:%02i:%03i
00000000.00000002.1677652020.0000000008B80000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000003.00000002.4116857570.0000000000FC7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6c708:$a1: Remcos restarted by watchdog! 0x6cc80:$a3: %02i:%02i:%02i:%03i
00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x66994:$str_a1: C:\Windows\System32\cmd.exe 0x66910:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66910:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x67410:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x66a04:$str_b2: Executing file: 0x6784c:$str_b3: GetDirectListeningPort 0x67200:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x67380:$str_b7: \update.vbs 0x66a2c:$str_b9: Downloaded file: 0x66a18:$str_b10: Downloading file: 0x66abc:$str_b12: Failed to upload file: 0x67814:$str_b13: StartForward 0x67834:$str_b14: StopForward 0x672d8:$str_b15: fso.DeleteFile " 0x6726c:$str_b16: On Error Resume Next 0x67308:$str_b17: fso.DeleteFolder " 0x66aac:$str_b18: Uploaded file: 0x66a6c:$str_b19: Unable to delete: 0x672a0:$str_b20: while fso.FileExists(" 0x66f49:$str_c0: [Firefox StoredLogins not found]
00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x66880:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x66810:$s1: CoGetObject 0x66824:$s1: CoGetObject 0x66840:$s1: CoGetObject 0x70480:$s1: CoGetObject 0x667d0:$s2: Elevation:Administrator!new:
00000000.00000002.1672329934.0000000004683000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000000.00000002.1672329934.0000000004683000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000000.00000002.1672329934.0000000004683000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000000.00000002.1672329934.0000000004683000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6b928:$a1: Remcos restarted by watchdog! 0x6bea0:$a3: %02i:%02i:%02i:%03i
00000000.00000002.1672329934.0000000003B77000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000000.00000002.1672329934.0000000003B77000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000000.00000002.1672329934.0000000003B77000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000000.00000002.1672329934.0000000003B77000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x133e60:$a1: Remcos restarted by watchdog! 0x1343d8:$a3: %02i:%02i:%02i:%03i
00000000.00000002.1670769078.0000000002B91000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Process Memory Space: preliminary drawing.pif.exe PID: 7336	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: preliminary drawing.pif.exe PID: 7336	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: preliminary drawing.pif.exe PID: 7336	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: preliminary drawing.pif.exe PID: 7336	Windows_Trojan_Remcos_b296e965	unknown	unknown	0xad78:$a1: Remcos restarted by watchdog! 0x5cf55:$a1: Remcos restarted by watchdog! 0xe814e:$a1: Remcos restarted by watchdog! 0xb2d5:$a3: %02i:%02i:%02i:%03i 0xb68d:$a3: %02i:%02i:%02i:%03i 0x5d4b2:$a3: %02i:%02i:%02i:%03i 0x5d86a:$a3: %02i:%02i:%02i:%03i 0xe86ab:$a3: %02i:%02i:%02i:%03i 0xe8a63:$a3: %02i:%02i:%02i:%03i
Process Memory Space: preliminary drawing.pif.exe PID: 7544	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: preliminary drawing.pif.exe PID: 7544	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: preliminary drawing.pif.exe PID: 7544	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: preliminary drawing.pif.exe PID: 7544	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x145e7:$a1: Remcos restarted by watchdog! 0x14b44:$a3: %02i:%02i:%02i:%03i 0x14efc:$a3: %02i:%02i:%02i:%03i
Click to see the 24 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.preliminary drawing.pif.exe.8b80000.4.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.preliminary drawing.pif.exe.8b80000.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.preliminary drawing.pif.exe.2f51610.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.preliminary drawing.pif.exe.2f51610.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.preliminary drawing.pif.exe.4683c20.1.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0.2.preliminary drawing.pif.exe.4683c20.1.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0.2.preliminary drawing.pif.exe.4683c20.1.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0.2.preliminary drawing.pif.exe.4683c20.1.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x69308:$a1: Remcos restarted by watchdog! 0x69880:$a3: %02i:%02i:%02i:%03i
0.2.preliminary drawing.pif.exe.4683c20.1.unpack	REMCOS_RAT_variants	unknown	unknown	0x63594:$str_a1: C:\Windows\System32\cmd.exe 0x63510:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63510:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63a10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x64010:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x63604:$str_b2: Executing file: 0x6444c:$str_b3: GetDirectListeningPort 0x63e00:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x63f80:$str_b7: \update.vbs 0x6362c:$str_b9: Downloaded file: 0x63618:$str_b10: Downloading file: 0x636bc:$str_b12: Failed to upload file: 0x64414:$str_b13: StartForward 0x64434:$str_b14: StopForward 0x63ed8:$str_b15: fso.DeleteFile " 0x63e6c:$str_b16: On Error Resume Next 0x63f08:$str_b17: fso.DeleteFolder " 0x636ac:$str_b18: Uploaded file: 0x6366c:$str_b19: Unable to delete: 0x63ea0:$str_b20: while fso.FileExists(" 0x63b49:$str_c0: [Firefox StoredLogins not found]
0.2.preliminary drawing.pif.exe.4683c20.1.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x63480:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x63410:$s1: CoGetObject 0x63424:$s1: CoGetObject 0x63440:$s1: CoGetObject 0x6d080:$s1: CoGetObject 0x633d0:$s2: Elevation:Administrator!new:
0.2.preliminary drawing.pif.exe.3c40158.3.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0.2.preliminary drawing.pif.exe.3c40158.3.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0.2.preliminary drawing.pif.exe.3c40158.3.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0.2.preliminary drawing.pif.exe.3c40158.3.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x69308:$a1: Remcos restarted by watchdog! 0x69880:$a3: %02i:%02i:%02i:%03i
0.2.preliminary drawing.pif.exe.3c40158.3.unpack	REMCOS_RAT_variants	unknown	unknown	0x63594:$str_a1: C:\Windows\System32\cmd.exe 0x63510:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63510:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63a10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x64010:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x63604:$str_b2: Executing file: 0x6444c:$str_b3: GetDirectListeningPort 0x63e00:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x63f80:$str_b7: \update.vbs 0x6362c:$str_b9: Downloaded file: 0x63618:$str_b10: Downloading file: 0x636bc:$str_b12: Failed to upload file: 0x64414:$str_b13: StartForward 0x64434:$str_b14: StopForward 0x63ed8:$str_b15: fso.DeleteFile " 0x63e6c:$str_b16: On Error Resume Next 0x63f08:$str_b17: fso.DeleteFolder " 0x636ac:$str_b18: Uploaded file: 0x6366c:$str_b19: Unable to delete: 0x63ea0:$str_b20: while fso.FileExists(" 0x63b49:$str_c0: [Firefox StoredLogins not found]
0.2.preliminary drawing.pif.exe.3c40158.3.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x63480:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x63410:$s1: CoGetObject 0x63424:$s1: CoGetObject 0x63440:$s1: CoGetObject 0x6d080:$s1: CoGetObject 0x633d0:$s2: Elevation:Administrator!new:
3.2.preliminary drawing.pif.exe.400000.0.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
3.2.preliminary drawing.pif.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
3.2.preliminary drawing.pif.exe.400000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
3.2.preliminary drawing.pif.exe.400000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6ad08:$a1: Remcos restarted by watchdog! 0x6b280:$a3: %02i:%02i:%02i:%03i
3.2.preliminary drawing.pif.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x64f94:$str_a1: C:\Windows\System32\cmd.exe 0x64f10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65410:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x65a10:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x65004:$str_b2: Executing file: 0x65e4c:$str_b3: GetDirectListeningPort 0x65800:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65980:$str_b7: \update.vbs 0x6502c:$str_b9: Downloaded file: 0x65018:$str_b10: Downloading file: 0x650bc:$str_b12: Failed to upload file: 0x65e14:$str_b13: StartForward 0x65e34:$str_b14: StopForward 0x658d8:$str_b15: fso.DeleteFile " 0x6586c:$str_b16: On Error Resume Next 0x65908:$str_b17: fso.DeleteFolder " 0x650ac:$str_b18: Uploaded file: 0x6506c:$str_b19: Unable to delete: 0x658a0:$str_b20: while fso.FileExists(" 0x65549:$str_c0: [Firefox StoredLogins not found]
3.2.preliminary drawing.pif.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x64e80:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64e10:$s1: CoGetObject 0x64e24:$s1: CoGetObject 0x64e40:$s1: CoGetObject 0x6ea80:$s1: CoGetObject 0x64dd0:$s2: Elevation:Administrator!new:
3.2.preliminary drawing.pif.exe.400000.0.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
3.2.preliminary drawing.pif.exe.400000.0.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
3.2.preliminary drawing.pif.exe.400000.0.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
3.2.preliminary drawing.pif.exe.400000.0.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6c708:$a1: Remcos restarted by watchdog! 0x6cc80:$a3: %02i:%02i:%02i:%03i
3.2.preliminary drawing.pif.exe.400000.0.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x66994:$str_a1: C:\Windows\System32\cmd.exe 0x66910:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66910:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x67410:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x66a04:$str_b2: Executing file: 0x6784c:$str_b3: GetDirectListeningPort 0x67200:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x67380:$str_b7: \update.vbs 0x66a2c:$str_b9: Downloaded file: 0x66a18:$str_b10: Downloading file: 0x66abc:$str_b12: Failed to upload file: 0x67814:$str_b13: StartForward 0x67834:$str_b14: StopForward 0x672d8:$str_b15: fso.DeleteFile " 0x6726c:$str_b16: On Error Resume Next 0x67308:$str_b17: fso.DeleteFolder " 0x66aac:$str_b18: Uploaded file: 0x66a6c:$str_b19: Unable to delete: 0x672a0:$str_b20: while fso.FileExists(" 0x66f49:$str_c0: [Firefox StoredLogins not found]
3.2.preliminary drawing.pif.exe.400000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x66880:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x66810:$s1: CoGetObject 0x66824:$s1: CoGetObject 0x66840:$s1: CoGetObject 0x70480:$s1: CoGetObject 0x667d0:$s2: Elevation:Administrator!new:
0.2.preliminary drawing.pif.exe.4683c20.1.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0.2.preliminary drawing.pif.exe.4683c20.1.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0.2.preliminary drawing.pif.exe.4683c20.1.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0.2.preliminary drawing.pif.exe.4683c20.1.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6ad08:$a1: Remcos restarted by watchdog! 0x6b280:$a3: %02i:%02i:%02i:%03i
0.2.preliminary drawing.pif.exe.4683c20.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x64e80:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64e10:$s1: CoGetObject 0x64e24:$s1: CoGetObject 0x64e40:$s1: CoGetObject 0x6ea80:$s1: CoGetObject 0x64dd0:$s2: Elevation:Administrator!new:
0.2.preliminary drawing.pif.exe.3c40158.3.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0.2.preliminary drawing.pif.exe.3c40158.3.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0.2.preliminary drawing.pif.exe.3c40158.3.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0.2.preliminary drawing.pif.exe.3c40158.3.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6ad08:$a1: Remcos restarted by watchdog! 0x6b280:$a3: %02i:%02i:%02i:%03i
0.2.preliminary drawing.pif.exe.3c40158.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x64e80:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64e10:$s1: CoGetObject 0x64e24:$s1: CoGetObject 0x64e40:$s1: CoGetObject 0x6ea80:$s1: CoGetObject 0x64dd0:$s2: Elevation:Administrator!new:
Click to see the 33 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\preliminary drawing.pif.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\preliminary drawing.pif.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\preliminary drawing.pif.exe", ParentImage: C:\Users\user\Desktop\preliminary drawing.pif.exe, ParentProcessId: 7336, ParentProcessName: preliminary drawing.pif.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\preliminary drawing.pif.exe", ProcessId: 7536, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\preliminary drawing.pif.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\preliminary drawing.pif.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\preliminary drawing.pif.exe", ParentImage: C:\Users\user\Desktop\preliminary drawing.pif.exe, ParentProcessId: 7336, ParentProcessName: preliminary drawing.pif.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\preliminary drawing.pif.exe", ProcessId: 7536, ProcessName: powershell.exe

Stealing of Sensitive Information

Sigma detected: Remcos

Source: Registry Key set

Author: Joe Security: Data: Details: 9A 34 8B 88 96 0E F6 CC 6A 86 94 A9 0E 62 F7 82 17 53 9F 8A 0D F5 C1 88 F3 87 42 0A 82 6C 5F 47 5A FD 8B FA E5 5B 27 6D 08 12 69 6B 5F 45 07 03 AF 5F 47 AB 52 5A 1E 6D DA 9D 29 C0 2B B4 E8 32 9E 02 78 6B FA 0E 55 7C D7 8F 6D D5 E0 42 78 7D 17 D0 03 1A 87 F3 DC 0D 14 6F 0F 08 0A 49 83 DA FE D9 4C 6C A5 1F , EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\preliminary drawing.pif.exe, ProcessId: 7544, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-NWAKMX\exepath

Suricata Signatures

ET JA3 Hash - Remcos 3.x/4.x TLS Connection

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-14T10:17:56.924722+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.4	49732	87.120.127.120	2404	TCP

ETPRO MALWARE Common Downloader Header Pattern HCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-14T10:17:58.370406+0100	2803304	3	Unknown Traffic	192.168.2.4	49734	178.237.33.50	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000003.00000002.4116857570.0000000000FC7000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: Remcos {"Host:Port:Password": ["87.120.127.120:2404:1"], "Assigned name": "Rm", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-NWAKMX", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}

Multi AV Scanner detection for submitted file

Source: preliminary drawing.pif.exe	Virustotal: Detection: 35%			Perma Link
Source: preliminary drawing.pif.exe	ReversingLabs: Detection: 28%

Yara detected Remcos RAT

Source: Yara match	File source: 0.2.preliminary drawing.pif.exe.4683c20.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.preliminary drawing.pif.exe.3c40158.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.preliminary drawing.pif.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.preliminary drawing.pif.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.preliminary drawing.pif.exe.4683c20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.preliminary drawing.pif.exe.3c40158.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1672329934.0000000003B39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4116857570.0000000000FC7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1672329934.0000000004683000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1672329934.0000000003B77000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: preliminary drawing.pif.exe PID: 7336, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: preliminary drawing.pif.exe PID: 7544, type: MEMORYSTR

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: preliminary drawing.pif.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\preliminary drawing.pif.exe

Code function: 3_2_00432B45 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,

3_2_00432B45

Source: preliminary drawing.pif.exe, 00000000.00000002.1672329934.0000000003B39000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_a77eb853-f

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 0.2.preliminary drawing.pif.exe.4683c20.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.preliminary drawing.pif.exe.3c40158.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.preliminary drawing.pif.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.preliminary drawing.pif.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.preliminary drawing.pif.exe.4683c20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.preliminary drawing.pif.exe.3c40158.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1672329934.0000000003B39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1672329934.0000000004683000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1672329934.0000000003B77000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: preliminary drawing.pif.exe PID: 7336, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: preliminary drawing.pif.exe PID: 7544, type: MEMORYSTR

Privilege Escalation

Contains functionality to bypass UAC (CMSTPLUA)

Source: C:\Users\user\Desktop\preliminary drawing.pif.exe

Code function: 3_2_00406764 _wcslen,CoGetObject,

3_2_00406764

Source: preliminary drawing.pif.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: preliminary drawing.pif.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Code function: 3_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	3_2_0040B335
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Code function: 3_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	3_2_0040B53A
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Code function: 3_2_0041B63A FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,	3_2_0041B63A
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Code function: 3_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,	3_2_004089A9
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Code function: 3_2_00406AC2 FindFirstFileW,FindNextFileW,	3_2_00406AC2
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Code function: 3_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,	3_2_00407A8C
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Code function: 3_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,	3_2_00408DA7
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Code function: 3_2_00418E5F FindFirstFileW,FindNextFileW,FindNextFileW,	3_2_00418E5F

Source: C:\Users\user\Desktop\preliminary drawing.pif.exe

Code function: 3_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

3_2_00406F06

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49732 -> 87.120.127.120:2404

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

IPs: 87.120.127.120

Source: global traffic

TCP traffic: 192.168.2.4:49732 -> 87.120.127.120:2404

Source: global traffic

TCP traffic: 192.168.2.4:60680 -> 162.159.36.2:53

Source: global traffic

HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: Joe Sandbox View

IP Address: 178.237.33.50 178.237.33.50

Source: Joe Sandbox View

ASN Name: UNACS-AS-BG8000BurgasBG UNACS-AS-BG8000BurgasBG

Source: Network traffic

Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49734 -> 178.237.33.50:80

Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.127.120
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.127.120
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.127.120
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.127.120
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.127.120
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.127.120
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.127.120
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.127.120
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.127.120
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.127.120
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.127.120
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.127.120
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.127.120
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.127.120
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.127.120
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.127.120
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.127.120
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\preliminary drawing.pif.exe

Code function: 3_2_00426302 recv,

3_2_00426302

Source: global traffic

HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: global traffic	DNS traffic detected: DNS query: geoplugin.net
Source: global traffic	DNS traffic detected: DNS query: 198.187.3.20.in-addr.arpa

Source: preliminary drawing.pif.exe, preliminary drawing.pif.exe, 00000003.00000002.4116857570.0000000001022000.00000004.00000020.00020000.00000000.sdmp, preliminary drawing.pif.exe, 00000003.00000002.4116857570.0000000000FC7000.00000004.00000020.00020000.00000000.sdmp, preliminary drawing.pif.exe, 00000003.00000002.4116857570.000000000103B000.00000004.00000020.00020000.00000000.sdmp, preliminary drawing.pif.exe, 00000003.00000002.4116857570.0000000001011000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp
Source: preliminary drawing.pif.exe, 00000000.00000002.1672329934.0000000003B39000.00000004.00000800.00020000.00000000.sdmp, preliminary drawing.pif.exe, 00000000.00000002.1672329934.0000000003B77000.00000004.00000800.00020000.00000000.sdmp, preliminary drawing.pif.exe, 00000000.00000002.1672329934.0000000004683000.00000004.00000800.00020000.00000000.sdmp, preliminary drawing.pif.exe, 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp/C
Source: preliminary drawing.pif.exe, 00000003.00000002.4116857570.0000000000FC7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpSystem32
Source: preliminary drawing.pif.exe, 00000003.00000002.4116857570.0000000001011000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpV
Source: preliminary drawing.pif.exe, 00000000.00000002.1670769078.0000000002B7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: preliminary drawing.pif.exe, 00000000.00000002.1675666047.0000000006C92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: preliminary drawing.pif.exe, 00000000.00000002.1675666047.0000000006C92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: preliminary drawing.pif.exe, 00000000.00000002.1675666047.0000000006C92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: preliminary drawing.pif.exe, 00000000.00000002.1675666047.0000000006C92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: preliminary drawing.pif.exe, 00000000.00000002.1675666047.0000000006C92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: preliminary drawing.pif.exe, 00000000.00000002.1675666047.0000000006C92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: preliminary drawing.pif.exe, 00000000.00000002.1675666047.0000000006C92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: preliminary drawing.pif.exe, 00000000.00000002.1675666047.0000000006C92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: preliminary drawing.pif.exe, 00000000.00000002.1675666047.0000000006C92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: preliminary drawing.pif.exe, 00000000.00000002.1675666047.0000000006C92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: preliminary drawing.pif.exe, 00000000.00000002.1675666047.0000000006C92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: preliminary drawing.pif.exe, 00000000.00000002.1675666047.0000000006C92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: preliminary drawing.pif.exe, 00000000.00000002.1675666047.0000000006C92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: preliminary drawing.pif.exe, 00000000.00000002.1675666047.0000000006C92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: preliminary drawing.pif.exe, 00000000.00000002.1675666047.0000000006C92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: preliminary drawing.pif.exe, 00000000.00000002.1675666047.0000000006C92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: preliminary drawing.pif.exe, 00000000.00000002.1675666047.0000000006C92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: preliminary drawing.pif.exe, 00000000.00000002.1675666047.0000000006C92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: preliminary drawing.pif.exe, 00000000.00000002.1675666047.0000000006C92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: preliminary drawing.pif.exe, 00000000.00000002.1675666047.0000000006C92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: preliminary drawing.pif.exe, 00000000.00000002.1675233182.0000000005474000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.comnetf
Source: preliminary drawing.pif.exe, 00000000.00000002.1675666047.0000000006C92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: preliminary drawing.pif.exe, 00000000.00000002.1675666047.0000000006C92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: preliminary drawing.pif.exe, 00000000.00000002.1675666047.0000000006C92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: preliminary drawing.pif.exe, 00000000.00000002.1675666047.0000000006C92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: preliminary drawing.pif.exe, 00000000.00000002.1675666047.0000000006C92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to register a low level keyboard hook

Source: C:\Users\user\Desktop\preliminary drawing.pif.exe

Code function: 3_2_004099E4 SetWindowsHookExA 0000000D,004099D0,00000000

3_2_004099E4

Source: C:\Users\user\Desktop\preliminary drawing.pif.exe

Code function: 3_2_00415B5E OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

3_2_00415B5E

Source: C:\Users\user\Desktop\preliminary drawing.pif.exe

Code function: 3_2_00415B5E OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

3_2_00415B5E

Source: C:\Users\user\Desktop\preliminary drawing.pif.exe

Code function: 3_2_00415B5E OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

3_2_00415B5E

Source: C:\Users\user\Desktop\preliminary drawing.pif.exe

Code function: 3_2_00409B10 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,

3_2_00409B10

Source: Yara match	File source: 0.2.preliminary drawing.pif.exe.4683c20.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.preliminary drawing.pif.exe.3c40158.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.preliminary drawing.pif.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.preliminary drawing.pif.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.preliminary drawing.pif.exe.4683c20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.preliminary drawing.pif.exe.3c40158.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1672329934.0000000003B39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1672329934.0000000004683000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1672329934.0000000003B77000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: preliminary drawing.pif.exe PID: 7336, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: preliminary drawing.pif.exe PID: 7544, type: MEMORYSTR

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match	File source: 0.2.preliminary drawing.pif.exe.4683c20.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.preliminary drawing.pif.exe.3c40158.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.preliminary drawing.pif.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.preliminary drawing.pif.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.preliminary drawing.pif.exe.4683c20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.preliminary drawing.pif.exe.3c40158.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1672329934.0000000003B39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4116857570.0000000000FC7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1672329934.0000000004683000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1672329934.0000000003B77000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: preliminary drawing.pif.exe PID: 7336, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: preliminary drawing.pif.exe PID: 7544, type: MEMORYSTR

Spam, unwanted Advertisements and Ransom Demands

Contains functionalty to change the wallpaper

Source: C:\Users\user\Desktop\preliminary drawing.pif.exe

Code function: 3_2_0041BD82 SystemParametersInfoW,

3_2_0041BD82

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.preliminary drawing.pif.exe.4683c20.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.preliminary drawing.pif.exe.4683c20.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.preliminary drawing.pif.exe.4683c20.1.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.preliminary drawing.pif.exe.3c40158.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.preliminary drawing.pif.exe.3c40158.3.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.preliminary drawing.pif.exe.3c40158.3.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 3.2.preliminary drawing.pif.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 3.2.preliminary drawing.pif.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 3.2.preliminary drawing.pif.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 3.2.preliminary drawing.pif.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 3.2.preliminary drawing.pif.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 3.2.preliminary drawing.pif.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.preliminary drawing.pif.exe.4683c20.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.preliminary drawing.pif.exe.4683c20.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.preliminary drawing.pif.exe.3c40158.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.preliminary drawing.pif.exe.3c40158.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000000.00000002.1672329934.0000000003B39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000000.00000002.1672329934.0000000004683000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000000.00000002.1672329934.0000000003B77000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: preliminary drawing.pif.exe PID: 7336, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: preliminary drawing.pif.exe PID: 7544, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown

Source: C:\Users\user\Desktop\preliminary drawing.pif.exe

Code function: 3_2_00415A51 ExitWindowsEx,LoadLibraryA,GetProcAddress,

3_2_00415A51

Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Code function: 0_2_00FDE0CC	0_2_00FDE0CC
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Code function: 0_2_074FA510	0_2_074FA510
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Code function: 0_2_074F5D40	0_2_074F5D40
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Code function: 0_2_074F68B0	0_2_074F68B0
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Code function: 0_2_074FD522	0_2_074FD522
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Code function: 0_2_074FDD99	0_2_074FDD99
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Code function: 0_2_074FDDA8	0_2_074FDDA8
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Code function: 0_2_074F4B30	0_2_074F4B30
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Code function: 0_2_074FD960	0_2_074FD960
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Code function: 0_2_074FF9C8	0_2_074FF9C8
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Code function: 0_2_074F683F	0_2_074F683F
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Code function: 0_2_074F689F	0_2_074F689F
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Code function: 0_2_08BB0006	0_2_08BB0006
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Code function: 0_2_08BB0040	0_2_08BB0040
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Code function: 0_2_08BC75E8	0_2_08BC75E8
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Code function: 0_2_08BC4590	0_2_08BC4590
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Code function: 0_2_08BC9F50	0_2_08BC9F50
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Code function: 3_2_0043D04B	3_2_0043D04B
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Code function: 3_2_0042707E	3_2_0042707E
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Code function: 3_2_0041301D	3_2_0041301D
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Code function: 3_2_00441030	3_2_00441030
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Code function: 3_2_00453110	3_2_00453110
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Code function: 3_2_004271B8	3_2_004271B8
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Code function: 3_2_0041D27C	3_2_0041D27C
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Code function: 3_2_004522E2	3_2_004522E2
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Code function: 3_2_0043D2A8	3_2_0043D2A8
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Code function: 3_2_00437360	3_2_00437360
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Code function: 3_2_004363BA	3_2_004363BA
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Code function: 3_2_0042645F	3_2_0042645F
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Code function: 3_2_00431582	3_2_00431582
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Code function: 3_2_0043672C	3_2_0043672C
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Code function: 3_2_0041E7EA	3_2_0041E7EA
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Code function: 3_2_0044C949	3_2_0044C949
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Code function: 3_2_004269D6	3_2_004269D6
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Code function: 3_2_004369D6	3_2_004369D6
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Code function: 3_2_0043CBED	3_2_0043CBED
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Code function: 3_2_00432C54	3_2_00432C54
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Code function: 3_2_00436C9D	3_2_00436C9D
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Code function: 3_2_0043CE1C	3_2_0043CE1C
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Code function: 3_2_00436F58	3_2_00436F58
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Code function: 3_2_00434F32	3_2_00434F32

Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Code function: String function: 00401F66 appears 50 times
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Code function: String function: 004020E7 appears 40 times
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Code function: String function: 00433AB0 appears 41 times
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Code function: String function: 004341C0 appears 55 times

Source: preliminary drawing.pif.exe, 00000000.00000000.1645222174.00000000007B4000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamexwuz.exe< vs preliminary drawing.pif.exe
Source: preliminary drawing.pif.exe, 00000000.00000002.1669702002.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs preliminary drawing.pif.exe
Source: preliminary drawing.pif.exe, 00000000.00000002.1672329934.0000000003B77000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs preliminary drawing.pif.exe
Source: preliminary drawing.pif.exe, 00000000.00000002.1677889826.0000000008FB0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs preliminary drawing.pif.exe
Source: preliminary drawing.pif.exe, 00000000.00000002.1670769078.0000000002B91000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs preliminary drawing.pif.exe
Source: preliminary drawing.pif.exe, 00000000.00000002.1677652020.0000000008B80000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs preliminary drawing.pif.exe
Source: preliminary drawing.pif.exe, 00000000.00000002.1670769078.0000000002B31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs preliminary drawing.pif.exe
Source: preliminary drawing.pif.exe	Binary or memory string: OriginalFilenamexwuz.exe< vs preliminary drawing.pif.exe

Source: preliminary drawing.pif.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.preliminary drawing.pif.exe.4683c20.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.preliminary drawing.pif.exe.4683c20.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.preliminary drawing.pif.exe.4683c20.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.preliminary drawing.pif.exe.3c40158.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.preliminary drawing.pif.exe.3c40158.3.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.preliminary drawing.pif.exe.3c40158.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 3.2.preliminary drawing.pif.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 3.2.preliminary drawing.pif.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 3.2.preliminary drawing.pif.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 3.2.preliminary drawing.pif.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 3.2.preliminary drawing.pif.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 3.2.preliminary drawing.pif.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.preliminary drawing.pif.exe.4683c20.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.preliminary drawing.pif.exe.4683c20.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.preliminary drawing.pif.exe.3c40158.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.preliminary drawing.pif.exe.3c40158.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000000.00000002.1672329934.0000000003B39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000000.00000002.1672329934.0000000004683000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000000.00000002.1672329934.0000000003B77000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: preliminary drawing.pif.exe PID: 7336, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: preliminary drawing.pif.exe PID: 7544, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23

Source: preliminary drawing.pif.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@6/7@2/2

Source: C:\Users\user\Desktop\preliminary drawing.pif.exe

Code function: 3_2_00416C9D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,

3_2_00416C9D

Source: C:\Users\user\Desktop\preliminary drawing.pif.exe

Code function: 3_2_0040E2F1 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle,

3_2_0040E2F1

Source: C:\Users\user\Desktop\preliminary drawing.pif.exe

Code function: 3_2_0041A84A FindResourceA,LoadResource,LockResource,SizeofResource,

3_2_0041A84A

Source: C:\Users\user\Desktop\preliminary drawing.pif.exe

Code function: 3_2_00419DBA OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

3_2_00419DBA

Source: C:\Users\user\Desktop\preliminary drawing.pif.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\preliminary drawing.pif.exe.log

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Mutant created: \Sessions\1\BaseNamedObjects\Rmc-NWAKMX
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7552:120:WilError_03

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_r2qxnqcn.1jb.ps1

Jump to behavior

Source: preliminary drawing.pif.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: preliminary drawing.pif.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\preliminary drawing.pif.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\preliminary drawing.pif.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: preliminary drawing.pif.exe	Virustotal: Detection: 35%
Source: preliminary drawing.pif.exe	ReversingLabs: Detection: 28%

Source: unknown	Process created: C:\Users\user\Desktop\preliminary drawing.pif.exe "C:\Users\user\Desktop\preliminary drawing.pif.exe"
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\preliminary drawing.pif.exe"
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Process created: C:\Users\user\Desktop\preliminary drawing.pif.exe "C:\Users\user\Desktop\preliminary drawing.pif.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\preliminary drawing.pif.exe"	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Process created: C:\Users\user\Desktop\preliminary drawing.pif.exe "C:\Users\user\Desktop\preliminary drawing.pif.exe"	Jump to behavior

Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: C:\Users\user\Desktop\preliminary drawing.pif.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\preliminary drawing.pif.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: preliminary drawing.pif.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: preliminary drawing.pif.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\preliminary drawing.pif.exe

Code function: 3_2_0041BEEE LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,

3_2_0041BEEE

Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Code function: 0_2_0504E0EB push eax; ret	0_2_0504E0F5
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Code function: 0_2_0504D513 push eax; mov dword ptr [esp], ecx	0_2_0504D51C
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Code function: 0_2_074F4236 push dword ptr [ebp+01h]; ret	0_2_074F423B
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Code function: 3_2_004560BF push ecx; ret	3_2_004560D2
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Code function: 3_2_00434206 push ecx; ret	3_2_00434219
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Code function: 3_2_0045C9DD push esi; ret	3_2_0045C9E6
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Code function: 3_2_004569F0 push eax; ret	3_2_00456A0E

Source: preliminary drawing.pif.exe

Static PE information: section name: .text entropy: 7.830494119333022

Source: C:\Users\user\Desktop\preliminary drawing.pif.exe

Code function: 3_2_00406128 ShellExecuteW,URLDownloadToFileW,

3_2_00406128

Source: C:\Users\user\Desktop\preliminary drawing.pif.exe

Code function: 3_2_00419DBA OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

3_2_00419DBA

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\preliminary drawing.pif.exe

3_2_0041BEEE

Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Delayed program exit found

Source: C:\Users\user\Desktop\preliminary drawing.pif.exe

Code function: 3_2_0040E627 Sleep,ExitProcess,

3_2_0040E627

Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Memory allocated: FD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Memory allocated: 2B30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Memory allocated: 2950000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Memory allocated: 9170000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Memory allocated: A170000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Memory allocated: A390000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Memory allocated: B390000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\preliminary drawing.pif.exe

Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,

3_2_00419AB8

Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5913	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3903	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Window / User API: threadDelayed 9689	Jump to behavior

Source: C:\Users\user\Desktop\preliminary drawing.pif.exe

API coverage: 10.0 %

Source: C:\Users\user\Desktop\preliminary drawing.pif.exe TID: 7356	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7672	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe TID: 7592	Thread sleep count: 304 > 30	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe TID: 7592	Thread sleep time: -912000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe TID: 7592	Thread sleep count: 9689 > 30	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe TID: 7592	Thread sleep time: -29067000s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Code function: 3_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	3_2_0040B335
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Code function: 3_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	3_2_0040B53A
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Code function: 3_2_0041B63A FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,	3_2_0041B63A
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Code function: 3_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,	3_2_004089A9
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Code function: 3_2_00406AC2 FindFirstFileW,FindNextFileW,	3_2_00406AC2
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Code function: 3_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,	3_2_00407A8C
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Code function: 3_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,	3_2_00408DA7
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Code function: 3_2_00418E5F FindFirstFileW,FindNextFileW,FindNextFileW,	3_2_00418E5F

Source: C:\Users\user\Desktop\preliminary drawing.pif.exe

Code function: 3_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

3_2_00406F06

Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: preliminary drawing.pif.exe, 00000000.00000002.1669702002.0000000000DF8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: preliminary drawing.pif.exe, 00000003.00000002.4116857570.0000000000FC7000.00000004.00000020.00020000.00000000.sdmp, preliminary drawing.pif.exe, 00000003.00000002.4116857570.000000000103B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: preliminary drawing.pif.exe, 00000003.00000002.4116857570.000000000103B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW\|y&

Source: C:\Users\user\Desktop\preliminary drawing.pif.exe

API call chain: ExitProcess graph end node

graph_3-48064

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\preliminary drawing.pif.exe

Code function: 3_2_0043A86D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

3_2_0043A86D

Source: C:\Users\user\Desktop\preliminary drawing.pif.exe

3_2_0041BEEE

Source: C:\Users\user\Desktop\preliminary drawing.pif.exe

Code function: 3_2_00442764 mov eax, dword ptr fs:[00000030h]

3_2_00442764

Source: C:\Users\user\Desktop\preliminary drawing.pif.exe

Code function: 3_2_0044EB3E GetProcessHeap,

3_2_0044EB3E

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Code function: 3_2_00434378 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_00434378
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Code function: 3_2_0043A86D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_0043A86D
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Code function: 3_2_00433D4F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_00433D4F
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Code function: 3_2_00433EE2 SetUnhandledExceptionFilter,	3_2_00433EE2

Source: C:\Users\user\Desktop\preliminary drawing.pif.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\preliminary drawing.pif.exe"
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\preliminary drawing.pif.exe"			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\preliminary drawing.pif.exe

Memory written: C:\Users\user\Desktop\preliminary drawing.pif.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\preliminary drawing.pif.exe

Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe

3_2_0041100E

Source: C:\Users\user\Desktop\preliminary drawing.pif.exe

Code function: 3_2_0041894A mouse_event,

3_2_0041894A

Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\preliminary drawing.pif.exe"			Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Process created: C:\Users\user\Desktop\preliminary drawing.pif.exe "C:\Users\user\Desktop\preliminary drawing.pif.exe"			Jump to behavior

Source: preliminary drawing.pif.exe, 00000003.00000002.4116857570.0000000001022000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: preliminary drawing.pif.exe, 00000003.00000002.4116857570.0000000001022000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerm
Source: preliminary drawing.pif.exe, 00000003.00000002.4116857570.0000000001022000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerj
Source: preliminary drawing.pif.exe, 00000003.00000002.4116857570.0000000001022000.00000004.00000020.00020000.00000000.sdmp, preliminary drawing.pif.exe, 00000003.00000002.4116857570.0000000000FC7000.00000004.00000020.00020000.00000000.sdmp, preliminary drawing.pif.exe, 00000003.00000002.4116857570.000000000103B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \|Program Manager\|

Source: C:\Users\user\Desktop\preliminary drawing.pif.exe

Code function: 3_2_00434015 cpuid

3_2_00434015

Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Code function: GetLocaleInfoA,	3_2_0040E751
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	3_2_0045107A
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Code function: GetLocaleInfoW,	3_2_004512CA
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Code function: EnumSystemLocalesW,	3_2_004472BE
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	3_2_004513F3
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Code function: GetLocaleInfoW,	3_2_004514FA
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	3_2_004515C7
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Code function: GetLocaleInfoW,	3_2_004477A7
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	3_2_00450C8F
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Code function: EnumSystemLocalesW,	3_2_00450F52
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Code function: EnumSystemLocalesW,	3_2_00450F07
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Code function: EnumSystemLocalesW,	3_2_00450FED

Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Users\user\Desktop\preliminary drawing.pif.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\OFFSYMXL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\preliminary drawing.pif.exe

Code function: 3_2_00404915 GetLocalTime,CreateEventA,CreateThread,

3_2_00404915

Source: C:\Users\user\Desktop\preliminary drawing.pif.exe

Code function: 3_2_0041A9AD GetComputerNameExW,GetUserNameW,

3_2_0041A9AD

Source: C:\Users\user\Desktop\preliminary drawing.pif.exe

Code function: 3_2_00448267 _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

3_2_00448267

Source: C:\Users\user\Desktop\preliminary drawing.pif.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.preliminary drawing.pif.exe.8b80000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.preliminary drawing.pif.exe.8b80000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.preliminary drawing.pif.exe.2f51610.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.preliminary drawing.pif.exe.2f51610.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1677652020.0000000008B80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1670769078.0000000002B91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Remcos RAT

Source: Yara match	File source: 0.2.preliminary drawing.pif.exe.4683c20.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.preliminary drawing.pif.exe.3c40158.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.preliminary drawing.pif.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.preliminary drawing.pif.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.preliminary drawing.pif.exe.4683c20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.preliminary drawing.pif.exe.3c40158.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1672329934.0000000003B39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4116857570.0000000000FC7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1672329934.0000000004683000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1672329934.0000000003B77000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: preliminary drawing.pif.exe PID: 7336, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: preliminary drawing.pif.exe PID: 7544, type: MEMORYSTR

Contains functionality to steal Chrome passwords or cookies

Source: C:\Users\user\Desktop\preliminary drawing.pif.exe

Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data

3_2_0040B21B

Contains functionality to steal Firefox passwords or cookies

Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\		3_2_0040B335
Source: C:\Users\user\Desktop\preliminary drawing.pif.exe	Code function: \key3.db		3_2_0040B335

Remote Access Functionality

Detected Remcos RAT

Source: C:\Users\user\Desktop\preliminary drawing.pif.exe

Mutex created: \Sessions\1\BaseNamedObjects\Rmc-NWAKMX

Jump to behavior

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.preliminary drawing.pif.exe.8b80000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.preliminary drawing.pif.exe.8b80000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.preliminary drawing.pif.exe.2f51610.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.preliminary drawing.pif.exe.2f51610.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1677652020.0000000008B80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1670769078.0000000002B91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Remcos RAT

Source: Yara match	File source: 0.2.preliminary drawing.pif.exe.4683c20.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.preliminary drawing.pif.exe.3c40158.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.preliminary drawing.pif.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.preliminary drawing.pif.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.preliminary drawing.pif.exe.4683c20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.preliminary drawing.pif.exe.3c40158.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1672329934.0000000003B39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4116857570.0000000000FC7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1672329934.0000000004683000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1672329934.0000000003B77000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: preliminary drawing.pif.exe PID: 7336, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: preliminary drawing.pif.exe PID: 7544, type: MEMORYSTR

Source: C:\Users\user\Desktop\preliminary drawing.pif.exe

Code function: cmd.exe

3_2_00405042

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	12 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Command and Scripting Interpreter	1 Windows Service	1 Bypass User Account Control	1 Deobfuscate/Decode Files or Information	111 Input Capture	1 Account Discovery	Remote Desktop Protocol	111 Input Capture	2 Encrypted Channel	Exfiltration Over Bluetooth	1 Defacement
Email Addresses	DNS Server	Domain Accounts	2 Service Execution	Logon Script (Windows)	1 Access Token Manipulation	3 Obfuscated Files or Information	2 Credentials In Files	1 System Service Discovery	SMB/Windows Admin Shares	3 Clipboard Data	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Windows Service	2 Software Packing	NTDS	3 File and Directory Discovery	Distributed Component Object Model	Input Capture	1 Remote Access Software	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	122 Process Injection	1 DLL Side-Loading	LSA Secrets	33 System Information Discovery	SSH	Keylogging	2 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Bypass User Account Control	Cached Domain Credentials	21 Security Software Discovery	VNC	GUI Input Capture	12 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Masquerading	DCSync	31 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	31 Virtualization/Sandbox Evasion	Proc Filesystem	3 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Access Token Manipulation	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	122 Process Injection	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
preliminary drawing.pif.exe	36%	Virustotal		Browse
preliminary drawing.pif.exe	29%	ReversingLabs	ByteCode-MSIL.Trojan.CrypterX
preliminary drawing.pif.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
http://www.sakkal.comnetf	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
geoplugin.net	178.237.33.50	true	false		high
198.187.3.20.in-addr.arpa	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://geoplugin.net/json.gp	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	preliminary drawing.pif.exe, 00000000.00000002.1675666047.0000000006C92000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	preliminary drawing.pif.exe, 00000000.00000002.1675666047.0000000006C92000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designersG	preliminary drawing.pif.exe, 00000000.00000002.1675666047.0000000006C92000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/?	preliminary drawing.pif.exe, 00000000.00000002.1675666047.0000000006C92000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	preliminary drawing.pif.exe, 00000000.00000002.1675666047.0000000006C92000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers?	preliminary drawing.pif.exe, 00000000.00000002.1675666047.0000000006C92000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.tiro.com	preliminary drawing.pif.exe, 00000000.00000002.1675666047.0000000006C92000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers	preliminary drawing.pif.exe, 00000000.00000002.1675666047.0000000006C92000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr	preliminary drawing.pif.exe, 00000000.00000002.1675666047.0000000006C92000.00000004.00000800.00020000.00000000.sdmp	false		high
http://geoplugin.net/json.gpSystem32	preliminary drawing.pif.exe, 00000003.00000002.4116857570.0000000000FC7000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.carterandcone.coml	preliminary drawing.pif.exe, 00000000.00000002.1675666047.0000000006C92000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sajatypeworks.com	preliminary drawing.pif.exe, 00000000.00000002.1675666047.0000000006C92000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.typography.netD	preliminary drawing.pif.exe, 00000000.00000002.1675666047.0000000006C92000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/cabarga.htmlN	preliminary drawing.pif.exe, 00000000.00000002.1675666047.0000000006C92000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/cThe	preliminary drawing.pif.exe, 00000000.00000002.1675666047.0000000006C92000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.galapagosdesign.com/staff/dennis.htm	preliminary drawing.pif.exe, 00000000.00000002.1675666047.0000000006C92000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn	preliminary drawing.pif.exe, 00000000.00000002.1675666047.0000000006C92000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/frere-user.html	preliminary drawing.pif.exe, 00000000.00000002.1675666047.0000000006C92000.00000004.00000800.00020000.00000000.sdmp	false		high
http://geoplugin.net/json.gp/C	preliminary drawing.pif.exe, 00000000.00000002.1672329934.0000000003B39000.00000004.00000800.00020000.00000000.sdmp, preliminary drawing.pif.exe, 00000000.00000002.1672329934.0000000003B77000.00000004.00000800.00020000.00000000.sdmp, preliminary drawing.pif.exe, 00000000.00000002.1672329934.0000000004683000.00000004.00000800.00020000.00000000.sdmp, preliminary drawing.pif.exe, 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false		high
http://www.jiyu-kobo.co.jp/	preliminary drawing.pif.exe, 00000000.00000002.1675666047.0000000006C92000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.galapagosdesign.com/DPlease	preliminary drawing.pif.exe, 00000000.00000002.1675666047.0000000006C92000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers8	preliminary drawing.pif.exe, 00000000.00000002.1675666047.0000000006C92000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fonts.com	preliminary drawing.pif.exe, 00000000.00000002.1675666047.0000000006C92000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	preliminary drawing.pif.exe, 00000000.00000002.1675666047.0000000006C92000.00000004.00000800.00020000.00000000.sdmp	false		high
http://geoplugin.net/json.gpV	preliminary drawing.pif.exe, 00000003.00000002.4116857570.0000000001011000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.urwpp.deDPlease	preliminary drawing.pif.exe, 00000000.00000002.1675666047.0000000006C92000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.zhongyicts.com.cn	preliminary drawing.pif.exe, 00000000.00000002.1675666047.0000000006C92000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	preliminary drawing.pif.exe, 00000000.00000002.1670769078.0000000002B7D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sakkal.com	preliminary drawing.pif.exe, 00000000.00000002.1675666047.0000000006C92000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sakkal.comnetf	preliminary drawing.pif.exe, 00000000.00000002.1675233182.0000000005474000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
87.120.127.120	unknown	Bulgaria		25206	UNACS-AS-BG8000BurgasBG	true
178.237.33.50	geoplugin.net	Netherlands		8455	ATOM86-ASATOM86NL	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1590588
Start date and time:	2025-01-14 10:17:04 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 52s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	preliminary drawing.pif.exe
Detection:	MAL
Classification:	mal100.rans.troj.spyw.expl.evad.winEXE@6/7@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 164 Number of non-executed functions: 190
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 184.28.90.27, 52.149.20.212, 20.3.187.198, 20.12.23.50, 13.107.246.45
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
04:17:54	API Interceptor	4778399x Sleep call for process: preliminary drawing.pif.exe modified
04:17:56	API Interceptor	8x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
178.237.33.50	verynicegirlwalkingarounftheworldmuuuah.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	geoplugin.net/json.gp
	plugmancrypted.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	documents.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	17366735083ba4993c0ae9322c32aacf9286de757a918f634b522467c19ad3da2352651d39438.dat-decoded.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	c2.hta	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	c2.hta	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	I1ahLI8fId.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	yPIOW6yoPi.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	bwYw3UUfy7.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
geoplugin.net	verynicegirlwalkingarounftheworldmuuuah.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	178.237.33.50
	plugmancrypted.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	documents.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	17366735083ba4993c0ae9322c32aacf9286de757a918f634b522467c19ad3da2352651d39438.dat-decoded.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	c2.hta	Get hash	malicious	Remcos	Browse	178.237.33.50
	c2.hta	Get hash	malicious	Remcos	Browse	178.237.33.50
	I1ahLI8fId.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	yPIOW6yoPi.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	bwYw3UUfy7.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe	Get hash	malicious	Remcos	Browse	178.237.33.50

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
UNACS-AS-BG8000BurgasBG	5tCuNr661k.exe	Get hash	malicious	RedLine	Browse	87.120.120.86
	5tCuNr661k.exe	Get hash	malicious	RedLine	Browse	87.120.120.86
	shaLnqmyTS.exe	Get hash	malicious	RedLine	Browse	87.120.120.86
	shaLnqmyTS.exe	Get hash	malicious	RedLine	Browse	87.120.120.86
	zAGUEDGSTM.exe	Get hash	malicious	RedLine	Browse	87.120.120.86
	WtZl31OLfA.exe	Get hash	malicious	Remcos, GuLoader	Browse	87.120.116.187
	C5Zr4LSzmp.exe	Get hash	malicious	RedLine	Browse	87.120.120.86
	C5Zr4LSzmp.exe	Get hash	malicious	RedLine	Browse	87.120.120.86
	2XnMqJW0u1.exe	Get hash	malicious	XWorm	Browse	87.120.120.15
	VmoLw6EKj5.exe	Get hash	malicious	RedLine	Browse	87.120.120.86
ATOM86-ASATOM86NL	verynicegirlwalkingarounftheworldmuuuah.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	178.237.33.50
	plugmancrypted.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	documents.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	17366735083ba4993c0ae9322c32aacf9286de757a918f634b522467c19ad3da2352651d39438.dat-decoded.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	c.hta	Get hash	malicious	Remcos	Browse	178.237.33.50
	c2.hta	Get hash	malicious	Remcos	Browse	178.237.33.50
	c2.hta	Get hash	malicious	Remcos	Browse	178.237.33.50
	I1ahLI8fId.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	yPIOW6yoPi.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	bwYw3UUfy7.exe	Get hash	malicious	Remcos	Browse	178.237.33.50

Process:	C:\Users\user\Desktop\preliminary drawing.pif.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\json[1].json

Download File

Process:	C:\Users\user\Desktop\preliminary drawing.pif.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	963
Entropy (8bit):	5.018722888793802
Encrypted:	false
SSDEEP:	12:tkluWJmnd6CsGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zz2:qlupdRNuKyGX85jvXhNlT3/7XcV7Wro
MD5:	267F9EC6CC4E12E1C5709DF015F4696F
SHA1:	D9A4A1DB44DB5776CA5821E37206665999BFC558
SHA-256:	8DB7063EB28EBF372CB46CDE7B85DCC719076BDD3A2DCA3CCF7E3881355AED3A
SHA-512:	0907B58486F974BCD909ECA874F0A93E33DB534DEAA32EA3F332752C3D8CF284901187D642B22FE6718A8D98087D39BEE91317989AA62B3D1B0EA20D0CC8630A
Malicious:	false
Reputation:	low
Preview:	{. "geoplugin_request":"8.46.123.189",. "geoplugin_status":200,. "geoplugin_delay":"1ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7126",. "geoplugin_longitude":"-74.0066",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	1172
Entropy (8bit):	5.354777075714867
Encrypted:	false
SSDEEP:	24:3gWSKco4KmBs4RPT6BmFoUebIKomjKcmZ9t7J0gt/NKIl9r6dj:QWSU4y4RQmFoUeWmfmZ9tK8NDE
MD5:	92C17FC0DE8449D1E50ED56DBEBAA35D
SHA1:	A617D392757DC7B1BEF28448B72CBD131CF4D0FB
SHA-256:	DA2D2B57AFF1C99E62DD8102CF4DB3F2F0621D687D275BFAF3DB77772131E485
SHA-512:	603922B790E772A480C9BF4CFD621827085B0070131EF29DC283F0E901CF783034384F8815C092D79A6EA5DF382EF78AF5AC3D81EBD118D2D5C1E623CE5553D1
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	@...e.................................,..............@..........P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gszmag2m.3sh.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_infewk4n.l50.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_r2qxnqcn.1jb.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wibeid03.n4p.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.825530505125583
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	preliminary drawing.pif.exe
File size:	996'915 bytes
MD5:	ecad35aa0a2834edde088dba8063486d
SHA1:	f09ff2154b1542326d63c1eae67a1db0d5dd3571
SHA256:	f4da65fff4d9b2420e2375ce736d02b0dab3e4776115346c5219891ea8fc3c97
SHA512:	0aea41973d5ec10e93d423985ef5a4376c43efe8eaf3b9bc353decddb62339b1f1d9e962eafa53809a75a5e2be43fdfb432f81a5a9556cdb826a440e7f33174e
SSDEEP:	24576:EReyAYaI69Kl3u2FRFhlF4guHGTpSD4wHCKywRmOD:EReyAk3uGTvluupQ4wHChnc
TLSH:	C52512553459D803C1921BB41E72E3F953786EC9AA11C3879FE63EFFBCA6B422540392
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...(..g..............0......&.......,... ...@....@.. ....................................@................................

File Icon


Icon Hash:	f0aea8aaaa8ee80f

Static PE Info

General

Entrypoint:	0x4f2cb2
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6785C028 [Tue Jan 14 01:38:48 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
and dword ptr [eax], eax
inc eax
add byte ptr [ebx], ah
add byte ptr [eax+eax], ah
and eax, 26005E00h
add byte ptr [edx], ch
add byte ptr [eax], ch
add byte ptr [ecx], ch
add byte ptr [edi], bh
add byte ptr [eax], al
add byte ptr [edx+003E9999h], bl
add byte ptr [eax], al
aas
int CCh
dec esp
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xf2c60	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xf4000	0x22d4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xf8000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xf0ce0	0xf0e00	80888df617365aee698f8f25b0a09fb7	False	0.9365634730150493	OpenPGP Secret Key	7.830494119333022	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xf4000	0x22d4	0x2400	d2a77aa96f4fcf8aab34efd86bdb4428	False	0.8776041666666666	data	7.375541428860378	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xf8000	0xc	0x200	b481ae60064c9ba77d35d6b31b1fcf5a	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xf40c8	0x1e50	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9755154639175257
RT_GROUP_ICON	0xf5f28	0x14	data	1.05
RT_VERSION	0xf5f4c	0x384	data	0.43444444444444447

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-14T10:17:56.924722+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.4	49732	87.120.127.120	2404	TCP
2025-01-14T10:17:58.370406+0100	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	3	192.168.2.4	49734	178.237.33.50	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2025 10:17:56.235318899 CET	49732	2404	192.168.2.4	87.120.127.120
Jan 14, 2025 10:17:56.240196943 CET	2404	49732	87.120.127.120	192.168.2.4
Jan 14, 2025 10:17:56.240262032 CET	49732	2404	192.168.2.4	87.120.127.120
Jan 14, 2025 10:17:56.244632006 CET	49732	2404	192.168.2.4	87.120.127.120
Jan 14, 2025 10:17:56.250097990 CET	2404	49732	87.120.127.120	192.168.2.4
Jan 14, 2025 10:17:56.884969950 CET	2404	49732	87.120.127.120	192.168.2.4
Jan 14, 2025 10:17:56.924721956 CET	49732	2404	192.168.2.4	87.120.127.120
Jan 14, 2025 10:17:57.019973993 CET	2404	49732	87.120.127.120	192.168.2.4
Jan 14, 2025 10:17:57.022934914 CET	49732	2404	192.168.2.4	87.120.127.120
Jan 14, 2025 10:17:57.027812004 CET	2404	49732	87.120.127.120	192.168.2.4
Jan 14, 2025 10:17:57.029119968 CET	49732	2404	192.168.2.4	87.120.127.120
Jan 14, 2025 10:17:57.033879042 CET	2404	49732	87.120.127.120	192.168.2.4
Jan 14, 2025 10:17:57.405163050 CET	2404	49732	87.120.127.120	192.168.2.4
Jan 14, 2025 10:17:57.408642054 CET	49732	2404	192.168.2.4	87.120.127.120
Jan 14, 2025 10:17:57.413506031 CET	2404	49732	87.120.127.120	192.168.2.4
Jan 14, 2025 10:17:57.698976994 CET	2404	49732	87.120.127.120	192.168.2.4
Jan 14, 2025 10:17:57.752635956 CET	49732	2404	192.168.2.4	87.120.127.120
Jan 14, 2025 10:17:57.757344961 CET	49734	80	192.168.2.4	178.237.33.50
Jan 14, 2025 10:17:57.762254000 CET	80	49734	178.237.33.50	192.168.2.4
Jan 14, 2025 10:17:57.762332916 CET	49734	80	192.168.2.4	178.237.33.50
Jan 14, 2025 10:17:57.762469053 CET	49734	80	192.168.2.4	178.237.33.50
Jan 14, 2025 10:17:57.767250061 CET	80	49734	178.237.33.50	192.168.2.4
Jan 14, 2025 10:17:58.366965055 CET	80	49734	178.237.33.50	192.168.2.4
Jan 14, 2025 10:17:58.370405912 CET	49734	80	192.168.2.4	178.237.33.50
Jan 14, 2025 10:17:58.382721901 CET	49732	2404	192.168.2.4	87.120.127.120
Jan 14, 2025 10:17:58.387521029 CET	2404	49732	87.120.127.120	192.168.2.4
Jan 14, 2025 10:17:59.366558075 CET	80	49734	178.237.33.50	192.168.2.4
Jan 14, 2025 10:17:59.366873980 CET	49734	80	192.168.2.4	178.237.33.50
Jan 14, 2025 10:18:23.860033035 CET	2404	49732	87.120.127.120	192.168.2.4
Jan 14, 2025 10:18:23.861370087 CET	49732	2404	192.168.2.4	87.120.127.120
Jan 14, 2025 10:18:23.866137028 CET	2404	49732	87.120.127.120	192.168.2.4
Jan 14, 2025 10:18:26.588932991 CET	60680	53	192.168.2.4	162.159.36.2
Jan 14, 2025 10:18:26.593828917 CET	53	60680	162.159.36.2	192.168.2.4
Jan 14, 2025 10:18:26.593900919 CET	60680	53	192.168.2.4	162.159.36.2
Jan 14, 2025 10:18:26.598767996 CET	53	60680	162.159.36.2	192.168.2.4
Jan 14, 2025 10:18:27.038311958 CET	60680	53	192.168.2.4	162.159.36.2
Jan 14, 2025 10:18:27.043402910 CET	53	60680	162.159.36.2	192.168.2.4
Jan 14, 2025 10:18:27.043463945 CET	60680	53	192.168.2.4	162.159.36.2
Jan 14, 2025 10:18:53.873423100 CET	2404	49732	87.120.127.120	192.168.2.4
Jan 14, 2025 10:18:53.874586105 CET	49732	2404	192.168.2.4	87.120.127.120
Jan 14, 2025 10:18:53.879625082 CET	2404	49732	87.120.127.120	192.168.2.4
Jan 14, 2025 10:19:23.874120951 CET	2404	49732	87.120.127.120	192.168.2.4
Jan 14, 2025 10:19:23.902673960 CET	49732	2404	192.168.2.4	87.120.127.120
Jan 14, 2025 10:19:23.907516956 CET	2404	49732	87.120.127.120	192.168.2.4
Jan 14, 2025 10:19:47.721712112 CET	49734	80	192.168.2.4	178.237.33.50
Jan 14, 2025 10:19:48.158982992 CET	49734	80	192.168.2.4	178.237.33.50
Jan 14, 2025 10:19:48.783898115 CET	49734	80	192.168.2.4	178.237.33.50
Jan 14, 2025 10:19:50.159004927 CET	49734	80	192.168.2.4	178.237.33.50
Jan 14, 2025 10:19:52.659043074 CET	49734	80	192.168.2.4	178.237.33.50
Jan 14, 2025 10:19:53.888801098 CET	2404	49732	87.120.127.120	192.168.2.4
Jan 14, 2025 10:19:53.890547037 CET	49732	2404	192.168.2.4	87.120.127.120
Jan 14, 2025 10:19:53.895447969 CET	2404	49732	87.120.127.120	192.168.2.4
Jan 14, 2025 10:19:57.471527100 CET	49734	80	192.168.2.4	178.237.33.50
Jan 14, 2025 10:20:07.159022093 CET	49734	80	192.168.2.4	178.237.33.50
Jan 14, 2025 10:20:23.901573896 CET	2404	49732	87.120.127.120	192.168.2.4
Jan 14, 2025 10:20:23.903022051 CET	49732	2404	192.168.2.4	87.120.127.120
Jan 14, 2025 10:20:23.919199944 CET	2404	49732	87.120.127.120	192.168.2.4
Jan 14, 2025 10:20:53.902170897 CET	2404	49732	87.120.127.120	192.168.2.4
Jan 14, 2025 10:20:53.903662920 CET	49732	2404	192.168.2.4	87.120.127.120
Jan 14, 2025 10:20:53.908473969 CET	2404	49732	87.120.127.120	192.168.2.4
Jan 14, 2025 10:21:23.918642998 CET	2404	49732	87.120.127.120	192.168.2.4
Jan 14, 2025 10:21:23.923666954 CET	49732	2404	192.168.2.4	87.120.127.120
Jan 14, 2025 10:21:23.928500891 CET	2404	49732	87.120.127.120	192.168.2.4
Jan 14, 2025 10:21:53.979195118 CET	2404	49732	87.120.127.120	192.168.2.4
Jan 14, 2025 10:21:53.983930111 CET	49732	2404	192.168.2.4	87.120.127.120
Jan 14, 2025 10:21:53.990003109 CET	2404	49732	87.120.127.120	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2025 10:17:57.742933989 CET	57525	53	192.168.2.4	1.1.1.1
Jan 14, 2025 10:17:57.751853943 CET	53	57525	1.1.1.1	192.168.2.4
Jan 14, 2025 10:18:26.588083982 CET	53	55136	162.159.36.2	192.168.2.4
Jan 14, 2025 10:18:27.050466061 CET	57161	53	192.168.2.4	1.1.1.1
Jan 14, 2025 10:18:27.057825089 CET	53	57161	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 14, 2025 10:17:57.742933989 CET	192.168.2.4	1.1.1.1	0x4a33	Standard query (0)	geoplugin.net	A (IP address)	IN (0x0001)	false
Jan 14, 2025 10:18:27.050466061 CET	192.168.2.4	1.1.1.1	0x968e	Standard query (0)	198.187.3.20.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 14, 2025 10:17:57.751853943 CET	1.1.1.1	192.168.2.4	0x4a33	No error (0)	geoplugin.net		178.237.33.50	A (IP address)	IN (0x0001)	false
Jan 14, 2025 10:18:27.057825089 CET	1.1.1.1	192.168.2.4	0x968e	Name error (3)	198.187.3.20.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false

HTTP Request Dependency Graph

geoplugin.net

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49734	178.237.33.50	80	7544	C:\Users\user\Desktop\preliminary drawing.pif.exe

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 10:17:57.762469053 CET	71	OUT	GET /json.gp HTTP/1.1 Host: geoplugin.net Cache-Control: no-cache
Jan 14, 2025 10:17:58.366965055 CET	1171	IN	HTTP/1.1 200 OK date: Tue, 14 Jan 2025 09:17:58 GMT server: Apache content-length: 963 content-type: application/json; charset=utf-8 cache-control: public, max-age=300 access-control-allow-origin: * Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 31 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 [TRUNCATED] Data Ascii: { "geoplugin_request":"8.46.123.189", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7126", "geoplugin_longitude":"-74.0066", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}

Target ID:	0
Start time:	04:17:53
Start date:	14/01/2025
Path:	C:\Users\user\Desktop\preliminary drawing.pif.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\preliminary drawing.pif.exe"
Imagebase:	0x6c0000
File size:	996'915 bytes
MD5 hash:	ECAD35AA0A2834EDDE088DBA8063486D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000002.1672329934.0000000003B39000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.1672329934.0000000003B39000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.1672329934.0000000003B39000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.1672329934.0000000003B39000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1677652020.0000000008B80000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000002.1672329934.0000000004683000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.1672329934.0000000004683000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.1672329934.0000000004683000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.1672329934.0000000004683000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000002.1672329934.0000000003B77000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.1672329934.0000000003B77000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.1672329934.0000000003B77000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.1672329934.0000000003B77000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1670769078.0000000002B91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	04:17:55
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\preliminary drawing.pif.exe"
Imagebase:	0x2f0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	04:17:55
Start date:	14/01/2025
Path:	C:\Users\user\Desktop\preliminary drawing.pif.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\preliminary drawing.pif.exe"
Imagebase:	0x990000
File size:	996'915 bytes
MD5 hash:	ECAD35AA0A2834EDDE088DBA8063486D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000003.00000002.4116857570.0000000000FC7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	04:17:55
Start date:	14/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	11%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	1.3%
Total number of Nodes:	239
Total number of Limit Nodes:	14

Executed Functions

Function 08BC75E8 Relevance: 6.9, Strings: 5, Instructions: 628
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hbq, xrefs: 08BCA783
Hbq, xrefs: 08BCA63B
Hbq, xrefs: 08BCA521
Hbq, xrefs: 08BCA5B4
Hbq, xrefs: 08BCA6C5

Memory Dump Source

Source File: 00000000.00000002.1677752321.0000000008BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8bc0000_preliminary drawing.jbxd

Similarity

API ID:
String ID: Hbq$Hbq$Hbq$Hbq$Hbq
API String ID: 0-1677660839
Opcode ID: 56e715390672e703ed44abac8203d8d1963c98c63db986f3a2143b186591303d
Instruction ID: e16ad1c6cd74c22cd963b93953e3dd94b912722677b07451a23f0cf64a5657b7
Opcode Fuzzy Hash: 56e715390672e703ed44abac8203d8d1963c98c63db986f3a2143b186591303d
Instruction Fuzzy Hash: 0E326D70A002688FDB54DFA9C8907AEBBF2FF84301F1485AED449AB395DB349D46CB51

Function 074F683F Relevance: .3, Instructions: 310COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1676885231.00000000074F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74f0000_preliminary drawing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52b296af4eb84d3dcd1ee36f452d9fe2a6bb6c25afad810d9aeabfb99e78de2d
Instruction ID: c5560d7acdd6d1fba1ce2cb20fd29ad4062fc2a2d9a29de6a92349e92d727277
Opcode Fuzzy Hash: 52b296af4eb84d3dcd1ee36f452d9fe2a6bb6c25afad810d9aeabfb99e78de2d
Instruction Fuzzy Hash: 25D1F5B0D05219CFDB14CFAAC884AEEBBF2BF4A300F1595AAD509A7251D7345986CF12

Function 074F68B0 Relevance: .3, Instructions: 289COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1676885231.00000000074F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74f0000_preliminary drawing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f868ae8bf971fa225da09c8b8b8e18013a4c4fb425a62e0f76423561b21cc1a
Instruction ID: 8ee5888dd868af66852aa5188f74da01cae8b67c52f3cee81f1c3e0d66c9d4c8
Opcode Fuzzy Hash: 0f868ae8bf971fa225da09c8b8b8e18013a4c4fb425a62e0f76423561b21cc1a
Instruction Fuzzy Hash: A0C1B2B0D04219CFDB14CFAAC884AEEBBF2FF4A300F1595AAD509A7251D7745986CF12

Function 08BC9F50 Relevance: .3, Instructions: 283COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1677752321.0000000008BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8bc0000_preliminary drawing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c1d142c8149ce47aec145ea04bddba9a6939385d16798a18960a9a8c38c77f1
Instruction ID: 224bc34cb83781787457be4d51247f7b79ba0dd386741532bd0b51f2f640d820
Opcode Fuzzy Hash: 7c1d142c8149ce47aec145ea04bddba9a6939385d16798a18960a9a8c38c77f1
Instruction Fuzzy Hash: 8AC16CB4E002288FDF15CFA9C88079DBBB2EF89311F14D5AAD449AB255DB30E985CF51

Function 074F689F Relevance: .3, Instructions: 273COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1676885231.00000000074F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74f0000_preliminary drawing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78f3e1c75fcca5815a3df4848f46ca90fbe48312601c6dc6a73375a88ef98cb0
Instruction ID: c54e42d783d20a8aeb97768ee07d5e73b977967275df8f6df8f577cc0c91a6c4
Opcode Fuzzy Hash: 78f3e1c75fcca5815a3df4848f46ca90fbe48312601c6dc6a73375a88ef98cb0
Instruction Fuzzy Hash: 0FC1D3B0D04219CFDB14CFAAC884BEDBBF2BF8A300F1595AAD509A7251D7745986CF11

Function 074F5D40 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1676885231.00000000074F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74f0000_preliminary drawing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e00e8fc99f4e06d00e41d8bc965812bb119ec6066d7d3afde632b8b4e18ad128
Instruction ID: 7a5717fbef88558a96e2f99008f2787495b21dd843cf5c7fc915f9d0a17682d6
Opcode Fuzzy Hash: e00e8fc99f4e06d00e41d8bc965812bb119ec6066d7d3afde632b8b4e18ad128
Instruction Fuzzy Hash: A49104B0D06219DFDB14CFAAD4487EDFBB6BF4A300F10846AE629A7251DB744995CF40

Function 074FA510 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1676885231.00000000074F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74f0000_preliminary drawing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c89be2fed115831051dcdf11df76baa68f3bea7ec709a2f19bfd445d08ef9186
Instruction ID: a72c24268f9a1b93cb85777e14432aa5c53244403ccdcee2b07054a7e05aeee8
Opcode Fuzzy Hash: c89be2fed115831051dcdf11df76baa68f3bea7ec709a2f19bfd445d08ef9186
Instruction Fuzzy Hash: 60211DB1D056189FEB18CFA7D8457DEFFF6AFC9300F04C06AD40866254DB75094A8B91

Function 00FDD551 Relevance: 6.1, APIs: 4, Instructions: 132
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00FDD5DE
GetCurrentThread.KERNEL32 ref: 00FDD61B
GetCurrentProcess.KERNEL32 ref: 00FDD658
GetCurrentThreadId.KERNEL32 ref: 00FDD6B1

Memory Dump Source

Source File: 00000000.00000002.1670287577.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_preliminary drawing.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: aa83da974400ca9ccaeb33eb56a1bfcfe699a169b2c8d8c407888ced68fd2121
Instruction ID: 150667d168f3e2b732d665995b9dd70035e09491fae15322d9a3f6908bf18415
Opcode Fuzzy Hash: aa83da974400ca9ccaeb33eb56a1bfcfe699a169b2c8d8c407888ced68fd2121
Instruction Fuzzy Hash: 025165B09003098FDB04CFAAD588BDEBBF1AB48314F248459D018A73A1DB34A889CF65

Function 00FDD560 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00FDD5DE
GetCurrentThread.KERNEL32 ref: 00FDD61B
GetCurrentProcess.KERNEL32 ref: 00FDD658
GetCurrentThreadId.KERNEL32 ref: 00FDD6B1

Memory Dump Source

Source File: 00000000.00000002.1670287577.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_preliminary drawing.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 4aa86e14e51fd9da1dc3b783d263d3cdfd9de056217afabbf754096562d9fc33
Instruction ID: f3bc32112805980ba7bfaf90d5793b774b0caf924d09003d04f197d8b7eba0f1
Opcode Fuzzy Hash: 4aa86e14e51fd9da1dc3b783d263d3cdfd9de056217afabbf754096562d9fc33
Instruction Fuzzy Hash: 1C5167B0D002098FDB04DFAAD588BDEBBF1EB48314F248459D018A73A1DB34A988CF65

Function 05042514 Relevance: 2.7, Strings: 2, Instructions: 162
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 050439EE
, xrefs: 050439E7

Memory Dump Source

Source File: 00000000.00000002.1674047170.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5040000_preliminary drawing.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-227171996
Opcode ID: 90f49b2282ca907ebd9acb4aa4886265be8ca21530db4e7eefa6dabb62d7438a
Instruction ID: 09d974026807564b5986a31be4adbfa8a6e75669c3483557f93d56a2ff88d18c
Opcode Fuzzy Hash: 90f49b2282ca907ebd9acb4aa4886265be8ca21530db4e7eefa6dabb62d7438a
Instruction Fuzzy Hash: 6271D431940601CFDB10EF29D4C5969B7F5FF85304B418AA8E949AB726EB31F999CF80

Function 050439AB Relevance: 2.7, Strings: 2, Instructions: 159
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 050439EE
, xrefs: 050439E7

Memory Dump Source

Source File: 00000000.00000002.1674047170.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5040000_preliminary drawing.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-227171996
Opcode ID: b28bfc595086df4bea0fc5d4cadca71020b69337afd89b7fa629aa6d1ec3bc07
Instruction ID: 7095ec485d802897795a0a269f3f1848a8ae169654234835b3be5fd3a22e5998
Opcode Fuzzy Hash: b28bfc595086df4bea0fc5d4cadca71020b69337afd89b7fa629aa6d1ec3bc07
Instruction Fuzzy Hash: 3161D331940701CFDB10EF29D485969B7F5FF85304B418AA8E949AB716EB31F999CF80

Function 050483E0 Relevance: 2.6, Strings: 2, Instructions: 118COMMON

Download Yara Rule

Strings

Hbq, xrefs: 0504850E
Hbq, xrefs: 050484A8

Memory Dump Source

Source File: 00000000.00000002.1674047170.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5040000_preliminary drawing.jbxd

Similarity

API ID:
String ID: Hbq$Hbq
API String ID: 0-4258043069
Opcode ID: 9c551a447023eb81fbc1ef61f6a26253481b096929c2b3c5b4d206cf7e749304
Instruction ID: 5d565cf3bea00202bc5c0d825acc5426c5114ffa1430f9aafd44813986648cd5
Opcode Fuzzy Hash: 9c551a447023eb81fbc1ef61f6a26253481b096929c2b3c5b4d206cf7e749304
Instruction Fuzzy Hash: BD418270B002198FCB45EFB984555AE7AF7FFC9240B14846AD405E7395EF389D0687A1

Function 08BB07B5 Relevance: 1.7, APIs: 1, Instructions: 249processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 08BB09F6

Memory Dump Source

Source File: 00000000.00000002.1677731350.0000000008BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8bb0000_preliminary drawing.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: da1fb424f2b6d395bbe85f7d31769ccf398c7d854b91dce097dbffba89305ac4
Instruction ID: cd9557464ee5ac9a217654e928734a92305f9c8fb3b9301ca69447f6e5788342
Opcode Fuzzy Hash: da1fb424f2b6d395bbe85f7d31769ccf398c7d854b91dce097dbffba89305ac4
Instruction Fuzzy Hash: 17A15B71D00619DFDB24DFA8C841BEEBBB2FF44310F1485A9E849A7250DBB49986CF91

Function 08BB07C0 Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 08BB09F6

Memory Dump Source

Source File: 00000000.00000002.1677731350.0000000008BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8bb0000_preliminary drawing.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: d4a78c490330bca647ed2a46e58c341d323aff882369e144ee5f63e0d7516be6
Instruction ID: d6b39b80c89dab3f175f4349f5d3f63ca70d5a11017bfbab72d741085725847f
Opcode Fuzzy Hash: d4a78c490330bca647ed2a46e58c341d323aff882369e144ee5f63e0d7516be6
Instruction Fuzzy Hash: 5E915C71D00619DFDB20DFA8C8417EEBBB2FF44311F1485A9E849A7290DBB49986CF91

Function 00FDB2B9 Relevance: 1.7, APIs: 1, Instructions: 202COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00FDB51E

Memory Dump Source

Source File: 00000000.00000002.1670287577.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_preliminary drawing.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: f25d36d76eec8ab28dbcc077fe3d82b17d7db29c91c0dd0c7a11b8410e98f8a9
Instruction ID: 73ce7f8fe80ae73ad07085f222a58195cc9bafe6aad6a4f3651c995dd4546230
Opcode Fuzzy Hash: f25d36d76eec8ab28dbcc077fe3d82b17d7db29c91c0dd0c7a11b8410e98f8a9
Instruction Fuzzy Hash: B4813370A00B058FD724DF69D44175ABBF2FF88310F148A2AE08AD7B50DB35E94ADB91

Function 00FD4538 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 00FD5DA9

Memory Dump Source

Source File: 00000000.00000002.1670287577.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_preliminary drawing.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 1e54f8e89b722fd8473acc8d9c048ed485330e5ccfd949021cb8930d41b90445
Instruction ID: 29dba9fac9300bea13270003bd9f055ef4055c268dd69e0ded55727ec4eb5f7f
Opcode Fuzzy Hash: 1e54f8e89b722fd8473acc8d9c048ed485330e5ccfd949021cb8930d41b90445
Instruction Fuzzy Hash: CA41E3B0C04719CFDB24DFA9C844B9EBBF6BF48704F24806AD408AB255DB75694ACF90

Function 00FD5CEC Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 00FD5DA9

Memory Dump Source

Source File: 00000000.00000002.1670287577.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_preliminary drawing.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: da2b352cc77f59c9c69dab7eaa53916ace0a0019ca459af35157833c6def4721
Instruction ID: 843adbfe35f84f9fafdf09650de1899155ab7b9d833e114eeb70f503c4325d20
Opcode Fuzzy Hash: da2b352cc77f59c9c69dab7eaa53916ace0a0019ca459af35157833c6def4721
Instruction Fuzzy Hash: 2341C2B0C04619CEDB24DFA9C8847DEFBF6BF48704F24806AD408AB255DB75694ACF90

Function 08BCA888 Relevance: 1.6, APIs: 1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1677752321.0000000008BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8bc0000_preliminary drawing.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: d4497aa8b87812d8f653699cbef3216fb312ab925a35172152850da99b39975d
Instruction ID: d7c2f7cc44c46888935142def07b1eae3f52f3e9d657eabf60b2039882438599
Opcode Fuzzy Hash: d4497aa8b87812d8f653699cbef3216fb312ab925a35172152850da99b39975d
Instruction Fuzzy Hash: 0F31BAB2904358DFCB12CFA9D840ADEBFF4EF09320F14849AE654AB261C3359854CFA0

Function 074FF8E9 Relevance: 1.6, APIs: 1, Instructions: 75threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 074FF96E

Memory Dump Source

Source File: 00000000.00000002.1676885231.00000000074F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74f0000_preliminary drawing.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 041f7df9246ae8e8c358d32bd47a77bcb5311bdf40a80b3673afea083510c95a
Instruction ID: 53d1bdf828967ce9e1c6e26abc20452d7233514532cb5af8e9df31018825673e
Opcode Fuzzy Hash: 041f7df9246ae8e8c358d32bd47a77bcb5311bdf40a80b3673afea083510c95a
Instruction Fuzzy Hash: 98215EB29002099FDB10DFAAD485BEFFBF4EF49324F10842AD559A7250C778A544CFA5

Function 08BB0531 Relevance: 1.6, APIs: 1, Instructions: 73injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 08BB05C8

Memory Dump Source

Source File: 00000000.00000002.1677731350.0000000008BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8bb0000_preliminary drawing.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 7b3bcceb77608b60c75ee00de7a9a35db376ed74cad2cabf74d4c3027893891f
Instruction ID: 35bf18bb4c1a54a07c3c721edf50e35edac4c873a75de7a54f1a5ea1eb523a05
Opcode Fuzzy Hash: 7b3bcceb77608b60c75ee00de7a9a35db376ed74cad2cabf74d4c3027893891f
Instruction Fuzzy Hash: 4A215AB19003099FCB10DFA9D885BEEBBF5FF48310F10842AE559A7650C778A944CBA5

Function 08BB0620 Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 08BB06A8

Memory Dump Source

Source File: 00000000.00000002.1677731350.0000000008BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8bb0000_preliminary drawing.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 1f8b41546a48d16c7a797cc38415f3bffaf63e12ed2a03d46938e7b012d0e7d7
Instruction ID: 4aef5e8a4e860b52806a1fd2892030d3c62e2f61256add052831ac098d53adca
Opcode Fuzzy Hash: 1f8b41546a48d16c7a797cc38415f3bffaf63e12ed2a03d46938e7b012d0e7d7
Instruction Fuzzy Hash: 7D217AB18003099FCB10DFA9C845AEEFBF5FF48320F10842AE559A3250C7749541CBA4

Function 08BB0538 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 08BB05C8

Memory Dump Source

Source File: 00000000.00000002.1677731350.0000000008BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8bb0000_preliminary drawing.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 6a02b49a037f4a6b8867a8f27494899447d162c5ddb0c6a180e129ee7197dc7b
Instruction ID: 5d69d06412623f1b7a2080ff26d3cd33637ff45890e88e2716ed347f40feec9e
Opcode Fuzzy Hash: 6a02b49a037f4a6b8867a8f27494899447d162c5ddb0c6a180e129ee7197dc7b
Instruction Fuzzy Hash: 7C2139B19003599FCB10DFA9C885BEEBBF5FF48310F10842AE959A7250C778A955CBA4

Function 00FDD7A0 Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00FDD82F

Memory Dump Source

Source File: 00000000.00000002.1670287577.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_preliminary drawing.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 659379f509cc9c4c62522a0f45ebc795da2c19d3da5c23e433c6de07763c05cf
Instruction ID: 1144639eb916fd6b105c26ad1badbc05b9a9be7475345e4bfdad4113b85cd59a
Opcode Fuzzy Hash: 659379f509cc9c4c62522a0f45ebc795da2c19d3da5c23e433c6de07763c05cf
Instruction Fuzzy Hash: 3B2103B5D002489FDB10CFA9D485ADEBFF5EB48320F14842AE958A7321D379A945CFA1

Function 074FF8F0 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 074FF96E

Memory Dump Source

Source File: 00000000.00000002.1676885231.00000000074F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74f0000_preliminary drawing.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 536331d110211aa9cafa31e48203b6b21999053da99db465a03f96286bacb88d
Instruction ID: 78571c3516341a98bfca44ff604d2cd11e3cbbf0a73baac77425868f02dbf5d3
Opcode Fuzzy Hash: 536331d110211aa9cafa31e48203b6b21999053da99db465a03f96286bacb88d
Instruction Fuzzy Hash: 152138B19003099FDB10DFAAC485BEEBBF4EF49324F10842AD559A7250CB78A944CFA5

Function 08BB0628 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 08BB06A8

Memory Dump Source

Source File: 00000000.00000002.1677731350.0000000008BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8bb0000_preliminary drawing.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 4601efb24630bb8f5ed3a966d5190f1256b8eaae2f57c405f0feb6d0b56b825c
Instruction ID: 821d68790494b11513a98769b456686de06b76e38ca15c6884b88bd5362c1089
Opcode Fuzzy Hash: 4601efb24630bb8f5ed3a966d5190f1256b8eaae2f57c405f0feb6d0b56b825c
Instruction Fuzzy Hash: D12128B18003599FCB10DFAAC845AEEFBF5FF88310F10842AE559A7250C7799545CBA5

Function 00FDD7A8 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00FDD82F

Memory Dump Source

Source File: 00000000.00000002.1670287577.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_preliminary drawing.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 709657fbe320043a00f3e5048a441f8982b8f8bf6cfe8e41e3b4a6e2b8a1b7af
Instruction ID: 4a85665b44bfd9e4b92bdc05b18b28d209a864b13a7c10654ed609b2d0685813
Opcode Fuzzy Hash: 709657fbe320043a00f3e5048a441f8982b8f8bf6cfe8e41e3b4a6e2b8a1b7af
Instruction Fuzzy Hash: A221E4B5D002089FDB10CF9AD584ADEBFF5FB48320F14841AE918A3350D375A944DFA5

Function 08BB0471 Relevance: 1.6, APIs: 1, Instructions: 57memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 08BB04E6

Memory Dump Source

Source File: 00000000.00000002.1677731350.0000000008BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8bb0000_preliminary drawing.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: cf567aeb894cfe64f84fb3ff565c330cca976bcd96efa836deb94b2c7e6ed8ab
Instruction ID: 2ba0eb22ea44b26b2ca93334b1144504e38affdd8b4b5815c0d14ce6a8036cad
Opcode Fuzzy Hash: cf567aeb894cfe64f84fb3ff565c330cca976bcd96efa836deb94b2c7e6ed8ab
Instruction Fuzzy Hash: 021189728002099FCB20DFA9C845BEFBFF5EF88320F108819E419A7250CB75A544CFA1

Function 08BC7624 Relevance: 1.6, APIs: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,08BCA8A2,?,?,?,?,?), ref: 08BCA947

Memory Dump Source

Source File: 00000000.00000002.1677752321.0000000008BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8bc0000_preliminary drawing.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 3f8875c95b1dadd9c6411adbc4af1eba92992d48ec2a7896e9778698f38fe147
Instruction ID: 71059d3dc53656dd92e39ecbe72d7550249be0c3136eb7233cd496d744f58ceb
Opcode Fuzzy Hash: 3f8875c95b1dadd9c6411adbc4af1eba92992d48ec2a7896e9778698f38fe147
Instruction Fuzzy Hash: 531167B180025DDFDB10CF9AD844BDEBFF8EB48320F14845AE554A7260C375A950CFA4

Function 08BB0478 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 08BB04E6

Memory Dump Source

Source File: 00000000.00000002.1677731350.0000000008BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8bb0000_preliminary drawing.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: c06c57aff774643154b3ce6ca17115eca924fbe1da5d132b26be1c08e71e2397
Instruction ID: 0d114b7f27454782d684616280fc6a1b05161c497718b0bd11a4721ff498454b
Opcode Fuzzy Hash: c06c57aff774643154b3ce6ca17115eca924fbe1da5d132b26be1c08e71e2397
Instruction Fuzzy Hash: 771137729002499FCB10DFAAC844BEFBFF5EF88320F108419E559A7250CB75A554CFA5

Function 08BB30C8 Relevance: 1.6, APIs: 1, Instructions: 51windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 08BB312D

Memory Dump Source

Source File: 00000000.00000002.1677731350.0000000008BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8bb0000_preliminary drawing.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 743c6801d06a0b106c4b205ebf392bcb585220220b5e787f1f0eb07284e90d5a
Instruction ID: 4d4ca60939040f1868ee914ed798cd6bf1f85c655243db6de70ada32dd000706
Opcode Fuzzy Hash: 743c6801d06a0b106c4b205ebf392bcb585220220b5e787f1f0eb07284e90d5a
Instruction Fuzzy Hash: B211F5B69002489FDB10DF99D885BEFFFF8EB58320F10845AE954A7210D375A544CFA1

Function 074FF838 Relevance: 1.6, APIs: 1, Instructions: 50threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 074FF8A2

Memory Dump Source

Source File: 00000000.00000002.1676885231.00000000074F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74f0000_preliminary drawing.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: be80e79b1e7b0b1847bd181edeb8fdabd6db3d644a2f1ef6f4cc1bb290457299
Instruction ID: 68db0483417639d182d4dcb2ea23556eba580875a9b2a89fad1a38a24e1631fb
Opcode Fuzzy Hash: be80e79b1e7b0b1847bd181edeb8fdabd6db3d644a2f1ef6f4cc1bb290457299
Instruction Fuzzy Hash: 3E116DB1D042488FDB10DFA9C4447EEFBF5EF88324F20842AD519A7250C7355944CF95

Function 074FF840 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 074FF8A2

Memory Dump Source

Source File: 00000000.00000002.1676885231.00000000074F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74f0000_preliminary drawing.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: d9098739f222678204bf5d91f559fc3dc20a6fc490b9940cbc791cb0e6fbbdc0
Instruction ID: 018b28477ea6115af281ec5d284127e557109ab74b7e04fc9800e9dd0f0e442f
Opcode Fuzzy Hash: d9098739f222678204bf5d91f559fc3dc20a6fc490b9940cbc791cb0e6fbbdc0
Instruction Fuzzy Hash: FF1158B1D002488BDB10DFAAC4447DEFBF4EF88324F20842AC519A7250CB35A544CB95

Function 00FDB4B8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00FDB51E

Memory Dump Source

Source File: 00000000.00000002.1670287577.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_preliminary drawing.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 396fbc993b810806f715905c0bec529a86dbf3a3d1a3d00f621950532c6fdc8d
Instruction ID: a2450c8e2817c9101865e5866446003bdfd415d465ab67d4430be45163670e44
Opcode Fuzzy Hash: 396fbc993b810806f715905c0bec529a86dbf3a3d1a3d00f621950532c6fdc8d
Instruction Fuzzy Hash: 251110B5C00249CFCB10CF9AD444BDEFBF5AB88324F18842AD418A7310D379A545CFA1

Function 08BB30D0 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 08BB312D

Memory Dump Source

Source File: 00000000.00000002.1677731350.0000000008BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8bb0000_preliminary drawing.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 82a1d7070e5a41704b58bbeb1a4f039c6247c20a1a15e52105175ff76184b056
Instruction ID: e0a9d4be5bb9824df32f5a673e6e37f4a47d40178557a4c09b651a0b886afce1
Opcode Fuzzy Hash: 82a1d7070e5a41704b58bbeb1a4f039c6247c20a1a15e52105175ff76184b056
Instruction Fuzzy Hash: 8111D0B58003499FDB10DF9AD885BDEBBF8EB48320F10845AE558A7250C375A984CFA5

Function 0504EBF0 Relevance: 1.5, Strings: 1, Instructions: 268COMMON

Download Yara Rule

Strings

@, xrefs: 0504EDC7

Memory Dump Source

Source File: 00000000.00000002.1674047170.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5040000_preliminary drawing.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: e33683fb09e87168abf17712f8b68c060fe5ac750081ad700c513904d3f6687b
Instruction ID: 3d96fb90317055ce6d8c1cd4c21ed9c36d1a5dc1e3fd80f6bdd436050eee2162
Opcode Fuzzy Hash: e33683fb09e87168abf17712f8b68c060fe5ac750081ad700c513904d3f6687b
Instruction Fuzzy Hash: 21D12B75D0060ACFCF04DFA8D4848EDB7B5FF48314B258A69D8466B259DB30BA89CF81

Function 0504EBE3 Relevance: 1.4, Strings: 1, Instructions: 199COMMON

Download Yara Rule

Strings

, xrefs: 0504ED93

Memory Dump Source

Source File: 00000000.00000002.1674047170.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5040000_preliminary drawing.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 6c010b1af0a63958e1b193b6a637e8792f71bccb7a96536410537ac899f5f894
Instruction ID: 31f1d5947b5c9534ed59aa09afe0e8c83be441a04e23b697ee6a499298a12552
Opcode Fuzzy Hash: 6c010b1af0a63958e1b193b6a637e8792f71bccb7a96536410537ac899f5f894
Instruction Fuzzy Hash: E6A1EB7590064ACFCF04DFA8D4848EDB7B1FF98314B258A55E846AB259DB30B999CF80

Function 0504F0C0 Relevance: .6, Instructions: 634COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674047170.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5040000_preliminary drawing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 927b117b4444904db3ee50a56e157d98e0cb224f3bb624e837b03eb41a1a3b04
Instruction ID: 081ee421a08d31dc9b4ef0f2c12f6d94d118face0012995f2c7eca65a1fc605d
Opcode Fuzzy Hash: 927b117b4444904db3ee50a56e157d98e0cb224f3bb624e837b03eb41a1a3b04
Instruction Fuzzy Hash: 3462FA31D106098FCB14EF68D8946EDB7B1FF55300F0186A9D58AA7265EF30AAD9CF81

Function 0504BF48 Relevance: .6, Instructions: 551COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674047170.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5040000_preliminary drawing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b490cf77cb70765eb42cada3697243ffff92ebb59f50e98798d281ed6d8e988
Instruction ID: 58c35611cc3b9a8c2be5a1c4020b9b6e5d8285f386c5148ef338aa475e6b3656
Opcode Fuzzy Hash: 4b490cf77cb70765eb42cada3697243ffff92ebb59f50e98798d281ed6d8e988
Instruction Fuzzy Hash: 9C42F771E00619CBDB64DFA8D8946EDB7B1BF99300F1086A9D449B7221EB30AE85CF40

Function 0504F0BB Relevance: .4, Instructions: 419COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674047170.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5040000_preliminary drawing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 215f10156e91b0fb93b136c902aa1cfe34e48cd694bba67d233400bc34bc913c
Instruction ID: 1caca20d378c311db56c9b2a687c98b0f410d50d70c44f6b62486706c8c6820e
Opcode Fuzzy Hash: 215f10156e91b0fb93b136c902aa1cfe34e48cd694bba67d233400bc34bc913c
Instruction Fuzzy Hash: 4C121C31D006198FDB14EF28D8946EDB7B1BF54304F0586A9D58AA7265EF30AEC9CF81

Function 0504BF43 Relevance: .3, Instructions: 329COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674047170.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5040000_preliminary drawing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d364490dcc02cd409ebf6ecde42bee5d295cf2717cc6e0db11e557b39bf4503
Instruction ID: 3c8a92f8cbc7279032ce9ef3f73bb34c741d32bc93c7ad87e9cb0c394340b9f0
Opcode Fuzzy Hash: 5d364490dcc02cd409ebf6ecde42bee5d295cf2717cc6e0db11e557b39bf4503
Instruction Fuzzy Hash: C8E10B71E016198FDF64DFA8D9846EDB7B2BF49300F1086A9D459BB251EB70AD81CF40

Function 0504E920 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674047170.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5040000_preliminary drawing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6efc26c1f77fa5470688fb7b9ff62920d90efed7f1ed777be6addf9743c2f05d
Instruction ID: ac70c6af6be77ef7cc752df3c1c46a86a1003651abed38338588ca3c57b2596a
Opcode Fuzzy Hash: 6efc26c1f77fa5470688fb7b9ff62920d90efed7f1ed777be6addf9743c2f05d
Instruction Fuzzy Hash: 5691077190060ACFCB41DF68D884999FBF5FF49310B14C79AE819AB256EB30E985CF80

Function 0504DCA8 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674047170.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5040000_preliminary drawing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8942ce36a0ab8414c9b7ef7bcd3778ea0c5477ad72fc617f33799d4b174c52a4
Instruction ID: 0ea8c95b92092250585922ae25a1e1c8a0981717e91241946a7675bc3a2aee46
Opcode Fuzzy Hash: 8942ce36a0ab8414c9b7ef7bcd3778ea0c5477ad72fc617f33799d4b174c52a4
Instruction Fuzzy Hash: 8171BAB9300A008FC758DF29C588959BBF2FF8921471589A9E54ACB372DB72EC41CF50

Function 0504DC98 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674047170.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5040000_preliminary drawing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21f75ac5460575ee330ae48fd29eb286d79ae05abb2bdc783c543d2e9fcd0a2b
Instruction ID: 410c36a37e98924a802f71108ab924434b620a2080e227abef0af67794cd9617
Opcode Fuzzy Hash: 21f75ac5460575ee330ae48fd29eb286d79ae05abb2bdc783c543d2e9fcd0a2b
Instruction Fuzzy Hash: 9471CCB5600A008FC758DF29C488A59BBF2FF99304B158AA9E54ACB772DB71EC41CF50

Function 0504DAB8 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674047170.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5040000_preliminary drawing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fd8c1f9ea0db6cf493123d0def3ba0f6d4e829ffd54743377e00c545cdba265
Instruction ID: 0c68e12ee147cfd7f195217f6fbb252632b36523cfca8f6da292ba60a6414424
Opcode Fuzzy Hash: 0fd8c1f9ea0db6cf493123d0def3ba0f6d4e829ffd54743377e00c545cdba265
Instruction Fuzzy Hash: 7E71A1B5A04206CFCB44CF69D584999FBF1BF48314B0986AAE84ADB712D774E885CF90

Function 05042979 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674047170.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5040000_preliminary drawing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f9762c73c052be273e12bff3713a6967445d97a70fe64c557f659a1c0ceb81a
Instruction ID: 8aa4bf374340ac7bfdfc137904c89c8e3678088ab6c6cff88b908ab14a54af90
Opcode Fuzzy Hash: 0f9762c73c052be273e12bff3713a6967445d97a70fe64c557f659a1c0ceb81a
Instruction Fuzzy Hash: 2451D434B106058FCB04EF68D8989ADBBF6FF89704F1585A9E5069B361EB70E945CF40

Function 0504E91B Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674047170.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5040000_preliminary drawing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d738306945e81b4102a873eac20dbf28b0e650c7661024a6ba9b9a1dd5cde5c
Instruction ID: 936232ee9434078c67f406e72fef3ba9d78fd6dab5c6aa1c0e7ae2a2282a781f
Opcode Fuzzy Hash: 6d738306945e81b4102a873eac20dbf28b0e650c7661024a6ba9b9a1dd5cde5c
Instruction Fuzzy Hash: 0951277191070ACFCB51DF68C884999FBB4FF49310B14879AE859AB256EB70E985CF80

Function 05042988 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674047170.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5040000_preliminary drawing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fa54990e98f3a2d6f1cc648276e04e37f23d8cb4c5c15e05aa21f0d32738a4
Instruction ID: d86f2bd92c059dd63230e49f7a16374675341a3c8f703ad7b86f547142104c1b
Opcode Fuzzy Hash: 80fa54990e98f3a2d6f1cc648276e04e37f23d8cb4c5c15e05aa21f0d32738a4
Instruction Fuzzy Hash: C551D234B106098FCB04EF68D8989ADBBB6FF89704F1585A9E5069B361EB70A945CF40

Function 05044658 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674047170.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5040000_preliminary drawing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2596aba04f2db2524c3fcc99ec6e869a1934235c490f939bddfad3c524bef5a2
Instruction ID: 6a2be98e178e1f5978b698a540ad99f9cc10cb7dee97d79f6ea2745f847fec03
Opcode Fuzzy Hash: 2596aba04f2db2524c3fcc99ec6e869a1934235c490f939bddfad3c524bef5a2
Instruction Fuzzy Hash: 4C416CB5A002298FCF11DF69EA44AAEBBFABF89314F144035D401E7354EB359945CF91

Function 05043280 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674047170.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5040000_preliminary drawing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e4412fb53f9579030b23405982756bb095a7fdfe47d629fa556f59ff5908d2c
Instruction ID: 0d5be74958bf4a359649fe6b10d046f512be3f5219bc23dbc7d0acccdffc9a1b
Opcode Fuzzy Hash: 8e4412fb53f9579030b23405982756bb095a7fdfe47d629fa556f59ff5908d2c
Instruction Fuzzy Hash: 114148B4B002199FCF69DBADE4846EDB7F2AF88204F104939E406E7341DB749981CB80

Function 0504CBD0 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674047170.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5040000_preliminary drawing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ab5ff7efc51b8a8a63a37b26cc173757d510d1401bd0c8b9b52b70196e423f1
Instruction ID: 0537713fc95a1d5151764f2400020f63303ffd12aa98f1078a26a224e1c0aa45
Opcode Fuzzy Hash: 6ab5ff7efc51b8a8a63a37b26cc173757d510d1401bd0c8b9b52b70196e423f1
Instruction Fuzzy Hash: 67414F34A10709CFCB04EF68D8849EDBBB6FF99304F118569E115AB325EB70A946CF81

Function 05047F60 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674047170.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5040000_preliminary drawing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e059f0175d5a640242af9c3e265851c4fdf4b33642e5410f04df74f2c09fe2d
Instruction ID: 2632b6b1db48859b050ad71fdbf08082a9f40dde15b393ef4485ed2e6ddd7c57
Opcode Fuzzy Hash: 9e059f0175d5a640242af9c3e265851c4fdf4b33642e5410f04df74f2c09fe2d
Instruction Fuzzy Hash: B23165B1F102559BCF54ABB9A8189BFBFFAEFD8300B148829E515D3255EF7099018B90

Function 05040F08 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674047170.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5040000_preliminary drawing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b97674cf5cb9142a5042afcc58e7bf04bbef88b7d396fd80ba2193a4ca5b1da
Instruction ID: cdde8378431a4b15e1d2aee7af20ab5e3676280be1c60594d23cda3b527c12f1
Opcode Fuzzy Hash: 3b97674cf5cb9142a5042afcc58e7bf04bbef88b7d396fd80ba2193a4ca5b1da
Instruction Fuzzy Hash: 66413C34A10709CFCB04EF68D9849EDBBB6FF89304F018569E515AB325EB71A946CF81

Function 05043130 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674047170.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5040000_preliminary drawing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ddb6aef7ab90ad4c641e17c018c5a0d01a47fc1361653d3f6a616ab47bc5b78
Instruction ID: 75432f1d193b4302829fd1385366d083c1864b9a728e94edd986c20972a898be
Opcode Fuzzy Hash: 6ddb6aef7ab90ad4c641e17c018c5a0d01a47fc1361653d3f6a616ab47bc5b78
Instruction Fuzzy Hash: F841AE74B04706CFCB24DF68D4444AEBBB2FF893047248A6DD44AAB751EB31A942CB90

Function 0504882F Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674047170.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5040000_preliminary drawing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0b8ff0f7653e5075a0e4be2cee4e22341f9587feb976b029f0ee2a464bb189a
Instruction ID: 452630b7927c7fb995c96064d22faf9dee72e47fbb1f5744a30914b3b4aff44b
Opcode Fuzzy Hash: f0b8ff0f7653e5075a0e4be2cee4e22341f9587feb976b029f0ee2a464bb189a
Instruction Fuzzy Hash: 9A41E0B1D00609DFDB20DFA9C984ADEFBB5BF49304F288429D408BB251D7756A4ACF91

Function 05047F9C Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674047170.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5040000_preliminary drawing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4088e69dc984adf1bb0e22b43c6ffa9a8f6a45fe2d92a92e8198e4d5f7c66d82
Instruction ID: 659bbe709c74af34dfd557db2c9c3659a3272b95eca27b44f456e38ab1981ff2
Opcode Fuzzy Hash: 4088e69dc984adf1bb0e22b43c6ffa9a8f6a45fe2d92a92e8198e4d5f7c66d82
Instruction Fuzzy Hash: D441EFB1D01609DBDB20DFE9C584ADEFBB5BF48304F24842AD408BB251D7756A4ACF91

Function 050477B0 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674047170.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5040000_preliminary drawing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcc835ee708e1c45cfbd6f7fb2f21776c17339ad4203cac479895b301d888d89
Instruction ID: 1659cf94ccdd3f4b2f1ba537ab001944056a8e5efd83dc71bb6076e8cfbdfd57
Opcode Fuzzy Hash: fcc835ee708e1c45cfbd6f7fb2f21776c17339ad4203cac479895b301d888d89
Instruction Fuzzy Hash: 6E41CEB0D003589FDB14CFAAD888A9EFBB1BF48714F20852AE418AB254D7746845CF91

Function 0504DAAB Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674047170.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5040000_preliminary drawing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02e5ed9cda7754014edf459a22cfe37d110cb1e7d288e3e61cb05c9540b50427
Instruction ID: 56e3595f1290fd0720367a50b53a61a196eb6c4ed63366fe98f6d0b130ad103a
Opcode Fuzzy Hash: 02e5ed9cda7754014edf459a22cfe37d110cb1e7d288e3e61cb05c9540b50427
Instruction Fuzzy Hash: D041C3B5A04206CFC754CF68D584A99FBF1BF49300B1986A9E84ADB751D730E885CF90

Function 05048553 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674047170.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5040000_preliminary drawing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad82dc7d0b99ad970a6f71697a355dab434073302c265e818ad60ce7e6b13129
Instruction ID: 2c14b497cb79c305e759ce40361e4a74fae0549f48c5ffc50fc769182574a457
Opcode Fuzzy Hash: ad82dc7d0b99ad970a6f71697a355dab434073302c265e818ad60ce7e6b13129
Instruction Fuzzy Hash: 1A41BEB0D003589FDB14CFAAD984A8EFBB5BF48714F20852AE418AB254D7756845CF91

Function 050424B4 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674047170.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5040000_preliminary drawing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30553eb5de0484eb6ed3e009869e00fb82b6c7acf8ed0f58da9ed31f6e737d4b
Instruction ID: a9fe3d75fa2cb105e61297a36b29d6461f4259eee86518606bfa95ba5a9780e4
Opcode Fuzzy Hash: 30553eb5de0484eb6ed3e009869e00fb82b6c7acf8ed0f58da9ed31f6e737d4b
Instruction Fuzzy Hash: A031A775E04341CBEB14EF69E8947A9B7B6FF88314F098979D8096B245EF30A494CF60

Function 0504A863 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674047170.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5040000_preliminary drawing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edc773001e4c5a055aeca72d120a3681815bae3088918160cf2dd2092cd958ff
Instruction ID: de73977144a57efd195773ba406f255af64c67604fd22afb96d59af697a73da9
Opcode Fuzzy Hash: edc773001e4c5a055aeca72d120a3681815bae3088918160cf2dd2092cd958ff
Instruction Fuzzy Hash: AB410775A0020ADFCB40DF69D88499EFBB6FF49310B15C669E918AB315E730E985CF90

Function 0504A868 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674047170.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5040000_preliminary drawing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 142c9c6734ddb68091297293d0475cf2c59a08219f6b965bce13bafbdb994a5d
Instruction ID: b2e73d2fa107665e75216666b8375c8f98f710deafabf7889ac33f100179180f
Opcode Fuzzy Hash: 142c9c6734ddb68091297293d0475cf2c59a08219f6b965bce13bafbdb994a5d
Instruction Fuzzy Hash: F841F775A0020ADFCB40DF69D88499EFBB6FF49310B15C669E918AB315E730E985CF90

Function 0504CAD8 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674047170.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5040000_preliminary drawing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f828201785ee8661c81c824ca9f94340e8cb9a75f08e090652af5af4a133e1a2
Instruction ID: af484fb54088729f3f4b713cb6175ce950e2e423342ea97a7a80344e583c965e
Opcode Fuzzy Hash: f828201785ee8661c81c824ca9f94340e8cb9a75f08e090652af5af4a133e1a2
Instruction Fuzzy Hash: 20316D75B012159FCF04EB64E8588DDB7B6FF89210B058579E906AB351EB31AD46CF80

Function 0504A0B4 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674047170.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5040000_preliminary drawing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 635ac1eebf3112c7e5f850e633fb50a9e2c50a1007b1b670b2f61823bf1104bb
Instruction ID: f3eff6b783faf9b44d6d5d1c14b0cad0dea9874e6b77d39465e18123abde0886
Opcode Fuzzy Hash: 635ac1eebf3112c7e5f850e633fb50a9e2c50a1007b1b670b2f61823bf1104bb
Instruction Fuzzy Hash: 6621D6723542008FCB149F2CE88966D7BE2FF89311B1984B5E14ACF3A6DE35DC048B90

Function 050437A3 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674047170.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5040000_preliminary drawing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 149521e70c134e238dd8ba326bed7a40497cb997b12c41422aa8097602ff881a
Instruction ID: fe6d2730c709480498698f718024378598778d7b6fbd1b78cbad1847186f29ac
Opcode Fuzzy Hash: 149521e70c134e238dd8ba326bed7a40497cb997b12c41422aa8097602ff881a
Instruction Fuzzy Hash: 6031A575E04341CBEB14EF69E8847A9B7A6FF88314F098979D8096B346EF309494DB60

Function 0504326F Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674047170.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5040000_preliminary drawing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5695b796a3d3e76d200096c566de01b6f8c3f2538a2a1daafd4da1df23fbde5c
Instruction ID: 80374fbfb378720a09df1a19077fee8544991796145f5c8a6860f051c673446e
Opcode Fuzzy Hash: 5695b796a3d3e76d200096c566de01b6f8c3f2538a2a1daafd4da1df23fbde5c
Instruction Fuzzy Hash: B6319FB1B00209DFCF68DB69E4846EDB7F2BF89201F04543AE406E7350EB74A981CB80

Function 050489BB Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674047170.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5040000_preliminary drawing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6c2d78286741c7e98f5a694c0e6e3499554645458ac48e2a0b72615d8a933da
Instruction ID: 1a17207ebab0cb303d7248dd933b4709a251078901f32fa89f3ae63665ba6c4b
Opcode Fuzzy Hash: b6c2d78286741c7e98f5a694c0e6e3499554645458ac48e2a0b72615d8a933da
Instruction Fuzzy Hash: 532141B1B001155BDB50EB59DD449FFBBFAEFD8200B14C926E615D3254EB709A018B90

Function 00D6D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1669507245.0000000000D6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6d000_preliminary drawing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24b4763f22c80c6ecbddc379aa22d6fee8b8497e80ffd41773fee86c7b336215
Instruction ID: 59e7c332fa1e62a42f2e5b0ea0ccceb87a3b01a2cb84639bf2f7d668bd700f45
Opcode Fuzzy Hash: 24b4763f22c80c6ecbddc379aa22d6fee8b8497e80ffd41773fee86c7b336215
Instruction Fuzzy Hash: 63212571A00244DFDB05DF14E9C0B26BF66FB98324F24C169E9094B25AC736FC56CAB2

Function 00D6D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1669507245.0000000000D6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6d000_preliminary drawing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 428792d3ce0876344459068973f4a7e65ec61375ad562962ca9e458faa4e7fb5
Instruction ID: 578bef2445d15ed72d9afd4ef79b19407bfec6bf00aa6392f1ac97df933069f9
Opcode Fuzzy Hash: 428792d3ce0876344459068973f4a7e65ec61375ad562962ca9e458faa4e7fb5
Instruction Fuzzy Hash: 4B212571A04240DFCB05DF14E9C0B26BF66FB98318F24C569E84A4B656C336D856CAB1

Function 05042F98 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674047170.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5040000_preliminary drawing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fad22e260cff9d2dc1fa3764063f412072ff4d7e1bd9901376a6e590558b18ba
Instruction ID: d3f3e18f3a74517e85ca4054287988529f01196407db4edc35fc1ccc7a56c490
Opcode Fuzzy Hash: fad22e260cff9d2dc1fa3764063f412072ff4d7e1bd9901376a6e590558b18ba
Instruction Fuzzy Hash: 59215E703002118FCB58DB28D454A6D77EAEF85714B14847DE506CB3A1DB72EC46CF50

Function 00D8D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1669583491.0000000000D8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d8d000_preliminary drawing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c3107b4077c35d737145ae694679d91f14f2c5b730ecfa36b072b8151131a90
Instruction ID: 2b37dc45413648738619d5983e632c06611d937836be0ffd3bb4feb6584ffe0c
Opcode Fuzzy Hash: 9c3107b4077c35d737145ae694679d91f14f2c5b730ecfa36b072b8151131a90
Instruction Fuzzy Hash: F121F271604204EFDB14EF14D984B26BBA6EB84314F24C569E84A4B2D6C33AD847CB71

Function 00D8D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1669583491.0000000000D8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d8d000_preliminary drawing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b13053859810697d60e2b3fd942bc1544a3e74b371fa5f15fdb5ee1b4aa80949
Instruction ID: 8f2d385ab87ab33474e547ae17b1ef17363024b9168b638482aa0df7a854e544
Opcode Fuzzy Hash: b13053859810697d60e2b3fd942bc1544a3e74b371fa5f15fdb5ee1b4aa80949
Instruction Fuzzy Hash: EC210471504204EFDB05EF14D9C4B2ABBA6FB84314F24C66DE8494B2D6C336D846CB75

Function 05042F91 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674047170.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5040000_preliminary drawing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 833048f257cdf9a69cd909a90bb8f5f0fdd6b28a2e394c12ef32e1e1fa52ac0b
Instruction ID: b81254a0c47eb2c5960b1006e649e7059e337fdff3763dc9ca30d1edd652bdc0
Opcode Fuzzy Hash: 833048f257cdf9a69cd909a90bb8f5f0fdd6b28a2e394c12ef32e1e1fa52ac0b
Instruction Fuzzy Hash: A9215B743002118FCB68DB28D454A6DB7E6EF85714B2485BEE506CB3A1DB72EC46CF50

Function 0504FAD0 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674047170.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5040000_preliminary drawing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f51d3d7c5274396d16fac279cf6b443b6a5a488e76c839528099368c99109b4
Instruction ID: b4fdb2c2e715b38484b97cf3445f6919a9e7a69f240d8959396d4cf8c17b6fd5
Opcode Fuzzy Hash: 2f51d3d7c5274396d16fac279cf6b443b6a5a488e76c839528099368c99109b4
Instruction Fuzzy Hash: B42141319106199FCB10EF69D84099EFBF5FF4A311B50C26AE958A7300EB31A998CBD1

Function 050483DB Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674047170.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5040000_preliminary drawing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c392a098b670bd64fe000f99f496b854c94415d1ad097e4d65c53e30176467b
Instruction ID: 28785e51c9abb052284fd2a3ac5e13b922c2062e0a82b837611f3fad8af0d3ce
Opcode Fuzzy Hash: 7c392a098b670bd64fe000f99f496b854c94415d1ad097e4d65c53e30176467b
Instruction Fuzzy Hash: 08219375E0021A9BDF04DBA9D9809FEB7F6FF88300B14443AD405E7350EB349A418BA1

Function 05042CC0 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674047170.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5040000_preliminary drawing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eee396dcb6f4c4c54b27f1fad44251870a2567b7859e13160a8a3d8df135104b
Instruction ID: 38f771d63ea03cf0cd967cdacf30f48072d2cb87ed696dfa362575d5cc722841
Opcode Fuzzy Hash: eee396dcb6f4c4c54b27f1fad44251870a2567b7859e13160a8a3d8df135104b
Instruction Fuzzy Hash: B311B475F00B168BDB21EFA9A8416BEB7F2FFC4710F14853AE506A7314DB7899418B81

Function 0504312B Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674047170.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5040000_preliminary drawing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9755a76460f891f277c6fbf1d5fc91c525b7bb6f1284785d095c761937ac406
Instruction ID: ae7f8ce01fcdfcfdc8f5f122650f64f2c14235be747e3a94790b3343b813a62f
Opcode Fuzzy Hash: a9755a76460f891f277c6fbf1d5fc91c525b7bb6f1284785d095c761937ac406
Instruction Fuzzy Hash: 08210A74B0070ACF8B24DF65D5848AEB7F2FF853047108929E55AA7651DB31B946CF90

Function 05048730 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674047170.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5040000_preliminary drawing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef4a01b2e3744c26a12b236d9a04deb94e5c46f07bd9252af1388ddc0746737d
Instruction ID: f60a2ab887aa044dfe5a6b1317a6ab1cb98df9f8ebfae64ab865039702853247
Opcode Fuzzy Hash: ef4a01b2e3744c26a12b236d9a04deb94e5c46f07bd9252af1388ddc0746737d
Instruction Fuzzy Hash: 73119DB17002048FCB14EB78D5599AFB7E6EF84310B108869E9069B355EF70E9098FA0

Function 05042CB0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674047170.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5040000_preliminary drawing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffbc3ead8881373d44148fec3bb72715329cfbf978d34de90cbd374d96d8eba8
Instruction ID: c694b7eb368ab6d608017c752065439030edb02bb5112b2eee6010ae891fc660
Opcode Fuzzy Hash: ffbc3ead8881373d44148fec3bb72715329cfbf978d34de90cbd374d96d8eba8
Instruction Fuzzy Hash: A2110AB6F00A164BDB21DE69A8417BFB7F2FBC4710F18443AE506E7315D63899014BD1

Function 00D8D005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1669583491.0000000000D8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d8d000_preliminary drawing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edd551ad3d472c22632ba2c52db458434db258cebd14c70b33938a428e757c07
Instruction ID: 183c7da80bbcbb34b7bf47d479c6382d66b0b8e66d09709f8aabba08728c2bbb
Opcode Fuzzy Hash: edd551ad3d472c22632ba2c52db458434db258cebd14c70b33938a428e757c07
Instruction Fuzzy Hash: DA2180755093808FDB12DF24D994715BF72EB46314F28C5EAD8498F2E7C33A980ACB62

Function 05048723 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674047170.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5040000_preliminary drawing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9c082977c0578f0e76c74002fe7c48ec55deeccca4e829b9e57ab0cc2f8801f
Instruction ID: a25ceeff3b7c0aca8086be0d5f43cbd2d53b9f9771db384b99ac96cc7d950540
Opcode Fuzzy Hash: d9c082977c0578f0e76c74002fe7c48ec55deeccca4e829b9e57ab0cc2f8801f
Instruction Fuzzy Hash: 8711B1B16002018FC700DB68D949BAFB7F6EF80315F0488A9E546DB355EF70E9098FA1

Function 05042484 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674047170.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5040000_preliminary drawing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5938fd5a6d5caff779e13e096342db00199c6b417168551d4e9c2086b76cef9
Instruction ID: d8aea6817ad55df064421390184516d5649d111ae8f0aae70a4750ceb52dc15b
Opcode Fuzzy Hash: e5938fd5a6d5caff779e13e096342db00199c6b417168551d4e9c2086b76cef9
Instruction Fuzzy Hash: 0B214A746007058FCB68EB38D454AEEB3A6EFC5315F01887DD45A5B265DF31A88ACB81

Function 050436D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674047170.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5040000_preliminary drawing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85ff77aeb64a5f2b82f849b26b8dacc56ba4e03237d58a51b8148c5312431b57
Instruction ID: b76bcf803495f6b6372bb3ef33f77cfeb716753bb910840a4dadbf7bc35549d8
Opcode Fuzzy Hash: 85ff77aeb64a5f2b82f849b26b8dacc56ba4e03237d58a51b8148c5312431b57
Instruction Fuzzy Hash: F2116A74600705CFCB68EB38D444AEAB3B6EFC5215F01887DD4591B261DF31A88ACF81

Function 00D6D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1669507245.0000000000D6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6d000_preliminary drawing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 4e339a574aadd6c483135ab89fad8d098c35055b454507818499163d726d9eec
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: AD110372904240CFCB02CF00D5C4B16BF72FB94324F28C2A9D8090B256C33AE85ACBA1

Function 00D6D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1669507245.0000000000D6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6d000_preliminary drawing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 1a401bb2287d2da130b23acbf9884f837d99b200a1df7f0944a7e2f39fb48a0f
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: E311D376904280CFCB16CF14D5C4B16BF72FB94318F28C6AAD84A0B656C336D85ACBA1

Function 050497AA Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674047170.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5040000_preliminary drawing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab3d1ef11b3f1c01e360f7b6362183834660419f7cc43505cb1805a7b09dbe63
Instruction ID: ede0f2411e6eea2c2abeb38491fd4da1ebfe40e1daeee41d227d0ca4f6a816ba
Opcode Fuzzy Hash: ab3d1ef11b3f1c01e360f7b6362183834660419f7cc43505cb1805a7b09dbe63
Instruction Fuzzy Hash: 692127B0E02618EFCB14DFA0E6885DEFBB2FF44310F208969E49176295CB315865CF50

Function 05044C18 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674047170.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5040000_preliminary drawing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6c55fa415bbf905aeb37803428899833b4ab2b6fb69fab8d4c36979243fb9f2
Instruction ID: a3af900481e1eee863cea0fb578a6ba44f8e108354bd1ec44ba953bdd844478b
Opcode Fuzzy Hash: f6c55fa415bbf905aeb37803428899833b4ab2b6fb69fab8d4c36979243fb9f2
Instruction Fuzzy Hash: 6E119E70A40209DBCB14EFA5E5557EEB7F2EF88305F108869D546A7280CF756D09CFA1

Function 0504B5A3 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674047170.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5040000_preliminary drawing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e3742502a88ab65010b0991e9a93cc773240d44a6eb8567ef20126bf661cf9c
Instruction ID: 5f681b90650b2d646d9897127bf48f6f89a912ff04203841fc40693458b6e5ce
Opcode Fuzzy Hash: 4e3742502a88ab65010b0991e9a93cc773240d44a6eb8567ef20126bf661cf9c
Instruction Fuzzy Hash: 4901B5763442104FDB248A2DDC8966E7BD6EFC9310F1984B5E04ACF3A6DA39DC048B94

Function 00D8D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1669583491.0000000000D8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d8d000_preliminary drawing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 3683c90d87f87cdd084ae0d7c68c46443c9d4edd6d81c64eb64aa81a78beb019
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: EA11BB75504280DFCB02DF14C5C4B15BBA2FB84314F28C6AAD8494B296C33AD80ACB61

Function 050482A1 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674047170.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5040000_preliminary drawing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a69dd24de4f0074855f5b44fa78145e55b3845a0fb2bbc2c45fbc8cb4811088
Instruction ID: 686a3fa5a45bf62d6cd1e3d30cd8c3ef174ae9f561f2dfd62534446a274b162a
Opcode Fuzzy Hash: 4a69dd24de4f0074855f5b44fa78145e55b3845a0fb2bbc2c45fbc8cb4811088
Instruction Fuzzy Hash: 101120B1C046488FDB10DFAAD448A9EFBF4EF58320F14C86AD859A7220D378A545CFA1

Function 050480F0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674047170.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5040000_preliminary drawing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d42497619085a3afdd08ab3b30c2d2cf27de8e98c15070f7f72c1f4c4deb4b75
Instruction ID: 72a80d88806c065e0f5ba4728fffb123cbce6ea5cac83b5469c52fa352ae5f9c
Opcode Fuzzy Hash: d42497619085a3afdd08ab3b30c2d2cf27de8e98c15070f7f72c1f4c4deb4b75
Instruction Fuzzy Hash: 871102B1D046488FCB10DF9AD444A9EFBF4EF48320F14C82AE859A7310D378A945CFA1

Function 050482A4 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674047170.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5040000_preliminary drawing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d08cdb7cf27a3fcbf3ac4d61a2cc46ee7ecb0046823ebff78621ad148559410d
Instruction ID: 413c8e51b97ebcdab4c00d17c78dd6d9d94c04c7ff6ba291119e2c976bb7b58a
Opcode Fuzzy Hash: d08cdb7cf27a3fcbf3ac4d61a2cc46ee7ecb0046823ebff78621ad148559410d
Instruction Fuzzy Hash: B51102B1D046488FCB10DF9AD444A9EFBF4EF48320F14C82AE859A7310D378A945CFA1

Function 05048CD3 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674047170.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5040000_preliminary drawing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dde63a2e4e978166eb9aad639a876cb79db372b90d2f16472ecf4de60c913c9
Instruction ID: d5980949b6b2d39402468eba68fed3e2899c0bebaa61ede2a89ef299d48349da
Opcode Fuzzy Hash: 4dde63a2e4e978166eb9aad639a876cb79db372b90d2f16472ecf4de60c913c9
Instruction Fuzzy Hash: F91102B5C046088FCB10DF9AD444A9EFBF4EF88320F14C42AD859A7320D378A545CFA1

Function 050483C4 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674047170.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5040000_preliminary drawing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dff1d4fb7e595366eb52d6b72769461eb8ffad2371a8c963bc19a5056d103bd
Instruction ID: 2cf4d1a8bfbdd0aacb9834b9c985a5f5e55cfa40c4fe70cbc58d71c77c76c07b
Opcode Fuzzy Hash: 3dff1d4fb7e595366eb52d6b72769461eb8ffad2371a8c963bc19a5056d103bd
Instruction Fuzzy Hash: 461133B19042088FCB20DF9AD544BDEFBF5EB48320F20842AE519A7350D375A944CFA5

Function 0504A2E9 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674047170.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5040000_preliminary drawing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da30f563c76e67e409233a337f5f3a558933be2607ec201f0e4a241cbcbd3028
Instruction ID: 487d3593d61695cc2672660f6454a0933cdeee7f331e70b690afa639c09fccb5
Opcode Fuzzy Hash: da30f563c76e67e409233a337f5f3a558933be2607ec201f0e4a241cbcbd3028
Instruction Fuzzy Hash: 071133B19042488FCB20DF9AD484BDEFBF4EB48320F24841AE519A7350D375A544CFA5

Function 05044C0B Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674047170.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5040000_preliminary drawing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fe71466a6d6a0b52094a4d06af818113270090888788af8e3010e3f999c69f9
Instruction ID: a1115518666f2e4671d03a9ff24fa6a55ca9d9d48cb47d7a8964f1905227fd9d
Opcode Fuzzy Hash: 0fe71466a6d6a0b52094a4d06af818113270090888788af8e3010e3f999c69f9
Instruction Fuzzy Hash: D50122B0A002048BDB14EFA4E4593AEBBF2EF84301F048879D546AB2C4CF745909CFA1

Function 050454FF Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674047170.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5040000_preliminary drawing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be8030e7b38b2bd2e6c0c13c4c7220b4ac1a1d5a38e19e79541aabd9fe2fdc73
Instruction ID: c73f4cfcb7f426c718d5082f1c6cae73674634050ae910baa14a82b6e49c82bc
Opcode Fuzzy Hash: be8030e7b38b2bd2e6c0c13c4c7220b4ac1a1d5a38e19e79541aabd9fe2fdc73
Instruction Fuzzy Hash: 8D01B5B1A001159FDB14DF64EA9ABAF7BF2EF88315F144469F502AB348CE759C01CBA0

Function 05045508 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674047170.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5040000_preliminary drawing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6547cd3e6c202786155398b21113aa8e214fa7d5642c3bb89818501e8557c0c9
Instruction ID: 3078c6f9107039a8190b0fe77aff1992bf7b4fd843622413154f4667d5d46da0
Opcode Fuzzy Hash: 6547cd3e6c202786155398b21113aa8e214fa7d5642c3bb89818501e8557c0c9
Instruction Fuzzy Hash: AC01B170A002149FDB14DF59D95AAAFBBF6EF88714F144069F402AB348CE35AC00CBB0

Function 0504CE18 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674047170.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5040000_preliminary drawing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2398ae4c8079a5f650b9c4dcc81e73263482d069b609909581a20264aaa7532
Instruction ID: eebfe2ad9a523c411bb3609821ab2ba9fc1cc8765825a56298a9b413b24c0a74
Opcode Fuzzy Hash: c2398ae4c8079a5f650b9c4dcc81e73263482d069b609909581a20264aaa7532
Instruction Fuzzy Hash: 5F0105706017048FD724EF2AD4445AA77B6BF96340B50C57ED4468B261EB31E981CF80

Function 05049233 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674047170.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5040000_preliminary drawing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d000e82eee38091a48cdb40c0b76a8432b51fa650e318a228bd8ef51bd9c361
Instruction ID: 493d5b2b0af8c0251e67c6df2918e6b5c762215331880fd39ad36d441e5d2950
Opcode Fuzzy Hash: 8d000e82eee38091a48cdb40c0b76a8432b51fa650e318a228bd8ef51bd9c361
Instruction Fuzzy Hash: 8FF0C8B1B001559BCF45F6A8EC456FEBABEDF89510F08483AE609A7390CB345E01CBD5

Function 0504CE08 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674047170.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5040000_preliminary drawing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11303b492583c9129344c2ca3d9976e1ac84df29a87302f3df4f8be5d4e27cf3
Instruction ID: e3a1b7429c85a662afb78c858621ab914d862c71d4371e1119885d8b9e148666
Opcode Fuzzy Hash: 11303b492583c9129344c2ca3d9976e1ac84df29a87302f3df4f8be5d4e27cf3
Instruction Fuzzy Hash: FB011AB16466048ED764EF25E40467D77B2BF95300F44C67ED4468B261EB31D941CF40

Function 05049D10 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674047170.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5040000_preliminary drawing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cca8f8f885376c9a5c524bbdba97bcfe854bf4fa3f3a1b054d8d97f85fd0d8f
Instruction ID: 8272b4480a05f09f8f5f276641259dbbc4c3c5b095b2c7699e94aa7d85676fc8
Opcode Fuzzy Hash: 9cca8f8f885376c9a5c524bbdba97bcfe854bf4fa3f3a1b054d8d97f85fd0d8f
Instruction Fuzzy Hash: DBF02872B083540FCB19DBB568184EE7FEA8F85111B1884FFD40DC7242ED308C028751

Function 0504B3E9 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674047170.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5040000_preliminary drawing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0d49bf40613756ca29811350a2b61910ed68dbc5071a736ac56196465362a20
Instruction ID: fdd7d8928f4dd0e82c37f963c698fcc9469ca23993958fac31c27d61de5edd6a
Opcode Fuzzy Hash: e0d49bf40613756ca29811350a2b61910ed68dbc5071a736ac56196465362a20
Instruction Fuzzy Hash: 21F04FB13046504BCF5EAB24B16867D7BAAAFD5650B15407AE9068B3A1DF39C802CB91

Function 0504A094 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674047170.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5040000_preliminary drawing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28678336bf13735a19328965bd34a8ab51758a521b33d0bd8e46469b1c122453
Instruction ID: f211a97bd017d1ce5328843d595587caf319dc996ce79a0e9503d42bc66afbac
Opcode Fuzzy Hash: 28678336bf13735a19328965bd34a8ab51758a521b33d0bd8e46469b1c122453
Instruction Fuzzy Hash: C1F0E9743442118BCF64DA3AB484E3E73DFAFC8621704407AED07C3250DE20DC418E61

Function 05042C21 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674047170.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5040000_preliminary drawing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a90f38ae0305b84cb3c9a9dd45ac24a03930ebc1635cf6017d8b03333922a16c
Instruction ID: 6bc4e434ce90c2ef0aefca704999cb80f94a735ce044c479598370cd76b8f292
Opcode Fuzzy Hash: a90f38ae0305b84cb3c9a9dd45ac24a03930ebc1635cf6017d8b03333922a16c
Instruction Fuzzy Hash: DAF081757406108FC7648718D858A6937EAEFC9611F1940BAE50AC7375CE60EC01CB90

Function 0504D1D8 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674047170.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5040000_preliminary drawing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab3d3d85c40018251c17a74956a276413b7d08ea90a791903e9b3aeffe122a4b
Instruction ID: 02f80f75d48e4ac2c68bdc4a5c9d91b5080b0640bc8e71fd85a3c8894eb66fea
Opcode Fuzzy Hash: ab3d3d85c40018251c17a74956a276413b7d08ea90a791903e9b3aeffe122a4b
Instruction Fuzzy Hash: 03F06972B006008BCB156A78A4146EEBB76AFE5310F14467ED84597244EB71E642CED1

Function 05049240 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674047170.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5040000_preliminary drawing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c465e996c600733fb613149fc6e9de4fbc428a3f17b438423aa442aec006b85
Instruction ID: 89dceca3b40133edfb9aa4912db12cf1fe32c91d4f82de722c8140a9a20b9761
Opcode Fuzzy Hash: 6c465e996c600733fb613149fc6e9de4fbc428a3f17b438423aa442aec006b85
Instruction Fuzzy Hash: 23F096B1B001155B8F45E6A8AC545FEBABEAFC9510B04483AE605A7350CB301A01CBE5

Function 0504D1E3 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674047170.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5040000_preliminary drawing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b82563068efe8f053f96d257fa85071daa7787b0587ee66da1dc352f8638f2d2
Instruction ID: 4eca5a4a8ad529ab41c7cce3eabbea952d235035b7327021a24edce8c12b557f
Opcode Fuzzy Hash: b82563068efe8f053f96d257fa85071daa7787b0587ee66da1dc352f8638f2d2
Instruction Fuzzy Hash: 3CF03C72B007048BDB157AB9A4045EEB775EFE5210F05466ED84567240EF70E542CED1

Function 0504A7BB Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674047170.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5040000_preliminary drawing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b3d3132b93f93b318382232767ad164b754538b29c68cd9f3e1c66204b6b5f4
Instruction ID: c26d4525ee03770a4686fb998c57f0239f08be9090065329d97298ac387a6663
Opcode Fuzzy Hash: 0b3d3132b93f93b318382232767ad164b754538b29c68cd9f3e1c66204b6b5f4
Instruction Fuzzy Hash: 8101D631D00209DFCB40EFA8C54599DBBF4FF48310F1085AAE858E7321E7709A44CB91

Function 0504D5F0 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674047170.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5040000_preliminary drawing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb4f074d3da55f8fefae372e8edf985f941f7750c4a7911b261425da710f49d6
Instruction ID: a949086a85b936d7e39d070003725e21703fbfca44eca48da510734ad2c0ff69
Opcode Fuzzy Hash: fb4f074d3da55f8fefae372e8edf985f941f7750c4a7911b261425da710f49d6
Instruction Fuzzy Hash: 08F05E723416114FC7249E6EF88885EBBEAEFC4225340463AE10AC7761CF71DC4A8BA0

Function 0504D1E8 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674047170.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5040000_preliminary drawing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 452bd149f1de30774b964e5834864ccbc0fa4950d322e3257e1c5e4f8c32404c
Instruction ID: 2f644cd3a55f1ef5d87520b4f39e83193949ce528b8c21acc20cdd7c8bd6f992
Opcode Fuzzy Hash: 452bd149f1de30774b964e5834864ccbc0fa4950d322e3257e1c5e4f8c32404c
Instruction Fuzzy Hash: B7F03C72B007048BCB157A78A4045AEB775AFE5210F05466ED84557240EF70E542CED1

Function 0504CE16 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674047170.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5040000_preliminary drawing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 465e3c88b5af31241e5eb1d532f3395db9fb1ee0ad1b987880e23e5085c4f018
Instruction ID: 6a43f3ca214d0808dd635727e6cbbb3632701bffa0a7146b927071b5dfd53fd3
Opcode Fuzzy Hash: 465e3c88b5af31241e5eb1d532f3395db9fb1ee0ad1b987880e23e5085c4f018
Instruction Fuzzy Hash: 490124B0642B048EE724EF25E0445AA77B2BF96300B40C97ED8868B261EB30D982CF40

Function 050430C6 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674047170.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5040000_preliminary drawing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ac24a6bb89f1c19f3af6005fa473c7a7143da10edde3a5de1c7d39f6b255932
Instruction ID: 44c2f1651f2a9240914749bbe8e4c7553f9e8e4c4636e7bd1614cdd136243ffa
Opcode Fuzzy Hash: 0ac24a6bb89f1c19f3af6005fa473c7a7143da10edde3a5de1c7d39f6b255932
Instruction Fuzzy Hash: 8DF09075B402149FCB48FB7894604AE3BA6EF8531071044BAE106DB391DF358D82C7A0

Function 0504B3F8 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674047170.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5040000_preliminary drawing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e00ced84f32b3ced0c12bfcf92bd833d170c5191dc7d5e373251fbe114ba4d58
Instruction ID: 011d29cca84da33b0e8fd97eae7172c595733394f523906759e9309ba36083d9
Opcode Fuzzy Hash: e00ced84f32b3ced0c12bfcf92bd833d170c5191dc7d5e373251fbe114ba4d58
Instruction Fuzzy Hash: F7F082B5340510478F59BA39B01867D73EBAFD4650B14407DE906CB391DF3AC802DB95

Function 0504B48B Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674047170.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5040000_preliminary drawing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 875e43e7c8d09938b0efbcd8df335db7bd730e226a90904d9b50efeaf443e68a
Instruction ID: 1bf9b248ae87629167e49a9d75a475b05e1612c0e6d386f65cddc2ed7de56517
Opcode Fuzzy Hash: 875e43e7c8d09938b0efbcd8df335db7bd730e226a90904d9b50efeaf443e68a
Instruction Fuzzy Hash: 77F08C753442218BCE249A2AB484E7E37EEAFC8A61708007AA902C7690DE24D841CFA0

Function 0504D648 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674047170.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5040000_preliminary drawing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fbaa0faef38f142ae24e1f006a46fceab6601a983e8b8f58e40e14df0a463d8
Instruction ID: 1bedfa39381b8b18e007ce52e78a1b158dceb0ce1e95d103c1c1eb8bc4c882ee
Opcode Fuzzy Hash: 7fbaa0faef38f142ae24e1f006a46fceab6601a983e8b8f58e40e14df0a463d8
Instruction Fuzzy Hash: C1F0F4722016108FC714DB2CE998E6977E5FF49709B1545A9E10ACB372DB72EC81CB80

Function 0504D263 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674047170.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5040000_preliminary drawing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acc028f9eb9da29b0b69048667d6a8ce4dcbb18d0d3c12151cf711f43560973f
Instruction ID: 6de3daba24bfbac5fba508d5fcc594aef6dee38436a9b56500cff7473e1737db
Opcode Fuzzy Hash: acc028f9eb9da29b0b69048667d6a8ce4dcbb18d0d3c12151cf711f43560973f
Instruction Fuzzy Hash: 45F090323006008FC624AB1AE88491EB7FBFFC8321704056AE40687761DF71EC42CA94

Function 050498F0 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674047170.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5040000_preliminary drawing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08dd3573517c7116c662a1a89e1b395e8afa69c6f8123be779e9a6537a8e4cfe
Instruction ID: 8594fdacf09aecb3d35f602eef3c9a2aed181069cd3d5f9619d8095072a36dc8
Opcode Fuzzy Hash: 08dd3573517c7116c662a1a89e1b395e8afa69c6f8123be779e9a6537a8e4cfe
Instruction Fuzzy Hash: 94F0A0A1B142586FCB08EFB9AC188AF7FEADF84140B14C8BA9505C3292ED309C418B90

Function 0504A7C8 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674047170.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5040000_preliminary drawing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e26b3b693c3fa3a092213b46d9974f97095fdf38ae2968b16eb170a88f8efb51
Instruction ID: 4243ceffdd30f352615e2fe6667d750750fc4abca0ae9b7f9b7c733986b7bd1f
Opcode Fuzzy Hash: e26b3b693c3fa3a092213b46d9974f97095fdf38ae2968b16eb170a88f8efb51
Instruction Fuzzy Hash: 0601B675D00609DFCB40EFACC54589DBBF4FF49210B1185AAE859EB321E770AA44CF91

Function 0504D5EB Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674047170.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5040000_preliminary drawing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bfb0750e13e3cbec9494b81da35f559a9d39153d30c078497e36becdbab930e
Instruction ID: 72ff79ca0913abecac22b457ae7175c5122d1371453f9125298d204e1984b013
Opcode Fuzzy Hash: 5bfb0750e13e3cbec9494b81da35f559a9d39153d30c078497e36becdbab930e
Instruction Fuzzy Hash: 84F030723516115FC7145A6DE88981EBBE9EFC52253405539F10AC77A2CFA0DC4A8B90

Function 050498E3 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674047170.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5040000_preliminary drawing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a98495c3443d16e36ae007187c0bb94e22a177be059a357711b286ff4468dc9d
Instruction ID: a6a6dd7311df969a5a58c56e5341d443c244c24ab9214c2fa1146a644c1a3958
Opcode Fuzzy Hash: a98495c3443d16e36ae007187c0bb94e22a177be059a357711b286ff4468dc9d
Instruction Fuzzy Hash: 57E065A2B111046BD704DAA9DC4069F7EEECF80250F04C4799504D7251E93099404790

Function 05042801 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674047170.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5040000_preliminary drawing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa2ab4f916d21f6e169a009b3630eb4b08687930794228b0283a2ede8659c94d
Instruction ID: 5e1cd1b006214d517e1800618ed64dd505411d5174e5268fc805e1f7bad39c8e
Opcode Fuzzy Hash: fa2ab4f916d21f6e169a009b3630eb4b08687930794228b0283a2ede8659c94d
Instruction Fuzzy Hash: 24F06D363600118FC704DB2DD844D5AB7E9EF89A2131640FAF209CB332DA61DC01CB90

Function 05042850 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674047170.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5040000_preliminary drawing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a908486adfd86a26ed2f39649c559072f20481bea9a39765cafbba224c3b88d1
Instruction ID: 630ecda18dbdf3f01b34f98f90bad9ae3d5b2d2dd656f9ef852416ed83871273
Opcode Fuzzy Hash: a908486adfd86a26ed2f39649c559072f20481bea9a39765cafbba224c3b88d1
Instruction Fuzzy Hash: 18E06D71B04A140B5748EB6EA80086AB7DBAFC8610318C17FE40D8B726ED349C0186D0

Function 0504D658 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674047170.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5040000_preliminary drawing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7cb8d20867db84c1834c77040bba433f72e17989c9de93e6bf2537bb1a80163
Instruction ID: 25293d79e98a871f8f8ca0b6b50f1588088f7d535e9b13dc869d37009ae861a4
Opcode Fuzzy Hash: a7cb8d20867db84c1834c77040bba433f72e17989c9de93e6bf2537bb1a80163
Instruction Fuzzy Hash: 02F0DF31240610CFC718DB2CE598C59BBE6FF49B1971149A9E10ACB372CB72EC80CB80

Function 05042808 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674047170.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5040000_preliminary drawing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab9667396a62f5ec7388eac8ad916d32927dae2263cf5ad9d22d4e997f3e3306
Instruction ID: f06c52d6607ca6c15785d69bb82f05540cce7f6814731a3354e0f6f9efa78156
Opcode Fuzzy Hash: ab9667396a62f5ec7388eac8ad916d32927dae2263cf5ad9d22d4e997f3e3306
Instruction Fuzzy Hash: 14E0E5353604158FC754DB2ED848D59B7E9EF89A2171640BAF609CB372DA62EC02CB90

Function 0504B3B0 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674047170.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5040000_preliminary drawing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab9873251444f11e0aa081a205c219db277f352837c9e441ee6a38ce904cb65d
Instruction ID: 63a21a3cebdaf1c9ab86b188c20c8d86b110493fac4a4c975ba33272bae918d0
Opcode Fuzzy Hash: ab9873251444f11e0aa081a205c219db277f352837c9e441ee6a38ce904cb65d
Instruction Fuzzy Hash: FBE026317443045FC728CA1CF88099AB3E9EF4831171942BBF005CB3A1DE50FC054740

Function 050424F4 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674047170.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5040000_preliminary drawing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7928d56d88e151d8fa5168d6e4fe6d09f030e0f8ed1c3d9018d7f826751d6cea
Instruction ID: 50586f3b714b054c1cd76f25ac0a93a6dca94622b6ca9a9768330f69d7be835c
Opcode Fuzzy Hash: 7928d56d88e151d8fa5168d6e4fe6d09f030e0f8ed1c3d9018d7f826751d6cea
Instruction Fuzzy Hash: 9CE08C303547049F8B28DB1DE88086EF7EAEF883113108ABAF00AC3364CE60EC044A88

Function 05042840 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674047170.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5040000_preliminary drawing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cadf58d35e50294befe77748c8cf35440aebd624db39a3a1cfe7b50b9498a53
Instruction ID: 12d06d61e16a00c5c7de272b087e2164e232ed563d8437e5a06b47d409dae817
Opcode Fuzzy Hash: 4cadf58d35e50294befe77748c8cf35440aebd624db39a3a1cfe7b50b9498a53
Instruction Fuzzy Hash: D4E08662B046501B9619A62A9CA18ABBBEAAED5610308856AE04987617E92198058794

Function 0504BE40 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674047170.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5040000_preliminary drawing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0b3b1b541e279a0533dad5a3a9b24bf1fe5ddc035fb2ea44cdbd4e96ad73f9f
Instruction ID: fc8bf937ee3fd95029ccde28960f8e427255ffa15cfdcd490a55de0586503baa
Opcode Fuzzy Hash: e0b3b1b541e279a0533dad5a3a9b24bf1fe5ddc035fb2ea44cdbd4e96ad73f9f
Instruction Fuzzy Hash: 79E0D83224C7811FC312D65DA84048EF792DED5214709467BE4558FB66DE64EC0F43D1

Function 0504989E Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674047170.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5040000_preliminary drawing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6438d7aa9db247d75246e8178295f78abae313a2bdf5ae417712fdb75b0dfeda
Instruction ID: 414781098a8e249a856e1be9ed0ff149eec39470fb51d4bdf7ef8d9314b4370f
Opcode Fuzzy Hash: 6438d7aa9db247d75246e8178295f78abae313a2bdf5ae417712fdb75b0dfeda
Instruction Fuzzy Hash: 27E01AB5D5021DEACB109F95F5487EEBBB1FB45256F20483AD116B1551C7710944CEA0

Function 05044CE4 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674047170.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5040000_preliminary drawing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 897a9a1baf3f95676e96f39706fda8da53c6a43a0299bb4e1017d969567e5a7d
Instruction ID: 21b467f8e6deb61c35d4e216f0adf3c1348f01f2e02d6c1dd9ac7ec1d20f106f
Opcode Fuzzy Hash: 897a9a1baf3f95676e96f39706fda8da53c6a43a0299bb4e1017d969567e5a7d
Instruction Fuzzy Hash: 70F0A575A01109CBCF55EFA4F6456ECB7F2FB88216F2000AAD505A7250DB325E01CF60

Function 050486D3 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674047170.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5040000_preliminary drawing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7e329e849ad8736c73ffecaf62e511744606defa57bc670eadc0af6ca476a8d
Instruction ID: 8849887e30f89c510ce48dd1c270f9c45e1b1022692d56bad22e1e597ed7a8a4
Opcode Fuzzy Hash: b7e329e849ad8736c73ffecaf62e511744606defa57bc670eadc0af6ca476a8d
Instruction Fuzzy Hash: 01E04FB1A42218EFCB00EFE8EA4565CBBB5EB44204B609169E80593749EF726F049B61

Function 050486D8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674047170.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5040000_preliminary drawing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5ae2a5b65d9cf2c5d8fa2fef9d1d0f19e16ffde660c97ac1f8d6c5387bb0870
Instruction ID: be74b4cbd7b9c2eaf95ffa678ea3b0d4e4a24d46a6560925f7eee5a0e2cd06ca
Opcode Fuzzy Hash: b5ae2a5b65d9cf2c5d8fa2fef9d1d0f19e16ffde660c97ac1f8d6c5387bb0870
Instruction Fuzzy Hash: DFE086B0A02208EFCB00EFE4E64155CBBB5EB44304B109159EC0593748EF726F049B61

Function 05043061 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674047170.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5040000_preliminary drawing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce4ac532d21b5336216201af387f88b9336477e1868898ba875fab04520fe5dd
Instruction ID: b9baa55b12256a5df1e95394501cd7fdc55273bd2196f202e6424a6eec960657
Opcode Fuzzy Hash: ce4ac532d21b5336216201af387f88b9336477e1868898ba875fab04520fe5dd
Instruction Fuzzy Hash: DBD0C7BA6050148FC3018B38E22886C3FF2DB1831130A80A6E948CB722CA30CC018B81

Function 05043070 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674047170.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5040000_preliminary drawing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c9b4f1da5a01820bc47bd42995f214086bca80e9c48fc75732960c58e2d027f
Instruction ID: 0f0d2f5b783b325fe3cc4c3de27d3535ad2d9e7b6592f62a8c36398ba5e73474
Opcode Fuzzy Hash: 2c9b4f1da5a01820bc47bd42995f214086bca80e9c48fc75732960c58e2d027f
Instruction Fuzzy Hash: 33D0C93A3105249F87049B68E508CA97BEAEF5D761311C066F909CB321CE71EC118BD4

Non-executed Functions

Function 08BC4590 Relevance: 1.6, Strings: 1, Instructions: 340COMMON

Download Yara Rule

Strings

Xbq, xrefs: 08BC4848

Memory Dump Source

Source File: 00000000.00000002.1677752321.0000000008BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8bc0000_preliminary drawing.jbxd

Similarity

API ID:
String ID: Xbq
API String ID: 0-63242295
Opcode ID: 02d15df8f9398e2ad7d902b0224bba47aeeeb56a38344acbfcfde08d2e73a9c6
Instruction ID: 13ff816e428aaf52d1603742b3484743b595e1041985bc56a5087e5b4e984b09
Opcode Fuzzy Hash: 02d15df8f9398e2ad7d902b0224bba47aeeeb56a38344acbfcfde08d2e73a9c6
Instruction Fuzzy Hash: 93C19E347002148FDB14DF2AC9A8A6E7BB6EF89711F1580ADE906DB3A5CB30DD41CB64

Function 074F4B30 Relevance: 1.4, Strings: 1, Instructions: 159COMMON

Download Yara Rule

Strings

4'^q, xrefs: 074F4C02

Memory Dump Source

Source File: 00000000.00000002.1676885231.00000000074F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74f0000_preliminary drawing.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 64113b60c733a0d52ee0508eafdcf27876574cab792dec9c0321c180119c2b1e
Instruction ID: fce182055104064ba30bad882e00f8e05feb45c6cb75d57126414f3d34108657
Opcode Fuzzy Hash: 64113b60c733a0d52ee0508eafdcf27876574cab792dec9c0321c180119c2b1e
Instruction Fuzzy Hash: 48613AB0E402588FEB49EF6AE95269EBFF7BB88304F04C529D1049B269EF315905CB54

Function 074FD522 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1676885231.00000000074F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74f0000_preliminary drawing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30df43ba2ca16c95ec218c6c7770ac3846fc3a27b9e5e8a4f7f4235d41170c12
Instruction ID: 96deafe82e772d173422cdaf22bf4d62935dab2afe57a98048b806e38c14ccac
Opcode Fuzzy Hash: 30df43ba2ca16c95ec218c6c7770ac3846fc3a27b9e5e8a4f7f4235d41170c12
Instruction Fuzzy Hash: 8BE14EB4E042598FCB14DFA9C5909AEFBF2FF49304F24816AE515AB356DB30A941CF60

Function 074FD960 Relevance: .3, Instructions: 319COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1676885231.00000000074F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74f0000_preliminary drawing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e985e0fa915d61d192cdd09484013788864b4ea93e34dd359f82a77f2611b44b
Instruction ID: 038b969873e8d82b6e8cf46663e72e912369f63a4a685c645932ab14208bac37
Opcode Fuzzy Hash: e985e0fa915d61d192cdd09484013788864b4ea93e34dd359f82a77f2611b44b
Instruction Fuzzy Hash: 2EE13DB4E041598FCB14DFA9C5909AEFBB2FF89304F24816AE515A7359DB30AD41CF60

Function 074FDDA8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1676885231.00000000074F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74f0000_preliminary drawing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 421fb1d3957b6abdac216eafaa224071fd19ae43d66ec8d1858248bb02d58317
Instruction ID: bc68f60bf971c8d5f90d6c302c03d12b413f90f392795fa035232ae4d398dc71
Opcode Fuzzy Hash: 421fb1d3957b6abdac216eafaa224071fd19ae43d66ec8d1858248bb02d58317
Instruction Fuzzy Hash: C7E11DB4E001698FCB14DF99C5909AEFBF2FF89305F24816AE515A735ADB30A941CF60

Function 074FF9C8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1676885231.00000000074F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74f0000_preliminary drawing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7c4340682690ef43a659df472dfb3156dbb107f2cf86428258fabe1b4cd6724
Instruction ID: 31d41363b223a8211297591998e354e08a67fa9e9052b57ad330b196beae48c3
Opcode Fuzzy Hash: e7c4340682690ef43a659df472dfb3156dbb107f2cf86428258fabe1b4cd6724
Instruction Fuzzy Hash: 75E11DB4E001598FCB14DFA9C5909AEFBF2FF49304F24816AE515AB356DB30A946CF60

Function 08BB0040 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1677731350.0000000008BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8bb0000_preliminary drawing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c090947f484228db064e6a3befad01fe8f4b2bafc8996ee31eef9d7e1295e750
Instruction ID: 340c7f423971f7ddb534f10a2e524d158b0c5cd77f2b2a3c18f3b5850bde9a9b
Opcode Fuzzy Hash: c090947f484228db064e6a3befad01fe8f4b2bafc8996ee31eef9d7e1295e750
Instruction Fuzzy Hash: D7E10874E00659CFCB14DFA9C5809AEBBF2FF89305F248169E415AB356DB70A942CF60

Function 00FDE0CC Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1670287577.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_preliminary drawing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b971de89a6c478ab0b0cca68e42c7d82634f65333af8b3969a54302879858ab
Instruction ID: 718c2f8d9a4bcf0d4f55eda8cdebdf1ff4408e598cd3e6c04d02780d1a215d47
Opcode Fuzzy Hash: 4b971de89a6c478ab0b0cca68e42c7d82634f65333af8b3969a54302879858ab
Instruction Fuzzy Hash: 22A14C32E002198FCF15DFB4C8809AEB7B3FF85304B19456AE806AB365DB35E959DB40

Function 08BB0006 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1677731350.0000000008BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8bb0000_preliminary drawing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb426a440a01cd3389a84a2092691ed3443789cdc3bdffb3d3ceb9cd8a20d82f
Instruction ID: 3459d48230e0443d3ba07d4c1bc278167b1d5503f99b7332ea9b3fd8d64e889d
Opcode Fuzzy Hash: eb426a440a01cd3389a84a2092691ed3443789cdc3bdffb3d3ceb9cd8a20d82f
Instruction Fuzzy Hash: 1D517E70D052598FCB14DF69C9905AEFBF2FF89305F14C1AAE448AB256DB309942CF61

Function 074FDD99 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1676885231.00000000074F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74f0000_preliminary drawing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3503ce8bc84c00e974d669be9c14e472aeb1440e9d9276fa48c11840723c6ae4
Instruction ID: 68184fc7482ce27c3c13b90ae90867625fc4a3274016b9886850b847b26b5f7c
Opcode Fuzzy Hash: 3503ce8bc84c00e974d669be9c14e472aeb1440e9d9276fa48c11840723c6ae4
Instruction Fuzzy Hash: 37510BB4E042198BCB14CFA9C5509EEFBF2FF89304F24816AE518A7356DB315942CFA1

Function 05043C93 Relevance: 41.7, Strings: 33, Instructions: 435COMMON

Download Yara Rule

Strings

4'^q, xrefs: 05043E19
4'^q, xrefs: 05044213
4'^q, xrefs: 05043E5F
4'^q, xrefs: 050440DF
4'^q, xrefs: 05043D6A
4'^q, xrefs: 050441E7
4'^q, xrefs: 05043F31
4'^q, xrefs: 0504405B
4'^q, xrefs: 05043D8D
4'^q, xrefs: 05043DD3
4'^q, xrefs: 0504423F
4'^q, xrefs: 050441BB
4'^q, xrefs: 0504402F
4'^q, xrefs: 05043EC8
4'^q, xrefs: 0504418F
4'^q, xrefs: 05043FE0
4'^q, xrefs: 05043EEB
4'^q, xrefs: 05044163
4'^q, xrefs: 05043DF6
4'^q, xrefs: 05043E3C
4'^q, xrefs: 05043F77
4'^q, xrefs: 05043DB0
4'^q, xrefs: 05044003
4'^q, xrefs: 05043EA5
4'^q, xrefs: 050440B3
4'^q, xrefs: 05044137
4'^q, xrefs: 05043E82
4'^q, xrefs: 05044087
4'^q, xrefs: 05043F9A
4'^q, xrefs: 0504410B
4'^q, xrefs: 05043F0E
4'^q, xrefs: 05043F54
4'^q, xrefs: 05043FBD

Memory Dump Source

Source File: 00000000.00000002.1674047170.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5040000_preliminary drawing.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q
API String ID: 0-2697097662
Opcode ID: 0c554437b872aa9d7780846dd598e31da07b3b8c36fd1eab37e8af8fa8934b1e
Instruction ID: 0dee2060e76e5eed3349fdf15c57e594657f0e8bcb92caf4b36c159967595509
Opcode Fuzzy Hash: 0c554437b872aa9d7780846dd598e31da07b3b8c36fd1eab37e8af8fa8934b1e
Instruction Fuzzy Hash: 11122E30E812198FCB18EF7AE95169DB7B2FB84304F5049A9D009AB765DF30698DCF91

Function 05043C98 Relevance: 41.7, Strings: 33, Instructions: 434COMMON

Download Yara Rule

Strings

4'^q, xrefs: 05043E19
4'^q, xrefs: 05044213
4'^q, xrefs: 05043E5F
4'^q, xrefs: 050440DF
4'^q, xrefs: 05043D6A
4'^q, xrefs: 050441E7
4'^q, xrefs: 05043F31
4'^q, xrefs: 0504405B
4'^q, xrefs: 05043D8D
4'^q, xrefs: 05043DD3
4'^q, xrefs: 0504423F
4'^q, xrefs: 050441BB
4'^q, xrefs: 0504402F
4'^q, xrefs: 05043EC8
4'^q, xrefs: 0504418F
4'^q, xrefs: 05043FE0
4'^q, xrefs: 05043EEB
4'^q, xrefs: 05044163
4'^q, xrefs: 05043DF6
4'^q, xrefs: 05043E3C
4'^q, xrefs: 05043F77
4'^q, xrefs: 05043DB0
4'^q, xrefs: 05044003
4'^q, xrefs: 05043EA5
4'^q, xrefs: 050440B3
4'^q, xrefs: 05044137
4'^q, xrefs: 05043E82
4'^q, xrefs: 05044087
4'^q, xrefs: 05043F9A
4'^q, xrefs: 0504410B
4'^q, xrefs: 05043F0E
4'^q, xrefs: 05043F54
4'^q, xrefs: 05043FBD

Memory Dump Source

Source File: 00000000.00000002.1674047170.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5040000_preliminary drawing.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q
API String ID: 0-2697097662
Opcode ID: 347f7f817f18ad4fd62a368522c4013dd46ff23c4dac2d62f9899697256c276c
Instruction ID: 2c90b6c99d9d80af24b09788ef7d199ebb53510149f2791492cb1c021fe0d804
Opcode Fuzzy Hash: 347f7f817f18ad4fd62a368522c4013dd46ff23c4dac2d62f9899697256c276c
Instruction Fuzzy Hash: A4122E30E812198FCB18EF7AE95169DB7B2FB84304F5049A9D009AB765DF30698DCF91

Analysis Process: preliminary drawing.pif.exePID: 7544, Parent PID: 7336COMMON

Execution Graph

Execution Coverage:	4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	5.4%
Total number of Nodes:	1237
Total number of Limit Nodes:	53

Executed Functions

Function 0041BEEE Relevance: 115.6, APIs: 40, Strings: 26, Instructions: 140
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040D856), ref: 0041BF03
GetProcAddress.KERNEL32(00000000), ref: 0041BF0C
GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040D856), ref: 0041BF23
GetProcAddress.KERNEL32(00000000), ref: 0041BF26
LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D856), ref: 0041BF38
GetProcAddress.KERNEL32(00000000), ref: 0041BF3B
LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040D856), ref: 0041BF4C
GetProcAddress.KERNEL32(00000000), ref: 0041BF4F
LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040D856), ref: 0041BF60
GetProcAddress.KERNEL32(00000000), ref: 0041BF63
LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040D856), ref: 0041BF70
GetProcAddress.KERNEL32(00000000), ref: 0041BF73
GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D856), ref: 0041BF80
GetProcAddress.KERNEL32(00000000), ref: 0041BF83
GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D856), ref: 0041BF90
GetProcAddress.KERNEL32(00000000), ref: 0041BF93
LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D856), ref: 0041BFA4
GetProcAddress.KERNEL32(00000000), ref: 0041BFA7
GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D856), ref: 0041BFB4
GetProcAddress.KERNEL32(00000000), ref: 0041BFB7
GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D856), ref: 0041BFC8
GetProcAddress.KERNEL32(00000000), ref: 0041BFCB
GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D856), ref: 0041BFDC
GetProcAddress.KERNEL32(00000000), ref: 0041BFDF
GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D856), ref: 0041BFF0
GetProcAddress.KERNEL32(00000000), ref: 0041BFF3
GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040D856), ref: 0041C000
GetProcAddress.KERNEL32(00000000), ref: 0041C003
LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040D856), ref: 0041C011
GetProcAddress.KERNEL32(00000000), ref: 0041C014
LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0040D856), ref: 0041C021
GetProcAddress.KERNEL32(00000000), ref: 0041C024
GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040D856), ref: 0041C036
GetProcAddress.KERNEL32(00000000), ref: 0041C039
GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040D856), ref: 0041C046
GetProcAddress.KERNEL32(00000000), ref: 0041C049
LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040D856), ref: 0041C05B
GetProcAddress.KERNEL32(00000000), ref: 0041C05E
LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0040D856), ref: 0041C06B
GetProcAddress.KERNEL32(00000000), ref: 0041C06E

Strings

SetProcessDpiAwareness, xrefs: 0041BF2D, 0041BF32, 0041BF46
SetProcessDEPPolicy, xrefs: 0041BFA9
GetSystemTimes, xrefs: 0041BFF5
Shlwapi, xrefs: 0041C007
IsUserAnAdmin, xrefs: 0041BF95
shcore, xrefs: 0041BF33
NtUnmapViewOfSection, xrefs: 0041BF56
user32, xrefs: 0041BF47, 0041BFBE, 0041BFD2, 0041BFE6
NtResumeProcess, xrefs: 0041C03B
kernel32, xrefs: 0041BF6A, 0041BF6F, 0041BF7A, 0041BF8A, 0041BFAE, 0041BFFA, 0041C01B
ntdll, xrefs: 0041BF5B, 0041C02B, 0041C035, 0041C045
Shell32, xrefs: 0041BF9A
GetComputerNameExW, xrefs: 0041BF85
GetConsoleWindow, xrefs: 0041C016
GlobalMemoryStatusEx, xrefs: 0041BF65
GetProcessImageFileNameW, xrefs: 0041BEF8, 0041BEFD, 0041BF1D
Iphlpapi, xrefs: 0041C050, 0041C05A, 0041C065
GetMonitorInfoW, xrefs: 0041BFE1
Kernel32, xrefs: 0041BF1E
NtSuspendProcess, xrefs: 0041C026
EnumDisplayMonitors, xrefs: 0041BFCD
IsWow64Process, xrefs: 0041BF75
Psapi, xrefs: 0041BEFE
GetExtendedTcpTable, xrefs: 0041C04B
EnumDisplayDevicesW, xrefs: 0041BFB9
GetExtendedUdpTable, xrefs: 0041C060

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleLibraryLoadModule
String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
API String ID: 384173800-625181639
Opcode ID: b0b2e61fc073e98d70dce9ef4f7eaaaad63808f39ef958059982ad015adeb2a9
Instruction ID: 91c85bc0cfa8e625a7056272f5779649be84715ca0db9f9d819234a6a75bf275
Opcode Fuzzy Hash: b0b2e61fc073e98d70dce9ef4f7eaaaad63808f39ef958059982ad015adeb2a9
Instruction Fuzzy Hash: 4C31E2A0E8035C7ADB207BB69CC9F3B7E6DD9847953510427B54893190EB7DEC408EAE

Function 0040E627 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 88
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0041258F: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004125AF
Part of subcall function 0041258F: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,00475308), ref: 004125CD
Part of subcall function 0041258F: RegCloseKey.KERNEL32(?), ref: 004125D8

Sleep.KERNEL32(00000BB8), ref: 0040E6DB
ExitProcess.KERNEL32 ref: 0040E74A

Strings

pth_unenc, xrefs: 0040E63D, 0040E684, 0040E6F1
override, xrefs: 0040E64C
6.0.0 Pro, xrefs: 0040E6B6, 0040E723

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: CloseExitOpenProcessQuerySleepValue
String ID: 6.0.0 Pro$override$pth_unenc
API String ID: 2281282204-4012039065
Opcode ID: 57c6abc9e73d3e45e695ea7af74c9a42750d4b6b2078e22a00081877f5d5c8b6
Instruction ID: 41eca1b412dc6cb4cbd69e66e1420b1d2a9bda06de9f36a729d5cd10817e4b5d
Opcode Fuzzy Hash: 57c6abc9e73d3e45e695ea7af74c9a42750d4b6b2078e22a00081877f5d5c8b6
Instruction Fuzzy Hash: A821D131F1420027D60876778857B6F399A9B81719F90052EF819A72E7EEBD9E1083DF

Function 00404915 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 60
timethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLocalTime.KERNEL32(00000001,00474EE0,004755B0,00000000,?,?,?,?,?,00414F1C,?,00000001), ref: 00404946
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00474EE0,004755B0,00000000,?,?,?,?,?,00414F1C,?,00000001), ref: 00404994
CreateThread.KERNEL32(00000000,00000000,00404B1D,?,00000000,00000000), ref: 004049A7

Strings

KeepAlive | Enabled | Timeout: , xrefs: 0040495C

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: Create$EventLocalThreadTime
String ID: KeepAlive | Enabled | Timeout:
API String ID: 2532271599-1507639952
Opcode ID: d7f19eb9b568965e52b888cabfc4dbfacb06391f3a0e3c58d26d5b7eb7d17a4c
Instruction ID: 334fa9fd2124ebc6c4f40b6d461b17bc354faf393a4ed588a06a33f3771f6744
Opcode Fuzzy Hash: d7f19eb9b568965e52b888cabfc4dbfacb06391f3a0e3c58d26d5b7eb7d17a4c
Instruction Fuzzy Hash: 1611E3B19052547ACB10A7BA8849BDB7F9CAB86364F00007FF50462292DA789845CBFA

Function 00432B45 Relevance: 4.5, APIs: 3, Instructions: 30encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,?,00000001,004328CD,00000024,?,?,?), ref: 00432B57
CryptGenRandom.ADVAPI32(?,?,?,?,?,?,?,?,?,0042CDC9,?), ref: 00432B6D
CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,0042CDC9,?), ref: 00432B7F

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: Crypt$Context$AcquireRandomRelease
String ID:
API String ID: 1815803762-0
Opcode ID: 35a60dd61fd8b237ab80bed8c3b3b6d5f5cecafcaafe6d2ae27acd69f3d7963f
Instruction ID: 69441ad90531868046e0b1178e1924530c202fcb63ed7aa5228c64bcbe668f15
Opcode Fuzzy Hash: 35a60dd61fd8b237ab80bed8c3b3b6d5f5cecafcaafe6d2ae27acd69f3d7963f
Instruction Fuzzy Hash: ADE09231608350FFFB300F25AC08F177B94EB89B65F21063AF155E40E4CAA59805961C

Function 0041A9AD Relevance: 3.0, APIs: 2, Instructions: 40COMMON

Download Yara Rule

APIs

GetComputerNameExW.KERNEL32(00000001,?,0000002B,004750FC), ref: 0041A9CA
GetUserNameW.ADVAPI32(?,0040E096), ref: 0041A9E2

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: Name$ComputerUser
String ID:
API String ID: 4229901323-0
Opcode ID: af73b27c5b7895e97fccf069427e61623dc6d7266bb43b71ec1f01a5fa1c8bc7
Instruction ID: dd4171341b6269d20eef4dfb17ad31a68228dcd82fcdc0eb213b330dd994abd5
Opcode Fuzzy Hash: af73b27c5b7895e97fccf069427e61623dc6d7266bb43b71ec1f01a5fa1c8bc7
Instruction Fuzzy Hash: 16014F7290011CAADB00EB90DC49ADDBB7CEF44315F10016AB502B3195EFB4AB898A98

Function 0040E751 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,004146BA,00474EE0,00475A38,00474EE0,00000000,00474EE0,?,00474EE0,6.0.0 Pro), ref: 0040E765

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 29043a0bc8eb3eaf309ffcb04ebfef395357eacca52e3239c4850690b560bd56
Instruction ID: 426317967f55bc2b8d076a22fb2a8dcf1c85f3a8f112093483d3870effb55d88
Opcode Fuzzy Hash: 29043a0bc8eb3eaf309ffcb04ebfef395357eacca52e3239c4850690b560bd56
Instruction Fuzzy Hash: A6D05E607002197BEA109691CC0AE9B7A9CE700B66F000165BA01E72C0E9A0AF048AE1

Function 00426302 Relevance: 1.5, APIs: 1, Instructions: 7networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(?,?,?,?), ref: 0042630C

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: recv
String ID:
API String ID: 1507349165-0
Opcode ID: e479f6d312995adc38c95d140b7cef8bd4a3583c6482d3884fe68aabfa392038
Instruction ID: 85cd51724732601f8c8003b199973b8832ebbe95acea7078dd2fcbbf2f3153fb
Opcode Fuzzy Hash: e479f6d312995adc38c95d140b7cef8bd4a3583c6482d3884fe68aabfa392038
Instruction Fuzzy Hash: FCB09279118202FFCA051B60CC0887ABEB6ABCC381F108D2DB986A01B0DE37C451AB26

Function 0040D83A Relevance: 60.3, APIs: 13, Strings: 21, Instructions: 800
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0041BEEE: LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040D856), ref: 0041BF03
Part of subcall function 0041BEEE: GetProcAddress.KERNEL32(00000000), ref: 0041BF0C
Part of subcall function 0041BEEE: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040D856), ref: 0041BF23
Part of subcall function 0041BEEE: GetProcAddress.KERNEL32(00000000), ref: 0041BF26
Part of subcall function 0041BEEE: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D856), ref: 0041BF38
Part of subcall function 0041BEEE: GetProcAddress.KERNEL32(00000000), ref: 0041BF3B
Part of subcall function 0041BEEE: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040D856), ref: 0041BF4C
Part of subcall function 0041BEEE: GetProcAddress.KERNEL32(00000000), ref: 0041BF4F
Part of subcall function 0041BEEE: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040D856), ref: 0041BF60
Part of subcall function 0041BEEE: GetProcAddress.KERNEL32(00000000), ref: 0041BF63
Part of subcall function 0041BEEE: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040D856), ref: 0041BF70
Part of subcall function 0041BEEE: GetProcAddress.KERNEL32(00000000), ref: 0041BF73
Part of subcall function 0041BEEE: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D856), ref: 0041BF80
Part of subcall function 0041BEEE: GetProcAddress.KERNEL32(00000000), ref: 0041BF83
Part of subcall function 0041BEEE: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D856), ref: 0041BF90
Part of subcall function 0041BEEE: GetProcAddress.KERNEL32(00000000), ref: 0041BF93
Part of subcall function 0041BEEE: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D856), ref: 0041BFA4
Part of subcall function 0041BEEE: GetProcAddress.KERNEL32(00000000), ref: 0041BFA7
Part of subcall function 0041BEEE: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D856), ref: 0041BFB4
Part of subcall function 0041BEEE: GetProcAddress.KERNEL32(00000000), ref: 0041BFB7
Part of subcall function 0041BEEE: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D856), ref: 0041BFC8
Part of subcall function 0041BEEE: GetProcAddress.KERNEL32(00000000), ref: 0041BFCB
Part of subcall function 0041BEEE: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D856), ref: 0041BFDC
Part of subcall function 0041BEEE: GetProcAddress.KERNEL32(00000000), ref: 0041BFDF
Part of subcall function 0041BEEE: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D856), ref: 0041BFF0
Part of subcall function 0041BEEE: GetProcAddress.KERNEL32(00000000), ref: 0041BFF3
Part of subcall function 0041BEEE: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040D856), ref: 0041C000
Part of subcall function 0041BEEE: GetProcAddress.KERNEL32(00000000), ref: 0041C003
Part of subcall function 0041BEEE: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040D856), ref: 0041C011

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\preliminary drawing.pif.exe,00000104), ref: 0040D863

Part of subcall function 0040FD92: __EH_prolog.LIBCMT ref: 0040FD97

Strings

PSG, xrefs: 0040DD91
licence, xrefs: 0040DDF8
User, xrefs: 0040E10B
license_code.txt, xrefs: 0040D8C2
Software\, xrefs: 0040D938
8SG, xrefs: 0040D97A
exepath, xrefs: 0040DD07, 0040DDB1
hSG, xrefs: 0040E097
del, xrefs: 0040E14B
Exe, xrefs: 0040D984
PSG, xrefs: 0040DCDA
C:\Users\user\Desktop\preliminary drawing.pif.exe, xrefs: 0040D85B, 0040DC84
dMG, xrefs: 0040E01B
SG, xrefs: 0040DBDD
0TG, xrefs: 0040D9E7
Administrator, xrefs: 0040E0FF
Remcos Agent initialized, xrefs: 0040DE5F
Inj, xrefs: 0040DA4A, 0040DA61
Access Level: , xrefs: 0040E11A
del, xrefs: 0040E167, 0040E1C7
8SG, xrefs: 0040D9D7

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
String ID: SG$0TG$8SG$8SG$Access Level: $Administrator$C:\Users\user\Desktop\preliminary drawing.pif.exe$Exe$Inj$PSG$PSG$Remcos Agent initialized$Software\$User$dMG$del$del$exepath$hSG$licence$license_code.txt
API String ID: 2830904901-1422536100
Opcode ID: bdfbb758975e78e0c483df2cc7f566d7ac02049141bc4f9530fef77d768fc918
Instruction ID: b96e9d53b64ce9762df997b7c443b274fb73bccd3fe431706256fac2145036cf
Opcode Fuzzy Hash: bdfbb758975e78e0c483df2cc7f566d7ac02049141bc4f9530fef77d768fc918
Instruction Fuzzy Hash: 2E32C760B043406ADA14B776DC57BBE259A9F81748F00483FB9467B2E2DEBC9D44C39E

Function 004140AC Relevance: 46.4, APIs: 5, Strings: 21, Instructions: 855
sleepnetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000000,00000029,00475308,?,00000000), ref: 00414100
WSAGetLastError.WS2_32 ref: 00414321
Sleep.KERNEL32(00000000,00000002), ref: 00414D1A

Part of subcall function 0041A891: GetLocalTime.KERNEL32(00000000), ref: 0041A8AB

Strings

Disconnected, xrefs: 00414C8A
PSG, xrefs: 004144CC
Connected | , xrefs: 004143E3
| , xrefs: 004142A2, 004143E8
VG, xrefs: 00414695
TLS Off, xrefs: 0041426B, 0041427E
6.0.0 Pro, xrefs: 00414689
C:\Users\user\Desktop\preliminary drawing.pif.exe, xrefs: 0041454C
name, xrefs: 004144F2
Connecting | , xrefs: 00414298
Connection Error: Unable to create socket, xrefs: 0041437C
NG, xrefs: 004145E4
NG, xrefs: 004145A6
TLS On , xrefs: 00414279
dMG, xrefs: 00414657
UG, xrefs: 00414230
hlight, xrefs: 0041451F
Connection Error: , xrefs: 00414332
hSG, xrefs: 004146BC
%I64u, xrefs: 00414485
PhNG, xrefs: 0041456F

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: Sleep$ErrorLastLocalTime
String ID: | $%I64u$6.0.0 Pro$C:\Users\user\Desktop\preliminary drawing.pif.exe$Connected | $Connecting | $Connection Error: $Connection Error: Unable to create socket$Disconnected$PSG$PhNG$TLS Off$TLS On $dMG$hSG$hlight$name$NG$NG$UG$VG
API String ID: 524882891-3173762295
Opcode ID: 93c8b0b2732e087284312ee61134b929975f56d81569ceb5395de4fd46d84fd9
Instruction ID: c3263a97f07b8ae9d11225c8127e62ab27a72c03ae3a8f764161ebb565a1ac44
Opcode Fuzzy Hash: 93c8b0b2732e087284312ee61134b929975f56d81569ceb5395de4fd46d84fd9
Instruction Fuzzy Hash: EE625E71A001145ACB18F771DDA6AEE73659FA0308F1041BFB80A771E2EF785E85CA9D

Function 0040428C Relevance: 19.4, APIs: 4, Strings: 7, Instructions: 147
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

connect.WS2_32(?,?,?), ref: 004042A5
CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,0040192B), ref: 004043CB
CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,0040192B), ref: 004043D5
WSAGetLastError.WS2_32(?,?,?,0040192B), ref: 004043E7

Part of subcall function 0041A891: GetLocalTime.KERNEL32(00000000), ref: 0041A8AB

Strings

TLS Error 2, xrefs: 0040431A
TLS Authentication Failed, xrefs: 0040435E
TLS Error 1, xrefs: 004042FC
Connection Failed: , xrefs: 0040440C
TLS Error 3, xrefs: 0040439D
TLS Handshake... | , xrefs: 004042C9
Connection Refused, xrefs: 0040443E

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: CreateEvent$ErrorLastLocalTimeconnect
String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
API String ID: 994465650-2151626615
Opcode ID: 25f9bf30bf626f86bdd6a347c785a4e20f452bbc9465e5e05d83602412ebd986
Instruction ID: 8d860672b69a19ae3c360ccb47b0a38bc4e99592ce22fc56bfe6acc5d0e7da0a
Opcode Fuzzy Hash: 25f9bf30bf626f86bdd6a347c785a4e20f452bbc9465e5e05d83602412ebd986
Instruction Fuzzy Hash: D54109B0B0020277CA04B77A884766E7A55AB85314B80012FE901A7AD3FE3DAD2587DF

Function 0040C89E Relevance: 17.6, APIs: 1, Strings: 9, Instructions: 139
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 0040CA04

Strings

Temp, xrefs: 0040C8D0
\SysWOW64, xrefs: 0040C96A
UserProfile, xrefs: 0040C9C2
AppData, xrefs: 0040C9BB
ProgramData, xrefs: 0040C9C9
\system32, xrefs: 0040C918
ProgramFiles, xrefs: 0040C9D8
WinDir, xrefs: 0040C905, 0040C927, 0040C979
SystemDrive, xrefs: 0040C8FB

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: LongNamePath
String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
API String ID: 82841172-425784914
Opcode ID: 40ac70827e352cad8a6fefd4e628786bc9d8abfa81fe8194897abce743817356
Instruction ID: f058a63a2e06dcb2b247864a9289bab0e783a4957c20bc3838a58b63f1508e50
Opcode Fuzzy Hash: 40ac70827e352cad8a6fefd4e628786bc9d8abfa81fe8194897abce743817356
Instruction Fuzzy Hash: F0415C721482009AC214F721DC97DAFB7A4AE90759F10063FF546720E2EE7CAA59C69F

Function 0041A66E Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0041B366: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B377

Part of subcall function 004125EB: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 0041260F
Part of subcall function 004125EB: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 0041262C
Part of subcall function 004125EB: RegCloseKey.KERNEL32(?), ref: 00412637

StrToIntA.SHLWAPI(00000000,0046CC58,?,00000000,00000000,004750FC,00000003,Exe,00000000,0000000E,00000000,0046656C,00000003,00000000), ref: 0041A6E4

Strings

8ZG, xrefs: 0041A69D
SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 0041A682, 0041A68C, 0041A6CA
CurrentBuildNumber, xrefs: 0041A6C5
(64 bit), xrefs: 0041A711, 0041A71B
(32 bit), xrefs: 0041A70C
ProductName, xrefs: 0041A67D

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: CloseCurrentOpenProcessQueryValue
String ID: (32 bit)$ (64 bit)$8ZG$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
API String ID: 1866151309-1475859423
Opcode ID: 5784b5a3661dafe5a0949290669d0d1970df3def71ca85450bedfa9f19c711aa
Instruction ID: 1adcdd06a104af508aeef54d465e0c78d2d81651f2e3fe11076ab4bcd17b792f
Opcode Fuzzy Hash: 5784b5a3661dafe5a0949290669d0d1970df3def71ca85450bedfa9f19c711aa
Instruction Fuzzy Hash: 1811C660A001012AC704B3A6DCDBDBF765A9B91304F44413FB856A71E2FB6C9D9583EE

Function 0041A726 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 68
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041A749
InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041A75F
InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041A778
InternetCloseHandle.WININET(00000000), ref: 0041A7BE
InternetCloseHandle.WININET(00000000), ref: 0041A7C1

Strings

http://geoplugin.net/json.gp, xrefs: 0041A759

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen$FileRead
String ID: http://geoplugin.net/json.gp
API String ID: 3121278467-91888290
Opcode ID: d1e56e5642db4f729b977238499a769e8a72a0eadc696aaad50a2222564c20ae
Instruction ID: dd066ffe0ad47051801ff1a9504fa95a24023bf504f9cdcf24902ddc36d2e50e
Opcode Fuzzy Hash: d1e56e5642db4f729b977238499a769e8a72a0eadc696aaad50a2222564c20ae
Instruction Fuzzy Hash: C311947110A3126BD624EB169C85DBF7BECEF86765F00043EF845A2191DF68D848C6BA

Function 004127AA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 37
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004127B9
RegSetValueExA.KERNEL32(?,XwF,00000000,?,00000000,00000000,00475308,?,?,0040E6D3,00467758,6.0.0 Pro), ref: 004127E1
RegCloseKey.KERNEL32(?,?,?,0040E6D3,00467758,6.0.0 Pro), ref: 004127EC

Strings

pth_unenc, xrefs: 004127AE
XwF, xrefs: 004127DB

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: CloseCreateValue
String ID: XwF$pth_unenc
API String ID: 1818849710-1649331827
Opcode ID: 8c129d0422e0ee681a9ee05f61952d32254553b43d369c3a5d873ba7ac95b266
Instruction ID: b42ea712bc7a6ff48bd64609183fdbccf638e423d93a2202917fd6756948167f
Opcode Fuzzy Hash: 8c129d0422e0ee681a9ee05f61952d32254553b43d369c3a5d873ba7ac95b266
Instruction Fuzzy Hash: 27F06D32140204BBCB00AFA1DD45AEF3768EF00751B108169B916B60A1EE759E04EBA4

Function 004128AD Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyA.ADVAPI32(80000001,00000000,TeF), ref: 004128BB
RegSetValueExA.KERNEL32(TeF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004670E0,00000001,000000AF,00466554), ref: 004128D6
RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004670E0,00000001,000000AF,00466554), ref: 004128E1

Strings

TeF, xrefs: 004128B1, 004128D3, 004128B4

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: CloseCreateValue
String ID: TeF
API String ID: 1818849710-331424825
Opcode ID: 69388a3f5ca785ef31159ee28a7932d701a8b17d3c2adace4bd37096d90c6bf5
Instruction ID: 5082c9e4fe043c0a9a82c1e0a3a4def458545ef8caf92c2e29ea1f35f3ad8a86
Opcode Fuzzy Hash: 69388a3f5ca785ef31159ee28a7932d701a8b17d3c2adace4bd37096d90c6bf5
Instruction Fuzzy Hash: C9E03971640308BFDF119B919C05FDB3BA8EB04B95F004165FA05F61A1DAB1DE18EBA8

Function 00404688 Relevance: 6.1, APIs: 4, Instructions: 121
synchronizationthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,?), ref: 00404778
CreateThread.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 0040478C
WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00000000,?,?,00000000), ref: 00404797
CloseHandle.KERNEL32(?,?,00000000,00000000,?,?,00000000), ref: 004047A0

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: Create$CloseEventHandleObjectSingleThreadWait
String ID:
API String ID: 3360349984-0
Opcode ID: 13bfb93908a7a1a196b89a4135110c3ed9e38599449258332ed8a5e31dc09809
Instruction ID: 5371640f48c6a0368c7cea64887978d4ac2a240c02499e3407376e9d4191e8ff
Opcode Fuzzy Hash: 13bfb93908a7a1a196b89a4135110c3ed9e38599449258332ed8a5e31dc09809
Instruction Fuzzy Hash: 10417171504301ABC700FB61CC55D7FBBE9AFD5315F00093EF892A32E2EE389909866A

Function 00414D2D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 163
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetEvent.KERNEL32(?,?), ref: 00414D52
GetTickCount.KERNEL32 ref: 00414DCE

Strings

NG, xrefs: 00414D81

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: CountEventTick
String ID: NG
API String ID: 180926312-1651712548
Opcode ID: 594d90fcbcc125ce78d8867d87774d1134eb35d199fd1dc7c9a269cb216e5005
Instruction ID: 085b2f02be9ab0868ba51c73fb921716b1faa5b055701b3286f453889ed4f7a0
Opcode Fuzzy Hash: 594d90fcbcc125ce78d8867d87774d1134eb35d199fd1dc7c9a269cb216e5005
Instruction Fuzzy Hash: C85182321042409AC624FB71D8A2AEF73E5AFD0304F00453FB94A671E2EF789949C69E

Function 0040BED7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexA.KERNEL32(00000000,00000001,00000000,0040DA7D,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,0046656C,00000003,00000000), ref: 0040BEE6
GetLastError.KERNEL32 ref: 0040BEF1

Strings

8SG, xrefs: 0040BED7

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: CreateErrorLastMutex
String ID: 8SG
API String ID: 1925916568-2887235486
Opcode ID: d58867581c17b355a88f5054a28bfcdfe2a7bd02adb3b1b596902c1973a3a1fb
Instruction ID: 2210f0ff69d3cac9d22e7a3f14049619627ec1602d204fa864a150733b7892bf
Opcode Fuzzy Hash: d58867581c17b355a88f5054a28bfcdfe2a7bd02adb3b1b596902c1973a3a1fb
Instruction Fuzzy Hash: B9D012702057009BE70817709D4E76D3951D784703F00407DB90BE51E1CEA488409519

Function 004125EB Relevance: 4.5, APIs: 3, Instructions: 42
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 0041260F
RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 0041262C
RegCloseKey.KERNEL32(?), ref: 00412637

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: bbef7dcd2944ded87148144ed2ea16c8e331e8bf26ab8122505fdae2b7519b04
Instruction ID: 14faf112d3046a25d46051106a5b1d66d342437105d793e51b0bcc882fecfd0c
Opcode Fuzzy Hash: bbef7dcd2944ded87148144ed2ea16c8e331e8bf26ab8122505fdae2b7519b04
Instruction Fuzzy Hash: D8F0D176900118BBCB209B91DD09EDF7B7CEB44B50F00406ABA05F2190DA749E599BA8

Function 00412735 Relevance: 4.5, APIs: 3, Instructions: 41registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,00475308), ref: 00412751
RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 0041276A
RegCloseKey.KERNEL32(00000000), ref: 00412775

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 2290404c5028f19351fda844a65f428930317fa0cea8d3593e6495ca7ac6aa60
Instruction ID: 218a6bf298efa18a53fa985214dbde7e418f837aa6fd6996b0f70a828ecfe766
Opcode Fuzzy Hash: 2290404c5028f19351fda844a65f428930317fa0cea8d3593e6495ca7ac6aa60
Instruction Fuzzy Hash: 6501AD35800229BFDF215F91DC09DDF7F38EF05760F004065BA08A20A0EB3589A9DBA4

Function 0041258F Relevance: 4.5, APIs: 3, Instructions: 38registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004125AF
RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,00475308), ref: 004125CD
RegCloseKey.KERNEL32(?), ref: 004125D8

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: f2bc15ec1dd87dd5d2b8e96f704feec537dddf8cd8f352820b88cb246238aa27
Instruction ID: f1b1b21d3432ee16d2560aa6e8f8b6fc3b679f7482eced78fea8614e15db81c1
Opcode Fuzzy Hash: f2bc15ec1dd87dd5d2b8e96f704feec537dddf8cd8f352820b88cb246238aa27
Instruction Fuzzy Hash: B4F03075A00208BFDF119FA09C45FDEBBB8EB04B55F104065FA05F6191D670DA54DB94

Function 00412546 Relevance: 4.5, APIs: 3, Instructions: 32registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?,00000000,?,?,0040B996,004670E0), ref: 0041255D
RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,0040B996,004670E0), ref: 00412571
RegCloseKey.KERNEL32(?,?,?,0040B996,004670E0), ref: 0041257C

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 90b816baf6681459c689896bd7ee7621983de5913a9f55156db5b466bfdb1e74
Instruction ID: da5e3a6b8615f7fc9763e362b131f946d251b316bd2acc507b7b22157b73f9fc
Opcode Fuzzy Hash: 90b816baf6681459c689896bd7ee7621983de5913a9f55156db5b466bfdb1e74
Instruction Fuzzy Hash: 1BE03931941224BB9B200BA29D09EDB7F6DEF06BA1B010455B809A2111DAA18E54EAF4

Function 0041AB50 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(?), ref: 0041AB64

Strings

@, xrefs: 0041AB5A

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: GlobalMemoryStatus
String ID: @
API String ID: 1890195054-2766056989
Opcode ID: a4fe8e15525f2be1febd29730eb74c732a6063ed027868c332be47892e1af589
Instruction ID: b665d68c061e3f9f56ba9c4249da2251c097319f67e9030db6e937b6cf7da2fa
Opcode Fuzzy Hash: a4fe8e15525f2be1febd29730eb74c732a6063ed027868c332be47892e1af589
Instruction Fuzzy Hash: 00D067B59013189FCB20DFA8E945A8DBBF8EB48214F004529E946E3744E774E945CB94

Function 0044BBCE Relevance: 3.0, APIs: 2, Instructions: 44memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0044BBEF

Part of subcall function 00446D0F: RtlAllocateHeap.NTDLL(00000000,0040E684,00000000,?,00433832,0040E684,?,00402BE9,004752F0,00402F1C,00000000,004752F0,004084A8,?,?,004752F0), ref: 00446D41

RtlReAllocateHeap.NTDLL(00000000,?,00000000,?,0000000F,?,004321E2,00000000,0000000F,0042EC48,?,?,00430CB1,?,00000000), ref: 0044BC2B

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: AllocateHeap$_free
String ID:
API String ID: 1482568997-0
Opcode ID: 75dba0ed55eed6272312b14fa0e40daa3ab3635ea400bc8e8fcb100b2f7ba330
Instruction ID: 767aa377775814b37deb1c17d78f1b9627af84273febb40deea43816b68d1426
Opcode Fuzzy Hash: 75dba0ed55eed6272312b14fa0e40daa3ab3635ea400bc8e8fcb100b2f7ba330
Instruction Fuzzy Hash: D3F0C23160051166FB212A679C81F6B2B59CF82B74B15402FF805AA691DF3CD841A1ED

Function 004041F1 Relevance: 3.0, APIs: 2, Instructions: 40networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(?,00000001,00000006), ref: 00404212

Part of subcall function 00404262: WSAStartup.WS2_32(00000202,00000000), ref: 00404277

CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404252

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: CreateEventStartupsocket
String ID:
API String ID: 1953588214-0
Opcode ID: 9dcc25316a99288ac387cf2e613c868b0e107fead0b532e7680f1acbcbd447ec
Instruction ID: e62a462d4859cb901c95814de100b0ae44c334504336dc08fc7633b5118be932
Opcode Fuzzy Hash: 9dcc25316a99288ac387cf2e613c868b0e107fead0b532e7680f1acbcbd447ec
Instruction Fuzzy Hash: 100171B0508B809FD7358F38B8456977FE0AB15314F044DAEF1D697BA1C7B5A481CB18

Function 0041AE5D Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 0041AE7F
GetWindowTextW.USER32(00000000,?,00000100), ref: 0041AE92

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: Window$ForegroundText
String ID:
API String ID: 29597999-0
Opcode ID: 5ddf7909cc4eade4a63a561fd268963548b72b2db03399db0aca66a0bfcef8e6
Instruction ID: 7a6786a6daea7d79da8b38e9164549a295f8c3929764bf887eb2819544a3ffc0
Opcode Fuzzy Hash: 5ddf7909cc4eade4a63a561fd268963548b72b2db03399db0aca66a0bfcef8e6
Instruction Fuzzy Hash: 4AE04875A0031867FB20B7659C4EFD6766C9704B05F0400ADB619E21C3EDB4EA048BE4

Function 00409517 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00409531

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: _wcslen
String ID:
API String ID: 176396367-0
Opcode ID: 600e4bd1156b45ede3bd9527e83520dda68338290c7276ba2bdfa4a981812738
Instruction ID: 7b719d08391bbb12b01dd12fa1e9474f3c31e37c6e717f7fed2b29792a4b3228
Opcode Fuzzy Hash: 600e4bd1156b45ede3bd9527e83520dda68338290c7276ba2bdfa4a981812738
Instruction Fuzzy Hash: B71193329002059BCB05FF66D8529EE77A4EF54319B10443FF842662E2EF78A915CB98

Function 00446D0F Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,0040E684,00000000,?,00433832,0040E684,?,00402BE9,004752F0,00402F1C,00000000,004752F0,004084A8,?,?,004752F0), ref: 00446D41

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 0f5abaf13ca65be01e81702a986caa53ff1045636aaab9ddf486c5bbef5008ab
Instruction ID: 40638bbf90b8c7646580dfe44e72c34c865d7c07d7b9b06d8b79509a7ad90776
Opcode Fuzzy Hash: 0f5abaf13ca65be01e81702a986caa53ff1045636aaab9ddf486c5bbef5008ab
Instruction Fuzzy Hash: 52E0E5B1B00220A6FB202A6A8C02B5B36498F437B4F070033AC0A9A291CE6CCC4081AF

Function 00404262 Relevance: 1.5, APIs: 1, Instructions: 15networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000202,00000000), ref: 00404277

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: 512c305c5d81d862cf08042479f934390d4c65f7aad148c3c3ac63496dcf4775
Instruction ID: a6df37c1a3c4b0bfee4e794801b63ea3b6ec8424062e123ecf3ffc10766d7ffb
Opcode Fuzzy Hash: 512c305c5d81d862cf08042479f934390d4c65f7aad148c3c3ac63496dcf4775
Instruction Fuzzy Hash: F7D012325586094ED620AAB5AD0F8A4775CD317611F0003BA6CB5825D3FA84561CC6AB

Function 00426319 Relevance: 1.5, APIs: 1, Instructions: 7networkCOMMON

Download Yara Rule

APIs

send.WS2_32(?,?,?,?), ref: 00426323

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: 733b60b5868be77d00c88bb6e02a93299a3caf11162c6b1e2887e039244bfe1f
Instruction ID: aaa3dbc129b5069e484ee587900df28e469ef685d0a3e158187009c9450646dc
Opcode Fuzzy Hash: 733b60b5868be77d00c88bb6e02a93299a3caf11162c6b1e2887e039244bfe1f
Instruction Fuzzy Hash: 30B09279118302BFCA051B60CC0887A7EB6ABC9381B108C2CB546611B0DE37C490EB36

Non-executed Functions

Function 00405042 Relevance: 47.5, APIs: 15, Strings: 12, Instructions: 280pipesleepfileCOMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0040508E

Part of subcall function 004336DA: EnterCriticalSection.KERNEL32(00471D18,00476D54,?,0040AEAC,00476D54,00456FA7,?,00000000,00000000), ref: 004336E4
Part of subcall function 004336DA: LeaveCriticalSection.KERNEL32(00471D18,?,0040AEAC,00476D54,00456FA7,?,00000000,00000000), ref: 00433717

Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD

__Init_thread_footer.LIBCMT ref: 004050CB
CreatePipe.KERNEL32(00476D14,00476CFC,00476C20,00000000,0046656C,00000000), ref: 0040515E
CreatePipe.KERNEL32(00476D00,00476D1C,00476C20,00000000), ref: 00405174
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00476C30,00476D04), ref: 004051E7

Part of subcall function 00433724: EnterCriticalSection.KERNEL32(00471D18,?,00476D54,?,0040AE8B,00476D54,?,00000000,00000000), ref: 0043372F
Part of subcall function 00433724: LeaveCriticalSection.KERNEL32(00471D18,?,0040AE8B,00476D54,?,00000000,00000000), ref: 0043376C

Sleep.KERNEL32(0000012C,00000093,?), ref: 0040523F
PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00405264
ReadFile.KERNEL32(00000000,?,?,00000000), ref: 00405291

Part of subcall function 00433AB0: __onexit.LIBCMT ref: 00433AB6

WriteFile.KERNEL32(00000000,00000000,?,00000000,00474F90,00466570,00000062,00466554), ref: 0040538E
Sleep.KERNEL32(00000064,00000062,00466554), ref: 004053A8
TerminateProcess.KERNEL32(00000000), ref: 004053C1
CloseHandle.KERNEL32 ref: 004053CD
CloseHandle.KERNEL32 ref: 004053D5
CloseHandle.KERNEL32 ref: 004053E7
CloseHandle.KERNEL32 ref: 004053EF

Strings

SystemDrive, xrefs: 00405109
mG, xrefs: 004051A9
xlG, xrefs: 004052FE
lG, xrefs: 00405133
0lG, xrefs: 00405183
cmd.exe, xrefs: 004050F5
mG, xrefs: 00405114
xlG, xrefs: 00405078
xlG, xrefs: 00405202
xlG, xrefs: 00405332
xlG, xrefs: 004053D7
mG, xrefs: 004050B5

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: CloseCriticalHandleSection$CreatePipe$EnterFileInit_thread_footerLeaveProcessSleep$NamedPeekReadTerminateWrite__onexitsend
String ID: lG$ mG$ mG$ mG$0lG$SystemDrive$cmd.exe$xlG$xlG$xlG$xlG$xlG
API String ID: 3815868655-3731297122
Opcode ID: cb4e773262843936e5affcf30dd5fe19e9633cf4f7ccdcdf8c0d7f65116dd57c
Instruction ID: f3d75f47542da312923ddfb9c6ddab2c5323933c8a72fe1ed5abf95ef94fff6a
Opcode Fuzzy Hash: cb4e773262843936e5affcf30dd5fe19e9633cf4f7ccdcdf8c0d7f65116dd57c
Instruction Fuzzy Hash: 3491C571600605AFC610BB65ED42A6F3BAAEB84344F01443FF949A22E2DF7D9C448F6D

Function 00406F06 Relevance: 46.3, APIs: 10, Strings: 16, Instructions: 849filesleepCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 00406F28
GetFileAttributesW.KERNEL32(00000000,00000000,00000000), ref: 00406FF8
DeleteFileW.KERNEL32(00000000), ref: 00407018

Part of subcall function 0041B63A: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,004752F0,00475308), ref: 0041B694
Part of subcall function 0041B63A: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,004752F0,00475308), ref: 0041B6C6
Part of subcall function 0041B63A: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,004752F0,00475308), ref: 0041B717
Part of subcall function 0041B63A: FindClose.KERNEL32(00000000,?,?,?,?,?,?,004752F0,00475308), ref: 0041B76C
Part of subcall function 0041B63A: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,004752F0,00475308), ref: 0041B773

Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD

Part of subcall function 00406BE9: CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00466454,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C38
Part of subcall function 00406BE9: WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,000186A0,?,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C80
Part of subcall function 00406BE9: CloseHandle.KERNEL32(00000000,?,?,00000000,00407273,00000000,?,0000000A,00000000,00000000), ref: 00406CC0
Part of subcall function 00406BE9: MoveFileW.KERNEL32(00000000,00000000), ref: 00406CDD

Part of subcall function 0041A891: GetLocalTime.KERNEL32(00000000), ref: 0041A8AB

Part of subcall function 00404468: WaitForSingleObject.KERNEL32(?,00000000,{NAL,?,?,00000004,?,?,00000004,00474EE0,004755B0,00000000), ref: 0040450E
Part of subcall function 00404468: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00474EE0,004755B0,00000000,?,?,?,?,?,00414E7B), ref: 0040453C

ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00407416
GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 004074F5
SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 0040773A
DeleteFileA.KERNEL32(?), ref: 004078CC

Part of subcall function 00407A8C: __EH_prolog.LIBCMT ref: 00407A91
Part of subcall function 00407A8C: FindFirstFileW.KERNEL32(00000000,?,00466AA0,00000000), ref: 00407B4A
Part of subcall function 00407A8C: FindNextFileW.KERNEL32(00000000,?), ref: 00407B6E

Sleep.KERNEL32(000007D0), ref: 00407976
StrToIntA.SHLWAPI(00000000,00000000), ref: 004079BA

Part of subcall function 0041BD82: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041BE77

Strings

open, xrefs: 00407410
VNG, xrefs: 004071C6
pPG, xrefs: 0040705B
pPG, xrefs: 00407563
Failed to download file: , xrefs: 00407321
NG, xrefs: 00406F54
Downloading file: , xrefs: 004071F3
Unable to rename file!, xrefs: 0040768F
pPG, xrefs: 004076A6
Browsing directory: , xrefs: 004074B6
@PG, xrefs: 00407473
Executing file: , xrefs: 0040742F
Unable to delete: , xrefs: 00407078
Downloaded file: , xrefs: 004072A8
pPG, xrefs: 00407998
Deleted file: , xrefs: 0040703A

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: File$Find$AttributesCloseDeleteDirectoryEventFirstNextRemove$CreateDriveExecuteH_prologHandleInfoLocalLogicalMoveObjectParametersShellSingleSleepStringsSystemTimeWaitWritesend
String ID: @PG$Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$VNG$open$pPG$pPG$pPG$pPG$NG
API String ID: 2918587301-3905578539
Opcode ID: 7bf0c9223161def7fa0df297e9bfc38f6a77f060280b3b18bace057f83552223
Instruction ID: 1d2e2627ec10ef381271a766c0004beadc8049fa085ae304c46d09a1b017b010
Opcode Fuzzy Hash: 7bf0c9223161def7fa0df297e9bfc38f6a77f060280b3b18bace057f83552223
Instruction Fuzzy Hash: 0F42A271A043005BC614FB76C8979AE76A59F90708F40493FF946771E2EE3CAA09C6DB

Function 0041100E Relevance: 31.7, APIs: 7, Strings: 11, Instructions: 238threadCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0041101D

Part of subcall function 004128AD: RegCreateKeyA.ADVAPI32(80000001,00000000,TeF), ref: 004128BB
Part of subcall function 004128AD: RegSetValueExA.KERNEL32(TeF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004670E0,00000001,000000AF,00466554), ref: 004128D6
Part of subcall function 004128AD: RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004670E0,00000001,000000AF,00466554), ref: 004128E1

OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00411059
CreateThread.KERNEL32(00000000,00000000,0041170F,00000000,00000000,00000000), ref: 004110BE

Part of subcall function 0041258F: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004125AF
Part of subcall function 0041258F: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,00475308), ref: 004125CD
Part of subcall function 0041258F: RegCloseKey.KERNEL32(?), ref: 004125D8

CloseHandle.KERNEL32(00000000), ref: 00411068

Part of subcall function 0041A891: GetLocalTime.KERNEL32(00000000), ref: 0041A8AB

OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 00411332

Strings

0TG, xrefs: 00411046
\system32\, xrefs: 0041111C
rmclient.exe, xrefs: 004111FD
Remcos restarted by watchdog!, xrefs: 00411073
\SysWOW64\, xrefs: 00411174
svchost.exe, xrefs: 004111D8
fsutil.exe, xrefs: 00411222
WDH, xrefs: 004110C8, 004110CE, 00411338
Watchdog launch failed!, xrefs: 00411296
Watchdog module activated, xrefs: 00411097, 004112E8
WinDir, xrefs: 0041112E, 00411183

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: CloseOpen$CreateProcessValue$CurrentHandleLocalMutexQueryThreadTime
String ID: 0TG$Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe
API String ID: 65172268-427618296
Opcode ID: 0a2ceab2b3bb740fe65fffa47f0910217014e1e2adf7202cbebcb540b193482a
Instruction ID: de889ccbd4d484bbc366ed6bf297281231fcf4352047712fae5372da0dd81bf3
Opcode Fuzzy Hash: 0a2ceab2b3bb740fe65fffa47f0910217014e1e2adf7202cbebcb540b193482a
Instruction Fuzzy Hash: 3D717E3160420157C214FB72CC579AE77A8AF94719F40053FF986A21E2EF7C9A49C6AF

Function 0040B335 Relevance: 24.6, APIs: 8, Strings: 6, Instructions: 145fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040B3B4
FindClose.KERNEL32(00000000), ref: 0040B3CE
FindNextFileA.KERNEL32(00000000,?), ref: 0040B4F1
FindClose.KERNEL32(00000000), ref: 0040B517

Strings

\AppData\Roaming\Mozilla\Firefox\Profiles\, xrefs: 0040B357
\key3.db, xrefs: 0040B47B
\logins.json, xrefs: 0040B439
[Firefox StoredLogins Cleared!], xrefs: 0040B504
UserProfile, xrefs: 0040B365
[Firefox StoredLogins not found], xrefs: 0040B3D9

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: Find$CloseFile$FirstNext
String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
API String ID: 1164774033-3681987949
Opcode ID: 139b835f4ffbf59ec83350e6534c8cdefa10e7158f9cf36c09dd110ed7c42565
Instruction ID: 4260ee55bd24f38cfaff6d718e7bb7aae0563b8f0cd35122f003610daf392ab1
Opcode Fuzzy Hash: 139b835f4ffbf59ec83350e6534c8cdefa10e7158f9cf36c09dd110ed7c42565
Instruction Fuzzy Hash: 0A510B319042195ADB14F7A2DC96AEE7764EF50318F50017FF806B30E2EF789A45CA9D

Function 0040B53A Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 130fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040B5B2
FindClose.KERNEL32(00000000), ref: 0040B5CC
FindNextFileA.KERNEL32(00000000,?), ref: 0040B68C
FindClose.KERNEL32(00000000), ref: 0040B6B2
FindClose.KERNEL32(00000000), ref: 0040B6D1

Strings

\AppData\Roaming\Mozilla\Firefox\Profiles\, xrefs: 0040B555
\cookies.sqlite, xrefs: 0040B62F
[Firefox Cookies not found], xrefs: 0040B5D7, 0040B69F
[Firefox cookies found, cleared!], xrefs: 0040B6E0
UserProfile, xrefs: 0040B563

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: Find$Close$File$FirstNext
String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
API String ID: 3527384056-432212279
Opcode ID: 6ec088cd4e676ff785f02da0740e5d90a2cdf893a5d8461fe9e3bd71167868d2
Instruction ID: 1e8de758c2b97f43aed4804fc6a56dd8ce4d3e4bc3adeefe5a602588f19c01c2
Opcode Fuzzy Hash: 6ec088cd4e676ff785f02da0740e5d90a2cdf893a5d8461fe9e3bd71167868d2
Instruction Fuzzy Hash: F4412C319042196ACB14F7A5EC569EE7768EE11318F50017FF802B31E2EF399A458A9E

Function 00415B5E Relevance: 18.1, APIs: 12, Instructions: 80clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00415B5F
EmptyClipboard.USER32 ref: 00415B6D
GlobalAlloc.KERNEL32(00002000,-00000002), ref: 00415B8D
GlobalLock.KERNEL32(00000000), ref: 00415B96
GlobalUnlock.KERNEL32(00000000), ref: 00415BCC
SetClipboardData.USER32(0000000D,00000000), ref: 00415BD5
CloseClipboard.USER32 ref: 00415BF2
OpenClipboard.USER32 ref: 00415BF9
GetClipboardData.USER32(0000000D), ref: 00415C09
GlobalLock.KERNEL32(00000000), ref: 00415C12
GlobalUnlock.KERNEL32(00000000), ref: 00415C1B
CloseClipboard.USER32 ref: 00415C21

Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
String ID:
API String ID: 3520204547-0
Opcode ID: 5681ff0c9a35b383e2c6b045e0eecd1f14d4f62be7f256f6ddd9848cacef8785
Instruction ID: a6dc46a1ac747b1df6f49b20b287b9a63e2ec98da8de7deae82efe0a0170cbcd
Opcode Fuzzy Hash: 5681ff0c9a35b383e2c6b045e0eecd1f14d4f62be7f256f6ddd9848cacef8785
Instruction Fuzzy Hash: A82137711047009BC714BBB1DC5AAAF7669AF94B06F00443FF907A61E2EF38C945C76A

Function 0040E2F1 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 212processCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,?,?,004750FC), ref: 0040E30B
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,004750FC), ref: 0040E336
Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040E352
Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E3D5
CloseHandle.KERNEL32(00000000,?,?,004750FC), ref: 0040E3E4

Part of subcall function 004128AD: RegCreateKeyA.ADVAPI32(80000001,00000000,TeF), ref: 004128BB
Part of subcall function 004128AD: RegSetValueExA.KERNEL32(TeF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004670E0,00000001,000000AF,00466554), ref: 004128D6
Part of subcall function 004128AD: RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004670E0,00000001,000000AF,00466554), ref: 004128E1

CloseHandle.KERNEL32(00000000,?,?,004750FC), ref: 0040E449

Strings

C:\Program Files(x86)\Internet Explorer\, xrefs: 0040E497
ielowutil.exe, xrefs: 0040E4EF
Inj, xrefs: 0040E5ED
ieinstal.exe, xrefs: 0040E4AE

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: Close$CreateHandleProcess32$FileFirstModuleNameNextSnapshotToolhelp32Value
String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe
API String ID: 726551946-1743721670
Opcode ID: 87cce9a4a50cd951755034059d670aab1d0f5bf3cc04a74559395d6e1b5a5523
Instruction ID: 57de327b15d82dbd2eac346b6cac6cdabb084366653080b34320caf9a24139d1
Opcode Fuzzy Hash: 87cce9a4a50cd951755034059d670aab1d0f5bf3cc04a74559395d6e1b5a5523
Instruction Fuzzy Hash: A17150311043419BC714FB62D8529AFB7A5AFD1358F400D3EF986631E2EF389919CA9A

Function 0041894A Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 197COMMON

Download Yara Rule

Strings

1, xrefs: 004189AC
2, xrefs: 00418A0C
3, xrefs: 00418A6C
5, xrefs: 00418B21
4, xrefs: 00418AD0
7, xrefs: 00418B42
0, xrefs: 00418973
6, xrefs: 00418B2B

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID:
String ID: 0$1$2$3$4$5$6$7
API String ID: 0-3177665633
Opcode ID: b71984b7227c80e84e93102ec4f3283f7503a16cd378a082500de3b756cc0677
Instruction ID: a206eb20bee8e87b23b85030021c48398d73e585fead2f4b7fd4ae1d02439eb2
Opcode Fuzzy Hash: b71984b7227c80e84e93102ec4f3283f7503a16cd378a082500de3b756cc0677
Instruction Fuzzy Hash: EA61D5B4108301AEDB00EF21C862FEA77E4AF95750F44485EF591672E2DF78AA48C797

Function 00409B10 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 108keyboardthreadCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00409B3F
GetWindowThreadProcessId.USER32(00000000,?), ref: 00409B4B
GetKeyboardLayout.USER32(00000000), ref: 00409B52
GetKeyState.USER32(00000010), ref: 00409B5C
GetKeyboardState.USER32(?), ref: 00409B67
ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 00409B8A
ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 00409BE3
ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 00409C1C

Strings

`kG, xrefs: 00409BFD

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
String ID: `kG
API String ID: 1888522110-3643241581
Opcode ID: 813865d61718a672d45ee58b0bd96c50a2cfd27caa5a932aa58d199cda8164d8
Instruction ID: 5852d3e9e60d78bbc7fecef5f6baa999b7b2ba0a9f64a262714a670a3ee03c46
Opcode Fuzzy Hash: 813865d61718a672d45ee58b0bd96c50a2cfd27caa5a932aa58d199cda8164d8
Instruction Fuzzy Hash: 3B318F72504308AFD700DF91DC45FDBB7ECEB88715F01083AB645D61A1DBB5E9488B9A

Function 00406764 Relevance: 15.8, APIs: 2, Strings: 7, Instructions: 55COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00406788
CoGetObject.OLE32(?,00000024,004669B0,00000000), ref: 004067E9

Strings

[+] CoGetObject SUCCESS, xrefs: 004067F8
Elevation:Administrator!new:, xrefs: 004067A9
[+] ucmAllocateElevatedObject, xrefs: 0040676F
[+] CoGetObject, xrefs: 004067C8
[-] CoGetObject FAILURE, xrefs: 004067F1, 00406800
{3E5FC7F9-9A51-4367-9063-A120244FBEC7}, xrefs: 0040677D, 00406782, 004067C1
$, xrefs: 004067A2

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: Object_wcslen
String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
API String ID: 240030777-3166923314
Opcode ID: 37d5bffcbb8f4b2cbb961f9636bb3800fd08e5c8d40d037755d6192962cbe9cf
Instruction ID: 6c9b37094527eb08cc4748ecdfbd23cbc672ad5faa28133fe458ce4522bc368c
Opcode Fuzzy Hash: 37d5bffcbb8f4b2cbb961f9636bb3800fd08e5c8d40d037755d6192962cbe9cf
Instruction Fuzzy Hash: B11133B29011186ADB10FAA58955A9E77BCDB48714F11047FF905F3281E77C9A0486BD

Function 00419AB8 Relevance: 15.2, APIs: 10, Instructions: 228serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,00475920), ref: 00419ACE
EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 00419B1D
GetLastError.KERNEL32 ref: 00419B2B
EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 00419B63

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: EnumServicesStatus$ErrorLastManagerOpen
String ID:
API String ID: 3587775597-0
Opcode ID: 1dd961b4c9fcac07026da5b0ee690219509832de60a9bbcba474a99ddfbcb01c
Instruction ID: 410433f0f292194423399e5208e7b63ee2478b974df0930e3a7ace9da88798fe
Opcode Fuzzy Hash: 1dd961b4c9fcac07026da5b0ee690219509832de60a9bbcba474a99ddfbcb01c
Instruction Fuzzy Hash: C28142311043049BC314FB21DC95DAFB7A8BF94718F50492EF582621D2EF78EA09CB9A

Function 0041B63A Relevance: 13.6, APIs: 9, Instructions: 105fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,004752F0,00475308), ref: 0041B694
FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,004752F0,00475308), ref: 0041B6C6
SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,?,004752F0,00475308), ref: 0041B734
DeleteFileW.KERNEL32(?,?,?,?,?,?,?,004752F0,00475308), ref: 0041B741

Part of subcall function 0041B63A: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,004752F0,00475308), ref: 0041B717

FindClose.KERNEL32(00000000,?,?,?,?,?,?,004752F0,00475308), ref: 0041B76C
RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,004752F0,00475308), ref: 0041B773
GetLastError.KERNEL32(?,?,?,?,?,?,004752F0,00475308), ref: 0041B77B
FindClose.KERNEL32(00000000,?,?,?,?,?,?,004752F0,00475308), ref: 0041B78E

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
String ID:
API String ID: 2341273852-0
Opcode ID: 29d361786a175de539fdf9d753c964fcdbe74632238a9f507c15aa3fc292f646
Instruction ID: 009c1ade3c0c7cd9a9baeecb78710ce3116f293085b5e5d3e47bbce280e6f24a
Opcode Fuzzy Hash: 29d361786a175de539fdf9d753c964fcdbe74632238a9f507c15aa3fc292f646
Instruction Fuzzy Hash: 2931937180521CAACB20E7B19C89FDA777CAF55304F0404EBF515E2181EF799AC4CB69

Function 004099E4 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 65windowCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000,00000000), ref: 00409A01
SetWindowsHookExA.USER32(0000000D,004099D0,00000000), ref: 00409A0F
GetLastError.KERNEL32 ref: 00409A1B

Part of subcall function 0041A891: GetLocalTime.KERNEL32(00000000), ref: 0041A8AB

GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00409A6B
TranslateMessage.USER32(?), ref: 00409A7A
DispatchMessageA.USER32(?), ref: 00409A85

Strings

Keylogger initialization failure: error , xrefs: 00409A32

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
String ID: Keylogger initialization failure: error
API String ID: 3219506041-952744263
Opcode ID: f2a80d151208758e6afc74d82101205d1ca29a01e7b98fe90d84783cd74d0796
Instruction ID: 916e88852ed13b3ab14e3660f0b3d121b0d8821096f38c6baae7fa71b0b7a026
Opcode Fuzzy Hash: f2a80d151208758e6afc74d82101205d1ca29a01e7b98fe90d84783cd74d0796
Instruction Fuzzy Hash: 6D118271604301AFC710BB7A9C4996B77ECAB94B15B10057EFC45E2191EE34DA01CBAA

Function 0041301D Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 391registrylibraryloaderCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 004130F2
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 004130FE

Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD

LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 004132C5
GetProcAddress.KERNEL32(00000000), ref: 004132CC

Strings

SHDeleteKeyW, xrefs: 004132BB
Shlwapi.dll, xrefs: 004132C0

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: AddressCloseCreateLibraryLoadProcsend
String ID: SHDeleteKeyW$Shlwapi.dll
API String ID: 2127411465-314212984
Opcode ID: 2459b1c664915d925d81c824268ac5754b06978dc3e217c8bf61482ddf1307ee
Instruction ID: 0508f95716d3db9771c6b78d28bd3d55684df0f5bc265fe56362dad8d88080f3
Opcode Fuzzy Hash: 2459b1c664915d925d81c824268ac5754b06978dc3e217c8bf61482ddf1307ee
Instruction Fuzzy Hash: CEB1A371A043006BC614FA76CC979BE76695F9471CF40063FF846B31E2EE7C9A48869B

Function 00418E5F Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 245fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?), ref: 004190B5
FindNextFileW.KERNEL32(00000000,?,?), ref: 00419181

Part of subcall function 0041B825: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B83E

Strings

VG, xrefs: 00419094
VG, xrefs: 00418EE8
PSG, xrefs: 00418F55
NG, xrefs: 00418E8F

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: File$Find$CreateFirstNext
String ID: PSG$NG$VG$VG
API String ID: 341183262-216422830
Opcode ID: d5472ee4fc903d765e5c5a5d55839736b24a63a4751dd8861cc683d0aaa7895c
Instruction ID: 0b04574543ffaf1c42473f802d0f517b04b5d48d9dde9d4f65c428d20583ff9f
Opcode Fuzzy Hash: d5472ee4fc903d765e5c5a5d55839736b24a63a4751dd8861cc683d0aaa7895c
Instruction Fuzzy Hash: AF8150315042405AC314FB71C8A6EEF73A8AFD0718F50493FF946671E2EF389A49C69A

Function 004515C7 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 188COMMON

Download Yara Rule

APIs

Part of subcall function 004470CF: GetLastError.KERNEL32(?,00000000,0043EAE7,?,0041AD7E,-00476D74,?,?,?,?,00466900,0040C07B,.vbs), ref: 004470D3
Part of subcall function 004470CF: _free.LIBCMT ref: 00447106
Part of subcall function 004470CF: SetLastError.KERNEL32(00000000,?,0041AD7E,-00476D74,?,?,?,?,00466900,0040C07B,.vbs), ref: 00447147
Part of subcall function 004470CF: _abort.LIBCMT ref: 0044714D

Part of subcall function 004470CF: _free.LIBCMT ref: 0044712E
Part of subcall function 004470CF: SetLastError.KERNEL32(00000000,?,0041AD7E,-00476D74,?,?,?,?,00466900,0040C07B,.vbs), ref: 0044713B

GetUserDefaultLCID.KERNEL32 ref: 004516D3
IsValidCodePage.KERNEL32(00000000), ref: 0045172E
IsValidLocale.KERNEL32(?,00000001), ref: 0045173D
GetLocaleInfoW.KERNEL32(?,00001001,?,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 00451785
GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 004517A4

Strings

(E, xrefs: 00451680

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
String ID: (E
API String ID: 745075371-542121585
Opcode ID: 0fc09d9a1655c18af9cc3a5c9220ea17ec928df34c5b051db0497d23c970fe5b
Instruction ID: 0c55cced660072bbdea70b00f38c40adf5ab32faa3293abc4b1f14fb3cf6f882
Opcode Fuzzy Hash: 0fc09d9a1655c18af9cc3a5c9220ea17ec928df34c5b051db0497d23c970fe5b
Instruction Fuzzy Hash: EB5193719002059BDB10EFA5CC41BBF77B8AF04706F18056BFD11EB262DB789949CB69

Function 0040B21B Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 48fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040B257
GetLastError.KERNEL32 ref: 0040B261

Strings

\AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040B222
[Chrome StoredLogins not found], xrefs: 0040B27B
UserProfile, xrefs: 0040B227
[Chrome StoredLogins found, cleared!], xrefs: 0040B287

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: DeleteErrorFileLast
String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
API String ID: 2018770650-1062637481
Opcode ID: ffc379b1f4f57ff41c63bd3c2d707756a9e9de96e87acca1eb5f1fcba91254f6
Instruction ID: af3d5975f8ef5736f4e1f689bc2271043fd855ebe8bb8600121af3fad6928989
Opcode Fuzzy Hash: ffc379b1f4f57ff41c63bd3c2d707756a9e9de96e87acca1eb5f1fcba91254f6
Instruction Fuzzy Hash: 5C01D63168010597CA0476B6DC6F8AF3B24E921708B10017FF802731E2FF3A9905C6DE

Function 00416C9D Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 32COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028,?), ref: 00416CAA
OpenProcessToken.ADVAPI32(00000000), ref: 00416CB1
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00416CC3
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00416CE2
GetLastError.KERNEL32 ref: 00416CE8

Strings

SeShutdownPrivilege, xrefs: 00416CBD

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
String ID: SeShutdownPrivilege
API String ID: 3534403312-3733053543
Opcode ID: 594fceb9dcf720018193b7af68db4771e8a957862718425d2e1bf0ede3cec24e
Instruction ID: cb90277d3e2bb8506008076be0b211c0c8a285b816e0fe18bd298ac82c07c5c8
Opcode Fuzzy Hash: 594fceb9dcf720018193b7af68db4771e8a957862718425d2e1bf0ede3cec24e
Instruction Fuzzy Hash: EEF0DA75901229BBDB109B91DC4DEEF7EBCEF05656F110065B805B20A2DE748A08CAA5

Function 004089A9 Relevance: 9.3, APIs: 6, Instructions: 288fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004089AE

Part of subcall function 004041F1: socket.WS2_32(?,00000001,00000006), ref: 00404212

Part of subcall function 0040428C: connect.WS2_32(?,?,?), ref: 004042A5

FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 00408A8D
FindNextFileW.KERNEL32(00000000,?), ref: 00408AE0
FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 00408AF7

Part of subcall function 00404468: WaitForSingleObject.KERNEL32(?,00000000,{NAL,?,?,00000004,?,?,00000004,00474EE0,004755B0,00000000), ref: 0040450E
Part of subcall function 00404468: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00474EE0,004755B0,00000000,?,?,?,?,?,00414E7B), ref: 0040453C

Part of subcall function 004047EB: WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 004047FD
Part of subcall function 004047EB: SetEvent.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404808
Part of subcall function 004047EB: CloseHandle.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404811

__CxxThrowException@8.LIBVCRUNTIME ref: 00408DA1

Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: Find$CloseEventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsendsocket
String ID:
API String ID: 4043647387-0
Opcode ID: a508deb2e15bf0734952bcbcdf415dcd22d29f087616135b7b35d056b719708c
Instruction ID: d6647de2ed81915fd1100427b9b1f0ab8477674b12134c2b00fdd843198b9521
Opcode Fuzzy Hash: a508deb2e15bf0734952bcbcdf415dcd22d29f087616135b7b35d056b719708c
Instruction Fuzzy Hash: 0DA16E719001089BCB14EBA1DD92AEDB779AF54318F10427FF506B71D2EF385E498B98

Function 00419DBA Relevance: 9.0, APIs: 6, Instructions: 39serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,?,?,00419A10,00000000,00000000), ref: 00419DC3
OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,?,00419A10,00000000,00000000), ref: 00419DD8
CloseServiceHandle.ADVAPI32(00000000,?,?,00419A10,00000000,00000000), ref: 00419DE5
StartServiceW.ADVAPI32(00000000,00000000,00000000,?,?,00419A10,00000000,00000000), ref: 00419DF0
CloseServiceHandle.ADVAPI32(00000000,?,?,00419A10,00000000,00000000), ref: 00419E02
CloseServiceHandle.ADVAPI32(00000000,?,?,00419A10,00000000,00000000), ref: 00419E05

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ManagerStart
String ID:
API String ID: 276877138-0
Opcode ID: 00dd88d246c508cd594f9e4dbbd0cebe3cb146fd406597d5305be7e4eea51918
Instruction ID: bfab90d9ddd5c2d56401b7e15998ac1c6a079cb4321381bf248b2ffa9e014974
Opcode Fuzzy Hash: 00dd88d246c508cd594f9e4dbbd0cebe3cb146fd406597d5305be7e4eea51918
Instruction Fuzzy Hash: 60F0E9715403146FD2115B31EC88DBF2A6CDF85BB2B01002EF442A3191CF78CD4995B5

Function 00450C8F Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 004470CF: GetLastError.KERNEL32(?,00000000,0043EAE7,?,0041AD7E,-00476D74,?,?,?,?,00466900,0040C07B,.vbs), ref: 004470D3
Part of subcall function 004470CF: _free.LIBCMT ref: 00447106
Part of subcall function 004470CF: SetLastError.KERNEL32(00000000,?,0041AD7E,-00476D74,?,?,?,?,00466900,0040C07B,.vbs), ref: 00447147
Part of subcall function 004470CF: _abort.LIBCMT ref: 0044714D

IsValidCodePage.KERNEL32(00000000), ref: 00450D71
_wcschr.LIBVCRUNTIME ref: 00450E01
_wcschr.LIBVCRUNTIME ref: 00450E0F
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,?,00000000,?), ref: 00450EB2

Strings

(E, xrefs: 00450D02

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
String ID: (E
API String ID: 4212172061-542121585
Opcode ID: 525fb552d7aeb9fb623c01643774e1165a4f5fb6212cfae64aaece48c14ad97c
Instruction ID: 16e6850baad922d2e300dda2121b2fdf61a8ef58a3873fa5b3432b878cecddba
Opcode Fuzzy Hash: 525fb552d7aeb9fb623c01643774e1165a4f5fb6212cfae64aaece48c14ad97c
Instruction Fuzzy Hash: A361FC7A500306AAD725AB75CC42ABB73A8EF44316F14082FFD05D7243EB78E949C769

Function 00415A51 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 97libraryloadershutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00416C9D: GetCurrentProcess.KERNEL32(00000028,?), ref: 00416CAA
Part of subcall function 00416C9D: OpenProcessToken.ADVAPI32(00000000), ref: 00416CB1
Part of subcall function 00416C9D: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00416CC3
Part of subcall function 00416C9D: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00416CE2
Part of subcall function 00416C9D: GetLastError.KERNEL32 ref: 00416CE8

ExitWindowsEx.USER32(00000000,00000001), ref: 00415AF3
LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 00415B08
GetProcAddress.KERNEL32(00000000), ref: 00415B0F

Strings

PowrProf.dll, xrefs: 00415B03
SetSuspendState, xrefs: 00415AFE

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
String ID: PowrProf.dll$SetSuspendState
API String ID: 1589313981-1420736420
Opcode ID: d92d30d0335d97d8d7db0740593d3c56abbde8cd3663cc10582ea85cb9393ce0
Instruction ID: be3657bdb4b9c596b700244bf1edaf45c421fe256a6f88bebcc25452880e9c8a
Opcode Fuzzy Hash: d92d30d0335d97d8d7db0740593d3c56abbde8cd3663cc10582ea85cb9393ce0
Instruction Fuzzy Hash: 84215E71644741A6CB14FBB198A6AFF22599F80748F40483FB442771D2EF7CE889865E

Function 004513F3 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002), ref: 0045148C
GetLocaleInfoW.KERNEL32(?,20001004,?,00000002), ref: 004514B5
GetACP.KERNEL32 ref: 004514CA

Strings

ACP, xrefs: 00451411
OCP, xrefs: 00451447

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 7de529321666405c3dbd177549b20e94864b34fdb637d578d31b634f87125a95
Instruction ID: 27270ea0035267e4249f05f4639a08e7e92d7e6a6a5113c6df6fa5280cb26525
Opcode Fuzzy Hash: 7de529321666405c3dbd177549b20e94864b34fdb637d578d31b634f87125a95
Instruction Fuzzy Hash: 0821C731600100B7DB308F54C901FA773A6AF52B67F5A9566EC0AD7223EB3ADD49C399

Function 0041A84A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041A85B
LoadResource.KERNEL32(00000000,?,?,0040E25B,00000000), ref: 0041A86F
LockResource.KERNEL32(00000000,?,?,0040E25B,00000000), ref: 0041A876
SizeofResource.KERNEL32(00000000,?,?,0040E25B,00000000), ref: 0041A885

Strings

SETTINGS, xrefs: 0041A84E

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: Resource$FindLoadLockSizeof
String ID: SETTINGS
API String ID: 3473537107-594951305
Opcode ID: af91fd7a50235684c3f0857021386823e2c7131a01440ecb0520647964aa65c6
Instruction ID: 1fe06f9b0c9a023904624b9b61caa7bd4c13f92b8b5c35c0d543cfa28092256f
Opcode Fuzzy Hash: af91fd7a50235684c3f0857021386823e2c7131a01440ecb0520647964aa65c6
Instruction Fuzzy Hash: DAE01A76240720ABCB211BA1BD4CD073E39F7867637000039F549A2221CE75CC52CB29

Function 00407A8C Relevance: 7.7, APIs: 5, Instructions: 183fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00407A91
FindFirstFileW.KERNEL32(00000000,?,00466AA0,00000000), ref: 00407B4A
FindNextFileW.KERNEL32(00000000,?), ref: 00407B6E
FindClose.KERNEL32(00000000), ref: 00407C76

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstH_prologNext
String ID:
API String ID: 1157919129-0
Opcode ID: 825db6ed8cf1b61796f5abc5fd1a8028dfa2d60821a7186610f6e13ce0024b84
Instruction ID: e1cc7e471fba1e38487cd482a49156f4879f85d64aa43a49cb1f79655cfb0c65
Opcode Fuzzy Hash: 825db6ed8cf1b61796f5abc5fd1a8028dfa2d60821a7186610f6e13ce0024b84
Instruction Fuzzy Hash: 325162729001085ACB14FBA5DD969ED7B78AF50318F50417FB806B31D2EF3CAB498B99

Function 00406128 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 222filenetworkCOMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406234
URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 00406318

Strings

open, xrefs: 0040622E
C:\Users\user\Desktop\preliminary drawing.pif.exe, xrefs: 0040627F, 004063A7

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: DownloadExecuteFileShell
String ID: C:\Users\user\Desktop\preliminary drawing.pif.exe$open
API String ID: 2825088817-3175848092
Opcode ID: 57b38cfa888634cb9786fcc5f1b485a47139095d26d74e3cbbb7cc8f6efb82cd
Instruction ID: e32f65eb076a11421f0b28df520d432f118a03887cfea0ef8c7e4d0a3f62d172
Opcode Fuzzy Hash: 57b38cfa888634cb9786fcc5f1b485a47139095d26d74e3cbbb7cc8f6efb82cd
Instruction Fuzzy Hash: E361CF3160430067CA14FA76D8569BE37A59F81718F01493FBC46772E6EF3CAA05C69B

Function 00406AC2 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 86fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00406ADD
FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00406BA5

Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD

Strings

pPG, xrefs: 00406AFD
pPG, xrefs: 00406BC0

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: FileFind$FirstNextsend
String ID: pPG$pPG
API String ID: 4113138495-3204143781
Opcode ID: 4651dc21dd0b10dc8ecedf64783671dbc3da449603e24c6c06f5e5f067670ff5
Instruction ID: b94dab712156e78be0f8cc3bef15d45c6a114b58aade1ae888b20ae253cfdc5a
Opcode Fuzzy Hash: 4651dc21dd0b10dc8ecedf64783671dbc3da449603e24c6c06f5e5f067670ff5
Instruction Fuzzy Hash: F42187715043015BC714FB61DC95DEF77A8AF90318F40093EF996A31E1EF38AA08CA9A

Function 0041BD82 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 83COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041BE77

Part of subcall function 004127AA: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004127B9
Part of subcall function 004127AA: RegSetValueExA.KERNEL32(?,XwF,00000000,?,00000000,00000000,00475308,?,?,0040E6D3,00467758,6.0.0 Pro), ref: 004127E1
Part of subcall function 004127AA: RegCloseKey.KERNEL32(?,?,?,0040E6D3,00467758,6.0.0 Pro), ref: 004127EC

Strings

Control Panel\Desktop, xrefs: 0041BDBD, 0041BDF0, 0041BE40
TileWallpaper, xrefs: 0041BE61
WallpaperStyle, xrefs: 0041BDC2, 0041BDF5, 0041BE45

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: CloseCreateInfoParametersSystemValue
String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
API String ID: 4127273184-3576401099
Opcode ID: 1bfbc671ca30572d5e0ca39cbb0dc07168f4c8bf227b605aad73ba7146cfac54
Instruction ID: 3b74369dcb7a8544f1b55df16a592c3d868ba554001bd6a4c71ed5c97b6fc17b
Opcode Fuzzy Hash: 1bfbc671ca30572d5e0ca39cbb0dc07168f4c8bf227b605aad73ba7146cfac54
Instruction Fuzzy Hash: F5112132B8035033D518313A5E67BBF2816D34AB60F55415FB6066A6CAFADE4AA103DF

Function 00408DA7 Relevance: 6.2, APIs: 4, Instructions: 206fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00408DAC
FindFirstFileW.KERNEL32(00000000,?), ref: 00408E24
FindNextFileW.KERNEL32(00000000,?), ref: 00408E4D

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: FileFind$FirstH_prologNext
String ID:
API String ID: 301083792-0
Opcode ID: 5518eca4622eae9ca265b1edbc55199914e805ea816dc3e4fecef9c9c3ac9731
Instruction ID: 402ed7a5658d2f2a6adb961a0daa6f616ba37c5e7974c2bf040f6c8ce137202a
Opcode Fuzzy Hash: 5518eca4622eae9ca265b1edbc55199914e805ea816dc3e4fecef9c9c3ac9731
Instruction Fuzzy Hash: 127141728001199BCB15EBA1DC919EE7778AF54314F10427FE846B71E2EF385E49CB98

Function 00448267 Relevance: 6.1, APIs: 4, Instructions: 90timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00448277

Part of subcall function 00446CD5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FC60,00000000,00000000,00000000,00000000,?,0044FF04,00000000,00000007,00000000,?,00450415,00000000), ref: 00446CEB
Part of subcall function 00446CD5: GetLastError.KERNEL32(00000000,?,0044FC60,00000000,00000000,00000000,00000000,?,0044FF04,00000000,00000007,00000000,?,00450415,00000000,00000000), ref: 00446CFD

GetTimeZoneInformation.KERNEL32 ref: 00448289
WideCharToMultiByte.KERNEL32(00000000,?,0047279C,000000FF,?,0000003F,?,?), ref: 00448301
WideCharToMultiByte.KERNEL32(00000000,?,004727F0,000000FF,?,0000003F,?,?,?,0047279C,000000FF,?,0000003F,?,?), ref: 0044832E

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
String ID:
API String ID: 806657224-0
Opcode ID: 19c7acd3c199f22d3cb7e6366532db59579824ff8816259e0e4b7be5ccd06bfe
Instruction ID: 51a0df1beadfd175f23f317ccc42380fbea08efb17929679258b12983fd701b8
Opcode Fuzzy Hash: 19c7acd3c199f22d3cb7e6366532db59579824ff8816259e0e4b7be5ccd06bfe
Instruction Fuzzy Hash: 2331FE70804205DFEB04DFA8CE8187EBBB8FF05B10B1442AFE454AB2A1DBB58D41CB58

Function 0045107A Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 004470CF: GetLastError.KERNEL32(?,00000000,0043EAE7,?,0041AD7E,-00476D74,?,?,?,?,00466900,0040C07B,.vbs), ref: 004470D3
Part of subcall function 004470CF: _free.LIBCMT ref: 00447106
Part of subcall function 004470CF: SetLastError.KERNEL32(00000000,?,0041AD7E,-00476D74,?,?,?,?,00466900,0040C07B,.vbs), ref: 00447147
Part of subcall function 004470CF: _abort.LIBCMT ref: 0044714D

Part of subcall function 004470CF: _free.LIBCMT ref: 0044712E
Part of subcall function 004470CF: SetLastError.KERNEL32(00000000,?,0041AD7E,-00476D74,?,?,?,?,00466900,0040C07B,.vbs), ref: 0044713B

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004510CE
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0045111F
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004511DF

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: ErrorInfoLastLocale$_free$_abort
String ID:
API String ID: 2829624132-0
Opcode ID: 4ccd470e7056d0993d775e4889ca6716d379c6c68ae6626d29c84cbf2dc0103e
Instruction ID: aee342ac21436657f5846041838c3bd09d84a4d920a4c2a145562aed062da8a9
Opcode Fuzzy Hash: 4ccd470e7056d0993d775e4889ca6716d379c6c68ae6626d29c84cbf2dc0103e
Instruction Fuzzy Hash: F661D8719005079BDB289F25CC82B7677A8EF04306F1041BBFD05D66A2EB78D949DB58

Function 0043A86D Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 0043A965
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 0043A96F
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 0043A97C

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: af6e046c0509c32b3386d0bc76265e00dd1467fe013a3816057f721e951f2d82
Instruction ID: 2e36d9e0b5662236be867d7d52d6a22dc3a0b47d07fc7de068387a758ceea7c7
Opcode Fuzzy Hash: af6e046c0509c32b3386d0bc76265e00dd1467fe013a3816057f721e951f2d82
Instruction Fuzzy Hash: E731D6B491131CABCB21DF24D98978DB7B8BF08311F5051EAE80CA7251EB749F818F49

Function 00442764 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000003,?,0044273A,00000003,0046EAF0,0000000C,00442891,00000003,00000002,00000000,?,00445608,00000003), ref: 00442785
TerminateProcess.KERNEL32(00000000,?,0044273A,00000003,0046EAF0,0000000C,00442891,00000003,00000002,00000000,?,00445608,00000003), ref: 0044278C
ExitProcess.KERNEL32 ref: 0044279E

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 580307e7f9ed19ccdf9c10412063d8ea8bc62da0884c48fe7532ae208af4f440
Instruction ID: c8bd48e99420b6c7b8697c64d03bd4ba31791432aa3bec6fd876c0c539ce8582
Opcode Fuzzy Hash: 580307e7f9ed19ccdf9c10412063d8ea8bc62da0884c48fe7532ae208af4f440
Instruction Fuzzy Hash: 7EE04F31000704AFEF016F10DD099493F29EF50396F448469F90896132CF79DC42CA48

Function 004477A7 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,?,?,00000004), ref: 004477FA

Strings

GetLocaleInfoEx, xrefs: 004477B8, 004477C2

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: GetLocaleInfoEx
API String ID: 2299586839-2904428671
Opcode ID: 6bd799bfac9af36fd133eb5d72b5b36b41e76e7aabeb18fd4f2c376b7933ddb9
Instruction ID: 58a0a1dc03b065be57d87c6409a63545e464c60cfee5b8c381720ea1698dad41
Opcode Fuzzy Hash: 6bd799bfac9af36fd133eb5d72b5b36b41e76e7aabeb18fd4f2c376b7933ddb9
Instruction Fuzzy Hash: A0F0F631640318B7DB056F61CC06F6E7B64DB04712F10019AFC0467252CF75AB119A9D

Function 004512CA Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 004470CF: GetLastError.KERNEL32(?,00000000,0043EAE7,?,0041AD7E,-00476D74,?,?,?,?,00466900,0040C07B,.vbs), ref: 004470D3
Part of subcall function 004470CF: _free.LIBCMT ref: 00447106
Part of subcall function 004470CF: SetLastError.KERNEL32(00000000,?,0041AD7E,-00476D74,?,?,?,?,00466900,0040C07B,.vbs), ref: 00447147
Part of subcall function 004470CF: _abort.LIBCMT ref: 0044714D

Part of subcall function 004470CF: _free.LIBCMT ref: 0044712E
Part of subcall function 004470CF: SetLastError.KERNEL32(00000000,?,0041AD7E,-00476D74,?,?,?,?,00466900,0040C07B,.vbs), ref: 0044713B

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0045131E

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free$InfoLocale_abort
String ID:
API String ID: 1663032902-0
Opcode ID: 027c1458d5ed6f74873aa8befa95add74770dc8593dc036e5844a1523a9cce00
Instruction ID: 0b21b5069fbf1db5bec531630a8d3eee6f1f474d64bb54c6a1c44a3d8e2cc721
Opcode Fuzzy Hash: 027c1458d5ed6f74873aa8befa95add74770dc8593dc036e5844a1523a9cce00
Instruction Fuzzy Hash: 2221D372501206ABEB24AB25CC61B7B77ACEB04316F10017BFD01D6663EB78AD49CB58

Function 00450F52 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 004470CF: GetLastError.KERNEL32(?,00000000,0043EAE7,?,0041AD7E,-00476D74,?,?,?,?,00466900,0040C07B,.vbs), ref: 004470D3
Part of subcall function 004470CF: _free.LIBCMT ref: 00447106
Part of subcall function 004470CF: SetLastError.KERNEL32(00000000,?,0041AD7E,-00476D74,?,?,?,?,00466900,0040C07B,.vbs), ref: 00447147
Part of subcall function 004470CF: _abort.LIBCMT ref: 0044714D

EnumSystemLocalesW.KERNEL32(0045107A,00000001), ref: 00450FC4

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: a134b41bc5d829e9728389bdda47c80537993d0b30dc1e425e33777d79c51bee
Instruction ID: 451a354658792f2252a151bea30e2a99c0585190810680eeac5085bd3c0c80bb
Opcode Fuzzy Hash: a134b41bc5d829e9728389bdda47c80537993d0b30dc1e425e33777d79c51bee
Instruction Fuzzy Hash: FD11293B2007019FDB28AF39C8916BABB92FF8435AB14442DE94747B41D7B9B847C744

Function 004514FA Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 004470CF: GetLastError.KERNEL32(?,00000000,0043EAE7,?,0041AD7E,-00476D74,?,?,?,?,00466900,0040C07B,.vbs), ref: 004470D3
Part of subcall function 004470CF: _free.LIBCMT ref: 00447106
Part of subcall function 004470CF: SetLastError.KERNEL32(00000000,?,0041AD7E,-00476D74,?,?,?,?,00466900,0040C07B,.vbs), ref: 00447147
Part of subcall function 004470CF: _abort.LIBCMT ref: 0044714D

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00451298,00000000,00000000,?), ref: 00451526

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: ErrorLast$InfoLocale_abort_free
String ID:
API String ID: 2692324296-0
Opcode ID: e9c166646f4e8be508f26cbb69da8eb03fae0b992987a41753d1b836ab3c7f93
Instruction ID: d2fe2c3fce417e68b0623dfb5eb434355baf81d8c10f12b7a8aa08190ad777f0
Opcode Fuzzy Hash: e9c166646f4e8be508f26cbb69da8eb03fae0b992987a41753d1b836ab3c7f93
Instruction Fuzzy Hash: 4AF0F9326102197BDB289A258C46BBB7758EB80755F04046AEC07A3251FA78FD45C6D4

Function 00450FED Relevance: 1.5, APIs: 1, Instructions: 42COMMON

Download Yara Rule

APIs

Part of subcall function 004470CF: GetLastError.KERNEL32(?,00000000,0043EAE7,?,0041AD7E,-00476D74,?,?,?,?,00466900,0040C07B,.vbs), ref: 004470D3
Part of subcall function 004470CF: _free.LIBCMT ref: 00447106
Part of subcall function 004470CF: SetLastError.KERNEL32(00000000,?,0041AD7E,-00476D74,?,?,?,?,00466900,0040C07B,.vbs), ref: 00447147
Part of subcall function 004470CF: _abort.LIBCMT ref: 0044714D

EnumSystemLocalesW.KERNEL32(004512CA,00000001), ref: 00451039

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: 2da37f9c60ed282c2569fb951be8b84fd8ff701b01c1be73a4a75f5379a712b9
Instruction ID: 969c50ee721750b2a7664082bdad3607fc28c6e2ba06475257799e5d9796a5a7
Opcode Fuzzy Hash: 2da37f9c60ed282c2569fb951be8b84fd8ff701b01c1be73a4a75f5379a712b9
Instruction Fuzzy Hash: 19F028363003045FDB245F76DC81B7B7B95EF8075DF04442EFD4187A92D6B99C828604

Function 004472BE Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

Part of subcall function 00444CDC: EnterCriticalSection.KERNEL32(-00063ED4,?,0044246B,00000000,0046EAD0,0000000C,00442426,?,?,?,00448949,?,?,00447184,00000001,00000364), ref: 00444CEB

EnumSystemLocalesW.KERNEL32(Function_00047278,00000001,0046EC58,0000000C), ref: 004472F6

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: ce5d864c7127ce76761e0cbea026e968eb5e88cd2d94c9e55423b39c5525c7e8
Instruction ID: acebf021cc54f47487df9b00313a15cc1bfd22b3d47c3c45ccbcf72c34342655
Opcode Fuzzy Hash: ce5d864c7127ce76761e0cbea026e968eb5e88cd2d94c9e55423b39c5525c7e8
Instruction Fuzzy Hash: 97F06236620200DFEB10EF79DE46B5D37E0EB44715F10816AF414DB2A1CBB89981DB4D

Function 00450F07 Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 004470CF: GetLastError.KERNEL32(?,00000000,0043EAE7,?,0041AD7E,-00476D74,?,?,?,?,00466900,0040C07B,.vbs), ref: 004470D3
Part of subcall function 004470CF: _free.LIBCMT ref: 00447106
Part of subcall function 004470CF: SetLastError.KERNEL32(00000000,?,0041AD7E,-00476D74,?,?,?,?,00466900,0040C07B,.vbs), ref: 00447147
Part of subcall function 004470CF: _abort.LIBCMT ref: 0044714D

EnumSystemLocalesW.KERNEL32(00450E5E,00000001), ref: 00450F3E

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: aa320ee5390be2936928ec7e374a8c8035c75422647d7bb5b460fc6948d3ae5e
Instruction ID: 7585e2e2e927d60b614fbbb7cbec4ece609ea7599c31e6a5607aeddcbc8761df
Opcode Fuzzy Hash: aa320ee5390be2936928ec7e374a8c8035c75422647d7bb5b460fc6948d3ae5e
Instruction Fuzzy Hash: 89F0E53A30020557CB28AF35D845B6A7F94EFC1715B16449EFE098B252C67AD886C794

Function 00433EE2 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00033EEE,00433BBC), ref: 00433EE7

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: e588410f7d772084ad9b5e6a201b2d06307ba3208cc6e1757a1b1bd45e9a1e30
Instruction ID: 9bcc487b38fe881941be7e97ad5738302595bcb4dafebc2e14986f4c0a09dd7d
Opcode Fuzzy Hash: e588410f7d772084ad9b5e6a201b2d06307ba3208cc6e1757a1b1bd45e9a1e30
Instruction Fuzzy Hash:

Function 0044EB3E Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0044EB3E

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 92e8274eb45f99ac31ca5a7841fd9c067bc26919afa491827186e59168ab32af
Instruction ID: 07883168748708d5871df038b293f30180ed36dce4f2d3eb69edcdcf819b44e4
Opcode Fuzzy Hash: 92e8274eb45f99ac31ca5a7841fd9c067bc26919afa491827186e59168ab32af
Instruction Fuzzy Hash: 8EA01130202202CBA3008F32AB0A20A3BA8AA00AA23028038A00AC02A0EE2080808A08

Function 00418195 Relevance: 51.1, APIs: 28, Strings: 1, Instructions: 324windowmemoryCOMMON

Download Yara Rule

APIs

CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 004181AF
CreateCompatibleDC.GDI32(00000000), ref: 004181BA

Part of subcall function 00418648: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00418678

CreateCompatibleBitmap.GDI32(?,00000000), ref: 0041823B
DeleteDC.GDI32(?), ref: 00418253
DeleteDC.GDI32(00000000), ref: 00418256
SelectObject.GDI32(00000000,00000000), ref: 00418261
StretchBlt.GDI32(00000000,00000000,00000000,00000000,?,?,?,?,00000000,?,00CC0020), ref: 00418289
GetIconInfo.USER32(?,?), ref: 004182C1
DeleteObject.GDI32(?), ref: 004182F0
DeleteObject.GDI32(?), ref: 004182FD
DrawIcon.USER32(00000000,?,?,?), ref: 0041830A
BitBlt.GDI32(00000000,00000000,00000000,00000000,?,?,00000000,00000000,00660046), ref: 0041833A
GetObjectA.GDI32(?,00000018,?), ref: 00418369
LocalAlloc.KERNEL32(00000040,00000028), ref: 004183B2
LocalAlloc.KERNEL32(00000040,00000001), ref: 004183D5
GlobalAlloc.KERNEL32(00000000,?), ref: 0041843E
GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00418461
DeleteDC.GDI32(?), ref: 00418475
DeleteDC.GDI32(00000000), ref: 00418478
DeleteObject.GDI32(00000000), ref: 0041847B
GlobalFree.KERNEL32(00CC0020), ref: 00418486
DeleteObject.GDI32(00000000), ref: 0041853A
GlobalFree.KERNEL32(?), ref: 00418541
DeleteDC.GDI32(?), ref: 00418551
DeleteDC.GDI32(00000000), ref: 0041855C
DeleteDC.GDI32(?), ref: 0041858E
DeleteDC.GDI32(00000000), ref: 00418591
DeleteObject.GDI32(?), ref: 00418597

Strings

DISPLAY, xrefs: 004181A8

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: Delete$Object$AllocCreateGlobal$CompatibleFreeIconLocal$BitmapBitsDisplayDrawEnumInfoSelectSettingsStretch
String ID: DISPLAY
API String ID: 1765752176-865373369
Opcode ID: 3b5eff618c310a3f26b0588bb760a1350030e56d12bb63992aa9b478e52d14e6
Instruction ID: a1654617e6feb41a21483335bab58d6c80918fdf06c9fa75f2eb3c48c5790805
Opcode Fuzzy Hash: 3b5eff618c310a3f26b0588bb760a1350030e56d12bb63992aa9b478e52d14e6
Instruction Fuzzy Hash: EFC16C31504344AFD7209F21CC44BABBBE9EF88751F44482EF989A32A1DF34E945CB5A

Function 0041742B Relevance: 47.5, APIs: 22, Strings: 5, Instructions: 290libraryloaderthreadCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00417472
GetProcAddress.KERNEL32(00000000), ref: 00417475
GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 00417486
GetProcAddress.KERNEL32(00000000), ref: 00417489
GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 0041749A
GetProcAddress.KERNEL32(00000000), ref: 0041749D
GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004174AE
GetProcAddress.KERNEL32(00000000), ref: 004174B1
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00417552
VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041756A
GetThreadContext.KERNEL32(?,00000000), ref: 00417580
ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 004175A6
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00417626
TerminateProcess.KERNEL32(?,00000000), ref: 0041763A
GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 00417671
WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 0041773E
SetThreadContext.KERNEL32(?,00000000), ref: 0041775B
ResumeThread.KERNEL32(?), ref: 00417768
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00417780
GetCurrentProcess.KERNEL32(?), ref: 0041778B
TerminateProcess.KERNEL32(?,00000000), ref: 004177A5
GetLastError.KERNEL32 ref: 004177AD

Strings

ZwClose, xrefs: 0041749F
ZwUnmapViewOfSection, xrefs: 0041748B
ZwMapViewOfSection, xrefs: 00417477
ZwCreateSection, xrefs: 00417458
ntdll, xrefs: 0041745D, 0041747C, 00417490, 004174A4

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
API String ID: 4188446516-3035715614
Opcode ID: f38b5be9f691211f4260cf9ecd97ea7f9b789a1cd161b101917179512c27140d
Instruction ID: 9d7e092ec3b05a7a521957261ed1896ff906ab06cfb84d00d3f911d9ff722cfe
Opcode Fuzzy Hash: f38b5be9f691211f4260cf9ecd97ea7f9b789a1cd161b101917179512c27140d
Instruction Fuzzy Hash: C3A16D71508304AFD710DF65CD89B6B7BF8FB48345F00082EF699962A1DB75E884CB6A

Function 0040BF04 Relevance: 44.0, APIs: 6, Strings: 19, Instructions: 260registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00411771: TerminateProcess.KERNEL32(00000000,pth_unenc,0040E748), ref: 00411781
Part of subcall function 00411771: WaitForSingleObject.KERNEL32(000000FF), ref: 00411794

GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,00475308,?,pth_unenc), ref: 0040C013
RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040C026
SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,00475308,?,pth_unenc), ref: 0040C056
SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,00475308,?,pth_unenc), ref: 0040C065

Part of subcall function 0040AFBA: TerminateThread.KERNEL32(004099A9,00000000,00475308,pth_unenc,0040BF26,004752F0,00475308,?,pth_unenc), ref: 0040AFC9
Part of subcall function 0040AFBA: UnhookWindowsHookEx.USER32(00475108), ref: 0040AFD5
Part of subcall function 0040AFBA: TerminateThread.KERNEL32(00409993,00000000,?,pth_unenc), ref: 0040AFE3

Part of subcall function 0041AD43: GetCurrentProcessId.KERNEL32(00000000,74DF3530,00000000,?,?,?,?,00466900,0040C07B,.vbs,?,?,?,?,?,00475308), ref: 0041AD6A

ShellExecuteW.SHELL32(00000000,open,00000000,00466900,00466900,00000000), ref: 0040C280
ExitProcess.KERNEL32 ref: 0040C287

Strings

fso.DeleteFile ", xrefs: 0040C183
open, xrefs: 0040C27A
wend, xrefs: 0040C1D2
exepath, xrefs: 0040BFEF
"), xrefs: 0040C11F
Software\Microsoft\Windows\CurrentVersion\Run\, xrefs: 0040BF55
SG, xrefs: 0040C031
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 0040BFA6
while fso.FileExists(", xrefs: 0040C136
fso.DeleteFolder ", xrefs: 0040C1F8
Temp, xrefs: 0040C0B4
PSG, xrefs: 0040BFCC
pth_unenc, xrefs: 0040BF0A
fso.DeleteFile(Wscript.ScriptFullName), xrefs: 0040C22F
.vbs, xrefs: 0040C06F
SG, xrefs: 0040C1E0
Set fso = CreateObject("Scripting.FileSystemObject"), xrefs: 0040C0F3
dMG, xrefs: 0040BF3F
On Error Resume Next, xrefs: 0040C102

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
String ID: SG$ SG$")$.vbs$On Error Resume Next$PSG$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend$while fso.FileExists("
API String ID: 3797177996-899740633
Opcode ID: 2250d17c97ded7105b885d7cf08d0fc0eb67ba70d0281a32b48a5ba7c3a3d491
Instruction ID: 3970d62be7f9f5e1fdb580af11360c5c0218cddba346a3e39168d22276c4a34b
Opcode Fuzzy Hash: 2250d17c97ded7105b885d7cf08d0fc0eb67ba70d0281a32b48a5ba7c3a3d491
Instruction Fuzzy Hash: 838194316042005BC315FB21D852AAF7799AF91708F10453FF986A72E2EF7C9D49C69E

Function 0041138D Relevance: 43.9, APIs: 17, Strings: 8, Instructions: 189synchronizationsleepfileCOMMON

Download Yara Rule

APIs

CreateMutexA.KERNEL32(00000000,00000001,00000000,00475308,?,00000000), ref: 004113AC
ExitProcess.KERNEL32 ref: 004115F5

Part of subcall function 00412735: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,00475308), ref: 00412751
Part of subcall function 00412735: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 0041276A
Part of subcall function 00412735: RegCloseKey.KERNEL32(00000000), ref: 00412775

Part of subcall function 0041B825: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B83E

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,00000000), ref: 00411433
OpenProcess.KERNEL32(00100000,00000000,,@,?,?,?,?,00000000), ref: 00411442
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 0041144D
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 00411454
GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 0041145A

Part of subcall function 004128AD: RegCreateKeyA.ADVAPI32(80000001,00000000,TeF), ref: 004128BB
Part of subcall function 004128AD: RegSetValueExA.KERNEL32(TeF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004670E0,00000001,000000AF,00466554), ref: 004128D6
Part of subcall function 004128AD: RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004670E0,00000001,000000AF,00466554), ref: 004128E1

PathFileExistsW.SHLWAPI(?,?,?,?,?,00000000), ref: 0041148B
GetTempPathW.KERNEL32(00000104,?,?,?,?,?,?,?,?,00000000), ref: 004114E7
GetTempFileNameW.KERNEL32(?,temp_,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00411501
lstrcatW.KERNEL32(?,.exe,?,?,?,?,?,?,?,00000000), ref: 00411513

Part of subcall function 0041B79A: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0041B7F6
Part of subcall function 0041B79A: WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041B80A
Part of subcall function 0041B79A: CloseHandle.KERNEL32(00000000), ref: 0041B817

ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 0041155B
Sleep.KERNEL32(000001F4,?,?,?,?,00000000), ref: 0041159C
OpenProcess.KERNEL32(00100000,00000000,?,?,?,?,?,00000000), ref: 004115B1
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 004115BC
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 004115C3
GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 004115C9

Part of subcall function 0041B79A: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00466900,00000000,00000000,0040C267,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041B7D9

Strings

open, xrefs: 00411555
temp_, xrefs: 004114F5
0TG, xrefs: 0041139B
,@, xrefs: 00411439
exepath, xrefs: 004113E0
PSG, xrefs: 004113BA
WDH, xrefs: 00411461, 004115D0
.exe, xrefs: 00411507

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: File$CloseCreateProcess$HandleOpen$CurrentObjectPathSingleTempValueWait$ExecuteExistsExitMutexNamePointerQueryShellSleepWritelstrcat
String ID: ,@$.exe$0TG$PSG$WDH$exepath$open$temp_
API String ID: 4250697656-4136069298
Opcode ID: fbc8a5ca202ec517db1ca13f52f7e0ddd80c27ccb2c5e3bbd932d0fce397ad16
Instruction ID: 17001e37a1d7cf9a3413e78a7a022695eb621cd558d1591dce66fb7483b9d66c
Opcode Fuzzy Hash: fbc8a5ca202ec517db1ca13f52f7e0ddd80c27ccb2c5e3bbd932d0fce397ad16
Instruction Fuzzy Hash: 7551B571A00315BBDB00A7A09C46EFE736E9B44715F10416BF906B71E2EF788E858A9D

Function 0041A3B1 Relevance: 40.4, APIs: 12, Strings: 11, Instructions: 180synchronizationCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041A4A8
mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041A4BC
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,00466554), ref: 0041A4E4
PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00474EE0,00000000), ref: 0041A4F5
mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041A536
mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041A54E
mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041A563
SetEvent.KERNEL32 ref: 0041A580
WaitForSingleObject.KERNEL32(000001F4), ref: 0041A591
CloseHandle.KERNEL32 ref: 0041A5A1
mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041A5C3
mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041A5CD

Strings

" type , xrefs: 0041A441
close audio, xrefs: 0041A5C8
play audio, xrefs: 0041A4B7
alias audio, xrefs: 0041A424
stopped, xrefs: 0041A569
status audio mode, xrefs: 0041A55E
open ", xrefs: 0041A43C
pause audio, xrefs: 0041A531
stop audio, xrefs: 0041A5BE
resume audio, xrefs: 0041A549
NG, xrefs: 0041A475, 0041A3F5

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$NG
API String ID: 738084811-2094122233
Opcode ID: 9b07305e96e667a3756fee820ac713a50753d2d09d119473dbbbbaa0a213108b
Instruction ID: 23b594f260307180257043fa1e2d6aa1707bafa700398656917524c484c431be
Opcode Fuzzy Hash: 9b07305e96e667a3756fee820ac713a50753d2d09d119473dbbbbaa0a213108b
Instruction Fuzzy Hash: A251B1716442046AD214BB32EC92EBF3B9DAB90758F10443FF445621E2EE789D48866F

Function 0040BC67 Relevance: 37.0, APIs: 12, Strings: 9, Instructions: 203fileCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0040BC75
CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,004750FC,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040BC8E
CopyFileW.KERNEL32(C:\Users\user\Desktop\preliminary drawing.pif.exe,00000000,00000000,00000000,00000000,00000000,?,004750FC,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 0040BD3E
_wcslen.LIBCMT ref: 0040BD54
CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040BDDC
CopyFileW.KERNEL32(C:\Users\user\Desktop\preliminary drawing.pif.exe,00000000,00000000), ref: 0040BDF2
SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BE31
_wcslen.LIBCMT ref: 0040BE34
SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BE4B
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004750FC,0000000E), ref: 0040BE9B
ShellExecuteW.SHELL32(00000000,open,00000000,00466900,00466900,00000001), ref: 0040BEB9
ExitProcess.KERNEL32 ref: 0040BED0

Strings

SG, xrefs: 0040BDD1
open, xrefs: 0040BEB2
SG, xrefs: 0040BC7A
6, xrefs: 0040BD48
SG, xrefs: 0040BD6C
del, xrefs: 0040BE63
SG, xrefs: 0040BE40
C:\Users\user\Desktop\preliminary drawing.pif.exe, xrefs: 0040BCFF, 0040BD04, 0040BD37, 0040BDEC, 0040BDF1, 0040BDF8, 0040BE59
SG, xrefs: 0040BD85

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
String ID: SG$ SG$ SG$ SG$ SG$6$C:\Users\user\Desktop\preliminary drawing.pif.exe$del$open
API String ID: 1579085052-800598285
Opcode ID: a85956b95bba8b8f25b20a3907958e6b901def64775b8dc4c2bdbbf334444639
Instruction ID: cada26950b0f91ffbe9684419e497f708478a0192fdd3dd39558b78de3226dfb
Opcode Fuzzy Hash: a85956b95bba8b8f25b20a3907958e6b901def64775b8dc4c2bdbbf334444639
Instruction Fuzzy Hash: 0B51C1316046006BD609B722EC52E7F77889F81719F50443FF985A62E2DF7CAD4582EE

Function 00401BE8 Relevance: 35.2, APIs: 16, Strings: 4, Instructions: 156fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401C54
WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401C7E
WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401C8E
WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401C9E
WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401CAE
WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401CBE
WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401CCF
WriteFile.KERNEL32(00000000,00472B02,00000002,00000000,00000000), ref: 00401CE0
WriteFile.KERNEL32(00000000,00472B04,00000004,00000000,00000000), ref: 00401CF0
WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401D00
WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401D11
WriteFile.KERNEL32(00000000,00472B0E,00000002,00000000,00000000), ref: 00401D22
WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401D32
WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401D42

Strings

data, xrefs: 00401D2C
RIFF, xrefs: 00401C78
WAVE, xrefs: 00401C98
fmt , xrefs: 00401CA8

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: File$Write$Create
String ID: RIFF$WAVE$data$fmt
API String ID: 1602526932-4212202414
Opcode ID: d86e0a11b62900f44300c56c570c8f4c6d29e182ebfed168058ac3948617b838
Instruction ID: 459023fa40bd80d73c97eac26e4027242e7445eca248bff5dcea5bec94493f3f
Opcode Fuzzy Hash: d86e0a11b62900f44300c56c570c8f4c6d29e182ebfed168058ac3948617b838
Instruction Fuzzy Hash: 85411C726443187AE210DE51DD86FBB7FACEB85B54F40081AF644E6080D7A5E909DBB3

Function 004064E0 Relevance: 35.1, APIs: 12, Strings: 8, Instructions: 62libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Users\user\Desktop\preliminary drawing.pif.exe,00000001,004068B2,C:\Users\user\Desktop\preliminary drawing.pif.exe,00000003,004068DA,004752F0,00406933), ref: 004064F4
GetProcAddress.KERNEL32(00000000), ref: 004064FD
GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 0040650E
GetProcAddress.KERNEL32(00000000), ref: 00406511
GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 00406522
GetProcAddress.KERNEL32(00000000), ref: 00406525
GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 00406536
GetProcAddress.KERNEL32(00000000), ref: 00406539
GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 0040654A
GetProcAddress.KERNEL32(00000000), ref: 0040654D
GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 0040655E
GetProcAddress.KERNEL32(00000000), ref: 00406561

Strings

LdrEnumerateLoadedModules, xrefs: 00406558
RtlAcquirePebLock, xrefs: 00406530
NtAllocateVirtualMemory, xrefs: 00406508
RtlInitUnicodeString, xrefs: 004064EE
ntdll.dll, xrefs: 004064E8, 004064F3, 0040650D, 00406521, 00406535, 00406549, 0040655D
NtFreeVirtualMemory, xrefs: 0040651C
RtlReleasePebLock, xrefs: 00406544
C:\Users\user\Desktop\preliminary drawing.pif.exe, xrefs: 004064E1

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: C:\Users\user\Desktop\preliminary drawing.pif.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
API String ID: 1646373207-3288624609
Opcode ID: ef23c6471a2b46cbb5b12a679159521cca5d22753a6c35f36816646c352fbe50
Instruction ID: d8392adca69ca7380431791802c09c3f057f20abbaf47be00649cb9a46baa942
Opcode Fuzzy Hash: ef23c6471a2b46cbb5b12a679159521cca5d22753a6c35f36816646c352fbe50
Instruction Fuzzy Hash: D20171A4E40B1635CB206F7B7C94D17AEAC9E503503160837A406F32A1EEBCD400CD7D

Function 0041B3C6 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 139stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?), ref: 0041B3E1
_memcmp.LIBVCRUNTIME ref: 0041B3F9
lstrlenW.KERNEL32(?), ref: 0041B412
FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041B44D
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041B460
QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041B4A4
lstrcmpW.KERNEL32(?,?), ref: 0041B4BF
FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041B4D7
_wcslen.LIBCMT ref: 0041B4E6
FindVolumeClose.KERNEL32(?), ref: 0041B506
GetLastError.KERNEL32 ref: 0041B51E
GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041B54B
lstrcatW.KERNEL32(?,?), ref: 0041B564
lstrcpyW.KERNEL32(?,?), ref: 0041B573
GetLastError.KERNEL32 ref: 0041B57B

Strings

?, xrefs: 0041B478

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
String ID: ?
API String ID: 3941738427-1684325040
Opcode ID: 6982c59c6a0451699a968109d70466e4b80b21570212c23bcaa89958a35395b5
Instruction ID: f0577cbf519c1fbc76aa3138d797bbd7c283cc622b072e5c2a83b2d98bec9820
Opcode Fuzzy Hash: 6982c59c6a0451699a968109d70466e4b80b21570212c23bcaa89958a35395b5
Instruction Fuzzy Hash: 8441A071504705ABC720DF61E8489EBB7E8EB48705F00482FF541D2262EF78D989CBDA

Function 0044E41E Relevance: 25.9, APIs: 17, Instructions: 419COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0044E4B0
_free.LIBCMT ref: 0044E4D6
_free.LIBCMT ref: 0044E4FF
_free.LIBCMT ref: 0044E537
_free.LIBCMT ref: 0044E568
_free.LIBCMT ref: 0044E5A9
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0044E62A
_free.LIBCMT ref: 0044E643
_wcschr.LIBVCRUNTIME ref: 0044E680
_free.LIBCMT ref: 0044E6EC
_free.LIBCMT ref: 0044E712
_free.LIBCMT ref: 0044E73B
_free.LIBCMT ref: 0044E770
_free.LIBCMT ref: 0044E7A1
_free.LIBCMT ref: 0044E7E2
SetEnvironmentVariableW.KERNEL32(00000000,?,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044E867
_free.LIBCMT ref: 0044E880

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: _free$EnvironmentVariable$_wcschr
String ID:
API String ID: 3899193279-0
Opcode ID: 1ef1f1efc3329644a7b65e68090bb2690b7ac0eefe1bb445a4772c0482a5960f
Instruction ID: a8aac0df7486383d9a181904d39d16e24afc3d72eb934652fe50c6e09291e228
Opcode Fuzzy Hash: 1ef1f1efc3329644a7b65e68090bb2690b7ac0eefe1bb445a4772c0482a5960f
Instruction Fuzzy Hash: 5DD12771D00310AFFB21AF77888166E7BA4BF01368F45416FF945A7381EA399E418B9D

Function 00411D59 Relevance: 25.0, APIs: 9, Strings: 5, Instructions: 479sleepfileCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00411D72

Part of subcall function 0041AD43: GetCurrentProcessId.KERNEL32(00000000,74DF3530,00000000,?,?,?,?,00466900,0040C07B,.vbs,?,?,?,?,?,00475308), ref: 0041AD6A

Part of subcall function 0041789C: CloseHandle.KERNEL32(00403AB9,?,?,00403AB9,00466324), ref: 004178B2
Part of subcall function 0041789C: CloseHandle.KERNEL32($cF,?,?,00403AB9,00466324), ref: 004178BB

Sleep.KERNEL32(0000000A,00466324), ref: 00411EC4
Sleep.KERNEL32(0000000A,00466324,00466324), ref: 00411F66
Sleep.KERNEL32(0000000A,00466324,00466324,00466324), ref: 00412008
DeleteFileW.KERNEL32(00000000,00466324,00466324,00466324), ref: 00412069
DeleteFileW.KERNEL32(00000000,00466324,00466324,00466324), ref: 004120A0
DeleteFileW.KERNEL32(00000000,00466324,00466324,00466324), ref: 004120DC
Sleep.KERNEL32(000001F4,00466324,00466324,00466324), ref: 004120F6
Sleep.KERNEL32(00000064), ref: 00412138

Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD

Strings

/stext ", xrefs: 00411E4F, 00411EF1, 00411F93
HTG, xrefs: 004122CA
HTG, xrefs: 004123EE
NG, xrefs: 00412356
NG, xrefs: 0041220A

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
String ID: /stext "$HTG$HTG$NG$NG
API String ID: 1223786279-556891652
Opcode ID: 6fede7390979bedc89db744d15321cb4538490df3490e4e5832589b35743d367
Instruction ID: b666a026b41db1aee680f36e7b950d376c2ae40a85d54f66cdb5da2431d4b1f1
Opcode Fuzzy Hash: 6fede7390979bedc89db744d15321cb4538490df3490e4e5832589b35743d367
Instruction Fuzzy Hash: F00224315083414AD324FB61D891BEFB7D5AFD4308F50493EF88A931E2EF785A49C69A

Function 00413F0F Relevance: 24.6, APIs: 9, Strings: 5, Instructions: 109libraryloaderCOMMON

Download Yara Rule

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00413F5E
LoadLibraryA.KERNEL32(?), ref: 00413FA0
GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413FC0
FreeLibrary.KERNEL32(00000000), ref: 00413FC7
LoadLibraryA.KERNEL32(?), ref: 00413FFF
GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414011
FreeLibrary.KERNEL32(00000000), ref: 00414018
GetProcAddress.KERNEL32(00000000,?), ref: 00414027
FreeLibrary.KERNEL32(00000000), ref: 0041403E

Strings

freeaddrinfo, xrefs: 00413F3B
getnameinfo, xrefs: 00413F2B
getaddrinfo, xrefs: 00413F1C, 00413FBA, 0041400B
\ws2_32, xrefs: 00413F88
\wship6, xrefs: 00413FE7

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: Library$AddressFreeProc$Load$DirectorySystem
String ID: \ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
API String ID: 2490988753-744132762
Opcode ID: a1ebb0e7ad90273c6050595515f5be941597b1bff8e5ee6fc120c50391cee153
Instruction ID: be6955175b5ce73d91635d8a52bfbd354ab09fdd92d7e760b1966c561f7cb5d0
Opcode Fuzzy Hash: a1ebb0e7ad90273c6050595515f5be941597b1bff8e5ee6fc120c50391cee153
Instruction Fuzzy Hash: B33117B280131567D320EF55DC84EDB7BDCAF89745F01092AFA88A3201D73CD98587AE

Function 0040A3F4 Relevance: 22.9, APIs: 6, Strings: 7, Instructions: 158sleepCOMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0040A456
Sleep.KERNEL32(000001F4), ref: 0040A461
GetForegroundWindow.USER32 ref: 0040A467
GetWindowTextLengthW.USER32(00000000), ref: 0040A470
GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0040A4A4
Sleep.KERNEL32(000003E8), ref: 0040A574

Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,00000000,0040A91C,00000000), ref: 00409D84

Strings

{ User has been idle for , xrefs: 0040A5AB
minutes }, xrefs: 0040A59F
[, xrefs: 0040A50E
], xrefs: 0040A508
<mG, xrefs: 0040A43B
<mG, xrefs: 0040A4C0
<mG, xrefs: 0040A4AA

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: Window$SleepText$EventForegroundInit_thread_footerLength
String ID: [${ User has been idle for $ minutes }$<mG$<mG$<mG$]
API String ID: 911427763-3636820255
Opcode ID: 6599e25ee26e04fa7d272e16c8438f04086bf880c5d3df9effd670f1da3a021b
Instruction ID: ab9145b4e211f5f3da3af6290e6e7a2c9d96cae7f6b46a2c86e206227f6ebbf0
Opcode Fuzzy Hash: 6599e25ee26e04fa7d272e16c8438f04086bf880c5d3df9effd670f1da3a021b
Instruction Fuzzy Hash: 1951D0716043409BC324FB25D886AAE7795AF84718F00093FF446A32E2DF7C9E55868F

Function 0041CCA9 Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 73windowCOMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,00000401,?,?), ref: 0041CCF4
GetCursorPos.USER32(?), ref: 0041CD03
SetForegroundWindow.USER32(?), ref: 0041CD0C
TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041CD26
Shell_NotifyIconA.SHELL32(00000002,00474B50), ref: 0041CD77
ExitProcess.KERNEL32 ref: 0041CD7F
CreatePopupMenu.USER32 ref: 0041CD85
AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041CD9A

Strings

Close, xrefs: 0041CD8B

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
String ID: Close
API String ID: 1657328048-3535843008
Opcode ID: bed582d39fc96e8479943e4d89b527f8ff9ef20370aed2009df63d45acb158b0
Instruction ID: 460fc807693895ecf387abb2373bcbc61375cccb84b7011694e880842115b21a
Opcode Fuzzy Hash: bed582d39fc96e8479943e4d89b527f8ff9ef20370aed2009df63d45acb158b0
Instruction Fuzzy Hash: F321F831140205EFDB054FA4FD4DBAA3F65EB04702F004539FA0AA41B1DBB6ED91EB59

Function 0044514D Relevance: 22.8, APIs: 15, Instructions: 296COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 004451BD
_free.LIBCMT ref: 004451D3
_free.LIBCMT ref: 004451E4
_free.LIBCMT ref: 004451F5
_free.LIBCMT ref: 0044520C
GetCPInfo.KERNEL32(?,?), ref: 00445254

Part of subcall function 00451E2B: _free.LIBCMT ref: 00451E96

_free.LIBCMT ref: 00445400
_free.LIBCMT ref: 00445413
_free.LIBCMT ref: 00445421
_free.LIBCMT ref: 0044542C
_free.LIBCMT ref: 0044546E
_free.LIBCMT ref: 00445476
_free.LIBCMT ref: 0044547E
_free.LIBCMT ref: 00445486
_free.LIBCMT ref: 00445494

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: d1d8ca3bfaab8ff34c38809097ff282998849f31a70215ee9c59cc9cd170099d
Instruction ID: de18a1b700a064f56ed707831433d851a0809218b1b1d193042f08ca5b0df7c8
Opcode Fuzzy Hash: d1d8ca3bfaab8ff34c38809097ff282998849f31a70215ee9c59cc9cd170099d
Instruction Fuzzy Hash: 59B190719006059FEF11DF69C881BEEBBF4FF09304F14406EF895AB252DA799C459B24

Function 00407DEF Relevance: 21.3, APIs: 8, Strings: 4, Instructions: 325fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00407F4C
GetFileSizeEx.KERNEL32(00000000,00000000), ref: 00407FC2
__aulldiv.LIBCMT ref: 00407FE9
SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 0040810D
ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408128
CloseHandle.KERNEL32(00000000), ref: 00408200
CloseHandle.KERNEL32(00000000,00000052,00000000,?), ref: 0040821A
CloseHandle.KERNEL32(00000000), ref: 00408256

Strings

Uploading file to Controller: , xrefs: 00408077
SetFilePointerEx error, xrefs: 00408266
NG, xrefs: 00407E87
ReadFile error, xrefs: 0040822E

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreatePointerReadSize__aulldiv
String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $NG
API String ID: 1884690901-2582957567
Opcode ID: d855988946ca77edb3d1c15a4a77d80cb05c4bd8572238c93c46ceff4b613837
Instruction ID: fe8c5194ffe86d3827a7b181bfbb3d0fd3c62202293e6b84b2d5449ede98e066
Opcode Fuzzy Hash: d855988946ca77edb3d1c15a4a77d80cb05c4bd8572238c93c46ceff4b613837
Instruction Fuzzy Hash: 73B182716083409BC614FB25C892BAFB7E5AFD4314F40492EF889632D2EF789945C79B

Function 0045027D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 004502C1

Part of subcall function 0044F4F3: _free.LIBCMT ref: 0044F510
Part of subcall function 0044F4F3: _free.LIBCMT ref: 0044F522
Part of subcall function 0044F4F3: _free.LIBCMT ref: 0044F534
Part of subcall function 0044F4F3: _free.LIBCMT ref: 0044F546
Part of subcall function 0044F4F3: _free.LIBCMT ref: 0044F558
Part of subcall function 0044F4F3: _free.LIBCMT ref: 0044F56A
Part of subcall function 0044F4F3: _free.LIBCMT ref: 0044F57C
Part of subcall function 0044F4F3: _free.LIBCMT ref: 0044F58E
Part of subcall function 0044F4F3: _free.LIBCMT ref: 0044F5A0
Part of subcall function 0044F4F3: _free.LIBCMT ref: 0044F5B2
Part of subcall function 0044F4F3: _free.LIBCMT ref: 0044F5C4
Part of subcall function 0044F4F3: _free.LIBCMT ref: 0044F5D6
Part of subcall function 0044F4F3: _free.LIBCMT ref: 0044F5E8

_free.LIBCMT ref: 004502B6

Part of subcall function 00446CD5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FC60,00000000,00000000,00000000,00000000,?,0044FF04,00000000,00000007,00000000,?,00450415,00000000), ref: 00446CEB
Part of subcall function 00446CD5: GetLastError.KERNEL32(00000000,?,0044FC60,00000000,00000000,00000000,00000000,?,0044FF04,00000000,00000007,00000000,?,00450415,00000000,00000000), ref: 00446CFD

_free.LIBCMT ref: 004502D8
_free.LIBCMT ref: 004502ED
_free.LIBCMT ref: 004502F8
_free.LIBCMT ref: 0045031A
_free.LIBCMT ref: 0045032D
_free.LIBCMT ref: 0045033B
_free.LIBCMT ref: 00450346
_free.LIBCMT ref: 0045037E
_free.LIBCMT ref: 00450385
_free.LIBCMT ref: 004503A2
_free.LIBCMT ref: 004503BA

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 0aefceb04b648aea5efd53e91dec8318d050154b6956abd82aee10787160205d
Instruction ID: 8d5a52dc196ca223d521196e0170462af54da78aea2ffa7a7b46d1c1532e12ca
Opcode Fuzzy Hash: 0aefceb04b648aea5efd53e91dec8318d050154b6956abd82aee10787160205d
Instruction Fuzzy Hash: 57316F355003009FEB20AA79D84AB5B73E9EF01365F51445FF88AD7652DF38AC48D719

Function 0041BA93 Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 182registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExA.ADVAPI32 ref: 0041BA95
RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 0041BAC6
RegCloseKey.ADVAPI32(?), ref: 0041BD5F

Strings

DisplayVersion, xrefs: 0041BB08
InstallLocation, xrefs: 0041BB1C
InstallDate, xrefs: 0041BB30
UninstallString, xrefs: 0041BB44
DisplayName, xrefs: 0041BADC
Publisher, xrefs: 0041BAF1

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen
String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$UninstallString
API String ID: 1332880857-3730529168
Opcode ID: f8792196a4a6038e23f0b3b092560972f4f2ac71007ac42b09c8881e95054baf
Instruction ID: 0bdba4d5443de57538e8dea8c505e9c6563ea9aa0cda83444964b9bd965e15eb
Opcode Fuzzy Hash: f8792196a4a6038e23f0b3b092560972f4f2ac71007ac42b09c8881e95054baf
Instruction Fuzzy Hash: 76612E311082409FD324FB21D991AEFB7E5BFD4314F10493FB586921E1EF34AA59CA9A

Function 0040C66D Relevance: 19.4, APIs: 3, Strings: 8, Instructions: 147COMMON

Download Yara Rule

APIs

Part of subcall function 00411771: TerminateProcess.KERNEL32(00000000,pth_unenc,0040E748), ref: 00411781
Part of subcall function 00411771: WaitForSingleObject.KERNEL32(000000FF), ref: 00411794

Part of subcall function 00412735: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,00475308), ref: 00412751
Part of subcall function 00412735: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 0041276A
Part of subcall function 00412735: RegCloseKey.KERNEL32(00000000), ref: 00412775

GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040C6C7
ShellExecuteW.SHELL32(00000000,open,00000000,00466900,00466900,00000000), ref: 0040C826
ExitProcess.KERNEL32 ref: 0040C832

Strings

Temp, xrefs: 0040C708
open, xrefs: 0040C820
.vbs, xrefs: 0040C6CD
""", 0, xrefs: 0040C74F
exepath, xrefs: 0040C69F
CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName), xrefs: 0040C7D5
PSG, xrefs: 0040C67D
CreateObject("WScript.Shell").Run "cmd /c "", xrefs: 0040C767

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
String ID: """, 0$.vbs$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$PSG$Temp$exepath$open
API String ID: 1913171305-1605470806
Opcode ID: caf45e9fa25058340df5cebfd1a993c93ab1390295965bbed2115dc8fd7f1f01
Instruction ID: 0a59ab1ac2652dc6c4b0de1f1bfb113b457f9f33def171b9a9917dadcc9857af
Opcode Fuzzy Hash: caf45e9fa25058340df5cebfd1a993c93ab1390295965bbed2115dc8fd7f1f01
Instruction Fuzzy Hash: 2E416D329101185ACB14F761DC56DFE7779AF50708F10417FF806B31E2EE786A8ACA98

Function 0044F5F1 Relevance: 18.4, APIs: 12, Instructions: 376COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0044F639
_free.LIBCMT ref: 0044F65D
_free.LIBCMT ref: 0044F66A
_free.LIBCMT ref: 0044F68F
_free.LIBCMT ref: 0044F69C
_free.LIBCMT ref: 0044F6A5
_free.LIBCMT ref: 0044F983
_free.LIBCMT ref: 0044F98B

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: b030283a6c0ce51ba92dd09d555ed862ebb201d4cb761b5ee972a13664eb7e13
Instruction ID: 986e8a668492dbee8f9f46891c6c86f5dcf9ebf43b9fca0c5b911ed3811bef24
Opcode Fuzzy Hash: b030283a6c0ce51ba92dd09d555ed862ebb201d4cb761b5ee972a13664eb7e13
Instruction Fuzzy Hash: 1FC15371D40204BBEB20EAA8CC82FEE77B89B08704F15416AFE45FB282D6749D459768

Function 004047EB Relevance: 18.1, APIs: 12, Instructions: 66synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 004047FD
SetEvent.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404808
CloseHandle.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404811
closesocket.WS2_32(000000FF), ref: 0040481F
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404856
SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00404867
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040486E
SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404880
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404885
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040488A
SetEvent.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404895
CloseHandle.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 0040489A

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: CloseEventHandle$ObjectSingleWait$closesocket
String ID:
API String ID: 3658366068-0
Opcode ID: 0962e5985aceae85a5c94cde7029e24ad356a8ace8c6bfbca5ef33fdb60659b2
Instruction ID: bab6184e8302d1d457a53eef1949a11c31841f7ba2aeead181e9cd14b25d2afd
Opcode Fuzzy Hash: 0962e5985aceae85a5c94cde7029e24ad356a8ace8c6bfbca5ef33fdb60659b2
Instruction Fuzzy Hash: 21212C71100F149FC6216B26DC05A17BBE1EF40325F104A6EE2A622AF2CF35F851DB4C

Function 00454B92 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00454860: CreateFileW.KERNEL32(00000000,?,?,;LE,?,?,00000000,?,00454C3B,00000000,0000000C), ref: 0045487D

GetLastError.KERNEL32 ref: 00454CA6
__dosmaperr.LIBCMT ref: 00454CAD
GetFileType.KERNEL32(00000000), ref: 00454CB9
GetLastError.KERNEL32 ref: 00454CC3
__dosmaperr.LIBCMT ref: 00454CCC
CloseHandle.KERNEL32(00000000), ref: 00454CEC
CloseHandle.KERNEL32(?), ref: 00454E36
GetLastError.KERNEL32 ref: 00454E68
__dosmaperr.LIBCMT ref: 00454E6F

Strings

H, xrefs: 00454DF4

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 613e5f0681d86df1cf833b8ccc3a41a67bb27939c59475f34fec34ad35ad9574
Instruction ID: a1ee14646c220e05fb339a94c39d658440f80e8cb8884f5184f0ba1168eb6fd8
Opcode Fuzzy Hash: 613e5f0681d86df1cf833b8ccc3a41a67bb27939c59475f34fec34ad35ad9574
Instruction Fuzzy Hash: EBA126319045489FDF19DF68D8427AE7BB1EB46329F14015EEC01AF392CB398896CB5A

Function 0041931E Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 174sleeptimeCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00419323
GdiplusStartup.GDIPLUS(00474AF4,?,00000000), ref: 00419355
CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 004193E1
Sleep.KERNEL32(000003E8), ref: 00419463
GetLocalTime.KERNEL32(?), ref: 00419472
Sleep.KERNEL32(00000000,00000018,00000000), ref: 0041955B

Strings

VG, xrefs: 004194B7
time_%04i%02i%02i_%02i%02i%02i, xrefs: 00419409
wnd_%04i%02i%02i_%02i%02i%02i, xrefs: 00419404, 0041941F, 00419496
VG, xrefs: 004193BC

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i$VG$VG
API String ID: 489098229-455837001
Opcode ID: 7dac4d79220d4628e18e00c911b99afa2e5faaa15a73bcf09d06719e2b4fcc5c
Instruction ID: fd6a6a94d4e700b4a78141c9ee43bb9ee9cebd21b8d39b126fa21a823fd8be24
Opcode Fuzzy Hash: 7dac4d79220d4628e18e00c911b99afa2e5faaa15a73bcf09d06719e2b4fcc5c
Instruction Fuzzy Hash: 9F517B71A002449ACB14BBB5C866AFE7BA9AB55308F40403FF845B71D2EF3C5E85C799

Function 00413D3F Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 155COMMON

Download Yara Rule

Strings

udp, xrefs: 00413DEF, 00413DF7, 00413DFB
65535, xrefs: 00413D42

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID:
String ID: 65535$udp
API String ID: 0-1267037602
Opcode ID: ca54308d78d3c4eee7f7b8de95e44a5f1974b5ba6ce0b2e83d9cd08af329ba0f
Instruction ID: c3bfc2202edcb816331f8b78e042012e01f064b481147a6b300cfea58c86e196
Opcode Fuzzy Hash: ca54308d78d3c4eee7f7b8de95e44a5f1974b5ba6ce0b2e83d9cd08af329ba0f
Instruction Fuzzy Hash: E241F4716093029BD7209F28D905BBB3BA4EB84742F04042FF98593391EB6DDEC1866E

Function 00439571 Relevance: 16.6, APIs: 11, Instructions: 116COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004395C9
GetLastError.KERNEL32(?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004395D6
__dosmaperr.LIBCMT ref: 004395DD
MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439609
GetLastError.KERNEL32(?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439613
__dosmaperr.LIBCMT ref: 0043961A
WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401AD8,?), ref: 0043965D
GetLastError.KERNEL32(?,?,?,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439667
__dosmaperr.LIBCMT ref: 0043966E
_free.LIBCMT ref: 0043967A
_free.LIBCMT ref: 00439681

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
String ID:
API String ID: 2441525078-0
Opcode ID: 3cc6c3feccea9b19db8524165a9463a6778d4ff1195c55235e694e19f1087387
Instruction ID: 4e2bc3e06b1619faa1414a7a2c806c5d1514cda6e297fdc8b1054bbcfea92265
Opcode Fuzzy Hash: 3cc6c3feccea9b19db8524165a9463a6778d4ff1195c55235e694e19f1087387
Instruction Fuzzy Hash: D431E27280560ABFDF11AFA5DC459AF3B68EF09324F10015EF81066251DB39CD50DBAA

Function 00404E52 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 155windowmemoryCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 00404E71
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00404F21
TranslateMessage.USER32(?), ref: 00404F30
DispatchMessageA.USER32(?), ref: 00404F3B
HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00474F78), ref: 00404FF3
HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 0040502B

Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD

Strings

GetMessage, xrefs: 00404FAA
CloseChat, xrefs: 00404FBB
DisplayMessage, xrefs: 00404F9E

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
String ID: CloseChat$DisplayMessage$GetMessage
API String ID: 2956720200-749203953
Opcode ID: 053e10a55c4551df3908e5fe8e612e6c9651672ab63fab796246c9c06bb003c2
Instruction ID: 290a0909c372499a911e5ffd519e5407deecd3e64339803c74491ead196e324c
Opcode Fuzzy Hash: 053e10a55c4551df3908e5fe8e612e6c9651672ab63fab796246c9c06bb003c2
Instruction Fuzzy Hash: A441B1726043016BC614FB75DC568AF7BA8ABC1714F00093EF906A31E6EF38DA05C79A

Function 0041700D Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 107filesynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,00466554), ref: 0041710A
CloseHandle.KERNEL32(00000000), ref: 00417113
DeleteFileA.KERNEL32(00000000), ref: 00417122
ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 004170D6

Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD

Strings

@, xrefs: 004170B8
HVG, xrefs: 004170E3
HVG, xrefs: 0041714F
<, xrefs: 004170B1
Temp, xrefs: 0041702E

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: CloseDeleteExecuteFileHandleObjectShellSingleWaitsend
String ID: <$@$HVG$HVG$Temp
API String ID: 1107811701-2568817187
Opcode ID: 5aa0ece0df8138549e61a03eb97216aa5ce4d8b26df3c9d9235948b48d4cb784
Instruction ID: 91e4b2e714ed18abe86730f534b33d619c8c8851ecafca63038a632c75497fc1
Opcode Fuzzy Hash: 5aa0ece0df8138549e61a03eb97216aa5ce4d8b26df3c9d9235948b48d4cb784
Instruction Fuzzy Hash: 00319C31A00209ABCB04FBA1DC56AEE7775AF50308F40417EF506761E2EF785A89CB99

Function 00419E7B Relevance: 15.1, APIs: 10, Instructions: 66serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,?,?,?,?,?,?,004197EE,00000000,00000000), ref: 00419E8A
OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,004197EE,00000000,00000000), ref: 00419EA1
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004197EE,00000000,00000000), ref: 00419EAE
ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,004197EE,00000000,00000000), ref: 00419EBD
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004197EE,00000000,00000000), ref: 00419ECE
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004197EE,00000000,00000000), ref: 00419ED1

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID:
API String ID: 221034970-0
Opcode ID: 66830c546c332cdbbd3d6ace020b7a317dcb6b13d5bfc944a077639b8ae85b99
Instruction ID: 401ec45fa9dd23e1a78cca63bf6ad54db5d4c9b9326c405a7ffc92fc58cb3c60
Opcode Fuzzy Hash: 66830c546c332cdbbd3d6ace020b7a317dcb6b13d5bfc944a077639b8ae85b99
Instruction Fuzzy Hash: 4211A331941218BBD711AB64DC85DFF3B6CDB45BA1B05002AF902A21D2DF64CD4A9AB5

Function 00446FDB Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00446FEF

Part of subcall function 00446CD5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FC60,00000000,00000000,00000000,00000000,?,0044FF04,00000000,00000007,00000000,?,00450415,00000000), ref: 00446CEB
Part of subcall function 00446CD5: GetLastError.KERNEL32(00000000,?,0044FC60,00000000,00000000,00000000,00000000,?,0044FF04,00000000,00000007,00000000,?,00450415,00000000,00000000), ref: 00446CFD

_free.LIBCMT ref: 00446FFB
_free.LIBCMT ref: 00447006
_free.LIBCMT ref: 00447011
_free.LIBCMT ref: 0044701C
_free.LIBCMT ref: 00447027
_free.LIBCMT ref: 00447032
_free.LIBCMT ref: 0044703D
_free.LIBCMT ref: 00447048
_free.LIBCMT ref: 00447056

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 6cab9f7d569f345c7814ae43f5c160195df6b64f63ea78a6b18b8aa73aee7787
Instruction ID: 9fec27c2adf71536e74eabd4120179072dbaa777ef3671cded9c13d0800a1e4b
Opcode Fuzzy Hash: 6cab9f7d569f345c7814ae43f5c160195df6b64f63ea78a6b18b8aa73aee7787
Instruction Fuzzy Hash: 86119B7550011CBFDB05EF55C882CDD3BB5EF05364B9240AAF9494F222DA35DE50EB49

Function 004103EC Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 192COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 0041040B
inet_ntoa.WS2_32(?), ref: 004104A6

Strings

NG, xrefs: 00410431
StartForward, xrefs: 0041056A
StopReverse, xrefs: 00410598
GetDirectListeningPort, xrefs: 004105A9
StartReverse, xrefs: 00410576
StopForward, xrefs: 00410587

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: Eventinet_ntoa
String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$NG
API String ID: 3578746661-3604713145
Opcode ID: 563588cd95dc7da388005e2f93dde1ad500d910a52a57b2d4eeb204fb7c0c559
Instruction ID: 73c74054356758d85ec5353b0407031f458931cc5dd6312d5a4dd957febfbb04
Opcode Fuzzy Hash: 563588cd95dc7da388005e2f93dde1ad500d910a52a57b2d4eeb204fb7c0c559
Instruction Fuzzy Hash: 5851A4316043005BCA14FB75D95AAAE36A59B84318F00453FF809972E1DFBC9D85C78E

Function 00409E48 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 163sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00001388), ref: 00409E62

Part of subcall function 00409D97: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409E6F), ref: 00409DCD
Part of subcall function 00409D97: GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409E6F), ref: 00409DDC
Part of subcall function 00409D97: Sleep.KERNEL32(00002710,?,?,?,00409E6F), ref: 00409E09
Part of subcall function 00409D97: CloseHandle.KERNEL32(00000000,?,?,?,00409E6F), ref: 00409E10

CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00409E9E
GetFileAttributesW.KERNEL32(00000000), ref: 00409EAF
SetFileAttributesW.KERNEL32(00000000,00000080), ref: 00409EC6
PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 00409F40

Part of subcall function 0041B825: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B83E

SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00466900,?,00000000,00000000,00000000,00000000,00000000), ref: 0040A049

Strings

PSG, xrefs: 00409F24
PSG, xrefs: 00409F19

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
String ID: PSG$PSG
API String ID: 3795512280-3836871860
Opcode ID: b59c58dbae27002fdbd6dcd6cb0641502cd8426c278fecd02e8c4d3235419ca3
Instruction ID: 2e46ee78bd67d64478951c63fc585b7447d0c94e1b250d5b4a4871e09aa14890
Opcode Fuzzy Hash: b59c58dbae27002fdbd6dcd6cb0641502cd8426c278fecd02e8c4d3235419ca3
Instruction Fuzzy Hash: 68517F716043005ACB05BB71C866ABF779AAF81309F00453FF886B71E2DE7D9D45C69A

Function 00455349 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 154COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,00455FBF), ref: 0045536C

Strings

exp, xrefs: 00455431, 00455493
log, xrefs: 00455412, 0045541E
pow, xrefs: 00455450, 004554FC, 0045550F
acos, xrefs: 004554E4
log10, xrefs: 004553B6, 00455406
sqrt, xrefs: 004554F0
asin, xrefs: 004554D8

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: DecodePointer
String ID: acos$asin$exp$log$log10$pow$sqrt
API String ID: 3527080286-3064271455
Opcode ID: 7dde1d8a3dfb52f7b355bf6d4a2ca2e0c62041c9b1c9e9ef390e0fc0b1e4339f
Instruction ID: 83316d2fa1d48b2f4155984bd6892a75fd3c5afb36d5e99e95f82d48d48c5a2a
Opcode Fuzzy Hash: 7dde1d8a3dfb52f7b355bf6d4a2ca2e0c62041c9b1c9e9ef390e0fc0b1e4339f
Instruction Fuzzy Hash: 93516C70900A09DBCF10DF58D5581BDBBB0FB0A306F204197DC81A7326DB798A6C8B1E

Function 004167E2 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 103sleepfileCOMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 00416842

Part of subcall function 0041B825: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B83E

Sleep.KERNEL32(00000064), ref: 0041686E
DeleteFileW.KERNEL32(00000000), ref: 004168A2

Strings

\sysinfo.txt, xrefs: 004167ED
open, xrefs: 0041683C
dxdiag, xrefs: 00416837
temp, xrefs: 004167F2
/t , xrefs: 00416821

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: File$CreateDeleteExecuteShellSleep
String ID: /t $\sysinfo.txt$dxdiag$open$temp
API String ID: 1462127192-2001430897
Opcode ID: e270d92704cf307a94344dcfa92ebe76c5d6642343bce59e732a9c2cefeceab2
Instruction ID: c4be9e9118a59201799f54b99a9a171b680bb642a7e99c3b30ff6139130205e5
Opcode Fuzzy Hash: e270d92704cf307a94344dcfa92ebe76c5d6642343bce59e732a9c2cefeceab2
Instruction Fuzzy Hash: 1B313E719001189ADB04FBA1DC96EEE7764AF50708F00417FF946730D2EF786A8ACA9D

Function 00406616 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 98COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00475A50,00000000,004752F0,00003000,00000004,00000000,00000001), ref: 00406647
GetCurrentProcess.KERNEL32(00475A50,00000000,00008000,?,00000000,00000001,00000000,004068BB,C:\Users\user\Desktop\preliminary drawing.pif.exe), ref: 00406705

Strings

[+] NtAllocateVirtualMemory Success, xrefs: 0040667A
windir, xrefs: 00406654
PEB: %x, xrefs: 00406716
\explorer.exe, xrefs: 0040666A
explorer.exe, xrefs: 004066BD, 004066E2
[-] NtAllocateVirtualMemory Error, xrefs: 004066AA

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: CurrentProcess
String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir
API String ID: 2050909247-4242073005
Opcode ID: 3d4dde61fac8f932cecf13147f1715ad91c8a5d9075df555c2e0fc840e87cdfb
Instruction ID: 2a8ac338152687dbadce55b3d6de3572d7837fd421bef744f3a625c24d449dc1
Opcode Fuzzy Hash: 3d4dde61fac8f932cecf13147f1715ad91c8a5d9075df555c2e0fc840e87cdfb
Instruction Fuzzy Hash: B231B671600700AFD300AF65DC8AF5677A8FB44709F11053EF50ABB6E1EBB9A8548B6D

Function 00401A8E Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 89COMMON

Download Yara Rule

APIs

_strftime.LIBCMT ref: 00401AD3

Part of subcall function 00401BE8: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401C54

waveInUnprepareHeader.WINMM(00472AC0,00000020,00000000,?), ref: 00401B85
waveInPrepareHeader.WINMM(00472AC0,00000020), ref: 00401BC3
waveInAddBuffer.WINMM(00472AC0,00000020), ref: 00401BD2

Strings

dMG, xrefs: 00401B04
.wav, xrefs: 00401AEC
%Y-%m-%d %H.%M, xrefs: 00401AC4
|MG, xrefs: 00401B8B

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
String ID: %Y-%m-%d %H.%M$.wav$dMG$|MG
API String ID: 3809562944-243156785
Opcode ID: 1253069484da8d7cfcabc0dfc598fe49a0b01d7fb4eb253305c20f53f56eb517
Instruction ID: b0e15ff03f11dcb3e5bfd7c1448581b7ace3962aa9bffbd159c0990beee9d81b
Opcode Fuzzy Hash: 1253069484da8d7cfcabc0dfc598fe49a0b01d7fb4eb253305c20f53f56eb517
Instruction Fuzzy Hash: 7E315E315043019FC324EB21DC56A9E77A4FB94314F00493EF559A21F1EFB8AA89CB9A

Function 0041CB7A Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 47windowstringCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041CB93

Part of subcall function 0041CC2A: RegisterClassExA.USER32(00000030), ref: 0041CC77
Part of subcall function 0041CC2A: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041CC92
Part of subcall function 0041CC2A: GetLastError.KERNEL32 ref: 0041CC9C

ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041CBCA
lstrcpynA.KERNEL32(00474B68,Remcos,00000080), ref: 0041CBE4
Shell_NotifyIconA.SHELL32(00000000,00474B50), ref: 0041CBFA
TranslateMessage.USER32(?), ref: 0041CC06
DispatchMessageA.USER32(?), ref: 0041CC10
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041CC1D

Strings

Remcos, xrefs: 0041CBD5

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
String ID: Remcos
API String ID: 1970332568-165870891
Opcode ID: 7a949f86bc247f3cbdd076edfe2cda77560b6c3ffe772df9fdb29a851d56ec4a
Instruction ID: 6591afd7fea275f101bd811abb8745f55115b26a2df550b070e187602390ba30
Opcode Fuzzy Hash: 7a949f86bc247f3cbdd076edfe2cda77560b6c3ffe772df9fdb29a851d56ec4a
Instruction Fuzzy Hash: 130112B1940344ABD7109BA5EC4DFEABBBCA7C5B05F004029E615A2061EFB8E585CB6D

Function 0044B660 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a7418b1772248e3e3351a3e0d672deb3f5975b9a12c4fdb4e9d7e9cf784523f
Instruction ID: 8081305e108bfff8a8e14cd18a234b42858a69a1a1930647e7f2335dd99175ec
Opcode Fuzzy Hash: 7a7418b1772248e3e3351a3e0d672deb3f5975b9a12c4fdb4e9d7e9cf784523f
Instruction Fuzzy Hash: 44C105B0D04249AFEF11DFA9C8417BEBBB4EF09314F04415AE544A7392C738D941CBA9

Function 00452D3A Relevance: 13.8, APIs: 9, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 00452DE6
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00452E69
__alloca_probe_16.LIBCMT ref: 00452EA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00452EFC
__alloca_probe_16.LIBCMT ref: 00452F4B
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00452F13

Part of subcall function 00446D0F: RtlAllocateHeap.NTDLL(00000000,0040E684,00000000,?,00433832,0040E684,?,00402BE9,004752F0,00402F1C,00000000,004752F0,004084A8,?,?,004752F0), ref: 00446D41

MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00452F8F
__freea.LIBCMT ref: 00452FBA
__freea.LIBCMT ref: 00452FC6

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
String ID:
API String ID: 201697637-0
Opcode ID: 8453bcbf33bc5b40d4a47403688d85da13e833611dd53665dc146d0a6c2cf776
Instruction ID: e285173fe66e9ab68cc8b5f7bb46492c032c90826bba7407019ac45f59d87ef3
Opcode Fuzzy Hash: 8453bcbf33bc5b40d4a47403688d85da13e833611dd53665dc146d0a6c2cf776
Instruction Fuzzy Hash: E991D572E002169BDF208E64DA41AEFBBB5AF0A312F14055BFC05E7242D778DC48C768

Function 00444609 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 266COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004470CF: GetLastError.KERNEL32(?,00000000,0043EAE7,?,0041AD7E,-00476D74,?,?,?,?,00466900,0040C07B,.vbs), ref: 004470D3
Part of subcall function 004470CF: _free.LIBCMT ref: 00447106
Part of subcall function 004470CF: SetLastError.KERNEL32(00000000,?,0041AD7E,-00476D74,?,?,?,?,00466900,0040C07B,.vbs), ref: 00447147
Part of subcall function 004470CF: _abort.LIBCMT ref: 0044714D

_memcmp.LIBVCRUNTIME ref: 004448B3
_free.LIBCMT ref: 00444924
_free.LIBCMT ref: 0044493D
_free.LIBCMT ref: 0044496F
_free.LIBCMT ref: 00444978
_free.LIBCMT ref: 00444984

Strings

C, xrefs: 00444771

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: _free$ErrorLast$_abort_memcmp
String ID: C
API String ID: 1679612858-1037565863
Opcode ID: cdc2932352a284fc875287c209ac440ed7ed83e78f650952a7feba8cc93201a3
Instruction ID: ce46d41f1d9e01bafc0896c2bb0d2adb680072b6a59d341745b23d3028246374
Opcode Fuzzy Hash: cdc2932352a284fc875287c209ac440ed7ed83e78f650952a7feba8cc93201a3
Instruction Fuzzy Hash: 24B14975A012199FEB24DF18C884BAEB7B4FF49314F1045AEE849A7351D738AE90CF48

Function 00413A9F Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 228COMMON

Download Yara Rule

Strings

tcp, xrefs: 00413C03
udp, xrefs: 00413BD9

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID:
String ID: tcp$udp
API String ID: 0-3725065008
Opcode ID: af4d639371690cb8637a3a63659cf8324f890a8ac4b6ebd8bb2dc9423f2fa13d
Instruction ID: 641150f3fd0ea6af627c79cdc5c75230aa36f57d28899e04d0661f3c05bf373f
Opcode Fuzzy Hash: af4d639371690cb8637a3a63659cf8324f890a8ac4b6ebd8bb2dc9423f2fa13d
Instruction Fuzzy Hash: 0D71D1716083528FDB24CF1994846ABB7E0AF84746F14442FF885A7352E77CDE81CB8A

Function 00406BE9 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 97fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00466454,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C38
WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,000186A0,?,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C80

Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD

CloseHandle.KERNEL32(00000000,?,?,00000000,00407273,00000000,?,0000000A,00000000,00000000), ref: 00406CC0
MoveFileW.KERNEL32(00000000,00000000), ref: 00406CDD
CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,0000000A,00000000,00000000), ref: 00406D08
DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,0000000A,00000000,00000000), ref: 00406D18

Part of subcall function 0040455B: WaitForSingleObject.KERNEL32(?,000000FF,?,?,0040460E,00000000,?,?), ref: 0040456A
Part of subcall function 0040455B: SetEvent.KERNEL32(?,?,?,0040460E,00000000,?,?), ref: 00404588

Strings

.part, xrefs: 00406C0F

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
String ID: .part
API String ID: 1303771098-3499674018
Opcode ID: ea1fc20af3e1ac77e3be19ec06ef1aa71ea95071ced060ea76eaba41132591a1
Instruction ID: 7eae26b3d9efd85ab9a821acf87acbbc445967fcd6ce231ca79d13f55b5b668b
Opcode Fuzzy Hash: ea1fc20af3e1ac77e3be19ec06ef1aa71ea95071ced060ea76eaba41132591a1
Instruction Fuzzy Hash: C631A4715083019FD210EF21DD459AFB7A8FB84755F40093EF9C6B21A1DF38AA48CB9A

Function 0040196B Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 72COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040197B
waveInOpen.WINMM(00472AF8,000000FF,00472B00,Function_00001A8E,00000000,00000000,00000024), ref: 00401A11
waveInPrepareHeader.WINMM(00472AC0,00000020,00000000), ref: 00401A66
waveInAddBuffer.WINMM(00472AC0,00000020), ref: 00401A75
waveInStart.WINMM ref: 00401A81

Strings

dMG, xrefs: 0040196F
|MG, xrefs: 00401A1E

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
String ID: dMG$|MG
API String ID: 1356121797-1683252805
Opcode ID: 6c7fffa8973006a95e04d4fb0f729e3aec7f9014fdd27026002a8dd32de0fa42
Instruction ID: 140f40b68b7a2e7574469051551963e155d477b90c1392cdc23a62cf20397fe9
Opcode Fuzzy Hash: 6c7fffa8973006a95e04d4fb0f729e3aec7f9014fdd27026002a8dd32de0fa42
Instruction Fuzzy Hash: 52215C316002019BC725DF66EE1996A7BA6FB84710B00883EF50DE76B0DBF898C0CB5C

Function 00449B60 Relevance: 12.2, APIs: 8, Instructions: 216COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,0042D05E,?,?,?,00449DB1,00000001,00000001,?), ref: 00449BBA
__alloca_probe_16.LIBCMT ref: 00449BF2
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,0042D05E,?,?,?,00449DB1,00000001,00000001,?), ref: 00449C40
__alloca_probe_16.LIBCMT ref: 00449CD7
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00449D3A
__freea.LIBCMT ref: 00449D47

Part of subcall function 00446D0F: RtlAllocateHeap.NTDLL(00000000,0040E684,00000000,?,00433832,0040E684,?,00402BE9,004752F0,00402F1C,00000000,004752F0,004084A8,?,?,004752F0), ref: 00446D41

__freea.LIBCMT ref: 00449D50
__freea.LIBCMT ref: 00449D75

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 3864826663-0
Opcode ID: bcc67550d4e2d18a707ccbdc65f3f36e380daf58ba7195116bd386f48bc0eefa
Instruction ID: b9264d00d576e3e69c3e593975f72d59ef517f4fd458bc34bb1ef2c80a576446
Opcode Fuzzy Hash: bcc67550d4e2d18a707ccbdc65f3f36e380daf58ba7195116bd386f48bc0eefa
Instruction Fuzzy Hash: 3651F8B2A10206AFFB258F65DC82EBF77A9EB44754F15462EFC05DB240EB38DC409658

Function 00418CB4 Relevance: 12.1, APIs: 8, Instructions: 117keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32 ref: 00418CFE
SendInput.USER32(00000001,?,0000001C), ref: 00418D26
SendInput.USER32(00000001,0000001C,0000001C), ref: 00418D4D
SendInput.USER32(00000001,0000001C,0000001C), ref: 00418D6B
SendInput.USER32(00000001,0000001C,0000001C), ref: 00418D8B
SendInput.USER32(00000001,0000001C,0000001C), ref: 00418DB0
SendInput.USER32(00000001,0000001C,0000001C), ref: 00418DD2
SendInput.USER32(00000001,?,0000001C), ref: 00418DF5

Part of subcall function 00418CA7: MapVirtualKeyA.USER32(00000000,00000000), ref: 00418CAD

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: InputSend$Virtual
String ID:
API String ID: 1167301434-0
Opcode ID: 03d106074c487e793b96b2f05eb270ad55284c326fdeb905245ef2a17d2a5417
Instruction ID: 141eef32e971302722b3407f09031bac5ba220a7556c2b6a6b809b2d6bbc12e7
Opcode Fuzzy Hash: 03d106074c487e793b96b2f05eb270ad55284c326fdeb905245ef2a17d2a5417
Instruction Fuzzy Hash: 2D318031258349A9E210DF65DC41FDFBBECAFC9B08F04080FB58457191EAA4858C87AB

Function 00415BDD Relevance: 12.0, APIs: 8, Instructions: 46clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00415BDE
EmptyClipboard.USER32 ref: 00415BEC
CloseClipboard.USER32 ref: 00415BF2
OpenClipboard.USER32 ref: 00415BF9
GetClipboardData.USER32(0000000D), ref: 00415C09
GlobalLock.KERNEL32(00000000), ref: 00415C12
GlobalUnlock.KERNEL32(00000000), ref: 00415C1B
CloseClipboard.USER32 ref: 00415C21

Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
String ID:
API String ID: 2172192267-0
Opcode ID: ad4a99c753833bf9c3f45224ff19880243952f39c70b7b55e81ac8f79b12c6f6
Instruction ID: 369576e1793333014f6cd695595c81a654a0099a6e7e621b1e9fba3c04e1709a
Opcode Fuzzy Hash: ad4a99c753833bf9c3f45224ff19880243952f39c70b7b55e81ac8f79b12c6f6
Instruction Fuzzy Hash: EE0152322003009FC350BF71DC59AAE77A5AF80B42F00443FFD06A61A2EF35C949C659

Function 00446369 Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00446471
__freea.LIBCMT ref: 0044651B
__freea.LIBCMT ref: 00446539

Strings

am/pm, xrefs: 0044659C
hD, xrefs: 004467A3
a/p, xrefs: 00446600

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: __freea$__alloca_probe_16
String ID: a/p$am/pm$hD
API String ID: 3509577899-3668228793
Opcode ID: f97d2b517c729d9cce72d9c172bfce4aebfe9cb0491648ec0c5b140018eac5b3
Instruction ID: deb853d5fd6adf3918d69246e21912660bd894b39407ab32d9d7da7685977c7a
Opcode Fuzzy Hash: f97d2b517c729d9cce72d9c172bfce4aebfe9cb0491648ec0c5b140018eac5b3
Instruction Fuzzy Hash: 1CD111719002069AFB289F68C9857BBB7B0FF06708F26415BE9019B355D33D9D81CB6B

Function 0044FA16 Relevance: 10.7, APIs: 7, Instructions: 204COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0044FA85
_free.LIBCMT ref: 0044FA93
_free.LIBCMT ref: 0044FBC1
_free.LIBCMT ref: 0044FBCC

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: e32a54b49e6cc877e8a8b955d25f299adebd42ed15a8535a596abcbb025667c0
Instruction ID: 0b2e84c71dbf843dbcc2e99f9f8dbab27ea7d8a4e4ef3fbdb467abc62f582456
Opcode Fuzzy Hash: e32a54b49e6cc877e8a8b955d25f299adebd42ed15a8535a596abcbb025667c0
Instruction Fuzzy Hash: E061E271D00244AFEB20DF69C842BAABBF4EB4A320F24407BED45EB251D734AD45DB58

Function 0044418B Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 187COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00446D0F: RtlAllocateHeap.NTDLL(00000000,0040E684,00000000,?,00433832,0040E684,?,00402BE9,004752F0,00402F1C,00000000,004752F0,004084A8,?,?,004752F0), ref: 00446D41

_free.LIBCMT ref: 00444296
_free.LIBCMT ref: 004442AD
_free.LIBCMT ref: 004442CC
_free.LIBCMT ref: 004442E7
_free.LIBCMT ref: 004442FE

Strings

Z9D, xrefs: 004441BB, 0044433D

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: _free$AllocateHeap
String ID: Z9D
API String ID: 3033488037-3781130823
Opcode ID: 25d8197588e18aa296d75778c7ffd1ef7f6a3e7e8de6c1e53fe448f815abcb9b
Instruction ID: 86c8eacfe83d9672290f1135950403671a27bde0e5aa55c461cabd1b4ee88ac5
Opcode Fuzzy Hash: 25d8197588e18aa296d75778c7ffd1ef7f6a3e7e8de6c1e53fe448f815abcb9b
Instruction Fuzzy Hash: D551B171A00304AFEB20DF6AC881B6A77F4FF95724B1446AEF809D7650E779DA01CB48

Function 0044A2D3 Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,0044AA48,?,00000000,00000000,00000000,00000000,0000000C), ref: 0044A315
__fassign.LIBCMT ref: 0044A390
__fassign.LIBCMT ref: 0044A3AB
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 0044A3D1
WriteFile.KERNEL32(?,00000000,00000000,0044AA48,00000000,?,?,?,?,?,?,?,?,?,0044AA48,?), ref: 0044A3F0
WriteFile.KERNEL32(?,?,00000001,0044AA48,00000000,?,?,?,?,?,?,?,?,?,0044AA48,?), ref: 0044A429

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 19793b4b6baa09b5fac30a83039e1f9c1b1fc09f5707b87a30c95e6118fc2717
Instruction ID: 781c03a50f1c813746d4e14bf3c61566c92396d5579059589c4d950ed669b936
Opcode Fuzzy Hash: 19793b4b6baa09b5fac30a83039e1f9c1b1fc09f5707b87a30c95e6118fc2717
Instruction Fuzzy Hash: 6551C474E002499FDB10CFA8D845AEEBBF4EF09300F14412BE955E7291E774A951CB6A

Function 00401768 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 142threadCOMMON

Download Yara Rule

APIs

ExitThread.KERNEL32 ref: 004017F4

Part of subcall function 00433724: EnterCriticalSection.KERNEL32(00471D18,?,00476D54,?,0040AE8B,00476D54,?,00000000,00000000), ref: 0043372F
Part of subcall function 00433724: LeaveCriticalSection.KERNEL32(00471D18,?,0040AE8B,00476D54,?,00000000,00000000), ref: 0043376C

waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00474EE0,00000000), ref: 00401902

Part of subcall function 00433AB0: __onexit.LIBCMT ref: 00433AB6

__Init_thread_footer.LIBCMT ref: 004017BC

Part of subcall function 004336DA: EnterCriticalSection.KERNEL32(00471D18,00476D54,?,0040AEAC,00476D54,00456FA7,?,00000000,00000000), ref: 004336E4
Part of subcall function 004336DA: LeaveCriticalSection.KERNEL32(00471D18,?,0040AEAC,00476D54,00456FA7,?,00000000,00000000), ref: 00433717

Strings

XMG, xrefs: 00401800
NG, xrefs: 0040188E
NG, xrefs: 0040180B

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
String ID: XMG$NG$NG
API String ID: 1596592924-1283814050
Opcode ID: 70330d4ab6addee688349e5cba1d26322866765582e7cf81e2b7868529151acc
Instruction ID: a5e0bc9ac4bbc073a85812dd1d3adb1d2a3c84d0b98f0a89840e4e641ba94373
Opcode Fuzzy Hash: 70330d4ab6addee688349e5cba1d26322866765582e7cf81e2b7868529151acc
Instruction Fuzzy Hash: 5341B4712042008BC329FB65DD96AAE7395EB94318F10453FF54AA31F2DF389986CB5E

Function 00412D60 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 135registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 00412D99

Part of subcall function 00412A82: RegQueryInfoKeyW.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00412AF5
Part of subcall function 00412A82: RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000,?,?,?,?), ref: 00412B24

Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD

RegCloseKey.ADVAPI32(TeFTeF,00466554,00466554,00466900,00466900,00000071), ref: 00412F09

Strings

TG, xrefs: 00412ED7
NG, xrefs: 00412DC8
TeFTeF, xrefs: 00412F05
TG, xrefs: 00412DD0

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: CloseEnumInfoOpenQuerysend
String ID: TeFTeF$NG$TG$TG
API String ID: 3114080316-826076573
Opcode ID: 8e420be082fe693f158a27e4deefd8db20786bc834dc45f4bee1956f7e56b455
Instruction ID: 217e792c851e8857c64f97df11b7492b8bc11e7bd79a931969a0b124146415da
Opcode Fuzzy Hash: 8e420be082fe693f158a27e4deefd8db20786bc834dc45f4bee1956f7e56b455
Instruction Fuzzy Hash: ED41A1316042005BD224F725D8A2AEF7395AFD0308F50843FF94A671E2EF7C5D4986AE

Function 00437C90 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00437CBB
___except_validate_context_record.LIBVCRUNTIME ref: 00437CC3
_ValidateLocalCookies.LIBCMT ref: 00437D51
__IsNonwritableInCurrentImage.LIBCMT ref: 00437D7C
_ValidateLocalCookies.LIBCMT ref: 00437DD1

Strings

csm, xrefs: 00437D66

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: e20e4e91601e7da6f84b85b393d4409c90c36ea595a33a74ae9b4edf16c34eae
Instruction ID: 1103995f59bc857a00dd0af833384e4a9f5f4a2e3f3cb1d3a3c35a3a433dd29e
Opcode Fuzzy Hash: e20e4e91601e7da6f84b85b393d4409c90c36ea595a33a74ae9b4edf16c34eae
Instruction Fuzzy Hash: 4E410674A042099BCF20DF29C844AAE7BA5AF4C328F14905AEC55AB392D739DD45CF98

Function 0040B6EA Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 004125EB: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 0041260F
Part of subcall function 004125EB: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 0041262C
Part of subcall function 004125EB: RegCloseKey.KERNEL32(?), ref: 00412637

ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040B76C
PathFileExistsA.SHLWAPI(?), ref: 0040B779

Strings

[IE cookies cleared!], xrefs: 0040B7C6, 0040B7E6
[IE cookies not found], xrefs: 0040B741
Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders, xrefs: 0040B703
Cookies, xrefs: 0040B6FE

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
API String ID: 1133728706-4073444585
Opcode ID: e0876ad6e41ec9b62627d19ca7a75b97dfb70f1edf8a66f830784ff2e88c23ee
Instruction ID: 7ed93d3ebd4d115a7197ccd8f2df160251767479400bef64a6787df62d4369c8
Opcode Fuzzy Hash: e0876ad6e41ec9b62627d19ca7a75b97dfb70f1edf8a66f830784ff2e88c23ee
Instruction Fuzzy Hash: 29215C31A1410966CB04F7B2CCA69EE7764AE94318F40013FA902771D2EF789A4986DE

Function 00455B13 Relevance: 10.6, APIs: 7, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e12c7eccc7cef6ec59d1b7d98754e9316727051cdf67e3b64bf7a2946289435
Instruction ID: 890753aa9dfb888b2a1585f98a5e225511b13b718af609ae416a1884f745cca0
Opcode Fuzzy Hash: 8e12c7eccc7cef6ec59d1b7d98754e9316727051cdf67e3b64bf7a2946289435
Instruction Fuzzy Hash: 3A112472504A15BFDB206F729C08D3B3AACEB82736F20016EFC15D7282DE38C800C669

Function 0040FCC7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040FCD4
int.LIBCPMT ref: 0040FCE7

Part of subcall function 0040CFB3: std::_Lockit::_Lockit.LIBCPMT ref: 0040CFC4
Part of subcall function 0040CFB3: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CFDE

std::_Facet_Register.LIBCPMT ref: 0040FD23
std::_Lockit::~_Lockit.LIBCPMT ref: 0040FD49
__CxxThrowException@8.LIBVCRUNTIME ref: 0040FD65

Strings

xkG, xrefs: 0040FD6C

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
String ID: xkG
API String ID: 2536120697-3406988965
Opcode ID: 96fabc4dfed61d4effa21e192acd17317463e5ebe4e4c0b5a644fce98ebf0d8b
Instruction ID: 7cf641d0f45d7e480cf6c67891cb53e845b1d2cd586d61112ae60f6436568b55
Opcode Fuzzy Hash: 96fabc4dfed61d4effa21e192acd17317463e5ebe4e4c0b5a644fce98ebf0d8b
Instruction Fuzzy Hash: 3B11F032900119A7CB14FBA5D8429DEB7689E55358F10013BF809B72D1EB3CAF49C7D9

Function 0044FEEB Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0044FC32: _free.LIBCMT ref: 0044FC5B

_free.LIBCMT ref: 0044FF39

Part of subcall function 00446CD5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FC60,00000000,00000000,00000000,00000000,?,0044FF04,00000000,00000007,00000000,?,00450415,00000000), ref: 00446CEB
Part of subcall function 00446CD5: GetLastError.KERNEL32(00000000,?,0044FC60,00000000,00000000,00000000,00000000,?,0044FF04,00000000,00000007,00000000,?,00450415,00000000,00000000), ref: 00446CFD

_free.LIBCMT ref: 0044FF44
_free.LIBCMT ref: 0044FF4F
_free.LIBCMT ref: 0044FFA3
_free.LIBCMT ref: 0044FFAE
_free.LIBCMT ref: 0044FFB9
_free.LIBCMT ref: 0044FFC4

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 7c29d87e7d6a666a6374703866dd42c53a280d6db8acc668fe4e1522d65ba280
Instruction ID: 7d3bb130547cbd64d3bc6acdbb054c191a8682768e3bc5df2cfa43195c7f437f
Opcode Fuzzy Hash: 7c29d87e7d6a666a6374703866dd42c53a280d6db8acc668fe4e1522d65ba280
Instruction Fuzzy Hash: 3611603158175CAAE930B7B2CC87FCB779CFF01744F804C2EB69B66052DA2CB90A5655

Function 00406815 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 59COMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Users\user\Desktop\preliminary drawing.pif.exe), ref: 00406835

Part of subcall function 00406764: _wcslen.LIBCMT ref: 00406788
Part of subcall function 00406764: CoGetObject.OLE32(?,00000024,004669B0,00000000), ref: 004067E9

CoUninitialize.OLE32 ref: 0040688E

Strings

[+] ShellExec success, xrefs: 00406873
[+] ucmCMLuaUtilShellExecMethod, xrefs: 0040681A
C:\Users\user\Desktop\preliminary drawing.pif.exe, xrefs: 00406815, 00406818, 0040686A
[+] before ShellExec, xrefs: 00406856

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: InitializeObjectUninitialize_wcslen
String ID: C:\Users\user\Desktop\preliminary drawing.pif.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
API String ID: 3851391207-4177046661
Opcode ID: f62f8ea22737c4132ff5b3dac93a03cf3a5d885852b0606909ed978fbfad8032
Instruction ID: bf5204b976fdd256b066cceb308157ad377b3c08e3874fea13dbf5f4dff6080c
Opcode Fuzzy Hash: f62f8ea22737c4132ff5b3dac93a03cf3a5d885852b0606909ed978fbfad8032
Instruction Fuzzy Hash: F20180722023117FE2287B21DC0EF7B6658DB4176AF12413FF946A71C1EAA9AC014679

Function 0040FFAA Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040FFB7
int.LIBCPMT ref: 0040FFCA

Part of subcall function 0040CFB3: std::_Lockit::_Lockit.LIBCPMT ref: 0040CFC4
Part of subcall function 0040CFB3: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CFDE

std::_Facet_Register.LIBCPMT ref: 00410006
std::_Lockit::~_Lockit.LIBCPMT ref: 0041002C
__CxxThrowException@8.LIBVCRUNTIME ref: 00410048

Strings

pmG, xrefs: 0040FFC2

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
String ID: pmG
API String ID: 2536120697-2472243355
Opcode ID: 8d42472844bd96afdecf8ba7111de5d66855e4620eafdcd68511299a710044a1
Instruction ID: 7757f8b08a06b45aa46d7f93aac2e311949306114fe400d1b3bff67def6a62fd
Opcode Fuzzy Hash: 8d42472844bd96afdecf8ba7111de5d66855e4620eafdcd68511299a710044a1
Instruction Fuzzy Hash: D911B231900419EBCB14FBA5D9429DD7B689E58358F10016FF40567191EB78AF86C789

Function 0040B2A8 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 48fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040B2E4
GetLastError.KERNEL32 ref: 0040B2EE

Strings

\AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040B2AF
[Chrome Cookies found, cleared!], xrefs: 0040B314
UserProfile, xrefs: 0040B2B4
[Chrome Cookies not found], xrefs: 0040B308

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: DeleteErrorFileLast
String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
API String ID: 2018770650-304995407
Opcode ID: 208d28cc089e0902a12fb103dce5446f2e08227b8448d2331c0134df23e1f140
Instruction ID: 9d7a183bab8cffc7e176200adf3036985cfece21d6991fc3b8afe8d0fe8b9813
Opcode Fuzzy Hash: 208d28cc089e0902a12fb103dce5446f2e08227b8448d2331c0134df23e1f140
Instruction Fuzzy Hash: AB01623565010557CB0477B6DD6B9AF3628ED51718B60013FF802771E2FE3A990586DE

Function 0041C0BB Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 47memoryCOMMON

Download Yara Rule

APIs

AllocConsole.KERNEL32(004750FC), ref: 0041C0C4
ShowWindow.USER32(00000000,00000000), ref: 0041C0DD
SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041C102

Strings

Remcos v, xrefs: 0041C11D
CONOUT$, xrefs: 0041C0F0
6.0.0 Pro, xrefs: 0041C12B

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: Console$AllocOutputShowWindow
String ID: Remcos v$6.0.0 Pro$CONOUT$
API String ID: 2425139147-3561919337
Opcode ID: 51f71f4df576cdb042b408fdcee2c306aad9b55f4cf694b49fe88f2f6d88a06c
Instruction ID: 9cd6404a4583bb7861016a5e8077681a34a6ce6b29b6da971a73374578d830bb
Opcode Fuzzy Hash: 51f71f4df576cdb042b408fdcee2c306aad9b55f4cf694b49fe88f2f6d88a06c
Instruction Fuzzy Hash: 750121B1A80304BADA10F7F19D4BF9976AC6B14B09F500426BA05A70C2EEB8A554462D

Function 0043980C Relevance: 9.3, APIs: 6, Instructions: 284COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00439999
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004399B5
__allrem.LIBCMT ref: 004399CC
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004399EA
__allrem.LIBCMT ref: 00439A01
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00439A1F

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 31e2b55488ddeb09d7ca8352022d9d2291424f2169f1d8468a917e76cef19f60
Instruction ID: 5399b0f9a6461ae69e9bde9777a653eaf6085cdcce353b40ae7049a42401d5b7
Opcode Fuzzy Hash: 31e2b55488ddeb09d7ca8352022d9d2291424f2169f1d8468a917e76cef19f60
Instruction Fuzzy Hash: 15810B72A00706ABE724BA79CC41B6B73E89F89768F24522FF411D7781E7B8DD008758

Function 00444D4D Relevance: 9.2, APIs: 6, Instructions: 200COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftoe.LIBCMT ref: 00444D79
__cftoe.LIBCMT ref: 00444DAB

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: __cftoe
String ID:
API String ID: 4189289331-0
Opcode ID: 852e4da016d356d11357218231835bd017087aeac4d4c96d23f389898d640629
Instruction ID: 890c16c57639ce4616fdae23c1b2cf08611ffd87950db76db0bf4773250d0152
Opcode Fuzzy Hash: 852e4da016d356d11357218231835bd017087aeac4d4c96d23f389898d640629
Instruction Fuzzy Hash: 2C512972900205ABFB249BA98C41FAF77A9EFC8324F24411FF815D6292DB3DDD11966C

Function 00403DE7 Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 135sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00403E8A

Part of subcall function 00403FCD: __EH_prolog.LIBCMT ref: 00403FD2

Strings

OpenCamera, xrefs: 00403F48
FreeFrame, xrefs: 00403F76
GetFrame, xrefs: 00403F65
HNG, xrefs: 00403FAC
CloseCamera, xrefs: 00403F54

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: H_prologSleep
String ID: CloseCamera$FreeFrame$GetFrame$HNG$OpenCamera
API String ID: 3469354165-3054508432
Opcode ID: e7545194277c3571c60d24974087cbebdc65dfcc5f268e76aa99d4d6e3e1e360
Instruction ID: 0fabaa65846f565374d927adde4572b2cc1454b627dc53539f04e4ca1ee376cc
Opcode Fuzzy Hash: e7545194277c3571c60d24974087cbebdc65dfcc5f268e76aa99d4d6e3e1e360
Instruction Fuzzy Hash: 4641B031A0420196C614FF75C956AAD3BA59B81708F00453FF809A72E6DF7C9A85C7CF

Function 00419FE2 Relevance: 9.1, APIs: 6, Instructions: 66serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,?,00000000,?,?,004196FD,00000000,00000000), ref: 00419FF2
OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,00000000,?,?,004196FD,00000000,00000000), ref: 0041A006
CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,004196FD,00000000,00000000), ref: 0041A013
ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,004196FD), ref: 0041A048
CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,004196FD,00000000,00000000), ref: 0041A05A
CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,004196FD,00000000,00000000), ref: 0041A05D

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ChangeConfigManager
String ID:
API String ID: 493672254-0
Opcode ID: acb1ab762709c3537526a51b10a93c78cfb3dfb6c5fe312adfbbead143cf3a3e
Instruction ID: 3721d8981427c9c50277447f2eb78ca90bee9705940f35750f03ddb94c099399
Opcode Fuzzy Hash: acb1ab762709c3537526a51b10a93c78cfb3dfb6c5fe312adfbbead143cf3a3e
Instruction Fuzzy Hash: 28016D315062107ED2111F349C0EEBF3E1CDF567B1F00022FF522A22D2DE69CE8981AA

Function 00438016 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0043800D,004379C1), ref: 00438024
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00438032
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043804B
SetLastError.KERNEL32(00000000,?,0043800D,004379C1), ref: 0043809D

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 3d2ceef5274e4dce0ae2caf7dfaf84fccaef2f9a96c7b33c4be4e75810a8a5f0
Instruction ID: c897193d57ecee64636fe05851fbd3cadc70b6e754ca2b2668497838eaebe06c
Opcode Fuzzy Hash: 3d2ceef5274e4dce0ae2caf7dfaf84fccaef2f9a96c7b33c4be4e75810a8a5f0
Instruction Fuzzy Hash: DC0190321083416DFB2823756C465377B68E709378F21123FF328515F1EF994C44514C

Function 004470CF Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,0043EAE7,?,0041AD7E,-00476D74,?,?,?,?,00466900,0040C07B,.vbs), ref: 004470D3
_free.LIBCMT ref: 00447106
_free.LIBCMT ref: 0044712E
SetLastError.KERNEL32(00000000,?,0041AD7E,-00476D74,?,?,?,?,00466900,0040C07B,.vbs), ref: 0044713B
SetLastError.KERNEL32(00000000,?,0041AD7E,-00476D74,?,?,?,?,00466900,0040C07B,.vbs), ref: 00447147
_abort.LIBCMT ref: 0044714D

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: ae40a63e46beb22daa4956e078090859b5f7183b7e2bf3c5c9b8e84b2b7f2479
Instruction ID: 03a1e9305cc52ab1e573739f72da4c843e3c1f7cd4612cbd08a2c6f68691a865
Opcode Fuzzy Hash: ae40a63e46beb22daa4956e078090859b5f7183b7e2bf3c5c9b8e84b2b7f2479
Instruction Fuzzy Hash: F2F0F931508B1027F612777A6C46E1B15269BC17B6B26002FF509A6392EF2C8C07911D

Function 00419E16 Relevance: 9.0, APIs: 6, Instructions: 44serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,?,?,?,?,?,?,00419991,00000000,00000000), ref: 00419E25
OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,00419991,00000000,00000000), ref: 00419E39
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419991,00000000,00000000), ref: 00419E46
ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,00419991,00000000,00000000), ref: 00419E55
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419991,00000000,00000000), ref: 00419E67
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419991,00000000,00000000), ref: 00419E6A

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID:
API String ID: 221034970-0
Opcode ID: 9cb85cc35f2519c6338691534af121ca1389047ec6e6f2a9c8debe6c8711b385
Instruction ID: 47980c42e9b022aba05d73d81e1ae7aa31c0ed05cef52b60765f03c540efa169
Opcode Fuzzy Hash: 9cb85cc35f2519c6338691534af121ca1389047ec6e6f2a9c8debe6c8711b385
Instruction Fuzzy Hash: 44F062319003186BD611AB65DC89EBF3B6CDB45BA1F01002AF906A21D2DF78DD4A95F5

Function 00419F7D Relevance: 9.0, APIs: 6, Instructions: 44serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,?,?,?,?,?,?,0041988D,00000000,00000000), ref: 00419F8C
OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041988D,00000000,00000000), ref: 00419FA0
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041988D,00000000,00000000), ref: 00419FAD
ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,0041988D,00000000,00000000), ref: 00419FBC
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041988D,00000000,00000000), ref: 00419FCE
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041988D,00000000,00000000), ref: 00419FD1

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID:
API String ID: 221034970-0
Opcode ID: 3db3a5d68129f61560c03075b8f0b2ae50547be632efc36bd400162bfd816848
Instruction ID: cbb6f8d25e78bf3f904679f952f169c6c08018e661e4ba535c0ca8fa304c3d8e
Opcode Fuzzy Hash: 3db3a5d68129f61560c03075b8f0b2ae50547be632efc36bd400162bfd816848
Instruction Fuzzy Hash: 68F0C2315002147BD2116B24DC49EBF3A6CDB45BA1B01002AFA06A2192DF78CE4A85B8

Function 00419F18 Relevance: 9.0, APIs: 6, Instructions: 44serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,?,?,?,?,?,?,0041990F,00000000,00000000), ref: 00419F27
OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041990F,00000000,00000000), ref: 00419F3B
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041990F,00000000,00000000), ref: 00419F48
ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,0041990F,00000000,00000000), ref: 00419F57
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041990F,00000000,00000000), ref: 00419F69
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041990F,00000000,00000000), ref: 00419F6C

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID:
API String ID: 221034970-0
Opcode ID: 1883ab34e669b71cec32f4a46158b3c00bdc3606bc540b5e14eaa9f5014ced4b
Instruction ID: 95d7f5aa039a93820bb4883d7663946178ed8a5ec9cf590f88e81ba893971d89
Opcode Fuzzy Hash: 1883ab34e669b71cec32f4a46158b3c00bdc3606bc540b5e14eaa9f5014ced4b
Instruction Fuzzy Hash: 7EF062715003147BD2116B65DC4AEBF3B6CDB45BA1B01002AFA06B2192DF78DD4A96B9

Function 00412A82 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 173registryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00412AF5
RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000,?,?,?,?), ref: 00412B24
RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,?,?,00002710,?,?,?,00000000,?,?,?,?), ref: 00412BC5

Strings

TG, xrefs: 00412C07
[regsplt], xrefs: 00412C5D

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: Enum$InfoQueryValue
String ID: [regsplt]$TG
API String ID: 3554306468-170812940
Opcode ID: 0d173ed5413b4b1651b2ae219d5cc25fb6549f641541746ac6b165420a8096cf
Instruction ID: eeb20da9b05a32976bf12a6402f5e40020a9f6991e42d7db5c0f7bae6a1218cc
Opcode Fuzzy Hash: 0d173ed5413b4b1651b2ae219d5cc25fb6549f641541746ac6b165420a8096cf
Instruction Fuzzy Hash: C5511E72108345AED310EF61D985DEFB7ECEF84704F00492EB585D2191EB74EA088BAA

Function 00455BDA Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00455D09

Strings

wME, xrefs: 00455BE2

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: _free
String ID: wME
API String ID: 269201875-3986563984
Opcode ID: 9e8ec78fe16e6d96c1dad1dca968e38a5d4ed37e6c09b270d7894abe65d6e597
Instruction ID: 0bd1fcef5d7791e57e96aa6a4775832058b0444fd7bffa6098b49987863132bf
Opcode Fuzzy Hash: 9e8ec78fe16e6d96c1dad1dca968e38a5d4ed37e6c09b270d7894abe65d6e597
Instruction Fuzzy Hash: 64415D31900F00ABEF227AB98C9667F3A75DF01775F14411FFC1896293D63C890986AA

Function 0041AA28 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 90COMMON

Download Yara Rule

APIs

Part of subcall function 0041265C: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?), ref: 0041267E
Part of subcall function 0041265C: RegQueryValueExW.ADVAPI32(?,0040E18D,00000000,00000000,?,00000400), ref: 0041269D
Part of subcall function 0041265C: RegCloseKey.ADVAPI32(?), ref: 004126A6

Part of subcall function 0041B366: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B377

_wcslen.LIBCMT ref: 0041AB01

Strings

program files\, xrefs: 0041AAE7, 0041AAEE, 0041AB00
http\shell\open\command, xrefs: 0041AA38
program files (x86)\, xrefs: 0041AAFB
.exe, xrefs: 0041AA53

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: CloseCurrentOpenProcessQueryValue_wcslen
String ID: .exe$http\shell\open\command$program files (x86)\$program files\
API String ID: 37874593-4246244872
Opcode ID: 482e74eaaa3f2e20e4166c3984dea5ca38626ab951abc54cc3c7810d92b694be
Instruction ID: 944f249e3467cd2310196e71108a033bc811508d99a3a404dc4e3305fa2889c9
Opcode Fuzzy Hash: 482e74eaaa3f2e20e4166c3984dea5ca38626ab951abc54cc3c7810d92b694be
Instruction Fuzzy Hash: 8621A772B001042BDB04B6B58C96EFE366D9B84318B10087FF452B71D3EE3C9D554269

Function 0040AE58 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 00433724: EnterCriticalSection.KERNEL32(00471D18,?,00476D54,?,0040AE8B,00476D54,?,00000000,00000000), ref: 0043372F
Part of subcall function 00433724: LeaveCriticalSection.KERNEL32(00471D18,?,0040AE8B,00476D54,?,00000000,00000000), ref: 0043376C

Part of subcall function 00433AB0: __onexit.LIBCMT ref: 00433AB6

__Init_thread_footer.LIBCMT ref: 0040AEA7

Part of subcall function 004336DA: EnterCriticalSection.KERNEL32(00471D18,00476D54,?,0040AEAC,00476D54,00456FA7,?,00000000,00000000), ref: 004336E4
Part of subcall function 004336DA: LeaveCriticalSection.KERNEL32(00471D18,?,0040AEAC,00476D54,00456FA7,?,00000000,00000000), ref: 00433717

Strings

TmG, xrefs: 0040AE80
[End of clipboard], xrefs: 0040AEE9
XmG, xrefs: 0040AE70
[Text copied to clipboard], xrefs: 0040AEF6

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit
String ID: [End of clipboard]$[Text copied to clipboard]$TmG$XmG
API String ID: 2974294136-1855599884
Opcode ID: f1537b6c864876bd6e697c17872c161cbee5024a969681bc65b79ce2e310a33e
Instruction ID: 2623299308dd9d50029d580546b1e3590cd03a5acc49d0be8ee118f943746456
Opcode Fuzzy Hash: f1537b6c864876bd6e697c17872c161cbee5024a969681bc65b79ce2e310a33e
Instruction Fuzzy Hash: FB216131A102155ACB24FB65D8929EE7775AF54318F10403FF506772E2EF3C6E4A868D

Function 0040A876 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 67timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040A884
wsprintfW.USER32 ref: 0040A905

Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,00000000,0040A91C,00000000), ref: 00409D84

Strings

], xrefs: 0040A892
[%04i/%02i/%02i %02i:%02i:%02i , xrefs: 0040A88D
Offline Keylogger Started, xrefs: 0040A87D

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: EventLocalTimewsprintf
String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
API String ID: 1497725170-248792730
Opcode ID: 417cd478b33fcd8336bdd6508270cf64408166eba9a3bedffc978348360268a3
Instruction ID: eacaba0d290b76b22f399a57737f65b18f8a023abca8575ba11697f47f6457b1
Opcode Fuzzy Hash: 417cd478b33fcd8336bdd6508270cf64408166eba9a3bedffc978348360268a3
Instruction Fuzzy Hash: F1115172500118AACB18FB96EC56CFF77B8AE48715B00013FF542621D1EF7C5A86C6E9

Function 00409D97 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58sleepfileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409E6F), ref: 00409DCD
GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409E6F), ref: 00409DDC
Sleep.KERNEL32(00002710,?,?,?,00409E6F), ref: 00409E09
CloseHandle.KERNEL32(00000000,?,?,?,00409E6F), ref: 00409E10

Strings

pQG, xrefs: 00409DC2

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleSizeSleep
String ID: pQG
API String ID: 1958988193-3769108836
Opcode ID: 270f53498fc7c8e5ea9fed9cdbda2050302444d24a2d0276fc634fa0d6fb6203
Instruction ID: 007c54a35b5ab6fada7f5b2b4f31fda992404cc28ee9ac254c5285dcec39f6dc
Opcode Fuzzy Hash: 270f53498fc7c8e5ea9fed9cdbda2050302444d24a2d0276fc634fa0d6fb6203
Instruction Fuzzy Hash: 0911E730640B406AE720E724D88972F7B9AAB81316F44047EF18566AE3CA799CD5C29D

Function 0041CC2A Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 54registryCOMMON

Download Yara Rule

APIs

RegisterClassExA.USER32(00000030), ref: 0041CC77
CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041CC92
GetLastError.KERNEL32 ref: 0041CC9C

Strings

MsgWindowClass, xrefs: 0041CC33
0, xrefs: 0041CC38

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: ClassCreateErrorLastRegisterWindow
String ID: 0$MsgWindowClass
API String ID: 2877667751-2410386613
Opcode ID: 2bfcb1dee2ed81dd37ad325623522de50802513b554cdfc95296743f6fff5b81
Instruction ID: c9edb97a89f7ec8dfbaa779d36c224b53f51aa00da94833f787b12e8c600820c
Opcode Fuzzy Hash: 2bfcb1dee2ed81dd37ad325623522de50802513b554cdfc95296743f6fff5b81
Instruction Fuzzy Hash: 2001E9B1D1021DAF8B00DF9ADCC49EFFBBDBE49355B50452AE414B6100EB708A458AA5

Function 004069BA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 00406A00
CloseHandle.KERNEL32(?), ref: 00406A0F
CloseHandle.KERNEL32(?), ref: 00406A14

Strings

/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 004069F6
C:\Windows\System32\cmd.exe, xrefs: 004069FB

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateProcess
String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
API String ID: 2922976086-4183131282
Opcode ID: 76fab65495b0fd8f7af94722782b38f5ec20939b495d63d65361185c7f15ad50
Instruction ID: 0865c4136dfbb59e32125d892e445ee09242962a1e3dc4bc305b740a121ed375
Opcode Fuzzy Hash: 76fab65495b0fd8f7af94722782b38f5ec20939b495d63d65361185c7f15ad50
Instruction Fuzzy Hash: 68F090B690029D7ACB20ABD69C0EECF7F3CEBC5B11F01046ABA04A2051DA706104CAB8

Function 004064D0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 40COMMON

Download Yara Rule

Strings

8SG, xrefs: 0040693F
C:\Users\user\Desktop\preliminary drawing.pif.exe, xrefs: 00406927

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID:
String ID: 8SG$C:\Users\user\Desktop\preliminary drawing.pif.exe
API String ID: 0-3603987985
Opcode ID: 2e2f3ec73120aaf2d5374a419d2de378c1fc52240c54a194de7764e475bbe054
Instruction ID: ac3f053366391772af188fc274efb03f25e4c049f181d6a95d7665767018bac5
Opcode Fuzzy Hash: 2e2f3ec73120aaf2d5374a419d2de378c1fc52240c54a194de7764e475bbe054
Instruction Fuzzy Hash: 4FF0F6B17022109BDB103B34AD1966A3A45DB40346F01807BF98BFA6E2DF7C8851C68C

Function 004427E9 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0044279A,00000003,?,0044273A,00000003,0046EAF0,0000000C,00442891,00000003,00000002), ref: 00442809
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044281C
FreeLibrary.KERNEL32(00000000,?,?,?,0044279A,00000003,?,0044273A,00000003,0046EAF0,0000000C,00442891,00000003,00000002,00000000), ref: 0044283F

Strings

CorExitProcess, xrefs: 00442814
mscoree.dll, xrefs: 00442802

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 263cd25904221f4c100099ecbb428eb8354416072efb1e7fc04c1483da550fa7
Instruction ID: e557d05a47d06e8d32a7f66c2c4e22cdfb14d47a79db446b90f8ad9ee3cbc836
Opcode Fuzzy Hash: 263cd25904221f4c100099ecbb428eb8354416072efb1e7fc04c1483da550fa7
Instruction Fuzzy Hash: 8CF0A430900309FBDB119F94DD09B9EBFB4EB08753F4041B9F805A2261DF789D44CA98

Function 00404AB1 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 35synchronizationCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,004755B0,00414F47,00000000,00000000,00000001), ref: 00404AED
SetEvent.KERNEL32(?), ref: 00404AF9
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00404B04
CloseHandle.KERNEL32(?), ref: 00404B0D

Part of subcall function 0041A891: GetLocalTime.KERNEL32(00000000), ref: 0041A8AB

Strings

KeepAlive | Disabled, xrefs: 00404AC6

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
String ID: KeepAlive | Disabled
API String ID: 2993684571-305739064
Opcode ID: 1d8b2a529bd13c7b3998ff04f974cbc6989fe0b56a5d70fb02fa613a61c518d4
Instruction ID: 7c4d48bbaa8a7164c3353f7df4ad5523490a6ea0f3ebe4e46dcacb08dafaa92a
Opcode Fuzzy Hash: 1d8b2a529bd13c7b3998ff04f974cbc6989fe0b56a5d70fb02fa613a61c518d4
Instruction Fuzzy Hash: 31F096B19047007BDB1137759D0B66B7F58AB46325F00096FF492A26F2DE39D8508B5E

Function 0041A128 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 0041A891: GetLocalTime.KERNEL32(00000000), ref: 0041A8AB

GetModuleHandleA.KERNEL32(00000000,00020009), ref: 0041A15A
PlaySoundW.WINMM(00000000,00000000), ref: 0041A168
Sleep.KERNEL32(00002710), ref: 0041A16F
PlaySoundW.WINMM(00000000,00000000,00000000), ref: 0041A178

Strings

Alarm triggered, xrefs: 0041A131

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: PlaySound$HandleLocalModuleSleepTime
String ID: Alarm triggered
API String ID: 614609389-2816303416
Opcode ID: 545fa531557c757fbbe18d4fe6d8fe89de1fdfeac445219701f628b98b8da168
Instruction ID: 198adcd2ac8b5b4b9acde76a755fda1533c143b191b85f9fe5233f4cbfc21951
Opcode Fuzzy Hash: 545fa531557c757fbbe18d4fe6d8fe89de1fdfeac445219701f628b98b8da168
Instruction Fuzzy Hash: 79E01A22A04261379520337B7D0FD6F3D28EAC7B65741006FF905A6192EE580811C6FB

Function 0041C07A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 26COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041C10D), ref: 0041C084
GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,0041C10D), ref: 0041C091
SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,0041C10D), ref: 0041C09E
SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,0041C10D), ref: 0041C0B1

Strings

______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041C0A4

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: Console$AttributeText$BufferHandleInfoScreen
String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
API String ID: 3024135584-2418719853
Opcode ID: 1559ced9db44309d12e9096fc874ef99716f3117c459c374921cc59209bdbdc6
Instruction ID: f27d36e20d2a67c690befc106ea5cafab99e09d075a2dfca7d32a9b7008c9529
Opcode Fuzzy Hash: 1559ced9db44309d12e9096fc874ef99716f3117c459c374921cc59209bdbdc6
Instruction Fuzzy Hash: 57E04F62604348BBD30037F6AC4EDAB3B7CE784617B10092AF612A01D3ED7484468B79

Function 004403AA Relevance: 7.7, APIs: 5, Instructions: 222COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f68b1d49af0c7730ce498653d8fed6b0bde13fb1d860b9cc8fbdbd671e887c34
Instruction ID: 7c1105064789ab48ae90d42f937b6a9cbc34ac1ed42c20d541c6d1c3f1a57216
Opcode Fuzzy Hash: f68b1d49af0c7730ce498653d8fed6b0bde13fb1d860b9cc8fbdbd671e887c34
Instruction Fuzzy Hash: 7671D371900216AFEF20CF54C884ABFBB75EF45310F14422BEA15A7281DB788C61CFA9

Function 00410BF1 Relevance: 7.7, APIs: 5, Instructions: 198memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00410691: SetLastError.KERNEL32(0000000D,00410C10,?,00000000), ref: 00410697

GetNativeSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00410BED), ref: 00410C9C
GetProcessHeap.KERNEL32(00000008,00000040,?,?,00000000), ref: 00410D02
HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 00410D09
SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00410E17
SetLastError.KERNEL32(000000C1,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00410BED), ref: 00410E41

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: ErrorLast$Heap$AllocInfoNativeProcessSystem
String ID:
API String ID: 3525466593-0
Opcode ID: cd86719b9dcd2ae297b38eec54943b1f428d3bc40038883f77d3c934b4d0046b
Instruction ID: e2f64966b18619331c3eea81ef564f6afd9e4387f8ea08f62d3b86939114ae32
Opcode Fuzzy Hash: cd86719b9dcd2ae297b38eec54943b1f428d3bc40038883f77d3c934b4d0046b
Instruction Fuzzy Hash: 8E61E570200305ABD710AF56C981BA77BA5BF84308F04451EF909CB382DBF8E8D5CB99

Function 0040E77B Relevance: 7.6, APIs: 5, Instructions: 132processCOMMON

Download Yara Rule

APIs

Part of subcall function 0041B366: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B377

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040E799
Process32FirstW.KERNEL32(00000000,?), ref: 0040E7BD
Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E7CC
CloseHandle.KERNEL32(00000000), ref: 0040E983

Part of subcall function 0041B392: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040E5A8,00000000,?,?,004750FC), ref: 0041B3A7

Part of subcall function 0041B588: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B5A0
Part of subcall function 0041B588: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B5B3

Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E974

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: Process$OpenProcess32$Next$CloseCreateCurrentFirstHandleSnapshotToolhelp32
String ID:
API String ID: 4269425633-0
Opcode ID: fb918f1dad0439fc27645b8bebce4404754a0811f6db5b5fa9fbc7acbd75aa5f
Instruction ID: eccf11dc20c1a31a83cdfd33956dcb3d749eb3f266b118f2c15681f5292a9231
Opcode Fuzzy Hash: fb918f1dad0439fc27645b8bebce4404754a0811f6db5b5fa9fbc7acbd75aa5f
Instruction Fuzzy Hash: F741CF311083455BC225FB61D891AEFB7E5AFA4304F50453EF849531E1EF389A49C65A

Function 004432A8 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0044331A
_free.LIBCMT ref: 0044333A

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: c6d5326bb826bef7d4312f682f8fd03de73532d4ef60da68ba97a8c78ea7af64
Instruction ID: 036c3dfb054a6f01566e3cd8d28730a68c174e79056a6e67996f15c63748089b
Opcode Fuzzy Hash: c6d5326bb826bef7d4312f682f8fd03de73532d4ef60da68ba97a8c78ea7af64
Instruction Fuzzy Hash: F341D636A002049FEB20DF79C881A5EB7B5FF88718F1545AEE915EB351DA35EE01CB84

Function 004500E3 Relevance: 7.6, APIs: 5, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,0042D05E,?,?,?,00000001,?,?,00000001,0042D05E,0042D05E), ref: 00450130
__alloca_probe_16.LIBCMT ref: 00450168
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,0042D05E,?,?,?,00000001,?,?,00000001,0042D05E,0042D05E,?), ref: 004501B9
GetStringTypeW.KERNEL32(00000001,00000000,00000000,00000001,?,?,?,00000001,?,?,00000001,0042D05E,0042D05E,?,00000002,?), ref: 004501CB
__freea.LIBCMT ref: 004501D4

Part of subcall function 00446D0F: RtlAllocateHeap.NTDLL(00000000,0040E684,00000000,?,00433832,0040E684,?,00402BE9,004752F0,00402F1C,00000000,004752F0,004084A8,?,?,004752F0), ref: 00446D41

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
String ID:
API String ID: 313313983-0
Opcode ID: fd0aa0384684eacdf7abc6501352976ef31b4d957b4bd6fef1948425fb379f9d
Instruction ID: d7464a72994917abc30d80f71ec8451e4cba9cf5435b4dea42e63c5c2bdc5daf
Opcode Fuzzy Hash: fd0aa0384684eacdf7abc6501352976ef31b4d957b4bd6fef1948425fb379f9d
Instruction Fuzzy Hash: 9631E132A0060AABDF249F65DC41DAF7BA5EB00311F05416AFC04E7252EB3ACD54CBA5

Function 0044E34B Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0044E354
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044E377

Part of subcall function 00446D0F: RtlAllocateHeap.NTDLL(00000000,0040E684,00000000,?,00433832,0040E684,?,00402BE9,004752F0,00402F1C,00000000,004752F0,004084A8,?,?,004752F0), ref: 00446D41

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044E39D
_free.LIBCMT ref: 0044E3B0
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044E3BF

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: a4cd5982238a72dbe6aa6d8d50da3adc4d042805fd07c78ab303c145de14084b
Instruction ID: 5f1b7bba735f2dc00ee4e6ee14e94985e19ed078b50b1d1b699098eccd63c47a
Opcode Fuzzy Hash: a4cd5982238a72dbe6aa6d8d50da3adc4d042805fd07c78ab303c145de14084b
Instruction Fuzzy Hash: D50171726017157F73221A776C88C7B6A6DEAC2F65315012EFD05D3241DE698C0291B9

Function 00447153 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,0040E684,?,00445569,00446D52,00000000,?,00433832,0040E684,?,00402BE9,004752F0,00402F1C,00000000,004752F0,004084A8), ref: 00447158
_free.LIBCMT ref: 0044718D
_free.LIBCMT ref: 004471B4
SetLastError.KERNEL32(00000000,?,0040E684,004752F0), ref: 004471C1
SetLastError.KERNEL32(00000000,?,0040E684,004752F0), ref: 004471CA

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: c73b76ca02ce190c9082a6036dde6ca48763b4b9e088bcde2ec0a65c3a46cc10
Instruction ID: 9627307c59aa3692a64de8377ee3c20019e30fe80ec8d82769d3f9bfdfbdb6fb
Opcode Fuzzy Hash: c73b76ca02ce190c9082a6036dde6ca48763b4b9e088bcde2ec0a65c3a46cc10
Instruction Fuzzy Hash: 3E01F97624CB102BB30267B95C85D2B2A29DBC17B6726012FF509A6392EF2C8C07515D

Function 0044F9AD Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0044F9C5

Part of subcall function 00446CD5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FC60,00000000,00000000,00000000,00000000,?,0044FF04,00000000,00000007,00000000,?,00450415,00000000), ref: 00446CEB
Part of subcall function 00446CD5: GetLastError.KERNEL32(00000000,?,0044FC60,00000000,00000000,00000000,00000000,?,0044FF04,00000000,00000007,00000000,?,00450415,00000000,00000000), ref: 00446CFD

_free.LIBCMT ref: 0044F9D7
_free.LIBCMT ref: 0044F9E9
_free.LIBCMT ref: 0044F9FB
_free.LIBCMT ref: 0044FA0D

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 8a0a0e5e94a0327d1776c165067cf9b9603f8d21362122b3839296c578ae3d6e
Instruction ID: 2de1f51a18cc7960585f1cc37bbb46b0208bdbaa703fd0d38dd13c161260ee8b
Opcode Fuzzy Hash: 8a0a0e5e94a0327d1776c165067cf9b9603f8d21362122b3839296c578ae3d6e
Instruction Fuzzy Hash: B5F012725042107BA620DF59FAC6D1773E9EA457247A5482BF18DEBA51C738FCC0865C

Function 004434F7 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00443515

Part of subcall function 00446CD5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FC60,00000000,00000000,00000000,00000000,?,0044FF04,00000000,00000007,00000000,?,00450415,00000000), ref: 00446CEB
Part of subcall function 00446CD5: GetLastError.KERNEL32(00000000,?,0044FC60,00000000,00000000,00000000,00000000,?,0044FF04,00000000,00000007,00000000,?,00450415,00000000,00000000), ref: 00446CFD

_free.LIBCMT ref: 00443527
_free.LIBCMT ref: 0044353A
_free.LIBCMT ref: 0044354B
_free.LIBCMT ref: 0044355C

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 5455ce8706e3ca66a7bad791c73c4693f29d9b457f563819123ce72749b06e66
Instruction ID: bf08c2b723e6da78e2f9a692d3f9dcffc94df7bb1312aea5ebb3a1bf48e2a6b8
Opcode Fuzzy Hash: 5455ce8706e3ca66a7bad791c73c4693f29d9b457f563819123ce72749b06e66
Instruction Fuzzy Hash: 4EF0FEB08011219FD726AF69BE414063BA0F709764346113BF45E66B71E7790982EB8E

Function 00416937 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 182threadwindowCOMMON

Download Yara Rule

APIs

GetWindowThreadProcessId.USER32(?,?), ref: 0041694E
GetWindowTextW.USER32(?,?,0000012C), ref: 00416980
IsWindowVisible.USER32(?), ref: 00416987

Part of subcall function 0041B588: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B5A0
Part of subcall function 0041B588: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B5B3

Strings

0VG, xrefs: 00416B10

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: ProcessWindow$Open$TextThreadVisible
String ID: 0VG
API String ID: 3142014140-3748860515
Opcode ID: ff03ffd4f6cc77f932e4edfdeb06edc0b20a7c92ae044af92d2bebefb50f3518
Instruction ID: a92d2c2722018a5f2df8734f3a85bf91d45912e01cb50305def5a483f7f9536a
Opcode Fuzzy Hash: ff03ffd4f6cc77f932e4edfdeb06edc0b20a7c92ae044af92d2bebefb50f3518
Instruction Fuzzy Hash: FE71C3311082415AC335FB61D8A5ADFB3E4EFD4308F50493EB58A530E1EF74AA49CB9A

Function 004428E4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\preliminary drawing.pif.exe,00000104), ref: 00442924
_free.LIBCMT ref: 004429EF
_free.LIBCMT ref: 004429F9

Strings

C:\Users\user\Desktop\preliminary drawing.pif.exe, xrefs: 0044291B, 00442922, 00442951, 00442989

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\preliminary drawing.pif.exe
API String ID: 2506810119-1790079400
Opcode ID: 879d9e2b38b1d89f551397a097aa935745b0c0e22aaa1738aebc34f268e2407b
Instruction ID: 08a660f2d8e46f51ee0862092f41265a48d7a3eaa7bec75f040af8368b354bfd
Opcode Fuzzy Hash: 879d9e2b38b1d89f551397a097aa935745b0c0e22aaa1738aebc34f268e2407b
Instruction Fuzzy Hash: E53193B1A00258AFEB21DF999E8199EBBBCEB85314F50406BF805A7311D6F84A41CB59

Function 00404468 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92synchronizationnetworkCOMMON

Download Yara Rule

APIs

send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
WaitForSingleObject.KERNEL32(?,00000000,{NAL,?,?,00000004,?,?,00000004,00474EE0,004755B0,00000000), ref: 0040450E
SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00474EE0,004755B0,00000000,?,?,?,?,?,00414E7B), ref: 0040453C

Strings

{NAL, xrefs: 00404473, 004044D6, 0040454A, 004044DC

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: EventObjectSingleWaitsend
String ID: {NAL
API String ID: 3963590051-1903569844
Opcode ID: e5b1152e801fc0e060bd94fd94af3035c379d0ee4d3e398b9c2365be4aea0086
Instruction ID: 09920f02ef31e30e393b68ef0c8285e211ae926702cc5adcda46913b737bad1c
Opcode Fuzzy Hash: e5b1152e801fc0e060bd94fd94af3035c379d0ee4d3e398b9c2365be4aea0086
Instruction Fuzzy Hash: 552137B29005156BCF04ABA5DC96DEE777CBF54358B00413EF916B21E1EE78A504C6E4

Function 00403A10 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 92sleepCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00403A2A

Part of subcall function 0041AD43: GetCurrentProcessId.KERNEL32(00000000,74DF3530,00000000,?,?,?,?,00466900,0040C07B,.vbs,?,?,?,?,?,00475308), ref: 0041AD6A

Part of subcall function 0041789C: CloseHandle.KERNEL32(00403AB9,?,?,00403AB9,00466324), ref: 004178B2
Part of subcall function 0041789C: CloseHandle.KERNEL32($cF,?,?,00403AB9,00466324), ref: 004178BB

Part of subcall function 0041B825: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B83E

Sleep.KERNEL32(000000FA,00466324), ref: 00403AFC

Strings

0NG, xrefs: 00403A5B
/sort "Visit Time" /stext ", xrefs: 00403A76

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
String ID: /sort "Visit Time" /stext "$0NG
API String ID: 368326130-3219657780
Opcode ID: c4b831b34e14828552bc9d4d0ad47ce0156765275efe979d0b0e3b197869aa7a
Instruction ID: 03df4c4d2d4284c33795d9a7a6d048d6c9d09091ba23d5cef523323604a75e49
Opcode Fuzzy Hash: c4b831b34e14828552bc9d4d0ad47ce0156765275efe979d0b0e3b197869aa7a
Instruction Fuzzy Hash: 88319531A0011456CB14FB76DC969EE7779AF80318F00007FF906B31D2EF385A4AC699

Function 0040C580 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 70COMMON

Download Yara Rule

APIs

Part of subcall function 0041B79A: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00466900,00000000,00000000,0040C267,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041B7D9

ShellExecuteW.SHELL32(?,open,00000000), ref: 0040C632
ExitProcess.KERNEL32 ref: 0040C63E

Strings

open, xrefs: 0040C62C
fso.DeleteFile(Wscript.ScriptFullName), xrefs: 0040C5E1

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: CreateExecuteExitFileProcessShell
String ID: fso.DeleteFile(Wscript.ScriptFullName)$open
API String ID: 2309964880-3562070623
Opcode ID: 5b9f087faae90e8765311bcc83d073f78384341eefa14734647449da5b96e6f6
Instruction ID: 93f40cfe3ee9365c747514cb1b77cb91c8b74bdf9be970de4a2d602802d72697
Opcode Fuzzy Hash: 5b9f087faae90e8765311bcc83d073f78384341eefa14734647449da5b96e6f6
Instruction Fuzzy Hash: D42145315042404AC324FB25D8969BF77E4AFD1718F50453FF486620F2EF39AA49C69A

Function 004098A5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 70threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,004099A9,?,00000000,00000000), ref: 0040992A
CreateThread.KERNEL32(00000000,00000000,Function_00009993,?,00000000,00000000), ref: 0040993A
CreateThread.KERNEL32(00000000,00000000,004099B5,?,00000000,00000000), ref: 00409946

Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040A884
Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905

Strings

Offline Keylogger Started, xrefs: 004098C7, 004098CE, 004098FB

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: CreateThread$LocalTimewsprintf
String ID: Offline Keylogger Started
API String ID: 465354869-4114347211
Opcode ID: cd73f897d4b6c00ded67e9d5e0828c2b3fa8008c19ad26bc0745e4278f96b09a
Instruction ID: 15e43fcc554e39227c644a0273f32637653ac1eeca6ef832bd6c9a92d0497390
Opcode Fuzzy Hash: cd73f897d4b6c00ded67e9d5e0828c2b3fa8008c19ad26bc0745e4278f96b09a
Instruction Fuzzy Hash: 0A1198B15003097AD224BA36CC86DBF7A5CDA813A8B40053EB845622D3EA785E14C6FB

Function 0040A611 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64threadCOMMON

Download Yara Rule

APIs

Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040A884
Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905

Part of subcall function 0041A891: GetLocalTime.KERNEL32(00000000), ref: 0041A8AB

CreateThread.KERNEL32(00000000,00000000,Function_00009993,?,00000000,00000000), ref: 0040A691
CreateThread.KERNEL32(00000000,00000000,Function_000099B5,?,00000000,00000000), ref: 0040A69D
CreateThread.KERNEL32(00000000,00000000,004099C1,?,00000000,00000000), ref: 0040A6A9

Strings

Online Keylogger Started, xrefs: 0040A626, 0040A62F, 0040A659

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: CreateThread$LocalTime$wsprintf
String ID: Online Keylogger Started
API String ID: 112202259-1258561607
Opcode ID: 3c573273cba6266483297c7d5fea9e6e4b82bdb6727bfee743cf38f62d3d9514
Instruction ID: 13545b77b67cc4507d33d8d8c8ff512a749ba16b8a43449315e0da64450a8124
Opcode Fuzzy Hash: 3c573273cba6266483297c7d5fea9e6e4b82bdb6727bfee743cf38f62d3d9514
Instruction Fuzzy Hash: E80161A1A003193AE62076768C86DBF7A6DCA813A8F41043EF541662C3EA7D5D5582FA

Function 0044AC83 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,00000000,8@,?,0044ABA1,8@,0046ED38,0000000C), ref: 0044ACD9
GetLastError.KERNEL32(?,0044ABA1,8@,0046ED38,0000000C), ref: 0044ACE3
__dosmaperr.LIBCMT ref: 0044AD0E

Strings

8@, xrefs: 0044AC88

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID: 8@
API String ID: 2583163307-819625340
Opcode ID: f11388ad4d481d826d75519938a9a20661ac3afaecb278e3b0e3570ed3326013
Instruction ID: 727ae4bd5dc399200e14d16721253afac520870d53d00e52bc8525c117eb1139
Opcode Fuzzy Hash: f11388ad4d481d826d75519938a9a20661ac3afaecb278e3b0e3570ed3326013
Instruction Fuzzy Hash: 6F018836640A100BF3212634688573F67498B91B39F29022FF804872D2CE2D8CC1919F

Function 00404B29 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00404B26), ref: 00404B40
CloseHandle.KERNEL32(?,?,?,?,00404B26), ref: 00404B98
SetEvent.KERNEL32(?,?,?,?,00404B26), ref: 00404BA7

Strings

Connection Timeout, xrefs: 00404B66

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: CloseEventHandleObjectSingleWait
String ID: Connection Timeout
API String ID: 2055531096-499159329
Opcode ID: 2702246f0fa09606d6e931d0fc4fb6c4d29b2eb700644ddbcdd3ba467188eb7d
Instruction ID: 3c9b6871d48b6b3111a672927d5bafc1cfd46058a166b60e959a8cf6be3f516d
Opcode Fuzzy Hash: 2702246f0fa09606d6e931d0fc4fb6c4d29b2eb700644ddbcdd3ba467188eb7d
Instruction Fuzzy Hash: 1601F5B1900B41AFD325BB3A8C4255ABFE4AB45315740053FE293A2BA2DE38E440CB5E

Function 0041284C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 38registryCOMMON

Download Yara Rule

APIs

RegCreateKeyW.ADVAPI32(80000001,00000000,004752F0), ref: 00412857
RegSetValueExW.ADVAPI32(004752F0,?,00000000,00000001,00000000,00000000,00475308,?,0040E6A3,pth_unenc,004752F0), ref: 00412885
RegCloseKey.ADVAPI32(004752F0,?,0040E6A3,pth_unenc,004752F0), ref: 00412890

Strings

pth_unenc, xrefs: 00412850

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: CloseCreateValue
String ID: pth_unenc
API String ID: 1818849710-4028850238
Opcode ID: a9a4faf41eaec605be467c851ca097a2ed92dd1208ab8b935ce10a87fa44d963
Instruction ID: ab464752906d06cf6e422ab9fb9c42b8cedad3247386a7cb387aa37f92243dc4
Opcode Fuzzy Hash: a9a4faf41eaec605be467c851ca097a2ed92dd1208ab8b935ce10a87fa44d963
Instruction Fuzzy Hash: 2DF09071500218BBDF50AFA0EE46FEE376CEF40B55F10452AF902B60A1EF75DA08DA94

Function 0040CE91 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040CE9C
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040CEDB

Part of subcall function 004349CD: _Yarn.LIBCPMT ref: 004349EC
Part of subcall function 004349CD: _Yarn.LIBCPMT ref: 00434A10

__CxxThrowException@8.LIBVCRUNTIME ref: 0040CEFF

Strings

bad locale name, xrefs: 0040CEE9

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
String ID: bad locale name
API String ID: 3628047217-1405518554
Opcode ID: c3bb0996a3100e44b4af927014152775e02b4080fd2ac81c35c0cfa3e2f5b79b
Instruction ID: d3fe92e39fe1a76843bdcbebe92e6b3b15f8dcb0f99b50ce5c9cc2ba4b618b17
Opcode Fuzzy Hash: c3bb0996a3100e44b4af927014152775e02b4080fd2ac81c35c0cfa3e2f5b79b
Instruction Fuzzy Hash: FEF03171004214AAC768FB62D853ADE77A4AF14758F504B3FF046224D2AF7CB619C688

Function 0041534A Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 27COMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0041538C

Strings

open, xrefs: 00415386
cmd.exe, xrefs: 00415381
/C , xrefs: 0041536A

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: ExecuteShell
String ID: /C $cmd.exe$open
API String ID: 587946157-3896048727
Opcode ID: 81820de318613ce1981a08fcedbd9c1ec419e2b7f67279ed33ac04362bc6c47b
Instruction ID: 200bce0b0309f38ec9064e519a9a4578f5a600b3ca3b701a036ea6d1077247ba
Opcode Fuzzy Hash: 81820de318613ce1981a08fcedbd9c1ec419e2b7f67279ed33ac04362bc6c47b
Instruction Fuzzy Hash: F1E0C0B11043406AC708FB65DC96DBF77AC9A90749F10483FB582621E2EE78A949865E

Function 0040AFBA Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 20threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32(004099A9,00000000,00475308,pth_unenc,0040BF26,004752F0,00475308,?,pth_unenc), ref: 0040AFC9
UnhookWindowsHookEx.USER32(00475108), ref: 0040AFD5
TerminateThread.KERNEL32(00409993,00000000,?,pth_unenc), ref: 0040AFE3

Strings

pth_unenc, xrefs: 0040AFBA

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: TerminateThread$HookUnhookWindows
String ID: pth_unenc
API String ID: 3123878439-4028850238
Opcode ID: 5ce168509fd4f53ac483e5472d8910f69c83d539265d002f33f874c0df2e9344
Instruction ID: 19faee7e247875c6ed4f8509c992ad96cda0262a64c11258bcf204109443e34b
Opcode Fuzzy Hash: 5ce168509fd4f53ac483e5472d8910f69c83d539265d002f33f874c0df2e9344
Instruction Fuzzy Hash: BEE01DB1245715DFD3101F545C94825BB99EB44746324087FF6C165252CD798C14C759

Function 00401430 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 7libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 0040143A
GetProcAddress.KERNEL32(00000000), ref: 00401441

Strings

GetCursorInfo, xrefs: 00401430
User32.dll, xrefs: 00401435

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: GetCursorInfo$User32.dll
API String ID: 1646373207-2714051624
Opcode ID: 0df56b3ea47fb749bec4bd55cc4ccf0acac8e18c0c6121f5027aebd44438a81f
Instruction ID: d22651b824a9dcc27ed8a3983426188770e59c2792dec55b339c490717ece8d0
Opcode Fuzzy Hash: 0df56b3ea47fb749bec4bd55cc4ccf0acac8e18c0c6121f5027aebd44438a81f
Instruction Fuzzy Hash: 54B09B705457459BC600DBE15C4D7143D14A544703B104069F04791151DE7450008F1E

Function 004014D5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 7libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 004014DF
GetProcAddress.KERNEL32(00000000), ref: 004014E6

Strings

GetLastInputInfo, xrefs: 004014D5
User32.dll, xrefs: 004014DA

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: GetLastInputInfo$User32.dll
API String ID: 2574300362-1519888992
Opcode ID: dda8da8e992a33b18976b493c6326eaa7f3d62003a83836ab2f58572c3d9c97a
Instruction ID: 0ec815453ed4bd5b2a0753acad69ff197eebc14e76dec883dd33c8fab126b773
Opcode Fuzzy Hash: dda8da8e992a33b18976b493c6326eaa7f3d62003a83836ab2f58572c3d9c97a
Instruction Fuzzy Hash: EDB092B19827449FC7006BE0AD8DA263A64B654B43729006BF04BE51A1EEB890009A1F

Function 00448F1B Relevance: 6.3, APIs: 4, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00448FA6
__alldvrm.LIBCMT ref: 004491A7
__alldvrm.LIBCMT ref: 004491C9

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: d40d264ce186481e8e8803da27d4fb82d1c369339dcbd8dea302127bdb9e3949
Instruction ID: 0b1f6a9dfc50a2d3a5cef35921af3bd2f2baba9a31ad448e356136b6fbdd55d0
Opcode Fuzzy Hash: d40d264ce186481e8e8803da27d4fb82d1c369339dcbd8dea302127bdb9e3949
Instruction Fuzzy Hash: 3AA14532A042869FFB258E18C8817AFBBA1EF15354F1841AFE8859B382C67C8D41D758

Function 00441C91 Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f277d5c0f1564c07d21cbdf6a65813eeb35f15303aa3ddcbbecc19a9b8a38fe0
Instruction ID: 88518833c1d7008d36d723bd78668d328a40e80baed6ee8e3f57c0ed0377fbed
Opcode Fuzzy Hash: f277d5c0f1564c07d21cbdf6a65813eeb35f15303aa3ddcbbecc19a9b8a38fe0
Instruction Fuzzy Hash: FE413AB1A00704BFE7249F39CC41BAABBA8EB84718F10412FF405DB291D379A9418788

Function 0040B806 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 103sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 0040B81B
Sleep.KERNEL32(00001388), ref: 0040B8A3

Strings

Cleared browsers logins and cookies., xrefs: 0040B8EF
[Cleared browsers logins and cookies.], xrefs: 0040B8DE

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
API String ID: 3472027048-1236744412
Opcode ID: f717ee1729712f907129b316fa0d2f436d0ed2d67aa55d85118ae772642bc300
Instruction ID: 247d09dce9e3c977c7e86e48a76dae703d52755688f8fe644b587970fcea700c
Opcode Fuzzy Hash: f717ee1729712f907129b316fa0d2f436d0ed2d67aa55d85118ae772642bc300
Instruction Fuzzy Hash: FE31A81124C38069CA117B7514167AB6F958A93754F08847FE8C4273E3DB7A480883EF

Function 00409C4B Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 71sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 0041B8F1: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041B901
Part of subcall function 0041B8F1: GetWindowTextLengthW.USER32(00000000), ref: 0041B90A
Part of subcall function 0041B8F1: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041B934

Sleep.KERNEL32(000001F4), ref: 00409C95
Sleep.KERNEL32(00000064), ref: 00409D1F

Strings

], xrefs: 00409C9D
[ , xrefs: 00409CB1

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: Window$SleepText$ForegroundLength
String ID: [ $ ]
API String ID: 3309952895-93608704
Opcode ID: 2511530f514a93335b33953baec759d84381d0a6c4ebb83ce20f45fcaf4bcf82
Instruction ID: 7bed66d096a43dd94c2219bc8d3cdd3a5a7df98386a17a5ae9bf36b343ab91a8
Opcode Fuzzy Hash: 2511530f514a93335b33953baec759d84381d0a6c4ebb83ce20f45fcaf4bcf82
Instruction Fuzzy Hash: AF119F315042009BD218BB26DC17AAEBBA8AF41708F40047FF542621D3EF79AA1986DE

Function 0041B79A Relevance: 6.1, APIs: 4, Instructions: 64fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00466900,00000000,00000000,0040C267,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041B7D9
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0041B7F6
WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041B80A
CloseHandle.KERNEL32(00000000), ref: 0041B817

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandlePointerWrite
String ID:
API String ID: 3604237281-0
Opcode ID: 801f75d00fac8da0c66411ebabb5881698d5c73b15829ac97cd3568d121a9cb6
Instruction ID: fca0af3f27241acfb9d15a16a542bc487c24adb9e916811621f81636ea96e045
Opcode Fuzzy Hash: 801f75d00fac8da0c66411ebabb5881698d5c73b15829ac97cd3568d121a9cb6
Instruction Fuzzy Hash: 1501F5712052057FE6105E249CC9EBB739CEB82B75F10063EF662D23C1DB25CC8686B9

Function 00442EE2 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0179cd47eff8c75336d676f059f6bc7958f0419c29ca715f1c911511461a8d64
Instruction ID: b58c8eca075ef28bddc965f0bc4d2171c3ec1f8ef65ef5096018edf4bb449d44
Opcode Fuzzy Hash: 0179cd47eff8c75336d676f059f6bc7958f0419c29ca715f1c911511461a8d64
Instruction Fuzzy Hash: 2501F2B26093163EF61016796CC1F27671CEF417B8BB1032BB626612D2EEA88C46606D

Function 00442F61 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 112e7316d96929b625426bf143e83baabee3255260599eba4999be5de9cde10c
Instruction ID: 7fe3e8edc5bbc175eb6928fc2517c3e9b6b95ea9c4057c88a91cd5d3c4beb3ed
Opcode Fuzzy Hash: 112e7316d96929b625426bf143e83baabee3255260599eba4999be5de9cde10c
Instruction Fuzzy Hash: F201F9B22096167EB61016796DC4D27676DEF813B83F1033BF421612D1EEA8CC44A179

Function 00438305 Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 0043831F

Part of subcall function 0043826C: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 0043829B
Part of subcall function 0043826C: ___AdjustPointer.LIBCMT ref: 004382B6

_UnwindNestedFrames.LIBCMT ref: 00438334
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00438345
CallCatchBlock.LIBVCRUNTIME ref: 0043836D

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: c8370f5f766c88f9b882548d03e746073a9763e8d7037f7b78bb80a5d64990c6
Instruction ID: 0bcd00d322a0ad7a372b2cc4a74953bc209b0d499cbe7a3061e5fba3b10c2df3
Opcode Fuzzy Hash: c8370f5f766c88f9b882548d03e746073a9763e8d7037f7b78bb80a5d64990c6
Instruction Fuzzy Hash: 3E014072100248BBDF126E96CC41DEF7B69EF4C758F04501DFE4866221D73AE861DBA4

Function 00447420 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00475308,00000000,00000000,?,004473C7,00475308,00000000,00000000,00000000,?,004476F3,00000006,FlsSetValue), ref: 00447452
GetLastError.KERNEL32(?,004473C7,00475308,00000000,00000000,00000000,?,004476F3,00000006,FlsSetValue,0045E328,FlsSetValue,00000000,00000364,?,004471A1), ref: 0044745E
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,004473C7,00475308,00000000,00000000,00000000,?,004476F3,00000006,FlsSetValue,0045E328,FlsSetValue,00000000), ref: 0044746C

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: bca6965db1f65f3d9859255c05e5b0128703451981dee5a4eba808798ce175cf
Instruction ID: 55721a836d87515a1eea2a56d4c7bce34062b93f94d6470a2cb527c4f3a692dc
Opcode Fuzzy Hash: bca6965db1f65f3d9859255c05e5b0128703451981dee5a4eba808798ce175cf
Instruction Fuzzy Hash: 6D01FC326497366BD7314F789C44A777FD8AF047617114535F906E3241DF28D802C6E8

Function 0041B825 Relevance: 6.0, APIs: 4, Instructions: 50fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B83E
GetFileSize.KERNEL32(00000000,00000000), ref: 0041B852
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041B877
CloseHandle.KERNEL32(00000000), ref: 0041B885

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleReadSize
String ID:
API String ID: 3919263394-0
Opcode ID: 491b1589daa83d69fa1d080c515bd77b52251b70493fd69acd89ec977a862727
Instruction ID: 2a104a3335fe37b36386f9496d9e2b25d881a91c22a4f34d2042fa75e5cfbfce
Opcode Fuzzy Hash: 491b1589daa83d69fa1d080c515bd77b52251b70493fd69acd89ec977a862727
Instruction Fuzzy Hash: 47F0C2B12422047FE6102F25AC89FBF3A5CDB86BA9F10023EF801A2291DE258C0581B9

Function 00418702 Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000004C), ref: 0041870F
GetSystemMetrics.USER32(0000004D), ref: 00418715
GetSystemMetrics.USER32(0000004E), ref: 0041871B
GetSystemMetrics.USER32(0000004F), ref: 00418721

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-0
Opcode ID: 0409876626ed8831e64dc81abc3b09ac1b97839c455807a5cfaaf12ce600e90b
Instruction ID: 0d34e4fe417a410293abd419840fb627d3fd172a5f9f2d4f3f0ee0adad43daa0
Opcode Fuzzy Hash: 0409876626ed8831e64dc81abc3b09ac1b97839c455807a5cfaaf12ce600e90b
Instruction Fuzzy Hash: 26F0D672B043215BCB00AB754C4596EBB969FC03A4F25083FFA159B381EE78EC4687D9

Function 0041B588 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B5A0
OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B5B3
CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041B5DE
CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041B5E6

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: CloseHandleOpenProcess
String ID:
API String ID: 39102293-0
Opcode ID: ddb94331a0dc938029f7d14c553cc6e36a98f223d8a3dcd9af2f2b1925e6f0da
Instruction ID: 5d23c8c1f4703883972a4236376900cac23e2486f01e1b2fafccabe2f4d6955e
Opcode Fuzzy Hash: ddb94331a0dc938029f7d14c553cc6e36a98f223d8a3dcd9af2f2b1925e6f0da
Instruction Fuzzy Hash: D5F049712003167BD31167558C4AFABB66ECF40B9AF01002BF611E21A2EF74DDC146BD

Function 004420ED Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0044217D

Strings

pow, xrefs: 00442155, 00442172

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 520362507bef941fab5cffea9abde62870a3d8c74bbf2bfcbae46fc27f337450
Instruction ID: 9e1bbc3390eeabea57be79b34f62796538476165ffe421cdb5ba0d05f4dc7be1
Opcode Fuzzy Hash: 520362507bef941fab5cffea9abde62870a3d8c74bbf2bfcbae46fc27f337450
Instruction Fuzzy Hash: 7251AF61A0A20297F7557B15CE8137B2B90EB50741F684D6BF085423E9EB7CCC819F4E

Function 00421179 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 178COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00421211

Strings

<kG, xrefs: 004213DC
<kG, xrefs: 004211E7

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: _memcmp
String ID: <kG$<kG
API String ID: 2931989736-383723866
Opcode ID: d47ae52ce4a61cc16c24248539f97dea7df6f2f1aee32e52f124e5a8bb677117
Instruction ID: 841d78c923fca9e627808cf77cab3bf97fcfd39527adbe47470f5cf9fadca134
Opcode Fuzzy Hash: d47ae52ce4a61cc16c24248539f97dea7df6f2f1aee32e52f124e5a8bb677117
Instruction Fuzzy Hash: 9F613471604B0A9ED710DF28D8806A6B7A5FF18304F440A3FEC5CCF656E3B8A955C7A9

Function 004095D6 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 158COMMON

Download Yara Rule

APIs

GetKeyboardLayoutNameA.USER32(?), ref: 00409601

Part of subcall function 004041F1: socket.WS2_32(?,00000001,00000006), ref: 00404212

Part of subcall function 0040428C: connect.WS2_32(?,?,?), ref: 004042A5

Part of subcall function 0041B8B5: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00409689,00474EE0,?,00474EE0,00000000,00474EE0,00000000), ref: 0041B8CA

Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD

Strings

pQG, xrefs: 00409676
NG, xrefs: 00409657

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: CreateFileKeyboardLayoutNameconnectsendsocket
String ID: pQG$NG
API String ID: 2334542088-921107917
Opcode ID: e52c4bfbbf491a69ecb4960c1d6259ff9f79ac9da7c2a8f6420d67b0d9921c35
Instruction ID: 713adcd63a50277e86c853b9c7bd1a900ae8bd87492a3ad9f31fb308660c5d8e
Opcode Fuzzy Hash: e52c4bfbbf491a69ecb4960c1d6259ff9f79ac9da7c2a8f6420d67b0d9921c35
Instruction Fuzzy Hash: BB5141321082405AC365F775D8A2AEF73E5AFD4308F50483FF84A671E2EE789949C69D

Function 0044DD44 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 132COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?,00000005,?,00000000), ref: 0044DD69

Strings

vD, xrefs: 0044DD5B
, xrefs: 0044DDAE

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: Info
String ID: $vD
API String ID: 1807457897-3636070802
Opcode ID: 93903f92fe2fb0ed0337dde64186c6a748e8e2785b4d3c371d891558e8e27b72
Instruction ID: 6a53932102cf2f29093c464eb4c67803ff3648b28b3ba8b7d074bec3f8911faa
Opcode Fuzzy Hash: 93903f92fe2fb0ed0337dde64186c6a748e8e2785b4d3c371d891558e8e27b72
Instruction Fuzzy Hash: D0415DB0D047489BEF218E24CC84AF6BBF9DF55708F2404EEE58A87142D239AD45DF65

Function 00450AEE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMON

Download Yara Rule

APIs

GetACP.KERNEL32(?,20001004,?,00000002), ref: 00450BC9

Strings

ACP, xrefs: 00450B0C
OCP, xrefs: 00450B42

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID:
String ID: ACP$OCP
API String ID: 0-711371036
Opcode ID: 6fd782f53c9633299fe98566c4ec68ed2bffd726811d49864d22e4fe4dac6dcd
Instruction ID: d29bb87f3b47b124c8bd6c760bb86eb4cd4ec0f84f402c6b2e0ab732353f73f5
Opcode Fuzzy Hash: 6fd782f53c9633299fe98566c4ec68ed2bffd726811d49864d22e4fe4dac6dcd
Instruction Fuzzy Hash: 4021F72AA00105A6E7308FD48C82B977396AB50B1BF564467ED09D7303F73AFD09C358

Function 004049BA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?,00474EE0,004755B0,?,?,?,?,?,?,?,00414F0F,?,00000001,0000004C,00000000), ref: 004049F1

Part of subcall function 0041A891: GetLocalTime.KERNEL32(00000000), ref: 0041A8AB

GetLocalTime.KERNEL32(?,00474EE0,004755B0,?,?,?,?,?,?,?,00414F0F,?,00000001,0000004C,00000000), ref: 00404A4E

Strings

KeepAlive | Enabled | Timeout: , xrefs: 004049E5

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: LocalTime
String ID: KeepAlive | Enabled | Timeout:
API String ID: 481472006-1507639952
Opcode ID: b297191fcc39de0c32076be6b31a8c079d0e7b5d7b43f94d621be0d323a1c09e
Instruction ID: 07f09c1926c096f578aeb4a964dedba27d52497869334d5e310e707c12b0f234
Opcode Fuzzy Hash: b297191fcc39de0c32076be6b31a8c079d0e7b5d7b43f94d621be0d323a1c09e
Instruction Fuzzy Hash: 932131B1A042806BD600F77A980635B7B9497C4314F84043FE90C562E2EEBD59898BAF

Function 0041A891 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 59timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(00000000), ref: 0041A8AB

Strings

%02i:%02i:%02i:%03i , xrefs: 0041A8C0
| , xrefs: 0041A8DE

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: LocalTime
String ID: | $%02i:%02i:%02i:%03i
API String ID: 481472006-2430845779
Opcode ID: 081e93fbbec349e8936f4a956e4cb7ac947408df14d2201bf20346be4eca2895
Instruction ID: bea5c42f2d95e84a76b62dfc34e9438b8882b4e2d456746f57979f9b7964cbe7
Opcode Fuzzy Hash: 081e93fbbec349e8936f4a956e4cb7ac947408df14d2201bf20346be4eca2895
Instruction Fuzzy Hash: 0F114C725082405BC704EBA5D8969BF77E8AB94708F10093FF885A31E1EF38DA44C69E

Function 0040A767 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040A884
Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905

Part of subcall function 0041A891: GetLocalTime.KERNEL32(00000000), ref: 0041A8AB

CloseHandle.KERNEL32(?), ref: 0040A7CA
UnhookWindowsHookEx.USER32 ref: 0040A7DD

Strings

Online Keylogger Stopped, xrefs: 0040A777, 0040A77F, 0040A7A6

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
String ID: Online Keylogger Stopped
API String ID: 1623830855-1496645233
Opcode ID: 4cb91a23982654f73f6ac0ef0022b7f09afb7950f5fb41b3fe27527950a6f0fc
Instruction ID: da65c2120251a34d34924486d515db36f90714a8cba0a7d82e96ebed52376b78
Opcode Fuzzy Hash: 4cb91a23982654f73f6ac0ef0022b7f09afb7950f5fb41b3fe27527950a6f0fc
Instruction Fuzzy Hash: 5901F131A043019BCB25BB35C80B7AEBBB19B45314F40406EE441225D2EB7999A6C3DF

Function 004016E8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

waveInPrepareHeader.WINMM(?,00000020,?,?,00000000,00476B98,00474EE0,?,00000000,00401913), ref: 00401747
waveInAddBuffer.WINMM(?,00000020,?,00000000,00401913), ref: 0040175D

Strings

XMG, xrefs: 004016F6

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: wave$BufferHeaderPrepare
String ID: XMG
API String ID: 2315374483-813777761
Opcode ID: 9fc96e4d9a4cc4764b743b30a3811bafc81a4a425666bc66b2c283c0432b57c3
Instruction ID: 26799fbdff8c3ec01ad48014b311b0d3f370155dffc0330205344997a7b0d52a
Opcode Fuzzy Hash: 9fc96e4d9a4cc4764b743b30a3811bafc81a4a425666bc66b2c283c0432b57c3
Instruction Fuzzy Hash: 6501AD71300300AFD7209F39ED45A69BBB5EF89315B00413EB808E33A2EB74AC50CB98

Function 004479A0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35COMMON

Download Yara Rule

APIs

IsValidLocale.KERNEL32(00000000,z?D,00000000,00000001,?,?,00443F7A,?,?,?,?,00000004), ref: 004479EC

Strings

IsValidLocaleName, xrefs: 004479B1, 004479BB
z?D, xrefs: 004479E3, 004479D0

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: LocaleValid
String ID: IsValidLocaleName$z?D
API String ID: 1901932003-2490211753
Opcode ID: 030ca6b5b062e3e6eb463140e6e5805cf12db518d0019a9c378278714199a4d0
Instruction ID: 892bc6e93789200f6c95030ba230210178196c8f1f686432b442ac7872abfc60
Opcode Fuzzy Hash: 030ca6b5b062e3e6eb463140e6e5805cf12db518d0019a9c378278714199a4d0
Instruction Fuzzy Hash: 06F0E930645218B7DB186F258C06F5E7B95CB05716F50807BFC047A293DE794E0295DD

Function 00401D91 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00401D96

Strings

XMG, xrefs: 00401DDB
XMG, xrefs: 00401DB7

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: H_prolog
String ID: XMG$XMG
API String ID: 3519838083-886261599
Opcode ID: acd40ce3d972dd5881ad06443dd18d6c3efa0f6b796b096c1a78f2c415bb384c
Instruction ID: 0a877421dfc5135a28098138b17ad9f721677e320a6d1c8a6a2adbe775497da7
Opcode Fuzzy Hash: acd40ce3d972dd5881ad06443dd18d6c3efa0f6b796b096c1a78f2c415bb384c
Instruction Fuzzy Hash: D4F0E9B1B00211ABC715BB65880569EB768EF41369F01827FB416772E1CFBD5D04975C

Function 0040AD56 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 32keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000011), ref: 0040AD5B

Part of subcall function 00409B10: GetForegroundWindow.USER32 ref: 00409B3F
Part of subcall function 00409B10: GetWindowThreadProcessId.USER32(00000000,?), ref: 00409B4B
Part of subcall function 00409B10: GetKeyboardLayout.USER32(00000000), ref: 00409B52
Part of subcall function 00409B10: GetKeyState.USER32(00000010), ref: 00409B5C
Part of subcall function 00409B10: GetKeyboardState.USER32(?), ref: 00409B67
Part of subcall function 00409B10: ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 00409B8A
Part of subcall function 00409B10: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 00409BE3

Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,00000000,0040A91C,00000000), ref: 00409D84

Strings

[AltL], xrefs: 0040AD9D
[AltR], xrefs: 0040AD91

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
String ID: [AltL]$[AltR]
API String ID: 2738857842-2658077756
Opcode ID: ce67c6b9541bce5d684c0b314e2bb763e4fb79d2184cd9e37727c5d4efc2308b
Instruction ID: 4c389cf0edc94a27bb3bc0fddc987b72c0da48b50f0a0a77cbfc03dd010ffeca
Opcode Fuzzy Hash: ce67c6b9541bce5d684c0b314e2bb763e4fb79d2184cd9e37727c5d4efc2308b
Instruction Fuzzy Hash: 9AE09B2134032117C898323EA91B6EE3A218F82F65B80016FF8427BADADD7D4D5043CF

Function 00448A13 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00448A35

Part of subcall function 00446CD5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FC60,00000000,00000000,00000000,00000000,?,0044FF04,00000000,00000007,00000000,?,00450415,00000000), ref: 00446CEB
Part of subcall function 00446CD5: GetLastError.KERNEL32(00000000,?,0044FC60,00000000,00000000,00000000,00000000,?,0044FF04,00000000,00000007,00000000,?,00450415,00000000,00000000), ref: 00446CFD

Strings

8@, xrefs: 00448A18
8@, xrefs: 00448A19

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: ErrorFreeHeapLast_free
String ID: 8@$8@
API String ID: 1353095263-3408345419
Opcode ID: 9a963da6b0d453c70d37714207bd95daf40472698ea915a46c6a843fe12f4396
Instruction ID: 8fe4af4b93ebf6b2b13329648f525de20a5552277f2be9521e73d3219e6c2dc0
Opcode Fuzzy Hash: 9a963da6b0d453c70d37714207bd95daf40472698ea915a46c6a843fe12f4396
Instruction Fuzzy Hash: 01E092361003059F8720CF6DD400A86B7F4EF95720720852FE89EE3710D731E812CB40

Function 0040ADB0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000012), ref: 0040ADB5

Strings

[CtrlL], xrefs: 0040ADE3
[CtrlR], xrefs: 0040ADD2

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: State
String ID: [CtrlL]$[CtrlR]
API String ID: 1649606143-2446555240
Opcode ID: 10b53adc53ede08df6f25a29bd1bf7e8709a3babba08c05ac3a9a02de2c9d962
Instruction ID: c178b64a75e50e2fccb38c9379e001e6e5e0f6b670105b82eaba8ba361dc1658
Opcode Fuzzy Hash: 10b53adc53ede08df6f25a29bd1bf7e8709a3babba08c05ac3a9a02de2c9d962
Instruction Fuzzy Hash: 59E0866170031517C514363DD61B67F39128F41B66F80012FF842A7AC6ED7E8D6423CB

Function 00412A52 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 23registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040BFB2,00000000,004752F0,00475308,?,pth_unenc), ref: 00412A60
RegDeleteValueW.ADVAPI32(?,?,?,pth_unenc), ref: 00412A70

Strings

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00412A5E

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: DeleteOpenValue
String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
API String ID: 2654517830-1051519024
Opcode ID: 3a238ae8f5602ce2402de7cae663a0db3b4178bc362611f3100633d001d48757
Instruction ID: 27182704b7fa20b5ed2a2764b3d23dc9a6b68b829b0f6622ee10c7d45645f89b
Opcode Fuzzy Hash: 3a238ae8f5602ce2402de7cae663a0db3b4178bc362611f3100633d001d48757
Instruction Fuzzy Hash: F1E01270200308BAEF204FA19E06FEB37ACAB40BC9F004169F601F5191EAB6DD54A658

Function 0040AF77 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(00000000,?,pth_unenc), ref: 0040AF84
RemoveDirectoryW.KERNEL32(00000000,?,pth_unenc), ref: 0040AFAF

Strings

pth_unenc, xrefs: 0040AF77

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: DeleteDirectoryFileRemove
String ID: pth_unenc
API String ID: 3325800564-4028850238
Opcode ID: f7b85fab9477efd9d82f10b25cd420d4a2c46f567e9869b209d93ad92d032d30
Instruction ID: b030a41f26c3d5f2e51690188d4bb45887e11e7cc62b1c698fc8f7347c957287
Opcode Fuzzy Hash: f7b85fab9477efd9d82f10b25cd420d4a2c46f567e9869b209d93ad92d032d30
Instruction Fuzzy Hash: 12E046715116104BC610AB32E845AEBB798AB05306F00446FE8D3B36A1DE38A948CA98

Function 00411771 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13synchronizationCOMMON

Download Yara Rule

APIs

TerminateProcess.KERNEL32(00000000,pth_unenc,0040E748), ref: 00411781
WaitForSingleObject.KERNEL32(000000FF), ref: 00411794

Strings

pth_unenc, xrefs: 00411771

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: ObjectProcessSingleTerminateWait
String ID: pth_unenc
API String ID: 1872346434-4028850238
Opcode ID: 5bb4d910bf534706ca5f2b5d32154bdbdc32722f36a2c9cc9993c004b7262cc3
Instruction ID: eef26e02e81300ba4c8cf7f61278c3f59c29627b67378ac59a4e73c1cb1fd9d7
Opcode Fuzzy Hash: 5bb4d910bf534706ca5f2b5d32154bdbdc32722f36a2c9cc9993c004b7262cc3
Instruction Fuzzy Hash: 24D01234145351AFD7610B60AD19F953F68E705323F108365F428512F1CFB58494AA1C

Function 0043FCA1 Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401AD8), ref: 0043FD37
GetLastError.KERNEL32 ref: 0043FD45
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0043FDA0

Memory Dump Source

Source File: 00000003.00000002.4116448076.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_preliminary drawing.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 75af1ae90eda16089b96163d1aae9c37308c8a05f6e9fb080295441cde96d00a
Instruction ID: a8021b2984f9c2011c4d4eba480f75da6e6c35d7fa760b83b06315d7a0ea6bca
Opcode Fuzzy Hash: 75af1ae90eda16089b96163d1aae9c37308c8a05f6e9fb080295441cde96d00a
Instruction Fuzzy Hash: E1410A30E00246AFCF218F65C84867B7BA5EF09310F14517EFC5A9B2A2DB398D05C759

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Containers, IaaS, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as `sc query` , `tasklist /svc` , `systemctl --type=service` , and `net start` .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report preliminary drawing.pif.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Remcos

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Stealing of Sensitive Information

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Privilege Escalation

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\preliminary drawing.pif.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\json[1].json

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gszmag2m.3sh.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_infewk4n.l50.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_r2qxnqcn.1jb.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wibeid03.n4p.ps1

Windows Analysis Report
preliminary drawing.pif.exe

Function 08BC75E8 Relevance: 6.9, Strings: 5, Instructions: 628
COMMON

Function 00FDD551 Relevance: 6.1, APIs: 4, Instructions: 132
threadCOMMON

Function 00FDD560 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Function 05042514 Relevance: 2.7, Strings: 2, Instructions: 162
COMMON

Function 050439AB Relevance: 2.7, Strings: 2, Instructions: 159
COMMON

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software to establish an interactive command and control channel to target systems within networks. These services, such as `VNC`, `Team Viewer`, `AnyDesk`, `ScreenConnect`, `LogMein`, `AmmyyAdmin`, and other remote monitoring and management (RMM) tools, are commonly used as legitimate technical support software and may be allowed by application control within a target environment.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre