Edit tour

Windows Analysis Report
2LDJIyMl2r.exe

Overview

General Information

Sample name:	2LDJIyMl2r.exe renamed because original name is a hash value
Original sample name:	C3C8E7B07E16739C1C0B79F5FF91479F.exe
Analysis ID:	1581464
MD5:	c3c8e7b07e16739c1c0b79f5ff91479f
SHA1:	5de5162c4f4c76a1fbcc281f26a02486f626f29a
SHA256:	918c574b7b2841d4dfafd36d23940f4b5f9636ccfb483589ff7df63967ddcf87
Tags:	exeRATRemcosRATuser-abuse_ch
Infos:

Detection

Remcos

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Contains functionality to bypass UAC (CMSTPLUA)

Detected unpacking (creates a PE file in dynamic memory)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Remcos RAT

Yara detected UAC Bypass using CMSTP

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Contains functionality to register a low level keyboard hook

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Contains functionalty to change the wallpaper

Delayed program exit found

Drops large PE files

Injects a PE file into a foreign processes

Installs a global keyboard hook

Abnormal high CPU Usage

Contains functionality for read data from the clipboard

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to download and launch executables

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to enumerate running services

Contains functionality to launch a control a shell (cmd.exe)

Contains functionality to modify clipboard data

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Launches processes in debugging mode, may be used to hinder debugging

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara detected Keylogger Generic

Yara signature match

Classification

Process Tree

System is w10x64

2LDJIyMl2r.exe (PID: 6648 cmdline: "C:\Users\user\Desktop\2LDJIyMl2r.exe" MD5: C3C8E7B07E16739C1C0B79F5FF91479F)

2LDJIyMl2r.exe (PID: 4948 cmdline: "C:\Users\user\Desktop\2LDJIyMl2r.exe" MD5: C3C8E7B07E16739C1C0B79F5FF91479F)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Remcos, RemcosRAT	Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.	APT33 The Gorgon Group UAC-0050	http://malware-traffic-analysis.net/2017/12/22/index.html https://0xmrmagnezi.github.io/malware%20analysis/RemcosRAT/ https://asec.ahnlab.com/en/32376/ https://asec.ahnlab.com/ko/25837/ https://asec.ahnlab.com/ko/32101/	https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Malware Configuration

Threatname: Remcos

{"Host:Port:Password": ["newstaticfreepoint24.ddns-ip.net:3020:0"], "Assigned name": "ROSAS", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Enable", "Hide file": "Disable", "Mutex": "kljjbdlcjbavhbiluiewliuwqerlib-DDZVN3", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "registros.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Capturas de pantalla", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "data", "Keylog file max size": ""}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6b6f8:$a1: Remcos restarted by watchdog! 0x6bc70:$a3: %02i:%02i:%02i:%03i
00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x65994:$str_a1: C:\Windows\System32\cmd.exe 0x65910:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65910:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x66410:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x65a04:$str_b2: Executing file: 0x6683c:$str_b3: GetDirectListeningPort 0x66200:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x66380:$str_b7: \update.vbs 0x65a2c:$str_b9: Downloaded file: 0x65a18:$str_b10: Downloading file: 0x65abc:$str_b12: Failed to upload file: 0x66804:$str_b13: StartForward 0x66824:$str_b14: StopForward 0x662d8:$str_b15: fso.DeleteFile " 0x6626c:$str_b16: On Error Resume Next 0x66308:$str_b17: fso.DeleteFolder " 0x65aac:$str_b18: Uploaded file: 0x65a6c:$str_b19: Unable to delete: 0x662a0:$str_b20: while fso.FileExists(" 0x65f49:$str_c0: [Firefox StoredLogins not found]
00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x65880:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x65810:$s1: CoGetObject 0x65824:$s1: CoGetObject 0x65840:$s1: CoGetObject 0x6f470:$s1: CoGetObject 0x657d0:$s2: Elevation:Administrator!new:
00000000.00000002.1870892737.0000000004580000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000000.00000002.1870892737.0000000004580000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000000.00000002.1870892737.0000000004580000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000000.00000002.1870892737.0000000004580000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaf8:$a1: Remcos restarted by watchdog! 0x6b070:$a3: %02i:%02i:%02i:%03i
00000000.00000002.1870892737.0000000004580000.00000004.00001000.00020000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x64d94:$str_a1: C:\Windows\System32\cmd.exe 0x64d10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64d10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65210:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x65810:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64e04:$str_b2: Executing file: 0x65c3c:$str_b3: GetDirectListeningPort 0x65600:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65780:$str_b7: \update.vbs 0x64e2c:$str_b9: Downloaded file: 0x64e18:$str_b10: Downloading file: 0x64ebc:$str_b12: Failed to upload file: 0x65c04:$str_b13: StartForward 0x65c24:$str_b14: StopForward 0x656d8:$str_b15: fso.DeleteFile " 0x6566c:$str_b16: On Error Resume Next 0x65708:$str_b17: fso.DeleteFolder " 0x64eac:$str_b18: Uploaded file: 0x64e6c:$str_b19: Unable to delete: 0x656a0:$str_b20: while fso.FileExists(" 0x65349:$str_c0: [Firefox StoredLogins not found]
00000000.00000002.1870892737.0000000004580000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x64c80:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64c10:$s1: CoGetObject 0x64c24:$s1: CoGetObject 0x64c40:$s1: CoGetObject 0x6e870:$s1: CoGetObject 0x64bd0:$s2: Elevation:Administrator!new:
00000000.00000002.1870945582.0000000004610000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000000.00000002.1870945582.0000000004610000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000000.00000002.1870945582.0000000004610000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000000.00000002.1870945582.0000000004610000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6b6f8:$a1: Remcos restarted by watchdog! 0x6bc70:$a3: %02i:%02i:%02i:%03i
00000000.00000002.1870945582.0000000004610000.00000040.00001000.00020000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x65994:$str_a1: C:\Windows\System32\cmd.exe 0x65910:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65910:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x66410:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x65a04:$str_b2: Executing file: 0x6683c:$str_b3: GetDirectListeningPort 0x66200:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x66380:$str_b7: \update.vbs 0x65a2c:$str_b9: Downloaded file: 0x65a18:$str_b10: Downloading file: 0x65abc:$str_b12: Failed to upload file: 0x66804:$str_b13: StartForward 0x66824:$str_b14: StopForward 0x662d8:$str_b15: fso.DeleteFile " 0x6626c:$str_b16: On Error Resume Next 0x66308:$str_b17: fso.DeleteFolder " 0x65aac:$str_b18: Uploaded file: 0x65a6c:$str_b19: Unable to delete: 0x662a0:$str_b20: while fso.FileExists(" 0x65f49:$str_c0: [Firefox StoredLogins not found]
00000000.00000002.1870945582.0000000004610000.00000040.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x65880:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x65810:$s1: CoGetObject 0x65824:$s1: CoGetObject 0x65840:$s1: CoGetObject 0x6f470:$s1: CoGetObject 0x657d0:$s2: Elevation:Administrator!new:
Process Memory Space: 2LDJIyMl2r.exe PID: 6648	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: 2LDJIyMl2r.exe PID: 6648	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: 2LDJIyMl2r.exe PID: 6648	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: 2LDJIyMl2r.exe PID: 6648	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x99314:$a1: Remcos restarted by watchdog! 0xbd69b:$a1: Remcos restarted by watchdog! 0x99871:$a3: %02i:%02i:%02i:%03i 0x99c29:$a3: %02i:%02i:%02i:%03i 0xbdbf5:$a3: %02i:%02i:%02i:%03i 0xbdfad:$a3: %02i:%02i:%02i:%03i
Process Memory Space: 2LDJIyMl2r.exe PID: 4948	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: 2LDJIyMl2r.exe PID: 4948	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: 2LDJIyMl2r.exe PID: 4948	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: 2LDJIyMl2r.exe PID: 4948	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x8726:$a1: Remcos restarted by watchdog! 0x8c80:$a3: %02i:%02i:%02i:%03i 0x9038:$a3: %02i:%02i:%02i:%03i
Click to see the 21 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.2LDJIyMl2r.exe.2940000.1.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
2.2.2LDJIyMl2r.exe.2940000.1.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
2.2.2LDJIyMl2r.exe.2940000.1.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
2.2.2LDJIyMl2r.exe.2940000.1.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6b6f8:$a1: Remcos restarted by watchdog! 0x6bc70:$a3: %02i:%02i:%02i:%03i
2.2.2LDJIyMl2r.exe.2940000.1.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x65994:$str_a1: C:\Windows\System32\cmd.exe 0x65910:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65910:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x66410:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x65a04:$str_b2: Executing file: 0x6683c:$str_b3: GetDirectListeningPort 0x66200:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x66380:$str_b7: \update.vbs 0x65a2c:$str_b9: Downloaded file: 0x65a18:$str_b10: Downloading file: 0x65abc:$str_b12: Failed to upload file: 0x66804:$str_b13: StartForward 0x66824:$str_b14: StopForward 0x662d8:$str_b15: fso.DeleteFile " 0x6626c:$str_b16: On Error Resume Next 0x66308:$str_b17: fso.DeleteFolder " 0x65aac:$str_b18: Uploaded file: 0x65a6c:$str_b19: Unable to delete: 0x662a0:$str_b20: while fso.FileExists(" 0x65f49:$str_c0: [Firefox StoredLogins not found]
2.2.2LDJIyMl2r.exe.2940000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x65880:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x65810:$s1: CoGetObject 0x65824:$s1: CoGetObject 0x65840:$s1: CoGetObject 0x6f470:$s1: CoGetObject 0x657d0:$s2: Elevation:Administrator!new:
0.2.2LDJIyMl2r.exe.4610000.2.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0.2.2LDJIyMl2r.exe.4610000.2.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0.2.2LDJIyMl2r.exe.4610000.2.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0.2.2LDJIyMl2r.exe.4610000.2.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6b6f8:$a1: Remcos restarted by watchdog! 0x6bc70:$a3: %02i:%02i:%02i:%03i
0.2.2LDJIyMl2r.exe.4610000.2.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x65994:$str_a1: C:\Windows\System32\cmd.exe 0x65910:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65910:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x66410:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x65a04:$str_b2: Executing file: 0x6683c:$str_b3: GetDirectListeningPort 0x66200:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x66380:$str_b7: \update.vbs 0x65a2c:$str_b9: Downloaded file: 0x65a18:$str_b10: Downloading file: 0x65abc:$str_b12: Failed to upload file: 0x66804:$str_b13: StartForward 0x66824:$str_b14: StopForward 0x662d8:$str_b15: fso.DeleteFile " 0x6626c:$str_b16: On Error Resume Next 0x66308:$str_b17: fso.DeleteFolder " 0x65aac:$str_b18: Uploaded file: 0x65a6c:$str_b19: Unable to delete: 0x662a0:$str_b20: while fso.FileExists(" 0x65f49:$str_c0: [Firefox StoredLogins not found]
0.2.2LDJIyMl2r.exe.4610000.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x65880:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x65810:$s1: CoGetObject 0x65824:$s1: CoGetObject 0x65840:$s1: CoGetObject 0x6f470:$s1: CoGetObject 0x657d0:$s2: Elevation:Administrator!new:
0.2.2LDJIyMl2r.exe.4580000.1.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0.2.2LDJIyMl2r.exe.4580000.1.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0.2.2LDJIyMl2r.exe.4580000.1.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0.2.2LDJIyMl2r.exe.4580000.1.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x69ef8:$a1: Remcos restarted by watchdog! 0x6a470:$a3: %02i:%02i:%02i:%03i
0.2.2LDJIyMl2r.exe.4580000.1.unpack	REMCOS_RAT_variants	unknown	unknown	0x64194:$str_a1: C:\Windows\System32\cmd.exe 0x64110:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64110:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64610:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x64c10:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64204:$str_b2: Executing file: 0x6503c:$str_b3: GetDirectListeningPort 0x64a00:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x64b80:$str_b7: \update.vbs 0x6422c:$str_b9: Downloaded file: 0x64218:$str_b10: Downloading file: 0x642bc:$str_b12: Failed to upload file: 0x65004:$str_b13: StartForward 0x65024:$str_b14: StopForward 0x64ad8:$str_b15: fso.DeleteFile " 0x64a6c:$str_b16: On Error Resume Next 0x64b08:$str_b17: fso.DeleteFolder " 0x642ac:$str_b18: Uploaded file: 0x6426c:$str_b19: Unable to delete: 0x64aa0:$str_b20: while fso.FileExists(" 0x64749:$str_c0: [Firefox StoredLogins not found]
0.2.2LDJIyMl2r.exe.4580000.1.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x64080:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64010:$s1: CoGetObject 0x64024:$s1: CoGetObject 0x64040:$s1: CoGetObject 0x6dc70:$s1: CoGetObject 0x63fd0:$s2: Elevation:Administrator!new:
0.2.2LDJIyMl2r.exe.4610000.2.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0.2.2LDJIyMl2r.exe.4610000.2.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0.2.2LDJIyMl2r.exe.4610000.2.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0.2.2LDJIyMl2r.exe.4610000.2.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaf8:$a1: Remcos restarted by watchdog! 0x6b070:$a3: %02i:%02i:%02i:%03i
0.2.2LDJIyMl2r.exe.4610000.2.unpack	REMCOS_RAT_variants	unknown	unknown	0x64d94:$str_a1: C:\Windows\System32\cmd.exe 0x64d10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64d10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65210:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x65810:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64e04:$str_b2: Executing file: 0x65c3c:$str_b3: GetDirectListeningPort 0x65600:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65780:$str_b7: \update.vbs 0x64e2c:$str_b9: Downloaded file: 0x64e18:$str_b10: Downloading file: 0x64ebc:$str_b12: Failed to upload file: 0x65c04:$str_b13: StartForward 0x65c24:$str_b14: StopForward 0x656d8:$str_b15: fso.DeleteFile " 0x6566c:$str_b16: On Error Resume Next 0x65708:$str_b17: fso.DeleteFolder " 0x64eac:$str_b18: Uploaded file: 0x64e6c:$str_b19: Unable to delete: 0x656a0:$str_b20: while fso.FileExists(" 0x65349:$str_c0: [Firefox StoredLogins not found]
0.2.2LDJIyMl2r.exe.4610000.2.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x64c80:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64c10:$s1: CoGetObject 0x64c24:$s1: CoGetObject 0x64c40:$s1: CoGetObject 0x6e870:$s1: CoGetObject 0x64bd0:$s2: Elevation:Administrator!new:
2.2.2LDJIyMl2r.exe.2940000.1.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
2.2.2LDJIyMl2r.exe.2940000.1.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
2.2.2LDJIyMl2r.exe.2940000.1.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
2.2.2LDJIyMl2r.exe.2940000.1.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaf8:$a1: Remcos restarted by watchdog! 0x6b070:$a3: %02i:%02i:%02i:%03i
2.2.2LDJIyMl2r.exe.2940000.1.unpack	REMCOS_RAT_variants	unknown	unknown	0x64d94:$str_a1: C:\Windows\System32\cmd.exe 0x64d10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64d10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65210:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x65810:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64e04:$str_b2: Executing file: 0x65c3c:$str_b3: GetDirectListeningPort 0x65600:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65780:$str_b7: \update.vbs 0x64e2c:$str_b9: Downloaded file: 0x64e18:$str_b10: Downloading file: 0x64ebc:$str_b12: Failed to upload file: 0x65c04:$str_b13: StartForward 0x65c24:$str_b14: StopForward 0x656d8:$str_b15: fso.DeleteFile " 0x6566c:$str_b16: On Error Resume Next 0x65708:$str_b17: fso.DeleteFolder " 0x64eac:$str_b18: Uploaded file: 0x64e6c:$str_b19: Unable to delete: 0x656a0:$str_b20: while fso.FileExists(" 0x65349:$str_c0: [Firefox StoredLogins not found]
2.2.2LDJIyMl2r.exe.2940000.1.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x64c80:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64c10:$s1: CoGetObject 0x64c24:$s1: CoGetObject 0x64c40:$s1: CoGetObject 0x6e870:$s1: CoGetObject 0x64bd0:$s2: Elevation:Administrator!new:
0.2.2LDJIyMl2r.exe.4580000.1.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0.2.2LDJIyMl2r.exe.4580000.1.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0.2.2LDJIyMl2r.exe.4580000.1.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0.2.2LDJIyMl2r.exe.4580000.1.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaf8:$a1: Remcos restarted by watchdog! 0x6b070:$a3: %02i:%02i:%02i:%03i
0.2.2LDJIyMl2r.exe.4580000.1.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x64d94:$str_a1: C:\Windows\System32\cmd.exe 0x64d10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64d10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65210:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x65810:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64e04:$str_b2: Executing file: 0x65c3c:$str_b3: GetDirectListeningPort 0x65600:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65780:$str_b7: \update.vbs 0x64e2c:$str_b9: Downloaded file: 0x64e18:$str_b10: Downloading file: 0x64ebc:$str_b12: Failed to upload file: 0x65c04:$str_b13: StartForward 0x65c24:$str_b14: StopForward 0x656d8:$str_b15: fso.DeleteFile " 0x6566c:$str_b16: On Error Resume Next 0x65708:$str_b17: fso.DeleteFolder " 0x64eac:$str_b18: Uploaded file: 0x64e6c:$str_b19: Unable to delete: 0x656a0:$str_b20: while fso.FileExists(" 0x65349:$str_c0: [Firefox StoredLogins not found]
0.2.2LDJIyMl2r.exe.4580000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x64c80:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64c10:$s1: CoGetObject 0x64c24:$s1: CoGetObject 0x64c40:$s1: CoGetObject 0x6e870:$s1: CoGetObject 0x64bd0:$s2: Elevation:Administrator!new:
Click to see the 31 entries

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\Favorites\my-web-app\backend\userModel.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\2LDJIyMl2r.exe, ProcessId: 6648, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\userModel

Suricata Signatures

ET MALWARE Remcos 3.x Unencrypted Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T20:12:13.277679+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49732	181.71.216.203	3020	TCP

ET MALWARE Remcos 3.x Unencrypted Server Response

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T20:12:14.542367+0100	2032777	1	Malware Command and Control Activity Detected	181.71.216.203	3020	192.168.2.4	49732	TCP
2024-12-27T20:14:17.250395+0100	2032777	1	Malware Command and Control Activity Detected	181.71.216.203	3020	192.168.2.4	49732	TCP

ETPRO MALWARE Common Downloader Header Pattern HCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T20:12:16.531481+0100	2803304	3	Unknown Traffic	192.168.2.4	49734	178.237.33.50	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: newstaticfreepoint24.ddns-ip.net

Avira URL Cloud: Label: malware

Found malware configuration

Source: 2.2.2LDJIyMl2r.exe.2940000.1.unpack

Malware Configuration Extractor: Remcos {"Host:Port:Password": ["newstaticfreepoint24.ddns-ip.net:3020:0"], "Assigned name": "ROSAS", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Enable", "Hide file": "Disable", "Mutex": "kljjbdlcjbavhbiluiewliuwqerlib-DDZVN3", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "registros.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Capturas de pantalla", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "data", "Keylog file max size": ""}

Multi AV Scanner detection for submitted file

Source: 2LDJIyMl2r.exe

ReversingLabs: Detection: 63%

Yara detected Remcos RAT

Source: Yara match	File source: 2.2.2LDJIyMl2r.exe.2940000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2LDJIyMl2r.exe.4610000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2LDJIyMl2r.exe.4580000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2LDJIyMl2r.exe.4610000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.2LDJIyMl2r.exe.2940000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2LDJIyMl2r.exe.4580000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1870892737.0000000004580000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1870945582.0000000004610000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 2LDJIyMl2r.exe PID: 6648, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 2LDJIyMl2r.exe PID: 4948, type: MEMORYSTR

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.8% probability

Source: C:\Users\user\Desktop\2LDJIyMl2r.exe

Code function: 2_2_0297293A CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,

2_2_0297293A

Source: 2LDJIyMl2r.exe, 00000000.00000002.1870892737.0000000004580000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_952f180d-3

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 2.2.2LDJIyMl2r.exe.2940000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2LDJIyMl2r.exe.4610000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2LDJIyMl2r.exe.4580000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2LDJIyMl2r.exe.4610000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.2LDJIyMl2r.exe.2940000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2LDJIyMl2r.exe.4580000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1870892737.0000000004580000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1870945582.0000000004610000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 2LDJIyMl2r.exe PID: 6648, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 2LDJIyMl2r.exe PID: 4948, type: MEMORYSTR

Privilege Escalation

Contains functionality to bypass UAC (CMSTPLUA)

Source: C:\Users\user\Desktop\2LDJIyMl2r.exe

Code function: 2_2_02946764 _wcslen,CoGetObject,

2_2_02946764

Compliance

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\Users\user\Desktop\2LDJIyMl2r.exe

Unpacked PE file: 0.2.2LDJIyMl2r.exe.4610000.2.unpack

Source: 2LDJIyMl2r.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 2LDJIyMl2r.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: c:\jenkins\workspace\Client\Client\Windows_VDI\release\Bin\Release\ZoomDocConverter.pdb@@ source: 2LDJIyMl2r.exe, userModel.exe.0.dr
Source:	Binary string: c:\jenkins\workspace\Client\Client\Windows_VDI\release\Bin\Release\ZoomDocConverter.pdb source: 2LDJIyMl2r.exe, userModel.exe.0.dr

Source: C:\Users\user\Desktop\2LDJIyMl2r.exe	Code function: 2_2_0294B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	2_2_0294B335
Source: C:\Users\user\Desktop\2LDJIyMl2r.exe	Code function: 2_2_0295B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,	2_2_0295B42F
Source: C:\Users\user\Desktop\2LDJIyMl2r.exe	Code function: 2_2_0294B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	2_2_0294B53A
Source: C:\Users\user\Desktop\2LDJIyMl2r.exe	Code function: 2_2_02947A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,	2_2_02947A8C
Source: C:\Users\user\Desktop\2LDJIyMl2r.exe	Code function: 2_2_02946AC2 FindFirstFileW,FindNextFileW,	2_2_02946AC2
Source: C:\Users\user\Desktop\2LDJIyMl2r.exe	Code function: 2_2_029489A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,	2_2_029489A9
Source: C:\Users\user\Desktop\2LDJIyMl2r.exe	Code function: 2_2_02958C69 FindFirstFileW,FindNextFileW,FindNextFileW,	2_2_02958C69
Source: C:\Users\user\Desktop\2LDJIyMl2r.exe	Code function: 2_2_02948DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,	2_2_02948DA7

Source: C:\Users\user\Desktop\2LDJIyMl2r.exe

Code function: 2_2_02946F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

2_2_02946F06

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49732 -> 181.71.216.203:3020
Source: Network traffic	Suricata IDS: 2032777 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Server Response : 181.71.216.203:3020 -> 192.168.2.4:49732

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: newstaticfreepoint24.ddns-ip.net

Source: global traffic

TCP traffic: 192.168.2.4:49732 -> 181.71.216.203:3020

Source: global traffic

HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: Joe Sandbox View

IP Address: 178.237.33.50 178.237.33.50

Source: Network traffic

Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49734 -> 178.237.33.50:80

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\2LDJIyMl2r.exe

Code function: 2_2_0295A51B InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

2_2_0295A51B

Source: global traffic

HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: global traffic	DNS traffic detected: DNS query: newstaticfreepoint24.ddns-ip.net
Source: global traffic	DNS traffic detected: DNS query: geoplugin.net

Source: 2LDJIyMl2r.exe, 00000002.00000003.1864437018.0000000002D64000.00000004.00000020.00020000.00000000.sdmp, 2LDJIyMl2r.exe, 00000002.00000003.1864437018.0000000002D87000.00000004.00000020.00020000.00000000.sdmp, 2LDJIyMl2r.exe, 00000002.00000003.1864614461.0000000002D8F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/
Source: 2LDJIyMl2r.exe, 00000002.00000003.1864437018.0000000002D64000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/ecurity=Impersonation
Source: 2LDJIyMl2r.exe, 2LDJIyMl2r.exe, 00000002.00000002.4104268099.0000000002D87000.00000004.00000020.00020000.00000000.sdmp, 2LDJIyMl2r.exe, 00000002.00000003.1864437018.0000000002D64000.00000004.00000020.00020000.00000000.sdmp, 2LDJIyMl2r.exe, 00000002.00000003.1864437018.0000000002D87000.00000004.00000020.00020000.00000000.sdmp, 2LDJIyMl2r.exe, 00000002.00000002.4104268099.0000000002D27000.00000004.00000020.00020000.00000000.sdmp, 2LDJIyMl2r.exe, 00000002.00000002.4104268099.0000000002D64000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp
Source: 2LDJIyMl2r.exe, 00000002.00000002.4104268099.0000000002D27000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp%
Source: 2LDJIyMl2r.exe, 00000000.00000002.1870892737.0000000004580000.00000004.00001000.00020000.00000000.sdmp, 2LDJIyMl2r.exe, 00000000.00000002.1870945582.0000000004610000.00000040.00001000.00020000.00000000.sdmp, 2LDJIyMl2r.exe, 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp/C
Source: 2LDJIyMl2r.exe, 00000002.00000003.1864437018.0000000002D87000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp=
Source: 2LDJIyMl2r.exe, 00000002.00000003.1864437018.0000000002D64000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpDMl0
Source: 2LDJIyMl2r.exe, 00000002.00000002.4104268099.0000000002D27000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpSystem32
Source: 2LDJIyMl2r.exe, 00000002.00000003.1864437018.0000000002D87000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpd
Source: 2LDJIyMl2r.exe, userModel.exe.0.dr	String found in binary or memory: https://zoom.us/privacy/Zoom

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to register a low level keyboard hook

Source: C:\Users\user\Desktop\2LDJIyMl2r.exe

Code function: 2_2_029499E4 SetWindowsHookExA 0000000D,029499D0,00000000

2_2_029499E4

Installs a global keyboard hook

Source: C:\Users\user\Desktop\2LDJIyMl2r.exe

Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\2LDJIyMl2r.exe

Jump to behavior

Source: C:\Users\user\Desktop\2LDJIyMl2r.exe

Code function: 2_2_02955A45 OpenClipboard,EmptyClipboard,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

2_2_02955A45

Source: C:\Users\user\Desktop\2LDJIyMl2r.exe

Code function: 2_2_029559C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

2_2_029559C6

Source: C:\Users\user\Desktop\2LDJIyMl2r.exe

Code function: 2_2_02955A45 OpenClipboard,EmptyClipboard,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

2_2_02955A45

Source: C:\Users\user\Desktop\2LDJIyMl2r.exe

Code function: 2_2_02949B10 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,

2_2_02949B10

Source: Yara match	File source: 2.2.2LDJIyMl2r.exe.2940000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2LDJIyMl2r.exe.4610000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2LDJIyMl2r.exe.4580000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2LDJIyMl2r.exe.4610000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.2LDJIyMl2r.exe.2940000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2LDJIyMl2r.exe.4580000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1870892737.0000000004580000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1870945582.0000000004610000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 2LDJIyMl2r.exe PID: 6648, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 2LDJIyMl2r.exe PID: 4948, type: MEMORYSTR

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match	File source: 2.2.2LDJIyMl2r.exe.2940000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2LDJIyMl2r.exe.4610000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2LDJIyMl2r.exe.4580000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2LDJIyMl2r.exe.4610000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.2LDJIyMl2r.exe.2940000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2LDJIyMl2r.exe.4580000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1870892737.0000000004580000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1870945582.0000000004610000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 2LDJIyMl2r.exe PID: 6648, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 2LDJIyMl2r.exe PID: 4948, type: MEMORYSTR

Spam, unwanted Advertisements and Ransom Demands

Contains functionalty to change the wallpaper

Source: C:\Users\user\Desktop\2LDJIyMl2r.exe

Code function: 2_2_0295BB77 SystemParametersInfoW,

2_2_0295BB77

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.2LDJIyMl2r.exe.2940000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 2.2.2LDJIyMl2r.exe.2940000.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 2.2.2LDJIyMl2r.exe.2940000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.2LDJIyMl2r.exe.4610000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.2LDJIyMl2r.exe.4610000.2.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.2LDJIyMl2r.exe.4610000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.2LDJIyMl2r.exe.4580000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.2LDJIyMl2r.exe.4580000.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.2LDJIyMl2r.exe.4580000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.2LDJIyMl2r.exe.4610000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.2LDJIyMl2r.exe.4610000.2.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.2LDJIyMl2r.exe.4610000.2.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 2.2.2LDJIyMl2r.exe.2940000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 2.2.2LDJIyMl2r.exe.2940000.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 2.2.2LDJIyMl2r.exe.2940000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.2LDJIyMl2r.exe.4580000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.2LDJIyMl2r.exe.4580000.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.2LDJIyMl2r.exe.4580000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000000.00000002.1870892737.0000000004580000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000000.00000002.1870892737.0000000004580000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000000.00000002.1870892737.0000000004580000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000000.00000002.1870945582.0000000004610000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000000.00000002.1870945582.0000000004610000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000000.00000002.1870945582.0000000004610000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: Process Memory Space: 2LDJIyMl2r.exe PID: 6648, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: 2LDJIyMl2r.exe PID: 4948, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown

Drops large PE files

Source: C:\Users\user\Desktop\2LDJIyMl2r.exe

File dump: userModel.exe.0.dr 959567331

Jump to dropped file

Source: C:\Users\user\Desktop\2LDJIyMl2r.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\2LDJIyMl2r.exe

Code function: 2_2_029558B9 ExitWindowsEx,LoadLibraryA,GetProcAddress,

2_2_029558B9

Source: C:\Users\user\Desktop\2LDJIyMl2r.exe	Code function: 2_2_02966254	2_2_02966254
Source: C:\Users\user\Desktop\2LDJIyMl2r.exe	Code function: 2_2_02971377	2_2_02971377
Source: C:\Users\user\Desktop\2LDJIyMl2r.exe	Code function: 2_2_0297D098	2_2_0297D098
Source: C:\Users\user\Desktop\2LDJIyMl2r.exe	Code function: 2_2_029920D2	2_2_029920D2
Source: C:\Users\user\Desktop\2LDJIyMl2r.exe	Code function: 2_2_0295D071	2_2_0295D071
Source: C:\Users\user\Desktop\2LDJIyMl2r.exe	Code function: 2_2_029761AA	2_2_029761AA
Source: C:\Users\user\Desktop\2LDJIyMl2r.exe	Code function: 2_2_02977150	2_2_02977150
Source: C:\Users\user\Desktop\2LDJIyMl2r.exe	Code function: 2_2_029767C6	2_2_029767C6
Source: C:\Users\user\Desktop\2LDJIyMl2r.exe	Code function: 2_2_029667CB	2_2_029667CB
Source: C:\Users\user\Desktop\2LDJIyMl2r.exe	Code function: 2_2_0298C739	2_2_0298C739
Source: C:\Users\user\Desktop\2LDJIyMl2r.exe	Code function: 2_2_0295E5DF	2_2_0295E5DF
Source: C:\Users\user\Desktop\2LDJIyMl2r.exe	Code function: 2_2_0297651C	2_2_0297651C
Source: C:\Users\user\Desktop\2LDJIyMl2r.exe	Code function: 2_2_02976A8D	2_2_02976A8D
Source: C:\Users\user\Desktop\2LDJIyMl2r.exe	Code function: 2_2_02972A49	2_2_02972A49
Source: C:\Users\user\Desktop\2LDJIyMl2r.exe	Code function: 2_2_0297C9DD	2_2_0297C9DD
Source: C:\Users\user\Desktop\2LDJIyMl2r.exe	Code function: 2_2_0297CE3B	2_2_0297CE3B
Source: C:\Users\user\Desktop\2LDJIyMl2r.exe	Code function: 2_2_02980E20	2_2_02980E20
Source: C:\Users\user\Desktop\2LDJIyMl2r.exe	Code function: 2_2_02966E73	2_2_02966E73
Source: C:\Users\user\Desktop\2LDJIyMl2r.exe	Code function: 2_2_02966FAD	2_2_02966FAD
Source: C:\Users\user\Desktop\2LDJIyMl2r.exe	Code function: 2_2_02992F00	2_2_02992F00
Source: C:\Users\user\Desktop\2LDJIyMl2r.exe	Code function: 2_2_02952F45	2_2_02952F45
Source: C:\Users\user\Desktop\2LDJIyMl2r.exe	Code function: 2_2_0297CC0C	2_2_0297CC0C
Source: C:\Users\user\Desktop\2LDJIyMl2r.exe	Code function: 2_2_02974D22	2_2_02974D22
Source: C:\Users\user\Desktop\2LDJIyMl2r.exe	Code function: 2_2_02976D48	2_2_02976D48

Source: C:\Users\user\Desktop\2LDJIyMl2r.exe	Code function: String function: 029420E7 appears 40 times
Source: C:\Users\user\Desktop\2LDJIyMl2r.exe	Code function: String function: 029738A5 appears 41 times
Source: C:\Users\user\Desktop\2LDJIyMl2r.exe	Code function: String function: 02941F66 appears 49 times
Source: C:\Users\user\Desktop\2LDJIyMl2r.exe	Code function: String function: 02973FB0 appears 55 times

Source: 2LDJIyMl2r.exe, 00000000.00000002.1870381431.0000000000858000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameZoom* vs 2LDJIyMl2r.exe
Source: 2LDJIyMl2r.exe, 00000002.00000002.4103438442.0000000000858000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameZoom* vs 2LDJIyMl2r.exe
Source: 2LDJIyMl2r.exe	Binary or memory string: OriginalFilenameZoom* vs 2LDJIyMl2r.exe

Source: 2LDJIyMl2r.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 2.2.2LDJIyMl2r.exe.2940000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 2.2.2LDJIyMl2r.exe.2940000.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 2.2.2LDJIyMl2r.exe.2940000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.2LDJIyMl2r.exe.4610000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.2LDJIyMl2r.exe.4610000.2.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.2LDJIyMl2r.exe.4610000.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.2LDJIyMl2r.exe.4580000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.2LDJIyMl2r.exe.4580000.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.2LDJIyMl2r.exe.4580000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.2LDJIyMl2r.exe.4610000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.2LDJIyMl2r.exe.4610000.2.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.2LDJIyMl2r.exe.4610000.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 2.2.2LDJIyMl2r.exe.2940000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 2.2.2LDJIyMl2r.exe.2940000.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 2.2.2LDJIyMl2r.exe.2940000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.2LDJIyMl2r.exe.4580000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.2LDJIyMl2r.exe.4580000.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.2LDJIyMl2r.exe.4580000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000000.00000002.1870892737.0000000004580000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000000.00000002.1870892737.0000000004580000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000000.00000002.1870892737.0000000004580000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000000.00000002.1870945582.0000000004610000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000000.00000002.1870945582.0000000004610000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000000.00000002.1870945582.0000000004610000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: Process Memory Space: 2LDJIyMl2r.exe PID: 6648, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: 2LDJIyMl2r.exe PID: 4948, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@3/3@2/2

Source: C:\Users\user\Desktop\2LDJIyMl2r.exe

Code function: 2_2_02956AB7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,

2_2_02956AB7

Source: C:\Users\user\Desktop\2LDJIyMl2r.exe

Code function: 2_2_0294E219 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle,

2_2_0294E219

Source: C:\Users\user\Desktop\2LDJIyMl2r.exe

Code function: 2_2_0295A63F FindResourceA,LoadResource,LockResource,SizeofResource,

2_2_0295A63F

Source: C:\Users\user\Desktop\2LDJIyMl2r.exe

Code function: 2_2_02959BC4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

2_2_02959BC4

Source: C:\Users\user\Desktop\2LDJIyMl2r.exe

File created: C:\Users\user\Favorites\my-web-app

Jump to behavior

Source: C:\Users\user\Desktop\2LDJIyMl2r.exe

Mutant created: \Sessions\1\BaseNamedObjects\kljjbdlcjbavhbiluiewliuwqerlib-DDZVN3

Source: 2LDJIyMl2r.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\2LDJIyMl2r.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 2LDJIyMl2r.exe

ReversingLabs: Detection: 63%

Source: C:\Users\user\Desktop\2LDJIyMl2r.exe

File read: C:\Users\user\Desktop\2LDJIyMl2r.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\2LDJIyMl2r.exe "C:\Users\user\Desktop\2LDJIyMl2r.exe"
Source: C:\Users\user\Desktop\2LDJIyMl2r.exe	Process created: C:\Users\user\Desktop\2LDJIyMl2r.exe "C:\Users\user\Desktop\2LDJIyMl2r.exe"
Source: C:\Users\user\Desktop\2LDJIyMl2r.exe	Process created: C:\Users\user\Desktop\2LDJIyMl2r.exe "C:\Users\user\Desktop\2LDJIyMl2r.exe"	Jump to behavior

Source: C:\Users\user\Desktop\2LDJIyMl2r.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2LDJIyMl2r.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\2LDJIyMl2r.exe	Section loaded: crowdstrikeceoisextragay.dll	Jump to behavior
Source: C:\Users\user\Desktop\2LDJIyMl2r.exe	Section loaded: sentinelisabadedrtrynexttimemaybe.dll	Jump to behavior
Source: C:\Users\user\Desktop\2LDJIyMl2r.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\2LDJIyMl2r.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2LDJIyMl2r.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\2LDJIyMl2r.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\2LDJIyMl2r.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\2LDJIyMl2r.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\2LDJIyMl2r.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\2LDJIyMl2r.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\2LDJIyMl2r.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2LDJIyMl2r.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\2LDJIyMl2r.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\2LDJIyMl2r.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2LDJIyMl2r.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2LDJIyMl2r.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\2LDJIyMl2r.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\2LDJIyMl2r.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2LDJIyMl2r.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2LDJIyMl2r.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\2LDJIyMl2r.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\2LDJIyMl2r.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2LDJIyMl2r.exe	Section loaded: winnsi.dll	Jump to behavior

Source: C:\Users\user\Desktop\2LDJIyMl2r.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: 2LDJIyMl2r.exe

Static file information: File size 5488128 > 1048576

Source: 2LDJIyMl2r.exe

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x510e00

Source: 2LDJIyMl2r.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 2LDJIyMl2r.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 2LDJIyMl2r.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 2LDJIyMl2r.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 2LDJIyMl2r.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 2LDJIyMl2r.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 2LDJIyMl2r.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: 2LDJIyMl2r.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: c:\jenkins\workspace\Client\Client\Windows_VDI\release\Bin\Release\ZoomDocConverter.pdb@@ source: 2LDJIyMl2r.exe, userModel.exe.0.dr
Source:	Binary string: c:\jenkins\workspace\Client\Client\Windows_VDI\release\Bin\Release\ZoomDocConverter.pdb source: 2LDJIyMl2r.exe, userModel.exe.0.dr

Data Obfuscation

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\Users\user\Desktop\2LDJIyMl2r.exe

Unpacked PE file: 0.2.2LDJIyMl2r.exe.4610000.2.unpack

Source: C:\Users\user\Desktop\2LDJIyMl2r.exe

Code function: 2_2_0295BCE3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,

2_2_0295BCE3

Source: 2LDJIyMl2r.exe

Static PE information: real checksum: 0x6698e should be: 0x53be76

Source: C:\Users\user\Desktop\2LDJIyMl2r.exe	Code function: 2_2_029967E0 push eax; ret	2_2_029967FE
Source: C:\Users\user\Desktop\2LDJIyMl2r.exe	Code function: 2_2_02995EAF push ecx; ret	2_2_02995EC2
Source: C:\Users\user\Desktop\2LDJIyMl2r.exe	Code function: 2_2_02973FF6 push ecx; ret	2_2_02974009

Source: C:\Users\user\Desktop\2LDJIyMl2r.exe

Code function: 2_2_02946128 ShellExecuteW,URLDownloadToFileW,

2_2_02946128

Source: C:\Users\user\Desktop\2LDJIyMl2r.exe

File created: C:\Users\user\Favorites\my-web-app\backend\userModel.exe

Jump to dropped file

Source: C:\Users\user\Desktop\2LDJIyMl2r.exe

Code function: 2_2_02959BC4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

2_2_02959BC4

Source: C:\Users\user\Desktop\2LDJIyMl2r.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run userModel			Jump to behavior
Source: C:\Users\user\Desktop\2LDJIyMl2r.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run userModel			Jump to behavior

Source: C:\Users\user\Desktop\2LDJIyMl2r.exe

2_2_0295BCE3

Source: C:\Users\user\Desktop\2LDJIyMl2r.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Delayed program exit found

Source: C:\Users\user\Desktop\2LDJIyMl2r.exe

Code function: 2_2_0294E54F Sleep,ExitProcess,

2_2_0294E54F

Source: C:\Users\user\Desktop\2LDJIyMl2r.exe

Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,

2_2_029598C2

Source: C:\Users\user\Desktop\2LDJIyMl2r.exe	Window / User API: threadDelayed 9370			Jump to behavior
Source: C:\Users\user\Desktop\2LDJIyMl2r.exe	Window / User API: foregroundWindowGot 1753			Jump to behavior

Source: C:\Users\user\Desktop\2LDJIyMl2r.exe

Dropped PE file which has not been started: C:\Users\user\Favorites\my-web-app\backend\userModel.exe

Jump to dropped file

Source: C:\Users\user\Desktop\2LDJIyMl2r.exe TID: 3332	Thread sleep count: 233 > 30	Jump to behavior
Source: C:\Users\user\Desktop\2LDJIyMl2r.exe TID: 3332	Thread sleep time: -116500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2LDJIyMl2r.exe TID: 3120	Thread sleep count: 149 > 30	Jump to behavior
Source: C:\Users\user\Desktop\2LDJIyMl2r.exe TID: 3120	Thread sleep time: -447000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2LDJIyMl2r.exe TID: 3120	Thread sleep count: 9370 > 30	Jump to behavior
Source: C:\Users\user\Desktop\2LDJIyMl2r.exe TID: 3120	Thread sleep time: -28110000s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\2LDJIyMl2r.exe	Code function: 2_2_0294B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	2_2_0294B335
Source: C:\Users\user\Desktop\2LDJIyMl2r.exe	Code function: 2_2_0295B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,	2_2_0295B42F
Source: C:\Users\user\Desktop\2LDJIyMl2r.exe	Code function: 2_2_0294B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	2_2_0294B53A
Source: C:\Users\user\Desktop\2LDJIyMl2r.exe	Code function: 2_2_02947A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,	2_2_02947A8C
Source: C:\Users\user\Desktop\2LDJIyMl2r.exe	Code function: 2_2_02946AC2 FindFirstFileW,FindNextFileW,	2_2_02946AC2
Source: C:\Users\user\Desktop\2LDJIyMl2r.exe	Code function: 2_2_029489A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,	2_2_029489A9
Source: C:\Users\user\Desktop\2LDJIyMl2r.exe	Code function: 2_2_02958C69 FindFirstFileW,FindNextFileW,FindNextFileW,	2_2_02958C69
Source: C:\Users\user\Desktop\2LDJIyMl2r.exe	Code function: 2_2_02948DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,	2_2_02948DA7

Source: C:\Users\user\Desktop\2LDJIyMl2r.exe

Code function: 2_2_02946F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

2_2_02946F06

Source: 2LDJIyMl2r.exe, userModel.exe.0.dr	Binary or memory string: HgfSWD
Source: 2LDJIyMl2r.exe, userModel.exe.0.dr	Binary or memory string: hgfSW
Source: 2LDJIyMl2r.exe, userModel.exe.0.dr	Binary or memory string: hgfS?g
Source: 2LDJIyMl2r.exe, userModel.exe.0.dr	Binary or memory string: mHgfSf
Source: 2LDJIyMl2r.exe, 00000002.00000002.4104268099.0000000002D9C000.00000004.00000020.00020000.00000000.sdmp, 2LDJIyMl2r.exe, 00000002.00000002.4104268099.0000000002D27000.00000004.00000020.00020000.00000000.sdmp, 2LDJIyMl2r.exe, 00000002.00000003.1864614461.0000000002D9C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: 2LDJIyMl2r.exe, userModel.exe.0.dr	Binary or memory string: HgfSa
Source: 2LDJIyMl2r.exe, userModel.exe.0.dr	Binary or memory string: hgfS?
Source: 2LDJIyMl2r.exe, userModel.exe.0.dr	Binary or memory string: HgfSA}

Source: C:\Users\user\Desktop\2LDJIyMl2r.exe

API call chain: ExitProcess graph end node

graph_2-47544

Source: C:\Users\user\Desktop\2LDJIyMl2r.exe

Code function: 2_2_0297A65D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

2_2_0297A65D

Source: C:\Users\user\Desktop\2LDJIyMl2r.exe

2_2_0295BCE3

Source: C:\Users\user\Desktop\2LDJIyMl2r.exe

Code function: 2_2_02982554 mov eax, dword ptr fs:[00000030h]

2_2_02982554

Source: C:\Users\user\Desktop\2LDJIyMl2r.exe

Code function: 2_2_02950B19 GetNativeSystemInfo,GetProcessHeap,HeapAlloc,SetLastError,SetLastError,

2_2_02950B19

Source: C:\Users\user\Desktop\2LDJIyMl2r.exe

Process created: C:\Users\user\Desktop\2LDJIyMl2r.exe "C:\Users\user\Desktop\2LDJIyMl2r.exe"

Jump to behavior

Source: C:\Users\user\Desktop\2LDJIyMl2r.exe	Code function: 2_2_02974168 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_02974168
Source: C:\Users\user\Desktop\2LDJIyMl2r.exe	Code function: 2_2_0297A65D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_0297A65D
Source: C:\Users\user\Desktop\2LDJIyMl2r.exe	Code function: 2_2_02973B44 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_02973B44
Source: C:\Users\user\Desktop\2LDJIyMl2r.exe	Code function: 2_2_02973CD7 SetUnhandledExceptionFilter,	2_2_02973CD7

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\2LDJIyMl2r.exe

Memory written: C:\Users\user\Desktop\2LDJIyMl2r.exe base: 2940000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\2LDJIyMl2r.exe

Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe

2_2_02950F36

Source: C:\Users\user\Desktop\2LDJIyMl2r.exe

Code function: 2_2_02958754 mouse_event,

2_2_02958754

Source: 2LDJIyMl2r.exe, 00000002.00000002.4104268099.0000000002D27000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: /12/27 14:12:21 Program Manager]
Source: 2LDJIyMl2r.exe, 00000002.00000002.4104268099.0000000002D91000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerF
Source: 2LDJIyMl2r.exe, 00000002.00000002.4104268099.0000000002D27000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager6be679O
Source: 2LDJIyMl2r.exe, 00000002.00000002.4104268099.0000000002D87000.00000004.00000020.00020000.00000000.sdmp, 2LDJIyMl2r.exe, 00000002.00000003.1864437018.0000000002D87000.00000004.00000020.00020000.00000000.sdmp, 2LDJIyMl2r.exe, 00000002.00000003.1864614461.0000000002D8F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: 2LDJIyMl2r.exe, 00000002.00000002.4104268099.0000000002D91000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerr\|
Source: 2LDJIyMl2r.exe, 00000002.00000002.4104268099.0000000002D91000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerT
Source: 2LDJIyMl2r.exe, 00000002.00000002.4104268099.0000000002D64000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [%04i/%02i/%02i %02i:%02i:%02i Program Manager]
Source: registros.dat.2.dr	Binary or memory string: [2024/12/27 14:12:12 Program Manager]
Source: 2LDJIyMl2r.exe, 00000002.00000002.4104268099.0000000002D87000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager=
Source: 2LDJIyMl2r.exe, 00000002.00000002.4104268099.0000000002D27000.00000004.00000020.00020000.00000000.sdmp, 2LDJIyMl2r.exe, 00000002.00000002.4104268099.0000000002D64000.00000004.00000020.00020000.00000000.sdmp, 2LDJIyMl2r.exe, 00000002.00000002.4104268099.0000000002D91000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \|Program Manager\|
Source: 2LDJIyMl2r.exe, 00000002.00000002.4104268099.0000000002D87000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager~
Source: 2LDJIyMl2r.exe, 00000002.00000002.4104268099.0000000002D91000.00000004.00000020.00020000.00000000.sdmp, registros.dat.2.dr	Binary or memory string: [2024/12/27 14:12:21 Program Manager]
Source: 2LDJIyMl2r.exe, 00000002.00000002.4104268099.0000000002D27000.00000004.00000020.00020000.00000000.sdmp, 2LDJIyMl2r.exe, 00000002.00000002.4104268099.0000000002D91000.00000004.00000020.00020000.00000000.sdmp, registros.dat.2.dr	Binary or memory string: [2024/12/27 14:12:34 Program Manager]

Source: C:\Users\user\Desktop\2LDJIyMl2r.exe

Code function: 2_2_02973E0A cpuid

2_2_02973E0A

Source: C:\Users\user\Desktop\2LDJIyMl2r.exe	Code function: GetLocaleInfoA,	2_2_0294E679
Source: C:\Users\user\Desktop\2LDJIyMl2r.exe	Code function: GetLocaleInfoW,	2_2_029912EA
Source: C:\Users\user\Desktop\2LDJIyMl2r.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	2_2_029913B7
Source: C:\Users\user\Desktop\2LDJIyMl2r.exe	Code function: GetLocaleInfoW,	2_2_029910BA
Source: C:\Users\user\Desktop\2LDJIyMl2r.exe	Code function: EnumSystemLocalesW,	2_2_029870AE
Source: C:\Users\user\Desktop\2LDJIyMl2r.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	2_2_029911E3
Source: C:\Users\user\Desktop\2LDJIyMl2r.exe	Code function: GetLocaleInfoW,	2_2_02987597
Source: C:\Users\user\Desktop\2LDJIyMl2r.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	2_2_02990A7F
Source: C:\Users\user\Desktop\2LDJIyMl2r.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	2_2_02990E6A
Source: C:\Users\user\Desktop\2LDJIyMl2r.exe	Code function: EnumSystemLocalesW,	2_2_02990CF7
Source: C:\Users\user\Desktop\2LDJIyMl2r.exe	Code function: EnumSystemLocalesW,	2_2_02990DDD
Source: C:\Users\user\Desktop\2LDJIyMl2r.exe	Code function: EnumSystemLocalesW,	2_2_02990D42

Source: C:\Users\user\Desktop\2LDJIyMl2r.exe

Code function: 0_2_00414C65 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00414C65

Source: C:\Users\user\Desktop\2LDJIyMl2r.exe

Code function: 2_2_0295A7A2 GetComputerNameExW,GetUserNameW,

2_2_0295A7A2

Source: C:\Users\user\Desktop\2LDJIyMl2r.exe

Code function: 2_2_02988057 _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

2_2_02988057

Stealing of Sensitive Information

Yara detected Remcos RAT

Source: Yara match	File source: 2.2.2LDJIyMl2r.exe.2940000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2LDJIyMl2r.exe.4610000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2LDJIyMl2r.exe.4580000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2LDJIyMl2r.exe.4610000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.2LDJIyMl2r.exe.2940000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2LDJIyMl2r.exe.4580000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1870892737.0000000004580000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1870945582.0000000004610000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 2LDJIyMl2r.exe PID: 6648, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 2LDJIyMl2r.exe PID: 4948, type: MEMORYSTR

Contains functionality to steal Chrome passwords or cookies

Source: C:\Users\user\Desktop\2LDJIyMl2r.exe

Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data

2_2_0294B21B

Contains functionality to steal Firefox passwords or cookies

Source: C:\Users\user\Desktop\2LDJIyMl2r.exe	Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\		2_2_0294B335
Source: C:\Users\user\Desktop\2LDJIyMl2r.exe	Code function: \key3.db		2_2_0294B335

Remote Access Functionality

Yara detected Remcos RAT

Source: Yara match	File source: 2.2.2LDJIyMl2r.exe.2940000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2LDJIyMl2r.exe.4610000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2LDJIyMl2r.exe.4580000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2LDJIyMl2r.exe.4610000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.2LDJIyMl2r.exe.2940000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2LDJIyMl2r.exe.4580000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1870892737.0000000004580000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1870945582.0000000004610000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 2LDJIyMl2r.exe PID: 6648, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 2LDJIyMl2r.exe PID: 4948, type: MEMORYSTR

Source: C:\Users\user\Desktop\2LDJIyMl2r.exe

Code function: cmd.exe

2_2_02945042

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	12 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Command and Scripting Interpreter	1 Windows Service	1 Bypass User Account Control	1 Deobfuscate/Decode Files or Information	211 Input Capture	1 Account Discovery	Remote Desktop Protocol	211 Input Capture	2 Encrypted Channel	Exfiltration Over Bluetooth	1 Defacement
Email Addresses	DNS Server	Domain Accounts	2 Service Execution	1 Registry Run Keys / Startup Folder	1 Access Token Manipulation	2 Obfuscated Files or Information	2 Credentials In Files	1 System Service Discovery	SMB/Windows Admin Shares	3 Clipboard Data	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Windows Service	1 Software Packing	NTDS	2 File and Directory Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	112 Process Injection	1 DLL Side-Loading	LSA Secrets	22 System Information Discovery	SSH	Keylogging	12 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Registry Run Keys / Startup Folder	1 Bypass User Account Control	Cached Domain Credentials	21 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Masquerading	DCSync	1 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	2 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Access Token Manipulation	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	112 Process Injection	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
2LDJIyMl2r.exe	63%	ReversingLabs	Win32.Trojan.Remcos

Source	Detection	Scanner	Label	Link
newstaticfreepoint24.ddns-ip.net	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
geoplugin.net	178.237.33.50	true	false		high
newstaticfreepoint24.ddns-ip.net	181.71.216.203	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://geoplugin.net/json.gp	false		high
newstaticfreepoint24.ddns-ip.net	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://geoplugin.net/json.gpd	2LDJIyMl2r.exe, 00000002.00000003.1864437018.0000000002D87000.00000004.00000020.00020000.00000000.sdmp	false	high
http://geoplugin.net/json.gpDMl0	2LDJIyMl2r.exe, 00000002.00000003.1864437018.0000000002D64000.00000004.00000020.00020000.00000000.sdmp	false	high
http://geoplugin.net/ecurity=Impersonation	2LDJIyMl2r.exe, 00000002.00000003.1864437018.0000000002D64000.00000004.00000020.00020000.00000000.sdmp	false	high
http://geoplugin.net/	2LDJIyMl2r.exe, 00000002.00000003.1864437018.0000000002D64000.00000004.00000020.00020000.00000000.sdmp, 2LDJIyMl2r.exe, 00000002.00000003.1864437018.0000000002D87000.00000004.00000020.00020000.00000000.sdmp, 2LDJIyMl2r.exe, 00000002.00000003.1864614461.0000000002D8F000.00000004.00000020.00020000.00000000.sdmp	false	high
http://geoplugin.net/json.gp%	2LDJIyMl2r.exe, 00000002.00000002.4104268099.0000000002D27000.00000004.00000020.00020000.00000000.sdmp	false	high
http://geoplugin.net/json.gp/C	2LDJIyMl2r.exe, 00000000.00000002.1870892737.0000000004580000.00000004.00001000.00020000.00000000.sdmp, 2LDJIyMl2r.exe, 00000000.00000002.1870945582.0000000004610000.00000040.00001000.00020000.00000000.sdmp, 2LDJIyMl2r.exe, 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp	false	high
https://zoom.us/privacy/Zoom	2LDJIyMl2r.exe, userModel.exe.0.dr	false	high
http://geoplugin.net/json.gpSystem32	2LDJIyMl2r.exe, 00000002.00000002.4104268099.0000000002D27000.00000004.00000020.00020000.00000000.sdmp	false	high
http://geoplugin.net/json.gp=	2LDJIyMl2r.exe, 00000002.00000003.1864437018.0000000002D87000.00000004.00000020.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
178.237.33.50	geoplugin.net	Netherlands		8455	ATOM86-ASATOM86NL	false
181.71.216.203	newstaticfreepoint24.ddns-ip.net	Colombia		27831	ColombiaMovilCO	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1581464
Start date and time:	2024-12-27 20:11:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 35s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	2LDJIyMl2r.exe renamed because original name is a hash value
Original Sample Name:	C3C8E7B07E16739C1C0B79F5FF91479F.exe
Detection:	MAL
Classification:	mal100.rans.troj.spyw.expl.evad.winEXE@3/3@2/2
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 77% Number of executed functions: 55 Number of non-executed functions: 178
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, BackgroundTransferHost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 20.109.210.53, 20.190.181.23, 13.107.246.63, 20.223.35.26, 20.223.36.55, 2.16.158.176
Excluded domains from analysis (whitelisted): www.bing.com, ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, otelrules.azureedge.net, ctldl.windowsupdate.com, tse1.mm.bing.net, arc.msn.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target 2LDJIyMl2r.exe, PID 6648 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: 2LDJIyMl2r.exe

Simulations

Behavior and APIs

Time	Type	Description
14:12:44	API Interceptor	5569961x Sleep call for process: 2LDJIyMl2r.exe modified
19:12:20	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run userModel C:\Users\user\Favorites\my-web-app\backend\userModel.exe
19:12:28	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run userModel C:\Users\user\Favorites\my-web-app\backend\userModel.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
178.237.33.50	1evAkYZpwDV0N4v.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	94e.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	94e.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	0442.pdf.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	SHROsQyiAd.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	nikDoCvpJa.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	LbtytfWpvx.vbs	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	SEPTobn3BR.exe	Get hash	malicious	Remcos, DBatLoader	Browse	geoplugin.net/json.gp

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
geoplugin.net	1evAkYZpwDV0N4v.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	94e.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	94e.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	0442.pdf.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	SHROsQyiAd.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	nikDoCvpJa.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	LbtytfWpvx.vbs	Get hash	malicious	Remcos	Browse	178.237.33.50
	SEPTobn3BR.exe	Get hash	malicious	Remcos, DBatLoader	Browse	178.237.33.50
newstaticfreepoint24.ddns-ip.net	SHROsQyiAd.exe	Get hash	malicious	Remcos	Browse	181.131.217.244
	4JwhvqLe8n.exe	Get hash	malicious	Remcos	Browse	181.131.217.244
	fIPSLgT0lO.exe	Get hash	malicious	Remcos	Browse	181.131.217.244
	3XSXmrEOw7.exe	Get hash	malicious	Remcos	Browse	181.131.217.244
	ozfqy8Ms6t.exe	Get hash	malicious	Remcos	Browse	181.131.217.244
	pPLwX9wSrD.exe	Get hash	malicious	Remcos	Browse	181.131.217.244
	hCJ8gK9kNn.exe	Get hash	malicious	Remcos	Browse	181.131.217.244

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ATOM86-ASATOM86NL	1evAkYZpwDV0N4v.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	94e.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	94e.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	0442.pdf.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	1734707047fff7a4a195c1e77157873964de3a3a708aa4bdc0aee24f3a94bc5bd05cc323f3964.dat-decoded.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	SHROsQyiAd.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	nikDoCvpJa.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	17346150108fd59162a7f50db4b74cc85f1873b39cc8eaeab355e353b3b8b18e8e21fd369d493.dat-decoded.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	LbtytfWpvx.vbs	Get hash	malicious	Remcos	Browse	178.237.33.50
	SEPTobn3BR.exe	Get hash	malicious	Remcos, DBatLoader	Browse	178.237.33.50
ColombiaMovilCO	telnet.ppc.elf	Get hash	malicious	Unknown	Browse	177.252.126.11
	loligang.mpsl.elf	Get hash	malicious	Mirai	Browse	186.181.45.206
	armv6l.elf	Get hash	malicious	Unknown	Browse	186.180.36.76
	nshkmips.elf	Get hash	malicious	Mirai	Browse	191.92.238.158
	mips.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	177.252.78.179
	la.bot.arm6.elf	Get hash	malicious	Mirai	Browse	191.90.131.151
	nshkppc.elf	Get hash	malicious	Mirai	Browse	179.13.242.231
	la.bot.arm.elf	Get hash	malicious	Mirai	Browse	186.180.182.173
	la.bot.arm6.elf	Get hash	malicious	Mirai	Browse	191.91.113.252
	spc.elf	Get hash	malicious	Mirai, Moobot	Browse	186.180.66.202

Process:	C:\Users\user\Desktop\2LDJIyMl2r.exe
File Type:	data
Category:	dropped
Size (bytes):	488
Entropy (8bit):	3.260636480070927
Encrypted:	false
SSDEEP:	12:6lDlnecmlDlqbWFe5Ulcl7IbWFe5UlElAbW+:6JlecmJlOWqUGSWqUeuW+
MD5:	4FD4E59A91AF9D1E997EE61323DE23B0
SHA1:	5AACE94596C330465559DBCD7D08C1F70F1E2222
SHA-256:	56812D7E16EF7294C656618E18BA865BE6A01075E3737750A5799A6FFF2877B9
SHA-512:	2410CECCD3480B2C852D2770A50A4807932F8A6B4E03457EBBCFA219B543DA87FF9A1E7B0D7B0676CCD7EFDF0200D830FA6BDD8F779FE7D025423188AECFC519
Malicious:	false
Reputation:	low
Preview:	....[.2.0.2.4./.1.2./.2.7. .1.4.:.1.2.:.1.1. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.2.0.2.4./.1.2./.2.7. .1.4.:.1.2.:.1.2. .P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....[.W.i.n.].r.....[.2.0.2.4./.1.2./.2.7. .1.4.:.1.2.:.2.0. .R.u.n.].........[.2.0.2.4./.1.2./.2.7. .1.4.:.1.2.:.2.1. .P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....[.W.i.n.].r.....[.2.0.2.4./.1.2./.2.7. .1.4.:.1.2.:.2.8. .R.u.n.].........[.2.0.2.4./.1.2./.2.7. .1.4.:.1.2.:.3.4. .P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\json[1].json

Download File

Process:	C:\Users\user\Desktop\2LDJIyMl2r.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	963
Entropy (8bit):	5.019506780280991
Encrypted:	false
SSDEEP:	12:tkluWJmnd6CsGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzd:qlupdRNuKyGX85jvXhNlT3/7AcV9Wro
MD5:	7459F6DA71CD5EAF9DBE2D20CA9434AC
SHA1:	4F60E33E15277F7A632D8CD058EC7DF4728B40BC
SHA-256:	364A445C3A222EE10A8816F78283BBD0503A5E5824B2A7F5DCD8E6DA9148AF6A
SHA-512:	3A862711D78F6F97F07E01ACC0DCB54F595A23AACEA9F2BB9606382805E1E92C1ACE09E1446F312F3B6D4EE63435ABEF46F0C16F015BD505347A1BCF2E149841
Malicious:	false
Reputation:	low
Preview:	{. "geoplugin_request":"8.46.123.189",. "geoplugin_status":200,. "geoplugin_delay":"1ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}

C:\Users\user\Favorites\my-web-app\backend\userModel.exe

Download File

Process:	C:\Users\user\Desktop\2LDJIyMl2r.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	959567331
Entropy (8bit):	0.07481558821507805
Encrypted:	false
SSDEEP:
MD5:	B831CCFDA8C10461D7A32EF9C81B7C63
SHA1:	00C271A53695E1B0EFC6F0A4CDE04D58F7206336
SHA-256:	A82C0ADE08DAB1F5DC1F15F4B1A84F0C760DD0125B802FEE8CC947794CF7FB17
SHA-512:	B3E2064806849D855571EDBE453AF9A80C7A4F8B4B34BE9036C295A72096882C3A9F8934443FBC0F0BD9E4D232FE5567E14CC4A28310BABBD304806B59A36FEF
Malicious:	false
Reputation:	low
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........rt..............k.......f.......f.......f.......f.......{.......{.......f.......f..........=....f.......f..............f......Rich............................PE..L.....Cg.................~...<R.....pF............@...........................S......i....@..................................H..........D.Q.............8_.......*......p...................@.......H...@............................................text............~.................. ..`.rdata..............................@..@.data....P.......:...v..............@....rsrc...D.Q.......Q.................@..@................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.23326273395216
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	2LDJIyMl2r.exe
File size:	5'488'128 bytes
MD5:	c3c8e7b07e16739c1c0b79f5ff91479f
SHA1:	5de5162c4f4c76a1fbcc281f26a02486f626f29a
SHA256:	918c574b7b2841d4dfafd36d23940f4b5f9636ccfb483589ff7df63967ddcf87
SHA512:	cef48c9be82f4db90c68443630d58084aae1aea054bca82803d51ab63226ca085e1c05b393505dd9442c832b1c59e6720ff217d61200ac9011159d145ac33ba4
SSDEEP:	49152:/IFXei/uNQrNQDuNz6jk+1n+Vu1cJ+TsehmvK718uFvvPRSTp8UX6:/QN8DU6jn+V8/IeIA8u08UX6
TLSH:	EE466BB0C50BDC42E8255A7FD022AABD0222AEFDE457A04B56D9FF26B573EC134D4463
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........rt..............k.......f.......f.......f.......f.......{.......{.......f.......f..........=....f.......f...............f.....

File Icon


Icon Hash:	e082c4e4ae8c82e8

Static PE Info

General

Entrypoint:	0x414670
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x6743E4D1 [Mon Nov 25 02:45:37 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	73fea8e21025ec6f368037fae3afc60a

Authenticode Signature

Signature Valid:
Signature Issuer:
Signature Validation Error:
Error Number:
Not Before, Not After
Subject Chain
Version:
Thumbprint MD5:
Thumbprint SHA-1:
Thumbprint SHA-256:
Serial:

Entrypoint Preview

Instruction
call 00007FBA64E69222h
jmp 00007FBA64E68A4Dh
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push esi
mov esi, dword ptr [ebp+08h]
push dword ptr [esi]
call 00007FBA64E69443h
push dword ptr [ebp+14h]
mov dword ptr [esi], eax
push dword ptr [ebp+10h]
push dword ptr [ebp+0Ch]
push esi
push 00413F30h
push 00429024h
call 00007FBA64E69374h
add esp, 1Ch
pop esi
pop ebp
ret
jmp 00007FBA64E68456h
push ebp
mov ebp, esp
push 00000000h
call dword ptr [0041932Ch]
push dword ptr [ebp+08h]
call dword ptr [00419324h]
push C0000409h
call dword ptr [00419270h]
push eax
call dword ptr [00419368h]
pop ebp
ret
push ebp
mov ebp, esp
sub esp, 00000324h
push 00000017h
call dword ptr [00419330h]
test eax, eax
je 00007FBA64E68BE7h
push 00000002h
pop ecx
int 29h
mov dword ptr [0042CB80h], eax
mov dword ptr [0042CB7Ch], ecx
mov dword ptr [0042CB78h], edx
mov dword ptr [0042CB74h], ebx
mov dword ptr [0042CB70h], esi
mov dword ptr [0042CB6Ch], edi
mov word ptr [0042CB98h], ss
mov word ptr [0042CB8Ch], cs
mov word ptr [0042CB68h], ds
mov word ptr [0042CB64h], es
mov word ptr [00000000h], fs

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x248e8	0x1cc	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2e000	0x510c44	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x58800	0x5f38	.rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x59000	0x2acc	.rsrc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x21cd8	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x21e40	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x21d48	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x19000	0x5b8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x18000	0x17e00	4eebc998272166f0a3f244cc99c39396	False	0.5096224640052356	data	6.421767810263636	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x19000	0x10000	0xf400	705b94a546f1abb8fba1e84ce4933d03	False	0.29005507172131145	data	5.0324726546167895	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x29000	0x5000	0x3a00	22c50ae1b95257f8c3a44ff7a2de2c94	False	0.10162984913793104	data	2.0443500313558287	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x2e000	0x510c44	0x510e00	bd96fed0f512afaa7caba14f20e95a4c	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_BITMAP	0x2e7c0	0x79a8	Device independent bitmap graphic, 288 x 27 x 32, image size 0, resolution 7874 x 7874 px/m			0.2794438736193167
RT_BITMAP	0x36168	0xe02a	Device independent bitmap graphic, 448 x 32 x 32, image size 57346, resolution 2834 x 2834 px/m			0.2725751925556756
RT_BITMAP	0x44194	0x72a24	Device independent bitmap graphic, 500 x 313 x 24, image size 469500, resolution 3780 x 3780 px/m			0.5472696681858841
RT_BITMAP	0xb6bb8	0x72a24	Device independent bitmap graphic, 500 x 313 x 24, image size 469500, resolution 3780 x 3780 px/m			0.6592132725646377
RT_BITMAP	0x1295dc	0x51ea7	PC bitmap, Windows 3.x format, 42442 x 2 x 51, image size 336412, cbSize 335527, bits offset 54			0.8009787587884134
RT_BITMAP	0x17b484	0x268a2	PC bitmap, Windows 3.x format, 20529 x 2 x 40, image size 158237, cbSize 157858, bits offset 54			0.6517059635875281
RT_BITMAP	0x1a1d28	0x27a18	Device independent bitmap graphic, 966 x 42 x 32, image size 162288, resolution 3582 x 3582 px/m			0.205152530678626
RT_ICON	0x1c9740	0x42028	Device independent bitmap graphic, 256 x 512 x 32, image size 262144			0.13995694884161317
RT_ICON	0x20b768	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584			0.17032414527386727
RT_ICON	0x21bf90	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584			0.25226251035135455
RT_ICON	0x22c7b8	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536			0.17801372293860168
RT_ICON	0x23cfe0	0x44028	Device independent bitmap graphic, 256 x 512 x 32, image size 262144			0.2436353062806927
RT_ICON	0x281008	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584			0.4277919081982728
RT_ICON	0x291830	0x42028	Device independent bitmap graphic, 256 x 512 x 32, image size 0			0.39190238778589814
RT_ICON	0x2d3858	0x528	Device independent bitmap graphic, 16 x 32 x 32, image size 1280	English	United States	0.4401515151515151
RT_ICON	0x2d3d80	0xb68	Device independent bitmap graphic, 24 x 48 x 32, image size 2880	English	United States	0.29486301369863016
RT_ICON	0x2d48e8	0x1428	Device independent bitmap graphic, 32 x 64 x 32, image size 5120	English	United States	0.23507751937984497
RT_ICON	0x2d5d10	0x2d28	Device independent bitmap graphic, 48 x 96 x 32, image size 11520	English	United States	0.17439446366782008
RT_ICON	0x2d8a38	0x5028	Device independent bitmap graphic, 64 x 128 x 32, image size 20480	English	United States	0.12339181286549708
RT_ICON	0x2dda60	0x14028	Device independent bitmap graphic, 128 x 256 x 32, image size 81920	English	United States	0.0954123962908736
RT_ICON	0x2f1a88	0xc16d	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	1.0005250721974273
RT_RCDATA	0x2fdbf8	0xc32ba	Delphi compiled form 'Tdm'			0.2685228503736468
RT_RCDATA	0x3c0eb4	0xf7ece	Delphi compiled form 'TfPNGMessage'			0.16635910121299613
RT_RCDATA	0x4b8d84	0x20b55	Delphi compiled form 'TMainForm'			0.3190568248826256
RT_RCDATA	0x4d98dc	0x5fd99	Delphi compiled form '\023TOperationModeFrame\022OperationModeFrame'			0.5993158448399265
RT_MESSAGETABLE	0x539678	0x2840	data			0.41498447204968947
RT_MESSAGETABLE	0x53beb8	0x2840	data			0.3259899068322981
RT_GROUP_ICON	0x53e6f8	0x68	data	English	United States	0.7403846153846154
RT_VERSION	0x53e760	0x364	data	English	United States	0.43317972350230416
RT_MANIFEST	0x53eac4	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL	Import
KERNEL32.dll	GetCurrentThreadId, QueryDosDeviceW, VirtualProtect, HeapFree, EnterCriticalSection, GetCurrentProcess, ReleaseSemaphore, WriteFile, GetModuleFileNameW, WaitForMultipleObjects, LeaveCriticalSection, InitializeCriticalSection, SetFilePointer, ResumeThread, GetModuleHandleA, OpenProcess, GetLogicalDriveStringsW, CreateToolhelp32Snapshot, CreateEventW, Process32NextW, CreateFileA, SetEvent, Process32FirstW, FreeLibrary, HeapAlloc, GetWindowsDirectoryW, VerSetConditionMask, GetProcessHeap, GetModuleHandleW, CreateSemaphoreW, FlushInstructionCache, VerifyVersionInfoW, CreateDirectoryA, SetDllDirectoryW, VirtualQuery, LoadLibraryExW, FlushFileBuffers, LocalFree, SetErrorMode, GetPrivateProfileStringW, GetTempFileNameW, CreateFileW, OutputDebugStringW, IsWow64Process, MultiByteToWideChar, SetConsoleCtrlHandler, IsDebuggerPresent, InitializeCriticalSectionAndSpinCount, ResetEvent, WaitForSingleObjectEx, UnhandledExceptionFilter, CreateThread, SetUnhandledExceptionFilter, IsProcessorFeaturePresent, GetCurrentProcessId, GetProcAddress, LoadLibraryW, ExitProcess, DeleteCriticalSection, CloseHandle, DeleteFileW, TerminateThread, GetLastError, GetTickCount64, Sleep, WaitForSingleObject, InitializeCriticalSectionEx, TerminateProcess, CreateDirectoryW, QueryPerformanceCounter, GetSystemTimeAsFileTime, InitializeSListHead
USER32.dll	GetMessageW, GetUserObjectInformationA, SetTimer, TranslateMessage, PostThreadMessageW, DispatchMessageW, GetProcessWindowStation, MessageBoxW
ADVAPI32.dll	GetTokenInformation, RegGetValueW, RegOpenKeyExW, OpenProcessToken, RegEnumKeyExW, RegCloseKey, DuplicateTokenEx, FreeSid, CreateRestrictedToken, ImpersonateLoggedOnUser, CreateWellKnownSid, AllocateAndInitializeSid, SetTokenInformation, RevertToSelf
SHELL32.dll	SHGetKnownFolderPath, SHGetSpecialFolderPathW, ShellExecuteExW, SHGetSpecialFolderPathA
ole32.dll	CoInitialize, CoUninitialize, CoTaskMemFree, CoInitializeEx, CoSetProxyBlanket, OleRun, CoCreateInstance
OLEAUT32.dll	VariantClear, SysAllocString, SysFreeString
SHLWAPI.dll	PathAppendW, PathIsRelativeW
PSAPI.DLL	GetModuleInformation, GetModuleFileNameExW, GetMappedFileNameW, EnumProcessModules
WINTRUST.dll	WinVerifyTrust, WTHelperProvDataFromStateData, WTHelperGetProvCertFromChain, WTHelperGetProvSignerFromChain
CRYPT32.dll	CertGetNameStringW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-27T20:12:13.277679+0100	2032776	ET MALWARE Remcos 3.x Unencrypted Checkin	1	192.168.2.4	49732	181.71.216.203	3020	TCP
2024-12-27T20:12:14.542367+0100	2032777	ET MALWARE Remcos 3.x Unencrypted Server Response	1	181.71.216.203	3020	192.168.2.4	49732	TCP
2024-12-27T20:12:16.531481+0100	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	3	192.168.2.4	49734	178.237.33.50	80	TCP
2024-12-27T20:14:17.250395+0100	2032777	ET MALWARE Remcos 3.x Unencrypted Server Response	1	181.71.216.203	3020	192.168.2.4	49732	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 27, 2024 20:12:13.156824112 CET	49732	3020	192.168.2.4	181.71.216.203
Dec 27, 2024 20:12:13.276601076 CET	3020	49732	181.71.216.203	192.168.2.4
Dec 27, 2024 20:12:13.276725054 CET	49732	3020	192.168.2.4	181.71.216.203
Dec 27, 2024 20:12:13.277678967 CET	49732	3020	192.168.2.4	181.71.216.203
Dec 27, 2024 20:12:13.397212982 CET	3020	49732	181.71.216.203	192.168.2.4
Dec 27, 2024 20:12:14.542366982 CET	3020	49732	181.71.216.203	192.168.2.4
Dec 27, 2024 20:12:14.545089960 CET	49732	3020	192.168.2.4	181.71.216.203
Dec 27, 2024 20:12:14.664983988 CET	3020	49732	181.71.216.203	192.168.2.4
Dec 27, 2024 20:12:14.778001070 CET	3020	49732	181.71.216.203	192.168.2.4
Dec 27, 2024 20:12:14.830921888 CET	49732	3020	192.168.2.4	181.71.216.203
Dec 27, 2024 20:12:15.114454985 CET	49734	80	192.168.2.4	178.237.33.50
Dec 27, 2024 20:12:15.234064102 CET	80	49734	178.237.33.50	192.168.2.4
Dec 27, 2024 20:12:15.234432936 CET	49734	80	192.168.2.4	178.237.33.50
Dec 27, 2024 20:12:15.234766960 CET	49734	80	192.168.2.4	178.237.33.50
Dec 27, 2024 20:12:15.354881048 CET	80	49734	178.237.33.50	192.168.2.4
Dec 27, 2024 20:12:16.531404972 CET	80	49734	178.237.33.50	192.168.2.4
Dec 27, 2024 20:12:16.531481028 CET	49734	80	192.168.2.4	178.237.33.50
Dec 27, 2024 20:12:16.562652111 CET	3020	49732	181.71.216.203	192.168.2.4
Dec 27, 2024 20:12:16.564788103 CET	49732	3020	192.168.2.4	181.71.216.203
Dec 27, 2024 20:12:16.684407949 CET	3020	49732	181.71.216.203	192.168.2.4
Dec 27, 2024 20:12:16.685774088 CET	49732	3020	192.168.2.4	181.71.216.203
Dec 27, 2024 20:12:16.805507898 CET	3020	49732	181.71.216.203	192.168.2.4
Dec 27, 2024 20:12:17.531455040 CET	80	49734	178.237.33.50	192.168.2.4
Dec 27, 2024 20:12:17.531518936 CET	49734	80	192.168.2.4	178.237.33.50
Dec 27, 2024 20:12:46.712667942 CET	3020	49732	181.71.216.203	192.168.2.4
Dec 27, 2024 20:12:46.715065956 CET	49732	3020	192.168.2.4	181.71.216.203
Dec 27, 2024 20:12:46.834976912 CET	3020	49732	181.71.216.203	192.168.2.4
Dec 27, 2024 20:13:16.902291059 CET	3020	49732	181.71.216.203	192.168.2.4
Dec 27, 2024 20:13:16.903414965 CET	49732	3020	192.168.2.4	181.71.216.203
Dec 27, 2024 20:13:17.023138046 CET	3020	49732	181.71.216.203	192.168.2.4
Dec 27, 2024 20:13:47.021121979 CET	3020	49732	181.71.216.203	192.168.2.4
Dec 27, 2024 20:13:47.022515059 CET	49732	3020	192.168.2.4	181.71.216.203
Dec 27, 2024 20:13:47.142281055 CET	3020	49732	181.71.216.203	192.168.2.4
Dec 27, 2024 20:14:04.862548113 CET	49734	80	192.168.2.4	178.237.33.50
Dec 27, 2024 20:14:05.269912958 CET	49734	80	192.168.2.4	178.237.33.50
Dec 27, 2024 20:14:05.956072092 CET	49734	80	192.168.2.4	178.237.33.50
Dec 27, 2024 20:14:07.263926029 CET	49734	80	192.168.2.4	178.237.33.50
Dec 27, 2024 20:14:09.824052095 CET	49734	80	192.168.2.4	178.237.33.50
Dec 27, 2024 20:14:14.752963066 CET	49734	80	192.168.2.4	178.237.33.50
Dec 27, 2024 20:14:17.250395060 CET	3020	49732	181.71.216.203	192.168.2.4
Dec 27, 2024 20:14:17.251952887 CET	49732	3020	192.168.2.4	181.71.216.203
Dec 27, 2024 20:14:17.371535063 CET	3020	49732	181.71.216.203	192.168.2.4
Dec 27, 2024 20:14:24.362345934 CET	49734	80	192.168.2.4	178.237.33.50
Dec 27, 2024 20:14:47.340174913 CET	3020	49732	181.71.216.203	192.168.2.4
Dec 27, 2024 20:14:47.341655970 CET	49732	3020	192.168.2.4	181.71.216.203
Dec 27, 2024 20:14:47.461196899 CET	3020	49732	181.71.216.203	192.168.2.4
Dec 27, 2024 20:15:17.519386053 CET	3020	49732	181.71.216.203	192.168.2.4
Dec 27, 2024 20:15:17.523961067 CET	49732	3020	192.168.2.4	181.71.216.203
Dec 27, 2024 20:15:17.643481016 CET	3020	49732	181.71.216.203	192.168.2.4
Dec 27, 2024 20:15:47.713099003 CET	3020	49732	181.71.216.203	192.168.2.4
Dec 27, 2024 20:15:47.840384960 CET	49732	3020	192.168.2.4	181.71.216.203
Dec 27, 2024 20:15:47.960081100 CET	3020	49732	181.71.216.203	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 27, 2024 20:12:12.747088909 CET	50868	53	192.168.2.4	1.1.1.1
Dec 27, 2024 20:12:13.151896954 CET	53	50868	1.1.1.1	192.168.2.4
Dec 27, 2024 20:12:14.875579119 CET	62500	53	192.168.2.4	1.1.1.1
Dec 27, 2024 20:12:15.109642982 CET	53	62500	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 27, 2024 20:12:12.747088909 CET	192.168.2.4	1.1.1.1	0xb4a6	Standard query (0)	newstaticfreepoint24.ddns-ip.net	A (IP address)	IN (0x0001)	false
Dec 27, 2024 20:12:14.875579119 CET	192.168.2.4	1.1.1.1	0xbc7d	Standard query (0)	geoplugin.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 27, 2024 20:12:13.151896954 CET	1.1.1.1	192.168.2.4	0xb4a6	No error (0)	newstaticfreepoint24.ddns-ip.net		181.71.216.203	A (IP address)	IN (0x0001)	false
Dec 27, 2024 20:12:15.109642982 CET	1.1.1.1	192.168.2.4	0xbc7d	No error (0)	geoplugin.net		178.237.33.50	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

geoplugin.net

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49734	178.237.33.50	80	4948	C:\Users\user\Desktop\2LDJIyMl2r.exe

Timestamp	Bytes transferred	Direction	Data
Dec 27, 2024 20:12:15.234766960 CET	71	OUT	GET /json.gp HTTP/1.1 Host: geoplugin.net Cache-Control: no-cache
Dec 27, 2024 20:12:16.531404972 CET	1171	IN	HTTP/1.1 200 OK date: Fri, 27 Dec 2024 19:12:16 GMT server: Apache content-length: 963 content-type: application/json; charset=utf-8 cache-control: public, max-age=300 access-control-allow-origin: * Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 31 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 [TRUNCATED] Data Ascii: { "geoplugin_request":"8.46.123.189", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}

Target ID:	0
Start time:	14:11:53
Start date:	27/12/2024
Path:	C:\Users\user\Desktop\2LDJIyMl2r.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\2LDJIyMl2r.exe"
Imagebase:	0x400000
File size:	5'488'128 bytes
MD5 hash:	C3C8E7B07E16739C1C0B79F5FF91479F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000002.1870892737.0000000004580000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.1870892737.0000000004580000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.1870892737.0000000004580000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.1870892737.0000000004580000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000000.00000002.1870892737.0000000004580000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000000.00000002.1870892737.0000000004580000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000002.1870945582.0000000004610000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.1870945582.0000000004610000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.1870945582.0000000004610000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.1870945582.0000000004610000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000000.00000002.1870945582.0000000004610000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000000.00000002.1870945582.0000000004610000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	14:12:11
Start date:	27/12/2024
Path:	C:\Users\user\Desktop\2LDJIyMl2r.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\2LDJIyMl2r.exe"
Imagebase:	0x400000
File size:	5'488'128 bytes
MD5 hash:	C3C8E7B07E16739C1C0B79F5FF91479F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	4.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	6%
Total number of Nodes:	1336
Total number of Limit Nodes:	47

Executed Functions

Function 0295BCE3 Relevance: 115.6, APIs: 40, Strings: 26, Instructions: 140
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0294D783), ref: 0295BCF8
GetProcAddress.KERNEL32(00000000), ref: 0295BD01
GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0294D783), ref: 0295BD18
GetProcAddress.KERNEL32(00000000), ref: 0295BD1B
LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0294D783), ref: 0295BD2D
GetProcAddress.KERNEL32(00000000), ref: 0295BD30
LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0294D783), ref: 0295BD41
GetProcAddress.KERNEL32(00000000), ref: 0295BD44
LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0294D783), ref: 0295BD55
GetProcAddress.KERNEL32(00000000), ref: 0295BD58
LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0294D783), ref: 0295BD65
GetProcAddress.KERNEL32(00000000), ref: 0295BD68
GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0294D783), ref: 0295BD75
GetProcAddress.KERNEL32(00000000), ref: 0295BD78
GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0294D783), ref: 0295BD85
GetProcAddress.KERNEL32(00000000), ref: 0295BD88
LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0294D783), ref: 0295BD99
GetProcAddress.KERNEL32(00000000), ref: 0295BD9C
GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0294D783), ref: 0295BDA9
GetProcAddress.KERNEL32(00000000), ref: 0295BDAC
GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0294D783), ref: 0295BDBD
GetProcAddress.KERNEL32(00000000), ref: 0295BDC0
GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0294D783), ref: 0295BDD1
GetProcAddress.KERNEL32(00000000), ref: 0295BDD4
GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0294D783), ref: 0295BDE5
GetProcAddress.KERNEL32(00000000), ref: 0295BDE8
GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0294D783), ref: 0295BDF5
GetProcAddress.KERNEL32(00000000), ref: 0295BDF8
LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0294D783), ref: 0295BE06
GetProcAddress.KERNEL32(00000000), ref: 0295BE09
LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0294D783), ref: 0295BE16
GetProcAddress.KERNEL32(00000000), ref: 0295BE19
GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0294D783), ref: 0295BE2B
GetProcAddress.KERNEL32(00000000), ref: 0295BE2E
GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0294D783), ref: 0295BE3B
GetProcAddress.KERNEL32(00000000), ref: 0295BE3E
LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0294D783), ref: 0295BE50
GetProcAddress.KERNEL32(00000000), ref: 0295BE53
LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0294D783), ref: 0295BE60
GetProcAddress.KERNEL32(00000000), ref: 0295BE63

Strings

Iphlpapi, xrefs: 0295BE45, 0295BE4F, 0295BE5A
IsWow64Process, xrefs: 0295BD6A
GetMonitorInfoW, xrefs: 0295BDD6
GetConsoleWindow, xrefs: 0295BE0B
GetComputerNameExW, xrefs: 0295BD7A
user32, xrefs: 0295BD3C, 0295BDB3, 0295BDC7, 0295BDDB
kernel32, xrefs: 0295BD5F, 0295BD64, 0295BD6F, 0295BD7F, 0295BDA3, 0295BDEF, 0295BE10
GetProcessImageFileNameW, xrefs: 0295BCED, 0295BCF2, 0295BD12
GetSystemTimes, xrefs: 0295BDEA
SetProcessDpiAwareness, xrefs: 0295BD22, 0295BD27, 0295BD3B
NtSuspendProcess, xrefs: 0295BE1B
Psapi, xrefs: 0295BCF3
Kernel32, xrefs: 0295BD13
EnumDisplayMonitors, xrefs: 0295BDC2
IsUserAnAdmin, xrefs: 0295BD8A
Shell32, xrefs: 0295BD8F
Shlwapi, xrefs: 0295BDFC
GlobalMemoryStatusEx, xrefs: 0295BD5A
NtUnmapViewOfSection, xrefs: 0295BD4B
shcore, xrefs: 0295BD28
ntdll, xrefs: 0295BD50, 0295BE20, 0295BE2A, 0295BE3A
EnumDisplayDevicesW, xrefs: 0295BDAE
SetProcessDEPPolicy, xrefs: 0295BD9E
NtResumeProcess, xrefs: 0295BE30
GetExtendedUdpTable, xrefs: 0295BE55
GetExtendedTcpTable, xrefs: 0295BE40

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleLibraryLoadModule
String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
API String ID: 384173800-625181639
Opcode ID: d09c0e854dd03e3ca687c51ebc1e87bdcc131e27d4f3795f060098747587745a
Instruction ID: 049c652a0e06d3618d3a1be5d42c962dea20a2113300246bba0c44f7143f040e
Opcode Fuzzy Hash: d09c0e854dd03e3ca687c51ebc1e87bdcc131e27d4f3795f060098747587745a
Instruction Fuzzy Hash: E331F1A0EC436C79FA11BBB75D79C3FBF9CD9A09583110C6BB50593145DA7498108EE8

Function 029559C6 Relevance: 18.1, APIs: 12, Instructions: 80
clipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenClipboard.USER32 ref: 029559C7
EmptyClipboard.USER32 ref: 029559D5
GlobalAlloc.KERNEL32(00002000,-00000002), ref: 029559F5
GlobalLock.KERNEL32(00000000), ref: 029559FE
GlobalUnlock.KERNEL32(00000000), ref: 02955A34
SetClipboardData.USER32(0000000D,00000000), ref: 02955A3D
CloseClipboard.USER32 ref: 02955A5A
OpenClipboard.USER32 ref: 02955A61
GetClipboardData.USER32(0000000D), ref: 02955A71
GlobalLock.KERNEL32(00000000), ref: 02955A7A
GlobalUnlock.KERNEL32(00000000), ref: 02955A83
CloseClipboard.USER32 ref: 02955A89

Part of subcall function 02944468: send.WS2_32(?,00000000,00000000,00000000), ref: 029444FD

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
String ID:
API String ID: 3520204547-0
Opcode ID: 2f77539e8a79aeed2a4e22a140f75fdcef065b27e69826e983b44045821d65f3
Instruction ID: d9cb6d0fe8e8c1320fcfe9fe6e494ecc642db18f4f62f91c8808d44805c1be3f
Opcode Fuzzy Hash: 2f77539e8a79aeed2a4e22a140f75fdcef065b27e69826e983b44045821d65f3
Instruction Fuzzy Hash: 652135B1A543009BD714BBF8E859EFFB6AAAFD4711F410D1DFC0686140EF304855CA62

Function 029499E4 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 65
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(00000000,00000000), ref: 02949A01
SetWindowsHookExA.USER32(0000000D,029499D0,00000000), ref: 02949A0F
GetLastError.KERNEL32 ref: 02949A1B

Part of subcall function 0295A686: GetLocalTime.KERNEL32(00000000), ref: 0295A6A0

KiUserCallbackDispatcher.NTDLL(?,00000000,00000000,00000000), ref: 02949A6B
TranslateMessage.USER32(?), ref: 02949A7A
DispatchMessageA.USER32(?), ref: 02949A85

Strings

Keylogger initialization failure: error , xrefs: 02949A32

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: Message$CallbackDispatchDispatcherErrorHandleHookLastLocalModuleTimeTranslateUserWindows
String ID: Keylogger initialization failure: error
API String ID: 941179788-952744263
Opcode ID: de4bbfc553cbed733d472c5e30e7bf8591c5f06b5672032db9989b2df8df06fc
Instruction ID: d85951a8c9f8cd47a115c4c3726ba0340f526becda207be39225ac37b422ce97
Opcode Fuzzy Hash: de4bbfc553cbed733d472c5e30e7bf8591c5f06b5672032db9989b2df8df06fc
Instruction Fuzzy Hash: 4F117B71A542016FE710BBBD9C49D6BB7EDDBC5625B40095EFC85C2140FF60D911CBA2

Function 02949B10 Relevance: 12.1, APIs: 8, Instructions: 108
keyboardthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetForegroundWindow.USER32(?,?,029B40F8), ref: 02949B3F
GetWindowThreadProcessId.USER32(00000000,?), ref: 02949B4B
GetKeyboardLayout.USER32(00000000), ref: 02949B52
GetKeyState.USER32(00000010), ref: 02949B5C
GetKeyboardState.USER32(?,?,029B40F8), ref: 02949B67
ToUnicodeEx.USER32(029B414C,?,?,?,00000010,00000000,00000000), ref: 02949B8A
ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 02949BE3
ToUnicodeEx.USER32(029B414C,?,?,?,00000010,00000000,00000000), ref: 02949C1C

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
String ID:
API String ID: 1888522110-0
Opcode ID: 47eee5de7b7a76faea6edf0b0d322458ea530e27d4ef22139af28de5b26ba2e4
Instruction ID: 4b1b8eb99320930b1a69d6b2a3da8d9f10a2d3a5692b46c118c04832b16a2dfa
Opcode Fuzzy Hash: 47eee5de7b7a76faea6edf0b0d322458ea530e27d4ef22139af28de5b26ba2e4
Instruction Fuzzy Hash: 0431D6B2588308AFD701DF94DC85FEBB7ECEB88714F400C2AB641D6090DBB1A558CB92

Function 02955A45 Relevance: 12.0, APIs: 8, Instructions: 46
clipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenClipboard.USER32 ref: 02955A46
EmptyClipboard.USER32 ref: 02955A54
CloseClipboard.USER32 ref: 02955A5A
OpenClipboard.USER32 ref: 02955A61
GetClipboardData.USER32(0000000D), ref: 02955A71
GlobalLock.KERNEL32(00000000), ref: 02955A7A
GlobalUnlock.KERNEL32(00000000), ref: 02955A83
CloseClipboard.USER32 ref: 02955A89

Part of subcall function 02944468: send.WS2_32(?,00000000,00000000,00000000), ref: 029444FD

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
String ID:
API String ID: 2172192267-0
Opcode ID: 43d344fb86dede6a49a7ddba9d92897cda226f6ba2ec7f033fa389370e207328
Instruction ID: d40d1230616fce18968c609a5761231c663d0f3269c30f4f17603621430e947b
Opcode Fuzzy Hash: 43d344fb86dede6a49a7ddba9d92897cda226f6ba2ec7f033fa389370e207328
Instruction Fuzzy Hash: CD0179716943109FC314FBB8E85AAFEF7A9AFD0721F80092DEC0A85150DF704855CB51

Function 0295A51B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 68
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0295A53E
InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0295A554
InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0295A56D
InternetCloseHandle.WININET(00000000), ref: 0295A5B3
InternetCloseHandle.WININET(00000000), ref: 0295A5B6

Strings

http://geoplugin.net/json.gp, xrefs: 0295A54E

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen$FileRead
String ID: http://geoplugin.net/json.gp
API String ID: 3121278467-91888290
Opcode ID: f9a75413f630cde16308b6165f9ae15d25a8d2c9746cef51fa60a2f375cd345a
Instruction ID: ba05a11ce97e8aed9f57f1696231a3a4d793b0db04591c5d1b4eca4e1379aed1
Opcode Fuzzy Hash: f9a75413f630cde16308b6165f9ae15d25a8d2c9746cef51fa60a2f375cd345a
Instruction Fuzzy Hash: 7D11C171A193226BD224EA659C54EBF7FADEF86275F000A3DF80992181CF549849CAF1

Function 029558B9 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 97
libraryloadershutdownCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02956AB7: GetCurrentProcess.KERNEL32(00000028,?), ref: 02956AC4
Part of subcall function 02956AB7: OpenProcessToken.ADVAPI32(00000000), ref: 02956ACB
Part of subcall function 02956AB7: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 02956ADD
Part of subcall function 02956AB7: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 02956AFC
Part of subcall function 02956AB7: GetLastError.KERNEL32 ref: 02956B02

ExitWindowsEx.USER32(00000000,00000001), ref: 0295595B
LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 02955970
GetProcAddress.KERNEL32(00000000), ref: 02955977

Strings

PowrProf.dll, xrefs: 0295596B
SetSuspendState, xrefs: 02955966

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
String ID: PowrProf.dll$SetSuspendState
API String ID: 1589313981-1420736420
Opcode ID: b0674974850cabe6450f875d2da29c0dc8a2f114320c7f7f7e27e447812a7b00
Instruction ID: fc90b23826d815557289604e0930144c24bb611ab74e7c58596dca5fc2ce872c
Opcode Fuzzy Hash: b0674974850cabe6450f875d2da29c0dc8a2f114320c7f7f7e27e447812a7b00
Instruction Fuzzy Hash: A42160A0B0835197DA24FBF4D874EBF639B9FD0744FC54C29A50A6B181EF648849CB61

Function 0294E54F Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 88
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 029524B7: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 029524D7
Part of subcall function 029524B7: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,029B42F8), ref: 029524F5
Part of subcall function 029524B7: RegCloseKey.KERNEL32(?), ref: 02952500

Sleep.KERNEL32(00000BB8), ref: 0294E603
ExitProcess.KERNEL32 ref: 0294E672

Strings

override, xrefs: 0294E574
pth_unenc, xrefs: 0294E565, 0294E5AC, 0294E619
5.3.0 Pro, xrefs: 0294E5DE, 0294E64B

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: CloseExitOpenProcessQuerySleepValue
String ID: 5.3.0 Pro$override$pth_unenc
API String ID: 2281282204-531312966
Opcode ID: e45f0dd8a38026e331a1eaf510cd06a18567a0d83e9cadb7448177728ee75bfe
Instruction ID: 5081cc3105d215a456adcc97dfc8bf69d81ee52be9e68adcc762a8baeac8cbca
Opcode Fuzzy Hash: e45f0dd8a38026e331a1eaf510cd06a18567a0d83e9cadb7448177728ee75bfe
Instruction Fuzzy Hash: 81210762F2031027EA08BB788929E7F3ADFABD1710F84051CE849572C5EE65CE418BD3

Function 0295A7A2 Relevance: 3.0, APIs: 2, Instructions: 40COMMON

Download Yara Rule

APIs

GetComputerNameExW.KERNEL32(00000001,?,0000002B,029B4358), ref: 0295A7BF
GetUserNameW.ADVAPI32(?,0294DFC3), ref: 0295A7D7

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: Name$ComputerUser
String ID:
API String ID: 4229901323-0
Opcode ID: 433d19b0498032ae471bda1ee40655044a578e144119bff46d50457f71ac84e2
Instruction ID: 6730b1c4a3d4907616734c44536df3211e05a24e515bce5093f0e5640858be35
Opcode Fuzzy Hash: 433d19b0498032ae471bda1ee40655044a578e144119bff46d50457f71ac84e2
Instruction Fuzzy Hash: 7301127290011CABDB15EBD4DC54EEEB77DEF84314F100566A406B3194EFB06B898F98

Function 0294E679 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,029545AD,029B3EE8,029B4A10,029B3EE8,00000000,029B3EE8,?,029B3EE8,5.3.0 Pro), ref: 0294E68D

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: e3ca97b4256a2351ba3b9bd3ce110142648e49904d31bd990ab8d846191ebc2e
Instruction ID: 2bbad57a73b909ff59b16a7bcb8ac4a3c7089750d705272c57f8b939d00f7208
Opcode Fuzzy Hash: e3ca97b4256a2351ba3b9bd3ce110142648e49904d31bd990ab8d846191ebc2e
Instruction Fuzzy Hash: 76D0A7707402187BEA109285CC0AFEB7B9CE740B61F000161BA01D72C0EDE0AF00CBE1

Function 0294D767 Relevance: 46.3, APIs: 13, Strings: 13, Instructions: 799
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0295BCE3: LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0294D783), ref: 0295BCF8
Part of subcall function 0295BCE3: GetProcAddress.KERNEL32(00000000), ref: 0295BD01
Part of subcall function 0295BCE3: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0294D783), ref: 0295BD18
Part of subcall function 0295BCE3: GetProcAddress.KERNEL32(00000000), ref: 0295BD1B
Part of subcall function 0295BCE3: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0294D783), ref: 0295BD2D
Part of subcall function 0295BCE3: GetProcAddress.KERNEL32(00000000), ref: 0295BD30
Part of subcall function 0295BCE3: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0294D783), ref: 0295BD41
Part of subcall function 0295BCE3: GetProcAddress.KERNEL32(00000000), ref: 0295BD44
Part of subcall function 0295BCE3: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0294D783), ref: 0295BD55
Part of subcall function 0295BCE3: GetProcAddress.KERNEL32(00000000), ref: 0295BD58
Part of subcall function 0295BCE3: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0294D783), ref: 0295BD65
Part of subcall function 0295BCE3: GetProcAddress.KERNEL32(00000000), ref: 0295BD68
Part of subcall function 0295BCE3: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0294D783), ref: 0295BD75
Part of subcall function 0295BCE3: GetProcAddress.KERNEL32(00000000), ref: 0295BD78
Part of subcall function 0295BCE3: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0294D783), ref: 0295BD85
Part of subcall function 0295BCE3: GetProcAddress.KERNEL32(00000000), ref: 0295BD88
Part of subcall function 0295BCE3: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0294D783), ref: 0295BD99
Part of subcall function 0295BCE3: GetProcAddress.KERNEL32(00000000), ref: 0295BD9C
Part of subcall function 0295BCE3: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0294D783), ref: 0295BDA9
Part of subcall function 0295BCE3: GetProcAddress.KERNEL32(00000000), ref: 0295BDAC
Part of subcall function 0295BCE3: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0294D783), ref: 0295BDBD
Part of subcall function 0295BCE3: GetProcAddress.KERNEL32(00000000), ref: 0295BDC0
Part of subcall function 0295BCE3: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0294D783), ref: 0295BDD1
Part of subcall function 0295BCE3: GetProcAddress.KERNEL32(00000000), ref: 0295BDD4
Part of subcall function 0295BCE3: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0294D783), ref: 0295BDE5
Part of subcall function 0295BCE3: GetProcAddress.KERNEL32(00000000), ref: 0295BDE8
Part of subcall function 0295BCE3: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0294D783), ref: 0295BDF5
Part of subcall function 0295BCE3: GetProcAddress.KERNEL32(00000000), ref: 0295BDF8
Part of subcall function 0295BCE3: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0294D783), ref: 0295BE06

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\2LDJIyMl2r.exe,00000104), ref: 0294D790

Part of subcall function 0294FCBA: __EH_prolog.LIBCMT ref: 0294FCBF

Strings

C:\Users\user\Desktop\2LDJIyMl2r.exe, xrefs: 0294D788, 0294DBB1
Software\, xrefs: 0294D865
User, xrefs: 0294E038
Remcos Agent initialized, xrefs: 0294DD8C
Inj, xrefs: 0294D977, 0294D98E
del, xrefs: 0294E078
licence, xrefs: 0294DD25
Administrator, xrefs: 0294E02C
Exe, xrefs: 0294D8B1
license_code.txt, xrefs: 0294D7EF
del, xrefs: 0294E094, 0294E0F4
Access Level: , xrefs: 0294E047
exepath, xrefs: 0294DC34, 0294DCDE

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
String ID: Access Level: $Administrator$C:\Users\user\Desktop\2LDJIyMl2r.exe$Exe$Inj$Remcos Agent initialized$Software\$User$del$del$exepath$licence$license_code.txt
API String ID: 2830904901-2348684261
Opcode ID: 616b25fbd27b8d2a526e87867b2f355f725060464d9e1eabe60561d87de60f0a
Instruction ID: bb65ec9cf4402ea780118be57a46523a244d6d372a8d5e8733f5a40d66a10d37
Opcode Fuzzy Hash: 616b25fbd27b8d2a526e87867b2f355f725060464d9e1eabe60561d87de60f0a
Instruction Fuzzy Hash: 8832F654B443406BEF19B774ED65FBF26DF9FC1700F04092EA44A9B2C1DEA48D858BA2

Function 02953FD4 Relevance: 32.3, APIs: 5, Strings: 13, Instructions: 813
sleepnetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000000,00000029,029B42F8,?,00000000), ref: 02954028
WSAGetLastError.WS2_32 ref: 02954249
Sleep.KERNEL32(00000000,00000002), ref: 02954B88

Part of subcall function 0295A686: GetLocalTime.KERNEL32(00000000), ref: 0295A6A0

Strings

C:\Users\user\Desktop\2LDJIyMl2r.exe, xrefs: 02954474
Connection Error: Unable to create socket, xrefs: 029542A4
| , xrefs: 029541CA, 02954310
name, xrefs: 0295441A
%I64u, xrefs: 029543AD
TLS On , xrefs: 029541A1
Connected | , xrefs: 0295430B
Connecting | , xrefs: 029541C0
hlight, xrefs: 02954447
TLS Off, xrefs: 02954193, 029541A6
Connection Error: , xrefs: 0295425A
Disconnected, xrefs: 02954AF8
5.3.0 Pro, xrefs: 0295457C

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: Sleep$ErrorLastLocalTime
String ID: | $%I64u$5.3.0 Pro$C:\Users\user\Desktop\2LDJIyMl2r.exe$Connected | $Connecting | $Connection Error: $Connection Error: Unable to create socket$Disconnected$TLS Off$TLS On $hlight$name
API String ID: 524882891-3959844286
Opcode ID: 01ecf487080eda5ddd4533690bbbff5aab6f8c016c1ca7cb82c212cd350bd14b
Instruction ID: ddce6ee251e9ce8ecdf73978426b25340bbd3065cb770c53e42e38d43cd012a2
Opcode Fuzzy Hash: 01ecf487080eda5ddd4533690bbbff5aab6f8c016c1ca7cb82c212cd350bd14b
Instruction Fuzzy Hash: 9B520972E002145BDB19F774EDA1EEE73A6AFE0700F5041A9E80EA6190EF706F85CE55

Function 0294428C Relevance: 19.4, APIs: 4, Strings: 7, Instructions: 147
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

connect.WS2_32(?,?,?), ref: 029442A5
CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,0294192B), ref: 029443CB
CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,0294192B), ref: 029443D5
WSAGetLastError.WS2_32(?,?,?,0294192B), ref: 029443E7

Part of subcall function 0295A686: GetLocalTime.KERNEL32(00000000), ref: 0295A6A0

Strings

Connection Refused, xrefs: 0294443E
TLS Error 3, xrefs: 0294439D
Connection Failed: , xrefs: 0294440C
TLS Authentication Failed, xrefs: 0294435E
TLS Error 1, xrefs: 029442FC
TLS Handshake... | , xrefs: 029442C9
TLS Error 2, xrefs: 0294431A

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: CreateEvent$ErrorLastLocalTimeconnect
String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
API String ID: 994465650-2151626615
Opcode ID: 59a984e673a80071f97d1f22d8bd9908a1241062f2d0f1fef7ee000c636ffd3b
Instruction ID: 7486ccf721590b805b238187d79111d965aa2b3ee7dbb2483d5bdcbe7fb47e50
Opcode Fuzzy Hash: 59a984e673a80071f97d1f22d8bd9908a1241062f2d0f1fef7ee000c636ffd3b
Instruction Fuzzy Hash: A5413E61F00301B7EB04B77D8D5AE7D7BDBEBC1324B810258D80A47681EF51A9218BE3

Function 0294A3F4 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 158
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__Init_thread_footer.LIBCMT ref: 0294A456
Sleep.KERNEL32(000001F4), ref: 0294A461
GetForegroundWindow.USER32 ref: 0294A467
GetWindowTextLengthW.USER32(00000000), ref: 0294A470
GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0294A4A4
Sleep.KERNEL32(000003E8), ref: 0294A574

Part of subcall function 02949D58: SetEvent.KERNEL32(?,?,?,0294AF3F,?,?,?,?,?,00000000), ref: 02949D84

Strings

{ User has been idle for , xrefs: 0294A5AB
minutes }, xrefs: 0294A59F
], xrefs: 0294A508
[, xrefs: 0294A50E

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: Window$SleepText$EventForegroundInit_thread_footerLength
String ID: [${ User has been idle for $ minutes }$]
API String ID: 911427763-3954389425
Opcode ID: dba320b1108f825d9f016b08d4bd290f705d49b6e5bf284714b0fc696bb8164c
Instruction ID: bb834dac681fed8756158c6a3100a5d2182b9fc925f287ba1a4ba4728d6ad5d2
Opcode Fuzzy Hash: dba320b1108f825d9f016b08d4bd290f705d49b6e5bf284714b0fc696bb8164c
Instruction Fuzzy Hash: D051E071A583405BD718FB64D968EBFB7DABFC4314F800A2DF84A861D0DF609A45CB92

Function 0294C89E Relevance: 17.6, APIs: 1, Strings: 9, Instructions: 139
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 0294CA04

Strings

\SysWOW64, xrefs: 0294C96A
WinDir, xrefs: 0294C905, 0294C927, 0294C979
SystemDrive, xrefs: 0294C8FB
ProgramFiles, xrefs: 0294C9D8
AppData, xrefs: 0294C9BB
Temp, xrefs: 0294C8D0
UserProfile, xrefs: 0294C9C2
ProgramData, xrefs: 0294C9C9
\system32, xrefs: 0294C918

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: LongNamePath
String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
API String ID: 82841172-425784914
Opcode ID: d50b17dd845f8b4da79ac1b64ff0247ea43787be2d766e8b361f81aae6905110
Instruction ID: e34d5d83bd2b7a937715f8dc676aeae1611837168220d09985466c3de69220e5
Opcode Fuzzy Hash: d50b17dd845f8b4da79ac1b64ff0247ea43787be2d766e8b361f81aae6905110
Instruction Fuzzy Hash: 82413736548300AFD718F760DD61DBFB7EAAED0710F54092EF48B921E0EE609949CE96

Function 0295A463 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0295B15B: GetCurrentProcess.KERNEL32(?,?,?,0294C914,WinDir,00000000,00000000), ref: 0295B16C

Part of subcall function 02952513: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 02952537
Part of subcall function 02952513: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 02952554
Part of subcall function 02952513: RegCloseKey.KERNEL32(?), ref: 0295255F

StrToIntA.SHLWAPI(00000000,029ABC48,?,00000000,00000000,029B4358,00000003,Exe,00000000,0000000E,00000000,029A556C,00000003,00000000), ref: 0295A4D9

Strings

SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 0295A477, 0295A481, 0295A4BF
ProductName, xrefs: 0295A472
(64 bit), xrefs: 0295A506, 0295A510
(32 bit), xrefs: 0295A501
CurrentBuildNumber, xrefs: 0295A4BA

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: CloseCurrentOpenProcessQueryValue
String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
API String ID: 1866151309-2070987746
Opcode ID: 55fedd6c8b4ece8cc91d9ed6db3affefabb0ada953b47256d8891876e850eade
Instruction ID: db64605c9837a911e8735cde36dd8fac1f89bfdf725b101a38be4e77f5ab257f
Opcode Fuzzy Hash: 55fedd6c8b4ece8cc91d9ed6db3affefabb0ada953b47256d8891876e850eade
Instruction Fuzzy Hash: A511E560F003116AD609F3A8DC7BD7F7A6B9BE1204F4005289906972C1EEA09E468BE0

Function 02949E48 Relevance: 9.2, APIs: 6, Instructions: 163
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00001388), ref: 02949E62

Part of subcall function 02949D97: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,02949E6F), ref: 02949DCD
Part of subcall function 02949D97: GetFileSize.KERNEL32(00000000,00000000,?,?,?,02949E6F), ref: 02949DDC
Part of subcall function 02949D97: Sleep.KERNEL32(00002710,?,?,?,02949E6F), ref: 02949E09
Part of subcall function 02949D97: CloseHandle.KERNEL32(00000000,?,?,?,02949E6F), ref: 02949E10

CreateDirectoryW.KERNEL32(00000000,00000000), ref: 02949E9E
GetFileAttributesW.KERNEL32(00000000), ref: 02949EAF
SetFileAttributesW.KERNEL32(00000000,00000080), ref: 02949EC6
PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 02949F40

Part of subcall function 0295B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,02949F65), ref: 0295B633

SetFileAttributesW.KERNEL32(00000000,00000006,00000013,029A5900,?,00000000,00000000,00000000,00000000,00000000), ref: 0294A049

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
String ID:
API String ID: 3795512280-0
Opcode ID: b8b31297a6b7fd2caede6e64f3dba5235e2d491a051ddd234fceaff90a7579d6
Instruction ID: 9adfd7d73dabb308f16310e036e01f2b5e02da5509c10478562edf0d9c730591
Opcode Fuzzy Hash: b8b31297a6b7fd2caede6e64f3dba5235e2d491a051ddd234fceaff90a7579d6
Instruction Fuzzy Hash: 0A519F71B043005BDB09FB70D864EBF779BAFD1314F440A2DF88A971E0DF6199859A92

Function 029498A5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 70threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,029499A9,?,00000000,00000000), ref: 0294992A
CreateThread.KERNEL32(00000000,00000000,Function_00009993,?,00000000,00000000), ref: 0294993A
CreateThread.KERNEL32(00000000,00000000,Function_000099B5,?,00000000,00000000), ref: 02949946

Part of subcall function 0294A876: GetLocalTime.KERNEL32(?,?,00000000), ref: 0294A884
Part of subcall function 0294A876: wsprintfW.USER32 ref: 0294A905

Strings

Offline Keylogger Started, xrefs: 029498C7, 029498CE, 029498FB

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: CreateThread$LocalTimewsprintf
String ID: Offline Keylogger Started
API String ID: 465354869-4114347211
Opcode ID: 8674834ee2b31571c167e17e9721d343105a5dd2301eff043e6639b6d835b7d7
Instruction ID: 182ac381cdd805616482f9a8e404ed41ae95d3f95a1e89a9647cb4d7cc16ce16
Opcode Fuzzy Hash: 8674834ee2b31571c167e17e9721d343105a5dd2301eff043e6639b6d835b7d7
Instruction Fuzzy Hash: 1E11ECB56003087EF224BA39CC95CBF7B9DDEC12A4B40066DF84A12181EE605E55CBF2

Function 02944915 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 60timethreadCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(00000001,029B3EE8,029B45A8,00000000,?,?,?,?,?,02954D8A,?,00000001), ref: 02944946
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,029B3EE8,029B45A8,00000000,?,?,?,?,?,02954D8A,?,00000001), ref: 02944994
CreateThread.KERNEL32(00000000,00000000,Function_00004B1D,?,00000000,00000000), ref: 029449A7

Strings

KeepAlive | Enabled | Timeout: , xrefs: 0294495C

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: Create$EventLocalThreadTime
String ID: KeepAlive | Enabled | Timeout:
API String ID: 2532271599-1507639952
Opcode ID: fcbb760f45e72a934890c56d084ba92a4c42104104e141353ebfe93d2cd1843b
Instruction ID: f1c5e0870a23eb38413e1b17a9ad2c7e4b084c0ab852ccf538e64a72f2a5f711
Opcode Fuzzy Hash: fcbb760f45e72a934890c56d084ba92a4c42104104e141353ebfe93d2cd1843b
Instruction Fuzzy Hash: F0110271A142A47BDB21ABBA8848FDFBF9CAF867A4F44041AE40952141CF749455CFF2

Function 029526D2 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 37registryCOMMON

Download Yara Rule

APIs

RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 029526E1
RegSetValueExA.KERNEL32(?,029A6748,00000000,?,00000000,00000000,029B42F8,?,?,0294E5FB,029A6748,5.3.0 Pro), ref: 02952709
RegCloseKey.KERNEL32(?,?,?,0294E5FB,029A6748,5.3.0 Pro), ref: 02952714

Strings

pth_unenc, xrefs: 029526D6

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: CloseCreateValue
String ID: pth_unenc
API String ID: 1818849710-4028850238
Opcode ID: 734a65c39ae92d14e8e26bb9e61295b50e6bf1c2506157fa7c84c30fc3adf2c9
Instruction ID: 22dea13d6efe34a7f53a97d7faff3a7a9833eadccc46c43ebdec5f74f11cb254
Opcode Fuzzy Hash: 734a65c39ae92d14e8e26bb9e61295b50e6bf1c2506157fa7c84c30fc3adf2c9
Instruction Fuzzy Hash: 19F06772940118BBCB01AFA0EC15EFA776DEF44690B108614FD06A6050EF31AE14EB60

Function 02944688 Relevance: 6.1, APIs: 4, Instructions: 121synchronizationthreadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,?), ref: 02944778
CreateThread.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 0294478C
WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00000000,?,?,00000000), ref: 02944797
CloseHandle.KERNEL32(?,?,00000000,00000000,?,?,00000000), ref: 029447A0

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: Create$CloseEventHandleObjectSingleThreadWait
String ID:
API String ID: 3360349984-0
Opcode ID: 87b39ba1aa9c844a6b21bfd7dc97ee7b8bc442a2c49ef090f917eae8cf3e73a6
Instruction ID: 80d750756526801e3e5c801a5f2b91d91cc3d3398039b3f673da825d3945d60b
Opcode Fuzzy Hash: 87b39ba1aa9c844a6b21bfd7dc97ee7b8bc442a2c49ef090f917eae8cf3e73a6
Instruction Fuzzy Hash: 9E418075618340ABC714FB64CC54EBFB7EEAFD5320F000A1DF89692190EF64D9499B62

Function 0295B58F Relevance: 6.1, APIs: 4, Instructions: 64fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,029A5900,00000000,00000000,0294C267,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0295B5CE
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0295B5EB
WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0295B5FF
CloseHandle.KERNEL32(00000000), ref: 0295B60C

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandlePointerWrite
String ID:
API String ID: 3604237281-0
Opcode ID: ccc5ec39a7f81a894d408bf92db5d6a59e921a59948a981c1a64370a64a22a99
Instruction ID: 80ff030e5f02989b39c1c6f1a74e95e262e237100587056b2fe23552c01eb346
Opcode Fuzzy Hash: ccc5ec39a7f81a894d408bf92db5d6a59e921a59948a981c1a64370a64a22a99
Instruction Fuzzy Hash: 6C01F9B13552257FE6148D68DC99FBBB39CEB4237CF100A29F951C21C4DB218D068B34

Function 02949D97 Relevance: 6.1, APIs: 4, Instructions: 58sleepfileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,02949E6F), ref: 02949DCD
GetFileSize.KERNEL32(00000000,00000000,?,?,?,02949E6F), ref: 02949DDC
Sleep.KERNEL32(00002710,?,?,?,02949E6F), ref: 02949E09
CloseHandle.KERNEL32(00000000,?,?,?,02949E6F), ref: 02949E10

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleSizeSleep
String ID:
API String ID: 1958988193-0
Opcode ID: aa47d3a98dac1c348d0a981193a108cc359177b376ef3ed8613fc532bcb7d6ed
Instruction ID: 0fc658fcfa790ca97b656416f80776c84934c804f7d8ff228af43dc85e499a9d
Opcode Fuzzy Hash: aa47d3a98dac1c348d0a981193a108cc359177b376ef3ed8613fc532bcb7d6ed
Instruction Fuzzy Hash: 9F112970E846506EF732A76896A9F7F7B9FAB91219F040C0CF18653582DF2068A18765

Function 02944468 Relevance: 4.6, APIs: 3, Instructions: 92synchronizationnetworkCOMMON

Download Yara Rule

APIs

send.WS2_32(?,00000000,00000000,00000000), ref: 029444FD
WaitForSingleObject.KERNEL32(?,00000000,02954CE9,?,?,00000004,?,?,00000004,029B3EE8,029B45A8,00000000), ref: 0294450E
SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,029B3EE8,029B45A8,00000000,?,?,?,?,?,02954CE9), ref: 0294453C

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: EventObjectSingleWaitsend
String ID:
API String ID: 3963590051-0
Opcode ID: cff54a5646430e5d3886eda07cff175cb3f62aa4e9efba0dfede265ec027b6ed
Instruction ID: e9f0913495af875b91433e78a8070cc2532f9239f645eba11f7ec706a112801e
Opcode Fuzzy Hash: cff54a5646430e5d3886eda07cff175cb3f62aa4e9efba0dfede265ec027b6ed
Instruction Fuzzy Hash: 282164B2900119ABDF04FBA4DC84DEEB76DFF54324B000529F916A3590EF74A508CAA0

Function 02952513 Relevance: 4.5, APIs: 3, Instructions: 42registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 02952537
RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 02952554
RegCloseKey.KERNEL32(?), ref: 0295255F

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 90ab17c0ba47db0b4b7f81966df1de6622c29fa9fab9674ddb744edd682ecb9f
Instruction ID: 219d0a55e676d601cc37bbc442c86532675a3ba2569ee40b8b92e6127d9bf3a0
Opcode Fuzzy Hash: 90ab17c0ba47db0b4b7f81966df1de6622c29fa9fab9674ddb744edd682ecb9f
Instruction Fuzzy Hash: 92F0A4B6E40128BBDF209BA5DC58EEF7F7DEB44660F004465BE06E2100DB309A56DBA0

Function 0295265D Relevance: 4.5, APIs: 3, Instructions: 41registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,029B42F8), ref: 02952679
RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 02952692
RegCloseKey.KERNEL32(00000000), ref: 0295269D

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 5c6d9223ed718e0a78ce6269c2e54e96458b175a54499b55a0259e1880f85701
Instruction ID: 9924b541ea6d31c30a15db05c9640aa041e19d51841ca8d10a794dfc6a4d0f19
Opcode Fuzzy Hash: 5c6d9223ed718e0a78ce6269c2e54e96458b175a54499b55a0259e1880f85701
Instruction Fuzzy Hash: E4016D71805129BBCF21AFA1DC05EEF7F79EF01360F004151BE0462020DB328A65DBA0

Function 029524B7 Relevance: 4.5, APIs: 3, Instructions: 38registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 029524D7
RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,029B42F8), ref: 029524F5
RegCloseKey.KERNEL32(?), ref: 02952500

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 0947465e33f7ecb6e36cf0bb3d50a8041cac5f723ee2d63d09ac1909a662ecfe
Instruction ID: 6bc2a467ed251b5d206dd2c5d0abf859a520c72da46444c255850a0edeb12104
Opcode Fuzzy Hash: 0947465e33f7ecb6e36cf0bb3d50a8041cac5f723ee2d63d09ac1909a662ecfe
Instruction Fuzzy Hash: 0DF017B6E40218BFDF119FE49C15BEEBBBCEB04754F1044A1FE05E6180D6719B24AB90

Function 02955D30 Relevance: 4.5, APIs: 3, Instructions: 33threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,Function_0001C96F,00000000,00000000,00000000), ref: 02955D4A
ShowWindow.USER32(00000009), ref: 02955D64
SetForegroundWindow.USER32 ref: 02955D70

Part of subcall function 0295BEB0: AllocConsole.KERNEL32(029B4358), ref: 0295BEB9
Part of subcall function 0295BEB0: ShowWindow.USER32(00000000,00000000), ref: 0295BED2
Part of subcall function 0295BEB0: SetConsoleOutputCP.KERNEL32(000004E4), ref: 0295BEF7

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: Window$ConsoleShow$AllocCreateForegroundOutputThread
String ID:
API String ID: 3446828153-0
Opcode ID: 2350265b5f030305ee7115b16ae7f111a38f133916898812163c90d479d6c68f
Instruction ID: 8e02ae057fd86465aeec511fc06dbfbcce0d849b19ff257690a62544e4ecb5f0
Opcode Fuzzy Hash: 2350265b5f030305ee7115b16ae7f111a38f133916898812163c90d479d6c68f
Instruction Fuzzy Hash: 2DF0BEB5A982109AD221EBA4FC25EFBB76AEF90310F404C2AEC0AC1451DF604864CB65

Function 0295246E Relevance: 4.5, APIs: 3, Instructions: 32registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?,00000000,?,?,0294B996,029A60E0), ref: 02952485
RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,0294B996,029A60E0), ref: 02952499
RegCloseKey.KERNEL32(?,?,?,0294B996,029A60E0), ref: 029524A4

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 118a554e5c7d0418ba5d50f92db39bb948408a5d1602979bdc8c94249e466d18
Instruction ID: f5d30fcbb12609a0990ae665d953cbc0a7e2cf4b58bdd84fc5e3cfa22d919a48
Opcode Fuzzy Hash: 118a554e5c7d0418ba5d50f92db39bb948408a5d1602979bdc8c94249e466d18
Instruction Fuzzy Hash: E6E06D71D45134BBDF318FE29C0DEEBBF6CEF067A0B004040BC09A2201D6218E50E6E0

Function 029527D5 Relevance: 4.5, APIs: 3, Instructions: 31registryCOMMON

Download Yara Rule

APIs

RegCreateKeyA.ADVAPI32(80000001,00000000,029A5554), ref: 029527E3
RegSetValueExA.KERNEL32(029A5554,000000AF,00000000,00000004,00000001,00000004,?,?,?,0294B94C,029A60E0,00000001,000000AF,029A5554), ref: 029527FE
RegCloseKey.ADVAPI32(029A5554,?,?,?,0294B94C,029A60E0,00000001,000000AF,029A5554), ref: 02952809

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: CloseCreateValue
String ID:
API String ID: 1818849710-0
Opcode ID: b1f2978f7f249ebf4bc6a3335b5216b3839c79ed3d2e46753e4c86d35a31c00e
Instruction ID: 3ce5a1cdf6871c3a6a0a93640d317d491eabc049655d59ea8c731c165a7b078f
Opcode Fuzzy Hash: b1f2978f7f249ebf4bc6a3335b5216b3839c79ed3d2e46753e4c86d35a31c00e
Instruction Fuzzy Hash: 56E06571A40114BBEF119FD19C06FEE7B6CEB05BA4F004050FF05E6180D7718A14D7A0

Function 0294455B Relevance: 4.5, APIs: 3, Instructions: 28synchronizationnetworkCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,?,?,0294460E,00000000,?,?), ref: 0294456A
SetEvent.KERNEL32(?,?,?,0294460E,00000000,?,?), ref: 02944588
recv.WS2_32(?,?,?,00000000), ref: 0294459F

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: EventObjectSingleWaitrecv
String ID:
API String ID: 311754179-0
Opcode ID: 72aca136481de8a90b9bbc53f9d991348d0a62e2ed579b21c9258dea57ddf197
Instruction ID: 321a8c7cdefcd2ac60403734296a9b25d1cd378ebb579b0d50f258f14db08bef
Opcode Fuzzy Hash: 72aca136481de8a90b9bbc53f9d991348d0a62e2ed579b21c9258dea57ddf197
Instruction Fuzzy Hash: B9F08276558212BFDB014B54EC08E5AFBA6FF88720F108A1AF514522A09B71AC20CB51

Function 02955250 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 0295526E

Strings

open, xrefs: 02955268

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: ExecuteShell
String ID: open
API String ID: 587946157-2758837156
Opcode ID: e19293cac809b20423d3cbc0eac220509db47d9989cafa4534b93d3a3dc6201f
Instruction ID: f83c34f8bc1f0ad35a3565d5cce8680ee6ea5b1061d19cd13daf3a56ed458326
Opcode Fuzzy Hash: e19293cac809b20423d3cbc0eac220509db47d9989cafa4534b93d3a3dc6201f
Instruction Fuzzy Hash: EDE012B56443059AD214FAB4EC94EFFB36AABD0310F404C2EA50E46081EF605989DA61

Function 0295A945 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(?), ref: 0295A959

Strings

@, xrefs: 0295A94F

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: GlobalMemoryStatus
String ID: @
API String ID: 1890195054-2766056989
Opcode ID: 3f6709b454e6c9bf0248d2ef58ad69df2f8b077ee507003d7ad10454a68282a9
Instruction ID: 9063b6d4aec2a133b01d92562d861fc8c85d6182356eba198df33dd2cc081d5c
Opcode Fuzzy Hash: 3f6709b454e6c9bf0248d2ef58ad69df2f8b077ee507003d7ad10454a68282a9
Instruction Fuzzy Hash: 12D067B99053289FCB20EFA9E945A8DBBF8FB48214F004569E946E3344E774E9058B94

Function 02954B9B Relevance: 3.2, APIs: 2, Instructions: 163COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 02954BC0
GetTickCount.KERNEL32 ref: 02954C3C

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: CountEventTick
String ID:
API String ID: 180926312-0
Opcode ID: a972d2516d60ae808b71740d84daafcdb37f67c06824b5e0d1740088431484d4
Instruction ID: f007225c279d5ada41d192667da6cfdb79b3e90ecf9f2d66c1660ff6687a68d0
Opcode Fuzzy Hash: a972d2516d60ae808b71740d84daafcdb37f67c06824b5e0d1740088431484d4
Instruction Fuzzy Hash: 495140716083509BC624FB64D8A0EFFB3EAAFD1710F40492DA84E57190EF70A989CB56

Function 02955749 Relevance: 3.1, APIs: 2, Instructions: 63sleepfilenetworkCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000064), ref: 02955745
URLDownloadToFileW.URLMON(00000000,00000000,00000002,00000000,00000000), ref: 029557A7

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: DownloadFileSleep
String ID:
API String ID: 1931167962-0
Opcode ID: c726eeff8f7a82d9bf746ad2c416032f7319aba6176941b69aead0feb082aee7
Instruction ID: 39d69dfe5b6678e45c78d063d11dee0a3f6c01df3df57e34e730cd1eabb9d1d7
Opcode Fuzzy Hash: c726eeff8f7a82d9bf746ad2c416032f7319aba6176941b69aead0feb082aee7
Instruction Fuzzy Hash: 13118275A043019BC624FBB4D864DBF77ABAFD4314F404D2EE88A82180EE709988CB52

Function 029441F1 Relevance: 3.0, APIs: 2, Instructions: 40networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(?,00000001,00000006), ref: 02944212

Part of subcall function 02944262: WSAStartup.WS2_32(00000202,00000000), ref: 02944277

CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 02944252

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: CreateEventStartupsocket
String ID:
API String ID: 1953588214-0
Opcode ID: 046ac4e4c226370065ed575d6320500c26add9626051e74fa9662e97b03ffc1c
Instruction ID: 263cd39dd0e2a89f45bb386a02e875b2e9daab4bae074c74802530e41bfe9980
Opcode Fuzzy Hash: 046ac4e4c226370065ed575d6320500c26add9626051e74fa9662e97b03ffc1c
Instruction Fuzzy Hash: D1017CB0858B909ED7358F38B445BA6BFE5AB0A314F045E5EF5DA87B91C7B1A440CF10

Function 0295AC52 Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 0295AC74
GetWindowTextW.USER32(00000000,?,00000100), ref: 0295AC87

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: Window$ForegroundText
String ID:
API String ID: 29597999-0
Opcode ID: 909c81d94c99fc83c300e91b5d556e6421ecdf0097b75f44b2358de26b3b94fe
Instruction ID: 0f7a7c923cbc0d7ad1833b99ef06e2542af0d3f3c9657b0267a0b3c4de3f02f0
Opcode Fuzzy Hash: 909c81d94c99fc83c300e91b5d556e6421ecdf0097b75f44b2358de26b3b94fe
Instruction Fuzzy Hash: 37E080B5E5031467FB20B7B4AC4EFEAB76CA744710F0004D9B519D21C2EDB09904CBE4

Function 02953F9A Relevance: 3.0, APIs: 2, Instructions: 21networkCOMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32(00000000,00000000,00000000,029B1B28,029B4358,00000000,02954240,00000000,00000001), ref: 02953FBC
WSASetLastError.WS2_32(00000000), ref: 02953FC1

Part of subcall function 02953E37: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 02953E86
Part of subcall function 02953E37: LoadLibraryA.KERNEL32(?), ref: 02953EC8
Part of subcall function 02953E37: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 02953EE8
Part of subcall function 02953E37: FreeLibrary.KERNEL32(00000000), ref: 02953EEF
Part of subcall function 02953E37: LoadLibraryA.KERNEL32(?), ref: 02953F27
Part of subcall function 02953E37: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 02953F39
Part of subcall function 02953E37: FreeLibrary.KERNEL32(00000000), ref: 02953F40
Part of subcall function 02953E37: GetProcAddress.KERNEL32(00000000,?), ref: 02953F4F

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: Library$AddressProc$FreeLoad$DirectoryErrorLastSystemgetaddrinfo
String ID:
API String ID: 1170566393-0
Opcode ID: f7e0cc7ef3ba4fece0abd98beb848d8d83e00e2567d71094abc3c8210c710ec0
Instruction ID: abc5786e40f24c0f23187c75a00c80a32413c84b4ff12880797d0e17dc00f99f
Opcode Fuzzy Hash: f7e0cc7ef3ba4fece0abd98beb848d8d83e00e2567d71094abc3c8210c710ec0
Instruction Fuzzy Hash: 7BD01272B841316BB355969D6D40EBAEBDCDFD6660716046AF804D2100DA508C1687A5

Function 0295567A Relevance: 3.0, APIs: 2, Instructions: 19COMMON

Download Yara Rule

APIs

waveInStop.WINMM ref: 02955686
waveInClose.WINMM ref: 02955692

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: wave$CloseStop
String ID:
API String ID: 3638528417-0
Opcode ID: 0c69847d99f9bfefdaabfa03339bc39b8d66bc0b8d58abdd1aa9e744749440d6
Instruction ID: adbab03dc7d6bae691bbe45a8d2f9d7addffff4407536406b26bb2e6a636b311
Opcode Fuzzy Hash: 0c69847d99f9bfefdaabfa03339bc39b8d66bc0b8d58abdd1aa9e744749440d6
Instruction Fuzzy Hash: 11E0863695C250CBC319EBA8E524EFEB7A2EBD1311F410C2DD40D82451EF7115A9DF62

Function 0294BED7 Relevance: 3.0, APIs: 2, Instructions: 13synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexA.KERNEL32(00000000,00000001,00000000,0294D9AA,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,029A556C,00000003,00000000), ref: 0294BEE6
GetLastError.KERNEL32 ref: 0294BEF1

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: CreateErrorLastMutex
String ID:
API String ID: 1925916568-0
Opcode ID: fde9d0678ce2079a6699fce2bcfb7db7af1c37a0d9cf12da449b120248d11685
Instruction ID: 5b92af447f18674fdf24f3e2106a2222fa5feff7c7292ff7054c117301115552
Opcode Fuzzy Hash: fde9d0678ce2079a6699fce2bcfb7db7af1c37a0d9cf12da449b120248d11685
Instruction Fuzzy Hash: 90D012B4AA83009BDB0817B8795DBBE3595ABC4742F04091AB10BC51C0CF6488605911

Function 02949517 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 02949531

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: _wcslen
String ID:
API String ID: 176396367-0
Opcode ID: a0f7d36c93a29414cec89811efe14eede90d354344d5ec8db113a5deac6dfe73
Instruction ID: c62dd7e2d0b72a2ceaaddbb3694d97623f1d5ab6b3cdf35f40679047dca1ca94
Opcode Fuzzy Hash: a0f7d36c93a29414cec89811efe14eede90d354344d5ec8db113a5deac6dfe73
Instruction Fuzzy Hash: 0F11B931D002099FDB19EF64D950DEF7BB6EFA4310B10442EE85663291EF70A965CF90

Function 02954F36 Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

StrToIntA.SHLWAPI(00000000,00000000), ref: 02954F49

Part of subcall function 0295BB77: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0295BC6C

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: aed16b5aa620c18639a19ced30658596308645b3f629bb7d5ee24ed9cbddcda8
Instruction ID: 0874ff97c69fa88325517ed1c085c858721e3500e8944a19af0e4ce190956129
Opcode Fuzzy Hash: aed16b5aa620c18639a19ced30658596308645b3f629bb7d5ee24ed9cbddcda8
Instruction Fuzzy Hash: 62014C766043008AC618FB70D861EFFB3E3AFD4714F40082ED44E97190EF609A89CB52

Function 02949A97 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

CallNextHookEx.USER32(029B40F8,?,?,?), ref: 02949B02

Part of subcall function 0294AD56: GetKeyState.USER32(00000011), ref: 0294AD5B

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: CallHookNextState
String ID:
API String ID: 3280314413-0
Opcode ID: b0ee3bfc2c1cfe39f85e40623538c03be8d6bc00177d38e39a1bca14a8f64ce8
Instruction ID: 1f56a71152de09f245b3bfe76f3523bdc7322429c0027f7ed1ba28a916e65649
Opcode Fuzzy Hash: b0ee3bfc2c1cfe39f85e40623538c03be8d6bc00177d38e39a1bca14a8f64ce8
Instruction Fuzzy Hash: 6CF0F4322482855BEA18AEBC9CE4D7F775AEBC6319F00042EF40246954CFA5C418CB10

Function 02955020 Relevance: 1.5, APIs: 1, Instructions: 42COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,0000000A), ref: 02955027

Part of subcall function 0294E6A3: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0294E6C1
Part of subcall function 0294E6A3: Process32FirstW.KERNEL32(00000000,?), ref: 0294E6E5
Part of subcall function 0294E6A3: Process32NextW.KERNEL32(00000000,0000022C), ref: 0294E6F4

Part of subcall function 02944468: send.WS2_32(?,00000000,00000000,00000000), ref: 029444FD

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: Process32$CreateCurrentFirstNextProcessSnapshotToolhelp32send
String ID:
API String ID: 199960123-0
Opcode ID: 554498a3066f0dbaaae832581cea94aa1f9bf7c7d0885d53ea9ec5c282b2a3a9
Instruction ID: 4d15e9a66bc1ef5c2c805ed1025ca5c8292adefc4f114fffec6f1727a145d861
Opcode Fuzzy Hash: 554498a3066f0dbaaae832581cea94aa1f9bf7c7d0885d53ea9ec5c282b2a3a9
Instruction Fuzzy Hash: 76011276A482004BC214FBB4E864EFFB3E6AFD0310F50482DE94D86190EFB49989DF56

Function 0295517D Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

SetWindowTextW.USER32(00000000,00000000), ref: 029551AA

Part of subcall function 02956A68: EnumWindows.USER32(Function_00016751,00000000), ref: 02956A80

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: EnumTextWindowWindows
String ID:
API String ID: 2480600497-0
Opcode ID: 4387fc24c69896a414483500a977aaebc94c33aeae80039b7006ff38f363e074
Instruction ID: 617d5fedfe4daf7b1f29ddaa81d577c5ddafcc8ccb2300c218dcdda8108c8cb6
Opcode Fuzzy Hash: 4387fc24c69896a414483500a977aaebc94c33aeae80039b7006ff38f363e074
Instruction Fuzzy Hash: 2CF012756583418AC614FA74E855EFF73AA9FD0710F40482EE40E86090EF609988CF51

Function 02986AFF Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,02974403,?,?,02977227,?,?,?,?,?,0294CC87,02974403,?,?,?,?), ref: 02986B31

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 0eba2dc42589c2d2ddd7af72a08e36d445ecb6b0c355e09724b80b00dc79a9f7
Instruction ID: 2531626fc7afc910c39f113af4d6c4bd5239a6fdcc9ee32dfa69165e163422eb
Opcode Fuzzy Hash: 0eba2dc42589c2d2ddd7af72a08e36d445ecb6b0c355e09724b80b00dc79a9f7
Instruction Fuzzy Hash: D7E09B3164C16556EA213A69DD04F6B7ACD9F817BCF0D012DDC199E1D0DF50D40085F5

Function 02955145 Relevance: 1.5, APIs: 1, Instructions: 29threadCOMMON

Download Yara Rule

APIs

GetWindowThreadProcessId.USER32(00000000,00000000), ref: 02955164

Part of subcall function 0295AD19: OpenProcess.KERNEL32(00000001,00000000,00000000,?,?,0295509E,00000000), ref: 0295AD21
Part of subcall function 0295AD19: TerminateProcess.KERNEL32(00000000,00000000,?,?,0295509E,00000000), ref: 0295AD2F
Part of subcall function 0295AD19: CloseHandle.KERNEL32(00000000,?,?,0295509E,00000000), ref: 0295AD3B

Part of subcall function 02956A68: EnumWindows.USER32(Function_00016751,00000000), ref: 02956A80

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: Process$CloseEnumHandleOpenTerminateThreadWindowWindows
String ID:
API String ID: 2526979043-0
Opcode ID: a0f14ec263eb68b79520af16571d49d222b61263b2bceceb576482edc02696eb
Instruction ID: 9ca9028c555e5765178afa3507b0c988a8705c2a12c96ce9f886ac27bf1ce1ba
Opcode Fuzzy Hash: a0f14ec263eb68b79520af16571d49d222b61263b2bceceb576482edc02696eb
Instruction Fuzzy Hash: 70F0377564834086C514FBB0E854EBFB3AAAFD0310F400D2EE95D86090DF605985CF51

Function 0295513D Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000,00000003), ref: 0295512E

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 9ea313cabb418372e4a518c2de929b385ce88e95ac72e1e5f74e287bc6a0628e
Instruction ID: f23deb255190c14edf651eb5d27f75e5267abe4920dccf4f43b7f5c52c3ac1e6
Opcode Fuzzy Hash: 9ea313cabb418372e4a518c2de929b385ce88e95ac72e1e5f74e287bc6a0628e
Instruction Fuzzy Hash: 50E01A7565834186C624FAB4E855FFFB366AFE0710F80482ED41E8A490EFB09988DE51

Function 02955139 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000,00000003), ref: 0295512E

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 2928c4600b8da959e7ce6a23b07869062ca1e4005e78c926a7b8978600d2c1df
Instruction ID: 828bb06d85350aff1d1668a59b5b0c8f2465bf345a63cb85976024ca233065eb
Opcode Fuzzy Hash: 2928c4600b8da959e7ce6a23b07869062ca1e4005e78c926a7b8978600d2c1df
Instruction Fuzzy Hash: A5E0927564830086C114FAB0E815FFFB366AFD0710F40482ED40E8A080EFB05888CA51

Function 02955141 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000,00000003), ref: 0295512E

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 631e413b6cc6cae6e74860a64f953bb064c71f9e9a11aadfea82e3090045031e
Instruction ID: b45fd3a2f13c01375ad3d68c6c8f7a75ff274f06dfdda44f48d0bf8d2113f64c
Opcode Fuzzy Hash: 631e413b6cc6cae6e74860a64f953bb064c71f9e9a11aadfea82e3090045031e
Instruction Fuzzy Hash: 73E01A7565834186C624FAB4E855FFFB366AFE0710F80482ED41E8A490EFB09988DA51

Function 02955112 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000,00000003), ref: 0295512E

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 9abab721544d9c97bc3ffcfbd0f2a139746fd4308b94dcba784067256bc86556
Instruction ID: da65c33386f54bf577555a8629c0a3aab7a23452075ff7d023f55567baca2386
Opcode Fuzzy Hash: 9abab721544d9c97bc3ffcfbd0f2a139746fd4308b94dcba784067256bc86556
Instruction Fuzzy Hash: 06E01A7564834086C624FAB4E865FFFB36AAFE0710F40082ED40E8A490EFB05A89DA51

Function 029550ED Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

CloseWindow.USER32(00000000), ref: 02955107

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: CloseWindow
String ID:
API String ID: 2868366576-0
Opcode ID: 8df106bf76901c9f572b2765358ca9c869661cb681a169c265685a5e8d03dda7
Instruction ID: 520300bc4b44546233add58a69884b48f7cecd5e94aa6f485b7c495cfddb7b3e
Opcode Fuzzy Hash: 8df106bf76901c9f572b2765358ca9c869661cb681a169c265685a5e8d03dda7
Instruction Fuzzy Hash: C3E04F7564834086C624FBB4E854EFFB366AFE0310F404C3ED40E86080EF709989DE51

Function 02955702 Relevance: 1.5, APIs: 1, Instructions: 21fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(00000000,00000000), ref: 02955715

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 01e228b94afaa3f3072002a6eda3c97606a566fa915727641f55902ee121f85a
Instruction ID: bb5cebd0d6527a291cedf3ccc88e1f3348f60be5b2d30eb77a848b42f6f8ab95
Opcode Fuzzy Hash: 01e228b94afaa3f3072002a6eda3c97606a566fa915727641f55902ee121f85a
Instruction Fuzzy Hash: FAE0467561820086C624FAB4E860EFFB3AAAFE0310F40482ED40E86080EF609989CA52

Function 02944262 Relevance: 1.5, APIs: 1, Instructions: 15networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000202,00000000), ref: 02944277

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: 64a3358f8160f8a2549456fc05e2014156da980c5865f37ca439ccf3db59049d
Instruction ID: 889996889c0250772ec77a54ab6b0932af0f6b32d7d30b8cc9df980c39968151
Opcode Fuzzy Hash: 64a3358f8160f8a2549456fc05e2014156da980c5865f37ca439ccf3db59049d
Instruction Fuzzy Hash: 44D0C7629985084AD51165B4590B8B4775CD317611F0007655875825C2E541262C82A6

Function 0294262E Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

_Deallocate.LIBCONCRT ref: 02942636

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: Deallocate
String ID:
API String ID: 1075933841-0
Opcode ID: fa11f090124af29c98583f2c3e9d30177ae40f5e0afd44ce9742dc7edc058cff
Instruction ID: e86422731d6ec0829863cb0f264bc67b96ef15e006d34662f485bfe40858ec9b
Opcode Fuzzy Hash: fa11f090124af29c98583f2c3e9d30177ae40f5e0afd44ce9742dc7edc058cff
Instruction Fuzzy Hash: 04A0123300C2016A85852B10DC00C0ABF92FBD0360F20C40EF08604070CF3250B0EB01

Non-executed Functions

Function 02946F06 Relevance: 34.1, APIs: 10, Strings: 9, Instructions: 849filesleepCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 02946F28
GetFileAttributesW.KERNEL32(00000000,00000000,00000000), ref: 02946FF8
DeleteFileW.KERNEL32(00000000), ref: 02947018

Part of subcall function 0295B42F: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,029B42E0,029B42F8), ref: 0295B489
Part of subcall function 0295B42F: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,029B42E0,029B42F8), ref: 0295B4BB
Part of subcall function 0295B42F: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,029B42E0,029B42F8), ref: 0295B50C
Part of subcall function 0295B42F: FindClose.KERNEL32(00000000,?,?,?,?,?,?,029B42E0,029B42F8), ref: 0295B561
Part of subcall function 0295B42F: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,029B42E0,029B42F8), ref: 0295B568

Part of subcall function 02944468: send.WS2_32(?,00000000,00000000,00000000), ref: 029444FD

Part of subcall function 02946BE9: CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,029A5454,?,?,00000000,02947273,00000000,?,0000000A,00000000), ref: 02946C38
Part of subcall function 02946BE9: WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,000186A0,?,?,?,00000000,02947273,00000000,?,0000000A,00000000), ref: 02946C80
Part of subcall function 02946BE9: CloseHandle.KERNEL32(00000000,?,?,00000000,02947273,00000000,?,0000000A,00000000,00000000), ref: 02946CC0
Part of subcall function 02946BE9: MoveFileW.KERNEL32(00000000,00000000), ref: 02946CDD

Part of subcall function 0295A686: GetLocalTime.KERNEL32(00000000), ref: 0295A6A0

Part of subcall function 02944468: WaitForSingleObject.KERNEL32(?,00000000,02954CE9,?,?,00000004,?,?,00000004,029B3EE8,029B45A8,00000000), ref: 0294450E
Part of subcall function 02944468: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,029B3EE8,029B45A8,00000000,?,?,?,?,?,02954CE9), ref: 0294453C

ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 02947416
GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 029474F5
SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 0294773A
DeleteFileA.KERNEL32(?), ref: 029478CC

Part of subcall function 02947A8C: __EH_prolog.LIBCMT ref: 02947A91
Part of subcall function 02947A8C: FindFirstFileW.KERNEL32(00000000,?,029A5AA0,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 02947B4A
Part of subcall function 02947A8C: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 02947B6E

Sleep.KERNEL32(000007D0), ref: 02947976
StrToIntA.SHLWAPI(00000000,00000000), ref: 029479BA

Part of subcall function 0295BB77: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0295BC6C

Strings

Browsing directory: , xrefs: 029474B6
Downloaded file: , xrefs: 029472A8
open, xrefs: 02947410
Failed to download file: , xrefs: 02947321
Deleted file: , xrefs: 0294703A
Downloading file: , xrefs: 029471F3
Unable to rename file!, xrefs: 0294768F
Executing file: , xrefs: 0294742F
Unable to delete: , xrefs: 02947078

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: File$Find$AttributesCloseDeleteDirectoryEventFirstNextRemove$CreateDriveExecuteH_prologHandleInfoLocalLogicalMoveObjectParametersShellSingleSleepStringsSystemTimeWaitWritesend
String ID: Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$open
API String ID: 2918587301-1507758755
Opcode ID: 4333e5f6407bbab2ea51b0c492cdffa69f8d2742b8de3ce42090d336069e16f0
Instruction ID: 8a1995376ef46b464dbf64d588735b7e86b7cdf6cf4123cfb5472fcc6c70b72b
Opcode Fuzzy Hash: 4333e5f6407bbab2ea51b0c492cdffa69f8d2742b8de3ce42090d336069e16f0
Instruction Fuzzy Hash: 0C427372A043005BD618F7B4D865EBFB7ABAFD1710F400A5DE84A57290EF609A49CF93

Function 02945042 Relevance: 30.0, APIs: 15, Strings: 2, Instructions: 280pipesleepfileCOMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0294508E

Part of subcall function 029734CF: EnterCriticalSection.KERNEL32(029B0D18,029B5D2C,?,0294AEAC,029B5D2C,02996D97,?,00000000,00000000), ref: 029734D9
Part of subcall function 029734CF: LeaveCriticalSection.KERNEL32(029B0D18,?,0294AEAC,029B5D2C,02996D97,?,00000000,00000000), ref: 0297350C

Part of subcall function 02944468: send.WS2_32(?,00000000,00000000,00000000), ref: 029444FD

__Init_thread_footer.LIBCMT ref: 029450CB
CreatePipe.KERNEL32(029B5CEC,029B5CD4,029B5BF8,00000000,029A556C,00000000), ref: 0294515E
CreatePipe.KERNEL32(029B5CD8,029B5CF4,029B5BF8,00000000), ref: 02945174
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,029B5C08,029B5CDC), ref: 029451E7

Part of subcall function 02973519: EnterCriticalSection.KERNEL32(029B0D18,?,029B5D2C,?,0294AE8B,029B5D2C,?,00000000,00000000), ref: 02973524
Part of subcall function 02973519: LeaveCriticalSection.KERNEL32(029B0D18,?,0294AE8B,029B5D2C,?,00000000,00000000), ref: 02973561

Sleep.KERNEL32(0000012C,00000093,?), ref: 0294523F
PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 02945264
ReadFile.KERNEL32(00000000,?,?,00000000), ref: 02945291

Part of subcall function 029738A5: __onexit.LIBCMT ref: 029738AB

WriteFile.KERNEL32(00000000,00000000,?,00000000,029B3F98,029A5570,00000062,029A5554), ref: 0294538E
Sleep.KERNEL32(00000064,00000062,029A5554), ref: 029453A8
TerminateProcess.KERNEL32(00000000), ref: 029453C1
CloseHandle.KERNEL32 ref: 029453CD
CloseHandle.KERNEL32 ref: 029453D5
CloseHandle.KERNEL32 ref: 029453E7
CloseHandle.KERNEL32 ref: 029453EF

Strings

cmd.exe, xrefs: 029450F5
SystemDrive, xrefs: 02945109

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: CloseCriticalHandleSection$CreatePipe$EnterFileInit_thread_footerLeaveProcessSleep$NamedPeekReadTerminateWrite__onexitsend
String ID: SystemDrive$cmd.exe
API String ID: 3815868655-3633465311
Opcode ID: 348bab97bc4d7e9b8fa72f22b7d1b4191d220fb3b53cef8f59978303ee7c8104
Instruction ID: a1732d4f295fd6aa1fc8d6858470f7e62a3ff0bc9f9dfd209be8b3fe0a9e11aa
Opcode Fuzzy Hash: 348bab97bc4d7e9b8fa72f22b7d1b4191d220fb3b53cef8f59978303ee7c8104
Instruction Fuzzy Hash: DA91F8B1A48304AFD606BBB8EE50D7F77ABABD0345FC2092DF80A96181DF605C548F61

Function 02950F36 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 238threadCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 02950F45

Part of subcall function 029527D5: RegCreateKeyA.ADVAPI32(80000001,00000000,029A5554), ref: 029527E3
Part of subcall function 029527D5: RegSetValueExA.KERNEL32(029A5554,000000AF,00000000,00000004,00000001,00000004,?,?,?,0294B94C,029A60E0,00000001,000000AF,029A5554), ref: 029527FE
Part of subcall function 029527D5: RegCloseKey.ADVAPI32(029A5554,?,?,?,0294B94C,029A60E0,00000001,000000AF,029A5554), ref: 02952809

OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 02950F81
CreateThread.KERNEL32(00000000,00000000,02951637,00000000,00000000,00000000), ref: 02950FE6

Part of subcall function 029524B7: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 029524D7
Part of subcall function 029524B7: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,029B42F8), ref: 029524F5
Part of subcall function 029524B7: RegCloseKey.KERNEL32(?), ref: 02952500

CloseHandle.KERNEL32(00000000), ref: 02950F90

Part of subcall function 0295A686: GetLocalTime.KERNEL32(00000000), ref: 0295A6A0

OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 0295125A

Strings

Remcos restarted by watchdog!, xrefs: 02950F9B
WinDir, xrefs: 02951056, 029510AB
rmclient.exe, xrefs: 02951125
fsutil.exe, xrefs: 0295114A
\system32\, xrefs: 02951044
Watchdog launch failed!, xrefs: 029511BE
WDH, xrefs: 02950FF0, 02950FF6, 02951260
\SysWOW64\, xrefs: 0295109C
svchost.exe, xrefs: 02951100
Watchdog module activated, xrefs: 02950FBF, 02951210

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: CloseOpen$CreateProcessValue$CurrentHandleLocalMutexQueryThreadTime
String ID: Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe
API String ID: 65172268-13974260
Opcode ID: 0f61a790fd4880152fcc8b7bf7907181311947ec252ba78e438236481488dd02
Instruction ID: 4168caf40b124a1b34efd961c31c277ffe5a923173e4f1ae4ce1fd929ace2681
Opcode Fuzzy Hash: 0f61a790fd4880152fcc8b7bf7907181311947ec252ba78e438236481488dd02
Instruction Fuzzy Hash: 3E71A131A0430157D618FB70D965DBFB7EAAFE1724F40092DF88A521D0EFA09A49CF96

Function 0294B335 Relevance: 24.6, APIs: 8, Strings: 6, Instructions: 145fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0294B3B4
FindClose.KERNEL32(00000000), ref: 0294B3CE
FindNextFileA.KERNEL32(00000000,?), ref: 0294B4F1
FindClose.KERNEL32(00000000), ref: 0294B517

Strings

\key3.db, xrefs: 0294B47B
\AppData\Roaming\Mozilla\Firefox\Profiles\, xrefs: 0294B357
UserProfile, xrefs: 0294B365
[Firefox StoredLogins not found], xrefs: 0294B3D9
\logins.json, xrefs: 0294B439
[Firefox StoredLogins Cleared!], xrefs: 0294B504

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: Find$CloseFile$FirstNext
String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
API String ID: 1164774033-3681987949
Opcode ID: 45850eaf48a361488eff7524ba27dc3d1efa11e54015cd88a41b5b7906679499
Instruction ID: cec21f1e9e5c3c030aced4cd90ace45438ad452bd59c1d6a407bfa5c72684527
Opcode Fuzzy Hash: 45850eaf48a361488eff7524ba27dc3d1efa11e54015cd88a41b5b7906679499
Instruction Fuzzy Hash: 7C512171E142195BDB14FBF4DC65EEEB73AAFA0314F400169E40A66090EF709A85CE94

Function 0294B53A Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 130fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0294B5B2
FindClose.KERNEL32(00000000), ref: 0294B5CC
FindNextFileA.KERNEL32(00000000,?), ref: 0294B68C
FindClose.KERNEL32(00000000), ref: 0294B6B2
FindClose.KERNEL32(00000000), ref: 0294B6D1

Strings

[Firefox cookies found, cleared!], xrefs: 0294B6E0
[Firefox Cookies not found], xrefs: 0294B5D7, 0294B69F
\cookies.sqlite, xrefs: 0294B62F
\AppData\Roaming\Mozilla\Firefox\Profiles\, xrefs: 0294B555
UserProfile, xrefs: 0294B563

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: Find$Close$File$FirstNext
String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
API String ID: 3527384056-432212279
Opcode ID: 96ff6e39fd6abf76572a0a97b71b59be79dcdc133fa081af8ef4bfdb979c36fc
Instruction ID: 8c33be1062a60d95f3d53b9094a906722ce003f2fd413d52b66f12e89db38d1c
Opcode Fuzzy Hash: 96ff6e39fd6abf76572a0a97b71b59be79dcdc133fa081af8ef4bfdb979c36fc
Instruction Fuzzy Hash: 1B416171E142196BDB14F7B4DC65DFEB77EAF91328F400569E40A93080EF709A85CE91

Function 0294E219 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 212processCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,?,?,029B4358), ref: 0294E233
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,029B4358), ref: 0294E25E
Process32FirstW.KERNEL32(00000000,0000022C), ref: 0294E27A
Process32NextW.KERNEL32(00000000,0000022C), ref: 0294E2FD
CloseHandle.KERNEL32(00000000,?,?,029B4358), ref: 0294E30C

Part of subcall function 029527D5: RegCreateKeyA.ADVAPI32(80000001,00000000,029A5554), ref: 029527E3
Part of subcall function 029527D5: RegSetValueExA.KERNEL32(029A5554,000000AF,00000000,00000004,00000001,00000004,?,?,?,0294B94C,029A60E0,00000001,000000AF,029A5554), ref: 029527FE
Part of subcall function 029527D5: RegCloseKey.ADVAPI32(029A5554,?,?,?,0294B94C,029A60E0,00000001,000000AF,029A5554), ref: 02952809

CloseHandle.KERNEL32(00000000,?,?,029B4358), ref: 0294E371

Strings

ieinstal.exe, xrefs: 0294E3D6
ielowutil.exe, xrefs: 0294E417
C:\Program Files(x86)\Internet Explorer\, xrefs: 0294E3BF
Inj, xrefs: 0294E515

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: Close$CreateHandleProcess32$FileFirstModuleNameNextSnapshotToolhelp32Value
String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe
API String ID: 726551946-1743721670
Opcode ID: 9fdbaf981c73942fdef33f31e4203a3d58f3c938c8acbea9ee10297b2f101632
Instruction ID: 77283eabeae1cd4a4cafa110bbb4b2ed843cda4cb1e2cb142cc66e508064861a
Opcode Fuzzy Hash: 9fdbaf981c73942fdef33f31e4203a3d58f3c938c8acbea9ee10297b2f101632
Instruction Fuzzy Hash: 4E714C755483418BCB28EB60D9A0EEFB7AABFD1354F44092DE5CA43190EF709A49CF52

Function 02958754 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 197COMMON

Download Yara Rule

Strings

6, xrefs: 02958935
5, xrefs: 0295892B
7, xrefs: 0295894C
3, xrefs: 02958876
0, xrefs: 0295877D
2, xrefs: 02958816
4, xrefs: 029588DA
1, xrefs: 029587B6

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID:
String ID: 0$1$2$3$4$5$6$7
API String ID: 0-3177665633
Opcode ID: 7f7be4cd441c161c10abb7e55055df1c7c9ce79d1b76d4febbaa4fe2ebe8d9b0
Instruction ID: d7180d8485de789415de9cf6e32687f8eca593bfe64ee426f91c27c39256ca7f
Opcode Fuzzy Hash: 7f7be4cd441c161c10abb7e55055df1c7c9ce79d1b76d4febbaa4fe2ebe8d9b0
Instruction Fuzzy Hash: 47617C38609351AEDB00EF20D8A1FAE7BE6AFC5751F40489CE991576E4DF309A48CB53

Function 02946764 Relevance: 15.8, APIs: 2, Strings: 7, Instructions: 55COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 02946788
CoGetObject.OLE32(?,00000024,029A59B0,00000000), ref: 029467E9

Strings

[+] CoGetObject SUCCESS, xrefs: 029467F8
Elevation:Administrator!new:, xrefs: 029467A9
[-] CoGetObject FAILURE, xrefs: 029467F1, 02946800
[+] CoGetObject, xrefs: 029467C8
[+] ucmAllocateElevatedObject, xrefs: 0294676F
{3E5FC7F9-9A51-4367-9063-A120244FBEC7}, xrefs: 0294677D, 02946782, 029467C1
$, xrefs: 029467A2

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: Object_wcslen
String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
API String ID: 240030777-3166923314
Opcode ID: 077b49d68c25e0d93e07882a0267f1fa6191dc6c4025928c0392a3851e9ad2bc
Instruction ID: df701c07995c93b66e543e560d3a4a1cdb88d088b528ce7bd11054ab8ae40a1d
Opcode Fuzzy Hash: 077b49d68c25e0d93e07882a0267f1fa6191dc6c4025928c0392a3851e9ad2bc
Instruction Fuzzy Hash: B21116B2E10218AFEB14E7A8C855EAEB7BDDB85720F950069E905E3140DA749A04CEB4

Function 029598C2 Relevance: 15.2, APIs: 10, Instructions: 228serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,029B48F8), ref: 029598D8
EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 02959927
GetLastError.KERNEL32 ref: 02959935
EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0295996D

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: EnumServicesStatus$ErrorLastManagerOpen
String ID:
API String ID: 3587775597-0
Opcode ID: ad69aaa0002d2e00757e0b35ffe99843c456eba2cfcbb7280453029a5692ffd1
Instruction ID: 55d79caafb2c2984b34934a536d55692e1063dd5b8e8357874f9abe58fe23165
Opcode Fuzzy Hash: ad69aaa0002d2e00757e0b35ffe99843c456eba2cfcbb7280453029a5692ffd1
Instruction Fuzzy Hash: FF815A71508304AFD318EB60D894EAFB7A9BFD4714F50092EF48656190EF70EA49CFA6

Function 0295B42F Relevance: 13.6, APIs: 9, Instructions: 105fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,029B42E0,029B42F8), ref: 0295B489
FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,029B42E0,029B42F8), ref: 0295B4BB
SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,?,029B42E0,029B42F8), ref: 0295B529
DeleteFileW.KERNEL32(?,?,?,?,?,?,?,029B42E0,029B42F8), ref: 0295B536

Part of subcall function 0295B42F: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,029B42E0,029B42F8), ref: 0295B50C

FindClose.KERNEL32(00000000,?,?,?,?,?,?,029B42E0,029B42F8), ref: 0295B561
RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,029B42E0,029B42F8), ref: 0295B568
GetLastError.KERNEL32(?,?,?,?,?,?,029B42E0,029B42F8), ref: 0295B570
FindClose.KERNEL32(00000000,?,?,?,?,?,?,029B42E0,029B42F8), ref: 0295B583

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
String ID:
API String ID: 2341273852-0
Opcode ID: e5a2d12e19fed293b03036f86a79d06fa8edb5f9e70783d939dc00a559c92831
Instruction ID: d688a4a1f51c384fae8971c32fc285818187896451143b930f11069fc5b6bc6a
Opcode Fuzzy Hash: e5a2d12e19fed293b03036f86a79d06fa8edb5f9e70783d939dc00a559c92831
Instruction Fuzzy Hash: 1E31807295822CAADB24DAB4DC58FEEB7BCAF45318F4409D6F905D2040EB719789CF20

Function 02952F45 Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 391registrylibraryloaderCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 0295301A
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 02953026

Part of subcall function 02944468: send.WS2_32(?,00000000,00000000,00000000), ref: 029444FD

LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 029531ED
GetProcAddress.KERNEL32(00000000), ref: 029531F4

Strings

SHDeleteKeyW, xrefs: 029531E3
Shlwapi.dll, xrefs: 029531E8

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: AddressCloseCreateLibraryLoadProcsend
String ID: SHDeleteKeyW$Shlwapi.dll
API String ID: 2127411465-314212984
Opcode ID: 32c8d831a5968f52c44dba58283e976972042bb85181410658a2028071c98f62
Instruction ID: c5293ddfbc6f25a3544076f4b0292b53c310d0b554f22b233dddf419684db0b0
Opcode Fuzzy Hash: 32c8d831a5968f52c44dba58283e976972042bb85181410658a2028071c98f62
Instruction Fuzzy Hash: 53B1C472B043106BCA18FB78CCA5DBF779A9FD0754F400A5DEC4A931D1EF609A49CA92

Function 0294B21B Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 48fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0294B257
GetLastError.KERNEL32 ref: 0294B261

Strings

[Chrome StoredLogins found, cleared!], xrefs: 0294B287
UserProfile, xrefs: 0294B227
\AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0294B222
[Chrome StoredLogins not found], xrefs: 0294B27B

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: DeleteErrorFileLast
String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
API String ID: 2018770650-1062637481
Opcode ID: f74b18f06268a4debd57b0f5aa2d274775931bb2bf764f51508a2c06aaed7bbc
Instruction ID: f588f612c9f1d02c7c342a337c9f860488ed807a7ee3657a5fcb71591f2f1a79
Opcode Fuzzy Hash: f74b18f06268a4debd57b0f5aa2d274775931bb2bf764f51508a2c06aaed7bbc
Instruction Fuzzy Hash: 6401F472F94204B79B04BAB8DD7ACFF3729A9B1618B900219E40B531D4FF51DA85CAC1

Function 02956AB7 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 32COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028,?), ref: 02956AC4
OpenProcessToken.ADVAPI32(00000000), ref: 02956ACB
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 02956ADD
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 02956AFC
GetLastError.KERNEL32 ref: 02956B02

Strings

SeShutdownPrivilege, xrefs: 02956AD7

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
String ID: SeShutdownPrivilege
API String ID: 3534403312-3733053543
Opcode ID: 9f1f8db36dcfa6a2e87adb76cd317dac4950c6e5a4ed76845b97c00f9af7d30c
Instruction ID: 2d4e6a03909570b0a87bd16677c9e763230aa64e72490a93d91c3a0a7c9447e2
Opcode Fuzzy Hash: 9f1f8db36dcfa6a2e87adb76cd317dac4950c6e5a4ed76845b97c00f9af7d30c
Instruction Fuzzy Hash: 17F0DAB5855129BBDB109BD5DC0DEFFBFBCEF05665F000451B806A2140DA744A14CAB1

Function 02992F00 Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMONLIBRARYCODE

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 02993046

Strings

1#SNAN, xrefs: 02994245
1#IND, xrefs: 0299423E
1#INF, xrefs: 02994253
1#QNAN, xrefs: 0299424C

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: e65022623c6823fedd1ecd174e0d436c01da7e2785b55f08ebc7059f357923f1
Instruction ID: fbe8d56f4fb814d29dae4dcee80be19b51f9c958773e6a5f0db8c5dcf0296b14
Opcode Fuzzy Hash: e65022623c6823fedd1ecd174e0d436c01da7e2785b55f08ebc7059f357923f1
Instruction Fuzzy Hash: A6C24C71E086288FDF25CE28DD407EAB7B9EB84325F1545EAD80DE7240E775AE818F44

Function 029489A9 Relevance: 9.3, APIs: 6, Instructions: 288fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 029489AE

Part of subcall function 029441F1: socket.WS2_32(?,00000001,00000006), ref: 02944212

Part of subcall function 0294428C: connect.WS2_32(?,?,?), ref: 029442A5

FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 02948A8D
FindNextFileW.KERNEL32(00000000,?), ref: 02948AE0
FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 02948AF7

Part of subcall function 02944468: WaitForSingleObject.KERNEL32(?,00000000,02954CE9,?,?,00000004,?,?,00000004,029B3EE8,029B45A8,00000000), ref: 0294450E
Part of subcall function 02944468: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,029B3EE8,029B45A8,00000000,?,?,?,?,?,02954CE9), ref: 0294453C

Part of subcall function 029447EB: WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,02944B8E,?,?,?,02944B26), ref: 029447FD
Part of subcall function 029447EB: SetEvent.KERNEL32(?,?,?,?,00000000,?,02944B8E,?,?,?,02944B26), ref: 02944808
Part of subcall function 029447EB: CloseHandle.KERNEL32(?,?,?,?,00000000,?,02944B8E,?,?,?,02944B26), ref: 02944811

__CxxThrowException@8.LIBVCRUNTIME ref: 02948DA1

Part of subcall function 02944468: send.WS2_32(?,00000000,00000000,00000000), ref: 029444FD

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: Find$CloseEventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsendsocket
String ID:
API String ID: 4043647387-0
Opcode ID: e000880983430485e89c77e873704e63305e60f9ee07e43829016a9e1200a032
Instruction ID: 94aac9bfcf1078d2798a8e1f34baf509b24acd84f6adb4069a41f1c2f4961c05
Opcode Fuzzy Hash: e000880983430485e89c77e873704e63305e60f9ee07e43829016a9e1200a032
Instruction Fuzzy Hash: 77A16F729002089BDB14FBA4DC91EEEB77AAF94310F504669E50AA71D0EF746B49CF90

Function 02959BC4 Relevance: 9.0, APIs: 6, Instructions: 39serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,?,?,0295981A,00000000,00000000), ref: 02959BCD
OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,?,0295981A,00000000,00000000), ref: 02959BE2
CloseServiceHandle.ADVAPI32(00000000,?,?,0295981A,00000000,00000000), ref: 02959BEF
StartServiceW.ADVAPI32(00000000,00000000,00000000,?,?,0295981A,00000000,00000000), ref: 02959BFA
CloseServiceHandle.ADVAPI32(00000000,?,?,0295981A,00000000,00000000), ref: 02959C0C
CloseServiceHandle.ADVAPI32(00000000,?,?,0295981A,00000000,00000000), ref: 02959C0F

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ManagerStart
String ID:
API String ID: 276877138-0
Opcode ID: ae0991be13eb602076681477dfe37de184964c9b52cfba825e1ed9bafbd59fe3
Instruction ID: 62eeb722cd7134cbbcfce694d680088ee0ff2d445cb65fbd2945c24530db3d22
Opcode Fuzzy Hash: ae0991be13eb602076681477dfe37de184964c9b52cfba825e1ed9bafbd59fe3
Instruction Fuzzy Hash: 37F0E9B1954224AFE2109A749CC8EFF2A6CDF86270B000819F44593140CF64CD559AB1

Function 029911E3 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002), ref: 0299127C
GetLocaleInfoW.KERNEL32(?,20001004,?,00000002), ref: 029912A5
GetACP.KERNEL32 ref: 029912BA

Strings

OCP, xrefs: 02991237
ACP, xrefs: 02991201

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: d823a72e0d97f12ec07afcef3067202c84a3bef632a55154ff41aab0010fdfe7
Instruction ID: d854993a68251fb40b0dd5c0eb3e3ccbaba88947659666f1315a875b54df68e4
Opcode Fuzzy Hash: d823a72e0d97f12ec07afcef3067202c84a3bef632a55154ff41aab0010fdfe7
Instruction Fuzzy Hash: 6621A432B54102A6DF34EF5CDA00BAF73AABB44E74B564965E90DDB100F732D941CB90

Function 0295A63F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0295A650
LoadResource.KERNEL32(00000000,?,?,0294E183,00000000), ref: 0295A664
LockResource.KERNEL32(00000000,?,?,0294E183,00000000), ref: 0295A66B
SizeofResource.KERNEL32(00000000,?,?,0294E183,00000000), ref: 0295A67A

Strings

SETTINGS, xrefs: 0295A643

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: Resource$FindLoadLockSizeof
String ID: SETTINGS
API String ID: 3473537107-594951305
Opcode ID: f91a509e6845f31e1b75a6dda9fbe98ad282d271f36f973d58f15b786cbee99a
Instruction ID: 2d2d9a12a6616c2d6ffecfe168ce6e0f36aaadc242638464f744327d7fed6625
Opcode Fuzzy Hash: f91a509e6845f31e1b75a6dda9fbe98ad282d271f36f973d58f15b786cbee99a
Instruction Fuzzy Hash: A3E01279A84310ABCB321BA9AC5CDA7BF79EBC67767000817F90582254DA314420CB50

Function 02950B19 Relevance: 7.7, APIs: 5, Instructions: 198memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 029505B9: SetLastError.KERNEL32(0000000D,02950B38,?,00000000), ref: 029505BF

GetNativeSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,02950B15), ref: 02950BC4
GetProcessHeap.KERNEL32(00000008,00000040,?,?,00000000), ref: 02950C2A
HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 02950C31
SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 02950D3F
SetLastError.KERNEL32(000000C1,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,02950B15), ref: 02950D69

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: ErrorLast$Heap$AllocInfoNativeProcessSystem
String ID:
API String ID: 3525466593-0
Opcode ID: d8fcd7c21624e6c09f18ece20ccadd236faed8b1047c54ce9de1c523756b017a
Instruction ID: 230d3b3e6d8445ef23ea541a1d0c8b5ca56ae27b84b897b8b043d1c26087469a
Opcode Fuzzy Hash: d8fcd7c21624e6c09f18ece20ccadd236faed8b1047c54ce9de1c523756b017a
Instruction Fuzzy Hash: E761C370700321ABDB20DF69C984B26BBEAFF8C754F044059FD498B286EBB5E455CB91

Function 029913B7 Relevance: 7.7, APIs: 5, Instructions: 188COMMON

Download Yara Rule

APIs

Part of subcall function 02986EBF: GetLastError.KERNEL32(?,0297E260,0297931C,0297E260,00000000,?,0297B955,FF8BC35D,00000000), ref: 02986EC3
Part of subcall function 02986EBF: _free.LIBCMT ref: 02986EF6
Part of subcall function 02986EBF: SetLastError.KERNEL32(00000000,FF8BC35D,00000000), ref: 02986F37
Part of subcall function 02986EBF: _abort.LIBCMT ref: 02986F3D

Part of subcall function 02986EBF: _free.LIBCMT ref: 02986F1E
Part of subcall function 02986EBF: SetLastError.KERNEL32(00000000,FF8BC35D,00000000), ref: 02986F2B

GetUserDefaultLCID.KERNEL32 ref: 029914C3
IsValidCodePage.KERNEL32(00000000), ref: 0299151E
IsValidLocale.KERNEL32(?,00000001), ref: 0299152D
GetLocaleInfoW.KERNEL32(?,00001001,?,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 02991575
GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 02991594

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
String ID:
API String ID: 745075371-0
Opcode ID: 99fe46f80570f74ecd5395e67b8392ed25bb44a321fd32aa07fe20cf75463c6c
Instruction ID: 57612f06d3092980afadfa02be58ec24e88432e23efbc4999d09dd569ca4bfc3
Opcode Fuzzy Hash: 99fe46f80570f74ecd5395e67b8392ed25bb44a321fd32aa07fe20cf75463c6c
Instruction Fuzzy Hash: 7C515F75A002069BEF20DFA9CC40BBE73BDBF49724F084569E91DAB180E7709950CB61

Function 02947A8C Relevance: 7.7, APIs: 5, Instructions: 183fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 02947A91
FindFirstFileW.KERNEL32(00000000,?,029A5AA0,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 02947B4A
FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 02947B6E
FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 02947C76

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstH_prologNext
String ID:
API String ID: 1157919129-0
Opcode ID: 179074d55f6e998404d2b93c1679488ad917f896e0686fe2c337ac7bc4d1c6e3
Instruction ID: 00591f5b4ea203ede1141de172e86096aca9c8e18f0480a9b141474316ca5d88
Opcode Fuzzy Hash: 179074d55f6e998404d2b93c1679488ad917f896e0686fe2c337ac7bc4d1c6e3
Instruction Fuzzy Hash: E75185729002089ACF14FBB4DD95DEEBB7AAF90350F900159E80A97190EF349B89CF90

Function 02946128 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 222filenetworkCOMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 02946234
URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 02946318

Strings

C:\Users\user\Desktop\2LDJIyMl2r.exe, xrefs: 0294627F, 029463A7
open, xrefs: 0294622E

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: DownloadExecuteFileShell
String ID: C:\Users\user\Desktop\2LDJIyMl2r.exe$open
API String ID: 2825088817-1133757589
Opcode ID: f9bfa0f10fcade0536c1367d5048b0b0fdce819ee04d6a548b9a70854d771b9d
Instruction ID: 9664c42a1fea4e97e71b8958d938360f36e7dc03979b211656c22da632e3b41f
Opcode Fuzzy Hash: f9bfa0f10fcade0536c1367d5048b0b0fdce819ee04d6a548b9a70854d771b9d
Instruction Fuzzy Hash: D861E5B1B04340A7DE14FA74C864DBF77AB9FC2714F40091EE88A5B1C0EF648A49CB92

Function 0295BB77 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 83COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0295BC6C

Part of subcall function 029526D2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 029526E1
Part of subcall function 029526D2: RegSetValueExA.KERNEL32(?,029A6748,00000000,?,00000000,00000000,029B42F8,?,?,0294E5FB,029A6748,5.3.0 Pro), ref: 02952709
Part of subcall function 029526D2: RegCloseKey.KERNEL32(?,?,?,0294E5FB,029A6748,5.3.0 Pro), ref: 02952714

Strings

Control Panel\Desktop, xrefs: 0295BBB2, 0295BBE5, 0295BC35
WallpaperStyle, xrefs: 0295BBB7, 0295BBEA, 0295BC3A
TileWallpaper, xrefs: 0295BC56

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: CloseCreateInfoParametersSystemValue
String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
API String ID: 4127273184-3576401099
Opcode ID: 015e7e05ff3c9783b5a3e934ff8b3defbc6a76bde8e1ca8a17690dc83822be18
Instruction ID: 23f10860bb8ce75bd1d3f5ff2eaa635222af2c8717cc7bb714274868a3309dd1
Opcode Fuzzy Hash: 015e7e05ff3c9783b5a3e934ff8b3defbc6a76bde8e1ca8a17690dc83822be18
Instruction Fuzzy Hash: D1117522F8036433F418713D4E3FF6E6D07D3E6A68FD10159EE062A6C9ED824A9203D6

Function 02990A7F Relevance: 6.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 02986EBF: GetLastError.KERNEL32(?,0297E260,0297931C,0297E260,00000000,?,0297B955,FF8BC35D,00000000), ref: 02986EC3
Part of subcall function 02986EBF: _free.LIBCMT ref: 02986EF6
Part of subcall function 02986EBF: SetLastError.KERNEL32(00000000,FF8BC35D,00000000), ref: 02986F37
Part of subcall function 02986EBF: _abort.LIBCMT ref: 02986F3D

IsValidCodePage.KERNEL32(00000000), ref: 02990B61
_wcschr.LIBVCRUNTIME ref: 02990BF1
_wcschr.LIBVCRUNTIME ref: 02990BFF
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,?,00000000,?), ref: 02990CA2

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
String ID:
API String ID: 4212172061-0
Opcode ID: 47da4c03621fbe60fb329ca00e7f709f4ed3af6238b4126f4b39e065371dc7f6
Instruction ID: 32bfbb6e3bd0f0990449299e439a6eef795f7b38a101cd2b12d772dac2ca40eb
Opcode Fuzzy Hash: 47da4c03621fbe60fb329ca00e7f709f4ed3af6238b4126f4b39e065371dc7f6
Instruction Fuzzy Hash: 41610B72600306AADF24AB7DDC45BBA73ADEF84734F14042AE925D7180FB74D945CBA0

Function 02948DA7 Relevance: 6.2, APIs: 4, Instructions: 206fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 02948DAC
FindFirstFileW.KERNEL32(00000000,?), ref: 02948E24
FindNextFileW.KERNEL32(00000000,?), ref: 02948E4D

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: FileFind$FirstH_prologNext
String ID:
API String ID: 301083792-0
Opcode ID: 9fe26bddd28509e195bb94401e56bd1930f7c314e6a25bcc07ab1b3332deb7e5
Instruction ID: 683a27ee0c8aca7d022b5383f1adf51a4a4b479dc74b1fdfc79c6511894bd7e8
Opcode Fuzzy Hash: 9fe26bddd28509e195bb94401e56bd1930f7c314e6a25bcc07ab1b3332deb7e5
Instruction Fuzzy Hash: 7A7152329101189BDB19FBA4DD90DEEB77ABF94314F10426AE45AA7090EF706F49CF90

Function 02988057 Relevance: 6.1, APIs: 4, Instructions: 90timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 02988067

Part of subcall function 02986AC5: RtlFreeHeap.NTDLL(00000000,00000000,?,0298FA50,?,00000000,?,00000000,?,0298FCF4,?,00000007,?,?,02990205,?), ref: 02986ADB
Part of subcall function 02986AC5: GetLastError.KERNEL32(?,?,0298FA50,?,00000000,?,00000000,?,0298FCF4,?,00000007,?,?,02990205,?,?), ref: 02986AED

GetTimeZoneInformation.KERNEL32 ref: 02988079
WideCharToMultiByte.KERNEL32(00000000,?,029B179C,000000FF,?,0000003F,?,?), ref: 029880F1
WideCharToMultiByte.KERNEL32(00000000,?,029B17F0,000000FF,?,0000003F,?,?,?,029B179C,000000FF,?,0000003F,?,?), ref: 0298811E

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
String ID:
API String ID: 806657224-0
Opcode ID: f765e695e36647de167bcd026dba90fbd15da8bff0f227f9f95d3a9713a1e5f1
Instruction ID: 149fbaf91e8974c9fc5624da39a19bdb372d6e5732f6940c2927de257f7b7aa3
Opcode Fuzzy Hash: f765e695e36647de167bcd026dba90fbd15da8bff0f227f9f95d3a9713a1e5f1
Instruction Fuzzy Hash: D731D771D48209EFCB12EF68CD808B9BBF8FF457507584AAEE05997290D7309951CB60

Function 02990E6A Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 02986EBF: GetLastError.KERNEL32(?,0297E260,0297931C,0297E260,00000000,?,0297B955,FF8BC35D,00000000), ref: 02986EC3
Part of subcall function 02986EBF: _free.LIBCMT ref: 02986EF6
Part of subcall function 02986EBF: SetLastError.KERNEL32(00000000,FF8BC35D,00000000), ref: 02986F37
Part of subcall function 02986EBF: _abort.LIBCMT ref: 02986F3D

Part of subcall function 02986EBF: _free.LIBCMT ref: 02986F1E
Part of subcall function 02986EBF: SetLastError.KERNEL32(00000000,FF8BC35D,00000000), ref: 02986F2B

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 02990EBE
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 02990F0F
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 02990FCF

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: ErrorInfoLastLocale$_free$_abort
String ID:
API String ID: 2829624132-0
Opcode ID: bd76b4e1ba59f615cb86d0227af08397ee3418663fcfd7d8a5aa276809bb686c
Instruction ID: cca76f572bea79f2a1cfe865a5f44513568a4452f7be2d1639f4d821dce955ed
Opcode Fuzzy Hash: bd76b4e1ba59f615cb86d0227af08397ee3418663fcfd7d8a5aa276809bb686c
Instruction Fuzzy Hash: 3D61CF719502079BDF289F28CC82BBA77ACFF04324F1440B9EC19D6584E736EA91CB50

Function 0297A65D Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,02974403), ref: 0297A755
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,02974403), ref: 0297A75F
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,02974403), ref: 0297A76C

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 017705d6ab7e8d87580ac023e163f790464ec9be36b80f0a714199360dae9181
Instruction ID: 1911c53a0feedf1c90e2be690849949c0f2178a6d3751ee133fc8aef20754c01
Opcode Fuzzy Hash: 017705d6ab7e8d87580ac023e163f790464ec9be36b80f0a714199360dae9181
Instruction Fuzzy Hash: BB31B474D5122D9BCB21DF69D9887DDB7B8BF48310F5046DAE81CA7250EB309B818F54

Function 0297293A Relevance: 4.5, APIs: 3, Instructions: 30encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,?,00000001,029726C2,00000024,?,?,?), ref: 0297294C
CryptGenRandom.ADVAPI32(?,?,?,?,?,?,?,?,?,0296CBBE,?), ref: 02972962
CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,0296CBBE,?), ref: 02972974

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: Crypt$Context$AcquireRandomRelease
String ID:
API String ID: 1815803762-0
Opcode ID: 9c74a6f04d8007a97eca3c27fa8ef9b9a23ddc1f0ee9f57c3f0eb7b85dd0968d
Instruction ID: 2c28c578ff9d2cf7419882e43c4a88f788e5f22e0e831f6aa0cbdf6e912aaf07
Opcode Fuzzy Hash: 9c74a6f04d8007a97eca3c27fa8ef9b9a23ddc1f0ee9f57c3f0eb7b85dd0968d
Instruction Fuzzy Hash: A7E0923176C211BBEB310F26EC08FA76B58EBC5B70F240D28F611E40D4C6614451C618

Function 02982554 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,0298252A,?,029ADAE0,0000000C,02982681,?,00000002,00000000), ref: 02982575
TerminateProcess.KERNEL32(00000000,?,0298252A,?,029ADAE0,0000000C,02982681,?,00000002,00000000), ref: 0298257C
ExitProcess.KERNEL32 ref: 0298258E

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: b76e8a7d72ec497b97ab45276b0fcd42f2ac75c5e13b3612477638c074842cc4
Instruction ID: 75179ba13b8f5e4083d9c6d64e68f190dd55a7b6692d51a44df769a349117768
Opcode Fuzzy Hash: b76e8a7d72ec497b97ab45276b0fcd42f2ac75c5e13b3612477638c074842cc4
Instruction Fuzzy Hash: B2E04F31860184AFCF017F98D828A9D7F6EEB50351B084410FC0A86120CF35DA91CA80

Function 02987597 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,0298374A,?,00000004), ref: 029875EA

Strings

GetLocaleInfoEx, xrefs: 029875A8, 029875B2

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: GetLocaleInfoEx
API String ID: 2299586839-2904428671
Opcode ID: 024a40e0bf49f48d39cf02abb61af2485bc41ad1e7c5623d5b101dd76e51b0ac
Instruction ID: 3d7a3392c13a433d14112e42447a6ccb667fa346f84476ea12f5021c815a97de
Opcode Fuzzy Hash: 024a40e0bf49f48d39cf02abb61af2485bc41ad1e7c5623d5b101dd76e51b0ac
Instruction Fuzzy Hash: BBF09671A80208B7DF017FA9DC06EBEBB69DF44B21F140555BC0556150DF719D20DAA4

Function 02980E20 Relevance: 3.5, APIs: 2, Instructions: 464COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fe4b2cb4502993dbea9aed901accaaf97bf6201a09a40e91719f5fde44f0d4f
Instruction ID: f6390c956787d8547442ba4fda3708a7c9698ff08702b18bac0bf643fd954aac
Opcode Fuzzy Hash: 5fe4b2cb4502993dbea9aed901accaaf97bf6201a09a40e91719f5fde44f0d4f
Instruction Fuzzy Hash: C8022D71E002199FDF14DFA9C8806AEB7F5FF88324F19826AD919E7344D731A946CB84

Function 02958C69 Relevance: 3.2, APIs: 2, Instructions: 245fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?), ref: 02958EBF
FindNextFileW.KERNEL32(00000000,?,?), ref: 02958F8B

Part of subcall function 0295B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,02949F65), ref: 0295B633

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: File$Find$CreateFirstNext
String ID:
API String ID: 341183262-0
Opcode ID: 8a5bfdfaf2995f018aa3d6ecde11ab33044873574ee42dadb74f9bbbb1570c37
Instruction ID: b37d97f091ed800656b307e42855ba21c569a9392b8667eae029e575751deaa6
Opcode Fuzzy Hash: 8a5bfdfaf2995f018aa3d6ecde11ab33044873574ee42dadb74f9bbbb1570c37
Instruction Fuzzy Hash: 5A8121756043405BD718FB60D860EEFB7AAAFD1710F40492DF99A47190EF709A89CF92

Function 02946AC2 Relevance: 3.1, APIs: 2, Instructions: 86fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 02946ADD
FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 02946BA5

Part of subcall function 02944468: send.WS2_32(?,00000000,00000000,00000000), ref: 029444FD

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: FileFind$FirstNextsend
String ID:
API String ID: 4113138495-0
Opcode ID: 4c9f1895fb8ee9470928899e80ab7e908571420da1a74412de91df963ac6fa14
Instruction ID: 66080d937ff860df9dc4ba35c6e57d9fe812eaf66b8d63e1ac317e58faaa1957
Opcode Fuzzy Hash: 4c9f1895fb8ee9470928899e80ab7e908571420da1a74412de91df963ac6fa14
Instruction Fuzzy Hash: 22218F725083005BC714FBA0D9A4DEFB7ADAFD1364F400A2DE59A52090EF34AA4DCE52

Function 029920D2 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,029920CD,?,?,00000008,?,?,02995412,00000000), ref: 029922FF

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 0a68083a8a7c4f339c9cfd79f46eb9db601c2b976c9a2f9c45a38803b46beb27
Instruction ID: 3e38a16283d21c8066fde64dfb8d5919da8acca5b360906bc502b085409885df
Opcode Fuzzy Hash: 0a68083a8a7c4f339c9cfd79f46eb9db601c2b976c9a2f9c45a38803b46beb27
Instruction Fuzzy Hash: 70B13F31910609AFDB19CF2CC48AB647BE5FF45368F258658ED99CF2A1C335E992CB40

Function 02972A49 Relevance: 1.8, Strings: 1, Instructions: 500COMMON

Download Yara Rule

Strings

0, xrefs: 02972A55

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 5b1cb7587c50fa2309549eee5d18622be475c3ccf32dbcefe7a32b6e5a64b804
Instruction ID: 00ee82e14c94c13967e43ced9a07a90299dc1c31e208b2121f5ac9186a5d66dc
Opcode Fuzzy Hash: 5b1cb7587c50fa2309549eee5d18622be475c3ccf32dbcefe7a32b6e5a64b804
Instruction Fuzzy Hash: 8D029332B183008FD714DF39D951A2EF3E2BFC8754F19492DE989AB390EA74E9058B45

Function 029910BA Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 02986EBF: GetLastError.KERNEL32(?,0297E260,0297931C,0297E260,00000000,?,0297B955,FF8BC35D,00000000), ref: 02986EC3
Part of subcall function 02986EBF: _free.LIBCMT ref: 02986EF6
Part of subcall function 02986EBF: SetLastError.KERNEL32(00000000,FF8BC35D,00000000), ref: 02986F37
Part of subcall function 02986EBF: _abort.LIBCMT ref: 02986F3D

Part of subcall function 02986EBF: _free.LIBCMT ref: 02986F1E
Part of subcall function 02986EBF: SetLastError.KERNEL32(00000000,FF8BC35D,00000000), ref: 02986F2B

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0299110E

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free$InfoLocale_abort
String ID:
API String ID: 1663032902-0
Opcode ID: 789b2d959025336998be38037ec22fee8c53422e5d1402f2b951c7650250af8e
Instruction ID: 6f5d453d2974388cbf729d831836181ba272eeacc510f9be7cca93d8fba8bfc1
Opcode Fuzzy Hash: 789b2d959025336998be38037ec22fee8c53422e5d1402f2b951c7650250af8e
Instruction Fuzzy Hash: 5621807291020BBBDF28AB28DC45BBA73ADFB44320F14017AED05D6240EB35A954CF50

Function 02990D42 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 02986EBF: GetLastError.KERNEL32(?,0297E260,0297931C,0297E260,00000000,?,0297B955,FF8BC35D,00000000), ref: 02986EC3
Part of subcall function 02986EBF: _free.LIBCMT ref: 02986EF6
Part of subcall function 02986EBF: SetLastError.KERNEL32(00000000,FF8BC35D,00000000), ref: 02986F37
Part of subcall function 02986EBF: _abort.LIBCMT ref: 02986F3D

EnumSystemLocalesW.KERNEL32(02990E6A,00000001), ref: 02990DB4

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: f2d02c376a0e32c4a898fe56c43045f8c1d06ac2ef9d8e24a584ba07232118a6
Instruction ID: c283fa462c5d71f0efd81b4d5c76a5588c8c6ad00636b031281815815ba3408b
Opcode Fuzzy Hash: f2d02c376a0e32c4a898fe56c43045f8c1d06ac2ef9d8e24a584ba07232118a6
Instruction Fuzzy Hash: 141106376007059FDF18AF3CC8906BAB796FF80328B18442CE99647A40D371B542CB40

Function 029912EA Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 02986EBF: GetLastError.KERNEL32(?,0297E260,0297931C,0297E260,00000000,?,0297B955,FF8BC35D,00000000), ref: 02986EC3
Part of subcall function 02986EBF: _free.LIBCMT ref: 02986EF6
Part of subcall function 02986EBF: SetLastError.KERNEL32(00000000,FF8BC35D,00000000), ref: 02986F37
Part of subcall function 02986EBF: _abort.LIBCMT ref: 02986F3D

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,02991088,00000000,00000000,?), ref: 02991316

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: ErrorLast$InfoLocale_abort_free
String ID:
API String ID: 2692324296-0
Opcode ID: 9a6da7194b03a952206cd127a22138a28aa4899bcdb2f3721e6d3e4189d2fd08
Instruction ID: 9bb8a911fedda16a6c89ba708252636eeb830449b18582af0756e269d83f1c71
Opcode Fuzzy Hash: 9a6da7194b03a952206cd127a22138a28aa4899bcdb2f3721e6d3e4189d2fd08
Instruction Fuzzy Hash: DCF08632910117ABDF286A69C806BFA776CFB40774F090869EC1DA7540EB74E955C6E0

Function 02990DDD Relevance: 1.5, APIs: 1, Instructions: 42COMMON

Download Yara Rule

APIs

Part of subcall function 02986EBF: GetLastError.KERNEL32(?,0297E260,0297931C,0297E260,00000000,?,0297B955,FF8BC35D,00000000), ref: 02986EC3
Part of subcall function 02986EBF: _free.LIBCMT ref: 02986EF6
Part of subcall function 02986EBF: SetLastError.KERNEL32(00000000,FF8BC35D,00000000), ref: 02986F37
Part of subcall function 02986EBF: _abort.LIBCMT ref: 02986F3D

EnumSystemLocalesW.KERNEL32(029910BA,00000001), ref: 02990E29

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: 90b81917ebc87e6a9b2162ab2010096d6c7c4dfff25334e45a9c5bd6dcad684e
Instruction ID: e72ed455397ddd047ed36043fea6cf67a046095bf8163915848ac76fc08daddb
Opcode Fuzzy Hash: 90b81917ebc87e6a9b2162ab2010096d6c7c4dfff25334e45a9c5bd6dcad684e
Instruction Fuzzy Hash: D5F0C2362103059FDF146E7DD890A7A7B9AEFC1378B05842DFA458B680D772A842CA50

Function 029870AE Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

Part of subcall function 02984ACC: EnterCriticalSection.KERNEL32(-0003D155,?,0298225B,00000000,029ADAC0,0000000C,02982216,?,?,?,02988739,?,?,02986F74,00000001,00000364), ref: 02984ADB

EnumSystemLocalesW.KERNEL32(Function_00047068,00000001,029ADC48,0000000C), ref: 029870E6

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 994e4a6cf4c50fcc7bb1d9f16dc9d3705cfc0fc726d1c85f6784daf3e0d48062
Instruction ID: cd2df586e28b657db5e5b3309e747b3ded7982d2496fc8472245fbdf99a2a4c8
Opcode Fuzzy Hash: 994e4a6cf4c50fcc7bb1d9f16dc9d3705cfc0fc726d1c85f6784daf3e0d48062
Instruction Fuzzy Hash: 95F08772AA0200AFEB01EFB8D945BAE77F1EB84720F108556E810CB290DB7089109F51

Function 02990CF7 Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 02986EBF: GetLastError.KERNEL32(?,0297E260,0297931C,0297E260,00000000,?,0297B955,FF8BC35D,00000000), ref: 02986EC3
Part of subcall function 02986EBF: _free.LIBCMT ref: 02986EF6
Part of subcall function 02986EBF: SetLastError.KERNEL32(00000000,FF8BC35D,00000000), ref: 02986F37
Part of subcall function 02986EBF: _abort.LIBCMT ref: 02986F3D

EnumSystemLocalesW.KERNEL32(02990C4E,00000001), ref: 02990D2E

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: 63d4d707affa5750ecd8b5a92e9db91a13bffe7ec6fed24197fda73df5dfe1e8
Instruction ID: 941c168aef6135c4033e74f8b4e73da05a954928998a2dbf5ce9e4ace942f9fe
Opcode Fuzzy Hash: 63d4d707affa5750ecd8b5a92e9db91a13bffe7ec6fed24197fda73df5dfe1e8
Instruction Fuzzy Hash: 46F0E53630020597DF15AF3DD85577ABF99EFC1724B0A4459EA198B280C776A882C7A0

Function 02973CD7 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00033CE3,029739B1), ref: 02973CDC

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 314cfad90e684bfc42b4fdcae732cde69ae2bfc4f105d3cef5969df03e65133b
Instruction ID: 2b1da50dfa43cd154335ad193a872a09a46861bbd3bcde7de0cf1f6e828ccdbf
Opcode Fuzzy Hash: 314cfad90e684bfc42b4fdcae732cde69ae2bfc4f105d3cef5969df03e65133b
Instruction Fuzzy Hash:

Function 0297C9DD Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0297CB4D

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: e4e8e107ebb569481f6dec165aac6f3bea1aaf1a879556bc36ff33913e703c4a
Instruction ID: 4dd706fa977b31458f7180d39c069849c428e618083dd45daa1fb2f553c7b230
Opcode Fuzzy Hash: e4e8e107ebb569481f6dec165aac6f3bea1aaf1a879556bc36ff33913e703c4a
Instruction Fuzzy Hash: FC518771704B459BDF3CC97885A57BE63CE9F82349F08091FE882DB281D315EA46C766

Function 0297CC0C Relevance: 1.5, Strings: 1, Instructions: 214COMMONLIBRARYCODE

Download Yara Rule

Strings

0, xrefs: 0297CD7C

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 0cdc0b4430c882dd513f9aba2f942575131dd1f5e6007437ccc46010af73f7df
Instruction ID: b88825abadeeba601a3dab626d79a16c5714e7dea8fe5604a7d824988a5ae90e
Opcode Fuzzy Hash: 0cdc0b4430c882dd513f9aba2f942575131dd1f5e6007437ccc46010af73f7df
Instruction Fuzzy Hash: 84519C71200B449BDF388A7885957FF2BDE9F82708F0C0D5BD882DB6A1D715EA42C766

Function 02966E73 Relevance: 1.3, Strings: 1, Instructions: 96COMMON

Download Yara Rule

Strings

@, xrefs: 02966EC4

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 277f5b14ebfb31d9acdfcb19b599133ffeee57438103c682c3dacb2c81b16d7f
Instruction ID: 383cb5a0da327ccadec614ab62952c86697dd8c1fada6e574051662f1da26724
Opcode Fuzzy Hash: 277f5b14ebfb31d9acdfcb19b599133ffeee57438103c682c3dacb2c81b16d7f
Instruction Fuzzy Hash: 834134B29187058FC314CE29C18066BFBE5FBC9354F149A2EF99693350D779E980CB82

Function 0298C739 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36574cfffcf9d61d725cf48ba9dbd3ecc39a15f96e686c5f055c3abc2bb6943f
Instruction ID: 464c607aa20cd59b15df6a8e614de6197156459e407e5fa6ed9903e6b3d1d5e1
Opcode Fuzzy Hash: 36574cfffcf9d61d725cf48ba9dbd3ecc39a15f96e686c5f055c3abc2bb6943f
Instruction Fuzzy Hash: 16325662D69F010DD727A538D962335A28CEFB73D4F18DB37F81AB5A95EB29C4838110

Function 0295E5DF Relevance: .6, Instructions: 606COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d03e8169b8829c6d07a26ad6209e8f6899c708728c6439a514f36513b63221ba
Instruction ID: 7be89eeb46319db91658d87ebfe1d3cc9cac33ebf7af637774159002ecda389e
Opcode Fuzzy Hash: d03e8169b8829c6d07a26ad6209e8f6899c708728c6439a514f36513b63221ba
Instruction Fuzzy Hash: 1132B171B097669BD715CF28C48076AB7EABF84308F044A6DFCD58B281D776DA05CB82

Function 029667CB Relevance: .4, Instructions: 437COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebb0cf2cb3fe45ab968d4feb87ded02fde74ca2c4e9c7c7a3e55b2e27feaed46
Instruction ID: 633fe9fbdf920bd45f684ab70a3e871574a864ed29e2b08a98450cb4787b14c2
Opcode Fuzzy Hash: ebb0cf2cb3fe45ab968d4feb87ded02fde74ca2c4e9c7c7a3e55b2e27feaed46
Instruction Fuzzy Hash: B5027D71B146518FC318CF2EE89167AF7E1BF89301746892AE585D7385DB34E522CB90

Function 02966254 Relevance: .4, Instructions: 377COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09157d463f83be9d86d27225691851ee4064a3ae97cad70a168256967beb7f6b
Instruction ID: aafb6010b3167e47390adf84efad50cce00c1bc7c49b4ba4d75f5ba514aa6650
Opcode Fuzzy Hash: 09157d463f83be9d86d27225691851ee4064a3ae97cad70a168256967beb7f6b
Instruction Fuzzy Hash: FFF1FA71A183558FC318DF59E89187AB3E5FF89301B46092EE5C2D7381CB34E62ADB91

Function 02971377 Relevance: .4, Instructions: 371COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4187124875bd17bb44bb90ae2b8f045c527a07a9762039713f268afba9b5bb3f
Instruction ID: 679296dbfa3a69f52295d535dfb79e4a1a0e90b04d564b376c257e432bb6fc87
Opcode Fuzzy Hash: 4187124875bd17bb44bb90ae2b8f045c527a07a9762039713f268afba9b5bb3f
Instruction Fuzzy Hash: F6D162759083158BDB25DE68C880A6FB7E9FFC4754F040A2DF8D997240EB34DA49CB82

Function 0295D071 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7326b31f45d4e50c8c50174bee11f9882207dfed74e31d12f4697374e1987de
Instruction ID: a18f5da9f5f7ca52d57264815689e63b2652ca866c97b6f98f63474f8785b5f5
Opcode Fuzzy Hash: e7326b31f45d4e50c8c50174bee11f9882207dfed74e31d12f4697374e1987de
Instruction Fuzzy Hash: 44B19E3911429A8ACB05EF68C4913F63BA1EF6A300F4850B9EC9CCF756E3359506EB74

Function 02976A8D Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 08fcbdf0eb5740c17436d0eb75b9bc3bbbac63fb9b6abdab14b15774f6843a2b
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 3A91637220C8A34ADB6D463E857413EFFED9A822A570E079ED4F2CA1C5FF24D164D620

Function 02976D48 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: eefbc1f4dd10fe63a50bb3c5019b3d22f15c4bcfb45eb2211744ceb6fc314494
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: C99184722088E34EDB69463AC53413EFFED5E821A530A07AEE4F2CA1C5FF24C564D620

Function 029767C6 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 5429aac0c476b0dec941d3d6159ec19c542582334ead6fd6b9f49266b1eea368
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 449184722099A34ADB2D463E847417EFFED5A822A570E079ED4F2CB1C5FF24D164DA20

Function 0297D098 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29338ca64b89e146ab42e6271ed30a4f2048090c663f4dcf9be8921cbfe80ce0
Instruction ID: c3da7d873fc215953486bf45d829da061ec9bd461579cc3689fe471428ad6007
Opcode Fuzzy Hash: 29338ca64b89e146ab42e6271ed30a4f2048090c663f4dcf9be8921cbfe80ce0
Instruction Fuzzy Hash: E9619B71704309A6DE3C9A388994BBF23ADEF8A708F14191AE983DB280D752D943C775

Function 0297CE3B Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b768f0718bd5df2d8ac0eff893976198445f32a9bd33b3d774cfb914d704c7fa
Instruction ID: 6bb8e1b4a955da68a522b1fe086fc1687a45adec2378b135611c183f28716793
Opcode Fuzzy Hash: b768f0718bd5df2d8ac0eff893976198445f32a9bd33b3d774cfb914d704c7fa
Instruction Fuzzy Hash: 93613871600709A6DB385A288995BBE639DEF85708F44092BE943DF2C0D751EE42CB6A

Function 0297651C Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 842bede3ba45a64bac54b8d85de9ad7a864155b2c466ed722e5fe10253e3122d
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 3E8171722099A34EDB69463E857413EFFED5A822E570A0B9ED4F2CA1C5FF20D164D620

Function 02966FAD Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8749c3e02f09703c6f10a050fe37d36f6c016455d40f81e60994d79259781052
Instruction ID: 967703beb1dc40856cb209cfacebe4c3a4e707539c209b037a9598165492d11b
Opcode Fuzzy Hash: 8749c3e02f09703c6f10a050fe37d36f6c016455d40f81e60994d79259781052
Instruction Fuzzy Hash: 28612B329083059BC308DF74D585A6BB7E9FFDC718F550E2EF48996150E731EA488B92

Function 02977150 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: 94431355b585d262a488ebf8002e4104e904fb264ec46d7e1fcd2dd7050a380d
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: EE112B7724118243E624C6BDD8B46F7E7ADEBC622972D437AD0414B75CD322E1459B00

Function 02957F9F Relevance: 51.1, APIs: 28, Strings: 1, Instructions: 324windowmemoryCOMMON

Download Yara Rule

APIs

CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 02957FB9
CreateCompatibleDC.GDI32(00000000), ref: 02957FC4

Part of subcall function 02958452: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 02958482

CreateCompatibleBitmap.GDI32(?,00000000), ref: 02958045
DeleteDC.GDI32(?), ref: 0295805D
DeleteDC.GDI32(00000000), ref: 02958060
SelectObject.GDI32(00000000,00000000), ref: 0295806B
StretchBlt.GDI32(00000000,00000000,00000000,00000000,?,?,?,?,00000000,?,00CC0020), ref: 02958093
GetIconInfo.USER32(?,?), ref: 029580CB
DeleteObject.GDI32(?), ref: 029580FA
DeleteObject.GDI32(?), ref: 02958107
DrawIcon.USER32(00000000,?,?,?), ref: 02958114
BitBlt.GDI32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00660046), ref: 02958144
GetObjectA.GDI32(?,00000018,?), ref: 02958173
LocalAlloc.KERNEL32(00000040,00000028), ref: 029581BC
LocalAlloc.KERNEL32(00000040,00000001), ref: 029581DF
GlobalAlloc.KERNEL32(00000000,?), ref: 02958248
GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0295826B
DeleteDC.GDI32(?), ref: 0295827F
DeleteDC.GDI32(00000000), ref: 02958282
DeleteObject.GDI32(00000000), ref: 02958285
GlobalFree.KERNEL32(00CC0020), ref: 02958290
DeleteObject.GDI32(00000000), ref: 02958344
GlobalFree.KERNEL32(?), ref: 0295834B
DeleteDC.GDI32(?), ref: 0295835B
DeleteDC.GDI32(00000000), ref: 02958366
DeleteDC.GDI32(?), ref: 02958398
DeleteDC.GDI32(00000000), ref: 0295839B
DeleteObject.GDI32(?), ref: 029583A1

Strings

DISPLAY, xrefs: 02957FB2

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: Delete$Object$AllocCreateGlobal$CompatibleFreeIconLocal$BitmapBitsDisplayDrawEnumInfoSelectSettingsStretch
String ID: DISPLAY
API String ID: 1765752176-865373369
Opcode ID: d89001936b71cd537560768470d596cea800beca5b3519a9d05527664144d0ba
Instruction ID: 2372762a8e6449e71f3c0010fd42c1cdce20b95b74479aae82beeed00ec2a568
Opcode Fuzzy Hash: d89001936b71cd537560768470d596cea800beca5b3519a9d05527664144d0ba
Instruction Fuzzy Hash: 4CC18C71A48354AFD720DF64DC44BABBBE9FF88754F40092DF98A97250DB30A944CB62

Function 02957245 Relevance: 47.5, APIs: 22, Strings: 5, Instructions: 290libraryloaderthreadCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 0295728C
GetProcAddress.KERNEL32(00000000), ref: 0295728F
GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 029572A0
GetProcAddress.KERNEL32(00000000), ref: 029572A3
GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 029572B4
GetProcAddress.KERNEL32(00000000), ref: 029572B7
GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 029572C8
GetProcAddress.KERNEL32(00000000), ref: 029572CB
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 0295736C
VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 02957384
GetThreadContext.KERNEL32(?,00000000), ref: 0295739A
ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 029573C0
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 02957440
TerminateProcess.KERNEL32(?,00000000), ref: 02957454
GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0295748B
WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 02957558
SetThreadContext.KERNEL32(?,00000000), ref: 02957575
ResumeThread.KERNEL32(?), ref: 02957582
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0295759A
GetCurrentProcess.KERNEL32(?), ref: 029575A5
TerminateProcess.KERNEL32(?,00000000), ref: 029575BF
GetLastError.KERNEL32 ref: 029575C7

Strings

ZwCreateSection, xrefs: 02957272
ZwUnmapViewOfSection, xrefs: 029572A5
ntdll, xrefs: 02957277, 02957296, 029572AA, 029572BE
ZwMapViewOfSection, xrefs: 02957291
ZwClose, xrefs: 029572B9

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
API String ID: 4188446516-3035715614
Opcode ID: 8914ee938afbd4cfbdf89901a2fe51d9344a7b63674672c28c082640fa6f7318
Instruction ID: ac66877e989887abacd024b5a9c2958a039cb6bd870fe1eb54baa86a39e244df
Opcode Fuzzy Hash: 8914ee938afbd4cfbdf89901a2fe51d9344a7b63674672c28c082640fa6f7318
Instruction Fuzzy Hash: CEA16CB1A48304AFD710DFA5CC45BABBBECFF88358F440829FA8986150DB71E554CB65

Function 0294C28E Relevance: 38.8, APIs: 6, Strings: 16, Instructions: 270registryCOMMON

Download Yara Rule

APIs

Part of subcall function 02951699: TerminateProcess.KERNEL32(00000000,pth_unenc,0294E670), ref: 029516A9
Part of subcall function 02951699: WaitForSingleObject.KERNEL32(000000FF), ref: 029516BC

GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000,?,00000000), ref: 0294C38B
RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0294C39E
SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0294C3B7
SetFileAttributesW.KERNEL32(00000000), ref: 0294C3E7

Part of subcall function 0294AFBA: TerminateThread.KERNEL32(029499A9,00000000,029B42F8,pth_unenc,0294BF26,029B42E0,029B42F8,?,pth_unenc), ref: 0294AFC9
Part of subcall function 0294AFBA: UnhookWindowsHookEx.USER32(029B40F8), ref: 0294AFD5
Part of subcall function 0294AFBA: TerminateThread.KERNEL32(Function_00009993,00000000,?,pth_unenc), ref: 0294AFE3

Part of subcall function 0295B58F: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,029A5900,00000000,00000000,0294C267,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0295B5CE

ShellExecuteW.SHELL32(?,open,00000000), ref: 0294C632
ExitProcess.KERNEL32 ref: 0294C63E

Strings

On Error Resume Next, xrefs: 0294C427
""", 0, xrefs: 0294C555
CreateObject("WScript.Shell").Run "cmd /c "", xrefs: 0294C56F
Set fso = CreateObject("Scripting.FileSystemObject"), xrefs: 0294C418
open, xrefs: 0294C62C
while fso.FileExists(", xrefs: 0294C45A
\update.vbs, xrefs: 0294C3E9
fso.DeleteFile(Wscript.ScriptFullName), xrefs: 0294C5E1
Software\Microsoft\Windows\CurrentVersion\Run\, xrefs: 0294C2DF
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 0294C330
fso.DeleteFile ", xrefs: 0294C4A8
"), xrefs: 0294C443
wend, xrefs: 0294C4F7
fso.DeleteFolder ", xrefs: 0294C519
Temp, xrefs: 0294C3EE
exepath, xrefs: 0294C365

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
String ID: """, 0$")$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
API String ID: 1861856835-1536747724
Opcode ID: 2028efdded5405e34e673583587af6d9681e820d94a30af48d3def2698dcb545
Instruction ID: 65b3566b0807d7e824c8a582736801fc58599fc42aec98ac4cd47a1c86b5709d
Opcode Fuzzy Hash: 2028efdded5405e34e673583587af6d9681e820d94a30af48d3def2698dcb545
Instruction Fuzzy Hash: 5C91A231A043005AD718FB24D960EBFB7DAAFD1714F54052EE88A93191EF60AD89CE96

Function 029512B5 Relevance: 38.7, APIs: 17, Strings: 5, Instructions: 189synchronizationsleepfileCOMMON

Download Yara Rule

APIs

CreateMutexA.KERNEL32(00000000,00000001,00000000,029B42F8,?,00000000), ref: 029512D4
ExitProcess.KERNEL32 ref: 0295151D

Part of subcall function 0295265D: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,029B42F8), ref: 02952679
Part of subcall function 0295265D: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 02952692
Part of subcall function 0295265D: RegCloseKey.KERNEL32(00000000), ref: 0295269D

Part of subcall function 0295B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,02949F65), ref: 0295B633

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,00000000), ref: 0295135B
OpenProcess.KERNEL32(00100000,00000000,0294E154,?,?,?,?,00000000), ref: 0295136A
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 02951375
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 0295137C
GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 02951382

Part of subcall function 029527D5: RegCreateKeyA.ADVAPI32(80000001,00000000,029A5554), ref: 029527E3
Part of subcall function 029527D5: RegSetValueExA.KERNEL32(029A5554,000000AF,00000000,00000004,00000001,00000004,?,?,?,0294B94C,029A60E0,00000001,000000AF,029A5554), ref: 029527FE
Part of subcall function 029527D5: RegCloseKey.ADVAPI32(029A5554,?,?,?,0294B94C,029A60E0,00000001,000000AF,029A5554), ref: 02952809

PathFileExistsW.SHLWAPI(?,?,?,?,?,00000000), ref: 029513B3
GetTempPathW.KERNEL32(00000104,?,?,?,?,?,?,?,?,00000000), ref: 0295140F
GetTempFileNameW.KERNEL32(?,temp_,00000000,?,?,?,?,?,?,?,?,00000000), ref: 02951429
lstrcatW.KERNEL32(?,.exe,?,?,?,?,?,?,?,00000000), ref: 0295143B

Part of subcall function 0295B58F: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0295B5EB
Part of subcall function 0295B58F: WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0295B5FF
Part of subcall function 0295B58F: CloseHandle.KERNEL32(00000000), ref: 0295B60C

ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 02951483
Sleep.KERNEL32(000001F4,?,?,?,?,00000000), ref: 029514C4
OpenProcess.KERNEL32(00100000,00000000,0294E154,?,?,?,?,00000000), ref: 029514D9
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 029514E4
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 029514EB
GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 029514F1

Part of subcall function 0295B58F: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,029A5900,00000000,00000000,0294C267,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0295B5CE

Strings

.exe, xrefs: 0295142F
open, xrefs: 0295147D
WDH, xrefs: 02951389, 029514F8
temp_, xrefs: 0295141D
exepath, xrefs: 02951308

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: File$CloseCreateProcess$HandleOpen$CurrentObjectPathSingleTempValueWait$ExecuteExistsExitMutexNamePointerQueryShellSleepWritelstrcat
String ID: .exe$WDH$exepath$open$temp_
API String ID: 4250697656-3088914985
Opcode ID: 0821f312eec0760a02e5bb686edb111d16c6c382bae924e284a221d2b60667b4
Instruction ID: b2c18faf705be7566bc37c70870886723e33f9da7d0688f2833aceaac4a012e8
Opcode Fuzzy Hash: 0821f312eec0760a02e5bb686edb111d16c6c382bae924e284a221d2b60667b4
Instruction Fuzzy Hash: 4051A3B1F442156BEB14EBA4AC59FFF736E9B84324F000955B90AA71C0DF749E468F90

Function 0295A1BB Relevance: 38.7, APIs: 12, Strings: 10, Instructions: 180synchronizationCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0295A2B2
mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0295A2C6
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,029A5554), ref: 0295A2EE
PathFileExistsW.SHLWAPI(00000000,00000000,00000000,029B3EE8,00000000), ref: 0295A2FF
mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0295A340
mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0295A358
mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0295A36D
SetEvent.KERNEL32 ref: 0295A38A
WaitForSingleObject.KERNEL32(000001F4), ref: 0295A39B
CloseHandle.KERNEL32 ref: 0295A3AB
mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0295A3CD
mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0295A3D7

Strings

pause audio, xrefs: 0295A33B
status audio mode, xrefs: 0295A368
resume audio, xrefs: 0295A353
stop audio, xrefs: 0295A3C8
close audio, xrefs: 0295A3D2
alias audio, xrefs: 0295A22E
stopped, xrefs: 0295A373
open ", xrefs: 0295A246
play audio, xrefs: 0295A2C1
" type , xrefs: 0295A24B

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped
API String ID: 738084811-1354618412
Opcode ID: f37a13c96038eb0fae35563ac31bdc6ee24d266f399d7491ac799b6f7f1b9138
Instruction ID: f2d8246084e0019b5fee9a5848166b6229d8e45f704909c74a07a2cb54f49a4a
Opcode Fuzzy Hash: f37a13c96038eb0fae35563ac31bdc6ee24d266f399d7491ac799b6f7f1b9138
Instruction Fuzzy Hash: F851C271B883046FE314F764DCA1EBF7B9EAFD1358F10092DF44A82190DE605D598BA6

Function 0294BF04 Relevance: 37.0, APIs: 6, Strings: 15, Instructions: 260registryCOMMON

Download Yara Rule

APIs

Part of subcall function 02951699: TerminateProcess.KERNEL32(00000000,pth_unenc,0294E670), ref: 029516A9
Part of subcall function 02951699: WaitForSingleObject.KERNEL32(000000FF), ref: 029516BC

GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,029B42F8,?,pth_unenc), ref: 0294C013
RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0294C026
SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,029B42F8,?,pth_unenc), ref: 0294C056
SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,029B42F8,?,pth_unenc), ref: 0294C065

Part of subcall function 0294AFBA: TerminateThread.KERNEL32(029499A9,00000000,029B42F8,pth_unenc,0294BF26,029B42E0,029B42F8,?,pth_unenc), ref: 0294AFC9
Part of subcall function 0294AFBA: UnhookWindowsHookEx.USER32(029B40F8), ref: 0294AFD5
Part of subcall function 0294AFBA: TerminateThread.KERNEL32(Function_00009993,00000000,?,pth_unenc), ref: 0294AFE3

Part of subcall function 0295AB38: GetCurrentProcessId.KERNEL32(00000000,74DF3530,00000000,?,?,?,?,029A5900,0294C07B,.vbs,?,?,?,?,?,029B42F8), ref: 0295AB5F

ShellExecuteW.SHELL32(00000000,open,00000000,029A5900,029A5900,00000000), ref: 0294C280
ExitProcess.KERNEL32 ref: 0294C287

Strings

On Error Resume Next, xrefs: 0294C102
Set fso = CreateObject("Scripting.FileSystemObject"), xrefs: 0294C0F3
open, xrefs: 0294C27A
while fso.FileExists(", xrefs: 0294C136
.vbs, xrefs: 0294C06F
fso.DeleteFile(Wscript.ScriptFullName), xrefs: 0294C22F
Software\Microsoft\Windows\CurrentVersion\Run\, xrefs: 0294BF55
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 0294BFA6
fso.DeleteFile ", xrefs: 0294C183
"), xrefs: 0294C11F
wend, xrefs: 0294C1D2
fso.DeleteFolder ", xrefs: 0294C1F8
pth_unenc, xrefs: 0294BF0A
Temp, xrefs: 0294C0B4
exepath, xrefs: 0294BFEF

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
String ID: ")$.vbs$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend$while fso.FileExists("
API String ID: 3797177996-3018399277
Opcode ID: 665414913d8ef18dfd2feb954f8e5b0f937f9d4db045ead63470077c7ff79a33
Instruction ID: 3c3c0853d3fb91ff10682ea6733b25dfda2b1da405abf7709795a7813b7e61e9
Opcode Fuzzy Hash: 665414913d8ef18dfd2feb954f8e5b0f937f9d4db045ead63470077c7ff79a33
Instruction Fuzzy Hash: 0781A131A043005BD719FB20E970EBFB7DAAFD1304F54092EF88A97191EE6099498F92

Function 02941BE8 Relevance: 35.2, APIs: 16, Strings: 4, Instructions: 156fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 02941C54
WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 02941C7E
WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 02941C8E
WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 02941C9E
WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 02941CAE
WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 02941CBE
WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 02941CCF
WriteFile.KERNEL32(00000000,029B1B02,00000002,00000000,00000000), ref: 02941CE0
WriteFile.KERNEL32(00000000,029B1B04,00000004,00000000,00000000), ref: 02941CF0
WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 02941D00
WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 02941D11
WriteFile.KERNEL32(00000000,029B1B0E,00000002,00000000,00000000), ref: 02941D22
WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 02941D32
WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 02941D42

Strings

WAVE, xrefs: 02941C98
data, xrefs: 02941D2C
RIFF, xrefs: 02941C78
fmt , xrefs: 02941CA8

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: File$Write$Create
String ID: RIFF$WAVE$data$fmt
API String ID: 1602526932-4212202414
Opcode ID: f3cb62c77c80f692274e0b2bde98d1cc48f03e52946415e8a989776474ba412c
Instruction ID: b76f429e26edc1dc4f30ac1e4fce7ff7415b2952ad04e290cc02fe623b422bd2
Opcode Fuzzy Hash: f3cb62c77c80f692274e0b2bde98d1cc48f03e52946415e8a989776474ba412c
Instruction Fuzzy Hash: 024160716543187AE211DA55DD86FBB7FECEB85F50F40081AFA44D6080D760E909DBB3

Function 029464E0 Relevance: 35.1, APIs: 12, Strings: 8, Instructions: 62libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Users\user\Desktop\2LDJIyMl2r.exe,00000001,029468B2,C:\Users\user\Desktop\2LDJIyMl2r.exe,00000003,029468DA,029B42E0,02946933), ref: 029464F4
GetProcAddress.KERNEL32(00000000), ref: 029464FD
GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 0294650E
GetProcAddress.KERNEL32(00000000), ref: 02946511
GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 02946522
GetProcAddress.KERNEL32(00000000), ref: 02946525
GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 02946536
GetProcAddress.KERNEL32(00000000), ref: 02946539
GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 0294654A
GetProcAddress.KERNEL32(00000000), ref: 0294654D
GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 0294655E
GetProcAddress.KERNEL32(00000000), ref: 02946561

Strings

RtlInitUnicodeString, xrefs: 029464EE
C:\Users\user\Desktop\2LDJIyMl2r.exe, xrefs: 029464E1
NtAllocateVirtualMemory, xrefs: 02946508
LdrEnumerateLoadedModules, xrefs: 02946558
ntdll.dll, xrefs: 029464E8, 029464F3, 0294650D, 02946521, 02946535, 02946549, 0294655D
RtlReleasePebLock, xrefs: 02946544
RtlAcquirePebLock, xrefs: 02946530
NtFreeVirtualMemory, xrefs: 0294651C

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: C:\Users\user\Desktop\2LDJIyMl2r.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
API String ID: 1646373207-2053768255
Opcode ID: 2c7c5b0add3dd3b3220572601ab5bfeb7e07b0e70f77ce5ca7c0ed836c81fbc4
Instruction ID: 0cfe1edb8dc31d1df0e69e983f877477d37a77995ef2c8824ff88498c448ea6a
Opcode Fuzzy Hash: 2c7c5b0add3dd3b3220572601ab5bfeb7e07b0e70f77ce5ca7c0ed836c81fbc4
Instruction Fuzzy Hash: 97015EE4F9432625AB217B7E1C74C2BAEEC9E91195309082AA505D3155EF74C000CEB4

Function 0294BC67 Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 203fileCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0294BC75
CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,029B4358,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0294BC8E
CopyFileW.KERNEL32(C:\Users\user\Desktop\2LDJIyMl2r.exe,00000000,00000000,00000000,00000000,00000000,?,029B4358,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 0294BD3E
_wcslen.LIBCMT ref: 0294BD54
CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0294BDDC
CopyFileW.KERNEL32(C:\Users\user\Desktop\2LDJIyMl2r.exe,00000000,00000000), ref: 0294BDF2
SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0294BE31
_wcslen.LIBCMT ref: 0294BE34
SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0294BE4B
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,029B4358,0000000E), ref: 0294BE9B
ShellExecuteW.SHELL32(00000000,open,00000000,029A5900,029A5900,00000001), ref: 0294BEB9
ExitProcess.KERNEL32 ref: 0294BED0

Strings

C:\Users\user\Desktop\2LDJIyMl2r.exe, xrefs: 0294BCFF, 0294BD04, 0294BD37, 0294BDEC, 0294BDF1, 0294BDF8, 0294BE59
open, xrefs: 0294BEB2
del, xrefs: 0294BE63
6, xrefs: 0294BD48

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
String ID: 6$C:\Users\user\Desktop\2LDJIyMl2r.exe$del$open
API String ID: 1579085052-2797154509
Opcode ID: d0ee534d156d5feceb1bee7647a50b9213c01288c9615dd7c5cf133ab41c907c
Instruction ID: 27e1f91d1ad15cb84b39689879a611f984e97aebbe0f06de1720c2488ff31566
Opcode Fuzzy Hash: d0ee534d156d5feceb1bee7647a50b9213c01288c9615dd7c5cf133ab41c907c
Instruction Fuzzy Hash: 93510361B183006BD709B734ED71F7F6B9FAFC1718F40081CF58A862D1DEA4D9458AA6

Function 0295B1BB Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 139stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?), ref: 0295B1D6
_memcmp.LIBVCRUNTIME ref: 0295B1EE
lstrlenW.KERNEL32(?), ref: 0295B207
FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0295B242
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0295B255
QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0295B299
lstrcmpW.KERNEL32(?,?), ref: 0295B2B4
FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0295B2CC
_wcslen.LIBCMT ref: 0295B2DB
FindVolumeClose.KERNEL32(?), ref: 0295B2FB
GetLastError.KERNEL32 ref: 0295B313
GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0295B340
lstrcatW.KERNEL32(?,?), ref: 0295B359
lstrcpyW.KERNEL32(?,?), ref: 0295B368
GetLastError.KERNEL32 ref: 0295B370

Strings

?, xrefs: 0295B26D

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
String ID: ?
API String ID: 3941738427-1684325040
Opcode ID: 4afc6a8acf64314c1b33bcb2e418fd43fd4cb360fdd6a7e7c974b767f2c365ab
Instruction ID: f5a4704d1618fb282fc03411073c5921767c377ffb7720b33fb526047b85c0e7
Opcode Fuzzy Hash: 4afc6a8acf64314c1b33bcb2e418fd43fd4cb360fdd6a7e7c974b767f2c365ab
Instruction Fuzzy Hash: 22418371A48315ABD720DFA4D848AEFB7ECFB95718F400D2AF941D2164EB70C558CBA2

Function 0298E20E Relevance: 25.9, APIs: 17, Instructions: 419COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0298E2A0
_free.LIBCMT ref: 0298E2C6
_free.LIBCMT ref: 0298E2EF
_free.LIBCMT ref: 0298E327
_free.LIBCMT ref: 0298E358
_free.LIBCMT ref: 0298E399
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0298E41A
_free.LIBCMT ref: 0298E433
_wcschr.LIBVCRUNTIME ref: 0298E470
_free.LIBCMT ref: 0298E4DC
_free.LIBCMT ref: 0298E502
_free.LIBCMT ref: 0298E52B
_free.LIBCMT ref: 0298E560
_free.LIBCMT ref: 0298E591
_free.LIBCMT ref: 0298E5D2
SetEnvironmentVariableW.KERNEL32(00000000,?,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0298E657
_free.LIBCMT ref: 0298E670

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: _free$EnvironmentVariable$_wcschr
String ID:
API String ID: 3899193279-0
Opcode ID: 4b1c5386c0828eae2c7df95233524d778be5c9b2f81ee47b83e5b375c8fcb564
Instruction ID: a015756e79011c829dd79e801a55435bbf0011a68214da62a4fecb2c6913dc20
Opcode Fuzzy Hash: 4b1c5386c0828eae2c7df95233524d778be5c9b2f81ee47b83e5b375c8fcb564
Instruction Fuzzy Hash: 7FD12671D04304AFDB26BF7488A0ABE7BADAF45310F0D456DF9899B280E7329551CF90

Function 02953E37 Relevance: 24.6, APIs: 9, Strings: 5, Instructions: 109libraryloaderCOMMON

Download Yara Rule

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 02953E86
LoadLibraryA.KERNEL32(?), ref: 02953EC8
GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 02953EE8
FreeLibrary.KERNEL32(00000000), ref: 02953EEF
LoadLibraryA.KERNEL32(?), ref: 02953F27
GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 02953F39
FreeLibrary.KERNEL32(00000000), ref: 02953F40
GetProcAddress.KERNEL32(00000000,?), ref: 02953F4F
FreeLibrary.KERNEL32(00000000), ref: 02953F66

Strings

freeaddrinfo, xrefs: 02953E63
\ws2_32, xrefs: 02953EB0
\wship6, xrefs: 02953F0F
getnameinfo, xrefs: 02953E53
getaddrinfo, xrefs: 02953E44, 02953EE2, 02953F33

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: Library$AddressFreeProc$Load$DirectorySystem
String ID: \ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
API String ID: 2490988753-744132762
Opcode ID: 3641e674b520162e22d04dc200908894260c026d08955beb9058de4b0977527d
Instruction ID: fb9224491a9982b779448110b5d592915966f1c8774bdc452cb03c691e149154
Opcode Fuzzy Hash: 3641e674b520162e22d04dc200908894260c026d08955beb9058de4b0977527d
Instruction Fuzzy Hash: E5312AB1A05325A7E321DB69DD48E9FB7ECAF847D8F440AA8FC4493200D730D5548BE9

Function 0295CA9E Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 73windowCOMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,00000401,?,?), ref: 0295CAE9
GetCursorPos.USER32(?), ref: 0295CAF8
SetForegroundWindow.USER32(?), ref: 0295CB01
TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0295CB1B
Shell_NotifyIconA.SHELL32(00000002,029B3B50), ref: 0295CB6C
ExitProcess.KERNEL32 ref: 0295CB74
CreatePopupMenu.USER32 ref: 0295CB7A
AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0295CB8F

Strings

Close, xrefs: 0295CB80

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
String ID: Close
API String ID: 1657328048-3535843008
Opcode ID: 6b52208de550c7ef9e2eccb5a96acc5347b4d4caeeaf70c59419e590fc774df0
Instruction ID: 57f0f5afad450e0f4c09e9122dd5eb67704359d6d71f3ff76c83a914170e81ba
Opcode Fuzzy Hash: 6b52208de550c7ef9e2eccb5a96acc5347b4d4caeeaf70c59419e590fc774df0
Instruction Fuzzy Hash: 12211DB1A98215FFEB069FA8ED0EEB97F79EB04311F044959B906940A0DBB19920DB14

Function 02984F3D Relevance: 22.8, APIs: 15, Instructions: 296COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 02984FAD
_free.LIBCMT ref: 02984FC3
_free.LIBCMT ref: 02984FD4
_free.LIBCMT ref: 02984FE5
_free.LIBCMT ref: 02984FFC
GetCPInfo.KERNEL32(?,?), ref: 02985044

Part of subcall function 02991C1B: _free.LIBCMT ref: 02991C86

_free.LIBCMT ref: 029851F0
_free.LIBCMT ref: 02985203
_free.LIBCMT ref: 02985211
_free.LIBCMT ref: 0298521C
_free.LIBCMT ref: 0298525E
_free.LIBCMT ref: 02985266
_free.LIBCMT ref: 0298526E
_free.LIBCMT ref: 02985276
_free.LIBCMT ref: 02985284

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: 52882022de2919b68c2242a8c0a65695dbe2ac0def471f76dc1fa20813749dc7
Instruction ID: bb261d5165a4bf8df11ca89f5bf4d9aff217a580d172f27055eb7fae06a488de
Opcode Fuzzy Hash: 52882022de2919b68c2242a8c0a65695dbe2ac0def471f76dc1fa20813749dc7
Instruction Fuzzy Hash: 8FB19271900305AFDB11EFA8C880BEEBBF9FF49304F594469E459AB241DB75A849CF60

Function 0299006D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 029900B1

Part of subcall function 0298F2E3: _free.LIBCMT ref: 0298F300
Part of subcall function 0298F2E3: _free.LIBCMT ref: 0298F312
Part of subcall function 0298F2E3: _free.LIBCMT ref: 0298F324
Part of subcall function 0298F2E3: _free.LIBCMT ref: 0298F336
Part of subcall function 0298F2E3: _free.LIBCMT ref: 0298F348
Part of subcall function 0298F2E3: _free.LIBCMT ref: 0298F35A
Part of subcall function 0298F2E3: _free.LIBCMT ref: 0298F36C
Part of subcall function 0298F2E3: _free.LIBCMT ref: 0298F37E
Part of subcall function 0298F2E3: _free.LIBCMT ref: 0298F390
Part of subcall function 0298F2E3: _free.LIBCMT ref: 0298F3A2
Part of subcall function 0298F2E3: _free.LIBCMT ref: 0298F3B4
Part of subcall function 0298F2E3: _free.LIBCMT ref: 0298F3C6
Part of subcall function 0298F2E3: _free.LIBCMT ref: 0298F3D8

_free.LIBCMT ref: 029900A6

Part of subcall function 02986AC5: RtlFreeHeap.NTDLL(00000000,00000000,?,0298FA50,?,00000000,?,00000000,?,0298FCF4,?,00000007,?,?,02990205,?), ref: 02986ADB
Part of subcall function 02986AC5: GetLastError.KERNEL32(?,?,0298FA50,?,00000000,?,00000000,?,0298FCF4,?,00000007,?,?,02990205,?,?), ref: 02986AED

_free.LIBCMT ref: 029900C8
_free.LIBCMT ref: 029900DD
_free.LIBCMT ref: 029900E8
_free.LIBCMT ref: 0299010A
_free.LIBCMT ref: 0299011D
_free.LIBCMT ref: 0299012B
_free.LIBCMT ref: 02990136
_free.LIBCMT ref: 0299016E
_free.LIBCMT ref: 02990175
_free.LIBCMT ref: 02990192
_free.LIBCMT ref: 029901AA

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: fb941165f5af96365e589971c01fb954967aa557896cf7bed9b1982aa1189755
Instruction ID: 17b12964805bb136f0ec8baf037e4f2eda58c965c61daf33d34ba53fa8d94678
Opcode Fuzzy Hash: fb941165f5af96365e589971c01fb954967aa557896cf7bed9b1982aa1189755
Instruction Fuzzy Hash: 40311C32600705AFEF32AE39D844B5A77EEAF90364F188419E469DB151DF32A994CF20

Function 02947DEF Relevance: 19.6, APIs: 8, Strings: 3, Instructions: 325fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 02947F4C
GetFileSizeEx.KERNEL32(00000000,00000000), ref: 02947FC2
__aulldiv.LIBCMT ref: 02947FE9
SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 0294810D
ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 02948128
CloseHandle.KERNEL32(00000000), ref: 02948200
CloseHandle.KERNEL32(00000000,00000052,00000000,?), ref: 0294821A
CloseHandle.KERNEL32(00000000), ref: 02948256

Strings

Uploading file to Controller: , xrefs: 02948077
ReadFile error, xrefs: 0294822E
SetFilePointerEx error, xrefs: 02948266

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreatePointerReadSize__aulldiv
String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller:
API String ID: 1884690901-2596673759
Opcode ID: b03e4b9975d1968ca9709eebcfb17051867aff8d19a781a267e0924786d28c0c
Instruction ID: f780a187bbd21914a73b998f5decccf30cfb06565cdd5145c05d671844e3a15b
Opcode Fuzzy Hash: b03e4b9975d1968ca9709eebcfb17051867aff8d19a781a267e0924786d28c0c
Instruction Fuzzy Hash: 69B162716083409FD614FB64D890FAFB7EABFD4310F404A1DF88A56290EF74A949CB96

Function 0295B888 Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 182registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExA.ADVAPI32 ref: 0295B88A
RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 0295B8BB
RegCloseKey.ADVAPI32(?), ref: 0295BB54

Strings

DisplayName, xrefs: 0295B8D1
InstallLocation, xrefs: 0295B911
InstallDate, xrefs: 0295B925
DisplayVersion, xrefs: 0295B8FD
UninstallString, xrefs: 0295B939
Publisher, xrefs: 0295B8E6

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen
String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$UninstallString
API String ID: 1332880857-3730529168
Opcode ID: 8c4d01d05a6227f159806dad79544b7bee420f3f0af254d9e8ae88b955747e31
Instruction ID: 748bbb07e5e0358a92aba0bd8c5c28007cbd0d61983cec6f2549706a7f05f326
Opcode Fuzzy Hash: 8c4d01d05a6227f159806dad79544b7bee420f3f0af254d9e8ae88b955747e31
Instruction Fuzzy Hash: 1561DF715183419BD338EB20D960EEFB7E6BFD4314F10492EE58A86194EF709A89CF52

Function 0298F3E1 Relevance: 18.4, APIs: 12, Instructions: 376COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0298F429
_free.LIBCMT ref: 0298F44D
_free.LIBCMT ref: 0298F45A
_free.LIBCMT ref: 0298F47F
_free.LIBCMT ref: 0298F48C
_free.LIBCMT ref: 0298F495
_free.LIBCMT ref: 0298F773
_free.LIBCMT ref: 0298F77B

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 420e3852e271d83abbcaced269602f2533ad28fb815d08b4d923d07ae6f76d77
Instruction ID: f97520595334d7887b3a6fe2a82d34031f5c5d6d91fc3892fba91e9394a3b886
Opcode Fuzzy Hash: 420e3852e271d83abbcaced269602f2533ad28fb815d08b4d923d07ae6f76d77
Instruction Fuzzy Hash: 72C11472D40209AFEB20EBA8CC41FDA77FDAB48710F584155FA09FB281E6709981DF64

Function 029447EB Relevance: 18.1, APIs: 12, Instructions: 66synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,02944B8E,?,?,?,02944B26), ref: 029447FD
SetEvent.KERNEL32(?,?,?,?,00000000,?,02944B8E,?,?,?,02944B26), ref: 02944808
CloseHandle.KERNEL32(?,?,?,?,00000000,?,02944B8E,?,?,?,02944B26), ref: 02944811
closesocket.WS2_32(000000FF), ref: 0294481F
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,02944B8E,?,?,?,02944B26), ref: 02944856
SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 02944867
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0294486E
SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 02944880
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 02944885
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0294488A
SetEvent.KERNEL32(?,?,?,?,00000000,?,02944B8E,?,?,?,02944B26), ref: 02944895
CloseHandle.KERNEL32(?,?,?,?,00000000,?,02944B8E,?,?,?,02944B26), ref: 0294489A

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: CloseEventHandle$ObjectSingleWait$closesocket
String ID:
API String ID: 3658366068-0
Opcode ID: 21e38cf618857dc462eecf0b664943b295ac35c4e5128f8487516fad826b7575
Instruction ID: d9cff186eb72fb7009fcb5789b5177e6676fa43b7db0f092e498211952eb7392
Opcode Fuzzy Hash: 21e38cf618857dc462eecf0b664943b295ac35c4e5128f8487516fad826b7575
Instruction Fuzzy Hash: 83214971454B449FCB216B66DC48A6AFBE6FF40325B104E2DE1E602AB0CF72B861DF44

Function 02951C81 Relevance: 18.0, APIs: 9, Strings: 1, Instructions: 479sleepfileCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 02951C9A

Part of subcall function 0295AB38: GetCurrentProcessId.KERNEL32(00000000,74DF3530,00000000,?,?,?,?,029A5900,0294C07B,.vbs,?,?,?,?,?,029B42F8), ref: 0295AB5F

Part of subcall function 029576B6: CloseHandle.KERNEL32(02943AB9,?,?,02943AB9,029A5324), ref: 029576CC
Part of subcall function 029576B6: CloseHandle.KERNEL32(029A5324,?,?,02943AB9,029A5324), ref: 029576D5

Sleep.KERNEL32(0000000A,029A5324), ref: 02951DEC
Sleep.KERNEL32(0000000A,029A5324,029A5324), ref: 02951E8E
Sleep.KERNEL32(0000000A,029A5324,029A5324,029A5324), ref: 02951F30
DeleteFileW.KERNEL32(00000000,029A5324,029A5324,029A5324), ref: 02951F91
DeleteFileW.KERNEL32(00000000,029A5324,029A5324,029A5324), ref: 02951FC8
DeleteFileW.KERNEL32(00000000,029A5324,029A5324,029A5324), ref: 02952004
Sleep.KERNEL32(000001F4,029A5324,029A5324,029A5324), ref: 0295201E
Sleep.KERNEL32(00000064), ref: 02952060

Part of subcall function 02944468: send.WS2_32(?,00000000,00000000,00000000), ref: 029444FD

Strings

/stext ", xrefs: 02951D77, 02951E19, 02951EBB

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
String ID: /stext "
API String ID: 1223786279-3856184850
Opcode ID: 0981fd17fe75787ac7d241f357192003ab2b1aa9368611b27dfda1c022bdc840
Instruction ID: f2861290f2bd0e8d23ebe46e97390739d5e60d16eca0871bc256206adc42aafe
Opcode Fuzzy Hash: 0981fd17fe75787ac7d241f357192003ab2b1aa9368611b27dfda1c022bdc840
Instruction Fuzzy Hash: B902F1356083414AD328FB70D8A0FEFB7D6AFE5714F50492DE88E46190EF709A89CB56

Function 02994982 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 02994650: CreateFileW.KERNEL32(00000000,00000000,?,02994A2B,?,?,00000000,?,02994A2B,00000000,0000000C), ref: 0299466D

GetLastError.KERNEL32 ref: 02994A96
__dosmaperr.LIBCMT ref: 02994A9D
GetFileType.KERNEL32(00000000), ref: 02994AA9
GetLastError.KERNEL32 ref: 02994AB3
__dosmaperr.LIBCMT ref: 02994ABC
CloseHandle.KERNEL32(00000000), ref: 02994ADC
CloseHandle.KERNEL32(?), ref: 02994C26
GetLastError.KERNEL32 ref: 02994C58
__dosmaperr.LIBCMT ref: 02994C5F

Strings

H, xrefs: 02994BE4

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 07222c33a65b6e5e0b1d3394bff9206f2ae6a9a05f94563102be87acb3737a6c
Instruction ID: 760635423bb6887b3f404c9c21ee4d930a33800d0e16abe59056cb1915a81fb4
Opcode Fuzzy Hash: 07222c33a65b6e5e0b1d3394bff9206f2ae6a9a05f94563102be87acb3737a6c
Instruction Fuzzy Hash: 95A12332A141448FDF1AEF6CD891BAE7BA5EB46334F18115EE815DB390DB318813CB55

Function 02953C67 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 155COMMON

Download Yara Rule

Strings

65535, xrefs: 02953C6A
udp, xrefs: 02953D17, 02953D1F, 02953D23

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID:
String ID: 65535$udp
API String ID: 0-1267037602
Opcode ID: 487721bc317acfbd4f60d8b5f1fc3a0c8528be8a92cba74f573307778a4c0a9f
Instruction ID: 6078f5e06cf211fbb74269e52778460a7494a1eef6b6d2c8a84d2579b13bafe2
Opcode Fuzzy Hash: 487721bc317acfbd4f60d8b5f1fc3a0c8528be8a92cba74f573307778a4c0a9f
Instruction Fuzzy Hash: 8E410672748321ABD321DA69D805B3B77ECEF847D8F080CA9FC4596280D724C484CB6A

Function 0294C66D Relevance: 17.6, APIs: 3, Strings: 7, Instructions: 147COMMON

Download Yara Rule

APIs

Part of subcall function 02951699: TerminateProcess.KERNEL32(00000000,pth_unenc,0294E670), ref: 029516A9
Part of subcall function 02951699: WaitForSingleObject.KERNEL32(000000FF), ref: 029516BC

Part of subcall function 0295265D: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,029B42F8), ref: 02952679
Part of subcall function 0295265D: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 02952692
Part of subcall function 0295265D: RegCloseKey.KERNEL32(00000000), ref: 0295269D

GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0294C6C7
ShellExecuteW.SHELL32(00000000,open,00000000,029A5900,029A5900,00000000), ref: 0294C826
ExitProcess.KERNEL32 ref: 0294C832

Strings

CreateObject("WScript.Shell").Run "cmd /c "", xrefs: 0294C767
""", 0, xrefs: 0294C74F
open, xrefs: 0294C820
.vbs, xrefs: 0294C6CD
CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName), xrefs: 0294C7D5
Temp, xrefs: 0294C708
exepath, xrefs: 0294C69F

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
String ID: """, 0$.vbs$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
API String ID: 1913171305-2411266221
Opcode ID: 63fb821840b30b61748b6ce648db448753234e05db65d9df036fef84aa0854da
Instruction ID: d67c36f68b131415e021eca8a835ff13a4e6da897a402fce657727827799f91b
Opcode Fuzzy Hash: 63fb821840b30b61748b6ce648db448753234e05db65d9df036fef84aa0854da
Instruction Fuzzy Hash: E7410032E101185ADB18F764DC64DFFB77AAFE1710F50016AE40AA7191EF606E86CF94

Function 02979361 Relevance: 16.6, APIs: 11, Instructions: 116COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,02941AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 029793B9
GetLastError.KERNEL32(?,?,02941AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 029793C6
__dosmaperr.LIBCMT ref: 029793CD
MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,02941AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 029793F9
GetLastError.KERNEL32(?,?,?,02941AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 02979403
__dosmaperr.LIBCMT ref: 0297940A
WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,02941AD8,?), ref: 0297944D
GetLastError.KERNEL32(?,?,?,?,?,?,02941AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 02979457
__dosmaperr.LIBCMT ref: 0297945E
_free.LIBCMT ref: 0297946A
_free.LIBCMT ref: 02979471

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
String ID:
API String ID: 2441525078-0
Opcode ID: 3b8eb3c1832e95378fb1f4a7e62479cf937277f465b32a870e96c120d61417ac
Instruction ID: 0b9fe71a50080e97182019b94421605e2d42f6c33e7ada3de4e4742ba52ac085
Opcode Fuzzy Hash: 3b8eb3c1832e95378fb1f4a7e62479cf937277f465b32a870e96c120d61417ac
Instruction Fuzzy Hash: 8F31C3B280821AFFEF11AFA8CC44DBE7B7DEF44324B144169F8149A294DB318950DBA0

Function 02944E52 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 155windowmemoryCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 02944E71
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 02944F21
TranslateMessage.USER32(?), ref: 02944F30
DispatchMessageA.USER32(?), ref: 02944F3B
HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,029B3F80), ref: 02944FF3
HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 0294502B

Part of subcall function 02944468: send.WS2_32(?,00000000,00000000,00000000), ref: 029444FD

Strings

DisplayMessage, xrefs: 02944F9E
CloseChat, xrefs: 02944FBB
GetMessage, xrefs: 02944FAA

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
String ID: CloseChat$DisplayMessage$GetMessage
API String ID: 2956720200-749203953
Opcode ID: c9ea15ee2ea9255554d035a3a5a6f1845201f42e12f01a6da4763ebcfd3bc10c
Instruction ID: cf4e702524fc71e3f5f1bbf3fb08d1d4b8baeb2a91271c2d3a0393d766b5f3fa
Opcode Fuzzy Hash: c9ea15ee2ea9255554d035a3a5a6f1845201f42e12f01a6da4763ebcfd3bc10c
Instruction Fuzzy Hash: A1419276A083009BCB14FB78D954DAF77AAAFC5710F400A6DF91A87184EF34D915CB92

Function 02959C85 Relevance: 15.1, APIs: 10, Instructions: 66serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,?,?,?,?,?,?,029595F8,00000000,00000000), ref: 02959C94
OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,029595F8,00000000,00000000), ref: 02959CAB
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,029595F8,00000000,00000000), ref: 02959CB8
ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,029595F8,00000000,00000000), ref: 02959CC7
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,029595F8,00000000,00000000), ref: 02959CD8
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,029595F8,00000000,00000000), ref: 02959CDB

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID:
API String ID: 221034970-0
Opcode ID: df762d55eee10e348e43f3232031fd928f5df0030a42619901ef799537d30b56
Instruction ID: 1a9433c8e42ba6fa6b1c722b19aa99f5ca097d05e47a27e03ab28300a630c50f
Opcode Fuzzy Hash: df762d55eee10e348e43f3232031fd928f5df0030a42619901ef799537d30b56
Instruction Fuzzy Hash: 7B11C672E51128EFE711A7A8DCC5EFF7B6CDB46274B000415F90592140DF609D56ABF0

Function 02986DCB Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 02986DDF

Part of subcall function 02986AC5: RtlFreeHeap.NTDLL(00000000,00000000,?,0298FA50,?,00000000,?,00000000,?,0298FCF4,?,00000007,?,?,02990205,?), ref: 02986ADB
Part of subcall function 02986AC5: GetLastError.KERNEL32(?,?,0298FA50,?,00000000,?,00000000,?,0298FCF4,?,00000007,?,?,02990205,?,?), ref: 02986AED

_free.LIBCMT ref: 02986DEB
_free.LIBCMT ref: 02986DF6
_free.LIBCMT ref: 02986E01
_free.LIBCMT ref: 02986E0C
_free.LIBCMT ref: 02986E17
_free.LIBCMT ref: 02986E22
_free.LIBCMT ref: 02986E2D
_free.LIBCMT ref: 02986E38
_free.LIBCMT ref: 02986E46

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d383dc5408128418933fde317bc7fa469fa80cebfebaa90927461161a2e7e04c
Instruction ID: d049f43a6d372e10213c71b6207412acf82f8d08a6c60e9ad41663a71297873a
Opcode Fuzzy Hash: d383dc5408128418933fde317bc7fa469fa80cebfebaa90927461161a2e7e04c
Instruction Fuzzy Hash: BE114476510108AFCB06FF55C941CD93BBEEF54350B59C5A5BA088F621DA32EAA49F80

Function 02959128 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 174sleeptimeCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0295912D
GdiplusStartup.GDIPLUS(029B3AF0,?,00000000), ref: 0295915F
CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 029591EB
Sleep.KERNEL32(000003E8), ref: 0295926D
GetLocalTime.KERNEL32(?), ref: 0295927C
Sleep.KERNEL32(00000000,00000018,00000000), ref: 02959365

Strings

wnd_%04i%02i%02i_%02i%02i%02i, xrefs: 0295920E, 02959229, 029592A0
time_%04i%02i%02i_%02i%02i%02i, xrefs: 02959213

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
API String ID: 489098229-3790400642
Opcode ID: 8caf96a61261348bf155508d199c0d9ae915633fc52ebaf577f5ec831f457ee0
Instruction ID: 5f2cf8e448d313d75074c8a38c1f0e99d1fde2b2992cc932d9ea6ca2a8fab412
Opcode Fuzzy Hash: 8caf96a61261348bf155508d199c0d9ae915633fc52ebaf577f5ec831f457ee0
Instruction Fuzzy Hash: FD518071E40254DADF18FBB4D864EFF7BAAAF95300F440469E44AA7181EF744E85CB90

Function 02995139 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 154COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,02995DAF), ref: 0299515C

Strings

sqrt, xrefs: 029952E0
exp, xrefs: 02995221, 02995283
log, xrefs: 02995202, 0299520E
asin, xrefs: 029952C8
log10, xrefs: 029951A6, 029951F6
acos, xrefs: 029952D4
pow, xrefs: 02995240, 029952EC, 029952FF

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: DecodePointer
String ID: acos$asin$exp$log$log10$pow$sqrt
API String ID: 3527080286-3064271455
Opcode ID: 8b88465edcf58017501968f453ebb0fa3189088710540fd5053a38a9882ab050
Instruction ID: b3ee25ac6759816b1a6a75a9a65acad9937b27ba6df783d1f6b14fd30f4f80b1
Opcode Fuzzy Hash: 8b88465edcf58017501968f453ebb0fa3189088710540fd5053a38a9882ab050
Instruction Fuzzy Hash: 0D51727090460ACBCF16DFACE6481EFBBF8FF49324F964586D481A7254CB768924CB19

Function 029565FC Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 103sleepfileCOMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 0295665C

Part of subcall function 0295B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,02949F65), ref: 0295B633

Sleep.KERNEL32(00000064), ref: 02956688
DeleteFileW.KERNEL32(00000000), ref: 029566BC

Strings

open, xrefs: 02956656
temp, xrefs: 0295660C
\sysinfo.txt, xrefs: 02956607
/t , xrefs: 0295663B
dxdiag, xrefs: 02956651

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: File$CreateDeleteExecuteShellSleep
String ID: /t $\sysinfo.txt$dxdiag$open$temp
API String ID: 1462127192-2001430897
Opcode ID: 62c86bbe4d12a6985627378ed90289dd52a0b2aee9a8ca3724263df5bdfbd776
Instruction ID: a112fbf53ee80c04128bdb5d601b8f8ff104832878c5a9ae57539b70c2c5c791
Opcode Fuzzy Hash: 62c86bbe4d12a6985627378ed90289dd52a0b2aee9a8ca3724263df5bdfbd776
Instruction Fuzzy Hash: F53167319102199BDB14FBA0DCA1EFE777AAFD0714F400159E84A670D0EF606A8ACF94

Function 02946616 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 98COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(029B4A28,00000000,029B42E0,00003000,00000004,00000000,00000001), ref: 02946647
GetCurrentProcess.KERNEL32(029B4A28,00000000,00008000,?,00000000,00000001,00000000,029468BB,C:\Users\user\Desktop\2LDJIyMl2r.exe), ref: 02946705

Strings

\explorer.exe, xrefs: 0294666A
PEB: %x, xrefs: 02946716
[-] NtAllocateVirtualMemory Error, xrefs: 029466AA
explorer.exe, xrefs: 029466BD, 029466E2
[+] NtAllocateVirtualMemory Success, xrefs: 0294667A
windir, xrefs: 02946654

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: CurrentProcess
String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir
API String ID: 2050909247-4242073005
Opcode ID: 92555d34e33445d248eb390f976ffeb724f42946828b1fdaf91c671a0e27c581
Instruction ID: 146ceb2b1bcac1cf0c5ab4311ec66b97aba690b4bdc52a180c3f8f5275e90a3d
Opcode Fuzzy Hash: 92555d34e33445d248eb390f976ffeb724f42946828b1fdaf91c671a0e27c581
Instruction Fuzzy Hash: 8631F4B2A84300AFE711ABA4DD64F7A77BDEB86712F41081CF50592141EF70D410AF68

Function 0295C96F Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 47windowstringCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0295C988

Part of subcall function 0295CA1F: RegisterClassExA.USER32(00000030), ref: 0295CA6C
Part of subcall function 0295CA1F: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0295CA87
Part of subcall function 0295CA1F: GetLastError.KERNEL32 ref: 0295CA91

ExtractIconA.SHELL32(00000000,?,00000000), ref: 0295C9BF
lstrcpynA.KERNEL32(029B3B68,Remcos,00000080), ref: 0295C9D9
Shell_NotifyIconA.SHELL32(00000000,029B3B50), ref: 0295C9EF
TranslateMessage.USER32(?), ref: 0295C9FB
DispatchMessageA.USER32(?), ref: 0295CA05
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0295CA12

Strings

Remcos, xrefs: 0295C9CA

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
String ID: Remcos
API String ID: 1970332568-165870891
Opcode ID: b1a2375ac990504fcc920f02c9b5232fa43ded35cf8eb34061754c9a435420aa
Instruction ID: 8593e240b9cdeeff40d09e4a81bf9d00f211f103cebf76c7f77b0b7e35d6093f
Opcode Fuzzy Hash: b1a2375ac990504fcc920f02c9b5232fa43ded35cf8eb34061754c9a435420aa
Instruction Fuzzy Hash: 550161B1DC8254ABE711EFA9ED1DEFABBBCAB85B14F004859F601D2044DBB49055CB18

Function 0298B450 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7765d16f424559de1334c14100e8091442e29b56d72c77018869a3250e0ea24
Instruction ID: b939f377745189f7166ca13e58acf0dfd0ea6e2b12fe17b3a4a9d6da75e0a15f
Opcode Fuzzy Hash: a7765d16f424559de1334c14100e8091442e29b56d72c77018869a3250e0ea24
Instruction Fuzzy Hash: 76C19D74D043499BDF11EFA8D860BADBBB9BF4A318F1C4489E414EB381C7749945CB60

Function 02992B2A Relevance: 13.8, APIs: 9, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 02992BD6
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 02992C59
__alloca_probe_16.LIBCMT ref: 02992C91
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 02992CEC
__alloca_probe_16.LIBCMT ref: 02992D3B
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 02992D03

Part of subcall function 02986AFF: RtlAllocateHeap.NTDLL(00000000,02974403,?,?,02977227,?,?,?,?,?,0294CC87,02974403,?,?,?,?), ref: 02986B31

MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 02992D7F
__freea.LIBCMT ref: 02992DAA
__freea.LIBCMT ref: 02992DB6

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
String ID:
API String ID: 201697637-0
Opcode ID: fb9f00ebb87e54a0ff2ce295cdf03768797ec02a9391865bd0c63ba2ca2583fd
Instruction ID: a2e320096a06892383d73c79ccc7a5199c22a29995cd6fca974a0e38e02cd8b2
Opcode Fuzzy Hash: fb9f00ebb87e54a0ff2ce295cdf03768797ec02a9391865bd0c63ba2ca2583fd
Instruction Fuzzy Hash: 7F917072E10216ABDF259F7CD850EEEBBE9AF49724F18456AEC05EB140D725D840CBA0

Function 029843F9 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 266COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 02986EBF: GetLastError.KERNEL32(?,0297E260,0297931C,0297E260,00000000,?,0297B955,FF8BC35D,00000000), ref: 02986EC3
Part of subcall function 02986EBF: _free.LIBCMT ref: 02986EF6
Part of subcall function 02986EBF: SetLastError.KERNEL32(00000000,FF8BC35D,00000000), ref: 02986F37
Part of subcall function 02986EBF: _abort.LIBCMT ref: 02986F3D

_memcmp.LIBVCRUNTIME ref: 029846A3
_free.LIBCMT ref: 02984714
_free.LIBCMT ref: 0298472D
_free.LIBCMT ref: 0298475F
_free.LIBCMT ref: 02984768
_free.LIBCMT ref: 02984774

Strings

C, xrefs: 02984561

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: _free$ErrorLast$_abort_memcmp
String ID: C
API String ID: 1679612858-1037565863
Opcode ID: d1068eb8688d981972ae27e212b6c145738b0d1b7e0ceb10b20007497a544e95
Instruction ID: fd53b744dea2c804dfd2e5f6d6f3d6976d4e54bcb3ea0753761ff0c5c8fced65
Opcode Fuzzy Hash: d1068eb8688d981972ae27e212b6c145738b0d1b7e0ceb10b20007497a544e95
Instruction Fuzzy Hash: 44B11A75A0121A9FDB25EF28C884BADB7F9FF48314F1845AAD949A7350D731AE90CF40

Function 029539C7 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 228COMMON

Download Yara Rule

Strings

tcp, xrefs: 02953B2B
udp, xrefs: 02953B01

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID:
String ID: tcp$udp
API String ID: 0-3725065008
Opcode ID: 9b96644c23533f0ddd96c9de31f8806b32487a8f6e6d03ad66ceefbd60b51a4c
Instruction ID: 49bbab088e99214acfa68537652f664547bcde2ecf8fca9b3b024d7b02de5783
Opcode Fuzzy Hash: 9b96644c23533f0ddd96c9de31f8806b32487a8f6e6d03ad66ceefbd60b51a4c
Instruction Fuzzy Hash: 6371CD31B083228FDB24DE59C48473BB7E8AF84799F0009AEFC8697251D774C944CB9A

Function 02950314 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 192COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 02950333
inet_ntoa.WS2_32(?), ref: 029503CE

Strings

StopForward, xrefs: 029504AF
StopReverse, xrefs: 029504C0
StartReverse, xrefs: 0295049E
StartForward, xrefs: 02950492
GetDirectListeningPort, xrefs: 029504D1

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: Eventinet_ntoa
String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse
API String ID: 3578746661-168337528
Opcode ID: 34957369992644068094ba0a0d8384a2cbff2ca106d0641722873e03fd6b6406
Instruction ID: 90e8bebcdc7a31f17a5227e3facaebfddc616f689b7b263f9c1a2abec79f5ff5
Opcode Fuzzy Hash: 34957369992644068094ba0a0d8384a2cbff2ca106d0641722873e03fd6b6406
Instruction Fuzzy Hash: D551B371F483109BCB05FB78D969A7E3BAA9FC4750F444A19E80E872D0EF249945CF92

Function 02956E27 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 107filesynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,029A5554), ref: 02956F24
CloseHandle.KERNEL32(00000000), ref: 02956F2D
DeleteFileA.KERNEL32(00000000), ref: 02956F3C
ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 02956EF0

Part of subcall function 02944468: send.WS2_32(?,00000000,00000000,00000000), ref: 029444FD

Strings

Temp, xrefs: 02956E48
@, xrefs: 02956ED2
<, xrefs: 02956ECB

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: CloseDeleteExecuteFileHandleObjectShellSingleWaitsend
String ID: <$@$Temp
API String ID: 1107811701-1032778388
Opcode ID: ea16f2f3a4c6f67db33d9689643458622d6ffd4aa55030d8c4334a1f7fbdeaab
Instruction ID: dbf11be7e49c4ee1010c6506385395ebd790291e04b5ebae1861d2a9634e8be3
Opcode Fuzzy Hash: ea16f2f3a4c6f67db33d9689643458622d6ffd4aa55030d8c4334a1f7fbdeaab
Instruction Fuzzy Hash: C0316D71E402199BDB14FBA4DC65FFEB77AAF90310F404168E50A6A0D0EF745A8ACF90

Function 02946BE9 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 97fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,029A5454,?,?,00000000,02947273,00000000,?,0000000A,00000000), ref: 02946C38
WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,000186A0,?,?,?,00000000,02947273,00000000,?,0000000A,00000000), ref: 02946C80

Part of subcall function 02944468: send.WS2_32(?,00000000,00000000,00000000), ref: 029444FD

CloseHandle.KERNEL32(00000000,?,?,00000000,02947273,00000000,?,0000000A,00000000,00000000), ref: 02946CC0
MoveFileW.KERNEL32(00000000,00000000), ref: 02946CDD
CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,0000000A,00000000,00000000), ref: 02946D08
DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,0000000A,00000000,00000000), ref: 02946D18

Part of subcall function 0294455B: WaitForSingleObject.KERNEL32(?,000000FF,?,?,0294460E,00000000,?,?), ref: 0294456A
Part of subcall function 0294455B: SetEvent.KERNEL32(?,?,?,0294460E,00000000,?,?), ref: 02944588

Strings

.part, xrefs: 02946C0F

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
String ID: .part
API String ID: 1303771098-3499674018
Opcode ID: 5ad02391a456cc8b33d33f9c6ebef6d775d0a4ecc832ae8192c9e551508cf025
Instruction ID: ea42a095f9ed6654f6a09b721d3da29f53c2f17eebad2b2ece78c37475f5234d
Opcode Fuzzy Hash: 5ad02391a456cc8b33d33f9c6ebef6d775d0a4ecc832ae8192c9e551508cf025
Instruction Fuzzy Hash: 6031DCB4948301AFC310EF60D984DAFB7ADFBC5755F00491EF98592150DF70AA488BA2

Function 02989950 Relevance: 12.2, APIs: 8, Instructions: 216COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,0297D564,0297D564,?,?,?,02989BA1,00000001,00000001,1AE85006), ref: 029899AA
__alloca_probe_16.LIBCMT ref: 029899E2
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,02989BA1,00000001,00000001,1AE85006,?,?,?), ref: 02989A30
__alloca_probe_16.LIBCMT ref: 02989AC7
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,1AE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 02989B2A
__freea.LIBCMT ref: 02989B37

Part of subcall function 02986AFF: RtlAllocateHeap.NTDLL(00000000,02974403,?,?,02977227,?,?,?,?,?,0294CC87,02974403,?,?,?,?), ref: 02986B31

__freea.LIBCMT ref: 02989B40
__freea.LIBCMT ref: 02989B65

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 3864826663-0
Opcode ID: c08e0d60bdb4d882492267594865276383a6217b02cbc159dbb75e9aab617b9d
Instruction ID: 66bd6d233c5c34947fea26f2119ee5e21a6486b0438959e3edd36d2f6e26a6e7
Opcode Fuzzy Hash: c08e0d60bdb4d882492267594865276383a6217b02cbc159dbb75e9aab617b9d
Instruction Fuzzy Hash: 8751D172610216AFEB25AE64CC81EBB77AEEB84764F19462DFC05D7240EB34DC40DA60

Function 02958ABE Relevance: 12.1, APIs: 8, Instructions: 117keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32 ref: 02958B08
SendInput.USER32(00000001,?,0000001C), ref: 02958B30
SendInput.USER32(00000001,0000001C,0000001C), ref: 02958B57
SendInput.USER32(00000001,0000001C,0000001C), ref: 02958B75
SendInput.USER32(00000001,0000001C,0000001C), ref: 02958B95
SendInput.USER32(00000001,0000001C,0000001C), ref: 02958BBA
SendInput.USER32(00000001,0000001C,0000001C), ref: 02958BDC
SendInput.USER32(00000001,?,0000001C), ref: 02958BFF

Part of subcall function 02958AB1: MapVirtualKeyA.USER32(00000000,00000000), ref: 02958AB7

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: InputSend$Virtual
String ID:
API String ID: 1167301434-0
Opcode ID: d6bb1c655bdaf86f6ef364582bfd62e3b40ca342bb5172e504b7dae7357dbab2
Instruction ID: e53d43045c1170dfa630e8729cc893dc3c9df067e33a94966fa1ad60152eeeca
Opcode Fuzzy Hash: d6bb1c655bdaf86f6ef364582bfd62e3b40ca342bb5172e504b7dae7357dbab2
Instruction Fuzzy Hash: 02314271248359A9E311EF65D840F9FFBECAFC9B44F04090FB98457190DAA1D98C87A7

Function 0298F806 Relevance: 10.7, APIs: 7, Instructions: 204COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0298F875
_free.LIBCMT ref: 0298F883
_free.LIBCMT ref: 0298F9B1
_free.LIBCMT ref: 0298F9BC

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: cdf1781f5ce0891d97e1cfaf646b27323b4b8d991bae560f733711aab4dcdb96
Instruction ID: 98426ab398801a81e879f9a6762553454a3bdedf0540671451a0fcdec612eb97
Opcode Fuzzy Hash: cdf1781f5ce0891d97e1cfaf646b27323b4b8d991bae560f733711aab4dcdb96
Instruction Fuzzy Hash: 2B61C371D00205AFDB21EF68C841BAEBBF9FF44720F68556AE949EB640E7319981CF50

Function 0298A0C3 Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,0298A838,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0298A105
__fassign.LIBCMT ref: 0298A180
__fassign.LIBCMT ref: 0298A19B
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 0298A1C1
WriteFile.KERNEL32(?,FF8BC35D,00000000,0298A838,00000000,?,?,?,?,?,?,?,?,?,0298A838,?), ref: 0298A1E0
WriteFile.KERNEL32(?,?,00000001,0298A838,00000000,?,?,?,?,?,?,?,?,?,0298A838,?), ref: 0298A219

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: f6f16839506e6bf824ad40a0c3058749f88da8bc589a5aa7594bebe77b722baa
Instruction ID: 9fd43d9cee884bc997dd071fde0ec71a04388fe6b29c0f620e372e6ba7ca23de
Opcode Fuzzy Hash: f6f16839506e6bf824ad40a0c3058749f88da8bc589a5aa7594bebe77b722baa
Instruction Fuzzy Hash: 1051D5B0E042099FCB20DFA8D881AEEBBF8FF49310F28455BE955E7241E7309951CB61

Function 02977A80 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 02977AAB
___except_validate_context_record.LIBVCRUNTIME ref: 02977AB3
_ValidateLocalCookies.LIBCMT ref: 02977B41
__IsNonwritableInCurrentImage.LIBCMT ref: 02977B6C
_ValidateLocalCookies.LIBCMT ref: 02977BC1

Strings

csm, xrefs: 02977B56

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 89463526adfde8f950e9f396c87ec3b13d3ce3a492f02b66e19bec0ecea21717
Instruction ID: be2118dd137d239d4adab3aecadfd2d644a1ca8f67fec76f4484d057df992a8b
Opcode Fuzzy Hash: 89463526adfde8f950e9f396c87ec3b13d3ce3a492f02b66e19bec0ecea21717
Instruction Fuzzy Hash: FD416234E002099BDF10DFA9C884AEEFBBAEF45328F1485A9E8155B291D7319A55CF90

Function 02941A8E Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 89COMMON

Download Yara Rule

APIs

_strftime.LIBCMT ref: 02941AD3

Part of subcall function 02941BE8: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 02941C54

waveInUnprepareHeader.WINMM(029B1AC0,00000020,00000000,?), ref: 02941B85
waveInPrepareHeader.WINMM(029B1AC0,00000020), ref: 02941BC3
waveInAddBuffer.WINMM(029B1AC0,00000020), ref: 02941BD2

Strings

%Y-%m-%d %H.%M, xrefs: 02941AC4
.wav, xrefs: 02941AEC

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
String ID: %Y-%m-%d %H.%M$.wav
API String ID: 3809562944-3597965672
Opcode ID: 2aa91b370aea47e3d94a4eb1fd86aaac11dba355dae048912933d9b32d9fca8d
Instruction ID: ce22101f3bf5c8be2d8c38a4c6d14dfc5472be044007f7671f401238c348bd19
Opcode Fuzzy Hash: 2aa91b370aea47e3d94a4eb1fd86aaac11dba355dae048912933d9b32d9fca8d
Instruction Fuzzy Hash: A5317E319483009BD315EB24D960EAF7BEAFFD5310F40482DE19E82190EF706A59CF62

Function 0294B6EA Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 02952513: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 02952537
Part of subcall function 02952513: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 02952554
Part of subcall function 02952513: RegCloseKey.KERNEL32(?), ref: 0295255F

ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0294B76C
PathFileExistsA.SHLWAPI(?), ref: 0294B779

Strings

Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders, xrefs: 0294B703
[IE cookies not found], xrefs: 0294B741
Cookies, xrefs: 0294B6FE
[IE cookies cleared!], xrefs: 0294B7C6, 0294B7E6

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
API String ID: 1133728706-4073444585
Opcode ID: 7b62ff9a103104ae84ea7e1d15fda9d78fc2fe1c5de875ffc74fffb5606f43d0
Instruction ID: 6325c1e55979ed0d70fb64955bf02882ee84839df57c28e35ea4a482d6a536d3
Opcode Fuzzy Hash: 7b62ff9a103104ae84ea7e1d15fda9d78fc2fe1c5de875ffc74fffb5606f43d0
Instruction Fuzzy Hash: FB218071E50218A6DF04F7F1DC76DEE776AAFD0318F440159D50667180EF609A8ACBD1

Function 02995903 Relevance: 10.6, APIs: 7, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7cc48ceb09c7fa71532c119de1bfcc7336e5629f97566eb495dcb0441680302
Instruction ID: de767c3fc3731588860442cd1f8d057169531e43986aea09bc0daed6e4f042c8
Opcode Fuzzy Hash: f7cc48ceb09c7fa71532c119de1bfcc7336e5629f97566eb495dcb0441680302
Instruction Fuzzy Hash: EB11B472518255BFEF223FBADC44ABF7A6DEFC5770B96051AF815C7244DA718800CAA0

Function 0298FCDB Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0298FA22: _free.LIBCMT ref: 0298FA4B

_free.LIBCMT ref: 0298FD29

Part of subcall function 02986AC5: RtlFreeHeap.NTDLL(00000000,00000000,?,0298FA50,?,00000000,?,00000000,?,0298FCF4,?,00000007,?,?,02990205,?), ref: 02986ADB
Part of subcall function 02986AC5: GetLastError.KERNEL32(?,?,0298FA50,?,00000000,?,00000000,?,0298FCF4,?,00000007,?,?,02990205,?,?), ref: 02986AED

_free.LIBCMT ref: 0298FD34
_free.LIBCMT ref: 0298FD3F
_free.LIBCMT ref: 0298FD93
_free.LIBCMT ref: 0298FD9E
_free.LIBCMT ref: 0298FDA9
_free.LIBCMT ref: 0298FDB4

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 7c29d87e7d6a666a6374703866dd42c53a280d6db8acc668fe4e1522d65ba280
Instruction ID: 2ddc29b83d6e9e1c983a937e023d987bd4b846b2ec215a5fdc93426fdf5b0329
Opcode Fuzzy Hash: 7c29d87e7d6a666a6374703866dd42c53a280d6db8acc668fe4e1522d65ba280
Instruction Fuzzy Hash: FF116031651704B6E921FBB0CD05FCB77EE9F84710FC84C14B2AAAB460F635A5554A60

Function 02946815 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 59COMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Users\user\Desktop\2LDJIyMl2r.exe), ref: 02946835

Part of subcall function 02946764: _wcslen.LIBCMT ref: 02946788
Part of subcall function 02946764: CoGetObject.OLE32(?,00000024,029A59B0,00000000), ref: 029467E9

CoUninitialize.OLE32 ref: 0294688E

Strings

C:\Users\user\Desktop\2LDJIyMl2r.exe, xrefs: 02946815, 02946818, 0294686A
[+] ucmCMLuaUtilShellExecMethod, xrefs: 0294681A
[+] before ShellExec, xrefs: 02946856
[+] ShellExec success, xrefs: 02946873

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: InitializeObjectUninitialize_wcslen
String ID: C:\Users\user\Desktop\2LDJIyMl2r.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
API String ID: 3851391207-3731244694
Opcode ID: 6f4b5af8bd3afc4ee0cdfe0d155bf51746e80bf5aeef0405bda2df9e23263154
Instruction ID: 34c6b87c327a1a9e536511103c7ba71e3671146820dcd3855fa649998741b091
Opcode Fuzzy Hash: 6f4b5af8bd3afc4ee0cdfe0d155bf51746e80bf5aeef0405bda2df9e23263154
Instruction Fuzzy Hash: 1501DEB27003006FF3286B54DC0AF7B675DDF8263AF61012EF94586280EF91A8004AB1

Function 0294B2A8 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 48fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0294B2E4
GetLastError.KERNEL32 ref: 0294B2EE

Strings

\AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0294B2AF
UserProfile, xrefs: 0294B2B4
[Chrome Cookies not found], xrefs: 0294B308
[Chrome Cookies found, cleared!], xrefs: 0294B314

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: DeleteErrorFileLast
String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
API String ID: 2018770650-304995407
Opcode ID: fb68f27f81a3470da3295017f8bbd5311ed281f7d2b27f68b37b5c8bf9e536a0
Instruction ID: d479d6004953b5b3e8071c19aad167a99415d17bfe94ee8eba72c9d30c1689b1
Opcode Fuzzy Hash: fb68f27f81a3470da3295017f8bbd5311ed281f7d2b27f68b37b5c8bf9e536a0
Instruction Fuzzy Hash: B601F472F902046B9B04BAB9DD7ACFF3729ADE061CB900119E007531C4FE51D985CAC1

Function 0295BEB0 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 47memoryCOMMON

Download Yara Rule

APIs

AllocConsole.KERNEL32(029B4358), ref: 0295BEB9
ShowWindow.USER32(00000000,00000000), ref: 0295BED2
SetConsoleOutputCP.KERNEL32(000004E4), ref: 0295BEF7

Strings

Remcos v, xrefs: 0295BF12
CONOUT$, xrefs: 0295BEE5
5.3.0 Pro, xrefs: 0295BF20

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: Console$AllocOutputShowWindow
String ID: Remcos v$5.3.0 Pro$CONOUT$
API String ID: 2425139147-2527699604
Opcode ID: 4e18e62475b7419d01bb71d8c583b0cb4c412e4c32386b33245a650a1baad828
Instruction ID: 0c46681c504db999b8eb4e225382fcf65a1453e5d278402f7b964c1ef1927bf0
Opcode Fuzzy Hash: 4e18e62475b7419d01bb71d8c583b0cb4c412e4c32386b33245a650a1baad828
Instruction Fuzzy Hash: 2801A2B1ED03047BEA10FBF09D1BFEE77AD6B94705F540811B605E7081EAA5A1188F64

Function 029795FC Relevance: 9.3, APIs: 6, Instructions: 284COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 02979789
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 029797A5
__allrem.LIBCMT ref: 029797BC
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 029797DA
__allrem.LIBCMT ref: 029797F1
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0297980F

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 90d3cbeaf7f932440d57ef5c22d3b8f6324572cbadffe2a0eaa56fc6fd551e6e
Instruction ID: 348363016c35c2e7ceccfcef292bd2e202a5e8e70378d4d841ce7d24f5927b19
Opcode Fuzzy Hash: 90d3cbeaf7f932440d57ef5c22d3b8f6324572cbadffe2a0eaa56fc6fd551e6e
Instruction Fuzzy Hash: 2281F872A007469BF724AE78CC41BAE73EEEF81764F18462AE515D6690E770D901CF90

Function 02984B3D Relevance: 9.2, APIs: 6, Instructions: 200COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftoe.LIBCMT ref: 02984B69
__cftoe.LIBCMT ref: 02984B9B

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: __cftoe
String ID:
API String ID: 4189289331-0
Opcode ID: 12864e43354fa767f4b597314f41bc6aecb0b261b00b1ddf80f5cdca3d2801ee
Instruction ID: 32c3ee85ab3501f74cbedd68fd9eef852836b9719a5749a18b869971beca6dd6
Opcode Fuzzy Hash: 12864e43354fa767f4b597314f41bc6aecb0b261b00b1ddf80f5cdca3d2801ee
Instruction Fuzzy Hash: B651F536900206ABDB25BF68CD80FAE77BEAF88324F1C525EE915D6181EB35D500CA64

Function 02986159 Relevance: 9.1, APIs: 3, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 02986261
__freea.LIBCMT ref: 0298630B
__freea.LIBCMT ref: 02986329

Strings

am/pm, xrefs: 0298638C
a/p, xrefs: 029863F0

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: __freea$__alloca_probe_16
String ID: a/p$am/pm
API String ID: 3509577899-3206640213
Opcode ID: 69c2af0b8a59afb0b3fca888b92f005b6b1b0ed042eccd855b4e16d4dbb88d69
Instruction ID: 66c1b34effffab33a0f3c5e2cd6a9c84c017312cfc121b4d099e450574b06bc2
Opcode Fuzzy Hash: 69c2af0b8a59afb0b3fca888b92f005b6b1b0ed042eccd855b4e16d4dbb88d69
Instruction Fuzzy Hash: 0FD12171900206CBDF29AF68C985BBEBBBDFF05314F1C415AEA15AF648D3359980CB61

Function 02959DEC Relevance: 9.1, APIs: 6, Instructions: 66serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,?,00000000,?,?,02959507,00000000,00000000), ref: 02959DFC
OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,00000000,?,?,02959507,00000000,00000000), ref: 02959E10
CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,02959507,00000000,00000000), ref: 02959E1D
ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,02959507), ref: 02959E52
CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,02959507,00000000,00000000), ref: 02959E64
CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,02959507,00000000,00000000), ref: 02959E67

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ChangeConfigManager
String ID:
API String ID: 493672254-0
Opcode ID: 7f63ae2e8622f052e1a1c12140260cf04f4a6d9a4bb87bfebb3fc2ba992543d3
Instruction ID: 2d7dd6b80a9bc0f6a94b57d214d1eedcb34bcd3af10291bb6f214376fd7ba30e
Opcode Fuzzy Hash: 7f63ae2e8622f052e1a1c12140260cf04f4a6d9a4bb87bfebb3fc2ba992543d3
Instruction Fuzzy Hash: 97012871788234BAF7119678AD4EFBB3E6CDB42270F000609F929961C0EF90CA4986F0

Function 02977E06 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,02977DFD,029777B1), ref: 02977E14
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 02977E22
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 02977E3B
SetLastError.KERNEL32(00000000,?,02977DFD,029777B1), ref: 02977E8D

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: caf09718ba5f9e6d7da10926302e518467cd848fc28c762f9d6b581fea2dab8d
Instruction ID: 3b9e57c22db58b14f7758fa53eb77d05eefe0d151d8f7f3581e30b2373780c69
Opcode Fuzzy Hash: caf09718ba5f9e6d7da10926302e518467cd848fc28c762f9d6b581fea2dab8d
Instruction Fuzzy Hash: BB01A73266D3155EEB2525F87C8DABF6A5EEF41778B20073AF524491F0EF218C11E584

Function 02986EBF Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,0297E260,0297931C,0297E260,00000000,?,0297B955,FF8BC35D,00000000), ref: 02986EC3
_free.LIBCMT ref: 02986EF6
_free.LIBCMT ref: 02986F1E
SetLastError.KERNEL32(00000000,FF8BC35D,00000000), ref: 02986F2B
SetLastError.KERNEL32(00000000,FF8BC35D,00000000), ref: 02986F37
_abort.LIBCMT ref: 02986F3D

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 4837aa77af0df78f59d6b66ee5235ac4351bc6d11314c4aac4b84bb526db936e
Instruction ID: 51ffaaf14cd7c088caeb91541a5fb36642fec4bee4280107d3413bd203a519be
Opcode Fuzzy Hash: 4837aa77af0df78f59d6b66ee5235ac4351bc6d11314c4aac4b84bb526db936e
Instruction Fuzzy Hash: 2CF02D3695870167C72376786E04FAF252F9FC17B0F2D0428F4059A181FF30C5114621

Function 02959C20 Relevance: 9.0, APIs: 6, Instructions: 44serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,?,?,?,?,?,?,0295979B,00000000,00000000), ref: 02959C2F
OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0295979B,00000000,00000000), ref: 02959C43
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0295979B,00000000,00000000), ref: 02959C50
ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0295979B,00000000,00000000), ref: 02959C5F
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0295979B,00000000,00000000), ref: 02959C71
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0295979B,00000000,00000000), ref: 02959C74

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID:
API String ID: 221034970-0
Opcode ID: 1a1d88faea67ac732a0b656401238ae52ecbae7acdb4026f778c500c09eef37c
Instruction ID: d7e5e8d5bba600980f726d16c0d3703779dcf6af5de4854257d7cab69caac52c
Opcode Fuzzy Hash: 1a1d88faea67ac732a0b656401238ae52ecbae7acdb4026f778c500c09eef37c
Instruction Fuzzy Hash: 62F09676990224BBE711ABA8DC89EFF7B6CDB85670F000415F90592141DF64CD558AF1

Function 02959D87 Relevance: 9.0, APIs: 6, Instructions: 44serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,?,?,?,?,?,?,02959697,00000000,00000000), ref: 02959D96
OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,02959697,00000000,00000000), ref: 02959DAA
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,02959697,00000000,00000000), ref: 02959DB7
ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,02959697,00000000,00000000), ref: 02959DC6
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,02959697,00000000,00000000), ref: 02959DD8
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,02959697,00000000,00000000), ref: 02959DDB

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID:
API String ID: 221034970-0
Opcode ID: e3a0798ca131eced0c3dd88fd6cd7cf03aeb1c740704b10013ad0867e8517c24
Instruction ID: 0342abfea0f20f9f64504e72dd68c80d054e59ff5d4cd717e9b1302030be3be9
Opcode Fuzzy Hash: e3a0798ca131eced0c3dd88fd6cd7cf03aeb1c740704b10013ad0867e8517c24
Instruction Fuzzy Hash: F9F0F6B6950224BBE311ABA8DC89EFF3B6CDF85270F000415FD0592140DF64DE558AF0

Function 02959D22 Relevance: 9.0, APIs: 6, Instructions: 44serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,?,?,?,?,?,?,02959719,00000000,00000000), ref: 02959D31
OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,02959719,00000000,00000000), ref: 02959D45
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,02959719,00000000,00000000), ref: 02959D52
ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,02959719,00000000,00000000), ref: 02959D61
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,02959719,00000000,00000000), ref: 02959D73
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,02959719,00000000,00000000), ref: 02959D76

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID:
API String ID: 221034970-0
Opcode ID: c7d7784302a0002ccec31fbb7b7834a0d1856aa344e8bc6a4d6eaa4c42afff96
Instruction ID: 023024024fa2d8b09088b3f55237443a1336ebbfbcb5e89b144d1ae6c24f5eec
Opcode Fuzzy Hash: c7d7784302a0002ccec31fbb7b7834a0d1856aa344e8bc6a4d6eaa4c42afff96
Instruction Fuzzy Hash: 1DF096B6950224BBE311ABA89C89EFF3B6CDF85670F000415FA0696140DF68DD568AF0

Function 0295A81D Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 90COMMON

Download Yara Rule

APIs

Part of subcall function 02952584: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?), ref: 029525A6
Part of subcall function 02952584: RegQueryValueExW.ADVAPI32(?,0294E0BA,00000000,00000000,?,00000400), ref: 029525C5
Part of subcall function 02952584: RegCloseKey.ADVAPI32(?), ref: 029525CE

Part of subcall function 0295B15B: GetCurrentProcess.KERNEL32(?,?,?,0294C914,WinDir,00000000,00000000), ref: 0295B16C

_wcslen.LIBCMT ref: 0295A8F6

Strings

.exe, xrefs: 0295A848
http\shell\open\command, xrefs: 0295A82D
program files\, xrefs: 0295A8DC, 0295A8E3, 0295A8F5
program files (x86)\, xrefs: 0295A8F0

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: CloseCurrentOpenProcessQueryValue_wcslen
String ID: .exe$http\shell\open\command$program files (x86)\$program files\
API String ID: 37874593-4246244872
Opcode ID: 12d746e3248406ff7744e8f97c988100976fb0eda72f2a1790a665bd73551936
Instruction ID: 6e110cd7f243ee9395168954beef3c608b979447e40c503eb9d0c8890af52fac
Opcode Fuzzy Hash: 12d746e3248406ff7744e8f97c988100976fb0eda72f2a1790a665bd73551936
Instruction Fuzzy Hash: 7421A762B002186BEF08FBB48CA5DAF37AF9FD5358F15053DE806A72C0ED609D594B60

Function 0295CA1F Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 54registryCOMMON

Download Yara Rule

APIs

RegisterClassExA.USER32(00000030), ref: 0295CA6C
CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0295CA87
GetLastError.KERNEL32 ref: 0295CA91

Strings

MsgWindowClass, xrefs: 0295CA28
0, xrefs: 0295CA2D

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: ClassCreateErrorLastRegisterWindow
String ID: 0$MsgWindowClass
API String ID: 2877667751-2410386613
Opcode ID: 6a3b1ad128f960d774e6e9154c206dc782e98243da7965392b7cc93b1f169a1e
Instruction ID: bc26971704b596127a335fa76158a6907ef24f9e6c4b7d455a58fac42dff40e1
Opcode Fuzzy Hash: 6a3b1ad128f960d774e6e9154c206dc782e98243da7965392b7cc93b1f169a1e
Instruction Fuzzy Hash: 7F0108B1D1431EAB8B01DFEAD8C49EFFBFDFE49258B50062AF414B2100E7704A458BA0

Function 029469BA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 02946A00
CloseHandle.KERNEL32(?), ref: 02946A0F
CloseHandle.KERNEL32(?), ref: 02946A14

Strings

C:\Windows\System32\cmd.exe, xrefs: 029469FB
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 029469F6

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateProcess
String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
API String ID: 2922976086-4183131282
Opcode ID: 28c64c76e2aad1135b12ba823d52db2e59d2a4b89be926507e879f19ca49f592
Instruction ID: 8746362b6b4b3b03bc4e3463a22e699f5661da56c112139caae5f6fdf3217b4d
Opcode Fuzzy Hash: 28c64c76e2aad1135b12ba823d52db2e59d2a4b89be926507e879f19ca49f592
Instruction Fuzzy Hash: 37F030B6D402A87ADB20AAD6DC0DEDFBF7DFBC1B20F400419B605A6154D6705154CAB4

Function 029825D9 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0298258A,?,?,0298252A,?,029ADAE0,0000000C,02982681,?,00000002), ref: 029825F9
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0298260C
FreeLibrary.KERNEL32(00000000,?,?,?,0298258A,?,?,0298252A,?,029ADAE0,0000000C,02982681,?,00000002,00000000), ref: 0298262F

Strings

mscoree.dll, xrefs: 029825F2
CorExitProcess, xrefs: 02982604

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: dba21f6c729dc3553f5d5d7199ef628465d7e8e69a897b0061301d2b79a3646d
Instruction ID: 129a659f3841f5681c36c7a0b61ab6869ea20dcdf9519b90bfa48b70c2f8e74d
Opcode Fuzzy Hash: dba21f6c729dc3553f5d5d7199ef628465d7e8e69a897b0061301d2b79a3646d
Instruction Fuzzy Hash: FBF0AF30E5420CFBDB119FA9D809BEDBFB8EF48765F0404A9F805A2140EF308D50CA94

Function 02944AB1 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 35synchronizationCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 02944AED
SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0294483F,00000001), ref: 02944AF9
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,0294483F,00000001), ref: 02944B04
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0294483F,00000001), ref: 02944B0D

Part of subcall function 0295A686: GetLocalTime.KERNEL32(00000000), ref: 0295A6A0

Strings

KeepAlive | Disabled, xrefs: 02944AC6

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
String ID: KeepAlive | Disabled
API String ID: 2993684571-305739064
Opcode ID: c7d6aab969ffc8f8815374396a970c9d7b1bd1e92d47de3ec8eeb70ded66f039
Instruction ID: c8c179dfeb5f2039bd6c728b0b4c34de95a731779f5845b6d22dd95a53e47cda
Opcode Fuzzy Hash: c7d6aab969ffc8f8815374396a970c9d7b1bd1e92d47de3ec8eeb70ded66f039
Instruction Fuzzy Hash: B2F0BBB5E683006FEB1137B88D0DEBEBF99AB42334F004E5DF89282660DE204461CB52

Function 02959F32 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 0295A686: GetLocalTime.KERNEL32(00000000), ref: 0295A6A0

GetModuleHandleA.KERNEL32(00000000,00020009), ref: 02959F64
PlaySoundW.WINMM(00000000,00000000), ref: 02959F72
Sleep.KERNEL32(00002710), ref: 02959F79
PlaySoundW.WINMM(00000000,00000000,00000000), ref: 02959F82

Strings

Alarm triggered, xrefs: 02959F3B

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: PlaySound$HandleLocalModuleSleepTime
String ID: Alarm triggered
API String ID: 614609389-2816303416
Opcode ID: 468dbe2d3f9e0d83fa4b537892ad1ca24767222661be56df05a3e1dd7b1f7caa
Instruction ID: 687dce64b6ec2d6046276b860ea49125a535009083c807ead67f6c7c3072fb6c
Opcode Fuzzy Hash: 468dbe2d3f9e0d83fa4b537892ad1ca24767222661be56df05a3e1dd7b1f7caa
Instruction Fuzzy Hash: C3E04866F6412037A51032FE6D1EC7F7E6ADAC3B70741056EF90956144DD40091287F3

Function 0295BE6F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 26COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0295BF02), ref: 0295BE79
GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,0295BF02), ref: 0295BE86
SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,0295BF02), ref: 0295BE93
SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,0295BF02), ref: 0295BEA6

Strings

______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0295BE99

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: Console$AttributeText$BufferHandleInfoScreen
String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
API String ID: 3024135584-2418719853
Opcode ID: 12d60e191f322496ec1f584a60f1247c3cfed6c3a8e4ea6b541fcbf2c6eeb13a
Instruction ID: 79332804ff444d95ac3c0bb546e0806de61e30906cbbec139c95896faa3691a2
Opcode Fuzzy Hash: 12d60e191f322496ec1f584a60f1247c3cfed6c3a8e4ea6b541fcbf2c6eeb13a
Instruction Fuzzy Hash: 7CE04FA2588248ABD72037F9AC4DCFB7B7CE785632B000916F6129028ADD7044548A70

Function 0298016A Relevance: 7.7, APIs: 5, Instructions: 222COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 005b342bd3807617fbd6840e975899214c140a1250e2079dae88452e1a1b93b5
Instruction ID: 7688c7736029224abfb3be2c5afa66692e42166473bfab80c1ccaa4871313a6b
Opcode Fuzzy Hash: 005b342bd3807617fbd6840e975899214c140a1250e2079dae88452e1a1b93b5
Instruction Fuzzy Hash: 8B71B471D08316DBDB21EF99C884ABFBB79FF45324F1C062AE81567180D7B09949CBA1

Function 02983F7B Relevance: 7.7, APIs: 5, Instructions: 187COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 02986AFF: RtlAllocateHeap.NTDLL(00000000,02974403,?,?,02977227,?,?,?,?,?,0294CC87,02974403,?,?,?,?), ref: 02986B31

_free.LIBCMT ref: 02984086
_free.LIBCMT ref: 0298409D
_free.LIBCMT ref: 029840BC
_free.LIBCMT ref: 029840D7
_free.LIBCMT ref: 029840EE

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: _free$AllocateHeap
String ID:
API String ID: 3033488037-0
Opcode ID: ed097ac53e92e5e558fda9478338e4c752d499de3308c43f0c64a216de8d7703
Instruction ID: 17fa2789d62ebb12e08e1c3fd81283eb26c6a4dc4e5d7dbbcf0dd7a9eaa7bdf3
Opcode Fuzzy Hash: ed097ac53e92e5e558fda9478338e4c752d499de3308c43f0c64a216de8d7703
Instruction Fuzzy Hash: 1551B372A00305AFDB21EF69DC40B6BB7F9EF94724F184569E809DB250E735E911CB80

Function 02943DE7 Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 135sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 02943E8A

Part of subcall function 02943FCD: __EH_prolog.LIBCMT ref: 02943FD2

Strings

GetFrame, xrefs: 02943F65
FreeFrame, xrefs: 02943F76
OpenCamera, xrefs: 02943F48
CloseCamera, xrefs: 02943F54

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: H_prologSleep
String ID: CloseCamera$FreeFrame$GetFrame$OpenCamera
API String ID: 3469354165-3547787478
Opcode ID: 8c6761d588dc556e0297d71f6080ee4a8f44b7575cbe3e8af53de83706d31bf9
Instruction ID: e02fbe8fdc77a273206fd6a1716ef71cd52979e3fe1dbda8f086c524d0dde48a
Opcode Fuzzy Hash: 8c6761d588dc556e0297d71f6080ee4a8f44b7575cbe3e8af53de83706d31bf9
Instruction Fuzzy Hash: 4E41E230F0831097DB05FB78D524EAE3BA65FC5700F100AA9E80A876C4EF309955CBCA

Function 0294E6A3 Relevance: 7.6, APIs: 5, Instructions: 132processCOMMON

Download Yara Rule

APIs

Part of subcall function 0295B15B: GetCurrentProcess.KERNEL32(?,?,?,0294C914,WinDir,00000000,00000000), ref: 0295B16C

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0294E6C1
Process32FirstW.KERNEL32(00000000,?), ref: 0294E6E5
Process32NextW.KERNEL32(00000000,0000022C), ref: 0294E6F4
CloseHandle.KERNEL32(00000000), ref: 0294E8AB

Part of subcall function 0295B187: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0294E4D0,00000000,?,?,029B4358), ref: 0295B19C

Part of subcall function 0295B37D: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0295B395
Part of subcall function 0295B37D: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0295B3A8

Process32NextW.KERNEL32(00000000,0000022C), ref: 0294E89C

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: Process$OpenProcess32$Next$CloseCreateCurrentFirstHandleSnapshotToolhelp32
String ID:
API String ID: 4269425633-0
Opcode ID: aeb2fb6718e0f83d525714bdc102528be0be85a7eba5ea75e03fd0f06756c43a
Instruction ID: 7acebed67016aaa822a78819e4f3e54d9a7281c54fd46388e072758261ca3359
Opcode Fuzzy Hash: aeb2fb6718e0f83d525714bdc102528be0be85a7eba5ea75e03fd0f06756c43a
Instruction Fuzzy Hash: ED41FF765183405BC325FB60D960EEFB7EAAFE4310F50492DE48E82190EF70AA49CF56

Function 02983098 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0298310A
_free.LIBCMT ref: 0298312A

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: b72cfd910ea2fc962169ae922aec08b72443b92569e5129ac57156e1f0970ad2
Instruction ID: 157bfc973ca9a152a66b792025a914c0a39fcd3eaeac5ba4378bfbc8348fa6ad
Opcode Fuzzy Hash: b72cfd910ea2fc962169ae922aec08b72443b92569e5129ac57156e1f0970ad2
Instruction Fuzzy Hash: 0841B836E002049FDB24EF78C880A6DB7B6EFC5B14F1985A9E915EB341DB31E901CB84

Function 0298FED3 Relevance: 7.6, APIs: 5, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,0297E3ED,?,00000000,?,00000001,?,?,00000001,0297E3ED,?), ref: 0298FF20
__alloca_probe_16.LIBCMT ref: 0298FF58
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0298FFA9
GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,029799BF,?), ref: 0298FFBB
__freea.LIBCMT ref: 0298FFC4

Part of subcall function 02986AFF: RtlAllocateHeap.NTDLL(00000000,02974403,?,?,02977227,?,?,?,?,?,0294CC87,02974403,?,?,?,?), ref: 02986B31

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
String ID:
API String ID: 313313983-0
Opcode ID: 069156735a046a72ebcdcd8efa1feab930ff946f583730a2136ac3eaebccb2e2
Instruction ID: b3f0a3a73f0de1ed785b48fb9234e14ce2cb5eeac9442a0389779a365e5cb555
Opcode Fuzzy Hash: 069156735a046a72ebcdcd8efa1feab930ff946f583730a2136ac3eaebccb2e2
Instruction Fuzzy Hash: 3E31EF72A1021AABDF25AF68DC40EAE7BA9EF45714B490179FC04D7180EB35CD60CBA0

Function 0294196B Relevance: 7.6, APIs: 5, Instructions: 72COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0294197B
waveInOpen.WINMM(029B1AF8,000000FF,029B1B00,Function_00001A8E,00000000,00000000,00000024), ref: 02941A11
waveInPrepareHeader.WINMM(029B1AC0,00000020,00000000), ref: 02941A66
waveInAddBuffer.WINMM(029B1AC0,00000020), ref: 02941A75
waveInStart.WINMM ref: 02941A81

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
String ID:
API String ID: 1356121797-0
Opcode ID: ac8c0086b8baa73c0650bf2c0cffb70c487bd4b71e01ea92d63fba8d979f8984
Instruction ID: fece05d056bf8d77a177a6fd9e4652db8119b645f9bfe457c511e5eb1e1057ce
Opcode Fuzzy Hash: ac8c0086b8baa73c0650bf2c0cffb70c487bd4b71e01ea92d63fba8d979f8984
Instruction Fuzzy Hash: EA219775E982109BC706DF6ABB3897A7BEAFFD6751B00482EE00DD76A4DB705420CB14

Function 0294FBEF Relevance: 7.6, APIs: 5, Instructions: 71COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0294FBFC
int.LIBCPMT ref: 0294FC0F

Part of subcall function 0294CEE0: std::_Lockit::_Lockit.LIBCPMT ref: 0294CEF1
Part of subcall function 0294CEE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0294CF0B

std::_Facet_Register.LIBCPMT ref: 0294FC4B
std::_Lockit::~_Lockit.LIBCPMT ref: 0294FC71
__CxxThrowException@8.LIBVCRUNTIME ref: 0294FC8D

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
String ID:
API String ID: 2536120697-0
Opcode ID: b200f20be0c4d477e841f2cb5b6068465bd4e8f25b77d02d7bf997c0e2f2294b
Instruction ID: 5ea73937ec60494ed3658af8ee9b6e6e9c0128dd71d67859a8487d3ee5ed1c28
Opcode Fuzzy Hash: b200f20be0c4d477e841f2cb5b6068465bd4e8f25b77d02d7bf997c0e2f2294b
Instruction Fuzzy Hash: AC11E672E00529ABCF15FBA4E950CEEB7BA9FC0754B110569E905A7180EF309F02CBD1

Function 0298E13B Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0298E144
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0298E167

Part of subcall function 02986AFF: RtlAllocateHeap.NTDLL(00000000,02974403,?,?,02977227,?,?,?,?,?,0294CC87,02974403,?,?,?,?), ref: 02986B31

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0298E18D
_free.LIBCMT ref: 0298E1A0
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0298E1AF

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 70e982c8b4107e36c0d6dda8fd76d63cc08745226008617cbf31459a63aa7a0e
Instruction ID: 9b7df541287f5a99a801174d0c28e5d7b154f4252cd76a2ed05d81a206b72b00
Opcode Fuzzy Hash: 70e982c8b4107e36c0d6dda8fd76d63cc08745226008617cbf31459a63aa7a0e
Instruction Fuzzy Hash: 7C01F7B2A552117F73257ABAAC9CCBBBE6EDEC2EB530C0528FC04C6104DF618C0185B0

Function 0294FED2 Relevance: 7.6, APIs: 5, Instructions: 59COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0294FEDF
int.LIBCPMT ref: 0294FEF2

Part of subcall function 0294CEE0: std::_Lockit::_Lockit.LIBCPMT ref: 0294CEF1
Part of subcall function 0294CEE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0294CF0B

std::_Facet_Register.LIBCPMT ref: 0294FF2E
std::_Lockit::~_Lockit.LIBCPMT ref: 0294FF54
__CxxThrowException@8.LIBVCRUNTIME ref: 0294FF70

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
String ID:
API String ID: 2536120697-0
Opcode ID: 01058638a4c642cc25039cd2583fab4e086362b463b1871541b59ada2f120ec0
Instruction ID: 3da87dcaf3a4da04f4daa815799619fa8dfa91068bbe69637e1c346034f38ea4
Opcode Fuzzy Hash: 01058638a4c642cc25039cd2583fab4e086362b463b1871541b59ada2f120ec0
Instruction Fuzzy Hash: 8A11C272900519ABCF09FBA4C554CEEB77AAFC1318B1006A9E505A76C0EF30AF05CF91

Function 02986F43 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(02974403,02974403,?,02985359,02986B42,?,?,02977227,?,?,?,?,?,0294CC87,02974403,?), ref: 02986F48
_free.LIBCMT ref: 02986F7D
_free.LIBCMT ref: 02986FA4
SetLastError.KERNEL32(00000000,?,02974403), ref: 02986FB1
SetLastError.KERNEL32(00000000,?,02974403), ref: 02986FBA

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 9e80a4a6f07816f3ea422547cbf66cf419b1636ec1761368b403c80711f00610
Instruction ID: 24636936acf149674c87017b8475fb56c81c321b5901c7f0d8a59269926dd07a
Opcode Fuzzy Hash: 9e80a4a6f07816f3ea422547cbf66cf419b1636ec1761368b403c80711f00610
Instruction Fuzzy Hash: 2801F47A68C70027D71376B45D84E6F6A3EDFC23B072D0938F919AA280FF34C8158A20

Function 0298F79D Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0298F7B5

Part of subcall function 02986AC5: RtlFreeHeap.NTDLL(00000000,00000000,?,0298FA50,?,00000000,?,00000000,?,0298FCF4,?,00000007,?,?,02990205,?), ref: 02986ADB
Part of subcall function 02986AC5: GetLastError.KERNEL32(?,?,0298FA50,?,00000000,?,00000000,?,0298FCF4,?,00000007,?,?,02990205,?,?), ref: 02986AED

_free.LIBCMT ref: 0298F7C7
_free.LIBCMT ref: 0298F7D9
_free.LIBCMT ref: 0298F7EB
_free.LIBCMT ref: 0298F7FD

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: fe036c3eec70496c0fac30229028ded192acafe572516cfddbd866f8dd300aec
Instruction ID: b8f56adb21480f206b1002bf111f5f11dab8820db29c10bed51eaa0467136136
Opcode Fuzzy Hash: fe036c3eec70496c0fac30229028ded192acafe572516cfddbd866f8dd300aec
Instruction Fuzzy Hash: 8CF01733908200BB9626FE68E5C5D2A73FEAB907547AC5C09F409DB940CB31F8E18E60

Function 029832E7 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 02983305

Part of subcall function 02986AC5: RtlFreeHeap.NTDLL(00000000,00000000,?,0298FA50,?,00000000,?,00000000,?,0298FCF4,?,00000007,?,?,02990205,?), ref: 02986ADB
Part of subcall function 02986AC5: GetLastError.KERNEL32(?,?,0298FA50,?,00000000,?,00000000,?,0298FCF4,?,00000007,?,?,02990205,?,?), ref: 02986AED

_free.LIBCMT ref: 02983317
_free.LIBCMT ref: 0298332A
_free.LIBCMT ref: 0298333B
_free.LIBCMT ref: 0298334C

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 57251644bd0f310a0882aa567c971d9eb6297c96171a3ff6b7c77b5350b65b7f
Instruction ID: a4d07587c04b7b4ff3f458e4bd4637113924100a071f335df6ff300976d966c2
Opcode Fuzzy Hash: 57251644bd0f310a0882aa567c971d9eb6297c96171a3ff6b7c77b5350b65b7f
Instruction Fuzzy Hash: C9F05E74C8D2209B9603BF14FF114AA3B7DBBAA75038C0907F4096A654EB366475DFA1

Function 029529AA Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 173registryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 02952A1D
RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000,?,?,?,?), ref: 02952A4C
RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,?,?,00002710,?,?,?,00000000,?,?,?,?), ref: 02952AED

Strings

[regsplt], xrefs: 02952B85

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: Enum$InfoQueryValue
String ID: [regsplt]
API String ID: 3554306468-4262303796
Opcode ID: a02a545388f3cb515db9edc8b39ab2f8e650b0d318f93e4ada633369619daa98
Instruction ID: c764a2c7963e6183ecd5f1b9c16e40037b9968ab3ae01ed448215fbbad8fb847
Opcode Fuzzy Hash: a02a545388f3cb515db9edc8b39ab2f8e650b0d318f93e4ada633369619daa98
Instruction Fuzzy Hash: A0510C72508345AFD324EB60D894DEBB7EDFFC4704F40092DB99A92150EF70EA498B62

Function 029826D4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\2LDJIyMl2r.exe,00000104), ref: 02982714
_free.LIBCMT ref: 029827DF
_free.LIBCMT ref: 029827E9

Strings

C:\Users\user\Desktop\2LDJIyMl2r.exe, xrefs: 0298270B, 02982712, 02982741, 02982779

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\2LDJIyMl2r.exe
API String ID: 2506810119-2848952420
Opcode ID: af2fc5670040aa34c3a991bc4036d292dc98fc5f0faa0ec417737b48b1eb1b5a
Instruction ID: 0b1b44080f90fa9040049dedcac24c39f2b771520191339a18e38eebade27214
Opcode Fuzzy Hash: af2fc5670040aa34c3a991bc4036d292dc98fc5f0faa0ec417737b48b1eb1b5a
Instruction Fuzzy Hash: 80317775E04244EFDB21EF55D980DAEBBFDEB85710F184467E80497240D7705A41CF60

Function 0294C580 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 70COMMON

Download Yara Rule

APIs

Part of subcall function 0295B58F: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,029A5900,00000000,00000000,0294C267,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0295B5CE

ShellExecuteW.SHELL32(?,open,00000000), ref: 0294C632
ExitProcess.KERNEL32 ref: 0294C63E

Strings

open, xrefs: 0294C62C
fso.DeleteFile(Wscript.ScriptFullName), xrefs: 0294C5E1

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: CreateExecuteExitFileProcessShell
String ID: fso.DeleteFile(Wscript.ScriptFullName)$open
API String ID: 2309964880-3562070623
Opcode ID: 114a23012a01e1d572af470e16d49eb9dae1487caa8f56e6bc4266f2f253c70c
Instruction ID: 5716a100425ddc25e4fb7df3b25e5bbb76e67f88043949ef62b0c4afc934eec8
Opcode Fuzzy Hash: 114a23012a01e1d572af470e16d49eb9dae1487caa8f56e6bc4266f2f253c70c
Instruction Fuzzy Hash: 632133355042015BC32CFB24E990CBFB7E6AFD1714F50492DF48A520A0EF70AA99CE56

Function 0294A876 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 67timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?,?,00000000), ref: 0294A884
wsprintfW.USER32 ref: 0294A905

Part of subcall function 02949D58: SetEvent.KERNEL32(?,?,?,0294AF3F,?,?,?,?,?,00000000), ref: 02949D84

Strings

[%04i/%02i/%02i %02i:%02i:%02i , xrefs: 0294A88D
], xrefs: 0294A892

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: EventLocalTimewsprintf
String ID: [%04i/%02i/%02i %02i:%02i:%02i $]
API String ID: 1497725170-1359877963
Opcode ID: 158f882c5f999cb1591d0c6f3af91de436433f4909fe3d581771d77828dff7c3
Instruction ID: 655405fc579197a16ac994c8e2bd82fe61c93238c96a1f86026b469dc5dd6377
Opcode Fuzzy Hash: 158f882c5f999cb1591d0c6f3af91de436433f4909fe3d581771d77828dff7c3
Instruction Fuzzy Hash: 90118676914118AACB1CFBA4EC50CFF77BDAE94321B00011EF44656190EF745A86CAE4

Function 0294A611 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64threadCOMMON

Download Yara Rule

APIs

Part of subcall function 0294A876: GetLocalTime.KERNEL32(?,?,00000000), ref: 0294A884
Part of subcall function 0294A876: wsprintfW.USER32 ref: 0294A905

Part of subcall function 0295A686: GetLocalTime.KERNEL32(00000000), ref: 0295A6A0

CreateThread.KERNEL32(00000000,00000000,Function_00009993,?,00000000,00000000), ref: 0294A691
CreateThread.KERNEL32(00000000,00000000,Function_000099B5,?,00000000,00000000), ref: 0294A69D
CreateThread.KERNEL32(00000000,00000000,029499C1,?,00000000,00000000), ref: 0294A6A9

Strings

Online Keylogger Started, xrefs: 0294A626, 0294A62F, 0294A659

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: CreateThread$LocalTime$wsprintf
String ID: Online Keylogger Started
API String ID: 112202259-1258561607
Opcode ID: 31248ccdb7c751b1899f52974324811f10c504764b3c1af553a93cf8ba2919b5
Instruction ID: 19f816d87fad1628380b6b9f677015f4fcb2590210223fe3d9c640633194e42b
Opcode Fuzzy Hash: 31248ccdb7c751b1899f52974324811f10c504764b3c1af553a93cf8ba2919b5
Instruction Fuzzy Hash: 3701F991B403183EF62076798CD6DBF7E6ECAC12A8B40056CF54616281EE505D4687F5

Function 02944B29 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,02944B26), ref: 02944B40
CloseHandle.KERNEL32(?,?,?,?,02944B26), ref: 02944B98
SetEvent.KERNEL32(?,?,?,?,02944B26), ref: 02944BA7

Strings

Connection Timeout, xrefs: 02944B66

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: CloseEventHandleObjectSingleWait
String ID: Connection Timeout
API String ID: 2055531096-499159329
Opcode ID: 60ad5d8e21ed80a7cf45b8c2167af18ba0e8b23c72d026093ddfde20c2c14f0f
Instruction ID: eaf4d4e1ca4ec934a3600ecb28c6e8d781d3181b501f105e3b082d337754821f
Opcode Fuzzy Hash: 60ad5d8e21ed80a7cf45b8c2167af18ba0e8b23c72d026093ddfde20c2c14f0f
Instruction Fuzzy Hash: 2A014775E54B41AFE726AB7A8C55D6EFFE5EF412243400A2EE0D382B20DF209000CF52

Function 029464D0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 40COMMON

Download Yara Rule

Strings

C:\Users\user\Desktop\2LDJIyMl2r.exe, xrefs: 02946927

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID:
String ID: C:\Users\user\Desktop\2LDJIyMl2r.exe
API String ID: 0-2848952420
Opcode ID: 2c2b03376e767f40358ed394cba958f7cc2b6afdd94a3916efbde80b7d8b3b65
Instruction ID: 6de317e9e28763c41b93a79dd1a5e4676db1118f4a5937bd3ba5732479620eff
Opcode Fuzzy Hash: 2c2b03376e767f40358ed394cba958f7cc2b6afdd94a3916efbde80b7d8b3b65
Instruction Fuzzy Hash: FFF096F4FA53109BDE092A78EA28FBB364EABC6396F400D25E445DA240DF6084519A50

Function 02952774 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 38registryCOMMON

Download Yara Rule

APIs

RegCreateKeyW.ADVAPI32(80000001,00000000,029B42E0), ref: 0295277F
RegSetValueExW.ADVAPI32(029B42E0,?,00000000,00000001,00000000,00000000,029B42F8,?,0294E5CB,pth_unenc,029B42E0), ref: 029527AD
RegCloseKey.ADVAPI32(029B42E0,?,0294E5CB,pth_unenc,029B42E0), ref: 029527B8

Strings

pth_unenc, xrefs: 02952778

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: CloseCreateValue
String ID: pth_unenc
API String ID: 1818849710-4028850238
Opcode ID: 8cd0c0320a019e3dd89dfcd8a8c4cac8419f0e2310ba82e7a6758e8e3fe1ce69
Instruction ID: 0da2fbe5404bb22751527ec9092499e9c9a0b6a413cfbcc49a05e63919447b9f
Opcode Fuzzy Hash: 8cd0c0320a019e3dd89dfcd8a8c4cac8419f0e2310ba82e7a6758e8e3fe1ce69
Instruction Fuzzy Hash: 12F06D71A40128BBDF109FA4ED45FEE776CAB40750F104914FD02A6050EB719B14DB60

Function 0294CDBE Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0294CDC9
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0294CE08

Part of subcall function 029747BD: _Yarn.LIBCPMT ref: 029747DC
Part of subcall function 029747BD: _Yarn.LIBCPMT ref: 02974800

__CxxThrowException@8.LIBVCRUNTIME ref: 0294CE2C

Strings

bad locale name, xrefs: 0294CE16

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
String ID: bad locale name
API String ID: 3628047217-1405518554
Opcode ID: 64dffca181d353015f33e0a77bc1cc6fbf4c55cb3bdab2d7b18d353280278099
Instruction ID: 659a10a7680eaba3155439418854ae94cad1ac39b542554ffea113acae3c41d1
Opcode Fuzzy Hash: 64dffca181d353015f33e0a77bc1cc6fbf4c55cb3bdab2d7b18d353280278099
Instruction Fuzzy Hash: 52F0CD31800208EAE728FB20D851DCEF3BAAF94740F80842DE596124D0FF30AA08CED0

Function 029551B2 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 27COMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 029551F4

Strings

/C , xrefs: 029551D2
open, xrefs: 029551EE
cmd.exe, xrefs: 029551E9

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: ExecuteShell
String ID: /C $cmd.exe$open
API String ID: 587946157-3896048727
Opcode ID: 2f8196bde7dc3ea040b312a075949cea284d4198520b2d9b7911adbd09004994
Instruction ID: 380c8ba54ea602de1b277d7ab7958a7666a83954dcfd3c302e16920b443b78c8
Opcode Fuzzy Hash: 2f8196bde7dc3ea040b312a075949cea284d4198520b2d9b7911adbd09004994
Instruction Fuzzy Hash: 57E0EDB0604300AE9708FB74DCA4DBFB7AEAED0748F505C1DB44B92191DE749A85CA55

Function 0294AFBA Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 20threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32(029499A9,00000000,029B42F8,pth_unenc,0294BF26,029B42E0,029B42F8,?,pth_unenc), ref: 0294AFC9
UnhookWindowsHookEx.USER32(029B40F8), ref: 0294AFD5
TerminateThread.KERNEL32(Function_00009993,00000000,?,pth_unenc), ref: 0294AFE3

Strings

pth_unenc, xrefs: 0294AFBA

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: TerminateThread$HookUnhookWindows
String ID: pth_unenc
API String ID: 3123878439-4028850238
Opcode ID: 1b869533dc2a3fbf0b86d84c5f2fa2cde9906a2f5f24c649b907d4e30deb2e0a
Instruction ID: c040ba7a0691e426882bac9460001362dd2c0b04b80806d22959b1e9da414a3c
Opcode Fuzzy Hash: 1b869533dc2a3fbf0b86d84c5f2fa2cde9906a2f5f24c649b907d4e30deb2e0a
Instruction Fuzzy Hash: A7E01DF66A9256EFF3101FD49C95C7AF799EA441553140D7DF6C241110CE714C54C750

Function 029414D5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 7libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 029414DF
GetProcAddress.KERNEL32(00000000), ref: 029414E6

Strings

User32.dll, xrefs: 029414DA
GetLastInputInfo, xrefs: 029414D5

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: GetLastInputInfo$User32.dll
API String ID: 2574300362-1519888992
Opcode ID: 161bfa832ab33447d40c23edd6095204dd70fe4374da287390da2d2db9380b72
Instruction ID: 5b98d031bd3416bef7e4047bd565783e1cfeebb62b3684dccfb3bf9359e000bf
Opcode Fuzzy Hash: 161bfa832ab33447d40c23edd6095204dd70fe4374da287390da2d2db9380b72
Instruction Fuzzy Hash: 62B092F4EE83809BEB212BE9A93D87CBBB4BAA87567044C08F00381140CE700120AF60

Function 02941430 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 7libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 0294143A
GetProcAddress.KERNEL32(00000000), ref: 02941441

Strings

GetCursorInfo, xrefs: 02941430
User32.dll, xrefs: 02941435

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: GetCursorInfo$User32.dll
API String ID: 1646373207-2714051624
Opcode ID: 58b6f3ab74f8cdff0b1d3072ed4e1d019745f52b658f46b35806d1f8221e9f5e
Instruction ID: 910ba15e819be0933d9b9c29311af47a060450409b890eb6307637701d01b646
Opcode Fuzzy Hash: 58b6f3ab74f8cdff0b1d3072ed4e1d019745f52b658f46b35806d1f8221e9f5e
Instruction Fuzzy Hash: D8B092F4EE93099BEA215BE4AA3D86D7BA4EA956167040842F04381640CE700020AB60

Function 02988D0B Relevance: 6.3, APIs: 4, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 02988D96
__alldvrm.LIBCMT ref: 02988F97
__alldvrm.LIBCMT ref: 02988FB9

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: cfbea5d81bad18927c52dc2d7c807fc438def7d9cc968ab0b503f6547692f02c
Instruction ID: f2588c0b0b9984963a7451eb5865b767c95b7fad2f009e7749696b2b1b176586
Opcode Fuzzy Hash: cfbea5d81bad18927c52dc2d7c807fc438def7d9cc968ab0b503f6547692f02c
Instruction Fuzzy Hash: F2A18C7290438A9FDB21EF18C8407AEBBEAFF55354F5C417DD5849B281D7389941CBA0

Function 029959CA Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 02995AF9

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: cba4a517264f6cc39ee1a55ed7c3679b71182fc10c73d6d8d3453c9c24d6ce32
Instruction ID: 02809327ef00675b64268b989ec6a362d2b4fbe32a9d101943cd6bd7aa7a375a
Opcode Fuzzy Hash: cba4a517264f6cc39ee1a55ed7c3679b71182fc10c73d6d8d3453c9c24d6ce32
Instruction Fuzzy Hash: 10412E71A01101ABDF26BB7D8CC4BAF3BAAEF81370F9F0559F418D6190D77444498AA5

Function 02981A81 Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44729213b6c9f28af67744e853cb2f85ec850b479487809795e35de60eb27877
Instruction ID: bb98b38167ce486248e4cc7d7381d8b7091b539c95ed64f1061cb5e14edf6d71
Opcode Fuzzy Hash: 44729213b6c9f28af67744e853cb2f85ec850b479487809795e35de60eb27877
Instruction Fuzzy Hash: 8341E672A00704AFD725AF7CCC40BAEBBE9EB84720F14452EE159DB680E7B195428B90

Function 0294B806 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 103sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 0294B81B
Sleep.KERNEL32(00001388), ref: 0294B8A3

Strings

[Cleared browsers logins and cookies.], xrefs: 0294B8DE
Cleared browsers logins and cookies., xrefs: 0294B8EF

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
API String ID: 3472027048-1236744412
Opcode ID: 723de90c1ea4423fabeb7bb81e1c04c7b2512668d21e97468630aa03a4e79f27
Instruction ID: 5f4986e33ddc6df071162c15371204d67d1aeaf42d6f4ca9c39829d12f414f79
Opcode Fuzzy Hash: 723de90c1ea4423fabeb7bb81e1c04c7b2512668d21e97468630aa03a4e79f27
Instruction Fuzzy Hash: E131A105E4C3806ADA166BB81536FEA7F974ED365CF08599CE8C80B382DF53C40997A3

Function 02949C4B Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 71sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 0295B6E6: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0295B6F6
Part of subcall function 0295B6E6: GetWindowTextLengthW.USER32(00000000), ref: 0295B6FF
Part of subcall function 0295B6E6: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0295B729

Sleep.KERNEL32(000001F4), ref: 02949C95
Sleep.KERNEL32(00000064), ref: 02949D1F

Strings

], xrefs: 02949C9D
[ , xrefs: 02949CB1

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: Window$SleepText$ForegroundLength
String ID: [ $ ]
API String ID: 3309952895-93608704
Opcode ID: 837a98662d45c0128088b8c1268b230249d61758e7c2924296ea921618dd02d9
Instruction ID: 2a3f1c65c49e81102a0e483ad6e16b0cce68c2f3b0b4b5fff58b8bd631478766
Opcode Fuzzy Hash: 837a98662d45c0128088b8c1268b230249d61758e7c2924296ea921618dd02d9
Instruction Fuzzy Hash: 2811B7319147009BD218F774DD26EAFB7AAAFD0710F40095DF487121D1EF61AA198FD6

Function 02982CD2 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: deb94d80b7d8d0ae21cc07da0eebe002d849c1db3ed4bf14251f3c719c485443
Instruction ID: ddf3046aa12da98fad3c82a9cf74efb1f108e3f11b857d8a3b204785501df286
Opcode Fuzzy Hash: deb94d80b7d8d0ae21cc07da0eebe002d849c1db3ed4bf14251f3c719c485443
Instruction Fuzzy Hash: 2D01F2B2A092053EE7213A786CC0F77671DEF813B8B2C0B26F921991D4EB608C504460

Function 02982D51 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6fb9b873c2f72e02b99b7872ffbfdb0ad2609502749b2a2f30f9cb2f263147a
Instruction ID: 92bce6808344c7e8b5f50f9316e11dd33b361f9caa50d7385e141e80134589b0
Opcode Fuzzy Hash: d6fb9b873c2f72e02b99b7872ffbfdb0ad2609502749b2a2f30f9cb2f263147a
Instruction Fuzzy Hash: 6701F4B2A192167EE7213AB87CD0DAB6B5EDF813B832C0736F821A61C4FF348C104560

Function 029780F5 Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 0297810F

Part of subcall function 0297805C: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 0297808B
Part of subcall function 0297805C: ___AdjustPointer.LIBCMT ref: 029780A6

_UnwindNestedFrames.LIBCMT ref: 02978124
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 02978135
CallCatchBlock.LIBVCRUNTIME ref: 0297815D

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: c8370f5f766c88f9b882548d03e746073a9763e8d7037f7b78bb80a5d64990c6
Instruction ID: fb9e265e4ae430932d9514f8d15e4e2f49865eac8a9239df734c324be781d49c
Opcode Fuzzy Hash: c8370f5f766c88f9b882548d03e746073a9763e8d7037f7b78bb80a5d64990c6
Instruction Fuzzy Hash: 29010832600148BBDF126E95CD49EEB7B6EFF88754F054518FE48A6120D732E861EBA0

Function 02987210 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,029871B7,?,00000000,00000000,00000000,?,029874E3,00000006,FlsSetValue), ref: 02987242
GetLastError.KERNEL32(?,029871B7,?,00000000,00000000,00000000,?,029874E3,00000006,FlsSetValue,0299D328,FlsSetValue,00000000,00000364,?,02986F91), ref: 0298724E
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,029871B7,?,00000000,00000000,00000000,?,029874E3,00000006,FlsSetValue,0299D328,FlsSetValue,00000000), ref: 0298725C

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: edadb3086e8fc5144a847f4dae5af3fdfd2321b6aebe67f7a8e564c7aa361ceb
Instruction ID: 4ef598fa93f2ab6bf8fc8b5aa2f093ef7dc39109d738e4e80386409e2c6529e5
Opcode Fuzzy Hash: edadb3086e8fc5144a847f4dae5af3fdfd2321b6aebe67f7a8e564c7aa361ceb
Instruction Fuzzy Hash: 3B01FC36A69226ABC7219DFD9C44EE6F79CAF05BB17280A20F906D3240DB20D810C6E1

Function 0295B61A Relevance: 6.0, APIs: 4, Instructions: 50fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,02949F65), ref: 0295B633
GetFileSize.KERNEL32(00000000,00000000), ref: 0295B647
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0295B66C
CloseHandle.KERNEL32(00000000), ref: 0295B67A

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleReadSize
String ID:
API String ID: 3919263394-0
Opcode ID: d56dc60dc54817ac7abf01355f9fb2f75358098e9166022520dae720767175db
Instruction ID: 6e1bacccbf4eb1b7ea8de22e8faccde504980a253cefb7c1be50cc509519f6d1
Opcode Fuzzy Hash: d56dc60dc54817ac7abf01355f9fb2f75358098e9166022520dae720767175db
Instruction Fuzzy Hash: 31F0F6B13562147FE6105A68BC94FBF779CDBC66B8F000629FC0192180DE614C054630

Function 0295850C Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000004C), ref: 02958519
GetSystemMetrics.USER32(0000004D), ref: 0295851F
GetSystemMetrics.USER32(0000004E), ref: 02958525
GetSystemMetrics.USER32(0000004F), ref: 0295852B

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-0
Opcode ID: 1fa7f3cae8c2356f3743d4251267b66a6ecc1987414a62ad6c7e18427d46abb8
Instruction ID: cd25881294c078e17e383bbe1e79499e91ad1197666ba44088d5923307db6386
Opcode Fuzzy Hash: 1fa7f3cae8c2356f3743d4251267b66a6ecc1987414a62ad6c7e18427d46abb8
Instruction Fuzzy Hash: 5DF0D662B043355BDA00EA78484462FBBD7AFC02A0F150C6AEE099B341DEB4EC478BD5

Function 0295B37D Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0295B395
OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0295B3A8
CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0295B3D3
CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0295B3DB

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: CloseHandleOpenProcess
String ID:
API String ID: 39102293-0
Opcode ID: 3a003607182f3089d8f6e3125b895e76e34a0070d8d47fe5a8ce3bcece49bfc1
Instruction ID: 3f6281396b148d92e9e9e746ea94a225076b563f869a73fb7c7f7ef0837dabd7
Opcode Fuzzy Hash: 3a003607182f3089d8f6e3125b895e76e34a0070d8d47fe5a8ce3bcece49bfc1
Instruction Fuzzy Hash: 1CF049717442256BD311A3989C39FBBF26CEB80695F000815FE41E2194EFB08C404764

Function 02981EDD Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 02981F6D

Strings

pow, xrefs: 02981F45, 02981F62

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 5ead1b8df76f47304c16bfb9d9c0497a28559e1be46cfe631cbb7b2314d685dd
Instruction ID: 6e7c61f7d145aad3e9c581f917022cebe5472dfaeedaf0b0fd412e75ded2a9d8
Opcode Fuzzy Hash: 5ead1b8df76f47304c16bfb9d9c0497a28559e1be46cfe631cbb7b2314d685dd
Instruction Fuzzy Hash: 3C51AD72E0C10296CB197B18C94037A6BE8DB40B55F2C4D7AF4DA422D8EF3584E6DE66

Function 02943A10 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 92sleepCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 02943A2A

Part of subcall function 0295AB38: GetCurrentProcessId.KERNEL32(00000000,74DF3530,00000000,?,?,?,?,029A5900,0294C07B,.vbs,?,?,?,?,?,029B42F8), ref: 0295AB5F

Part of subcall function 029576B6: CloseHandle.KERNEL32(02943AB9,?,?,02943AB9,029A5324), ref: 029576CC
Part of subcall function 029576B6: CloseHandle.KERNEL32(029A5324,?,?,02943AB9,029A5324), ref: 029576D5

Part of subcall function 0295B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,02949F65), ref: 0295B633

Sleep.KERNEL32(000000FA,029A5324), ref: 02943AFC

Strings

/sort "Visit Time" /stext ", xrefs: 02943A76

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
String ID: /sort "Visit Time" /stext "
API String ID: 368326130-1573945896
Opcode ID: b058a789b350edcf90dcedf3307f871eac52dfb781e7ee5f67c8c59b9287bfb3
Instruction ID: 0444ddd4d062f7d158433eb61059c09a24fd218d8d92a88b9f6096f78dc15a63
Opcode Fuzzy Hash: b058a789b350edcf90dcedf3307f871eac52dfb781e7ee5f67c8c59b9287bfb3
Instruction Fuzzy Hash: 59313035A102145ADB18F7B4DCA5EEEB7B7AFD0310F4005A9D44AA7190EF705A8ACE91

Function 029908DE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMON

Download Yara Rule

APIs

GetACP.KERNEL32(?,20001004,?,00000002), ref: 029909B9

Strings

OCP, xrefs: 02990932
ACP, xrefs: 029908FC

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID:
String ID: ACP$OCP
API String ID: 0-711371036
Opcode ID: ec7383e38ecdc106183e520910be0a0479a6e24307c410b1fe2bb560314b0252
Instruction ID: 0c3ab6e922c01254394fd6b1e72ee7a7dca630b2c92a1b27a36048f7dda9d342
Opcode Fuzzy Hash: ec7383e38ecdc106183e520910be0a0479a6e24307c410b1fe2bb560314b0252
Instruction Fuzzy Hash: 3421C872A04201AEFF34DB5CC901BAB73AEABA4B75F5A4924ED69D7200F732D940C350

Function 0294AE58 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 02973519: EnterCriticalSection.KERNEL32(029B0D18,?,029B5D2C,?,0294AE8B,029B5D2C,?,00000000,00000000), ref: 02973524
Part of subcall function 02973519: LeaveCriticalSection.KERNEL32(029B0D18,?,0294AE8B,029B5D2C,?,00000000,00000000), ref: 02973561

Part of subcall function 029738A5: __onexit.LIBCMT ref: 029738AB

__Init_thread_footer.LIBCMT ref: 0294AEA7

Part of subcall function 029734CF: EnterCriticalSection.KERNEL32(029B0D18,029B5D2C,?,0294AEAC,029B5D2C,02996D97,?,00000000,00000000), ref: 029734D9
Part of subcall function 029734CF: LeaveCriticalSection.KERNEL32(029B0D18,?,0294AEAC,029B5D2C,02996D97,?,00000000,00000000), ref: 0297350C

Strings

[Text copied to clipboard], xrefs: 0294AEF6
[End of clipboard], xrefs: 0294AEE9

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit
String ID: [End of clipboard]$[Text copied to clipboard]
API String ID: 2974294136-3686566968
Opcode ID: 0a953cf58ba35c8f5d09c11225aa9d372c186eb33993f4d469003042670c773e
Instruction ID: 5838e66506db62a4da2d78bad85d42ab65cdbbf076370db4c899cd6d7ef2f81d
Opcode Fuzzy Hash: 0a953cf58ba35c8f5d09c11225aa9d372c186eb33993f4d469003042670c773e
Instruction Fuzzy Hash: 7121A832A102199BDB18FBB4D8A0DEE7776AFD4310F900679D50667190EF706D8ACF94

Function 029449BA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?,029B3EE8,029B45A8,?,?,?,?,?,?,?,02954D7D,?,00000001,0000004C,00000000), ref: 029449F1

Part of subcall function 0295A686: GetLocalTime.KERNEL32(00000000), ref: 0295A6A0

GetLocalTime.KERNEL32(?,029B3EE8,029B45A8,?,?,?,?,?,?,?,02954D7D,?,00000001,0000004C,00000000), ref: 02944A4E

Strings

KeepAlive | Enabled | Timeout: , xrefs: 029449E5

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: LocalTime
String ID: KeepAlive | Enabled | Timeout:
API String ID: 481472006-1507639952
Opcode ID: b81c0b1884b0debde81128c6a88563e082e466b477ace685026b629cb090e4cc
Instruction ID: fdcfcb844aec79e859ef156899839f7a975112de6339a619bd5bda6ace95ea52
Opcode Fuzzy Hash: b81c0b1884b0debde81128c6a88563e082e466b477ace685026b629cb090e4cc
Instruction Fuzzy Hash: 2A21AA61E08390ABD712FBB88424B7F7BD99BD0319F881A0DD80903241EF601619DBAB

Function 0295A686 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 59timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(00000000), ref: 0295A6A0

Strings

%02i:%02i:%02i:%03i , xrefs: 0295A6B5
| , xrefs: 0295A6D3

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: LocalTime
String ID: | $%02i:%02i:%02i:%03i
API String ID: 481472006-2430845779
Opcode ID: 214a73b7c65c93fd12196b93da0cfd2cc2cc093dab7a2cdfb9e02dbfc1969e8a
Instruction ID: 3da6de668078609a8ad62eb4e174b757911d14ff0d9363ae976cce85dea97c48
Opcode Fuzzy Hash: 214a73b7c65c93fd12196b93da0cfd2cc2cc093dab7a2cdfb9e02dbfc1969e8a
Instruction Fuzzy Hash: 961142725183445BC704FBA4D864DBF73EAAFD4704F50492EF88982190EF74DA84DB55

Function 0294A767 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

Part of subcall function 0294A876: GetLocalTime.KERNEL32(?,?,00000000), ref: 0294A884
Part of subcall function 0294A876: wsprintfW.USER32 ref: 0294A905

Part of subcall function 0295A686: GetLocalTime.KERNEL32(00000000), ref: 0295A6A0

CloseHandle.KERNEL32(?), ref: 0294A7CA
UnhookWindowsHookEx.USER32 ref: 0294A7DD

Strings

Online Keylogger Stopped, xrefs: 0294A777, 0294A77F, 0294A7A6

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
String ID: Online Keylogger Stopped
API String ID: 1623830855-1496645233
Opcode ID: 580daec90539631073dfab1e73cbe3bc22366f5bb26d3bc1b2042a0ec0642039
Instruction ID: ccb8ed520d864328d92d092bfaa50f7bda0ee43be5d7e68c21315ee261375852
Opcode Fuzzy Hash: 580daec90539631073dfab1e73cbe3bc22366f5bb26d3bc1b2042a0ec0642039
Instruction Fuzzy Hash: 83014235F442019BDB31BB38C82AFBEBFB69BC2321F80055CD48212181DFA15986CBD2

Function 0294AD56 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 32keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000011), ref: 0294AD5B

Part of subcall function 02949B10: GetForegroundWindow.USER32(?,?,029B40F8), ref: 02949B3F
Part of subcall function 02949B10: GetWindowThreadProcessId.USER32(00000000,?), ref: 02949B4B
Part of subcall function 02949B10: GetKeyboardLayout.USER32(00000000), ref: 02949B52
Part of subcall function 02949B10: GetKeyState.USER32(00000010), ref: 02949B5C
Part of subcall function 02949B10: GetKeyboardState.USER32(?,?,029B40F8), ref: 02949B67
Part of subcall function 02949B10: ToUnicodeEx.USER32(029B414C,?,?,?,00000010,00000000,00000000), ref: 02949B8A
Part of subcall function 02949B10: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 02949BE3

Part of subcall function 02949D58: SetEvent.KERNEL32(?,?,?,0294AF3F,?,?,?,?,?,00000000), ref: 02949D84

Strings

[AltR], xrefs: 0294AD91
[AltL], xrefs: 0294AD9D

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
String ID: [AltL]$[AltR]
API String ID: 2738857842-2658077756
Opcode ID: 4a6b47431027a00e5dc22866bdddf8f90c377ecdfd2e7dee707f0130522d6e79
Instruction ID: 4ea43ab884c5a1fb4acca08fb1e28d5d24e9fb045a6ca5f3b9aacd8b01bd66ab
Opcode Fuzzy Hash: 4a6b47431027a00e5dc22866bdddf8f90c377ecdfd2e7dee707f0130522d6e79
Instruction Fuzzy Hash: 30E09B21780221179858353EA53EEFE3E168FC1A75B81064DF4464F584DE45494147C2

Function 0294ADB0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000012), ref: 0294ADB5

Strings

[CtrlR], xrefs: 0294ADD2
[CtrlL], xrefs: 0294ADE3

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: State
String ID: [CtrlL]$[CtrlR]
API String ID: 1649606143-2446555240
Opcode ID: 70b1fbd5c03086cddd579827e756c74017bcf748a991a690dcf35a6a94046bbf
Instruction ID: 7066cc988e043d471342170280fbea0f96d039fb7b11f9ce48d6f573467d4fba
Opcode Fuzzy Hash: 70b1fbd5c03086cddd579827e756c74017bcf748a991a690dcf35a6a94046bbf
Instruction Fuzzy Hash: 88E0C221B8031117E928753DD63EEBE2E25CF82A72FC10658F8838B5C9DE498A5043C2

Function 0295297A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 23registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0294BFB2,00000000,029B42E0,029B42F8,?,pth_unenc), ref: 02952988
RegDeleteValueW.ADVAPI32(?,?,?,pth_unenc), ref: 02952998

Strings

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 02952986

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: DeleteOpenValue
String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
API String ID: 2654517830-1051519024
Opcode ID: 35280138a039aa4f4e073007a50f77376d0b0a22b82d10f394a846bd45a6f35d
Instruction ID: 53a954d3469b0a4b5469d78d13314476d5a1d585b7a9ad455c5019323c84be10
Opcode Fuzzy Hash: 35280138a039aa4f4e073007a50f77376d0b0a22b82d10f394a846bd45a6f35d
Instruction Fuzzy Hash: 64E01274B50304BBEF108FA1DD06FEA77ACBB40B88F004554F905E5180E771D914A754

Function 0294AF77 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(00000000,?,pth_unenc), ref: 0294AF84
RemoveDirectoryW.KERNEL32(00000000,?,pth_unenc), ref: 0294AFAF

Strings

pth_unenc, xrefs: 0294AF77

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: DeleteDirectoryFileRemove
String ID: pth_unenc
API String ID: 3325800564-4028850238
Opcode ID: 73a7143f6a18bfcd18ecc68a01b6112e78e682632496cca2bd4db2560b9b5bc0
Instruction ID: 518cbc80c4a3497506bf514119f4109dc9e5ee383914cb294bff5fe7b0afec92
Opcode Fuzzy Hash: 73a7143f6a18bfcd18ecc68a01b6112e78e682632496cca2bd4db2560b9b5bc0
Instruction Fuzzy Hash: FEE0C2B69A03204BC610AF74DC54EEBBB9DBF45329F40491BE4D3D3220DF64A988CB90

Function 02951699 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13synchronizationCOMMON

Download Yara Rule

APIs

TerminateProcess.KERNEL32(00000000,pth_unenc,0294E670), ref: 029516A9
WaitForSingleObject.KERNEL32(000000FF), ref: 029516BC

Strings

pth_unenc, xrefs: 02951699

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: ObjectProcessSingleTerminateWait
String ID: pth_unenc
API String ID: 1872346434-4028850238
Opcode ID: 5523cef61f3384f6751acc737aad3fc780b8ec4287beefe05752ef05dd4c3e3a
Instruction ID: 50f4bc3885f5f1ad9a1bd1f72f37ea3c09f2230941a31452a64408e548f801e4
Opcode Fuzzy Hash: 5523cef61f3384f6751acc737aad3fc780b8ec4287beefe05752ef05dd4c3e3a
Instruction Fuzzy Hash: F7D02278DFD0049FD7424BA4AC18BA87B2DAF40331F108B03FA24402F0CB320070EA14

Function 0297FA5E Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,02941AD8), ref: 0297FAF4
GetLastError.KERNEL32 ref: 0297FB02
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0297FB5D

Memory Dump Source

Source File: 00000002.00000002.4103993985.0000000002940000.00000040.00000400.00020000.00000000.sdmp, Offset: 02940000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2940000_2LDJIyMl2r.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 89b69fcd8e2d3bd94d5935ade3f6dd70cde06f2cfe2391d277b68715def577dc
Instruction ID: e0552d100f265fa3f9d5fa5e0b6ff7a8b42a536fd6f5b11c9fd3799e9b7895af
Opcode Fuzzy Hash: 89b69fcd8e2d3bd94d5935ade3f6dd70cde06f2cfe2391d277b68715def577dc
Instruction Fuzzy Hash: EB412B31604246EFCF259FA8C854BBEBBA9EF45324F1541ADF85DBB5A4EB308900CB51

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Containers, IaaS, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 2LDJIyMl2r.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Remcos

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Privilege Escalation

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\data\registros.dat

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\json[1].json

C:\Users\user\Favorites\my-web-app\backend\userModel.exe

Static File Info

General

File Icon

Static PE Info

General

Windows Analysis Report
2LDJIyMl2r.exe

Function 0295BCE3 Relevance: 115.6, APIs: 40, Strings: 26, Instructions: 140
libraryloaderCOMMON

Function 029559C6 Relevance: 18.1, APIs: 12, Instructions: 80
clipboardmemoryCOMMON

Function 029499E4 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 65
windowCOMMON

Function 02949B10 Relevance: 12.1, APIs: 8, Instructions: 108
keyboardthreadCOMMON

Function 02955A45 Relevance: 12.0, APIs: 8, Instructions: 46
clipboardCOMMON

Function 0295A51B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 68
networkfileCOMMON

Function 029558B9 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 97
libraryloadershutdownCOMMON

Function 0294E54F Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 88
sleepCOMMON

Function 0294D767 Relevance: 46.3, APIs: 13, Strings: 13, Instructions: 799
COMMON

Function 02953FD4 Relevance: 32.3, APIs: 5, Strings: 13, Instructions: 813
sleepnetworkCOMMON

Function 0294428C Relevance: 19.4, APIs: 4, Strings: 7, Instructions: 147
networkCOMMON

Function 0294A3F4 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 158
sleepCOMMON

Function 0294C89E Relevance: 17.6, APIs: 1, Strings: 9, Instructions: 139
COMMON

Function 0295A463 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 59
COMMON

Function 02949E48 Relevance: 9.2, APIs: 6, Instructions: 163
sleepCOMMON

Description:	Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as `sc query` , `tasklist /svc` , `systemctl --type=service` , and `net start` .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre