Edit tour

Windows Analysis Report
rZcI2tz327.exe

Overview

General Information

Sample name:	rZcI2tz327.exe renamed because original name is a hash value
Original sample name:	a543a1c165826c1cc9c6703e02ff50f398e80221ecd6df58b9bd125abf161ead.exe
Analysis ID:	1588946
MD5:	65648db3b2762142eb97ca37fb8e68be
SHA1:	75e2776f7f50a678afcfea55b998796e55141049
SHA256:	a543a1c165826c1cc9c6703e02ff50f398e80221ecd6df58b9bd125abf161ead
Tags:	exeRemcosRATuser-adrian__luca
Infos:

Detection

Remcos

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Remcos RAT

Yara detected UAC Bypass using CMSTP

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Machine Learning detection for sample

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Detected potential crypto function

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

One or more processes crash

PE file contains executable resources (Code or Archives)

PE file does not import any functions

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Keylogger Generic

Yara signature match

Classification

Process Tree

System is w10x64

rZcI2tz327.exe (PID: 2120 cmdline: "C:\Users\user\Desktop\rZcI2tz327.exe" MD5: 65648DB3B2762142EB97CA37FB8E68BE)

WerFault.exe (PID: 1468 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2120 -s 224 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Remcos, RemcosRAT	Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.	APT33 The Gorgon Group UAC-0050	http://malware-traffic-analysis.net/2017/12/22/index.html https://0xmrmagnezi.github.io/malware%20analysis/RemcosRAT/ https://asec.ahnlab.com/en/32376/ https://asec.ahnlab.com/ko/25837/ https://asec.ahnlab.com/ko/32101/	https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Malware Configuration

Threatname: Remcos

{"Host:Port:Password": ["192.210.150.26:3678:0"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-MKYDDH", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": ""}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
rZcI2tz327.exe	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
rZcI2tz327.exe	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
rZcI2tz327.exe	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
rZcI2tz327.exe	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaf8:$a1: Remcos restarted by watchdog! 0x6b070:$a3: %02i:%02i:%02i:%03i
rZcI2tz327.exe	REMCOS_RAT_variants	unknown	unknown	0x64d94:$str_a1: C:\Windows\System32\cmd.exe 0x64d10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64d10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65210:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x65810:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64e04:$str_b2: Executing file: 0x65c3c:$str_b3: GetDirectListeningPort 0x65600:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65780:$str_b7: \update.vbs 0x64e2c:$str_b9: Downloaded file: 0x64e18:$str_b10: Downloading file: 0x64ebc:$str_b12: Failed to upload file: 0x65c04:$str_b13: StartForward 0x65c24:$str_b14: StopForward 0x656d8:$str_b15: fso.DeleteFile " 0x6566c:$str_b16: On Error Resume Next 0x65708:$str_b17: fso.DeleteFolder " 0x64eac:$str_b18: Uploaded file: 0x64e6c:$str_b19: Unable to delete: 0x656a0:$str_b20: while fso.FileExists(" 0x65349:$str_c0: [Firefox StoredLogins not found]
rZcI2tz327.exe	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x64c80:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64c10:$s1: CoGetObject 0x64c24:$s1: CoGetObject 0x64c40:$s1: CoGetObject 0x6e870:$s1: CoGetObject 0x64bd0:$s2: Elevation:Administrator!new:
Click to see the 1 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000000.1311804889.0000000000457000.00000008.00000001.01000000.00000003.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000001.00000000.1311804889.0000000000457000.00000008.00000001.01000000.00000003.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000001.00000000.1311804889.0000000000457000.00000008.00000001.01000000.00000003.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000001.00000000.1311804889.0000000000457000.00000008.00000001.01000000.00000003.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x146f8:$a1: Remcos restarted by watchdog! 0x14c70:$a3: %02i:%02i:%02i:%03i
00000001.00000002.2563363859.0000000000457000.00000004.00000001.01000000.00000003.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000001.00000002.2563363859.0000000000457000.00000004.00000001.01000000.00000003.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000001.00000002.2563363859.0000000000457000.00000004.00000001.01000000.00000003.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000001.00000002.2563363859.0000000000457000.00000004.00000001.01000000.00000003.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x146f8:$a1: Remcos restarted by watchdog! 0x14c70:$a3: %02i:%02i:%02i:%03i
Process Memory Space: rZcI2tz327.exe PID: 2120	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: rZcI2tz327.exe PID: 2120	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: rZcI2tz327.exe PID: 2120	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: rZcI2tz327.exe PID: 2120	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x7725:$a1: Remcos restarted by watchdog! 0x12f2b:$a1: Remcos restarted by watchdog! 0x7c82:$a3: %02i:%02i:%02i:%03i 0x803a:$a3: %02i:%02i:%02i:%03i 0x13488:$a3: %02i:%02i:%02i:%03i 0x13840:$a3: %02i:%02i:%02i:%03i
Click to see the 7 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.0.rZcI2tz327.exe.400000.0.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
1.0.rZcI2tz327.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
1.0.rZcI2tz327.exe.400000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
1.0.rZcI2tz327.exe.400000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaf8:$a1: Remcos restarted by watchdog! 0x6b070:$a3: %02i:%02i:%02i:%03i
1.0.rZcI2tz327.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x64d94:$str_a1: C:\Windows\System32\cmd.exe 0x64d10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64d10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65210:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x65810:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64e04:$str_b2: Executing file: 0x65c3c:$str_b3: GetDirectListeningPort 0x65600:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65780:$str_b7: \update.vbs 0x64e2c:$str_b9: Downloaded file: 0x64e18:$str_b10: Downloading file: 0x64ebc:$str_b12: Failed to upload file: 0x65c04:$str_b13: StartForward 0x65c24:$str_b14: StopForward 0x656d8:$str_b15: fso.DeleteFile " 0x6566c:$str_b16: On Error Resume Next 0x65708:$str_b17: fso.DeleteFolder " 0x64eac:$str_b18: Uploaded file: 0x64e6c:$str_b19: Unable to delete: 0x656a0:$str_b20: while fso.FileExists(" 0x65349:$str_c0: [Firefox StoredLogins not found]
1.0.rZcI2tz327.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x64c80:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64c10:$s1: CoGetObject 0x64c24:$s1: CoGetObject 0x64c40:$s1: CoGetObject 0x6e870:$s1: CoGetObject 0x64bd0:$s2: Elevation:Administrator!new:
1.2.rZcI2tz327.exe.400000.0.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
1.2.rZcI2tz327.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
1.2.rZcI2tz327.exe.400000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
1.2.rZcI2tz327.exe.400000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaf8:$a1: Remcos restarted by watchdog! 0x6b070:$a3: %02i:%02i:%02i:%03i
1.2.rZcI2tz327.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x64d94:$str_a1: C:\Windows\System32\cmd.exe 0x64d10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64d10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65210:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x65810:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64e04:$str_b2: Executing file: 0x65c3c:$str_b3: GetDirectListeningPort 0x65600:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65780:$str_b7: \update.vbs 0x64e2c:$str_b9: Downloaded file: 0x64e18:$str_b10: Downloading file: 0x64ebc:$str_b12: Failed to upload file: 0x65c04:$str_b13: StartForward 0x65c24:$str_b14: StopForward 0x656d8:$str_b15: fso.DeleteFile " 0x6566c:$str_b16: On Error Resume Next 0x65708:$str_b17: fso.DeleteFolder " 0x64eac:$str_b18: Uploaded file: 0x64e6c:$str_b19: Unable to delete: 0x656a0:$str_b20: while fso.FileExists(" 0x65349:$str_c0: [Firefox StoredLogins not found]
1.2.rZcI2tz327.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x64c80:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64c10:$s1: CoGetObject 0x64c24:$s1: CoGetObject 0x64c40:$s1: CoGetObject 0x6e870:$s1: CoGetObject 0x64bd0:$s2: Elevation:Administrator!new:
Click to see the 7 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: rZcI2tz327.exe

Malware Configuration Extractor: Remcos {"Host:Port:Password": ["192.210.150.26:3678:0"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-MKYDDH", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": ""}

Multi AV Scanner detection for submitted file

Source: rZcI2tz327.exe	Virustotal: Detection: 66%			Perma Link
Source: rZcI2tz327.exe	ReversingLabs: Detection: 79%

Yara detected Remcos RAT

Source: Yara match	File source: rZcI2tz327.exe, type: SAMPLE
Source: Yara match	File source: 1.0.rZcI2tz327.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.rZcI2tz327.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000000.1311804889.0000000000457000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2563363859.0000000000457000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rZcI2tz327.exe PID: 2120, type: MEMORYSTR

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 91.2% probability

Machine Learning detection for sample

Source: rZcI2tz327.exe

Joe Sandbox ML: detected

Source: rZcI2tz327.exe, 00000001.00000002.2563363859.0000000000457000.00000004.00000001.01000000.00000003.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_13e6d195-6

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: rZcI2tz327.exe, type: SAMPLE
Source: Yara match	File source: 1.0.rZcI2tz327.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.rZcI2tz327.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000000.1311804889.0000000000457000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2563363859.0000000000457000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rZcI2tz327.exe PID: 2120, type: MEMORYSTR

Source: rZcI2tz327.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

IPs: 192.210.150.26

Source: Joe Sandbox View

IP Address: 192.210.150.26 192.210.150.26

Source: Joe Sandbox View

ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS

Source: rZcI2tz327.exe	String found in binary or memory: http://geoplugin.net/json.gp
Source: rZcI2tz327.exe	String found in binary or memory: http://geoplugin.net/json.gp/C
Source: Amcache.hve.5.dr	String found in binary or memory: http://upx.sf.net

Source: Yara match	File source: rZcI2tz327.exe, type: SAMPLE
Source: Yara match	File source: 1.0.rZcI2tz327.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.rZcI2tz327.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000000.1311804889.0000000000457000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2563363859.0000000000457000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rZcI2tz327.exe PID: 2120, type: MEMORYSTR

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match	File source: rZcI2tz327.exe, type: SAMPLE
Source: Yara match	File source: 1.0.rZcI2tz327.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.rZcI2tz327.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000000.1311804889.0000000000457000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2563363859.0000000000457000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rZcI2tz327.exe PID: 2120, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: rZcI2tz327.exe, type: SAMPLE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: rZcI2tz327.exe, type: SAMPLE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: rZcI2tz327.exe, type: SAMPLE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 1.0.rZcI2tz327.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 1.0.rZcI2tz327.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 1.0.rZcI2tz327.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 1.2.rZcI2tz327.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 1.2.rZcI2tz327.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 1.2.rZcI2tz327.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000001.00000000.1311804889.0000000000457000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000001.00000002.2563363859.0000000000457000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: rZcI2tz327.exe PID: 2120, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown

Source: C:\Users\user\Desktop\rZcI2tz327.exe	Code function: 1_2_0041D071	1_2_0041D071
Source: C:\Users\user\Desktop\rZcI2tz327.exe	Code function: 1_2_004520D2	1_2_004520D2
Source: C:\Users\user\Desktop\rZcI2tz327.exe	Code function: 1_2_0043D098	1_2_0043D098
Source: C:\Users\user\Desktop\rZcI2tz327.exe	Code function: 1_2_00437150	1_2_00437150
Source: C:\Users\user\Desktop\rZcI2tz327.exe	Code function: 1_2_004361AA	1_2_004361AA
Source: C:\Users\user\Desktop\rZcI2tz327.exe	Code function: 1_2_00426254	1_2_00426254
Source: C:\Users\user\Desktop\rZcI2tz327.exe	Code function: 1_2_00431377	1_2_00431377
Source: C:\Users\user\Desktop\rZcI2tz327.exe	Code function: 1_2_0043651C	1_2_0043651C
Source: C:\Users\user\Desktop\rZcI2tz327.exe	Code function: 1_2_0041E5DF	1_2_0041E5DF
Source: C:\Users\user\Desktop\rZcI2tz327.exe	Code function: 1_2_0044C739	1_2_0044C739
Source: C:\Users\user\Desktop\rZcI2tz327.exe	Code function: 1_2_004367C6	1_2_004367C6
Source: C:\Users\user\Desktop\rZcI2tz327.exe	Code function: 1_2_004267CB	1_2_004267CB
Source: C:\Users\user\Desktop\rZcI2tz327.exe	Code function: 1_2_0043C9DD	1_2_0043C9DD
Source: C:\Users\user\Desktop\rZcI2tz327.exe	Code function: 1_2_00432A49	1_2_00432A49
Source: C:\Users\user\Desktop\rZcI2tz327.exe	Code function: 1_2_00436A8D	1_2_00436A8D
Source: C:\Users\user\Desktop\rZcI2tz327.exe	Code function: 1_2_0043CC0C	1_2_0043CC0C
Source: C:\Users\user\Desktop\rZcI2tz327.exe	Code function: 1_2_00436D48	1_2_00436D48
Source: C:\Users\user\Desktop\rZcI2tz327.exe	Code function: 1_2_00434D22	1_2_00434D22
Source: C:\Users\user\Desktop\rZcI2tz327.exe	Code function: 1_2_00426E73	1_2_00426E73
Source: C:\Users\user\Desktop\rZcI2tz327.exe	Code function: 1_2_00440E20	1_2_00440E20
Source: C:\Users\user\Desktop\rZcI2tz327.exe	Code function: 1_2_0043CE3B	1_2_0043CE3B
Source: C:\Users\user\Desktop\rZcI2tz327.exe	Code function: 1_2_00412F45	1_2_00412F45
Source: C:\Users\user\Desktop\rZcI2tz327.exe	Code function: 1_2_00452F00	1_2_00452F00
Source: C:\Users\user\Desktop\rZcI2tz327.exe	Code function: 1_2_00426FAD	1_2_00426FAD

Source: C:\Users\user\Desktop\rZcI2tz327.exe	Code function: String function: 00401F66 appears 50 times
Source: C:\Users\user\Desktop\rZcI2tz327.exe	Code function: String function: 004020E7 appears 39 times
Source: C:\Users\user\Desktop\rZcI2tz327.exe	Code function: String function: 004338A5 appears 42 times
Source: C:\Users\user\Desktop\rZcI2tz327.exe	Code function: String function: 00433FB0 appears 55 times

Source: C:\Users\user\Desktop\rZcI2tz327.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2120 -s 224

Source: rZcI2tz327.exe

Static PE information: Resource name: RT_RCDATA type: DOS executable (COM, 0x8C-variant)

Source: rZcI2tz327.exe

Static PE information: No import functions for PE file found

Source: rZcI2tz327.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: rZcI2tz327.exe, type: SAMPLE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: rZcI2tz327.exe, type: SAMPLE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: rZcI2tz327.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 1.0.rZcI2tz327.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 1.0.rZcI2tz327.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 1.0.rZcI2tz327.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 1.2.rZcI2tz327.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 1.2.rZcI2tz327.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 1.2.rZcI2tz327.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000001.00000000.1311804889.0000000000457000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000001.00000002.2563363859.0000000000457000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: rZcI2tz327.exe PID: 2120, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.spyw.expl.winEXE@2/5@0/1

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2120

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\e855ee85-c69a-4622-81b3-d9bc71b22aa1

Jump to behavior

Source: C:\Users\user\Desktop\rZcI2tz327.exe	Command line argument: XCG	1_2_0040D767
Source: C:\Users\user\Desktop\rZcI2tz327.exe	Command line argument: XCG	1_2_0040D767
Source: C:\Users\user\Desktop\rZcI2tz327.exe	Command line argument: Software\	1_2_0040D767
Source: C:\Users\user\Desktop\rZcI2tz327.exe	Command line argument: (CG	1_2_0040D767
Source: C:\Users\user\Desktop\rZcI2tz327.exe	Command line argument: Exe	1_2_0040D767
Source: C:\Users\user\Desktop\rZcI2tz327.exe	Command line argument: (CG	1_2_0040D767
Source: C:\Users\user\Desktop\rZcI2tz327.exe	Command line argument: 0DG	1_2_0040D767
Source: C:\Users\user\Desktop\rZcI2tz327.exe	Command line argument: Inj	1_2_0040D767
Source: C:\Users\user\Desktop\rZcI2tz327.exe	Command line argument: Inj	1_2_0040D767
Source: C:\Users\user\Desktop\rZcI2tz327.exe	Command line argument: XCG	1_2_0040D767
Source: C:\Users\user\Desktop\rZcI2tz327.exe	Command line argument: XCG	1_2_0040D767
Source: C:\Users\user\Desktop\rZcI2tz327.exe	Command line argument: XCG	1_2_0040D767
Source: C:\Users\user\Desktop\rZcI2tz327.exe	Command line argument: BG	1_2_0040D767
Source: C:\Users\user\Desktop\rZcI2tz327.exe	Command line argument: BG	1_2_0040D767
Source: C:\Users\user\Desktop\rZcI2tz327.exe	Command line argument: BG	1_2_0040D767
Source: C:\Users\user\Desktop\rZcI2tz327.exe	Command line argument: @CG	1_2_0040D767
Source: C:\Users\user\Desktop\rZcI2tz327.exe	Command line argument: BG	1_2_0040D767
Source: C:\Users\user\Desktop\rZcI2tz327.exe	Command line argument: exepath	1_2_0040D767
Source: C:\Users\user\Desktop\rZcI2tz327.exe	Command line argument: XCG	1_2_0040D767
Source: C:\Users\user\Desktop\rZcI2tz327.exe	Command line argument: @CG	1_2_0040D767
Source: C:\Users\user\Desktop\rZcI2tz327.exe	Command line argument: exepath	1_2_0040D767
Source: C:\Users\user\Desktop\rZcI2tz327.exe	Command line argument: BG	1_2_0040D767
Source: C:\Users\user\Desktop\rZcI2tz327.exe	Command line argument: XCG	1_2_0040D767
Source: C:\Users\user\Desktop\rZcI2tz327.exe	Command line argument: licence	1_2_0040D767
Source: C:\Users\user\Desktop\rZcI2tz327.exe	Command line argument: XCG	1_2_0040D767
Source: C:\Users\user\Desktop\rZcI2tz327.exe	Command line argument: XCG	1_2_0040D767
Source: C:\Users\user\Desktop\rZcI2tz327.exe	Command line argument: XCG	1_2_0040D767
Source: C:\Users\user\Desktop\rZcI2tz327.exe	Command line argument: XCG	1_2_0040D767
Source: C:\Users\user\Desktop\rZcI2tz327.exe	Command line argument: XCG	1_2_0040D767
Source: C:\Users\user\Desktop\rZcI2tz327.exe	Command line argument: XCG	1_2_0040D767
Source: C:\Users\user\Desktop\rZcI2tz327.exe	Command line argument: XCG	1_2_0040D767
Source: C:\Users\user\Desktop\rZcI2tz327.exe	Command line argument: `=G	1_2_0040D767
Source: C:\Users\user\Desktop\rZcI2tz327.exe	Command line argument: XCG	1_2_0040D767
Source: C:\Users\user\Desktop\rZcI2tz327.exe	Command line argument: XCG	1_2_0040D767
Source: C:\Users\user\Desktop\rZcI2tz327.exe	Command line argument: dCG	1_2_0040D767
Source: C:\Users\user\Desktop\rZcI2tz327.exe	Command line argument: Administrator	1_2_0040D767
Source: C:\Users\user\Desktop\rZcI2tz327.exe	Command line argument: User	1_2_0040D767
Source: C:\Users\user\Desktop\rZcI2tz327.exe	Command line argument: del	1_2_0040D767
Source: C:\Users\user\Desktop\rZcI2tz327.exe	Command line argument: del	1_2_0040D767
Source: C:\Users\user\Desktop\rZcI2tz327.exe	Command line argument: del	1_2_0040D767

Source: rZcI2tz327.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\rZcI2tz327.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: rZcI2tz327.exe	Virustotal: Detection: 66%
Source: rZcI2tz327.exe	ReversingLabs: Detection: 79%

Source: unknown	Process created: C:\Users\user\Desktop\rZcI2tz327.exe "C:\Users\user\Desktop\rZcI2tz327.exe"
Source: C:\Users\user\Desktop\rZcI2tz327.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2120 -s 224

Source: C:\Users\user\Desktop\rZcI2tz327.exe

Section loaded: apphelp.dll

Jump to behavior

Source: rZcI2tz327.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: C:\Users\user\Desktop\rZcI2tz327.exe	Code function: 1_2_004567E0 push eax; ret	1_2_004567FE
Source: C:\Users\user\Desktop\rZcI2tz327.exe	Code function: 1_2_00455EAF push ecx; ret	1_2_00455EC2
Source: C:\Users\user\Desktop\rZcI2tz327.exe	Code function: 1_2_00433FF6 push ecx; ret	1_2_00434009

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: Amcache.hve.5.dr	Binary or memory string: VMware
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.5.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.5.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.5.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.5.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.5.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.5.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.5.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.5.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.5.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.5.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.5.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.5.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.5.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.5.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.5.dr	Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: Amcache.hve.5.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\rZcI2tz327.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\rZcI2tz327.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\rZcI2tz327.exe

Code function: 1_2_0044F0D6 LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,

1_2_0044F0D6

Source: C:\Users\user\Desktop\rZcI2tz327.exe

Code function: 1_2_00442554 mov eax, dword ptr fs:[00000030h]

1_2_00442554

Source: C:\Users\user\Desktop\rZcI2tz327.exe

Code function: 1_2_00433E0A cpuid

1_2_00433E0A

Source: Amcache.hve.5.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Remcos RAT

Source: Yara match	File source: rZcI2tz327.exe, type: SAMPLE
Source: Yara match	File source: 1.0.rZcI2tz327.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.rZcI2tz327.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000000.1311804889.0000000000457000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2563363859.0000000000457000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rZcI2tz327.exe PID: 2120, type: MEMORYSTR

Contains functionality to steal Chrome passwords or cookies

Source: C:\Users\user\Desktop\rZcI2tz327.exe

Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data

1_2_0040B21B

Contains functionality to steal Firefox passwords or cookies

Source: C:\Users\user\Desktop\rZcI2tz327.exe	Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\		1_2_0040B335
Source: C:\Users\user\Desktop\rZcI2tz327.exe	Code function: \key3.db		1_2_0040B335

Remote Access Functionality

Yara detected Remcos RAT

Source: Yara match	File source: rZcI2tz327.exe, type: SAMPLE
Source: Yara match	File source: 1.0.rZcI2tz327.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.rZcI2tz327.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000000.1311804889.0000000000457000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2563363859.0000000000457000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rZcI2tz327.exe PID: 2120, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Process Injection	1 Virtualization/Sandbox Evasion	1 OS Credential Dumping	21 Security Software Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	2 Credentials In Files	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	11 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Obfuscated Files or Information	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
rZcI2tz327.exe	66%	Virustotal		Browse
rZcI2tz327.exe	79%	ReversingLabs	Win32.Trojan.Remcos
rZcI2tz327.exe	100%	Joe Sandbox ML

Name	Source	Malicious	Reputation
http://geoplugin.net/json.gp	rZcI2tz327.exe	false	high
http://upx.sf.net	Amcache.hve.5.dr	false	high
http://geoplugin.net/json.gp/C	rZcI2tz327.exe	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
192.210.150.26	unknown	United States		36352	AS-COLOCROSSINGUS	true

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1588946
Start date and time:	2025-01-11 07:30:04 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 32s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	rZcI2tz327.exe renamed because original name is a hash value
Original Sample Name:	a543a1c165826c1cc9c6703e02ff50f398e80221ecd6df58b9bd125abf161ead.exe
Detection:	MAL
Classification:	mal100.troj.spyw.expl.winEXE@2/5@0/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 74
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.182.143.212, 20.190.159.71, 13.107.246.45, 172.202.163.200, 4.245.163.56
Excluded domains from analysis (whitelisted): onedsblobprdcus15.centralus.cloudapp.azure.com, login.live.com, otelrules.azureedge.net, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target rZcI2tz327.exe, PID 2120 because there are no executed function
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

Time	Type	Description
01:31:19	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
192.210.150.26	C2R7VV2QmG.exe	Get hash	malicious	Remcos	Browse
	8kjlHXmbAY.exe	Get hash	malicious	Remcos	Browse
	NssBkEQKsI.exe	Get hash	malicious	Remcos	Browse
	l1QC9H0SNR.exe	Get hash	malicious	Remcos	Browse
	bwYw3UUfy7.exe	Get hash	malicious	Remcos	Browse
	FACTURA.xlsx	Get hash	malicious	Remcos	Browse
	7056ZCiFdE.exe	Get hash	malicious	Remcos	Browse
	uIarPolvHR.exe	Get hash	malicious	Remcos	Browse
	IB9876789000.bat.exe	Get hash	malicious	Remcos	Browse
	z49FACTURA-0987678.exe	Get hash	malicious	Remcos	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AS-COLOCROSSINGUS	Wk731bq71c.exe	Get hash	malicious	Remcos	Browse	198.23.227.212
	yPIOW6yoPi.exe	Get hash	malicious	Remcos	Browse	198.23.227.212
	C2R7VV2QmG.exe	Get hash	malicious	Remcos	Browse	192.210.150.26
	8kjlHXmbAY.exe	Get hash	malicious	Remcos	Browse	192.210.150.26
	OKkUGRkZV7.exe	Get hash	malicious	Remcos	Browse	192.3.64.152
	NssBkEQKsI.exe	Get hash	malicious	Remcos	Browse	192.210.150.26
	l1QC9H0SNR.exe	Get hash	malicious	Remcos	Browse	192.210.150.26
	MLxloAVuCZ.exe	Get hash	malicious	Remcos	Browse	192.3.64.152
	bwYw3UUfy7.exe	Get hash	malicious	Remcos	Browse	192.210.150.26
	Nuevo-orden.xla.xlsx	Get hash	malicious	Unknown	Browse	192.3.27.144

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rZcI2tz327.exe_6f42f6dceb419b4ed06bd0fa4b24d87b80cbe1c1_93a63288_415b337e-b06b-460b-b519-524a802985e7\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.6344097694814557
Encrypted:	false
SSDEEP:	96:FWFCN2MfIsFh/1yDfYQXIDcQzc6CmcE1cw3CFxD+HbHg6ZAX/d5FMT2SlPkpXmT4:gYN1fID0NXfPjEzuiFIZ24IO8igt
MD5:	718FFD6296CA5917017E0B7C2C941E12
SHA1:	B01A1D24C0B1151E765435266402CB83518DCABA
SHA-256:	575D29DB74E00BFC56504236A6BA5C20B81D103D070AF3641DB60E8814DDD546
SHA-512:	105BD23A89619D581DD73301D0366A2AE78B9B9AA76DD825AEBE985866A06D0081AF1377ACF1FA2581223616EB2C161FED9A08EB9EFFA12466CD7CFBC883346A
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.1.0.5.0.6.6.4.8.0.5.4.5.0.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.1.0.5.0.6.6.5.1.6.4.8.2.2.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.1.5.b.3.3.7.e.-.b.0.6.b.-.4.6.0.b.-.b.5.1.9.-.5.2.4.a.8.0.2.9.8.5.e.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.b.9.7.1.6.c.0.-.d.c.f.8.-.4.c.4.b.-.b.0.3.4.-.b.6.c.b.0.3.e.b.5.2.8.c.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.Z.c.I.2.t.z.3.2.7...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.8.4.8.-.0.0.0.1.-.0.0.1.4.-.f.e.9.3.-.a.4.6.3.f.2.6.3.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.1.b.7.6.2.3.3.d.b.d.1.0.5.2.5.d.4.c.e.7.6.0.d.8.2.9.5.c.6.f.2.b.0.0.0.0.f.f.f.f.!.0.0.0.0.7.5.e.2.7.7.6.f.7.f.5.0.a.6.7.8.a.f.c.f.e.a.5.5.b.9.9.8.7.9.6.e.5.5.1.4.1.0.4.9.!.r.Z.c.I.2.t.z.3.2.7...e.x.e.....T.a.r.g.e.t.A.p.p.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER38A1.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Sat Jan 11 06:31:04 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	19460
Entropy (8bit):	2.021287281077602
Encrypted:	false
SSDEEP:	96:508s+NSsWyIs5Ui7nMcXdZKW4BdRIIiE2WI/WIWMIZF2U:N9gOfXdZSRIIiyF2
MD5:	0FA704EFA94DFB02D361CC0876F1AAA9
SHA1:	ED7D164869256D4EDE32F49FCCDF0DD4D98A0AE8
SHA-256:	C013C4770CD0034FED38096946100CD33E84906FD4E8C302D941CBB0B96A17B2
SHA-512:	A0EA2DFD77065D65086C609DB75CB2BBFCC8839E3075F68BECC6D3E43008D56EB0A83DD5F1390B055CEA30993E44ABB88A7BB8E54235EAB55AF35710AA33136F
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......(..g............4...............<.......d...............T.......8...........T...........H....B......................................................................................................eJ......L.......GenuineIntel............T.......H...(..g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER38F0.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8294
Entropy (8bit):	3.692278085000651
Encrypted:	false
SSDEEP:	192:R6l7wVeJAI62WL6YNqSUZh8gmfjJbWOopx189b+ysfp4qm:R6lXJX62WL6YwSUf8gmfjJbWON+xfm
MD5:	7EDEDC6F096C78CB78B28A0F857B489A
SHA1:	C6F4E598E513573CFF63DBAF7EBBE88E0992AE1F
SHA-256:	EED283471E9EF511A1414AA0D0D1AE6963EA668E6DCBC2EB6B8410AD5318E185
SHA-512:	6AF8CB414CA15583967B8ADDA4CCC7470C6CFC60BAC1B214E1ED35960A175F9067C50E1F0C31F0C1F1C5DFD727A5FDD0D00ED72171C2E2431C733D4AB774C52D
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.1.2.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER394E.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4585
Entropy (8bit):	4.459199173474407
Encrypted:	false
SSDEEP:	48:cvIwWl8zsFJg77aI98nWpW8VYmYm8M4JWBbuF81+q8l0a5AUjUFd:uIjffI72W7VOJWB5Gz5AUjUFd
MD5:	B19F38A4B6FDB40B25186DDB01DF4BE7
SHA1:	F79567A7FA112747CBF9844D7F90992AF387F7EE
SHA-256:	42728871EBA0330DF1BA4BE9E0A9520A01CE072D66A14258CEADF087FB8B35F0
SHA-512:	496A9BB403C18A2D70544F69286FB119B89FBDAB61F42B5964ABAA1DD1D6ABC6B2DD434169876D4D860B8627075A2BC48359F40C27569E67217EC81A285618CE
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="670893" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.4166705108226845
Encrypted:	false
SSDEEP:	6144:vcifpi6ceLPL9skLmb0moSWSPtaJG8nAgex285i2MMhA20X4WABlGuNT5+:Ui58oSWIZBk2MM6AFB1o
MD5:	C0C41725A199B96A57879FBEC63141DE
SHA1:	02367269349C37F76CF6DDE70FB745120937A7DF
SHA-256:	4367130B0731C008242B7106B0452EBCB8B20832B5BA4C557EEC3B528AF33716
SHA-512:	2F1A31523B79FA4C3762561A644B62AF0F66A90A6A7B916F8DB7A91F315F214EBD790E6828E4A57589CC50B8F594B822463C39D3D2ADFFE1ECB4ED77135116E9
Malicious:	false
Reputation:	low
Preview:	regfE...E....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.F.c.c.................................................................................................................................................................................................................................................................................................................................................W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.583652248742108
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	rZcI2tz327.exe
File size:	493'056 bytes
MD5:	65648db3b2762142eb97ca37fb8e68be
SHA1:	75e2776f7f50a678afcfea55b998796e55141049
SHA256:	a543a1c165826c1cc9c6703e02ff50f398e80221ecd6df58b9bd125abf161ead
SHA512:	439a61e3c571b61a1008801054aa3a1f6172da0967f001e87f9edba6627c012f34633e2b93ee4ce59567a14762d69932592ab6b6912d1e96fcab2bd47c78d7a4
SSDEEP:	12288:HuD09AUkNIGBYYv4eK13x13nZHSRVMf139F5wIB7+IwtHwBtVCbesvZDSq+DY:609AfNIEYsunZvZ49ZBs
TLSH:	BAA4BE01B6D2C072D57625300D26E775DEBDBD212835897BB3DA1D67FE30180E63AAB2
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........)...H...H...H....(..H....*..H....+..H...0]..H..&....H... ...H... ...H... ...H...0J..H...H...I...!...H...!&..H...!...H..Rich.H.

File Icon


Icon Hash:	95694d05214c1b33

Static PE Info

General

Entrypoint:	0x433b3a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x6724916B [Fri Nov 1 08:29:31 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:

Entrypoint Preview

Instruction
call 00007F8D50686EC3h
jmp 00007F8D5068681Fh
push ebp
mov ebp, esp
sub esp, 00000324h
push ebx
push 00000017h
call 00007F8D506A8CF9h
test eax, eax
je 00007F8D506869A7h
mov ecx, dword ptr [ebp+08h]
int 29h
push 00000003h
call 00007F8D50686B64h
mov dword ptr [esp], 000002CCh
lea eax, dword ptr [ebp-00000324h]
push 00000000h
push eax
call 00007F8D50688E7Bh
add esp, 0Ch
mov dword ptr [ebp-00000274h], eax
mov dword ptr [ebp-00000278h], ecx
mov dword ptr [ebp-0000027Ch], edx
mov dword ptr [ebp-00000280h], ebx
mov dword ptr [ebp-00000284h], esi
mov dword ptr [ebp-00000288h], edi
mov word ptr [ebp-0000025Ch], ss
mov word ptr [ebp-00000268h], cs
mov word ptr [ebp-0000028Ch], ds
mov word ptr [ebp-00000290h], es
mov word ptr [ebp-00000294h], fs
mov word ptr [ebp-00000298h], gs
pushfd
pop dword ptr [ebp-00000264h]
mov eax, dword ptr [ebp+04h]
mov dword ptr [ebp-0000026Ch], eax
lea eax, dword ptr [ebp+04h]
mov dword ptr [ebp-00000260h], eax
mov dword ptr [ebp-00000324h], 00010001h
mov eax, dword ptr [eax-04h]
push 00000050h
mov dword ptr [ebp-00000270h], eax
lea eax, dword ptr [ebp-58h]
push 00000000h
push eax
call 00007F8D50688DF1h

Rich Headers

Programming Language:

[C++] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x6e020	0x104	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x76000	0x4890	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x7b000	0x3b80	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x6c510	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x6c5e8	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x6c548	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x56000	0x56000	30cda225e02a0d4dab478a6c7c094860	False	0.5738610555959303	data	6.62127843313247	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x57000	0x19000	0x18c00	1942a6f8c59dd24594626e6ea2a4d59a	False	0.5008384627525253	data	5.780246429890355	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.data	0x70000	0x6000	0xe00	06414e748130e7e668ba2ba172d63448	False	0.22684151785714285	data	3.093339598098017	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x76000	0x5000	0x4c00	99f469cfe48bdf39c312f1f804a6fedd	False	0.24568256578947367	data	3.7363757235213932	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x7b000	0x3b80	0x3c00	3a880743591ae3410d0dc26d7322ddd0	False	0.7569661458333333	data	6.695050823503309	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x7618c	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.3421985815602837
RT_ICON	0x765f4	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.27704918032786885
RT_ICON	0x76f7c	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.23686679174484052
RT_ICON	0x78024	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.22977178423236513
RT_RCDATA	0x7a5cc	0x281	DOS executable (COM, 0x8C-variant)			1.0171606864274572
RT_GROUP_ICON	0x7a850	0x3e	data	English	United States	0.8064516129032258

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	1
Start time:	01:31:04
Start date:	11/01/2025
Path:	C:\Users\user\Desktop\rZcI2tz327.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\rZcI2tz327.exe"
Imagebase:	0x400000
File size:	493'056 bytes
MD5 hash:	65648DB3B2762142EB97CA37FB8E68BE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000001.00000000.1311804889.0000000000457000.00000008.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000001.00000000.1311804889.0000000000457000.00000008.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000001.00000000.1311804889.0000000000457000.00000008.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000001.00000000.1311804889.0000000000457000.00000008.00000001.01000000.00000003.sdmp, Author: unknown Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000001.00000002.2563363859.0000000000457000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000001.00000002.2563363859.0000000000457000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000001.00000002.2563363859.0000000000457000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000001.00000002.2563363859.0000000000457000.00000004.00000001.01000000.00000003.sdmp, Author: unknown
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	01:31:04
Start date:	11/01/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 2120 -s 224
Imagebase:	0xf90000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Function 0040D767 Relevance: 72.5, APIs: 1, Strings: 40, Instructions: 799COMMON

Download Yara Rule

Strings

XCG, xrefs: 0040D838
BG, xrefs: 0040DCF6
del, xrefs: 0040E094, 0040E0F4
Administrator, xrefs: 0040E02C
Remcos Agent initialized, xrefs: 0040DD8C
XCG, xrefs: 0040DE78
XCG, xrefs: 0040DEF4
XCG, xrefs: 0040DF67
0DG, xrefs: 0040D914
XCG, xrefs: 0040DF93
User, xrefs: 0040E038
del, xrefs: 0040E078
Software\, xrefs: 0040D865
@CG, xrefs: 0040DC07
Exe, xrefs: 0040D8B1
XCG, xrefs: 0040DDBF
BG, xrefs: 0040DBF5
@CG, xrefs: 0040DCBE
BG, xrefs: 0040DBC0
XCG, xrefs: 0040DD01
XCG, xrefs: 0040DECB
license_code.txt, xrefs: 0040D7EF
Access Level: , xrefs: 0040E047
Inj, xrefs: 0040D977, 0040D98E
XCG, xrefs: 0040DB1D
XCG, xrefs: 0040DF27
XCG, xrefs: 0040DDD6
licence, xrefs: 0040DD25
`=G, xrefs: 0040DF48
BG, xrefs: 0040DC1C
XCG, xrefs: 0040DB75
XCG, xrefs: 0040D7FF
XCG, xrefs: 0040DAE9
(CG, xrefs: 0040D8A7
exepath, xrefs: 0040DC34, 0040DCDE
(CG, xrefs: 0040D904
dCG, xrefs: 0040DFC4
XCG, xrefs: 0040DEA3
XCG, xrefs: 0040DC4E
BG, xrefs: 0040DBB6

Memory Dump Source

Source File: 00000001.00000002.2563299774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2563275571.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563363859.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563400306.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_rZcI2tz327.jbxd

Yara matches

Similarity

API ID: H_prolog
String ID: (CG$(CG$0DG$@CG$@CG$Access Level: $Administrator$Exe$Inj$Remcos Agent initialized$Software\$User$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$`=G$dCG$del$del$exepath$licence$license_code.txt$BG$BG$BG$BG$BG
API String ID: 3519838083-3848254730
Opcode ID: 1b07bf25116a31bb86dc6f0e6de47d6ed2d14a6f0869acdb028c6e48f1c5b04c
Instruction ID: 4071723a11783d2da8da933f82134b9c6f3815e49c8d87d463163304bf45e319
Opcode Fuzzy Hash: 1b07bf25116a31bb86dc6f0e6de47d6ed2d14a6f0869acdb028c6e48f1c5b04c
Instruction Fuzzy Hash: 4032A360B043406ADA18B776DC57BBE269A8FC1748F04443FB8467B2E2DE7C9D45839E

Function 00452F00 Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00453046

Strings

1#QNAN, xrefs: 0045424C
1#SNAN, xrefs: 00454245
1#INF, xrefs: 00454253
1#IND, xrefs: 0045423E

Memory Dump Source

Source File: 00000001.00000002.2563299774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2563275571.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563363859.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563400306.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_rZcI2tz327.jbxd

Yara matches

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 66bc95b00190c33de1dc88885a8d3c2e2540cf288971a00217ef3550ead5f7a6
Instruction ID: 57cc16b57fb9b80973019f24a4c29afa226e887048a240d5689d112d8919aadd
Opcode Fuzzy Hash: 66bc95b00190c33de1dc88885a8d3c2e2540cf288971a00217ef3550ead5f7a6
Instruction Fuzzy Hash: 08C26F72D046288FDB25CE28DD407EAB7B5EB44346F1441EBD84DE7242E778AE898F44

Function 0040B335 Relevance: 7.6, Strings: 6, Instructions: 145COMMON

Download Yara Rule

Strings

\AppData\Roaming\Mozilla\Firefox\Profiles\, xrefs: 0040B357
UserProfile, xrefs: 0040B365
[Firefox StoredLogins not found], xrefs: 0040B3D9
\logins.json, xrefs: 0040B439
\key3.db, xrefs: 0040B47B
[Firefox StoredLogins Cleared!], xrefs: 0040B504

Memory Dump Source

Source File: 00000001.00000002.2563299774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2563275571.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563363859.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563400306.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_rZcI2tz327.jbxd

Yara matches

Similarity

API ID:
String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
API String ID: 0-3681987949
Opcode ID: 9b37cf06c7371dfe7fb369d638f32dcd90aa78a84f257b47ba6275d451d582ac
Instruction ID: 89bba1744b34cafda07904381260291e44814ca984bf7dbd554ee600cd7873bd
Opcode Fuzzy Hash: 9b37cf06c7371dfe7fb369d638f32dcd90aa78a84f257b47ba6275d451d582ac
Instruction Fuzzy Hash: 4D512C319042195ADB14FBA1EC96AEE7768EF50318F50007FF805B31E2EF389A45CA9D

Function 0040B21B Relevance: 5.0, Strings: 4, Instructions: 48COMMON

Download Yara Rule

Strings

[Chrome StoredLogins found, cleared!], xrefs: 0040B287
UserProfile, xrefs: 0040B227
\AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040B222
[Chrome StoredLogins not found], xrefs: 0040B27B

Memory Dump Source

Source File: 00000001.00000002.2563299774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2563275571.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563363859.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563400306.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_rZcI2tz327.jbxd

Yara matches

Similarity

API ID:
String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
API String ID: 0-1062637481
Opcode ID: 4cd32df34f682fcf287b1bbdb8b1e04e90f5886a02fc20745afa94da3ae3815b
Instruction ID: 236ee74dc97b4bdf00ef4875347123a6b81b21ae8e03a402b83ae8c28ff1bd46
Opcode Fuzzy Hash: 4cd32df34f682fcf287b1bbdb8b1e04e90f5886a02fc20745afa94da3ae3815b
Instruction Fuzzy Hash: 3001A23168410597CA0477B5ED6F8AE3624E921704F50017FF802731E2FF3A9A0586DE

Function 00412F45 Relevance: 4.1, Strings: 3, Instructions: 391COMMON

Download Yara Rule

Strings

pyu, xrefs: 00413026
SHDeleteKeyW, xrefs: 004131E3
Shlwapi.dll, xrefs: 004131E8

Memory Dump Source

Source File: 00000001.00000002.2563299774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2563275571.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563363859.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563400306.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_rZcI2tz327.jbxd

Yara matches

Similarity

API ID:
String ID: SHDeleteKeyW$Shlwapi.dll$pyu
API String ID: 0-2107985795
Opcode ID: ac434a3cdca221c3b08ebdb910891c02dcb675d05e0600c7f2f7fb6f30bc03af
Instruction ID: cc67afc49b78d61a2372e1362dfc4f5d4a672f2d1b5b468e2109e7b1f18a6fb5
Opcode Fuzzy Hash: ac434a3cdca221c3b08ebdb910891c02dcb675d05e0600c7f2f7fb6f30bc03af
Instruction Fuzzy Hash: 4FB1B671A043006BC614BA76CC979BE76989F94718F40063FF946B31E2EF7C9A4486DB

Function 00440E20 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2563299774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2563275571.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563363859.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563400306.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_rZcI2tz327.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fe4b2cb4502993dbea9aed901accaaf97bf6201a09a40e91719f5fde44f0d4f
Instruction ID: cffdc6bb8eb20f5336ace8b102e865ec7dcfb2cf624fb46ac032ba80a60d6a90
Opcode Fuzzy Hash: 5fe4b2cb4502993dbea9aed901accaaf97bf6201a09a40e91719f5fde44f0d4f
Instruction Fuzzy Hash: 8A024C71E002199BEF14CFA9C9806AEBBF1FF88314F25826AD919E7350D735AD45CB84

Function 00432A49 Relevance: 1.8, Strings: 1, Instructions: 500COMMON

Download Yara Rule

Strings

0, xrefs: 00432A55

Memory Dump Source

Source File: 00000001.00000002.2563299774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2563275571.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563363859.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563400306.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_rZcI2tz327.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: d7e2f1edd223cd44d70c9618c0c5ab444609e4c73f269a0cd31c5ec718f0b721
Instruction ID: f72c02501a8b687524d4eed2bba9748ce27a8789a4669d3223b659a6f876a8a8
Opcode Fuzzy Hash: d7e2f1edd223cd44d70c9618c0c5ab444609e4c73f269a0cd31c5ec718f0b721
Instruction Fuzzy Hash: 8002B3727083004BD714DF39D95272EF3E2AFCC758F15492EF499AB391DA78A8058A4A

Function 0043CE3B Relevance: 1.5, Strings: 1, Instructions: 237COMMON

Download Yara Rule

Strings

BG3i@, xrefs: 0043CE3D

Memory Dump Source

Source File: 00000001.00000002.2563299774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2563275571.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563363859.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563400306.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_rZcI2tz327.jbxd

Yara matches

Similarity

API ID:
String ID: BG3i@
API String ID: 0-2407888476
Opcode ID: da6bc0b681a35a8a8cd82b5b62752965acc1f5aabf11132faead2372da36057a
Instruction ID: a817909710d0090f483bb13cdd1d1ee80d6dfae79024daed79820ace932836b2
Opcode Fuzzy Hash: da6bc0b681a35a8a8cd82b5b62752965acc1f5aabf11132faead2372da36057a
Instruction Fuzzy Hash: E361777160070966DA385A2858D6BBF6396EB0DB04F10391BE943FF3C1D61DAD43874E

Function 0043CC0C Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0043CD7C

Memory Dump Source

Source File: 00000001.00000002.2563299774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2563275571.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563363859.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563400306.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_rZcI2tz327.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 0cdc0b4430c882dd513f9aba2f942575131dd1f5e6007437ccc46010af73f7df
Instruction ID: e47b97b21f836cd03f295ee90de6feb37cae4df0254a032430ab3cefd666e269
Opcode Fuzzy Hash: 0cdc0b4430c882dd513f9aba2f942575131dd1f5e6007437ccc46010af73f7df
Instruction Fuzzy Hash: C851AC3160070457DF388A6985DA7BF6B959B0E700F18352FE48AFB382C60DED02979E

Function 00426E73 Relevance: 1.3, Strings: 1, Instructions: 96COMMON

Download Yara Rule

Strings

@, xrefs: 00426EC4

Memory Dump Source

Source File: 00000001.00000002.2563299774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2563275571.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563363859.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563400306.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_rZcI2tz327.jbxd

Yara matches

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 277f5b14ebfb31d9acdfcb19b599133ffeee57438103c682c3dacb2c81b16d7f
Instruction ID: 4dd25ef8aece06dcbd44762d080e1d81d96ea4c89eb3931c7e752ffea448aa68
Opcode Fuzzy Hash: 277f5b14ebfb31d9acdfcb19b599133ffeee57438103c682c3dacb2c81b16d7f
Instruction Fuzzy Hash: 99417576A083158FC314CE29D18021BFBE1FBC8300F568A2EF99693350D679E980CB86

Function 0044C739 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2563299774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2563275571.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563363859.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563400306.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_rZcI2tz327.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5ca945c73f96586680b794a2cfc8b55e8f7bc2f58380cec5295694457d85c5e
Instruction ID: 1fbb2d6a6e610910e1865e113166bba559d0ad1400e2c5ed2b94208389d41108
Opcode Fuzzy Hash: b5ca945c73f96586680b794a2cfc8b55e8f7bc2f58380cec5295694457d85c5e
Instruction Fuzzy Hash: 4E323621D2AF014DE7639634C862336A649AFB73C5F19D737F81AB5AA6EB2CC4C34105

Function 0041E5DF Relevance: .6, Instructions: 606COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2563299774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2563275571.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563363859.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563400306.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_rZcI2tz327.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f36ab663cb4d239ef1e0a5f108238eabc662f1d3d061ede5d5b4150ec9228ddd
Instruction ID: 2a34495ee4f42e5442afe8381c33b9994a027dd0bc8bc0cc3fe6fc4803c66e78
Opcode Fuzzy Hash: f36ab663cb4d239ef1e0a5f108238eabc662f1d3d061ede5d5b4150ec9228ddd
Instruction Fuzzy Hash: 9732C1796087469BD714DF2AC4807ABB7E1BF84304F444A2EFC958B381D778DD858B8A

Function 004267CB Relevance: .4, Instructions: 437COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2563299774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2563275571.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563363859.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563400306.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_rZcI2tz327.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51f8d9063bc82676a5307432183369734bf664b3393a643c02daa012ce37ec01
Instruction ID: 022d1978040d43b7ea9bbfc0a41ffb8b00617051ae00cac38c3f572af68edcce
Opcode Fuzzy Hash: 51f8d9063bc82676a5307432183369734bf664b3393a643c02daa012ce37ec01
Instruction Fuzzy Hash: 0D028F717046518FD318CF2EE880536B7E1AF8E301B46863EE585C7395EB74E922CB95

Function 00426254 Relevance: .4, Instructions: 377COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2563299774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2563275571.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563363859.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563400306.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_rZcI2tz327.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74e588301cf54894560b91a60f0e3518b6bdc06a9ff6f3e52f80e31c4ce3b340
Instruction ID: dd4ce2a6fae4266494c2f053a510589cf36d02151b1693af83bcfdcd1697f2cb
Opcode Fuzzy Hash: 74e588301cf54894560b91a60f0e3518b6bdc06a9ff6f3e52f80e31c4ce3b340
Instruction Fuzzy Hash: 55F13B716142548FC314DF1DE89187BB3E0EB8A301B460A2EF5C2D7392DB78E91ADB56

Function 00431377 Relevance: .4, Instructions: 371COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2563299774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2563275571.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563363859.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563400306.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_rZcI2tz327.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7363a9fedaeb76f2bf31ad894624b0994c444190ff40f401d8ef5418a52334f3
Instruction ID: a134442df30985c3d9ded0ed06b90328dea8838589cb671b1bd0994677c35241
Opcode Fuzzy Hash: 7363a9fedaeb76f2bf31ad894624b0994c444190ff40f401d8ef5418a52334f3
Instruction Fuzzy Hash: 60D1A171A083158BC721DE29C88096FB7E4FFD8354F446A2EF88597361EB38DD058B86

Function 0041D071 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2563299774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2563275571.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563363859.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563400306.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_rZcI2tz327.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d5f87b89f6cc3a45a9bf331663a41d894a757e8db0ddd404c7656d5df1518eb
Instruction ID: 86422b113df266cbb8d28aa4d41e6099a1760efb4c6ea83322c03ecd969c618c
Opcode Fuzzy Hash: 1d5f87b89f6cc3a45a9bf331663a41d894a757e8db0ddd404c7656d5df1518eb
Instruction Fuzzy Hash: 46B1817951429A8ACB05EF28C4913F63BA1EF6A300F4851B9EC9CCF757D3399506EB24

Function 004520D2 Relevance: .3, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2563299774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2563275571.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563363859.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563400306.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_rZcI2tz327.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10c23660bdf4a559c67b3dd21211c83afc8534fe451efaff8b0d30b37073b707
Instruction ID: 47108b7899804ebb5d40a9255b8f0d240b678f8396b787326aeb691ef157153f
Opcode Fuzzy Hash: 10c23660bdf4a559c67b3dd21211c83afc8534fe451efaff8b0d30b37073b707
Instruction Fuzzy Hash: C0B18F351106089FD715CF28C586B567BE0FF06325F29869AEC99CF3A2C379E986CB44

Function 00436A8D Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2563299774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2563275571.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563363859.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563400306.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_rZcI2tz327.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: c2ccfb52f11e3b3b259396a7657262a28929e77abe156aeb413db61674ad6f9a
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: EB91C8722080A319DB2D463E847403FFFE19A563A1B1BA79FD4F2CB2C5EE18D564D624

Function 00436D48 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2563299774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2563275571.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563363859.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563400306.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_rZcI2tz327.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: 4bc7a19b78b3923bd294324807b23a5e70e392b11aa895e474023c0768c286cc
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: 1C91B6762080A35ADB2D463AC43403FFFE15A563A1B1B979FD4F2CB2C5EE18C568D624

Function 004367C6 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2563299774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2563275571.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563363859.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563400306.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_rZcI2tz327.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 8cd81e8b6c8cb135a2d00aee0b4681899237c427d703fcd1ed6b13232f465ad6
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 439195722090A35ADB2D463D843403FFFE15E5A3A1B1B979FD4F2CB2C5EE28C5649624

Function 0043D098 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2563299774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2563275571.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563363859.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563400306.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_rZcI2tz327.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcaaf3a538fb6447e3283ddd15f45a67438a23807e0f4513107e056d33e47a72
Instruction ID: 3f92c48b0efc6548e9d2ace3e3fdbc0fca8b075b553eb95927f683fa27391a83
Opcode Fuzzy Hash: dcaaf3a538fb6447e3283ddd15f45a67438a23807e0f4513107e056d33e47a72
Instruction Fuzzy Hash: A4613471E0070867DE385928B896BBF23A8AB0D708F24755BE942DB381D65DDD43C24E

Function 0043651C Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2563299774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2563275571.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563363859.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563400306.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_rZcI2tz327.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: b40c52ae0115b4061fe2d1036eda9829452ee7622c5651f608d151b30f65a328
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: B081C4722090A319DB2D463E843403FFFE15A563A5B1BA7AFD4F2CB2C5EE18C5649624

Function 0043C9DD Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2563299774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2563275571.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563363859.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563400306.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_rZcI2tz327.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4e8e107ebb569481f6dec165aac6f3bea1aaf1a879556bc36ff33913e703c4a
Instruction ID: 61f6cd4e2a94a36a6652522188f48ed2bcd63c305fdb574287b7df62abf21a4e
Opcode Fuzzy Hash: e4e8e107ebb569481f6dec165aac6f3bea1aaf1a879556bc36ff33913e703c4a
Instruction Fuzzy Hash: BB51677170460D9BDB34E96894E77BFA3899B0E344F18350BD882B7382D60CED02939E

Function 00426FAD Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2563299774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2563275571.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563363859.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563400306.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_rZcI2tz327.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f0963373f33ef73dbd289fc78ad1b7818d684b7f305e862658b304cf2148f24
Instruction ID: 42e819d74c2f676ea4fb49a2469d6a41ac5eaf2d1859dcf64078451750f97267
Opcode Fuzzy Hash: 6f0963373f33ef73dbd289fc78ad1b7818d684b7f305e862658b304cf2148f24
Instruction Fuzzy Hash: 49614E32A083119FC308DF35E581A5BB7E5FFDC718F550E1EF48996151E674EA088B8A

Function 0044F0D6 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2563299774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2563275571.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563363859.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563400306.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_rZcI2tz327.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19f4fbd3ccfb36ef96b7e13c4564505386e7043a9776b66ade7fb3581d495355
Instruction ID: 5a5866f07367cf7e751871e7eeaf169984807a97f5b5a9ec8d91b3626b4bc160
Opcode Fuzzy Hash: 19f4fbd3ccfb36ef96b7e13c4564505386e7043a9776b66ade7fb3581d495355
Instruction Fuzzy Hash: 8F31E931E01211DBEB149F5DD88179A77B1AB49324F29012FE905AB3E1CB78DD86CB8D

Function 00437150 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2563299774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2563275571.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563363859.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563400306.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_rZcI2tz327.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: d77b428d8deff70f46db9a150fef47e19855adfe796a652afc1ecdf390514463
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: D1110BF724C18143EE74862DD8B46B7A795EACE320F2C636BD0C14B758D52A99459908

Function 00442554 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2563299774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2563275571.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563363859.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563400306.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_rZcI2tz327.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d420c085b4cbd1a0f14619f21da79696596f2760b2d56dfa882e7987f99df3a2
Instruction ID: 7a898c4108d0cdb2bf26ac2b9c21ec96bb1b4ad04da9bd453abcf4d965fd0a3d
Opcode Fuzzy Hash: d420c085b4cbd1a0f14619f21da79696596f2760b2d56dfa882e7987f99df3a2
Instruction Fuzzy Hash: 8EE04F31004648BFDF016F14ED189493F29EB10346F404475F80986532CFB9DE92CA88

Function 0044E20E Relevance: 22.9, APIs: 15, Instructions: 419COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0044E2A0
_free.LIBCMT ref: 0044E2C6
_free.LIBCMT ref: 0044E2EF
_free.LIBCMT ref: 0044E327
_free.LIBCMT ref: 0044E358
_free.LIBCMT ref: 0044E399
_free.LIBCMT ref: 0044E433
_wcschr.LIBVCRUNTIME ref: 0044E470
_free.LIBCMT ref: 0044E4DC
_free.LIBCMT ref: 0044E502
_free.LIBCMT ref: 0044E52B
_free.LIBCMT ref: 0044E560
_free.LIBCMT ref: 0044E591
_free.LIBCMT ref: 0044E5D2
_free.LIBCMT ref: 0044E670

Memory Dump Source

Source File: 00000001.00000002.2563299774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2563275571.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563363859.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563400306.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_rZcI2tz327.jbxd

Yara matches

Similarity

API ID: _free$_wcschr
String ID:
API String ID: 565560161-0
Opcode ID: 8f41269c20bd7867c5cee3d16b4b1ea97dee87ff38f7f4f352333e12906372dc
Instruction ID: 8ac3cd9939a067627e1c481289c57a7f9f94b657261427fab31af25724b0c78e
Opcode Fuzzy Hash: 8f41269c20bd7867c5cee3d16b4b1ea97dee87ff38f7f4f352333e12906372dc
Instruction Fuzzy Hash: 96D13C719007007FFB25AF7B9881A6F7BA4BF02314F0541AFF905A7381E63989418B9D

Function 00444F3D Relevance: 21.3, APIs: 14, Instructions: 296COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00444FAD
_free.LIBCMT ref: 00444FC3
_free.LIBCMT ref: 00444FD4
_free.LIBCMT ref: 00444FE5
_free.LIBCMT ref: 00444FFC

Part of subcall function 00451C1B: _free.LIBCMT ref: 00451C86

_free.LIBCMT ref: 004451F0
_free.LIBCMT ref: 00445203
_free.LIBCMT ref: 00445211
_free.LIBCMT ref: 0044521C
_free.LIBCMT ref: 0044525E
_free.LIBCMT ref: 00445266
_free.LIBCMT ref: 0044526E
_free.LIBCMT ref: 00445276
_free.LIBCMT ref: 00445284

Memory Dump Source

Source File: 00000001.00000002.2563299774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2563275571.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563363859.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563400306.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_rZcI2tz327.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 4f311dc35998d231116b4ef065710eb7bf66da857f64ae236b680615c36f9f73
Instruction ID: 0af7f9009007d8880989bd470fdb3e4a62bb8e65dbd2af1b74ff5c8893cb1db7
Opcode Fuzzy Hash: 4f311dc35998d231116b4ef065710eb7bf66da857f64ae236b680615c36f9f73
Instruction Fuzzy Hash: D0B18F71900605AFEF11DFA9C881BEEBBF4BF49304F14406EF855B7242DA79A8458B64

Function 0045006D Relevance: 19.6, APIs: 13, Instructions: 114COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 004500A6
___free_lconv_mon.LIBCMT ref: 004500B1

Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F300
Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F312
Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F324
Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F336
Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F348
Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F35A
Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F36C
Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F37E
Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F390
Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3A2
Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3B4
Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3C6
Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3D8

_free.LIBCMT ref: 004500C8
_free.LIBCMT ref: 004500DD
_free.LIBCMT ref: 004500E8
_free.LIBCMT ref: 0045010A
_free.LIBCMT ref: 0045011D
_free.LIBCMT ref: 0045012B
_free.LIBCMT ref: 00450136
_free.LIBCMT ref: 0045016E
_free.LIBCMT ref: 00450175
_free.LIBCMT ref: 00450192
_free.LIBCMT ref: 004501AA

Memory Dump Source

Source File: 00000001.00000002.2563299774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2563275571.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563363859.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563400306.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_rZcI2tz327.jbxd

Yara matches

Similarity

API ID: _free$___free_lconv_mon
String ID:
API String ID: 3658870901-0
Opcode ID: bcc467a133590e08c2246ffecdc9577bb20b6303625806e8b1892e2aaa35b24d
Instruction ID: 6df0fc8d0da410edbfddc8482cd9dc810a80ebbb5b2f86b8c24a0bb33e3d08c7
Opcode Fuzzy Hash: bcc467a133590e08c2246ffecdc9577bb20b6303625806e8b1892e2aaa35b24d
Instruction Fuzzy Hash: 96317235500B00AFEB20AA35D845B5B73E5AF42355F15841FF849E7292DF39AC98CB1A

Function 0044F3E1 Relevance: 18.4, APIs: 12, Instructions: 376COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0044F429
_free.LIBCMT ref: 0044F44D
_free.LIBCMT ref: 0044F45A
_free.LIBCMT ref: 0044F47F
_free.LIBCMT ref: 0044F48C
_free.LIBCMT ref: 0044F495
_free.LIBCMT ref: 0044F773
_free.LIBCMT ref: 0044F77B

Memory Dump Source

Source File: 00000001.00000002.2563299774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2563275571.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563363859.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563400306.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_rZcI2tz327.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 6a70e4c358ef45cffe19a9afdbed41fda2ec9c769272c29d9eaec76f650a350b
Instruction ID: 48066223020562dfe8895eb3edc0e70975ef38ab3c96fc6f1fb07286cb8ca08d
Opcode Fuzzy Hash: 6a70e4c358ef45cffe19a9afdbed41fda2ec9c769272c29d9eaec76f650a350b
Instruction Fuzzy Hash: 2BC15772D80204BFEB20DBA9CC82FDE77F89B45704F15416AFA04FB282D6749D458B58

Function 00405042 Relevance: 16.0, APIs: 2, Strings: 7, Instructions: 280COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0040508E
__Init_thread_footer.LIBCMT ref: 004050CB

Part of subcall function 004338A5: __onexit.LIBCMT ref: 004338AB

Strings

P\G, xrefs: 004053D7
SystemDrive, xrefs: 00405109
P\G, xrefs: 00405078
P\G, xrefs: 00405202
P\G, xrefs: 00405332
P\G, xrefs: 004052FE
cmd.exe, xrefs: 004050F5

Memory Dump Source

Source File: 00000001.00000002.2563299774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2563275571.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563363859.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563400306.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_rZcI2tz327.jbxd

Yara matches

Similarity

API ID: Init_thread_footer$__onexit
String ID: P\G$P\G$P\G$P\G$P\G$SystemDrive$cmd.exe
API String ID: 1878262506-81343324
Opcode ID: d1fa14349c16bf2122f8636f393bd13dce0c8e315b4404d97288ec7c14753e2d
Instruction ID: b18bac6d60c4c725a58799f80733fb47b3e4e6a61b1262bf76379e9ec18ff918
Opcode Fuzzy Hash: d1fa14349c16bf2122f8636f393bd13dce0c8e315b4404d97288ec7c14753e2d
Instruction Fuzzy Hash: A691E5716007056FD705BB65AC41A6F37A8EB80348F50403FF94ABA1E2EEBC9C448B6D

Function 00446DCB Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00446DDF
_free.LIBCMT ref: 00446DEB
_free.LIBCMT ref: 00446DF6
_free.LIBCMT ref: 00446E01
_free.LIBCMT ref: 00446E0C
_free.LIBCMT ref: 00446E17
_free.LIBCMT ref: 00446E22
_free.LIBCMT ref: 00446E2D
_free.LIBCMT ref: 00446E38
_free.LIBCMT ref: 00446E46

Memory Dump Source

Source File: 00000001.00000002.2563299774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2563275571.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563363859.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563400306.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_rZcI2tz327.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 97a3f4e44069bc11c8e401312368c96959fa26c4fc1008248271593ee2688753
Instruction ID: b6db37451886405a3c03f61b360184b61b1678451e8b30ee63348233c964278a
Opcode Fuzzy Hash: 97a3f4e44069bc11c8e401312368c96959fa26c4fc1008248271593ee2688753
Instruction Fuzzy Hash: F011E975100408BFEB01EF55C842CDD3B65EF46354B06C0AAF9086F222DA35DE649F85

Function 0040BC67 Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 204COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0040BC75
_wcslen.LIBCMT ref: 0040BD54
_wcslen.LIBCMT ref: 0040BE34

Strings

del, xrefs: 0040BE63
BG, xrefs: 0040BCE1
open, xrefs: 0040BEB2
6, xrefs: 0040BD48
BG, xrefs: 0040BCB6

Memory Dump Source

Source File: 00000001.00000002.2563299774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2563275571.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563363859.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563400306.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_rZcI2tz327.jbxd

Yara matches

Similarity

API ID: _wcslen
String ID: 6$del$open$BG$BG
API String ID: 176396367-3062541949
Opcode ID: 6661c5ad4a94f5b2a77256aa62986cb2614470b8204d72b77d606d62e6a9f535
Instruction ID: ebce903f47371d3aa9a353efbc56e4a5f85b2a43c77a02ae09f84a2e3ca1dcab
Opcode Fuzzy Hash: 6661c5ad4a94f5b2a77256aa62986cb2614470b8204d72b77d606d62e6a9f535
Instruction Fuzzy Hash: 8A51B0212043406BD609B722EC52EBF77999F81719F10443FF985A66E2DF3CAD4582EE

Function 00406764 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 55COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00406788

Strings

$, xrefs: 004067A2
[+] CoGetObject, xrefs: 004067C8
{3E5FC7F9-9A51-4367-9063-A120244FBEC7}, xrefs: 0040677D, 00406782, 004067C1
[-] CoGetObject FAILURE, xrefs: 004067F1, 00406800
[+] CoGetObject SUCCESS, xrefs: 004067F8
[+] ucmAllocateElevatedObject, xrefs: 0040676F
Elevation:Administrator!new:, xrefs: 004067A9

Memory Dump Source

Source File: 00000001.00000002.2563299774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2563275571.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563363859.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563400306.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_rZcI2tz327.jbxd

Yara matches

Similarity

API ID: _wcslen
String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
API String ID: 176396367-3166923314
Opcode ID: db32128b02a1ccbc70c4588b7822f6c775a314ba91b6364ff21a4127614396bf
Instruction ID: dba8c49f7cecafb8ed31af17d29d910bb03d3c12ecd117c8e18c4d6c9c114880
Opcode Fuzzy Hash: db32128b02a1ccbc70c4588b7822f6c775a314ba91b6364ff21a4127614396bf
Instruction Fuzzy Hash: 811170B2901118AEDB10FAA5884AA9EB7BCDB48714F55007FE905F3281E7789A148A7D

Function 004443F9 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 266COMMON

Download Yara Rule

APIs

Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D

_memcmp.LIBVCRUNTIME ref: 004446A3
_free.LIBCMT ref: 00444714
_free.LIBCMT ref: 0044472D
_free.LIBCMT ref: 0044475F
_free.LIBCMT ref: 00444768
_free.LIBCMT ref: 00444774

Strings

C, xrefs: 00444561

Memory Dump Source

Source File: 00000001.00000002.2563299774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2563275571.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563363859.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563400306.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_rZcI2tz327.jbxd

Yara matches

Similarity

API ID: _free$_abort_memcmp
String ID: C
API String ID: 137591632-1037565863
Opcode ID: b3bb612f52cd01851518acec42876c64f75404bfee4e20e1c1da8053f10e2069
Instruction ID: 3c523a64da6f7cdf058c983f33271b3c05ff2f19a58e511a78fa6d1555c07658
Opcode Fuzzy Hash: b3bb612f52cd01851518acec42876c64f75404bfee4e20e1c1da8053f10e2069
Instruction Fuzzy Hash: 19B13975A012199FEB24DF18C885BAEB7B4FB49304F1485AEE909A7350D739AE90CF44

Function 0041A81D Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 90COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0041A8F6

Strings

program files (x86)\, xrefs: 0041A8F0
.exe, xrefs: 0041A848
XCG, xrefs: 0041A89C, 0041A8A1
http\shell\open\command, xrefs: 0041A82D
:@, xrefs: 0041A8C3
program files\, xrefs: 0041A8DC, 0041A8E3, 0041A8F5

Memory Dump Source

Source File: 00000001.00000002.2563299774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2563275571.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563363859.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563400306.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_rZcI2tz327.jbxd

Yara matches

Similarity

API ID: _wcslen
String ID: .exe$:@$XCG$http\shell\open\command$program files (x86)\$program files\
API String ID: 176396367-703403762
Opcode ID: 798a55bde29be117be22defb997e87dfb2d0a22d107527c411188d8ae8d94f91
Instruction ID: cf464564bb47d370653928ac6653466accee15d45f6204cdc17a1bec324f9b19
Opcode Fuzzy Hash: 798a55bde29be117be22defb997e87dfb2d0a22d107527c411188d8ae8d94f91
Instruction Fuzzy Hash: 3021B8727001043BDB04BAB58C96DEE366D9B85358F14083FF402F72C2ED3C9D5942A9

Function 0044F806 Relevance: 10.7, APIs: 7, Instructions: 204COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0044F875
_free.LIBCMT ref: 0044F883
_free.LIBCMT ref: 0044F9B1
_free.LIBCMT ref: 0044F9BC

Memory Dump Source

Source File: 00000001.00000002.2563299774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2563275571.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563363859.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563400306.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_rZcI2tz327.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 6141bfdb7684140d9b9f029a8ead33158da868342510b0366010e9dcd8c93941
Instruction ID: 5fecc71d39e6a90402c47f7728bb4f6831cdfeb90858b0dfc168023e2edb8b83
Opcode Fuzzy Hash: 6141bfdb7684140d9b9f029a8ead33158da868342510b0366010e9dcd8c93941
Instruction Fuzzy Hash: 2361BFB1900205AFEB20DF69C841BAABBF4EB45720F24417BE944FB392E7349D45CB59

Function 00443F7B Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 187COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00444086
_free.LIBCMT ref: 0044409D
_free.LIBCMT ref: 004440BC
_free.LIBCMT ref: 004440D7
_free.LIBCMT ref: 004440EE

Strings

J7D, xrefs: 00443FAB, 0044412D

Memory Dump Source

Source File: 00000001.00000002.2563299774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2563275571.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563363859.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563400306.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_rZcI2tz327.jbxd

Yara matches

Similarity

API ID: _free
String ID: J7D
API String ID: 269201875-1677391033
Opcode ID: 38e5a99fceb1209b970ed7ac5d3209ab3957ca8cf69c4f68c5a23a15f0ca7666
Instruction ID: b5a2c1f2d034459fb850ff781f480331835685433a1d37f27cfcf8091ebf3f31
Opcode Fuzzy Hash: 38e5a99fceb1209b970ed7ac5d3209ab3957ca8cf69c4f68c5a23a15f0ca7666
Instruction Fuzzy Hash: 9251E371A00604AFEB20DF6AC841B6AB3F4EF95724F14416EE909D7251E739ED15CB88

Function 00419128 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 174COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041912D

Strings

time_%04i%02i%02i_%02i%02i%02i, xrefs: 00419213
XCG, xrefs: 0041918A
XCG, xrefs: 0041923C
XCG, xrefs: 0041931E
wnd_%04i%02i%02i_%02i%02i%02i, xrefs: 0041920E, 00419229, 004192A0

Memory Dump Source

Source File: 00000001.00000002.2563299774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2563275571.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563363859.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563400306.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_rZcI2tz327.jbxd

Yara matches

Similarity

API ID: H_prolog
String ID: XCG$XCG$XCG$time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
API String ID: 3519838083-65789007
Opcode ID: 3e3cb52280381f20afd8f5d887ba8ad44eb7197b226b4572a74dcfc9104dd012
Instruction ID: b922dce7c629cfc9b1bb11cb74a08c0e3353b39699bf4d86e46594d10c943285
Opcode Fuzzy Hash: 3e3cb52280381f20afd8f5d887ba8ad44eb7197b226b4572a74dcfc9104dd012
Instruction Fuzzy Hash: 33519F71A002449ACB14BBB5C856AFE7BA9AB55304F00407FF84AB71D2EF3C5E85C799

Function 00437A80 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00437AAB
___except_validate_context_record.LIBVCRUNTIME ref: 00437AB3
_ValidateLocalCookies.LIBCMT ref: 00437B41
__IsNonwritableInCurrentImage.LIBCMT ref: 00437B6C
_ValidateLocalCookies.LIBCMT ref: 00437BC1

Strings

csm, xrefs: 00437B56

Memory Dump Source

Source File: 00000001.00000002.2563299774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2563275571.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563363859.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563400306.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_rZcI2tz327.jbxd

Yara matches

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 47e26074ed3df67517ea761fc7c27dd00097028ab85dfbf9f1f14e41715e449f
Instruction ID: 9404c61c081bc4e6da2099be8a52027e1297fde76841380def533d3eaa533744
Opcode Fuzzy Hash: 47e26074ed3df67517ea761fc7c27dd00097028ab85dfbf9f1f14e41715e449f
Instruction Fuzzy Hash: CD410970A04209DBCF20EF19C844A9FBBB5AF0932CF14915BE8556B392D739EE05CB95

Function 0040FBEF Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040FBFC
int.LIBCPMT ref: 0040FC0F

Part of subcall function 0040CEE0: std::_Lockit::_Lockit.LIBCPMT ref: 0040CEF1
Part of subcall function 0040CEE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CF0B

std::_Facet_Register.LIBCPMT ref: 0040FC4B
std::_Lockit::~_Lockit.LIBCPMT ref: 0040FC71
__CxxThrowException@8.LIBVCRUNTIME ref: 0040FC8D

Strings

P[G, xrefs: 0040FC94

Memory Dump Source

Source File: 00000001.00000002.2563299774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2563275571.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563363859.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563400306.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_rZcI2tz327.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
String ID: P[G
API String ID: 2536120697-571123470
Opcode ID: 31ce6fe8dfd7390de1d64992225249e105d572f1378bab70f4a441faf385e78a
Instruction ID: a46b155a0a589d4ea75c4983af6a631921b9d9812a15003568faaf62f6f01cf1
Opcode Fuzzy Hash: 31ce6fe8dfd7390de1d64992225249e105d572f1378bab70f4a441faf385e78a
Instruction Fuzzy Hash: 7611F331904518A7CB14FBA5D8469DEB7689E44358B20007BF905B72C1EB7CAE45C79D

Function 0044FCDB Relevance: 10.6, APIs: 7, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 0044FA22: _free.LIBCMT ref: 0044FA4B

_free.LIBCMT ref: 0044FD29
_free.LIBCMT ref: 0044FD34
_free.LIBCMT ref: 0044FD3F
_free.LIBCMT ref: 0044FD93
_free.LIBCMT ref: 0044FD9E
_free.LIBCMT ref: 0044FDA9
_free.LIBCMT ref: 0044FDB4

Memory Dump Source

Source File: 00000001.00000002.2563299774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2563275571.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563363859.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563400306.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_rZcI2tz327.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 7c29d87e7d6a666a6374703866dd42c53a280d6db8acc668fe4e1522d65ba280
Instruction ID: b6f47af98b99390d2ca34363280ce03bc5e4d1be0f6c4f29549f69d6ae0d3a9a
Opcode Fuzzy Hash: 7c29d87e7d6a666a6374703866dd42c53a280d6db8acc668fe4e1522d65ba280
Instruction Fuzzy Hash: 5F119031711B04B6F520FBB2CC07FCBB7DC9F42308F814C2EB29E76152E628A9184645

Function 0040FED2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040FEDF
int.LIBCPMT ref: 0040FEF2

Part of subcall function 0040CEE0: std::_Lockit::_Lockit.LIBCPMT ref: 0040CEF1
Part of subcall function 0040CEE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CF0B

std::_Facet_Register.LIBCPMT ref: 0040FF2E
std::_Lockit::~_Lockit.LIBCPMT ref: 0040FF54
__CxxThrowException@8.LIBVCRUNTIME ref: 0040FF70

Strings

H]G, xrefs: 0040FEEA

Memory Dump Source

Source File: 00000001.00000002.2563299774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2563275571.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563363859.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563400306.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_rZcI2tz327.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
String ID: H]G
API String ID: 2536120697-1717957184
Opcode ID: 3e4a8574ab9db7722bfa12a95caa071d2d4e3d0815d43ad0032f2c9a3dec5087
Instruction ID: c39742161ac3258eace465d30f2780732a1ff9819e97f4bd037edafe9ec39b9f
Opcode Fuzzy Hash: 3e4a8574ab9db7722bfa12a95caa071d2d4e3d0815d43ad0032f2c9a3dec5087
Instruction Fuzzy Hash: 9011BF31900419ABCB24FBA5C8468DDB7799F95318B20007FF505B72C1EB78AF09C799

Function 004395FC Relevance: 9.3, APIs: 6, Instructions: 284COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00439789
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004397A5
__allrem.LIBCMT ref: 004397BC
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004397DA
__allrem.LIBCMT ref: 004397F1
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043980F

Memory Dump Source

Source File: 00000001.00000002.2563299774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2563275571.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563363859.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563400306.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_rZcI2tz327.jbxd

Yara matches

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: f1fde5a02fd595428c5ea82786117b3ca59670a7c5a9c6947d2ee4ceb3542413
Instruction ID: 29148231e9435c1f59b8c02308e8e4f0c882d016d38a0f6ab7871d26eba04b65
Opcode Fuzzy Hash: f1fde5a02fd595428c5ea82786117b3ca59670a7c5a9c6947d2ee4ceb3542413
Instruction Fuzzy Hash: 7A811B726017069BE724AE79CC82B6F73A8AF49328F24512FF511D66C1E7B8DD018B58

Function 00444B3D Relevance: 9.2, APIs: 6, Instructions: 200COMMON

Download Yara Rule

APIs

__cftoe.LIBCMT ref: 00444B69
__cftoe.LIBCMT ref: 00444B9B

Memory Dump Source

Source File: 00000001.00000002.2563299774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2563275571.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563363859.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563400306.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_rZcI2tz327.jbxd

Yara matches

Similarity

API ID: __cftoe
String ID:
API String ID: 4189289331-0
Opcode ID: 9c401b065f3bfa052971b83b22631fc3acfeb1e9040e9a62fafe9f4e5745fff8
Instruction ID: 646e0444ce84107b4b6d0ff1d92098e8eb0dfa86acef9ec08128487301265115
Opcode Fuzzy Hash: 9c401b065f3bfa052971b83b22631fc3acfeb1e9040e9a62fafe9f4e5745fff8
Instruction Fuzzy Hash: A851FC72900105ABFB249F598C81F6F77A9EFC9324F15421FF815A6281DB3DDD01866D

Function 00446159 Relevance: 9.1, APIs: 3, Strings: 2, Instructions: 389COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00446261
__freea.LIBCMT ref: 0044630B
__freea.LIBCMT ref: 00446329

Strings

a/p, xrefs: 004463F0
am/pm, xrefs: 0044638C

Memory Dump Source

Source File: 00000001.00000002.2563299774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2563275571.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563363859.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563400306.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_rZcI2tz327.jbxd

Yara matches

Similarity

API ID: __freea$__alloca_probe_16
String ID: a/p$am/pm
API String ID: 3509577899-3206640213
Opcode ID: ef0e82919ac3b8602debd5a299a6af15dd8aa9f36d72cee99fb0876ec95c8b0f
Instruction ID: cf09b504ad0dd49156c227457699755419044adef71e8be36bbdd309731302d4
Opcode Fuzzy Hash: ef0e82919ac3b8602debd5a299a6af15dd8aa9f36d72cee99fb0876ec95c8b0f
Instruction Fuzzy Hash: 5FD1F271A00206EAFB249F68D945ABBB7B0FF06300F26415BE905AB749D37D8D41CB5B

Function 00407DEF Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 325COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 00407FE9

Strings

SetFilePointerEx error, xrefs: 00408266
ReadFile error, xrefs: 0040822E
Uploading file to Controller: , xrefs: 00408077
>G, xrefs: 00407E87

Memory Dump Source

Source File: 00000001.00000002.2563299774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2563275571.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563363859.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563400306.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_rZcI2tz327.jbxd

Yara matches

Similarity

API ID: __aulldiv
String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $>G
API String ID: 3732870572-3066803209
Opcode ID: b5896b6aa8dc93a42fdc7ca8ee59af3793cf607094dab54a5cc799d4748aa015
Instruction ID: 222450ca6543349723abdfa1177da379b39b5876d7444fbb960ea0ab75079841
Opcode Fuzzy Hash: b5896b6aa8dc93a42fdc7ca8ee59af3793cf607094dab54a5cc799d4748aa015
Instruction Fuzzy Hash: DAB191316083409BC214FB25C892AAFB7E5AFD4314F40492EF885632D2EF789945C79B

Function 0040A3F4 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 158COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0040A456

Strings

minutes }, xrefs: 0040A59F
[, xrefs: 0040A50E
{ User has been idle for , xrefs: 0040A5AB
], xrefs: 0040A508

Memory Dump Source

Source File: 00000001.00000002.2563299774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2563275571.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563363859.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563400306.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_rZcI2tz327.jbxd

Yara matches

Similarity

API ID: Init_thread_footer
String ID: [${ User has been idle for $ minutes }$]
API String ID: 1385522511-3954389425
Opcode ID: 03b645630a32bab91784fdcaaf35e7665e57add118988245b84dd1f9af21cef4
Instruction ID: 0ecdfa35f4bf358d0b6072dbfc0ad8fc4f94b2a12b5a089c7f39fa9b67fb4d59
Opcode Fuzzy Hash: 03b645630a32bab91784fdcaaf35e7665e57add118988245b84dd1f9af21cef4
Instruction Fuzzy Hash: C451DF316083005BC614FB21D84AAAE7794BF84318F50493FF846A62E2EF7C9E55C69F

Function 00413C67 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 155COMMON

Download Yara Rule

Strings

udp, xrefs: 00413D17, 00413D1F, 00413D23
65535, xrefs: 00413C6A

Memory Dump Source

Source File: 00000001.00000002.2563299774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2563275571.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563363859.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563400306.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_rZcI2tz327.jbxd

Yara matches

Similarity

API ID:
String ID: 65535$udp
API String ID: 0-1267037602
Opcode ID: dd6860ede333d1e13d8ba8fd5b9e65b3a11d6160404ba42ca097fcd4ed7c504e
Instruction ID: a76ad32841e4dbbb66723cf4e0556afe3febbbe66cdf8f55616d13ac9502c32b
Opcode Fuzzy Hash: dd6860ede333d1e13d8ba8fd5b9e65b3a11d6160404ba42ca097fcd4ed7c504e
Instruction Fuzzy Hash: 9D4118716083019BD7209F29E905BAB7BD8EF85706F04082FF84197391E76DCEC186AE

Function 00401768 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

Part of subcall function 004338A5: __onexit.LIBCMT ref: 004338AB

__Init_thread_footer.LIBCMT ref: 004017BC

Strings

p[G, xrefs: 00401786
T=G, xrefs: 00401800
>G, xrefs: 0040180B
>G, xrefs: 0040188E

Memory Dump Source

Source File: 00000001.00000002.2563299774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2563275571.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563363859.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563400306.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_rZcI2tz327.jbxd

Yara matches

Similarity

API ID: Init_thread_footer__onexit
String ID: T=G$p[G$>G$>G
API String ID: 1881088180-2461731529
Opcode ID: 24e7f747a15a6f24ad906a06405d149d66a6451b298e1ed85f96d43c0240959f
Instruction ID: b2aa677fe1363808454ef9d3704f93b9908b7cd688e3fd59dcdd6ad405d7ff49
Opcode Fuzzy Hash: 24e7f747a15a6f24ad906a06405d149d66a6451b298e1ed85f96d43c0240959f
Instruction Fuzzy Hash: 0D41A0316042019BC324FB65DCA6EAE73A4EB94318F00453FF54AA71F2DF78A945C65E

Function 00401A8E Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 89COMMON

Download Yara Rule

APIs

_strftime.LIBCMT ref: 00401AD3

Strings

`=G, xrefs: 00401B04
.wav, xrefs: 00401AEC
%Y-%m-%d %H.%M, xrefs: 00401AC4
x=G, xrefs: 00401B8B

Memory Dump Source

Source File: 00000001.00000002.2563299774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2563275571.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563363859.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563400306.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_rZcI2tz327.jbxd

Yara matches

Similarity

API ID: _strftime
String ID: %Y-%m-%d %H.%M$.wav$`=G$x=G
API String ID: 1867682108-3643129801
Opcode ID: b98d141d1bc58706cf47e446f700e21750711a6b249cb7a34df20c430083dcb3
Instruction ID: ec6e8c75c27496dd15f6dcc160753dc5291fcfbcfc36b55cd818fae73feeac55
Opcode Fuzzy Hash: b98d141d1bc58706cf47e446f700e21750711a6b249cb7a34df20c430083dcb3
Instruction Fuzzy Hash: 6C317E315053009BC314EF25DC56A9E77E8BB94314F00883EF559A21F1EF78AA49CB9A

Function 0040AE58 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 004338A5: __onexit.LIBCMT ref: 004338AB

__Init_thread_footer.LIBCMT ref: 0040AEA7

Strings

,]G, xrefs: 0040AE80
[Text copied to clipboard], xrefs: 0040AEF6
[End of clipboard], xrefs: 0040AEE9
0]G, xrefs: 0040AE70

Memory Dump Source

Source File: 00000001.00000002.2563299774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2563275571.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563363859.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563400306.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_rZcI2tz327.jbxd

Yara matches

Similarity

API ID: Init_thread_footer__onexit
String ID: [End of clipboard]$[Text copied to clipboard]$,]G$0]G
API String ID: 1881088180-753205382
Opcode ID: 56c1f1ae6f78bac0c607c729516ac071ad5445c1ba0520974c197d9e4cefc69c
Instruction ID: 172b4b58ae75f988d3b3a293bba3f35c56e57800f0e036023c2a0486d145437f
Opcode Fuzzy Hash: 56c1f1ae6f78bac0c607c729516ac071ad5445c1ba0520974c197d9e4cefc69c
Instruction Fuzzy Hash: 44219F31A002099ACB14FB75D8929EE7774AF54318F50403FF406771E2EF386E4A8A8D

Function 00449950 Relevance: 7.7, APIs: 5, Instructions: 216COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 004499E2
__alloca_probe_16.LIBCMT ref: 00449AC7
__freea.LIBCMT ref: 00449B37
__freea.LIBCMT ref: 00449B40
__freea.LIBCMT ref: 00449B65

Memory Dump Source

Source File: 00000001.00000002.2563299774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2563275571.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563363859.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563400306.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_rZcI2tz327.jbxd

Yara matches

Similarity

API ID: __freea$__alloca_probe_16
String ID:
API String ID: 3509577899-0
Opcode ID: aa8dcda0c36fa9ba79fa8fe966d6c0ac5dcd12a00e8d66bfa7c578b9a9788745
Instruction ID: d3450b84a68f20df6837e20b70452335b33749c243a385fd48b45426a0ff81fe
Opcode Fuzzy Hash: aa8dcda0c36fa9ba79fa8fe966d6c0ac5dcd12a00e8d66bfa7c578b9a9788745
Instruction Fuzzy Hash: 89511572610246AFFB258F65DC81EBB77A9EB44754F15462EFC04E6240EF38EC40E668

Function 00443098 Relevance: 7.6, APIs: 5, Instructions: 129COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0044310A
_free.LIBCMT ref: 0044312A

Memory Dump Source

Source File: 00000001.00000002.2563299774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2563275571.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563363859.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563400306.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_rZcI2tz327.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: f0a2e76299140c1b889b6a2776586b742041be663085ede9ef76686f57abf0cb
Instruction ID: 1dbcf13812f0ad7c91f1b1cf961d24232ef3b5dad0ac29e3e9285c08b65e5f3f
Opcode Fuzzy Hash: f0a2e76299140c1b889b6a2776586b742041be663085ede9ef76686f57abf0cb
Instruction Fuzzy Hash: 4A41D532E002049FEB24DF79C881A5EB3A5EF89718F15856EE915EB341DB35EE01CB84

Function 00439361 Relevance: 7.6, APIs: 5, Instructions: 116COMMON

Download Yara Rule

APIs

__dosmaperr.LIBCMT ref: 004393CD
__dosmaperr.LIBCMT ref: 0043940A
__dosmaperr.LIBCMT ref: 0043945E
_free.LIBCMT ref: 0043946A
_free.LIBCMT ref: 00439471

Memory Dump Source

Source File: 00000001.00000002.2563299774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2563275571.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563363859.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563400306.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_rZcI2tz327.jbxd

Yara matches

Similarity

API ID: __dosmaperr$_free
String ID:
API String ID: 242264518-0
Opcode ID: ab6d6df52fdda21e78bda597108ea35d8248e36eca260e6751756a241cd45372
Instruction ID: 902c93592471d116807dca9985149206a76c62e8192f2f9a6cc20a0486345b12
Opcode Fuzzy Hash: ab6d6df52fdda21e78bda597108ea35d8248e36eca260e6751756a241cd45372
Instruction Fuzzy Hash: F531F17140820ABBEF11AFA5DC449AF3B78EF09364F14016AF81066291DB79CC12DBA9

Function 0044F79D Relevance: 7.5, APIs: 5, Instructions: 40COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0044F7B5
_free.LIBCMT ref: 0044F7C7
_free.LIBCMT ref: 0044F7D9
_free.LIBCMT ref: 0044F7EB
_free.LIBCMT ref: 0044F7FD

Memory Dump Source

Source File: 00000001.00000002.2563299774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2563275571.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563363859.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563400306.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_rZcI2tz327.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 24d082c4c32556380d94a426a0797d769337f58152c77e2724906da83e703e03
Instruction ID: 78b16e2cd2bc6e4547488c8f4e3d182d22cf8911186b8f77a4a783cd10448158
Opcode Fuzzy Hash: 24d082c4c32556380d94a426a0797d769337f58152c77e2724906da83e703e03
Instruction Fuzzy Hash: 9AF01232505600BBE620EB59E8C5C1773E9EB827147A9482BF408F7641CB3DFCC48A6C

Function 004432E7 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00443305
_free.LIBCMT ref: 00443317
_free.LIBCMT ref: 0044332A
_free.LIBCMT ref: 0044333B
_free.LIBCMT ref: 0044334C

Memory Dump Source

Source File: 00000001.00000002.2563299774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2563275571.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563363859.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563400306.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_rZcI2tz327.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: ab870860b33c9a3cd44b9e2e3565930e421ff68453c6808a8f097650461ead98
Instruction ID: 76e6a482bc9a1727a28655d1f271e5fc3ecde01143ea680422932a64b095765e
Opcode Fuzzy Hash: ab870860b33c9a3cd44b9e2e3565930e421ff68453c6808a8f097650461ead98
Instruction Fuzzy Hash: B9F05EF08075209FAB12AF2DBD014893BA0B786755306413BF41EB2772EB380D95DB8E

Function 00454982 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 272COMMON

Download Yara Rule

APIs

__dosmaperr.LIBCMT ref: 00454A9D
__dosmaperr.LIBCMT ref: 00454ABC
__dosmaperr.LIBCMT ref: 00454C5F

Strings

H, xrefs: 00454BE4

Memory Dump Source

Source File: 00000001.00000002.2563299774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2563275571.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563363859.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563400306.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_rZcI2tz327.jbxd

Yara matches

Similarity

API ID: __dosmaperr
String ID: H
API String ID: 2332233096-2852464175
Opcode ID: b64a76ded07e6414476391b57ad8ab2edcfe93df9d200e18b46d3283e817940b
Instruction ID: 324c09394b40af715295ff654573b8bda7a64cd12b4111e7ce26936e53f9a861
Opcode Fuzzy Hash: b64a76ded07e6414476391b57ad8ab2edcfe93df9d200e18b46d3283e817940b
Instruction Fuzzy Hash: B0A148329041044FDF19EF78D8427AE7BA0AB86319F14015EFC159F392DB398C86C75A

Function 0044D459 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 168COMMON

Download Yara Rule

APIs

_strpbrk.LIBCMT ref: 0044D4A8
_free.LIBCMT ref: 0044D5C5

Strings

., xrefs: 0044D77C
*?, xrefs: 0044D49C

Memory Dump Source

Source File: 00000001.00000002.2563299774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2563275571.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563363859.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563400306.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_rZcI2tz327.jbxd

Yara matches

Similarity

API ID: _free_strpbrk
String ID: *?$.
API String ID: 3300345361-3972193922
Opcode ID: 5e5281a7710df1af016e28c269081ecff319cf0b763ae5275be817dad69de84b
Instruction ID: 2d4433a3afc190a5690657b280c6536bac4d5ba0d1806d6c31be7b1549e3be36
Opcode Fuzzy Hash: 5e5281a7710df1af016e28c269081ecff319cf0b763ae5275be817dad69de84b
Instruction Fuzzy Hash: 7251B371E00109AFEF14DFA9C881AAEB7F5EF58318F24416FE854E7301DA799E018B54

Function 004559CA Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 152COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00455AF9

Strings

HE, xrefs: 00455A1D, 00455B0E
HE, xrefs: 00455AC0

Memory Dump Source

Source File: 00000001.00000002.2563299774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2563275571.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563363859.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563400306.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_rZcI2tz327.jbxd

Yara matches

Similarity

API ID: _free
String ID: HE$HE
API String ID: 269201875-1978648262
Opcode ID: 396dac2f3812ff065a3283cc201ba07d86737f2a766ab43e7d660d85bd51e2e6
Instruction ID: 4134de32792d44acead4bb36f8da9b5b282593f8ffe10db144b1eaf4d9577b64
Opcode Fuzzy Hash: 396dac2f3812ff065a3283cc201ba07d86737f2a766ab43e7d660d85bd51e2e6
Instruction Fuzzy Hash: 90412A31A009106BEF24AABA8CD5A7F3B64DF45375F14031BFC1896293D67C8C4996AA

Function 0040CDBE Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040CDC9
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040CE08

Part of subcall function 004347BD: _Yarn.LIBCPMT ref: 004347DC
Part of subcall function 004347BD: _Yarn.LIBCPMT ref: 00434800

__CxxThrowException@8.LIBVCRUNTIME ref: 0040CE2C

Strings

bad locale name, xrefs: 0040CE16

Memory Dump Source

Source File: 00000001.00000002.2563299774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2563275571.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563363859.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563400306.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_rZcI2tz327.jbxd

Yara matches

Similarity

API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
String ID: bad locale name
API String ID: 3628047217-1405518554
Opcode ID: 07a2f8cd9595a8075203c453c032e2fb497ed10d9d6fcf4fa69d5ee2e3489bdb
Instruction ID: 69d9b4558c1556c2c918d31b5ea24064f6fee533cc814fb99c42b36f0b05f267
Opcode Fuzzy Hash: 07a2f8cd9595a8075203c453c032e2fb497ed10d9d6fcf4fa69d5ee2e3489bdb
Instruction Fuzzy Hash: 1AF08171400204EAC724FB23D853ACA73A49F54748F90497FB506214D2EF38A618CA8C

Function 00447E3A Relevance: 6.4, APIs: 4, Instructions: 370COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00447EBC
_free.LIBCMT ref: 00447EE0
_free.LIBCMT ref: 00448067
_free.LIBCMT ref: 00448233

Memory Dump Source

Source File: 00000001.00000002.2563299774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2563275571.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563363859.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563400306.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_rZcI2tz327.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 978846fda2128c97431eceff056d37264033e8c1365c30a17839f00b24d8827c
Instruction ID: d74e55ca02e924b9256a88f94e7be2aa31ce1fd8fbfcff02d88bcfbefc6cbd9d
Opcode Fuzzy Hash: 978846fda2128c97431eceff056d37264033e8c1365c30a17839f00b24d8827c
Instruction Fuzzy Hash: 32C12871904205ABFB24DF799C41AAE7BB8EF46314F2441AFE484A7351EB388E47C758

Function 00448D0B Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00448D96
__alldvrm.LIBCMT ref: 00448F97
__alldvrm.LIBCMT ref: 00448FB9

Memory Dump Source

Source File: 00000001.00000002.2563299774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2563275571.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563363859.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563400306.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_rZcI2tz327.jbxd

Yara matches

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: fd79a7ba97117714d85021eba27869df20238d29c0b4b296cd839071043617be
Instruction ID: 63a095292c52d92af2bf19a392fdfa9b0d117a80b68c781492b1ecdde0b53e6f
Opcode Fuzzy Hash: fd79a7ba97117714d85021eba27869df20238d29c0b4b296cd839071043617be
Instruction Fuzzy Hash: 60A168729042469FFB21CF58C8817AEBBE2EF55314F24416FE5849B382DA3C8D45C759

Function 0044B450 Relevance: 6.3, APIs: 4, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2563299774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2563275571.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563363859.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563400306.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_rZcI2tz327.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2fd919219da5dceb4fadf527de6f56cb4df21625ee46edd218c435833ca4f57
Instruction ID: 1e235cce983953b2f50cc3566bc78ab2d8216d31b9fa4c429b6f00869d8f9d70
Opcode Fuzzy Hash: a2fd919219da5dceb4fadf527de6f56cb4df21625ee46edd218c435833ca4f57
Instruction Fuzzy Hash: 27C1D774D04249AFEF11DFA9C8417AEBBB4FF4A304F14405AE814A7392C778D941CBA9

Function 00452B2A Relevance: 6.3, APIs: 4, Instructions: 268COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00452C91
__alloca_probe_16.LIBCMT ref: 00452D3B
__freea.LIBCMT ref: 00452DAA
__freea.LIBCMT ref: 00452DB6

Memory Dump Source

Source File: 00000001.00000002.2563299774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2563275571.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563363859.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563400306.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_rZcI2tz327.jbxd

Yara matches

Similarity

API ID: __alloca_probe_16__freea
String ID:
API String ID: 1635606685-0
Opcode ID: 51fcd5d0f12c7252ccb3cdd53779652c124c35418bee1affee7c5fbc1305f75c
Instruction ID: c0da75549b7b47b94c7346473649b17197e9394d7568cc7349c1d05b16f9ad8a
Opcode Fuzzy Hash: 51fcd5d0f12c7252ccb3cdd53779652c124c35418bee1affee7c5fbc1305f75c
Instruction Fuzzy Hash: F391D872E002169BDF218E64CA51EEF7BB5AF0A315F14055BEC04E7243D7A9DC48CB68

Function 00441A81 Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2563299774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2563275571.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563363859.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563400306.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_rZcI2tz327.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b4993e58d5b3b7c0490c3bd99df1984d1f8f515a64746adb67fb48e1b339b7f
Instruction ID: 90b3d0a8f148eb65ba096d855dd205fb67a40d318d5acb0a54968c3478788488
Opcode Fuzzy Hash: 9b4993e58d5b3b7c0490c3bd99df1984d1f8f515a64746adb67fb48e1b339b7f
Instruction Fuzzy Hash: 10412B71A00744AFF724AF78CC41B6ABBE8EF88714F10452FF511DB291E679A9458788

Function 00437E06 Relevance: 6.1, APIs: 4, Instructions: 60COMMON

Download Yara Rule

APIs

___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00437E22
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00437E3B

Memory Dump Source

Source File: 00000001.00000002.2563299774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2563275571.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563363859.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563400306.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_rZcI2tz327.jbxd

Yara matches

Similarity

API ID: Value___vcrt_
String ID:
API String ID: 1426506684-0
Opcode ID: 8677577c8e37d81537f7299acd8b5f5a9cc683e2404a7ed47504fd76d00458cf
Instruction ID: be779a20f6972cc68ff7cd304671387be2c97454b743a33de387a584dbd8fa65
Opcode Fuzzy Hash: 8677577c8e37d81537f7299acd8b5f5a9cc683e2404a7ed47504fd76d00458cf
Instruction Fuzzy Hash: 2A01D8B222D315ADEB3427757C87A172699EB09779F2013BFF228851E1EF294C41914C

Function 004380F5 Relevance: 6.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 0043810F

Part of subcall function 0043805C: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 0043808B
Part of subcall function 0043805C: ___AdjustPointer.LIBCMT ref: 004380A6

_UnwindNestedFrames.LIBCMT ref: 00438124
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00438135
CallCatchBlock.LIBVCRUNTIME ref: 0043815D

Memory Dump Source

Source File: 00000001.00000002.2563299774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2563275571.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563363859.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563400306.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_rZcI2tz327.jbxd

Yara matches

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: c8370f5f766c88f9b882548d03e746073a9763e8d7037f7b78bb80a5d64990c6
Instruction ID: 9a8277e88b86f5caaa8344fd0510e130f37262ecddc885b6c63592dc4fca678f
Opcode Fuzzy Hash: c8370f5f766c88f9b882548d03e746073a9763e8d7037f7b78bb80a5d64990c6
Instruction Fuzzy Hash: 09014032100208BBDF126E96CC45DEB7B69EF4C758F04500DFE4866121C739E861DBA8

Function 00441EDD Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00441F6D

Strings

pow, xrefs: 00441F45, 00441F62

Memory Dump Source

Source File: 00000001.00000002.2563299774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2563275571.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563363859.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563400306.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_rZcI2tz327.jbxd

Yara matches

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: c11d7b0c0eb8e10153fe90c38a808d625a788e1790705f3c08302100bb714254
Instruction ID: c296867054112a427edbdd16b3baf579c6faf9d8481746a729c2ad46b2c40409
Opcode Fuzzy Hash: c11d7b0c0eb8e10153fe90c38a808d625a788e1790705f3c08302100bb714254
Instruction Fuzzy Hash: 2A517B61A1620196F7117714C98137F2BD0DB50741F688D6BF085423F9DF3D8CDA9A4E

Function 0041B1BB Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 139COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 0041B1EE
_wcslen.LIBCMT ref: 0041B2DB

Strings

?, xrefs: 0041B26D

Memory Dump Source

Source File: 00000001.00000002.2563299774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2563275571.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563363859.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563400306.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_rZcI2tz327.jbxd

Yara matches

Similarity

API ID: _memcmp_wcslen
String ID: ?
API String ID: 1846113162-1684325040
Opcode ID: d489e3e95fd4da7a256b353d04e65c95c699bf3c253225e66008eb700c534145
Instruction ID: 2e0df54dd889987763cd5022c3700ac4418931210c184d5857636408485aa128
Opcode Fuzzy Hash: d489e3e95fd4da7a256b353d04e65c95c699bf3c253225e66008eb700c534145
Instruction Fuzzy Hash: 8B416F71508305AAD7209FA1EC8C9EBB7E8EB49715F00096BF541C2261EB78C98887D6

Function 004336EC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 65COMMON

Download Yara Rule

Strings

LG, xrefs: 00433747
XG, xrefs: 00433768

Memory Dump Source

Source File: 00000001.00000002.2563299774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2563275571.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563363859.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563400306.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_rZcI2tz327.jbxd

Yara matches

Similarity

API ID:
String ID: LG$XG
API String ID: 0-1482930923
Opcode ID: c15126115d7b74b818ce8cc4bfc83f894c4a74ec01747284a75d25f55942686d
Instruction ID: b803d8f2fb0d60b71c32d24796bf113498d2ea24005d64aa96dbf80bf0db992b
Opcode Fuzzy Hash: c15126115d7b74b818ce8cc4bfc83f894c4a74ec01747284a75d25f55942686d
Instruction Fuzzy Hash: CE11A3B1D01654AACB20EFA998017CFB7A55F09725F14D06BED18EF281D3B9DB408B98

Function 00401D91 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00401D96

Strings

T=G, xrefs: 00401DDB
T=G, xrefs: 00401DB7

Memory Dump Source

Source File: 00000001.00000002.2563299774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2563275571.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563363859.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563400306.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_rZcI2tz327.jbxd

Yara matches

Similarity

API ID: H_prolog
String ID: T=G$T=G
API String ID: 3519838083-3732185208
Opcode ID: ece060f59eec47038b163f6730b9b4774a9df75ced3df6c836fae2af045d366e
Instruction ID: 37a3980bbf64332544f5ef03d086655580814226aad47650f393c0c18fea351b
Opcode Fuzzy Hash: ece060f59eec47038b163f6730b9b4774a9df75ced3df6c836fae2af045d366e
Instruction Fuzzy Hash: BCF0E971A00220ABC714BB65C80669EB774EF41369F10827FB416B72E1CBBD5D04D65D

Function 00448803 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00448825

Strings

`@, xrefs: 00448809
`@, xrefs: 00448808

Memory Dump Source

Source File: 00000001.00000002.2563299774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2563275571.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563363859.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2563400306.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_rZcI2tz327.jbxd

Yara matches

Similarity

API ID: _free
String ID: `@$`@
API String ID: 269201875-20545824
Opcode ID: 9a963da6b0d453c70d37714207bd95daf40472698ea915a46c6a843fe12f4396
Instruction ID: 46705ffcfacdd7a720b29fb61e5cb4af2d59a6418439a2947ca99394172970e0
Opcode Fuzzy Hash: 9a963da6b0d453c70d37714207bd95daf40472698ea915a46c6a843fe12f4396
Instruction Fuzzy Hash: B9E06D761006059F8720DE6DD400A86B7E4EF95360320852AE89DE3310DB32E812CB40

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Containers, IaaS, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report rZcI2tz327.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Remcos

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rZcI2tz327.exe_6f42f6dceb419b4ed06bd0fa4b24d87b80cbe1c1_93a63288_415b337e-b06b-460b-b519-524a802985e7\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER38A1.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER38F0.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER394E.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Windows Analysis Report
rZcI2tz327.exe