Edit tour

Windows Analysis Report
P87unxnF4t4DSrTt43.exe

Overview

General Information

Sample name:	P87unxnF4t4DSrTt43.exe
Analysis ID:	1592534
MD5:	51bb5f38593e255c16ab2712757cda43
SHA1:	458fbe81fed707852864c3bcc4997b27d6a65832
SHA256:	1c80bf8e780ae58203e7f816c8fe04f66df434a3fbd981ba7c6e52e588622c03
Tags:	exemalwareRemcosRATtrojanuser-Joker
Infos:

Detection

Remcos

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Contains functionality to bypass UAC (CMSTPLUA)

Detected Remcos RAT

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: Remcos

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected Remcos RAT

Yara detected UAC Bypass using CMSTP

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

C2 URLs / IPs found in malware configuration

Contains functionality to register a low level keyboard hook

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Contains functionalty to change the wallpaper

Delayed program exit found

Injects a PE file into a foreign processes

Installs a global keyboard hook

Loading BitLocker PowerShell Module

Machine Learning detection for sample

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains functionality for read data from the clipboard

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to download and launch executables

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to enumerate running services

Contains functionality to launch a control a shell (cmd.exe)

Contains functionality to modify clipboard data

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected non-DNS traffic on DNS port

Detected potential crypto function

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara detected Keylogger Generic

Yara signature match

Classification

Process Tree

System is w10x64

P87unxnF4t4DSrTt43.exe (PID: 7644 cmdline: "C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe" MD5: 51BB5F38593E255C16AB2712757CDA43)

powershell.exe (PID: 7832 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7840 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 8140 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

P87unxnF4t4DSrTt43.exe (PID: 7848 cmdline: "C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe" MD5: 51BB5F38593E255C16AB2712757CDA43)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Remcos, RemcosRAT	Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.	APT33 The Gorgon Group UAC-0050	http://malware-traffic-analysis.net/2017/12/22/index.html https://0xmrmagnezi.github.io/malware%20analysis/RemcosRAT/ https://asec.ahnlab.com/en/32376/ https://asec.ahnlab.com/ko/25837/ https://asec.ahnlab.com/ko/32101/	https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Malware Configuration

Threatname: Remcos

{"Host:Port:Password": ["www.kposlifestyle.design:2404:0"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-OH1QS4", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "edefdefffff", "Keylog file max size": ""}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\ProgramData\edefdefffff\logs.dat	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000006.00000002.3780449094.00000000013C7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000001.00000002.1341710478.00000000042B9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000001.00000002.1341710478.00000000042B9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000001.00000002.1341710478.00000000042B9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000001.00000002.1341710478.00000000042B9000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x3f810:$a1: Remcos restarted by watchdog! 0x3fd88:$a3: %02i:%02i:%02i:%03i
00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6c708:$a1: Remcos restarted by watchdog! 0x6cc80:$a3: %02i:%02i:%02i:%03i
00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x66994:$str_a1: C:\Windows\System32\cmd.exe 0x66910:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66910:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x67410:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x66a04:$str_b2: Executing file: 0x6784c:$str_b3: GetDirectListeningPort 0x67200:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x67380:$str_b7: \update.vbs 0x66a2c:$str_b9: Downloaded file: 0x66a18:$str_b10: Downloading file: 0x66abc:$str_b12: Failed to upload file: 0x67814:$str_b13: StartForward 0x67834:$str_b14: StopForward 0x672d8:$str_b15: fso.DeleteFile " 0x6726c:$str_b16: On Error Resume Next 0x67308:$str_b17: fso.DeleteFolder " 0x66aac:$str_b18: Uploaded file: 0x66a6c:$str_b19: Unable to delete: 0x672a0:$str_b20: while fso.FileExists(" 0x66f49:$str_c0: [Firefox StoredLogins not found]
00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x66880:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x66810:$s1: CoGetObject 0x66824:$s1: CoGetObject 0x66840:$s1: CoGetObject 0x70480:$s1: CoGetObject 0x667d0:$s2: Elevation:Administrator!new:
00000001.00000002.1341710478.0000000004B23000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000001.00000002.1341710478.0000000004B23000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000001.00000002.1341710478.0000000004B23000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000001.00000002.1341710478.0000000004B23000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x4ef3e0:$a1: Remcos restarted by watchdog! 0x567a00:$a1: Remcos restarted by watchdog! 0x4ef958:$a3: %02i:%02i:%02i:%03i 0x567f78:$a3: %02i:%02i:%02i:%03i
Process Memory Space: P87unxnF4t4DSrTt43.exe PID: 7644	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: P87unxnF4t4DSrTt43.exe PID: 7644	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: P87unxnF4t4DSrTt43.exe PID: 7644	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: P87unxnF4t4DSrTt43.exe PID: 7644	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: P87unxnF4t4DSrTt43.exe PID: 7644	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x8721b:$a1: Remcos restarted by watchdog! 0x9d38e:$a1: Remcos restarted by watchdog! 0x87778:$a3: %02i:%02i:%02i:%03i 0x87b27:$a3: %02i:%02i:%02i:%03i 0x9d8eb:$a3: %02i:%02i:%02i:%03i 0x9dca3:$a3: %02i:%02i:%02i:%03i
Process Memory Space: P87unxnF4t4DSrTt43.exe PID: 7848	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: P87unxnF4t4DSrTt43.exe PID: 7848	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: P87unxnF4t4DSrTt43.exe PID: 7848	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: P87unxnF4t4DSrTt43.exe PID: 7848	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x11dca:$a1: Remcos restarted by watchdog! 0x12327:$a3: %02i:%02i:%02i:%03i 0x126df:$a3: %02i:%02i:%02i:%03i
Click to see the 19 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.P87unxnF4t4DSrTt43.exe.4fa76d8.3.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
1.2.P87unxnF4t4DSrTt43.exe.4fa76d8.3.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
1.2.P87unxnF4t4DSrTt43.exe.4fa76d8.3.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
1.2.P87unxnF4t4DSrTt43.exe.4fa76d8.3.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x69308:$a1: Remcos restarted by watchdog! 0x69880:$a3: %02i:%02i:%02i:%03i
1.2.P87unxnF4t4DSrTt43.exe.4fa76d8.3.unpack	REMCOS_RAT_variants	unknown	unknown	0x63594:$str_a1: C:\Windows\System32\cmd.exe 0x63510:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63510:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63a10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x64010:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x63604:$str_b2: Executing file: 0x6444c:$str_b3: GetDirectListeningPort 0x63e00:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x63f80:$str_b7: \update.vbs 0x6362c:$str_b9: Downloaded file: 0x63618:$str_b10: Downloading file: 0x636bc:$str_b12: Failed to upload file: 0x64414:$str_b13: StartForward 0x64434:$str_b14: StopForward 0x63ed8:$str_b15: fso.DeleteFile " 0x63e6c:$str_b16: On Error Resume Next 0x63f08:$str_b17: fso.DeleteFolder " 0x636ac:$str_b18: Uploaded file: 0x6366c:$str_b19: Unable to delete: 0x63ea0:$str_b20: while fso.FileExists(" 0x63b49:$str_c0: [Firefox StoredLogins not found]
1.2.P87unxnF4t4DSrTt43.exe.4fa76d8.3.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x63480:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x63410:$s1: CoGetObject 0x63424:$s1: CoGetObject 0x63440:$s1: CoGetObject 0x6d080:$s1: CoGetObject 0x633d0:$s2: Elevation:Administrator!new:
6.2.P87unxnF4t4DSrTt43.exe.400000.0.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
6.2.P87unxnF4t4DSrTt43.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
6.2.P87unxnF4t4DSrTt43.exe.400000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
6.2.P87unxnF4t4DSrTt43.exe.400000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6ad08:$a1: Remcos restarted by watchdog! 0x6b280:$a3: %02i:%02i:%02i:%03i
6.2.P87unxnF4t4DSrTt43.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x64f94:$str_a1: C:\Windows\System32\cmd.exe 0x64f10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65410:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x65a10:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x65004:$str_b2: Executing file: 0x65e4c:$str_b3: GetDirectListeningPort 0x65800:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65980:$str_b7: \update.vbs 0x6502c:$str_b9: Downloaded file: 0x65018:$str_b10: Downloading file: 0x650bc:$str_b12: Failed to upload file: 0x65e14:$str_b13: StartForward 0x65e34:$str_b14: StopForward 0x658d8:$str_b15: fso.DeleteFile " 0x6586c:$str_b16: On Error Resume Next 0x65908:$str_b17: fso.DeleteFolder " 0x650ac:$str_b18: Uploaded file: 0x6506c:$str_b19: Unable to delete: 0x658a0:$str_b20: while fso.FileExists(" 0x65549:$str_c0: [Firefox StoredLogins not found]
6.2.P87unxnF4t4DSrTt43.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x64e80:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64e10:$s1: CoGetObject 0x64e24:$s1: CoGetObject 0x64e40:$s1: CoGetObject 0x6ea80:$s1: CoGetObject 0x64dd0:$s2: Elevation:Administrator!new:
6.2.P87unxnF4t4DSrTt43.exe.400000.0.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
6.2.P87unxnF4t4DSrTt43.exe.400000.0.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
6.2.P87unxnF4t4DSrTt43.exe.400000.0.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
6.2.P87unxnF4t4DSrTt43.exe.400000.0.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6c708:$a1: Remcos restarted by watchdog! 0x6cc80:$a3: %02i:%02i:%02i:%03i
6.2.P87unxnF4t4DSrTt43.exe.400000.0.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x66994:$str_a1: C:\Windows\System32\cmd.exe 0x66910:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66910:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x67410:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x66a04:$str_b2: Executing file: 0x6784c:$str_b3: GetDirectListeningPort 0x67200:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x67380:$str_b7: \update.vbs 0x66a2c:$str_b9: Downloaded file: 0x66a18:$str_b10: Downloading file: 0x66abc:$str_b12: Failed to upload file: 0x67814:$str_b13: StartForward 0x67834:$str_b14: StopForward 0x672d8:$str_b15: fso.DeleteFile " 0x6726c:$str_b16: On Error Resume Next 0x67308:$str_b17: fso.DeleteFolder " 0x66aac:$str_b18: Uploaded file: 0x66a6c:$str_b19: Unable to delete: 0x672a0:$str_b20: while fso.FileExists(" 0x66f49:$str_c0: [Firefox StoredLogins not found]
6.2.P87unxnF4t4DSrTt43.exe.400000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x66880:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x66810:$s1: CoGetObject 0x66824:$s1: CoGetObject 0x66840:$s1: CoGetObject 0x70480:$s1: CoGetObject 0x667d0:$s2: Elevation:Administrator!new:
1.2.P87unxnF4t4DSrTt43.exe.4fa76d8.3.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
1.2.P87unxnF4t4DSrTt43.exe.4fa76d8.3.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
1.2.P87unxnF4t4DSrTt43.exe.4fa76d8.3.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
1.2.P87unxnF4t4DSrTt43.exe.4fa76d8.3.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6ad08:$a1: Remcos restarted by watchdog! 0xe3328:$a1: Remcos restarted by watchdog! 0x6b280:$a3: %02i:%02i:%02i:%03i 0xe38a0:$a3: %02i:%02i:%02i:%03i
1.2.P87unxnF4t4DSrTt43.exe.4fa76d8.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x64e80:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0xdd4a0:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64e10:$s1: CoGetObject 0x64e24:$s1: CoGetObject 0x64e40:$s1: CoGetObject 0x6ea80:$s1: CoGetObject 0xdd430:$s1: CoGetObject 0xdd444:$s1: CoGetObject 0xdd460:$s1: CoGetObject 0xe70a0:$s1: CoGetObject 0x64dd0:$s2: Elevation:Administrator!new: 0xdd3f0:$s2: Elevation:Administrator!new:
1.2.P87unxnF4t4DSrTt43.exe.4e2ea98.0.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
1.2.P87unxnF4t4DSrTt43.exe.4e2ea98.0.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
1.2.P87unxnF4t4DSrTt43.exe.4e2ea98.0.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
1.2.P87unxnF4t4DSrTt43.exe.4e2ea98.0.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x1e3948:$a1: Remcos restarted by watchdog! 0x25bf68:$a1: Remcos restarted by watchdog! 0x1e3ec0:$a3: %02i:%02i:%02i:%03i 0x25c4e0:$a3: %02i:%02i:%02i:%03i
1.2.P87unxnF4t4DSrTt43.exe.4e2ea98.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1ddac0:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x2560e0:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1dda50:$s1: CoGetObject 0x1dda64:$s1: CoGetObject 0x1dda80:$s1: CoGetObject 0x1e76c0:$s1: CoGetObject 0x256070:$s1: CoGetObject 0x256084:$s1: CoGetObject 0x2560a0:$s1: CoGetObject 0x25fce0:$s1: CoGetObject 0x1dda10:$s2: Elevation:Administrator!new: 0x256030:$s2: Elevation:Administrator!new:
1.2.P87unxnF4t4DSrTt43.exe.4eeb0b8.2.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
1.2.P87unxnF4t4DSrTt43.exe.4eeb0b8.2.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
1.2.P87unxnF4t4DSrTt43.exe.4eeb0b8.2.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
1.2.P87unxnF4t4DSrTt43.exe.4eeb0b8.2.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x127328:$a1: Remcos restarted by watchdog! 0x19f948:$a1: Remcos restarted by watchdog! 0x1278a0:$a3: %02i:%02i:%02i:%03i 0x19fec0:$a3: %02i:%02i:%02i:%03i
1.2.P87unxnF4t4DSrTt43.exe.4eeb0b8.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1214a0:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x199ac0:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x121430:$s1: CoGetObject 0x121444:$s1: CoGetObject 0x121460:$s1: CoGetObject 0x12b0a0:$s1: CoGetObject 0x199a50:$s1: CoGetObject 0x199a64:$s1: CoGetObject 0x199a80:$s1: CoGetObject 0x1a36c0:$s1: CoGetObject 0x1213f0:$s2: Elevation:Administrator!new: 0x199a10:$s2: Elevation:Administrator!new:
Click to see the 28 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe", ParentImage: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe, ParentProcessId: 7644, ParentProcessName: P87unxnF4t4DSrTt43.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe", ProcessId: 7832, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe", ParentImage: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe, ParentProcessId: 7644, ParentProcessName: P87unxnF4t4DSrTt43.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe", ProcessId: 7832, ProcessName: powershell.exe

Stealing of Sensitive Information

Sigma detected: Remcos

Source: Registry Key set

Author: Joe Security: Data: Details: FF 9B 7F 6B 43 9F 59 B3 6D 05 DF 5D E3 CC B8 8D 5A BA ED D8 1F 9B 2C 2E 18 DF B3 B5 67 7F D3 5D 67 C0 27 9A 3A 4D 4F EA 78 FB 42 68 B3 F9 0E AF 37 3D 0B D2 6B CF 6C 3D F1 0A C7 A0 86 57 24 83 6C AF 18 CA 46 DC E7 03 98 2A 99 94 8F 08 51 EC D2 06 EB 42 D4 90 65 63 AE B3 14 34 0D AC DF EA 52 F6 7B 4C , EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe, ProcessId: 7848, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-OH1QS4\exepath

Suricata Signatures

ET MALWARE Remcos 3.x Unencrypted Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-16T09:09:11.893824+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.7	49704	154.216.16.38	2404	TCP

ET MALWARE Remcos 3.x Unencrypted Server Response

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-16T09:09:12.574650+0100	2032777	1	Malware Command and Control Activity Detected	154.216.16.38	2404	192.168.2.7	49704	TCP
2025-01-16T09:11:13.522732+0100	2032777	1	Malware Command and Control Activity Detected	154.216.16.38	2404	192.168.2.7	49704	TCP
2025-01-16T09:13:13.617447+0100	2032777	1	Malware Command and Control Activity Detected	154.216.16.38	2404	192.168.2.7	49704	TCP

ETPRO MALWARE Common Downloader Header Pattern HCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-16T09:09:14.094112+0100	2803304	3	Unknown Traffic	192.168.2.7	49711	178.237.33.50	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: P87unxnF4t4DSrTt43.exe

Avira: detected

Antivirus detection for URL or domain

Source: www.kposlifestyle.design

Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000006.00000002.3780449094.00000000013C7000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: Remcos {"Host:Port:Password": ["www.kposlifestyle.design:2404:0"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-OH1QS4", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "edefdefffff", "Keylog file max size": ""}

Multi AV Scanner detection for submitted file

Source: P87unxnF4t4DSrTt43.exe	Virustotal: Detection: 31%			Perma Link
Source: P87unxnF4t4DSrTt43.exe	ReversingLabs: Detection: 31%

Yara detected Remcos RAT

Source: Yara match	File source: 1.2.P87unxnF4t4DSrTt43.exe.4fa76d8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.P87unxnF4t4DSrTt43.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.P87unxnF4t4DSrTt43.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.P87unxnF4t4DSrTt43.exe.4fa76d8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.P87unxnF4t4DSrTt43.exe.4e2ea98.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.P87unxnF4t4DSrTt43.exe.4eeb0b8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.3780449094.00000000013C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1341710478.00000000042B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1341710478.0000000004B23000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: P87unxnF4t4DSrTt43.exe PID: 7644, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: P87unxnF4t4DSrTt43.exe PID: 7848, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\edefdefffff\logs.dat, type: DROPPED

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: P87unxnF4t4DSrTt43.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe

Code function: 6_2_00432B45 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,

6_2_00432B45

Source: P87unxnF4t4DSrTt43.exe, 00000001.00000002.1341710478.0000000004B23000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_15f3a43b-4

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 1.2.P87unxnF4t4DSrTt43.exe.4fa76d8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.P87unxnF4t4DSrTt43.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.P87unxnF4t4DSrTt43.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.P87unxnF4t4DSrTt43.exe.4fa76d8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.P87unxnF4t4DSrTt43.exe.4e2ea98.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.P87unxnF4t4DSrTt43.exe.4eeb0b8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1341710478.00000000042B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1341710478.0000000004B23000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: P87unxnF4t4DSrTt43.exe PID: 7644, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: P87unxnF4t4DSrTt43.exe PID: 7848, type: MEMORYSTR

Privilege Escalation

Contains functionality to bypass UAC (CMSTPLUA)

Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe

Code function: 6_2_00406764 _wcslen,CoGetObject,

6_2_00406764

Source: P87unxnF4t4DSrTt43.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: P87unxnF4t4DSrTt43.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: sPiG.pdbSHA256xsLF source: P87unxnF4t4DSrTt43.exe
Source:	Binary string: sPiG.pdb source: P87unxnF4t4DSrTt43.exe

Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Code function: 6_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	6_2_0040B335
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Code function: 6_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	6_2_0040B53A
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Code function: 6_2_0041B63A FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,	6_2_0041B63A
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Code function: 6_2_0044D7F9 FindFirstFileExA,	6_2_0044D7F9
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Code function: 6_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,	6_2_004089A9
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Code function: 6_2_00406AC2 FindFirstFileW,FindNextFileW,	6_2_00406AC2
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Code function: 6_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,	6_2_00407A8C
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Code function: 6_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,	6_2_00408DA7
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Code function: 6_2_00418E5F FindFirstFileW,FindNextFileW,FindNextFileW,	6_2_00418E5F

Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe

Code function: 6_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

6_2_00406F06

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.7:49704 -> 154.216.16.38:2404
Source: Network traffic	Suricata IDS: 2032777 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Server Response : 154.216.16.38:2404 -> 192.168.2.7:49704

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.kposlifestyle.design

Source: global traffic

TCP traffic: 192.168.2.7:49704 -> 154.216.16.38:2404

Source: global traffic

TCP traffic: 192.168.2.7:53968 -> 162.159.36.2:53

Source: global traffic

HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: Joe Sandbox View

IP Address: 178.237.33.50 178.237.33.50

Source: Joe Sandbox View

ASN Name: SKHT-ASShenzhenKatherineHengTechnologyInformationCo SKHT-ASShenzhenKatherineHengTechnologyInformationCo

Source: Network traffic

Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.7:49711 -> 178.237.33.50:80

Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe

Code function: 6_2_0040455B WaitForSingleObject,SetEvent,recv,

6_2_0040455B

Source: global traffic

HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: global traffic	DNS traffic detected: DNS query: www.kposlifestyle.design
Source: global traffic	DNS traffic detected: DNS query: geoplugin.net
Source: global traffic	DNS traffic detected: DNS query: 171.39.242.20.in-addr.arpa

Source: P87unxnF4t4DSrTt43.exe, 00000006.00000002.3780695534.0000000001434000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/
Source: P87unxnF4t4DSrTt43.exe, 00000006.00000002.3780449094.0000000001404000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp
Source: P87unxnF4t4DSrTt43.exe, 00000001.00000002.1341710478.0000000004B23000.00000004.00000800.00020000.00000000.sdmp, P87unxnF4t4DSrTt43.exe, 00000001.00000002.1341710478.00000000042B9000.00000004.00000800.00020000.00000000.sdmp, P87unxnF4t4DSrTt43.exe, 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp/C
Source: P87unxnF4t4DSrTt43.exe, 00000001.00000002.1341026272.00000000032F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to register a low level keyboard hook

Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe

Code function: 6_2_004099E4 SetWindowsHookExA 0000000D,004099D0,00000000

6_2_004099E4

Installs a global keyboard hook

Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe

Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe

Jump to behavior

Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe

Code function: 6_2_00415B5E OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

6_2_00415B5E

Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe

Code function: 6_2_00415B5E OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

6_2_00415B5E

Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe

Code function: 6_2_00415B5E OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

6_2_00415B5E

Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe

Code function: 6_2_00409B10 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,

6_2_00409B10

Source: Yara match	File source: 1.2.P87unxnF4t4DSrTt43.exe.4fa76d8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.P87unxnF4t4DSrTt43.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.P87unxnF4t4DSrTt43.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.P87unxnF4t4DSrTt43.exe.4fa76d8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.P87unxnF4t4DSrTt43.exe.4e2ea98.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.P87unxnF4t4DSrTt43.exe.4eeb0b8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1341710478.00000000042B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1341710478.0000000004B23000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: P87unxnF4t4DSrTt43.exe PID: 7644, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: P87unxnF4t4DSrTt43.exe PID: 7848, type: MEMORYSTR

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match	File source: 1.2.P87unxnF4t4DSrTt43.exe.4fa76d8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.P87unxnF4t4DSrTt43.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.P87unxnF4t4DSrTt43.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.P87unxnF4t4DSrTt43.exe.4fa76d8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.P87unxnF4t4DSrTt43.exe.4e2ea98.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.P87unxnF4t4DSrTt43.exe.4eeb0b8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.3780449094.00000000013C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1341710478.00000000042B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1341710478.0000000004B23000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: P87unxnF4t4DSrTt43.exe PID: 7644, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: P87unxnF4t4DSrTt43.exe PID: 7848, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\edefdefffff\logs.dat, type: DROPPED

Spam, unwanted Advertisements and Ransom Demands

Contains functionalty to change the wallpaper

Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe

Code function: 6_2_0041BD82 SystemParametersInfoW,

6_2_0041BD82

System Summary

Malicious sample detected (through community Yara rule)

Source: 1.2.P87unxnF4t4DSrTt43.exe.4fa76d8.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 1.2.P87unxnF4t4DSrTt43.exe.4fa76d8.3.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 1.2.P87unxnF4t4DSrTt43.exe.4fa76d8.3.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 6.2.P87unxnF4t4DSrTt43.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 6.2.P87unxnF4t4DSrTt43.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 6.2.P87unxnF4t4DSrTt43.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 6.2.P87unxnF4t4DSrTt43.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 6.2.P87unxnF4t4DSrTt43.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 6.2.P87unxnF4t4DSrTt43.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 1.2.P87unxnF4t4DSrTt43.exe.4fa76d8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 1.2.P87unxnF4t4DSrTt43.exe.4fa76d8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 1.2.P87unxnF4t4DSrTt43.exe.4e2ea98.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 1.2.P87unxnF4t4DSrTt43.exe.4e2ea98.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 1.2.P87unxnF4t4DSrTt43.exe.4eeb0b8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 1.2.P87unxnF4t4DSrTt43.exe.4eeb0b8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000001.00000002.1341710478.00000000042B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000001.00000002.1341710478.0000000004B23000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: P87unxnF4t4DSrTt43.exe PID: 7644, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: P87unxnF4t4DSrTt43.exe PID: 7848, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown

Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe

Code function: 6_2_00415A51 ExitWindowsEx,LoadLibraryA,GetProcAddress,

6_2_00415A51

Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Code function: 1_2_0184DC8C	1_2_0184DC8C
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Code function: 1_2_03062E68	1_2_03062E68
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Code function: 1_2_03066310	1_2_03066310
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Code function: 1_2_03066320	1_2_03066320
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Code function: 1_2_0306C708	1_2_0306C708
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Code function: 1_2_03068450	1_2_03068450
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Code function: 1_2_03067B0F	1_2_03067B0F
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Code function: 1_2_03067B20	1_2_03067B20
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Code function: 1_2_03065AB0	1_2_03065AB0
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Code function: 1_2_03062E59	1_2_03062E59
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Code function: 1_2_03065ED8	1_2_03065ED8
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Code function: 1_2_03065EE8	1_2_03065EE8
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Code function: 1_2_05776F48	1_2_05776F48
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Code function: 1_2_057702D8	1_2_057702D8
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Code function: 1_2_057702C8	1_2_057702C8
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Code function: 1_2_05776F38	1_2_05776F38
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Code function: 6_2_0043D04B	6_2_0043D04B
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Code function: 6_2_0042707E	6_2_0042707E
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Code function: 6_2_0041301D	6_2_0041301D
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Code function: 6_2_00441030	6_2_00441030
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Code function: 6_2_00453110	6_2_00453110
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Code function: 6_2_004271B8	6_2_004271B8
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Code function: 6_2_0041D27C	6_2_0041D27C
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Code function: 6_2_004522E2	6_2_004522E2
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Code function: 6_2_0043D2A8	6_2_0043D2A8
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Code function: 6_2_00437360	6_2_00437360
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Code function: 6_2_004363BA	6_2_004363BA
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Code function: 6_2_0042645F	6_2_0042645F
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Code function: 6_2_00431582	6_2_00431582
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Code function: 6_2_0043672C	6_2_0043672C
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Code function: 6_2_0041E7EA	6_2_0041E7EA
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Code function: 6_2_0044C949	6_2_0044C949
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Code function: 6_2_004269D6	6_2_004269D6
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Code function: 6_2_004369D6	6_2_004369D6
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Code function: 6_2_0043CBED	6_2_0043CBED
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Code function: 6_2_00432C54	6_2_00432C54
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Code function: 6_2_00436C9D	6_2_00436C9D
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Code function: 6_2_0043CE1C	6_2_0043CE1C
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Code function: 6_2_00436F58	6_2_00436F58
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Code function: 6_2_00434F32	6_2_00434F32

Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Code function: String function: 00401F66 appears 50 times
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Code function: String function: 004020E7 appears 40 times
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Code function: String function: 00433AB0 appears 41 times
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Code function: String function: 004341C0 appears 55 times

Source: P87unxnF4t4DSrTt43.exe, 00000001.00000002.1338994663.000000000161E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs P87unxnF4t4DSrTt43.exe
Source: P87unxnF4t4DSrTt43.exe, 00000001.00000002.1352629348.000000000B4C0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs P87unxnF4t4DSrTt43.exe
Source: P87unxnF4t4DSrTt43.exe, 00000001.00000000.1321081732.0000000000E12000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamesPiG.exe4 vs P87unxnF4t4DSrTt43.exe
Source: P87unxnF4t4DSrTt43.exe, 00000001.00000002.1341710478.0000000004B23000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs P87unxnF4t4DSrTt43.exe
Source: P87unxnF4t4DSrTt43.exe, 00000001.00000002.1348548828.0000000005D20000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs P87unxnF4t4DSrTt43.exe
Source: P87unxnF4t4DSrTt43.exe, 00000001.00000002.1349492914.0000000008CB8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePowerShell.EXEj% vs P87unxnF4t4DSrTt43.exe
Source: P87unxnF4t4DSrTt43.exe, 00000001.00000002.1341710478.00000000042B9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs P87unxnF4t4DSrTt43.exe
Source: P87unxnF4t4DSrTt43.exe	Binary or memory string: OriginalFilenamesPiG.exe4 vs P87unxnF4t4DSrTt43.exe

Source: P87unxnF4t4DSrTt43.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 1.2.P87unxnF4t4DSrTt43.exe.4fa76d8.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 1.2.P87unxnF4t4DSrTt43.exe.4fa76d8.3.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 1.2.P87unxnF4t4DSrTt43.exe.4fa76d8.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 6.2.P87unxnF4t4DSrTt43.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 6.2.P87unxnF4t4DSrTt43.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 6.2.P87unxnF4t4DSrTt43.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 6.2.P87unxnF4t4DSrTt43.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 6.2.P87unxnF4t4DSrTt43.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 6.2.P87unxnF4t4DSrTt43.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 1.2.P87unxnF4t4DSrTt43.exe.4fa76d8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 1.2.P87unxnF4t4DSrTt43.exe.4fa76d8.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 1.2.P87unxnF4t4DSrTt43.exe.4e2ea98.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 1.2.P87unxnF4t4DSrTt43.exe.4e2ea98.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 1.2.P87unxnF4t4DSrTt43.exe.4eeb0b8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 1.2.P87unxnF4t4DSrTt43.exe.4eeb0b8.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000001.00000002.1341710478.00000000042B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000001.00000002.1341710478.0000000004B23000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: P87unxnF4t4DSrTt43.exe PID: 7644, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: P87unxnF4t4DSrTt43.exe PID: 7848, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23

Source: P87unxnF4t4DSrTt43.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@7/8@3/2

Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe

Code function: 6_2_00416C9D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,

6_2_00416C9D

Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe

Code function: 6_2_0040E2F1 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle,

6_2_0040E2F1

Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe

Code function: 6_2_0041A84A FindResourceA,LoadResource,LockResource,SizeofResource,

6_2_0041A84A

Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe

Code function: 6_2_00419DBA OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

6_2_00419DBA

Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\P87unxnF4t4DSrTt43.exe.log

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Mutant created: \Sessions\1\BaseNamedObjects\Rmc-OH1QS4
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7840:120:WilError_03

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wuc2hjpp.f05.ps1

Jump to behavior

Source: P87unxnF4t4DSrTt43.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: P87unxnF4t4DSrTt43.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: P87unxnF4t4DSrTt43.exe	Virustotal: Detection: 31%
Source: P87unxnF4t4DSrTt43.exe	ReversingLabs: Detection: 31%

Source: unknown	Process created: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe "C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe"
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Process created: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe "C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe"	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Process created: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe "C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe"	Jump to behavior

Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: P87unxnF4t4DSrTt43.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: P87unxnF4t4DSrTt43.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: P87unxnF4t4DSrTt43.exe

Static file information: File size 1056768 > 1048576

Source: P87unxnF4t4DSrTt43.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x101600

Source: P87unxnF4t4DSrTt43.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: P87unxnF4t4DSrTt43.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: sPiG.pdbSHA256xsLF source: P87unxnF4t4DSrTt43.exe
Source:	Binary string: sPiG.pdb source: P87unxnF4t4DSrTt43.exe

Source: P87unxnF4t4DSrTt43.exe

Static PE information: 0xA23B2A12 [Sat Apr 1 03:46:26 2056 UTC]

Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe

Code function: 6_2_0041BEEE LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,

6_2_0041BEEE

Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Code function: 1_2_0184EEC2 push esp; iretd	1_2_0184EEC9
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Code function: 6_2_004560BF push ecx; ret	6_2_004560D2
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Code function: 6_2_00434206 push ecx; ret	6_2_00434219
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Code function: 6_2_0045E669 push ecx; ret	6_2_0045E67B
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Code function: 6_2_0045C9DD push esi; ret	6_2_0045C9E6
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Code function: 6_2_004569F0 push eax; ret	6_2_00456A0E

Source: P87unxnF4t4DSrTt43.exe

Static PE information: section name: .text entropy: 7.766809579204765

Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe

Code function: 6_2_00406128 ShellExecuteW,URLDownloadToFileW,

6_2_00406128

Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe

Code function: 6_2_00419DBA OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

6_2_00419DBA

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe

6_2_0041BEEE

Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: P87unxnF4t4DSrTt43.exe PID: 7644, type: MEMORYSTR

Delayed program exit found

Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe

Code function: 6_2_0040E627 Sleep,ExitProcess,

6_2_0040E627

Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Memory allocated: 1840000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Memory allocated: 32B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Memory allocated: 3060000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Memory allocated: 8E90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Memory allocated: 7640000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Memory allocated: 9E90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Memory allocated: AE90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Memory allocated: B580000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Memory allocated: C580000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Memory allocated: D580000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe

Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,

6_2_00419AB8

Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5908	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3717	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Window / User API: threadDelayed 936	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Window / User API: threadDelayed 8572	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Window / User API: foregroundWindowGot 1769	Jump to behavior

Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe TID: 7664	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8000	Thread sleep time: -7378697629483816s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe TID: 7908	Thread sleep time: -116000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe TID: 7912	Thread sleep time: -2808000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe TID: 7912	Thread sleep time: -25716000s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Code function: 6_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	6_2_0040B335
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Code function: 6_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	6_2_0040B53A
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Code function: 6_2_0041B63A FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,	6_2_0041B63A
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Code function: 6_2_0044D7F9 FindFirstFileExA,	6_2_0044D7F9
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Code function: 6_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,	6_2_004089A9
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Code function: 6_2_00406AC2 FindFirstFileW,FindNextFileW,	6_2_00406AC2
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Code function: 6_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,	6_2_00407A8C
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Code function: 6_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,	6_2_00408DA7
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Code function: 6_2_00418E5F FindFirstFileW,FindNextFileW,FindNextFileW,	6_2_00418E5F

Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe

Code function: 6_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

6_2_00406F06

Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: P87unxnF4t4DSrTt43.exe, 00000006.00000002.3780449094.00000000013C7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`)A
Source: P87unxnF4t4DSrTt43.exe, 00000006.00000002.3780695534.000000000143B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: P87unxnF4t4DSrTt43.exe, 00000006.00000002.3780449094.0000000001404000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWh

Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe

API call chain: ExitProcess graph end node

graph_6-49208

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe

Code function: 6_2_0043A86D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

6_2_0043A86D

Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe

6_2_0041BEEE

Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe

Code function: 6_2_00442764 mov eax, dword ptr fs:[00000030h]

6_2_00442764

Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe

Code function: 6_2_0044EB3E GetProcessHeap,

6_2_0044EB3E

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Code function: 6_2_00434378 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_00434378
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Code function: 6_2_0043A86D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_0043A86D
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Code function: 6_2_00433D4F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_00433D4F
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Code function: 6_2_00433EE2 SetUnhandledExceptionFilter,	6_2_00433EE2

Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe"
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe"			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe

Memory written: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe

Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe

6_2_0041100E

Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe

Code function: 6_2_0041894A mouse_event,

6_2_0041894A

Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe"			Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Process created: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe "C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe"			Jump to behavior

Source: P87unxnF4t4DSrTt43.exe, 00000006.00000002.3780449094.0000000001404000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: P87unxnF4t4DSrTt43.exe, 00000006.00000002.3780449094.00000000013C7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerS4\264
Source: P87unxnF4t4DSrTt43.exe, 00000006.00000002.3780449094.00000000013C7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerer
Source: P87unxnF4t4DSrTt43.exe, 00000006.00000002.3780449094.0000000001404000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager^F
Source: P87unxnF4t4DSrTt43.exe, 00000006.00000002.3780449094.0000000001404000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerSF
Source: P87unxnF4t4DSrTt43.exe, 00000006.00000002.3780449094.0000000001404000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManageruF
Source: P87unxnF4t4DSrTt43.exe, 00000006.00000002.3780449094.00000000013C7000.00000004.00000020.00020000.00000000.sdmp, P87unxnF4t4DSrTt43.exe, 00000006.00000002.3780449094.0000000001404000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \|Program Manager\|
Source: P87unxnF4t4DSrTt43.exe, 00000006.00000002.3780449094.00000000013C7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerS4\f1
Source: P87unxnF4t4DSrTt43.exe, 00000006.00000002.3780449094.0000000001404000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: bProgram ManagerZ^
Source: P87unxnF4t4DSrTt43.exe, 00000006.00000002.3780449094.00000000013C7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerS4\er
Source: P87unxnF4t4DSrTt43.exe, 00000006.00000002.3780449094.00000000013C7000.00000004.00000020.00020000.00000000.sdmp, logs.dat.6.dr	Binary or memory string: [Program Manager]

Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe

Code function: 6_2_00434015 cpuid

6_2_00434015

Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Code function: GetLocaleInfoA,	6_2_0040E751
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	6_2_0045107A
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Code function: GetLocaleInfoW,	6_2_004512CA
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Code function: EnumSystemLocalesW,	6_2_004472BE
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	6_2_004513F3
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Code function: GetLocaleInfoW,	6_2_004514FA
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	6_2_004515C7
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Code function: GetLocaleInfoW,	6_2_004477A7
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	6_2_00450C8F
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Code function: EnumSystemLocalesW,	6_2_00450F52
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Code function: EnumSystemLocalesW,	6_2_00450F07
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Code function: EnumSystemLocalesW,	6_2_00450FED

Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Queries volume information: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe

Code function: 6_2_00404915 GetLocalTime,CreateEventA,CreateThread,

6_2_00404915

Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe

Code function: 6_2_0041A9AD GetComputerNameExW,GetUserNameW,

6_2_0041A9AD

Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe

Code function: 6_2_0044804A _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

6_2_0044804A

Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Remcos RAT

Source: Yara match	File source: 1.2.P87unxnF4t4DSrTt43.exe.4fa76d8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.P87unxnF4t4DSrTt43.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.P87unxnF4t4DSrTt43.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.P87unxnF4t4DSrTt43.exe.4fa76d8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.P87unxnF4t4DSrTt43.exe.4e2ea98.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.P87unxnF4t4DSrTt43.exe.4eeb0b8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.3780449094.00000000013C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1341710478.00000000042B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1341710478.0000000004B23000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: P87unxnF4t4DSrTt43.exe PID: 7644, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: P87unxnF4t4DSrTt43.exe PID: 7848, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\edefdefffff\logs.dat, type: DROPPED

Contains functionality to steal Chrome passwords or cookies

Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe

Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data

6_2_0040B21B

Contains functionality to steal Firefox passwords or cookies

Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\		6_2_0040B335
Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe	Code function: \key3.db		6_2_0040B335

Remote Access Functionality

Detected Remcos RAT

Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe

Mutex created: \Sessions\1\BaseNamedObjects\Rmc-OH1QS4

Jump to behavior

Yara detected Remcos RAT

Source: Yara match	File source: 1.2.P87unxnF4t4DSrTt43.exe.4fa76d8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.P87unxnF4t4DSrTt43.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.P87unxnF4t4DSrTt43.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.P87unxnF4t4DSrTt43.exe.4fa76d8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.P87unxnF4t4DSrTt43.exe.4e2ea98.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.P87unxnF4t4DSrTt43.exe.4eeb0b8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.3780449094.00000000013C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1341710478.00000000042B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1341710478.0000000004B23000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: P87unxnF4t4DSrTt43.exe PID: 7644, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: P87unxnF4t4DSrTt43.exe PID: 7848, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\edefdefffff\logs.dat, type: DROPPED

Source: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe

Code function: cmd.exe

6_2_00405042

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	12 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Command and Scripting Interpreter	1 Windows Service	1 Bypass User Account Control	1 Deobfuscate/Decode Files or Information	211 Input Capture	1 Account Discovery	Remote Desktop Protocol	211 Input Capture	2 Encrypted Channel	Exfiltration Over Bluetooth	1 Defacement
Email Addresses	DNS Server	Domain Accounts	2 Service Execution	Logon Script (Windows)	1 Access Token Manipulation	3 Obfuscated Files or Information	2 Credentials In Files	1 System Service Discovery	SMB/Windows Admin Shares	3 Clipboard Data	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Windows Service	2 Software Packing	NTDS	3 File and Directory Discovery	Distributed Component Object Model	Input Capture	1 Remote Access Software	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	122 Process Injection	1 Timestomp	LSA Secrets	33 System Information Discovery	SSH	Keylogging	2 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	21 Security Software Discovery	VNC	GUI Input Capture	12 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Bypass User Account Control	DCSync	31 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Masquerading	Proc Filesystem	3 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	31 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Access Token Manipulation	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	122 Process Injection	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
P87unxnF4t4DSrTt43.exe	32%	Virustotal		Browse
P87unxnF4t4DSrTt43.exe	32%	ReversingLabs
P87unxnF4t4DSrTt43.exe	100%	Avira	HEUR/AGEN.1309499
P87unxnF4t4DSrTt43.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
www.kposlifestyle.design	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
www.kposlifestyle.design	154.216.16.38	true	true	unknown
geoplugin.net	178.237.33.50	true	false	high
171.39.242.20.in-addr.arpa	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://geoplugin.net/json.gp	false		high
www.kposlifestyle.design	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://geoplugin.net/	P87unxnF4t4DSrTt43.exe, 00000006.00000002.3780695534.0000000001434000.00000004.00000020.00020000.00000000.sdmp	false	high
http://geoplugin.net/json.gp/C	P87unxnF4t4DSrTt43.exe, 00000001.00000002.1341710478.0000000004B23000.00000004.00000800.00020000.00000000.sdmp, P87unxnF4t4DSrTt43.exe, 00000001.00000002.1341710478.00000000042B9000.00000004.00000800.00020000.00000000.sdmp, P87unxnF4t4DSrTt43.exe, 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	P87unxnF4t4DSrTt43.exe, 00000001.00000002.1341026272.00000000032F8000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
178.237.33.50	geoplugin.net	Netherlands		8455	ATOM86-ASATOM86NL	false
154.216.16.38	www.kposlifestyle.design	Seychelles		135357	SKHT-ASShenzhenKatherineHengTechnologyInformationCo	true

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1592534
Start date and time:	2025-01-16 09:08:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 56s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	P87unxnF4t4DSrTt43.exe
Detection:	MAL
Classification:	mal100.rans.troj.spyw.expl.evad.winEXE@7/8@3/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 84 Number of non-executed functions: 184
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 184.28.90.27, 4.175.87.197, 20.242.39.171, 4.245.163.56
Excluded domains from analysis (whitelisted): fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
03:09:10	API Interceptor	7431451x Sleep call for process: P87unxnF4t4DSrTt43.exe modified
03:09:11	API Interceptor	15x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
178.237.33.50	1736928426c18fddec09a2865189863f874127ef0886c6a264008603d3a139c5bad971edfc789.dat-decoded.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	LrBF2Z930N.exe	Get hash	malicious	Remcos, GuLoader	Browse	geoplugin.net/json.gp
	2T10XBqS6g.exe	Get hash	malicious	Remcos, GuLoader	Browse	geoplugin.net/json.gp
	preliminary drawing.pif.exe	Get hash	malicious	Remcos, PureLog Stealer	Browse	geoplugin.net/json.gp
	verynicegirlwalkingarounftheworldmuuuah.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	geoplugin.net/json.gp
	plugmancrypted.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	documents.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	17366735083ba4993c0ae9322c32aacf9286de757a918f634b522467c19ad3da2352651d39438.dat-decoded.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	c2.hta	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	c2.hta	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.kposlifestyle.design	plugmancrypted.exe	Get hash	malicious	Remcos	Browse	154.216.16.38
geoplugin.net	1736928426c18fddec09a2865189863f874127ef0886c6a264008603d3a139c5bad971edfc789.dat-decoded.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	LrBF2Z930N.exe	Get hash	malicious	Remcos, GuLoader	Browse	178.237.33.50
	2T10XBqS6g.exe	Get hash	malicious	Remcos, GuLoader	Browse	178.237.33.50
	preliminary drawing.pif.exe	Get hash	malicious	Remcos, PureLog Stealer	Browse	178.237.33.50
	verynicegirlwalkingarounftheworldmuuuah.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	178.237.33.50
	plugmancrypted.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	documents.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	17366735083ba4993c0ae9322c32aacf9286de757a918f634b522467c19ad3da2352651d39438.dat-decoded.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	c2.hta	Get hash	malicious	Remcos	Browse	178.237.33.50
	c2.hta	Get hash	malicious	Remcos	Browse	178.237.33.50

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SKHT-ASShenzhenKatherineHengTechnologyInformationCo	new.bat	Get hash	malicious	Unknown	Browse	154.216.17.175
	https://caringforyousupport.com.au/Receipt536354.php	Get hash	malicious	WinSearchAbuse	Browse	154.216.17.175
	https://9817157365.com/	Get hash	malicious	Unknown	Browse	160.202.168.107
	plugmancrypted.exe	Get hash	malicious	Remcos	Browse	154.216.16.38
	1E3Vcm2yrA.exe	Get hash	malicious	RHADAMANTHYS	Browse	154.216.18.169
	icivfhp7cR.exe	Get hash	malicious	GhostRat	Browse	45.207.211.42
	6.elf	Get hash	malicious	Unknown	Browse	154.211.34.18
	wind.mpsl.elf	Get hash	malicious	Mirai	Browse	154.216.16.103
	wind.arm.elf	Get hash	malicious	Mirai	Browse	154.216.16.103
	wind.x86.elf	Get hash	malicious	Mirai	Browse	154.216.16.103
ATOM86-ASATOM86NL	1736928426c18fddec09a2865189863f874127ef0886c6a264008603d3a139c5bad971edfc789.dat-decoded.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	LrBF2Z930N.exe	Get hash	malicious	Remcos, GuLoader	Browse	178.237.33.50
	2T10XBqS6g.exe	Get hash	malicious	Remcos, GuLoader	Browse	178.237.33.50
	preliminary drawing.pif.exe	Get hash	malicious	Remcos, PureLog Stealer	Browse	178.237.33.50
	verynicegirlwalkingarounftheworldmuuuah.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	178.237.33.50
	plugmancrypted.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	documents.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	17366735083ba4993c0ae9322c32aacf9286de757a918f634b522467c19ad3da2352651d39438.dat-decoded.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	c.hta	Get hash	malicious	Remcos	Browse	178.237.33.50
	c2.hta	Get hash	malicious	Remcos	Browse	178.237.33.50

Process:	C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe
File Type:	data
Category:	dropped
Size (bytes):	144
Entropy (8bit):	3.3683413243328855
Encrypted:	false
SSDEEP:	3:rglsIlfVl1liqlDl5JWRal2Jl+7R0DAlBG45klovDl6v:Mls4tliql55YcIeeDAlOWAv
MD5:	3E54DBDF72CF465A11387B15F64743C5
SHA1:	102C4459595FD05992F0226C6392A8ABB2686002
SHA-256:	809E601A1CE0E0B11EC92B803EF42FAC1947A030FF1184BCE6C1EBBD6257074B
SHA-512:	F58EB76C3147599346B93D53418AB87E46A8BBFE42B359BFC86104A770A77CD8C9797ABF6663910A9CAB7E16ABDB2A724B9A168558152836DCB570B14B4AC7A0
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\edefdefffff\logs.dat, Author: Joe Security
Reputation:	low
Preview:	....[.2.0.2.5./.0.1./.1.6. .0.3.:.0.9.:.1.0. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\P87unxnF4t4DSrTt43.exe.log

Download File

Process:	C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\json[1].json

Download File

Process:	C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	963
Entropy (8bit):	5.018421233492188
Encrypted:	false
SSDEEP:	12:tkluWJmnd6UGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkv:qlupdVauKyGX85jvXhNlT3/7XcV7Wro
MD5:	EB2FF94DBB57A448547893913F07269C
SHA1:	DF7B8498413BA06578D4743941ED5664A88945FC
SHA-256:	0FAD6CBFD4862A474081C36DF3E5E29F45A5EAC652C02BEF9E3637A7EB388B96
SHA-512:	F2D29C38E688792AC270E45DC9213ED1C58ACEE67B7C18F4873296A9FC3D1B2F79B317712EFBCB1CDC9A637070C87605DE39387B5246A7B9644B15EF25494374
Malicious:	false
Reputation:	low
Preview:	{. "geoplugin_request":"8.46.123.189",. "geoplugin_status":200,. "geoplugin_delay":"2ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7126",. "geoplugin_longitude":"-74.0066",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.3810236212315665
Encrypted:	false
SSDEEP:	48:lylWSU4xympgv4RIoUP7gZ9tK8NPZHUx7u1iMugeC/ZPUyus:lGLHxv2IfLZ2KRH6Oug8s
MD5:	46CFAD7E103735ABA6646E3E9F6012AF
SHA1:	F864D5F42D478A79AF32EAE14B87265DE193A851
SHA-256:	55D9A9F40CF5657C548085C6C2472DF452CF3B1A75515C52F59D8853C5F39E74
SHA-512:	8AE818C136BC9AD5A375BDF9B7688C900C8CBE69A17660D428618259E680F338557E5DFF9897E1414E95E2AB1F5B9792965C20FAB7320648FB0B430C10F81A48
Malicious:	false
Preview:	@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fpvoot1b.eeu.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_k0vj2alo.4fb.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_l00yxfxh.rkr.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wuc2hjpp.f05.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.7628064558005425
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	P87unxnF4t4DSrTt43.exe
File size:	1'056'768 bytes
MD5:	51bb5f38593e255c16ab2712757cda43
SHA1:	458fbe81fed707852864c3bcc4997b27d6a65832
SHA256:	1c80bf8e780ae58203e7f816c8fe04f66df434a3fbd981ba7c6e52e588622c03
SHA512:	80d2f4464d5f036000318ef6ba43b23c8e5576c67989b0097adbf13545b790df1340937d1f7f67d0d8630b2f80c8b85e3286032554868424d2bb5612fda6dcf9
SSDEEP:	12288:O8iWXV7O7jJlohi9cptOybLZG6OHGw2/EvK6hxshTAaZpAWLq8uFTF+cMSIsYSv/:FO7jX+pRblGp1vKMuhtTk0sYyKvwTm
TLSH:	F625E0D03B3A7711DDA8B670853AEDB863642D78B000B9E76DDD2B8772DD2029A1CF45
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....*;...............0..............4... ...@....@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x5034d6
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xA23B2A12 [Sat Apr 1 03:46:26 2056 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
lodsd
fiadd word ptr [eax]
add bh, ch
mov esi, CAFE0000h
add byte ptr [eax], al
mov esi, 000000BAh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x103482	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x104000	0x59c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x106000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x10192c	0x70	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x1014ec	0x101600	9588b383f3856961598132975491c318	False	0.8985001062408936	data	7.766809579204765	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x104000	0x59c	0x600	9984a5aa55d43e1c3a4ee986ab63fccc	False	0.4186197916666667	data	4.048277443839362	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x106000	0xc	0x200	933092226d15491ad21b816062fd25fc	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x104090	0x30c	data			0.4371794871794872
RT_MANIFEST	0x1043ac	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-16T09:09:11.893824+0100	2032776	ET MALWARE Remcos 3.x Unencrypted Checkin	1	192.168.2.7	49704	154.216.16.38	2404	TCP
2025-01-16T09:09:12.574650+0100	2032777	ET MALWARE Remcos 3.x Unencrypted Server Response	1	154.216.16.38	2404	192.168.2.7	49704	TCP
2025-01-16T09:09:14.094112+0100	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	3	192.168.2.7	49711	178.237.33.50	80	TCP
2025-01-16T09:11:13.522732+0100	2032777	ET MALWARE Remcos 3.x Unencrypted Server Response	1	154.216.16.38	2404	192.168.2.7	49704	TCP
2025-01-16T09:13:13.617447+0100	2032777	ET MALWARE Remcos 3.x Unencrypted Server Response	1	154.216.16.38	2404	192.168.2.7	49704	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 16, 2025 09:09:11.879291058 CET	49704	2404	192.168.2.7	154.216.16.38
Jan 16, 2025 09:09:11.885814905 CET	2404	49704	154.216.16.38	192.168.2.7
Jan 16, 2025 09:09:11.885926962 CET	49704	2404	192.168.2.7	154.216.16.38
Jan 16, 2025 09:09:11.893824100 CET	49704	2404	192.168.2.7	154.216.16.38
Jan 16, 2025 09:09:11.900541067 CET	2404	49704	154.216.16.38	192.168.2.7
Jan 16, 2025 09:09:12.574650049 CET	2404	49704	154.216.16.38	192.168.2.7
Jan 16, 2025 09:09:12.577589035 CET	49704	2404	192.168.2.7	154.216.16.38
Jan 16, 2025 09:09:12.582659006 CET	2404	49704	154.216.16.38	192.168.2.7
Jan 16, 2025 09:09:12.731219053 CET	2404	49704	154.216.16.38	192.168.2.7
Jan 16, 2025 09:09:12.779105902 CET	49704	2404	192.168.2.7	154.216.16.38
Jan 16, 2025 09:09:13.135574102 CET	2404	49704	154.216.16.38	192.168.2.7
Jan 16, 2025 09:09:13.144855022 CET	49704	2404	192.168.2.7	154.216.16.38
Jan 16, 2025 09:09:13.149591923 CET	2404	49704	154.216.16.38	192.168.2.7
Jan 16, 2025 09:09:13.464845896 CET	49711	80	192.168.2.7	178.237.33.50
Jan 16, 2025 09:09:13.471061945 CET	80	49711	178.237.33.50	192.168.2.7
Jan 16, 2025 09:09:13.471189976 CET	49711	80	192.168.2.7	178.237.33.50
Jan 16, 2025 09:09:13.471362114 CET	49711	80	192.168.2.7	178.237.33.50
Jan 16, 2025 09:09:13.477149963 CET	80	49711	178.237.33.50	192.168.2.7
Jan 16, 2025 09:09:14.093965054 CET	80	49711	178.237.33.50	192.168.2.7
Jan 16, 2025 09:09:14.094111919 CET	49711	80	192.168.2.7	178.237.33.50
Jan 16, 2025 09:09:14.103810072 CET	49704	2404	192.168.2.7	154.216.16.38
Jan 16, 2025 09:09:14.108633995 CET	2404	49704	154.216.16.38	192.168.2.7
Jan 16, 2025 09:09:15.090734959 CET	80	49711	178.237.33.50	192.168.2.7
Jan 16, 2025 09:09:15.090795994 CET	49711	80	192.168.2.7	178.237.33.50
Jan 16, 2025 09:09:42.631088018 CET	53968	53	192.168.2.7	162.159.36.2
Jan 16, 2025 09:09:42.635951042 CET	53	53968	162.159.36.2	192.168.2.7
Jan 16, 2025 09:09:42.636046886 CET	53968	53	192.168.2.7	162.159.36.2
Jan 16, 2025 09:09:42.640948057 CET	53	53968	162.159.36.2	192.168.2.7
Jan 16, 2025 09:09:43.101061106 CET	53968	53	192.168.2.7	162.159.36.2
Jan 16, 2025 09:09:43.106414080 CET	53	53968	162.159.36.2	192.168.2.7
Jan 16, 2025 09:09:43.106519938 CET	53968	53	192.168.2.7	162.159.36.2
Jan 16, 2025 09:09:43.235460997 CET	2404	49704	154.216.16.38	192.168.2.7
Jan 16, 2025 09:09:43.238955021 CET	49704	2404	192.168.2.7	154.216.16.38
Jan 16, 2025 09:09:43.243805885 CET	2404	49704	154.216.16.38	192.168.2.7
Jan 16, 2025 09:10:13.367706060 CET	2404	49704	154.216.16.38	192.168.2.7
Jan 16, 2025 09:10:13.369081020 CET	49704	2404	192.168.2.7	154.216.16.38
Jan 16, 2025 09:10:13.373910904 CET	2404	49704	154.216.16.38	192.168.2.7
Jan 16, 2025 09:10:43.483475924 CET	2404	49704	154.216.16.38	192.168.2.7
Jan 16, 2025 09:10:43.484941006 CET	49704	2404	192.168.2.7	154.216.16.38
Jan 16, 2025 09:10:43.489828110 CET	2404	49704	154.216.16.38	192.168.2.7
Jan 16, 2025 09:11:03.421741962 CET	49711	80	192.168.2.7	178.237.33.50
Jan 16, 2025 09:11:03.826942921 CET	49711	80	192.168.2.7	178.237.33.50
Jan 16, 2025 09:11:04.468012094 CET	49711	80	192.168.2.7	178.237.33.50
Jan 16, 2025 09:11:05.827761889 CET	49711	80	192.168.2.7	178.237.33.50
Jan 16, 2025 09:11:08.297375917 CET	49711	80	192.168.2.7	178.237.33.50
Jan 16, 2025 09:11:13.123910904 CET	49711	80	192.168.2.7	178.237.33.50
Jan 16, 2025 09:11:13.522732019 CET	2404	49704	154.216.16.38	192.168.2.7
Jan 16, 2025 09:11:13.527832985 CET	49704	2404	192.168.2.7	154.216.16.38
Jan 16, 2025 09:11:13.532800913 CET	2404	49704	154.216.16.38	192.168.2.7
Jan 16, 2025 09:11:22.827121973 CET	49711	80	192.168.2.7	178.237.33.50
Jan 16, 2025 09:11:43.551197052 CET	2404	49704	154.216.16.38	192.168.2.7
Jan 16, 2025 09:11:43.552529097 CET	49704	2404	192.168.2.7	154.216.16.38
Jan 16, 2025 09:11:43.557451963 CET	2404	49704	154.216.16.38	192.168.2.7
Jan 16, 2025 09:12:13.582009077 CET	2404	49704	154.216.16.38	192.168.2.7
Jan 16, 2025 09:12:13.584347963 CET	49704	2404	192.168.2.7	154.216.16.38
Jan 16, 2025 09:12:13.589211941 CET	2404	49704	154.216.16.38	192.168.2.7
Jan 16, 2025 09:12:43.611133099 CET	2404	49704	154.216.16.38	192.168.2.7
Jan 16, 2025 09:12:43.612276077 CET	49704	2404	192.168.2.7	154.216.16.38
Jan 16, 2025 09:12:43.617166042 CET	2404	49704	154.216.16.38	192.168.2.7
Jan 16, 2025 09:13:12.266017914 CET	2404	49704	154.216.16.38	192.168.2.7
Jan 16, 2025 09:13:12.267648935 CET	54065	2404	192.168.2.7	154.216.16.38
Jan 16, 2025 09:13:12.272551060 CET	2404	54065	154.216.16.38	192.168.2.7
Jan 16, 2025 09:13:12.272625923 CET	54065	2404	192.168.2.7	154.216.16.38
Jan 16, 2025 09:13:12.272675037 CET	54065	2404	192.168.2.7	154.216.16.38
Jan 16, 2025 09:13:12.277395010 CET	2404	54065	154.216.16.38	192.168.2.7
Jan 16, 2025 09:13:12.307075024 CET	49704	2404	192.168.2.7	154.216.16.38
Jan 16, 2025 09:13:12.424154997 CET	2404	49704	154.216.16.38	192.168.2.7
Jan 16, 2025 09:13:12.428843975 CET	54066	2404	192.168.2.7	154.216.16.38
Jan 16, 2025 09:13:12.434407949 CET	2404	54066	154.216.16.38	192.168.2.7
Jan 16, 2025 09:13:12.434493065 CET	54066	2404	192.168.2.7	154.216.16.38
Jan 16, 2025 09:13:12.434582949 CET	54066	2404	192.168.2.7	154.216.16.38
Jan 16, 2025 09:13:12.440412045 CET	2404	54066	154.216.16.38	192.168.2.7
Jan 16, 2025 09:13:12.509330034 CET	54066	2404	192.168.2.7	154.216.16.38
Jan 16, 2025 09:13:12.514915943 CET	2404	54066	154.216.16.38	192.168.2.7
Jan 16, 2025 09:13:12.514931917 CET	2404	54066	154.216.16.38	192.168.2.7
Jan 16, 2025 09:13:12.514940977 CET	2404	54066	154.216.16.38	192.168.2.7
Jan 16, 2025 09:13:12.514950037 CET	2404	54066	154.216.16.38	192.168.2.7
Jan 16, 2025 09:13:12.514971972 CET	2404	54066	154.216.16.38	192.168.2.7
Jan 16, 2025 09:13:12.514981985 CET	2404	54066	154.216.16.38	192.168.2.7
Jan 16, 2025 09:13:12.514991045 CET	2404	54066	154.216.16.38	192.168.2.7
Jan 16, 2025 09:13:12.515001059 CET	2404	54066	154.216.16.38	192.168.2.7
Jan 16, 2025 09:13:12.515005112 CET	2404	54066	154.216.16.38	192.168.2.7
Jan 16, 2025 09:13:12.515006065 CET	54066	2404	192.168.2.7	154.216.16.38
Jan 16, 2025 09:13:12.515017986 CET	2404	54066	154.216.16.38	192.168.2.7
Jan 16, 2025 09:13:12.515038013 CET	54066	2404	192.168.2.7	154.216.16.38
Jan 16, 2025 09:13:12.519900084 CET	2404	54066	154.216.16.38	192.168.2.7
Jan 16, 2025 09:13:12.519912958 CET	2404	54066	154.216.16.38	192.168.2.7
Jan 16, 2025 09:13:12.519932032 CET	2404	54066	154.216.16.38	192.168.2.7
Jan 16, 2025 09:13:12.519941092 CET	2404	54066	154.216.16.38	192.168.2.7
Jan 16, 2025 09:13:12.519952059 CET	2404	54066	154.216.16.38	192.168.2.7
Jan 16, 2025 09:13:12.562516928 CET	2404	54066	154.216.16.38	192.168.2.7
Jan 16, 2025 09:13:12.603192091 CET	49704	2404	192.168.2.7	154.216.16.38
Jan 16, 2025 09:13:13.281445980 CET	54065	2404	192.168.2.7	154.216.16.38
Jan 16, 2025 09:13:13.286389112 CET	2404	54065	154.216.16.38	192.168.2.7
Jan 16, 2025 09:13:13.490134954 CET	2404	54066	154.216.16.38	192.168.2.7
Jan 16, 2025 09:13:13.524090052 CET	54066	2404	192.168.2.7	154.216.16.38
Jan 16, 2025 09:13:13.528975964 CET	2404	54066	154.216.16.38	192.168.2.7
Jan 16, 2025 09:13:13.529028893 CET	2404	54066	154.216.16.38	192.168.2.7
Jan 16, 2025 09:13:13.529037952 CET	2404	54066	154.216.16.38	192.168.2.7
Jan 16, 2025 09:13:13.529052973 CET	2404	54066	154.216.16.38	192.168.2.7
Jan 16, 2025 09:13:13.529062033 CET	2404	54066	154.216.16.38	192.168.2.7
Jan 16, 2025 09:13:13.529064894 CET	2404	54066	154.216.16.38	192.168.2.7
Jan 16, 2025 09:13:13.529072046 CET	2404	54066	154.216.16.38	192.168.2.7
Jan 16, 2025 09:13:13.529104948 CET	2404	54066	154.216.16.38	192.168.2.7
Jan 16, 2025 09:13:13.529114008 CET	2404	54066	154.216.16.38	192.168.2.7
Jan 16, 2025 09:13:13.529124022 CET	2404	54066	154.216.16.38	192.168.2.7
Jan 16, 2025 09:13:13.529145002 CET	2404	54066	154.216.16.38	192.168.2.7
Jan 16, 2025 09:13:13.529225111 CET	2404	54066	154.216.16.38	192.168.2.7
Jan 16, 2025 09:13:13.529233932 CET	2404	54066	154.216.16.38	192.168.2.7
Jan 16, 2025 09:13:13.529237032 CET	2404	54066	154.216.16.38	192.168.2.7
Jan 16, 2025 09:13:13.529244900 CET	2404	54066	154.216.16.38	192.168.2.7
Jan 16, 2025 09:13:13.529256105 CET	2404	54066	154.216.16.38	192.168.2.7
Jan 16, 2025 09:13:13.529270887 CET	2404	54066	154.216.16.38	192.168.2.7
Jan 16, 2025 09:13:13.529279947 CET	2404	54066	154.216.16.38	192.168.2.7
Jan 16, 2025 09:13:13.529720068 CET	2404	54066	154.216.16.38	192.168.2.7
Jan 16, 2025 09:13:13.617446899 CET	2404	49704	154.216.16.38	192.168.2.7
Jan 16, 2025 09:13:13.621645927 CET	49704	2404	192.168.2.7	154.216.16.38
Jan 16, 2025 09:13:13.626545906 CET	2404	49704	154.216.16.38	192.168.2.7
Jan 16, 2025 09:13:14.297409058 CET	54065	2404	192.168.2.7	154.216.16.38
Jan 16, 2025 09:13:14.302217007 CET	2404	54065	154.216.16.38	192.168.2.7
Jan 16, 2025 09:13:14.501024008 CET	2404	54066	154.216.16.38	192.168.2.7
Jan 16, 2025 09:13:14.554748058 CET	54066	2404	192.168.2.7	154.216.16.38
Jan 16, 2025 09:13:14.559659004 CET	2404	54066	154.216.16.38	192.168.2.7
Jan 16, 2025 09:13:14.559679985 CET	2404	54066	154.216.16.38	192.168.2.7
Jan 16, 2025 09:13:14.559751987 CET	2404	54066	154.216.16.38	192.168.2.7
Jan 16, 2025 09:13:14.559763908 CET	2404	54066	154.216.16.38	192.168.2.7
Jan 16, 2025 09:13:14.559808969 CET	2404	54066	154.216.16.38	192.168.2.7
Jan 16, 2025 09:13:14.559820890 CET	2404	54066	154.216.16.38	192.168.2.7
Jan 16, 2025 09:13:14.559858084 CET	2404	54066	154.216.16.38	192.168.2.7
Jan 16, 2025 09:13:14.559870005 CET	2404	54066	154.216.16.38	192.168.2.7
Jan 16, 2025 09:13:14.559912920 CET	2404	54066	154.216.16.38	192.168.2.7
Jan 16, 2025 09:13:14.559923887 CET	2404	54066	154.216.16.38	192.168.2.7
Jan 16, 2025 09:13:14.559962988 CET	2404	54066	154.216.16.38	192.168.2.7
Jan 16, 2025 09:13:14.559974909 CET	2404	54066	154.216.16.38	192.168.2.7
Jan 16, 2025 09:13:14.560009003 CET	2404	54066	154.216.16.38	192.168.2.7
Jan 16, 2025 09:13:14.560019970 CET	2404	54066	154.216.16.38	192.168.2.7
Jan 16, 2025 09:13:14.560064077 CET	2404	54066	154.216.16.38	192.168.2.7
Jan 16, 2025 09:13:14.560075998 CET	2404	54066	154.216.16.38	192.168.2.7
Jan 16, 2025 09:13:14.560112000 CET	2404	54066	154.216.16.38	192.168.2.7
Jan 16, 2025 09:13:14.560122967 CET	2404	54066	154.216.16.38	192.168.2.7
Jan 16, 2025 09:13:14.560153008 CET	2404	54066	154.216.16.38	192.168.2.7
Jan 16, 2025 09:13:14.560164928 CET	2404	54066	154.216.16.38	192.168.2.7
Jan 16, 2025 09:13:14.560245037 CET	2404	54066	154.216.16.38	192.168.2.7
Jan 16, 2025 09:13:14.560256958 CET	2404	54066	154.216.16.38	192.168.2.7
Jan 16, 2025 09:13:15.312736988 CET	54065	2404	192.168.2.7	154.216.16.38
Jan 16, 2025 09:13:15.317548990 CET	2404	54065	154.216.16.38	192.168.2.7
Jan 16, 2025 09:13:15.516422987 CET	2404	54066	154.216.16.38	192.168.2.7
Jan 16, 2025 09:13:15.554541111 CET	54066	2404	192.168.2.7	154.216.16.38
Jan 16, 2025 09:13:15.559403896 CET	2404	54066	154.216.16.38	192.168.2.7
Jan 16, 2025 09:13:15.559427023 CET	2404	54066	154.216.16.38	192.168.2.7
Jan 16, 2025 09:13:15.559505939 CET	2404	54066	154.216.16.38	192.168.2.7
Jan 16, 2025 09:13:15.559542894 CET	2404	54066	154.216.16.38	192.168.2.7
Jan 16, 2025 09:13:15.559600115 CET	2404	54066	154.216.16.38	192.168.2.7
Jan 16, 2025 09:13:15.559612036 CET	2404	54066	154.216.16.38	192.168.2.7
Jan 16, 2025 09:13:15.559643030 CET	2404	54066	154.216.16.38	192.168.2.7
Jan 16, 2025 09:13:15.559654951 CET	2404	54066	154.216.16.38	192.168.2.7
Jan 16, 2025 09:13:15.559716940 CET	2404	54066	154.216.16.38	192.168.2.7
Jan 16, 2025 09:13:15.559729099 CET	2404	54066	154.216.16.38	192.168.2.7
Jan 16, 2025 09:13:15.559757948 CET	2404	54066	154.216.16.38	192.168.2.7
Jan 16, 2025 09:13:15.559770107 CET	2404	54066	154.216.16.38	192.168.2.7
Jan 16, 2025 09:13:15.559806108 CET	2404	54066	154.216.16.38	192.168.2.7
Jan 16, 2025 09:13:15.559817076 CET	2404	54066	154.216.16.38	192.168.2.7
Jan 16, 2025 09:13:15.559861898 CET	2404	54066	154.216.16.38	192.168.2.7
Jan 16, 2025 09:13:15.559874058 CET	2404	54066	154.216.16.38	192.168.2.7
Jan 16, 2025 09:13:15.559901953 CET	2404	54066	154.216.16.38	192.168.2.7
Jan 16, 2025 09:13:15.559914112 CET	2404	54066	154.216.16.38	192.168.2.7
Jan 16, 2025 09:13:15.559979916 CET	2404	54066	154.216.16.38	192.168.2.7
Jan 16, 2025 09:13:15.559994936 CET	2404	54066	154.216.16.38	192.168.2.7
Jan 16, 2025 09:13:15.560020924 CET	2404	54066	154.216.16.38	192.168.2.7
Jan 16, 2025 09:13:15.560033083 CET	2404	54066	154.216.16.38	192.168.2.7
Jan 16, 2025 09:13:16.626673937 CET	2404	49704	154.216.16.38	192.168.2.7
Jan 16, 2025 09:13:16.644028902 CET	54065	2404	192.168.2.7	154.216.16.38
Jan 16, 2025 09:13:16.648885965 CET	2404	54065	154.216.16.38	192.168.2.7
Jan 16, 2025 09:13:16.705784082 CET	49704	2404	192.168.2.7	154.216.16.38
Jan 16, 2025 09:13:16.705919981 CET	54065	2404	192.168.2.7	154.216.16.38
Jan 16, 2025 09:13:16.706548929 CET	54066	2404	192.168.2.7	154.216.16.38

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 16, 2025 09:09:11.833790064 CET	61145	53	192.168.2.7	1.1.1.1
Jan 16, 2025 09:09:11.844716072 CET	53	61145	1.1.1.1	192.168.2.7
Jan 16, 2025 09:09:13.453501940 CET	58004	53	192.168.2.7	1.1.1.1
Jan 16, 2025 09:09:13.461399078 CET	53	58004	1.1.1.1	192.168.2.7
Jan 16, 2025 09:09:42.630348921 CET	53	55492	162.159.36.2	192.168.2.7
Jan 16, 2025 09:09:43.115272045 CET	65152	53	192.168.2.7	1.1.1.1
Jan 16, 2025 09:09:43.122430086 CET	53	65152	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 16, 2025 09:09:11.833790064 CET	192.168.2.7	1.1.1.1	0x917b	Standard query (0)	www.kposlifestyle.design	A (IP address)	IN (0x0001)	false
Jan 16, 2025 09:09:13.453501940 CET	192.168.2.7	1.1.1.1	0xf208	Standard query (0)	geoplugin.net	A (IP address)	IN (0x0001)	false
Jan 16, 2025 09:09:43.115272045 CET	192.168.2.7	1.1.1.1	0xb12f	Standard query (0)	171.39.242.20.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 16, 2025 09:09:11.844716072 CET	1.1.1.1	192.168.2.7	0x917b	No error (0)	www.kposlifestyle.design		154.216.16.38	A (IP address)	IN (0x0001)	false
Jan 16, 2025 09:09:13.461399078 CET	1.1.1.1	192.168.2.7	0xf208	No error (0)	geoplugin.net		178.237.33.50	A (IP address)	IN (0x0001)	false
Jan 16, 2025 09:09:43.122430086 CET	1.1.1.1	192.168.2.7	0xb12f	Name error (3)	171.39.242.20.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false

HTTP Request Dependency Graph

geoplugin.net

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49711	178.237.33.50	80	7848	C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe

Timestamp	Bytes transferred	Direction	Data
Jan 16, 2025 09:09:13.471362114 CET	71	OUT	GET /json.gp HTTP/1.1 Host: geoplugin.net Cache-Control: no-cache
Jan 16, 2025 09:09:14.093965054 CET	1171	IN	HTTP/1.1 200 OK date: Thu, 16 Jan 2025 08:09:14 GMT server: Apache content-length: 963 content-type: application/json; charset=utf-8 cache-control: public, max-age=300 access-control-allow-origin: * Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 32 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 [TRUNCATED] Data Ascii: { "geoplugin_request":"8.46.123.189", "geoplugin_status":200, "geoplugin_delay":"2ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7126", "geoplugin_longitude":"-74.0066", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}

Target ID:	1
Start time:	03:09:09
Start date:	16/01/2025
Path:	C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe"
Imagebase:	0xe10000
File size:	1'056'768 bytes
MD5 hash:	51BB5F38593E255C16AB2712757CDA43
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000001.00000002.1341710478.00000000042B9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000001.00000002.1341710478.00000000042B9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000001.00000002.1341710478.00000000042B9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000001.00000002.1341710478.00000000042B9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000001.00000002.1341710478.0000000004B23000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000001.00000002.1341710478.0000000004B23000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000001.00000002.1341710478.0000000004B23000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000001.00000002.1341710478.0000000004B23000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	03:09:10
Start date:	16/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe"
Imagebase:	0x300000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	03:09:10
Start date:	16/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	03:09:10
Start date:	16/01/2025
Path:	C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe"
Imagebase:	0xc80000
File size:	1'056'768 bytes
MD5 hash:	51BB5F38593E255C16AB2712757CDA43
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000006.00000002.3780449094.00000000013C7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	03:09:12
Start date:	16/01/2025
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff7fb730000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	11%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	1.9%
Total number of Nodes:	322
Total number of Limit Nodes:	21

Executed Functions

Function 05776F48 Relevance: 3.4, Strings: 1, Instructions: 2164
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$Aq, xrefs: 05777CB0

Memory Dump Source

Source File: 00000001.00000002.1346233596.0000000005770000.00000040.00000800.00020000.00000000.sdmp, Offset: 05770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5770000_P87unxnF4t4DSrTt43.jbxd

Similarity

API ID:
String ID: $Aq
API String ID: 0-3665547428
Opcode ID: 036e62deb0ba3b5f45a85a7b62aab8280f2794769a3a068b31972c7edae58211
Instruction ID: 943829b32455516341871d8a018609bacbeda583f7476d196b4d16232dd8e82b
Opcode Fuzzy Hash: 036e62deb0ba3b5f45a85a7b62aab8280f2794769a3a068b31972c7edae58211
Instruction Fuzzy Hash: 6033E734A10229CFCB25DF24D988E99B7B5FF89304F1181E9E509AB365DB31AE85CF44

Function 05776F38 Relevance: 3.4, Strings: 1, Instructions: 2150
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$Aq, xrefs: 05777CB0

Memory Dump Source

Source File: 00000001.00000002.1346233596.0000000005770000.00000040.00000800.00020000.00000000.sdmp, Offset: 05770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5770000_P87unxnF4t4DSrTt43.jbxd

Similarity

API ID:
String ID: $Aq
API String ID: 0-3665547428
Opcode ID: 3b1b0cb51b84c44ac1ab5ab21bf6279dee512cc9385137bf393bef6a0cd07120
Instruction ID: 88a43c52fb9c477cce954d8477da67fa0f8ce05accf4d477fcab27db3e8c6678
Opcode Fuzzy Hash: 3b1b0cb51b84c44ac1ab5ab21bf6279dee512cc9385137bf393bef6a0cd07120
Instruction Fuzzy Hash: A533E734A00629CFCB25DF24D988E99B7B5FF89304F1181E9E509AB365DB31AE85CF44

Function 03062E59 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1339981663.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3060000_P87unxnF4t4DSrTt43.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afa2090520f29482b76816c59cdc279637de4aad4a727c0db6115f291f3653c7
Instruction ID: ff340d05cbc3bf9ccad2cacd5682a13bbe7e7938d0ecd55b07000fdfc2e81e30
Opcode Fuzzy Hash: afa2090520f29482b76816c59cdc279637de4aad4a727c0db6115f291f3653c7
Instruction Fuzzy Hash: 3C41E6B4D052588FDB18CFA6C8547EEBBFABF89300F04D4AAD409A6259DB740946CF50

Function 03062E68 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1339981663.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3060000_P87unxnF4t4DSrTt43.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b37fb7602efa3fbb8939f6174c72a4a56e4f7b367136377ea50a74ef51c8ff8b
Instruction ID: b1586a5fbf3df80e454c89282fba5d67fafb2f2aa4b9d33968188f8fe6421eb8
Opcode Fuzzy Hash: b37fb7602efa3fbb8939f6174c72a4a56e4f7b367136377ea50a74ef51c8ff8b
Instruction Fuzzy Hash: 1041E7B4D05218CBDB18CFA6C8543EEFBFABF88300F14D46AD409B6258DB7409468F90

Function 0184D368 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 150
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0184D3F6
GetCurrentThread.KERNEL32 ref: 0184D433
GetCurrentProcess.KERNEL32 ref: 0184D470
GetCurrentThreadId.KERNEL32 ref: 0184D4C9

Strings

4'q, xrefs: 0184D341

Memory Dump Source

Source File: 00000001.00000002.1339815646.0000000001840000.00000040.00000800.00020000.00000000.sdmp, Offset: 01840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1840000_P87unxnF4t4DSrTt43.jbxd

Similarity

API ID: Current$ProcessThread
String ID: 4'q
API String ID: 2063062207-1807707664
Opcode ID: e02c614952d714d41eb096b6f3cffd7782c05b1dfe823ba1cd470f959d40ec9e
Instruction ID: 26817578c75dcef032126e5767e3ec574e4e59ae8191f1cdce7ed43aa742dd87
Opcode Fuzzy Hash: e02c614952d714d41eb096b6f3cffd7782c05b1dfe823ba1cd470f959d40ec9e
Instruction Fuzzy Hash: 4A617AB0900309CFDB14DFAAD589B9EBBF1FF48304F208559E009A7261DB346945CF65

Function 0184D378 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0184D3F6
GetCurrentThread.KERNEL32 ref: 0184D433
GetCurrentProcess.KERNEL32 ref: 0184D470
GetCurrentThreadId.KERNEL32 ref: 0184D4C9

Memory Dump Source

Source File: 00000001.00000002.1339815646.0000000001840000.00000040.00000800.00020000.00000000.sdmp, Offset: 01840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1840000_P87unxnF4t4DSrTt43.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: a3ffdebd830c5607c0bd10da7b69b14b34e0a2516e80149d01c83e12e2b29b6c
Instruction ID: 35f6b9522e58aa12297b4eaf1ce9babf9f3fcab40336eb3956218aedcbe68876
Opcode Fuzzy Hash: a3ffdebd830c5607c0bd10da7b69b14b34e0a2516e80149d01c83e12e2b29b6c
Instruction Fuzzy Hash: E45155B0900309CFDB14DFAAD589B9EBBF1EB48314F20C529E119A72A0DB346945CF66

Function 03068C9C Relevance: 1.7, APIs: 1, Instructions: 247
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 03068EDE

Memory Dump Source

Source File: 00000001.00000002.1339981663.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3060000_P87unxnF4t4DSrTt43.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: b87648710db7f49f2beb40bffdb051b4628334af27f02d24fb1c1adae62b24d1
Instruction ID: d62e5c1d7b4d3d8a31c9d4bbd27fc5cb8a92ba5f065d395c924a892cc5791dfc
Opcode Fuzzy Hash: b87648710db7f49f2beb40bffdb051b4628334af27f02d24fb1c1adae62b24d1
Instruction Fuzzy Hash: 57A14971D01619DFEB24CFA8C841BEDBBF2BF48310F1485A9E818A7284DB759985CF91

Function 03068CA8 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 03068EDE

Memory Dump Source

Source File: 00000001.00000002.1339981663.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3060000_P87unxnF4t4DSrTt43.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 312e1286c4a010dbb85a1f2339190ed161e3abf0b267cd2bceed5a63be6a634d
Instruction ID: d12d57d22c2335e94e51846c960938dcad16d7c9238c626c941c1ea431a9e545
Opcode Fuzzy Hash: 312e1286c4a010dbb85a1f2339190ed161e3abf0b267cd2bceed5a63be6a634d
Instruction Fuzzy Hash: A2914A71D017199FEB24CFA8C841BEDBBF6BF48310F1485A9E818A7284DB749985CF91

Function 05771B84 Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05771CA2

Memory Dump Source

Source File: 00000001.00000002.1346233596.0000000005770000.00000040.00000800.00020000.00000000.sdmp, Offset: 05770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5770000_P87unxnF4t4DSrTt43.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: ced28060378eaa0ece7e360983eab8b569fb7e29316b6e06d67644182ab5d7ad
Instruction ID: 2ee81537a502a60aa9c7ce22c9137c338a3ddeb53bae952692bf6264c5d81da8
Opcode Fuzzy Hash: ced28060378eaa0ece7e360983eab8b569fb7e29316b6e06d67644182ab5d7ad
Instruction Fuzzy Hash: 5D51DEB1C103099FDF14CFA9D884ADEBBB5BF48310F64822AE819AB210D775A845DF90

Function 05771B90 Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05771CA2

Memory Dump Source

Source File: 00000001.00000002.1346233596.0000000005770000.00000040.00000800.00020000.00000000.sdmp, Offset: 05770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5770000_P87unxnF4t4DSrTt43.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 80a02e4aaee85d058130c1e646a48204eb36c037cbfdb301b19d590ac3ede8c7
Instruction ID: 5ae8be3c6f389392f4c73337e386a3c42f951798da1a1411452d6f5ff70a466b
Opcode Fuzzy Hash: 80a02e4aaee85d058130c1e646a48204eb36c037cbfdb301b19d590ac3ede8c7
Instruction Fuzzy Hash: 5741CEB1D1030D9FDF14CF9AD984ADEBBB5BF48310F64822AE819AB210D775A945CF90

Function 0184590D Relevance: 1.6, APIs: 1, Instructions: 98COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 018459C9

Memory Dump Source

Source File: 00000001.00000002.1339815646.0000000001840000.00000040.00000800.00020000.00000000.sdmp, Offset: 01840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1840000_P87unxnF4t4DSrTt43.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 8c6c678f1889e4af0c88a770dac0a1e19c7fff432a7e0f409c719610dc1fac4f
Instruction ID: 5cae51138bbb9ce8d0b81da6b9d05cdd8c2f9fc49d9ae84475fd25ba6d9419ca
Opcode Fuzzy Hash: 8c6c678f1889e4af0c88a770dac0a1e19c7fff432a7e0f409c719610dc1fac4f
Instruction Fuzzy Hash: C541C2B1C0071DCBDB24DFA9C884B8DBBF5BF49314F20816AE508AB251DB756A46CF50

Function 018444E0 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 018459C9

Memory Dump Source

Source File: 00000001.00000002.1339815646.0000000001840000.00000040.00000800.00020000.00000000.sdmp, Offset: 01840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1840000_P87unxnF4t4DSrTt43.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 6e0e4893cd718f1c54a409fd484586381c5654dabb2dfe282c88abc52f3346b7
Instruction ID: add92c2dfc62e59fb23bd3f2e5ff2ac3ae4c396eaab39a601e9f2a9adac83c62
Opcode Fuzzy Hash: 6e0e4893cd718f1c54a409fd484586381c5654dabb2dfe282c88abc52f3346b7
Instruction Fuzzy Hash: AD41C3B1C0071DCBDB24DFA9C884B9DBBF5BF49314F20816AE508AB251DB756A46CF90

Function 05774160 Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 05774221

Memory Dump Source

Source File: 00000001.00000002.1346233596.0000000005770000.00000040.00000800.00020000.00000000.sdmp, Offset: 05770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5770000_P87unxnF4t4DSrTt43.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: c94fd2d5d1acd37548220009a36471f86dde3455ef1973268e8d76119f064844
Instruction ID: f8a5bb04afb045ab7ab25e04ea7e829e528c4de70f0fc34e93635ba61e2874e5
Opcode Fuzzy Hash: c94fd2d5d1acd37548220009a36471f86dde3455ef1973268e8d76119f064844
Instruction Fuzzy Hash: 784117B8900209DFCB14DF99C488AAABBF6FF88314F25C459E519A7321D774A841CFA0

Function 03068A1B Relevance: 1.6, APIs: 1, Instructions: 72injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 03068AB0

Memory Dump Source

Source File: 00000001.00000002.1339981663.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3060000_P87unxnF4t4DSrTt43.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 187b7303def50175e280a86c09dc6cf6dc39ecb12c1d0dd3d3e82bbf5f897a8e
Instruction ID: 4b2a506c5e0e96bee8a93a314aa7c875db8b0a8132b2375ccf5a0f0e31dbec0d
Opcode Fuzzy Hash: 187b7303def50175e280a86c09dc6cf6dc39ecb12c1d0dd3d3e82bbf5f897a8e
Instruction Fuzzy Hash: AA212475D003099FDB20CFA9C885BEEBBF1FF48310F14852AE919A7240C7789955CBA0

Function 03068A20 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 03068AB0

Memory Dump Source

Source File: 00000001.00000002.1339981663.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3060000_P87unxnF4t4DSrTt43.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: a04513bd0819123ca5c974467b9088c101136af05483e15cbfdb6633863e1a46
Instruction ID: 3d36b52978d0d0b7613894cd15f83288f118bd00d1fa70de9e6380a69a31094e
Opcode Fuzzy Hash: a04513bd0819123ca5c974467b9088c101136af05483e15cbfdb6633863e1a46
Instruction Fuzzy Hash: 71212575D003099FDB10DFAAC885BEEBBF5FF48310F54842AE919A7240D7789951CBA4

Function 03068B08 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 03068B90

Memory Dump Source

Source File: 00000001.00000002.1339981663.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3060000_P87unxnF4t4DSrTt43.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 74ad00b9b12ef04182c1ec5162ecbc835cd9bded84c0c8b854bd6fdaeff749ec
Instruction ID: f51e041d37733f1fd1713642b879d378848f6118fb2aa85d3031577532bf3fba
Opcode Fuzzy Hash: 74ad00b9b12ef04182c1ec5162ecbc835cd9bded84c0c8b854bd6fdaeff749ec
Instruction Fuzzy Hash: 102115B1C012099FDB10CFAAC881BEEBBF1FF48310F548529E519A7250C7389941CBA0

Function 03068883 Relevance: 1.6, APIs: 1, Instructions: 66threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 03068906

Memory Dump Source

Source File: 00000001.00000002.1339981663.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3060000_P87unxnF4t4DSrTt43.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 61982032f1263fbdb36e20b467a61f04d8dfa03c6c07a7adc7a0f543ed9bf0dd
Instruction ID: ea59c893d24a060b3e39acdae078449ee743218ed74a5115609d8e76eedb93b0
Opcode Fuzzy Hash: 61982032f1263fbdb36e20b467a61f04d8dfa03c6c07a7adc7a0f543ed9bf0dd
Instruction Fuzzy Hash: B7212571D003098FDB24DFAAC885BEEBBF0EB48310F54852AD459A7240CB789A45CFA1

Function 0184D5B8 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0184D647

Memory Dump Source

Source File: 00000001.00000002.1339815646.0000000001840000.00000040.00000800.00020000.00000000.sdmp, Offset: 01840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1840000_P87unxnF4t4DSrTt43.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 568fe743781f1239aacd88e3d9a49d8bb39dccc6a5ec5a28b4b94bcebe2f6bb5
Instruction ID: f36caf8517e8bf1299b1f575657c4d7e542cae090080def83c88586384b53428
Opcode Fuzzy Hash: 568fe743781f1239aacd88e3d9a49d8bb39dccc6a5ec5a28b4b94bcebe2f6bb5
Instruction Fuzzy Hash: F821F2B5C003099FDB10CF9AD884ADEBBF4EB48320F14801AE918A3350D774AA51CFA4

Function 03068B10 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 03068B90

Memory Dump Source

Source File: 00000001.00000002.1339981663.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3060000_P87unxnF4t4DSrTt43.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 91800e376cca720e07a311e296d3c735d0bbe8f264ad29a92d77efa7caac78dd
Instruction ID: c708a58b9cf4860ba17e6550fe571876e79792ac25684acea79e7391f7d77e4d
Opcode Fuzzy Hash: 91800e376cca720e07a311e296d3c735d0bbe8f264ad29a92d77efa7caac78dd
Instruction Fuzzy Hash: 372105B1C003499FDB10DFAAC881BDEBBF5FF48310F508429E919A7240C7799901CBA4

Function 03068888 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 03068906

Memory Dump Source

Source File: 00000001.00000002.1339981663.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3060000_P87unxnF4t4DSrTt43.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: c64d985ab78c385b1d0c3f949d8b072a234ced80d305592a21c6a125f2ad3fc7
Instruction ID: c91ebd5073c9eaa637d5d491ed4eb390280fd7b1f159a92eaa842b0eb3a21f82
Opcode Fuzzy Hash: c64d985ab78c385b1d0c3f949d8b072a234ced80d305592a21c6a125f2ad3fc7
Instruction Fuzzy Hash: 3A213471D003098FDB24DFAAC485BAEBBF4AB48220F54842AD459A7240CB789945CFA5

Function 0184D5C0 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0184D647

Memory Dump Source

Source File: 00000001.00000002.1339815646.0000000001840000.00000040.00000800.00020000.00000000.sdmp, Offset: 01840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1840000_P87unxnF4t4DSrTt43.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 60b8508ffde8728e2f46ce129170af0f6ae872696d3082b770e6c84ddf760c6d
Instruction ID: 4690f4c0ae6e1bf7a9dd7a323d6bcd63fe7f9c25490489e71421a96b436af433
Opcode Fuzzy Hash: 60b8508ffde8728e2f46ce129170af0f6ae872696d3082b770e6c84ddf760c6d
Instruction Fuzzy Hash: 3321E4B5D002099FDB10CF9AD984ADEFBF4EB48310F14841AE918A3350C774A955CFA4

Function 0306895B Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 030689CE

Memory Dump Source

Source File: 00000001.00000002.1339981663.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3060000_P87unxnF4t4DSrTt43.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 841af88bf4801f8dc55b0188b6e44dfe76909b2aeadc908c11da989f59fd565e
Instruction ID: a12f467739be9fcb6b3f9b2c168ddfc375c1e4537926dc89dd0f2abe1659959a
Opcode Fuzzy Hash: 841af88bf4801f8dc55b0188b6e44dfe76909b2aeadc908c11da989f59fd565e
Instruction Fuzzy Hash: 34112971C002499FDF20DFA9C845BEEBBF5EF48310F14841AE915A7250C7759951CFA1

Function 03068398 Relevance: 1.6, APIs: 1, Instructions: 53threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32(?), ref: 03068402

Memory Dump Source

Source File: 00000001.00000002.1339981663.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3060000_P87unxnF4t4DSrTt43.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: aa19f2c7ed9e21f4b02b0bea7787e209563dee5c5273715d35aea37310e4a0f3
Instruction ID: 08805c1a6d2a0373a6160a7e7385f3a23fea1c5fa8eae1d5d1238000b9364360
Opcode Fuzzy Hash: aa19f2c7ed9e21f4b02b0bea7787e209563dee5c5273715d35aea37310e4a0f3
Instruction Fuzzy Hash: 421176B0C003488FDB20DFAAC4457EEFBF0AF88324F24842AD459A7240CB795901CFA0

Function 03068960 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 030689CE

Memory Dump Source

Source File: 00000001.00000002.1339981663.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3060000_P87unxnF4t4DSrTt43.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 9e5339e337d399ea9053f7f67f8a2e9e71c5aa35b43cbb02903fc756c184f147
Instruction ID: 14724969d697eac151f2c746235591f3315db28ded5e842e0d08f86ac59e438d
Opcode Fuzzy Hash: 9e5339e337d399ea9053f7f67f8a2e9e71c5aa35b43cbb02903fc756c184f147
Instruction Fuzzy Hash: 87112671C003499FDB20DFAAC845BDEBBF5EF48320F14841AE515A7250CB759951CFA5

Function 030683A0 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32(?), ref: 03068402

Memory Dump Source

Source File: 00000001.00000002.1339981663.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3060000_P87unxnF4t4DSrTt43.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 5e35fa816eb4ec030bec4fd082210519e3043e7d9cb24324baf7bbae068ff434
Instruction ID: 9f7311008ec8203f1029d61be555e91ce9e1cdaee1a1422001fcceb91109bdc0
Opcode Fuzzy Hash: 5e35fa816eb4ec030bec4fd082210519e3043e7d9cb24324baf7bbae068ff434
Instruction Fuzzy Hash: 121136B1D003498FDB24DFAAC4457EEFBF5EB88324F248429D519A7640CB79A941CFA4

Function 0184B5C0 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 0184B626

Memory Dump Source

Source File: 00000001.00000002.1339815646.0000000001840000.00000040.00000800.00020000.00000000.sdmp, Offset: 01840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1840000_P87unxnF4t4DSrTt43.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 7a5ac40b6ec7b567c4ed5386e4138faa81a3d5c68b87ed6a2c8cdb6c706d68f7
Instruction ID: bba315dc459a9961687fb61c09490cf04a9c0d1481125d11ac9534cad3ef0aac
Opcode Fuzzy Hash: 7a5ac40b6ec7b567c4ed5386e4138faa81a3d5c68b87ed6a2c8cdb6c706d68f7
Instruction Fuzzy Hash: D511DFB5C007498FDB24DF9AD844ADEFBF4AB88320F10842AD529A7210D779A645CFA5

Function 03067210 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0306B58D

Memory Dump Source

Source File: 00000001.00000002.1339981663.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3060000_P87unxnF4t4DSrTt43.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 324117d38d148c0c074ac688dbe54a39e484389c68a06fb901bb1ec18ec1c0e0
Instruction ID: 8aba61c96a262c1f5d9f44a5d6784d5bf2242ddbeede14973d99ae7fb678f5eb
Opcode Fuzzy Hash: 324117d38d148c0c074ac688dbe54a39e484389c68a06fb901bb1ec18ec1c0e0
Instruction Fuzzy Hash: D81106B5800349DFDB20DF9AD485BDEFBF8EB48310F108419E514A7240D375AA54CFA1

Function 0306B529 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0306B58D

Memory Dump Source

Source File: 00000001.00000002.1339981663.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3060000_P87unxnF4t4DSrTt43.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: e874aa8a388e5833ba113ef0ee2ca272d81e504cd9a271b331f426bdd4147cae
Instruction ID: f49bde329187ca440d4fcc98aaf36846c04b6a5c536cdc1e725627e216cfcd74
Opcode Fuzzy Hash: e874aa8a388e5833ba113ef0ee2ca272d81e504cd9a271b331f426bdd4147cae
Instruction Fuzzy Hash: 4C11E8B58003499FDB20DF9AD985BDEFFF8EB48320F14845AE558A7250C375A544CFA1

Function 014CD4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1338186286.00000000014CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_14cd000_P87unxnF4t4DSrTt43.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9895d593dc6d8502275851909a5703117a87dc8a8e4dd53897805472feb07c7a
Instruction ID: 1280deb8d73e7bd1f91be622bdf738a9ef55cf4c935293dadb0c22fd901c544e
Opcode Fuzzy Hash: 9895d593dc6d8502275851909a5703117a87dc8a8e4dd53897805472feb07c7a
Instruction Fuzzy Hash: 4521007A904200DFDB55DF54D9C0B26BF61EB98628F20857EE9090A266C336D406CAA2

Function 014CD3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1338186286.00000000014CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_14cd000_P87unxnF4t4DSrTt43.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dac7d94472be784a31a19fb4f596bc8bad0f1295a93eb636d16755ec5771509
Instruction ID: b4f8ac34e9f72d1ffe9964ab4b3f5d679f9a13d55fdd927b52b9b0a58c17027c
Opcode Fuzzy Hash: 9dac7d94472be784a31a19fb4f596bc8bad0f1295a93eb636d16755ec5771509
Instruction Fuzzy Hash: 3D210279904200DFDB05DF44D9C0B66BB65EB84724F20C17EDA090A266C336E447CAA2

Function 015FD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1338672363.00000000015FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15fd000_P87unxnF4t4DSrTt43.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ba86343260fd3bae4f61a3cda77e6a1d1a9d4dd0c46a1a15aed22f856e1f5ea
Instruction ID: 4a787cc39ff83757f300ddd21c2b45ffbc515a7f28a244aa81759c1cbbf7f762
Opcode Fuzzy Hash: 8ba86343260fd3bae4f61a3cda77e6a1d1a9d4dd0c46a1a15aed22f856e1f5ea
Instruction Fuzzy Hash: 15210075604200DFDB15DF54D984B2ABBB9FB84314F20C96DEA0A4F286D33AD807CA62

Function 015FD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1338672363.00000000015FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15fd000_P87unxnF4t4DSrTt43.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63e1848a2437da06fb684fa7124e618610fb9baf63d6f16f47f087d09157d038
Instruction ID: 7116f1dff5a2bf806691b0a34c6c7fbc1dcd18ddb5fd9ed1476e748da413f415
Opcode Fuzzy Hash: 63e1848a2437da06fb684fa7124e618610fb9baf63d6f16f47f087d09157d038
Instruction Fuzzy Hash: 96210779604300DFDB15DF94D9C4B1ABBB5FB84324F20C96DDA494F256C336D446CAA1

Function 015FD006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1338672363.00000000015FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15fd000_P87unxnF4t4DSrTt43.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd6c0d41d8dbcb68d173d94092eca3a6a51178b6b9acce4cac264c0dad620c09
Instruction ID: 966bfcc53304addf85ad822f96c31cecccc77a566d4a2921ec2d2766e8c0daa8
Opcode Fuzzy Hash: cd6c0d41d8dbcb68d173d94092eca3a6a51178b6b9acce4cac264c0dad620c09
Instruction Fuzzy Hash: DF217C755093808FCB06CF24D990715BF71FB46214F28C5EAD9498F6A7C33A980ACB62

Function 014CD3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1338186286.00000000014CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_14cd000_P87unxnF4t4DSrTt43.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
Instruction ID: c661a1d29206a33fbcb34c87cb054b1b48b7529abb2772e35a3a5db3601420d1
Opcode Fuzzy Hash: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
Instruction Fuzzy Hash: 1611CD76904240DFCB06CF44D9C0B56BF62FB84324F2482BED9090A266C33AE456CBA1

Function 014CD4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1338186286.00000000014CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_14cd000_P87unxnF4t4DSrTt43.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
Instruction ID: 28d3ea338ad6e689f9d8f95dcb6a9e8b7d361e761da2944020c3a08577364608
Opcode Fuzzy Hash: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
Instruction Fuzzy Hash: 7011AF7A904280CFCB16CF54D9C4B16BF72FB94724F24C6AED8490B666C336D456CBA1

Function 015FD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1338672363.00000000015FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_15fd000_P87unxnF4t4DSrTt43.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
Instruction ID: b425fab87940bf345fc335a796c5b8eeb5cb487662b5a8fd850cb9ffdf385498
Opcode Fuzzy Hash: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
Instruction Fuzzy Hash: 3411BB79504280DFCB06CF54C5C0B19BBB2FB84324F24C6AED9494F296C33AD40ACBA1

Non-executed Functions

Function 0306C708 Relevance: .4, Instructions: 403COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1339981663.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3060000_P87unxnF4t4DSrTt43.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 190b0d437025fc376731eeb8355c7248be79145af1a6605f9792b54e08ead4f9
Instruction ID: 8eb7e442fffe819f261706390de230b4e912c87266918c08fee44ce4b45ef46b
Opcode Fuzzy Hash: 190b0d437025fc376731eeb8355c7248be79145af1a6605f9792b54e08ead4f9
Instruction Fuzzy Hash: 5EE18B35B027088FEB29DB79D450BAEB7F6AF89700F18846DD186DB294CB35E901CB51

Function 03065ED8 Relevance: .3, Instructions: 320COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1339981663.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3060000_P87unxnF4t4DSrTt43.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbe370f046d819a095e2c491c1836bafc8c1a8e2acab1fe7d65e0e13c065cbf4
Instruction ID: ebd9b670957ffe2adef6c098502b3578e24985007a7c22fc3c201c82a45519a4
Opcode Fuzzy Hash: bbe370f046d819a095e2c491c1836bafc8c1a8e2acab1fe7d65e0e13c065cbf4
Instruction Fuzzy Hash: D5E1D874E002598FDB14CFA9C580AAEFBB2FF89304F2481A9D455AB355D735AD41CFA0

Function 057702D8 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1346233596.0000000005770000.00000040.00000800.00020000.00000000.sdmp, Offset: 05770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5770000_P87unxnF4t4DSrTt43.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a3473d694bd2ca0d94f365be4966746c3846cd0ad04cc67fb58bab71641a615
Instruction ID: 18ca3aa164cd4c42b8f016cf4acb7b44420a8a7bb19cf9c342b8ad2521a3e5ff
Opcode Fuzzy Hash: 8a3473d694bd2ca0d94f365be4966746c3846cd0ad04cc67fb58bab71641a615
Instruction Fuzzy Hash: AD1285B14117458AE730CF65E94C6893BB1BB61398F906329D2A12F2FDDBB8164BCF44

Function 03066320 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1339981663.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3060000_P87unxnF4t4DSrTt43.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8420a33d8bb9372d9c3c2d2b538eb1a35a34664141a09d13a4a11add1862712
Instruction ID: 781e5f5b41d63f65e7278e6e335b632a1bf77afc0398b0d9f4323883cf684963
Opcode Fuzzy Hash: f8420a33d8bb9372d9c3c2d2b538eb1a35a34664141a09d13a4a11add1862712
Instruction Fuzzy Hash: C2E1D674E012598BDB14CFA9D590AAEFBF2FB89304F2481A9D814AB359D7319D41CFA0

Function 03068450 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1339981663.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3060000_P87unxnF4t4DSrTt43.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed858b489686c8b7463f5b924a1c29f24272cbf1716167e1015d1e193d562eac
Instruction ID: 3d472a6ed7a60469e4de6bed6a880d73c3acbc45d378777f918ebeb4519b43bd
Opcode Fuzzy Hash: ed858b489686c8b7463f5b924a1c29f24272cbf1716167e1015d1e193d562eac
Instruction Fuzzy Hash: B3E1C774E012598FDB14DFA9C580AAEFBB2FF89304F2481A9D814AB359D7349D41CFA1

Function 03067B20 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1339981663.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3060000_P87unxnF4t4DSrTt43.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d6520122be9de5f728fdbffdff7e67d4d2717ee9535bbd267995c6cf26c9405
Instruction ID: d44a93deb2713dccc971e47fba10aad37ba050afaadc7d76f56e12c52981689d
Opcode Fuzzy Hash: 5d6520122be9de5f728fdbffdff7e67d4d2717ee9535bbd267995c6cf26c9405
Instruction Fuzzy Hash: DDE1D874E012598FDB14CFA9C580AAEFBB2FF89304F248159D815AB359D7359D41CFA0

Function 03065AB0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1339981663.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3060000_P87unxnF4t4DSrTt43.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdd9b972228bdf4970fb1c3ef8c77a739541346f5941c106748d8025f574b2d4
Instruction ID: 78ad35336e3796ea5326c586ee4db77e118713cf3a17345e5620bc63d17edbf4
Opcode Fuzzy Hash: fdd9b972228bdf4970fb1c3ef8c77a739541346f5941c106748d8025f574b2d4
Instruction Fuzzy Hash: 21E1C774E012598FDB14DFA9CA84AAEFBB2FF89304F248169D814AB355D734AD41CF60

Function 0184DC8C Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1339815646.0000000001840000.00000040.00000800.00020000.00000000.sdmp, Offset: 01840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1840000_P87unxnF4t4DSrTt43.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d87fbdf2121b26190cad723dc97e728057b8c4e8ad98edd5d5cf150cb5bfd641
Instruction ID: 4ce997a951c0eaa25aa993b8de964dd97d24f53548198dfd16950ce578395dc3
Opcode Fuzzy Hash: d87fbdf2121b26190cad723dc97e728057b8c4e8ad98edd5d5cf150cb5bfd641
Instruction Fuzzy Hash: B7A15D32E0020A8FCF15DFB8D84459EBBB2FF95300B15856AE905EB265DF75DA15CB80

Function 057702C8 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1346233596.0000000005770000.00000040.00000800.00020000.00000000.sdmp, Offset: 05770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5770000_P87unxnF4t4DSrTt43.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6ffe5f734b093c239071b1db00638fed5aeb995d701e78643cdf1b6290615f3
Instruction ID: 5b9a306366be9321d1b823ce5c0b87bab9593cd81e905b5ee877bca654cdd163
Opcode Fuzzy Hash: a6ffe5f734b093c239071b1db00638fed5aeb995d701e78643cdf1b6290615f3
Instruction Fuzzy Hash: F2C1F6B18117458BE730CF29E8482897BB1BB953A4F506329D2616F2FDDBB8164BCF44

Function 03066310 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1339981663.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3060000_P87unxnF4t4DSrTt43.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2f08a965aa8642974a6f7cfbd3043b918757bb0d720ee19c1452b22603006a0
Instruction ID: f806946483cc90cb261cef17b006c7642dc571468dc3357158cb2cc9ca8327b4
Opcode Fuzzy Hash: f2f08a965aa8642974a6f7cfbd3043b918757bb0d720ee19c1452b22603006a0
Instruction Fuzzy Hash: 0C51D870E052598BDB14CFA9C5805AEFBF2FF89304F2481A9D418AB356D7359D42CF61

Function 03067B0F Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1339981663.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3060000_P87unxnF4t4DSrTt43.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 146b9e14894486db4cbf6acb9c36cae9264fe513e98119060f11d9733040f048
Instruction ID: 2f23161ff445fe2b419103da4bafaabc80bebdb63ad07884ced76ab4f30d582a
Opcode Fuzzy Hash: 146b9e14894486db4cbf6acb9c36cae9264fe513e98119060f11d9733040f048
Instruction Fuzzy Hash: 8051F770E012598FDB14CFA9C5809AEFBF2FF89314F2481A9D418AB356D7349941CFA1

Function 03065EE8 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1339981663.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3060000_P87unxnF4t4DSrTt43.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d56f732c2a489d3db5b9e920752daf2358b47314519e4a8fe1178114bed46dc
Instruction ID: 22a8fda5d2d88db7aeb4e8d30f469ee9cdacd1bed1a2fd0a49c2a158def4b130
Opcode Fuzzy Hash: 9d56f732c2a489d3db5b9e920752daf2358b47314519e4a8fe1178114bed46dc
Instruction Fuzzy Hash: C051EA74E002198BDB18CFA9C6845AEFBF6FF89304F2481A9D418AB355D735AD41CFA1

Analysis Process: P87unxnF4t4DSrTt43.exePID: 7848, Parent PID: 7644COMMON

Execution Graph

Execution Coverage:	5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	6.4%
Total number of Nodes:	1648
Total number of Limit Nodes:	49

Executed Functions

Function 0041BEEE Relevance: 115.6, APIs: 40, Strings: 26, Instructions: 140
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040D856), ref: 0041BF03
GetProcAddress.KERNEL32(00000000), ref: 0041BF0C
GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040D856), ref: 0041BF23
GetProcAddress.KERNEL32(00000000), ref: 0041BF26
LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D856), ref: 0041BF38
GetProcAddress.KERNEL32(00000000), ref: 0041BF3B
LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040D856), ref: 0041BF4C
GetProcAddress.KERNEL32(00000000), ref: 0041BF4F
LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040D856), ref: 0041BF60
GetProcAddress.KERNEL32(00000000), ref: 0041BF63
LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040D856), ref: 0041BF70
GetProcAddress.KERNEL32(00000000), ref: 0041BF73
GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D856), ref: 0041BF80
GetProcAddress.KERNEL32(00000000), ref: 0041BF83
GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D856), ref: 0041BF90
GetProcAddress.KERNEL32(00000000), ref: 0041BF93
LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D856), ref: 0041BFA4
GetProcAddress.KERNEL32(00000000), ref: 0041BFA7
GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D856), ref: 0041BFB4
GetProcAddress.KERNEL32(00000000), ref: 0041BFB7
GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D856), ref: 0041BFC8
GetProcAddress.KERNEL32(00000000), ref: 0041BFCB
GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D856), ref: 0041BFDC
GetProcAddress.KERNEL32(00000000), ref: 0041BFDF
GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D856), ref: 0041BFF0
GetProcAddress.KERNEL32(00000000), ref: 0041BFF3
GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040D856), ref: 0041C000
GetProcAddress.KERNEL32(00000000), ref: 0041C003
LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040D856), ref: 0041C011
GetProcAddress.KERNEL32(00000000), ref: 0041C014
LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0040D856), ref: 0041C021
GetProcAddress.KERNEL32(00000000), ref: 0041C024
GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040D856), ref: 0041C036
GetProcAddress.KERNEL32(00000000), ref: 0041C039
GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040D856), ref: 0041C046
GetProcAddress.KERNEL32(00000000), ref: 0041C049
LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040D856), ref: 0041C05B
GetProcAddress.KERNEL32(00000000), ref: 0041C05E
LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0040D856), ref: 0041C06B
GetProcAddress.KERNEL32(00000000), ref: 0041C06E

Strings

IsWow64Process, xrefs: 0041BF75
NtUnmapViewOfSection, xrefs: 0041BF56
GetConsoleWindow, xrefs: 0041C016
IsUserAnAdmin, xrefs: 0041BF95
kernel32, xrefs: 0041BF6A, 0041BF6F, 0041BF7A, 0041BF8A, 0041BFAE, 0041BFFA, 0041C01B
EnumDisplayDevicesW, xrefs: 0041BFB9
Iphlpapi, xrefs: 0041C050, 0041C05A, 0041C065
SetProcessDEPPolicy, xrefs: 0041BFA9
GetProcessImageFileNameW, xrefs: 0041BEF8, 0041BEFD, 0041BF1D
ntdll, xrefs: 0041BF5B, 0041C02B, 0041C035, 0041C045
NtResumeProcess, xrefs: 0041C03B
GlobalMemoryStatusEx, xrefs: 0041BF65
user32, xrefs: 0041BF47, 0041BFBE, 0041BFD2, 0041BFE6
Kernel32, xrefs: 0041BF1E
EnumDisplayMonitors, xrefs: 0041BFCD
Shell32, xrefs: 0041BF9A
Shlwapi, xrefs: 0041C007
GetExtendedTcpTable, xrefs: 0041C04B
NtSuspendProcess, xrefs: 0041C026
shcore, xrefs: 0041BF33
GetMonitorInfoW, xrefs: 0041BFE1
GetExtendedUdpTable, xrefs: 0041C060
GetComputerNameExW, xrefs: 0041BF85
SetProcessDpiAwareness, xrefs: 0041BF2D, 0041BF32, 0041BF46
Psapi, xrefs: 0041BEFE
GetSystemTimes, xrefs: 0041BFF5

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleLibraryLoadModule
String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
API String ID: 384173800-625181639
Opcode ID: b0b2e61fc073e98d70dce9ef4f7eaaaad63808f39ef958059982ad015adeb2a9
Instruction ID: 91c85bc0cfa8e625a7056272f5779649be84715ca0db9f9d819234a6a75bf275
Opcode Fuzzy Hash: b0b2e61fc073e98d70dce9ef4f7eaaaad63808f39ef958059982ad015adeb2a9
Instruction Fuzzy Hash: 4C31E2A0E8035C7ADB207BB69CC9F3B7E6DD9847953510427B54893190EB7DEC408EAE

Function 0041894A Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 197
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

7, xrefs: 00418B42
1, xrefs: 004189AC
3, xrefs: 00418A6C
4, xrefs: 00418AD0
2, xrefs: 00418A0C
5, xrefs: 00418B21
0, xrefs: 00418973
6, xrefs: 00418B2B

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID:
String ID: 0$1$2$3$4$5$6$7
API String ID: 0-3177665633
Opcode ID: a9de58ba0c2801d14e688282b77566cfdf8eed5a7e5a556e6b9892cffd9b18c5
Instruction ID: a206eb20bee8e87b23b85030021c48398d73e585fead2f4b7fd4ae1d02439eb2
Opcode Fuzzy Hash: a9de58ba0c2801d14e688282b77566cfdf8eed5a7e5a556e6b9892cffd9b18c5
Instruction Fuzzy Hash: EA61D5B4108301AEDB00EF21C862FEA77E4AF95750F44485EF591672E2DF78AA48C797

Function 004099E4 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 65
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(00000000,00000000), ref: 00409A01
SetWindowsHookExA.USER32(0000000D,004099D0,00000000), ref: 00409A0F
GetLastError.KERNEL32 ref: 00409A1B

Part of subcall function 0041A891: GetLocalTime.KERNEL32(00000000), ref: 0041A8AB

GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00409A6B
TranslateMessage.USER32(?), ref: 00409A7A
DispatchMessageA.USER32(?), ref: 00409A85

Strings

Keylogger initialization failure: error , xrefs: 00409A32

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
String ID: Keylogger initialization failure: error
API String ID: 3219506041-952744263
Opcode ID: d18730f85669cb230c4623b663f0c744b4f5d15589cfdaaa540fabe1f56e8766
Instruction ID: 916e88852ed13b3ab14e3660f0b3d121b0d8821096f38c6baae7fa71b0b7a026
Opcode Fuzzy Hash: d18730f85669cb230c4623b663f0c744b4f5d15589cfdaaa540fabe1f56e8766
Instruction Fuzzy Hash: 6D118271604301AFC710BB7A9C4996B77ECAB94B15B10057EFC45E2191EE34DA01CBAA

Function 0040E627 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 88
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0041258F: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004125AF
Part of subcall function 0041258F: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,00475308), ref: 004125CD
Part of subcall function 0041258F: RegCloseKey.KERNEL32(?), ref: 004125D8

Sleep.KERNEL32(00000BB8), ref: 0040E6DB
ExitProcess.KERNEL32 ref: 0040E74A

Strings

pth_unenc, xrefs: 0040E63D, 0040E684, 0040E6F1
6.0.0 Pro, xrefs: 0040E6B6, 0040E723
override, xrefs: 0040E64C

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: CloseExitOpenProcessQuerySleepValue
String ID: 6.0.0 Pro$override$pth_unenc
API String ID: 2281282204-4012039065
Opcode ID: f421cdf6d9c6d8049a3e57c2dc73a36603adb0feb741279f5af10ed514b8101a
Instruction ID: 41eca1b412dc6cb4cbd69e66e1420b1d2a9bda06de9f36a729d5cd10817e4b5d
Opcode Fuzzy Hash: f421cdf6d9c6d8049a3e57c2dc73a36603adb0feb741279f5af10ed514b8101a
Instruction Fuzzy Hash: A821D131F1420027D60876778857B6F399A9B81719F90052EF819A72E7EEBD9E1083DF

Function 00404915 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 60timethreadCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(00000001,00474EE0,004755B0,00000000,?,?,?,?,?,00414F1C,?,00000001), ref: 00404946
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00474EE0,004755B0,00000000,?,?,?,?,?,00414F1C,?,00000001), ref: 00404994
CreateThread.KERNEL32(00000000,00000000,00404B1D,?,00000000,00000000), ref: 004049A7

Strings

KeepAlive | Enabled | Timeout: , xrefs: 0040495C

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: Create$EventLocalThreadTime
String ID: KeepAlive | Enabled | Timeout:
API String ID: 2532271599-1507639952
Opcode ID: bc9bf88564fe88bac39ee81bd5498bc3c7810f38d668c3ffa8bf170065fcb83f
Instruction ID: 334fa9fd2124ebc6c4f40b6d461b17bc354faf393a4ed588a06a33f3771f6744
Opcode Fuzzy Hash: bc9bf88564fe88bac39ee81bd5498bc3c7810f38d668c3ffa8bf170065fcb83f
Instruction Fuzzy Hash: 1611E3B19052547ACB10A7BA8849BDB7F9CAB86364F00007FF50462292DA789845CBFA

Function 0040455B Relevance: 4.5, APIs: 3, Instructions: 28synchronizationnetworkCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,?,?,0040460E,00000000,?,?), ref: 0040456A
SetEvent.KERNEL32(?,?,?,0040460E,00000000,?,?), ref: 00404588
recv.WS2_32(?,?,?,00000000), ref: 0040459F

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: EventObjectSingleWaitrecv
String ID:
API String ID: 311754179-0
Opcode ID: e9776599d1ec220d30db4bf84b70fc35cad7659389b29cba8a531b5175ba4202
Instruction ID: 6eb9ccf7f7f4a74ce0fca17a02289a90418c2efed9003feaedd78b13c881e648
Opcode Fuzzy Hash: e9776599d1ec220d30db4bf84b70fc35cad7659389b29cba8a531b5175ba4202
Instruction Fuzzy Hash: ABF08236108612BFD7015B10EC08E1AFBA2FB88721F20862EF611612A19F71EC21DB59

Function 0041A9AD Relevance: 3.0, APIs: 2, Instructions: 40COMMON

Download Yara Rule

APIs

GetComputerNameExW.KERNEL32(00000001,?,0000002B,004750FC), ref: 0041A9CA
GetUserNameW.ADVAPI32(?,0040E096), ref: 0041A9E2

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: Name$ComputerUser
String ID:
API String ID: 4229901323-0
Opcode ID: c38e36c8d41ee46761b6a4ad2d0e2b40601694a6c822a335d006f55048ef3fa5
Instruction ID: dd4171341b6269d20eef4dfb17ad31a68228dcd82fcdc0eb213b330dd994abd5
Opcode Fuzzy Hash: c38e36c8d41ee46761b6a4ad2d0e2b40601694a6c822a335d006f55048ef3fa5
Instruction Fuzzy Hash: 16014F7290011CAADB00EB90DC49ADDBB7CEF44315F10016AB502B3195EFB4AB898A98

Function 0040E751 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,004146BA,00474EE0,00475A38,00474EE0,00000000,00474EE0,?,00474EE0,6.0.0 Pro), ref: 0040E765

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 421515283829ddc35b956787f58d423e39949e6c6887f96e861c6dca66fe8524
Instruction ID: 426317967f55bc2b8d076a22fb2a8dcf1c85f3a8f112093483d3870effb55d88
Opcode Fuzzy Hash: 421515283829ddc35b956787f58d423e39949e6c6887f96e861c6dca66fe8524
Instruction Fuzzy Hash: A6D05E607002197BEA109691CC0AE9B7A9CE700B66F000165BA01E72C0E9A0AF048AE1

Function 0040D83A Relevance: 60.3, APIs: 13, Strings: 21, Instructions: 800
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0041BEEE: LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040D856), ref: 0041BF03
Part of subcall function 0041BEEE: GetProcAddress.KERNEL32(00000000), ref: 0041BF0C
Part of subcall function 0041BEEE: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040D856), ref: 0041BF23
Part of subcall function 0041BEEE: GetProcAddress.KERNEL32(00000000), ref: 0041BF26
Part of subcall function 0041BEEE: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D856), ref: 0041BF38
Part of subcall function 0041BEEE: GetProcAddress.KERNEL32(00000000), ref: 0041BF3B
Part of subcall function 0041BEEE: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040D856), ref: 0041BF4C
Part of subcall function 0041BEEE: GetProcAddress.KERNEL32(00000000), ref: 0041BF4F
Part of subcall function 0041BEEE: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040D856), ref: 0041BF60
Part of subcall function 0041BEEE: GetProcAddress.KERNEL32(00000000), ref: 0041BF63
Part of subcall function 0041BEEE: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040D856), ref: 0041BF70
Part of subcall function 0041BEEE: GetProcAddress.KERNEL32(00000000), ref: 0041BF73
Part of subcall function 0041BEEE: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D856), ref: 0041BF80
Part of subcall function 0041BEEE: GetProcAddress.KERNEL32(00000000), ref: 0041BF83
Part of subcall function 0041BEEE: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D856), ref: 0041BF90
Part of subcall function 0041BEEE: GetProcAddress.KERNEL32(00000000), ref: 0041BF93
Part of subcall function 0041BEEE: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D856), ref: 0041BFA4
Part of subcall function 0041BEEE: GetProcAddress.KERNEL32(00000000), ref: 0041BFA7
Part of subcall function 0041BEEE: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D856), ref: 0041BFB4
Part of subcall function 0041BEEE: GetProcAddress.KERNEL32(00000000), ref: 0041BFB7
Part of subcall function 0041BEEE: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D856), ref: 0041BFC8
Part of subcall function 0041BEEE: GetProcAddress.KERNEL32(00000000), ref: 0041BFCB
Part of subcall function 0041BEEE: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D856), ref: 0041BFDC
Part of subcall function 0041BEEE: GetProcAddress.KERNEL32(00000000), ref: 0041BFDF
Part of subcall function 0041BEEE: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D856), ref: 0041BFF0
Part of subcall function 0041BEEE: GetProcAddress.KERNEL32(00000000), ref: 0041BFF3
Part of subcall function 0041BEEE: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040D856), ref: 0041C000
Part of subcall function 0041BEEE: GetProcAddress.KERNEL32(00000000), ref: 0041C003
Part of subcall function 0041BEEE: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040D856), ref: 0041C011

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe,00000104), ref: 0040D863

Part of subcall function 0040FD92: __EH_prolog.LIBCMT ref: 0040FD97

Strings

C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe, xrefs: 0040D85B, 0040DC84
del, xrefs: 0040E14B
hSG, xrefs: 0040E097
Software\, xrefs: 0040D938
Remcos Agent initialized, xrefs: 0040DE5F
8SG, xrefs: 0040D9D7
User, xrefs: 0040E10B
Inj, xrefs: 0040DA4A, 0040DA61
Administrator, xrefs: 0040E0FF
exepath, xrefs: 0040DD07, 0040DDB1
del, xrefs: 0040E167, 0040E1C7
Exe, xrefs: 0040D984
dMG, xrefs: 0040E01B
0TG, xrefs: 0040D9E7
PSG, xrefs: 0040DD91
licence, xrefs: 0040DDF8
license_code.txt, xrefs: 0040D8C2
8SG, xrefs: 0040D97A
SG, xrefs: 0040DBDD
Access Level: , xrefs: 0040E11A
PSG, xrefs: 0040DCDA

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
String ID: SG$0TG$8SG$8SG$Access Level: $Administrator$C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe$Exe$Inj$PSG$PSG$Remcos Agent initialized$Software\$User$dMG$del$del$exepath$hSG$licence$license_code.txt
API String ID: 2830904901-3089908927
Opcode ID: 0594d9b2a5c8721a9b0f3eff75ed75ac23b4dc375cca0bdcfa7f2c3d8d313acc
Instruction ID: b96e9d53b64ce9762df997b7c443b274fb73bccd3fe431706256fac2145036cf
Opcode Fuzzy Hash: 0594d9b2a5c8721a9b0f3eff75ed75ac23b4dc375cca0bdcfa7f2c3d8d313acc
Instruction Fuzzy Hash: 2E32C760B043406ADA14B776DC57BBE259A9F81748F00483FB9467B2E2DEBC9D44C39E

Function 00418195 Relevance: 51.1, APIs: 28, Strings: 1, Instructions: 324
windowmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 004181AF
CreateCompatibleDC.GDI32(00000000), ref: 004181BA

Part of subcall function 00418648: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00418678

CreateCompatibleBitmap.GDI32(?,00000000), ref: 0041823B
DeleteDC.GDI32(?), ref: 00418253
DeleteDC.GDI32(00000000), ref: 00418256
SelectObject.GDI32(00000000,00000000), ref: 00418261
StretchBlt.GDI32(00000000,00000000,00000000,00000000,?,?,?,?,00000000,?,00CC0020), ref: 00418289
GetIconInfo.USER32(?,?), ref: 004182C1
DeleteObject.GDI32(?), ref: 004182F0
DeleteObject.GDI32(?), ref: 004182FD
DrawIcon.USER32(00000000,?,?,?), ref: 0041830A
BitBlt.GDI32(00000000,00000000,00000000,00000000,?,?,00000000,00000000,00660046), ref: 0041833A
GetObjectA.GDI32(?,00000018,?), ref: 00418369
LocalAlloc.KERNEL32(00000040,00000028), ref: 004183B2
LocalAlloc.KERNEL32(00000040,00000001), ref: 004183D5
GlobalAlloc.KERNEL32(00000000,?), ref: 0041843E
GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00418461
DeleteDC.GDI32(?), ref: 00418475
DeleteDC.GDI32(00000000), ref: 00418478
DeleteObject.GDI32(00000000), ref: 0041847B
GlobalFree.KERNEL32(00CC0020), ref: 00418486
DeleteObject.GDI32(00000000), ref: 0041853A
GlobalFree.KERNELBASE(?), ref: 00418541
DeleteDC.GDI32(?), ref: 00418551
DeleteDC.GDI32(00000000), ref: 0041855C
DeleteDC.GDI32(?), ref: 0041858E
DeleteDC.GDI32(00000000), ref: 00418591
DeleteObject.GDI32(?), ref: 00418597

Strings

DISPLAY, xrefs: 004181A8

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: Delete$Object$AllocCreateGlobal$CompatibleFreeIconLocal$BitmapBitsDisplayDrawEnumInfoSelectSettingsStretch
String ID: DISPLAY
API String ID: 1765752176-865373369
Opcode ID: f014c3f535cdc39c90e2c208b2cef83b763ee17ec47546c29dc6992d331a2ac1
Instruction ID: a1654617e6feb41a21483335bab58d6c80918fdf06c9fa75f2eb3c48c5790805
Opcode Fuzzy Hash: f014c3f535cdc39c90e2c208b2cef83b763ee17ec47546c29dc6992d331a2ac1
Instruction Fuzzy Hash: EFC16C31504344AFD7209F21CC44BABBBE9EF88751F44482EF989A32A1DF34E945CB5A

Function 004140AC Relevance: 46.4, APIs: 5, Strings: 21, Instructions: 855
sleepnetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000000,00000029,00475308,?,00000000), ref: 00414100
WSAGetLastError.WS2_32 ref: 00414321
Sleep.KERNEL32(00000000,00000002), ref: 00414D1A

Part of subcall function 0041A891: GetLocalTime.KERNEL32(00000000), ref: 0041A8AB

Strings

name, xrefs: 004144F2
C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe, xrefs: 0041454C
hSG, xrefs: 004146BC
%I64u, xrefs: 00414485
TLS Off, xrefs: 0041426B, 0041427E
TLS On , xrefs: 00414279
Disconnected, xrefs: 00414C8A
PhNG, xrefs: 0041456F
VG, xrefs: 00414695
Connecting | , xrefs: 00414298
| , xrefs: 004142A2, 004143E8
Connection Error: , xrefs: 00414332
UG, xrefs: 00414230
NG, xrefs: 004145A6
6.0.0 Pro, xrefs: 00414689
hlight, xrefs: 0041451F
NG, xrefs: 004145E4
Connection Error: Unable to create socket, xrefs: 0041437C
dMG, xrefs: 00414657
Connected | , xrefs: 004143E3
PSG, xrefs: 004144CC

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: Sleep$ErrorLastLocalTime
String ID: | $%I64u$6.0.0 Pro$C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe$Connected | $Connecting | $Connection Error: $Connection Error: Unable to create socket$Disconnected$PSG$PhNG$TLS Off$TLS On $dMG$hSG$hlight$name$NG$NG$UG$VG
API String ID: 524882891-3697509818
Opcode ID: cba9574a81fdbd1965ccfbce74c93add01a9028576c14112c3b54c9fb10de30e
Instruction ID: c3263a97f07b8ae9d11225c8127e62ab27a72c03ae3a8f764161ebb565a1ac44
Opcode Fuzzy Hash: cba9574a81fdbd1965ccfbce74c93add01a9028576c14112c3b54c9fb10de30e
Instruction Fuzzy Hash: EE625E71A001145ACB18F771DDA6AEE73659FA0308F1041BFB80A771E2EF785E85CA9D

Function 0040A3F4 Relevance: 22.9, APIs: 6, Strings: 7, Instructions: 158
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__Init_thread_footer.LIBCMT ref: 0040A456
Sleep.KERNEL32(000001F4), ref: 0040A461
GetForegroundWindow.USER32 ref: 0040A467
GetWindowTextLengthW.USER32(00000000), ref: 0040A470
GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0040A4A4
Sleep.KERNEL32(000003E8), ref: 0040A574

Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,?,0040AF3F,?,?,?,?,?,00000000), ref: 00409D84

Strings

{ User has been idle for , xrefs: 0040A5AB
<mG, xrefs: 0040A43B
], xrefs: 0040A508
<mG, xrefs: 0040A4AA
<mG, xrefs: 0040A4C0
[, xrefs: 0040A50E
minutes }, xrefs: 0040A59F

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: Window$SleepText$EventForegroundInit_thread_footerLength
String ID: [${ User has been idle for $ minutes }$<mG$<mG$<mG$]
API String ID: 911427763-3636820255
Opcode ID: 89f2fb798528b21680e5d26758fc8fa0f7a9c1d46c1229a9f80a86482ea440bb
Instruction ID: ab9145b4e211f5f3da3af6290e6e7a2c9d96cae7f6b46a2c86e206227f6ebbf0
Opcode Fuzzy Hash: 89f2fb798528b21680e5d26758fc8fa0f7a9c1d46c1229a9f80a86482ea440bb
Instruction Fuzzy Hash: 1951D0716043409BC324FB25D886AAE7795AF84718F00093FF446A32E2DF7C9E55868F

Function 0040428C Relevance: 19.4, APIs: 4, Strings: 7, Instructions: 147
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

connect.WS2_32(?,?,?), ref: 004042A5
CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,0040192B), ref: 004043CB
CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,0040192B), ref: 004043D5
WSAGetLastError.WS2_32(?,?,?,0040192B), ref: 004043E7

Part of subcall function 0041A891: GetLocalTime.KERNEL32(00000000), ref: 0041A8AB

Strings

TLS Handshake... | , xrefs: 004042C9
TLS Error 1, xrefs: 004042FC
TLS Error 3, xrefs: 0040439D
Connection Failed: , xrefs: 0040440C
TLS Error 2, xrefs: 0040431A
TLS Authentication Failed, xrefs: 0040435E
Connection Refused, xrefs: 0040443E

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: CreateEvent$ErrorLastLocalTimeconnect
String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
API String ID: 994465650-2151626615
Opcode ID: 3de94ab0e66eda819ef2ab692e3ed842bea7be81516bcb9effce6a7158ccd530
Instruction ID: 8d860672b69a19ae3c360ccb47b0a38bc4e99592ce22fc56bfe6acc5d0e7da0a
Opcode Fuzzy Hash: 3de94ab0e66eda819ef2ab692e3ed842bea7be81516bcb9effce6a7158ccd530
Instruction Fuzzy Hash: D54109B0B0020277CA04B77A884766E7A55AB85314B80012FE901A7AD3FE3DAD2587DF

Function 0040C89E Relevance: 17.6, APIs: 1, Strings: 9, Instructions: 139
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 0040CA04

Strings

UserProfile, xrefs: 0040C9C2
ProgramFiles, xrefs: 0040C9D8
ProgramData, xrefs: 0040C9C9
\SysWOW64, xrefs: 0040C96A
SystemDrive, xrefs: 0040C8FB
AppData, xrefs: 0040C9BB
\system32, xrefs: 0040C918
WinDir, xrefs: 0040C905, 0040C927, 0040C979
Temp, xrefs: 0040C8D0

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: LongNamePath
String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
API String ID: 82841172-425784914
Opcode ID: 8058316647152c20abd1cdabdfa83951e42b6909899b53d80ef63206f3cf228c
Instruction ID: f058a63a2e06dcb2b247864a9289bab0e783a4957c20bc3838a58b63f1508e50
Opcode Fuzzy Hash: 8058316647152c20abd1cdabdfa83951e42b6909899b53d80ef63206f3cf228c
Instruction Fuzzy Hash: F0415C721482009AC214F721DC97DAFB7A4AE90759F10063FF546720E2EE7CAA59C69F

Function 00409E48 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 163
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00001388), ref: 00409E62

Part of subcall function 00409D97: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409E6F), ref: 00409DCD
Part of subcall function 00409D97: GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409E6F), ref: 00409DDC
Part of subcall function 00409D97: Sleep.KERNEL32(00002710,?,?,?,00409E6F), ref: 00409E09
Part of subcall function 00409D97: CloseHandle.KERNEL32(00000000,?,?,?,00409E6F), ref: 00409E10

CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00409E9E
GetFileAttributesW.KERNEL32(00000000), ref: 00409EAF
SetFileAttributesW.KERNEL32(00000000,00000080), ref: 00409EC6
PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 00409F40

Part of subcall function 0041B825: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B83E

SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00466900,?,00000000,00000000,00000000,00000000,00000000), ref: 0040A049

Strings

PSG, xrefs: 00409F24
PSG, xrefs: 00409F19

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
String ID: PSG$PSG
API String ID: 3795512280-3836871860
Opcode ID: f51c8a451bae5ce4cb9b41d7c84fb8ee8e58ebb1526cc16bd191c939a7bee33b
Instruction ID: 2e46ee78bd67d64478951c63fc585b7447d0c94e1b250d5b4a4871e09aa14890
Opcode Fuzzy Hash: f51c8a451bae5ce4cb9b41d7c84fb8ee8e58ebb1526cc16bd191c939a7bee33b
Instruction Fuzzy Hash: 68517F716043005ACB05BB71C866ABF779AAF81309F00453FF886B71E2DE7D9D45C69A

Function 0041A66E Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0041B366: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B377

Part of subcall function 004125EB: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 0041260F
Part of subcall function 004125EB: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 0041262C
Part of subcall function 004125EB: RegCloseKey.KERNEL32(?), ref: 00412637

StrToIntA.SHLWAPI(00000000,0046CC58,?,00000000,00000000,004750FC,00000003,Exe,00000000,0000000E,00000000,0046656C,00000003,00000000), ref: 0041A6E4

Strings

ProductName, xrefs: 0041A67D
SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 0041A682, 0041A68C, 0041A6CA
(64 bit), xrefs: 0041A711, 0041A71B
(32 bit), xrefs: 0041A70C
CurrentBuildNumber, xrefs: 0041A6C5
8ZG, xrefs: 0041A69D

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: CloseCurrentOpenProcessQueryValue
String ID: (32 bit)$ (64 bit)$8ZG$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
API String ID: 1866151309-1475859423
Opcode ID: 8bb5d8e7f89d1d66d189f69efb5f33a0046ea50dbfee033791c9c80dded757db
Instruction ID: 1adcdd06a104af508aeef54d465e0c78d2d81651f2e3fe11076ab4bcd17b792f
Opcode Fuzzy Hash: 8bb5d8e7f89d1d66d189f69efb5f33a0046ea50dbfee033791c9c80dded757db
Instruction Fuzzy Hash: 1811C660A001012AC704B3A6DCDBDBF765A9B91304F44413FB856A71E2FB6C9D9583EE

Function 0041A726 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 68
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041A749
InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041A75F
InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041A778
InternetCloseHandle.WININET(00000000), ref: 0041A7BE
InternetCloseHandle.WININET(00000000), ref: 0041A7C1

Strings

http://geoplugin.net/json.gp, xrefs: 0041A759

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen$FileRead
String ID: http://geoplugin.net/json.gp
API String ID: 3121278467-91888290
Opcode ID: 18955b8fabe3660c6f83c06147cef84eb9f6d6413300c9467b7eacfb49d9d00e
Instruction ID: dd066ffe0ad47051801ff1a9504fa95a24023bf504f9cdcf24902ddc36d2e50e
Opcode Fuzzy Hash: 18955b8fabe3660c6f83c06147cef84eb9f6d6413300c9467b7eacfb49d9d00e
Instruction Fuzzy Hash: C311947110A3126BD624EB169C85DBF7BECEF86765F00043EF845A2191DF68D848C6BA

Function 00409D97 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58
sleepfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409E6F), ref: 00409DCD
GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409E6F), ref: 00409DDC
Sleep.KERNEL32(00002710,?,?,?,00409E6F), ref: 00409E09
CloseHandle.KERNEL32(00000000,?,?,?,00409E6F), ref: 00409E10

Strings

pQG, xrefs: 00409DC2

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleSizeSleep
String ID: pQG
API String ID: 1958988193-3769108836
Opcode ID: a8be8c16880439c766c810802cad88d1de10d530097162c07d361957ed4d994b
Instruction ID: 007c54a35b5ab6fada7f5b2b4f31fda992404cc28ee9ac254c5285dcec39f6dc
Opcode Fuzzy Hash: a8be8c16880439c766c810802cad88d1de10d530097162c07d361957ed4d994b
Instruction Fuzzy Hash: 0911E730640B406AE720E724D88972F7B9AAB81316F44047EF18566AE3CA799CD5C29D

Function 004127AA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 37
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004127B9
RegSetValueExA.KERNEL32(?,XwF,00000000,?,00000000,00000000,00475308,?,?,0040E6D3,00467758,6.0.0 Pro), ref: 004127E1
RegCloseKey.KERNEL32(?,?,?,0040E6D3,00467758,6.0.0 Pro), ref: 004127EC

Strings

pth_unenc, xrefs: 004127AE
XwF, xrefs: 004127DB

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: CloseCreateValue
String ID: XwF$pth_unenc
API String ID: 1818849710-1649331827
Opcode ID: 003af5593e895fcdf7f1354251e976ce7b0cb98045418862ca23e2dd2000f068
Instruction ID: b42ea712bc7a6ff48bd64609183fdbccf638e423d93a2202917fd6756948167f
Opcode Fuzzy Hash: 003af5593e895fcdf7f1354251e976ce7b0cb98045418862ca23e2dd2000f068
Instruction Fuzzy Hash: 27F06D32140204BBCB00AFA1DD45AEF3768EF00751B108169B916B60A1EE759E04EBA4

Function 00447153 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(0000000A,0000000B,0000000A,00445569,00440CA8,00000000,?,?,?,?,00440E8B,00000000,0000000A,000000FF,0000000A,00000000), ref: 00447158
_free.LIBCMT ref: 0044718D
_free.LIBCMT ref: 004471B4
SetLastError.KERNEL32(00000000,0000000A,00000000), ref: 004471C1
SetLastError.KERNEL32(00000000,0000000A,00000000), ref: 004471CA

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: c73b76ca02ce190c9082a6036dde6ca48763b4b9e088bcde2ec0a65c3a46cc10
Instruction ID: 9627307c59aa3692a64de8377ee3c20019e30fe80ec8d82769d3f9bfdfbdb6fb
Opcode Fuzzy Hash: c73b76ca02ce190c9082a6036dde6ca48763b4b9e088bcde2ec0a65c3a46cc10
Instruction Fuzzy Hash: 3E01F97624CB102BB30267B95C85D2B2A29DBC17B6726012FF509A6392EF2C8C07515D

Function 00404468 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92synchronizationnetworkCOMMON

Download Yara Rule

APIs

send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
WaitForSingleObject.KERNEL32(?,00000000,{NAL,?,?,00000004,?,?,00000004,00474EE0,004755B0,00000000), ref: 0040450E
SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00474EE0,004755B0,00000000,?,?,?,?,?,00414E7B), ref: 0040453C

Strings

{NAL, xrefs: 00404473, 004044D6, 0040454A, 004044DC

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: EventObjectSingleWaitsend
String ID: {NAL
API String ID: 3963590051-1903569844
Opcode ID: b5de4d74b5d400c31c2a5d84294cf86768d6602e9c4e63d79063061539c9c55f
Instruction ID: 09920f02ef31e30e393b68ef0c8285e211ae926702cc5adcda46913b737bad1c
Opcode Fuzzy Hash: b5de4d74b5d400c31c2a5d84294cf86768d6602e9c4e63d79063061539c9c55f
Instruction Fuzzy Hash: 552137B29005156BCF04ABA5DC96DEE777CBF54358B00413EF916B21E1EE78A504C6E4

Function 004098A5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 70threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,004099A9,?,00000000,00000000), ref: 0040992A
CreateThread.KERNEL32(00000000,00000000,Function_00009993,?,00000000,00000000), ref: 0040993A
CreateThread.KERNEL32(00000000,00000000,Function_000099B5,?,00000000,00000000), ref: 00409946

Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040A884
Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905

Strings

Offline Keylogger Started, xrefs: 004098C7, 004098CE, 004098FB

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: CreateThread$LocalTimewsprintf
String ID: Offline Keylogger Started
API String ID: 465354869-4114347211
Opcode ID: cc1b8e756a79e7dfddc5899faecbeca08fcee506b9212d88ec03cf3c6ecf7b49
Instruction ID: 15e43fcc554e39227c644a0273f32637653ac1eeca6ef832bd6c9a92d0497390
Opcode Fuzzy Hash: cc1b8e756a79e7dfddc5899faecbeca08fcee506b9212d88ec03cf3c6ecf7b49
Instruction Fuzzy Hash: 0A1198B15003097AD224BA36CC86DBF7A5CDA813A8B40053EB845622D3EA785E14C6FB

Function 004128AD Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31registryCOMMON

Download Yara Rule

APIs

RegCreateKeyA.ADVAPI32(80000001,00000000,TeF), ref: 004128BB
RegSetValueExA.KERNEL32(TeF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004670E0,00000001,000000AF,00466554), ref: 004128D6
RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004670E0,00000001,000000AF,00466554), ref: 004128E1

Strings

TeF, xrefs: 004128B1, 004128D3, 004128B4

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: CloseCreateValue
String ID: TeF
API String ID: 1818849710-331424825
Opcode ID: 69388a3f5ca785ef31159ee28a7932d701a8b17d3c2adace4bd37096d90c6bf5
Instruction ID: 5082c9e4fe043c0a9a82c1e0a3a4def458545ef8caf92c2e29ea1f35f3ad8a86
Opcode Fuzzy Hash: 69388a3f5ca785ef31159ee28a7932d701a8b17d3c2adace4bd37096d90c6bf5
Instruction Fuzzy Hash: C9E03971640308BFDF119B919C05FDB3BA8EB04B95F004165FA05F61A1DAB1DE18EBA8

Function 00404688 Relevance: 6.1, APIs: 4, Instructions: 121synchronizationthreadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,?), ref: 00404778
CreateThread.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 0040478C
WaitForSingleObject.KERNEL32(?,000000FF,?,00000000), ref: 00404797
CloseHandle.KERNEL32(?,?,00000000), ref: 004047A0

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: Create$CloseEventHandleObjectSingleThreadWait
String ID:
API String ID: 3360349984-0
Opcode ID: 9617c1c77b3540baec9c61ab2e4dd9d42702906bdf543f674b1f8784a173c439
Instruction ID: 5371640f48c6a0368c7cea64887978d4ac2a240c02499e3407376e9d4191e8ff
Opcode Fuzzy Hash: 9617c1c77b3540baec9c61ab2e4dd9d42702906bdf543f674b1f8784a173c439
Instruction Fuzzy Hash: 10417171504301ABC700FB61CC55D7FBBE9AFD5315F00093EF892A32E2EE389909866A

Function 0041AB95 Relevance: 6.1, APIs: 4, Instructions: 78timesleepCOMMON

Download Yara Rule

APIs

GetSystemTimes.KERNEL32(?,?,?), ref: 0041ABAB
Sleep.KERNEL32(000003E8), ref: 0041ABB6
GetSystemTimes.KERNEL32(?,?,?), ref: 0041ABCB
__aulldiv.LIBCMT ref: 0041AC67

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: SystemTimes$Sleep__aulldiv
String ID:
API String ID: 188215759-0
Opcode ID: a7e496ea74412c4f74dd561fc1d9e5efe2a930fde01781876ab294e7da94f75c
Instruction ID: 7cb4eddd506215a21d9c44be4850b318e12e80d273729b61be08d6c7a3dfdc1e
Opcode Fuzzy Hash: a7e496ea74412c4f74dd561fc1d9e5efe2a930fde01781876ab294e7da94f75c
Instruction Fuzzy Hash: 9A216D725043009FC304EF65D9858AFB7E8EFC8714F044A2EF58593251EA38EA49CBA7

Function 0041B79A Relevance: 6.1, APIs: 4, Instructions: 64fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00466900,00000000,00000000,0040C267,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041B7D9
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0041B7F6
WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041B80A
CloseHandle.KERNEL32(00000000), ref: 0041B817

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandlePointerWrite
String ID:
API String ID: 3604237281-0
Opcode ID: 801f75d00fac8da0c66411ebabb5881698d5c73b15829ac97cd3568d121a9cb6
Instruction ID: fca0af3f27241acfb9d15a16a542bc487c24adb9e916811621f81636ea96e045
Opcode Fuzzy Hash: 801f75d00fac8da0c66411ebabb5881698d5c73b15829ac97cd3568d121a9cb6
Instruction Fuzzy Hash: 1501F5712052057FE6105E249CC9EBB739CEB82B75F10063EF662D23C1DB25CC8686B9

Function 00414D2D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 163COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 00414D52
GetTickCount.KERNEL32 ref: 00414DCE

Strings

NG, xrefs: 00414D81

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: CountEventTick
String ID: NG
API String ID: 180926312-1651712548
Opcode ID: 060940e25ac8971c94ae7a490dbd6ea47cd5478e2e271b8134bfcfb9f4dcc145
Instruction ID: 085b2f02be9ab0868ba51c73fb921716b1faa5b055701b3286f453889ed4f7a0
Opcode Fuzzy Hash: 060940e25ac8971c94ae7a490dbd6ea47cd5478e2e271b8134bfcfb9f4dcc145
Instruction Fuzzy Hash: C85182321042409AC624FB71D8A2AEF73E5AFD0304F00453FB94A671E2EF789949C69E

Function 0040BED7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexA.KERNEL32(00000000,00000001,00000000,0040DA7D,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,0046656C,00000003,00000000), ref: 0040BEE6
GetLastError.KERNEL32 ref: 0040BEF1

Strings

8SG, xrefs: 0040BED7

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: CreateErrorLastMutex
String ID: 8SG
API String ID: 1925916568-2887235486
Opcode ID: b5077f7ec388620cf5be0ca51e32a1ab35e6e66f7e0f9972a02b1c78fa9675f2
Instruction ID: 2210f0ff69d3cac9d22e7a3f14049619627ec1602d204fa864a150733b7892bf
Opcode Fuzzy Hash: b5077f7ec388620cf5be0ca51e32a1ab35e6e66f7e0f9972a02b1c78fa9675f2
Instruction Fuzzy Hash: B9D012702057009BE70817709D4E76D3951D784703F00407DB90BE51E1CEA488409519

Function 004125EB Relevance: 4.5, APIs: 3, Instructions: 42registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 0041260F
RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 0041262C
RegCloseKey.KERNEL32(?), ref: 00412637

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: a01adbe8d93d7843240e1245e145c4eb73053e88c38affbd61dab3a9f8b8539c
Instruction ID: 14faf112d3046a25d46051106a5b1d66d342437105d793e51b0bcc882fecfd0c
Opcode Fuzzy Hash: a01adbe8d93d7843240e1245e145c4eb73053e88c38affbd61dab3a9f8b8539c
Instruction Fuzzy Hash: D8F0D176900118BBCB209B91DD09EDF7B7CEB44B50F00406ABA05F2190DA749E599BA8

Function 00412735 Relevance: 4.5, APIs: 3, Instructions: 41registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,00475308), ref: 00412751
RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 0041276A
RegCloseKey.KERNEL32(00000000), ref: 00412775

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 2290404c5028f19351fda844a65f428930317fa0cea8d3593e6495ca7ac6aa60
Instruction ID: 218a6bf298efa18a53fa985214dbde7e418f837aa6fd6996b0f70a828ecfe766
Opcode Fuzzy Hash: 2290404c5028f19351fda844a65f428930317fa0cea8d3593e6495ca7ac6aa60
Instruction Fuzzy Hash: 6501AD35800229BFDF215F91DC09DDF7F38EF05760F004065BA08A20A0EB3589A9DBA4

Function 0041258F Relevance: 4.5, APIs: 3, Instructions: 38registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004125AF
RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,00475308), ref: 004125CD
RegCloseKey.KERNEL32(?), ref: 004125D8

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: f2bc15ec1dd87dd5d2b8e96f704feec537dddf8cd8f352820b88cb246238aa27
Instruction ID: f1b1b21d3432ee16d2560aa6e8f8b6fc3b679f7482eced78fea8614e15db81c1
Opcode Fuzzy Hash: f2bc15ec1dd87dd5d2b8e96f704feec537dddf8cd8f352820b88cb246238aa27
Instruction Fuzzy Hash: B4F03075A00208BFDF119FA09C45FDEBBB8EB04B55F104065FA05F6191D670DA54DB94

Function 00412546 Relevance: 4.5, APIs: 3, Instructions: 32registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?,00000000,?,?,0040B996,004670E0), ref: 0041255D
RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,0040B996,004670E0), ref: 00412571
RegCloseKey.KERNEL32(?,?,?,0040B996,004670E0), ref: 0041257C

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 90b816baf6681459c689896bd7ee7621983de5913a9f55156db5b466bfdb1e74
Instruction ID: da5e3a6b8615f7fc9763e362b131f946d251b316bd2acc507b7b22157b73f9fc
Opcode Fuzzy Hash: 90b816baf6681459c689896bd7ee7621983de5913a9f55156db5b466bfdb1e74
Instruction Fuzzy Hash: 1BE03931941224BB9B200BA29D09EDB7F6DEF06BA1B010455B809A2111DAA18E54EAF4

Function 00417AA9 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 135COMMON

Download Yara Rule

APIs

GdiplusStartup.GDIPLUS(00474AF4,?,00000000,004757C0,?,00000000), ref: 00417AF9

Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD

Part of subcall function 004047EB: WaitForSingleObject.KERNEL32(0040466D,000000FF,00000000,?,?,00000000,?,0040466D,00000000,?,?), ref: 004047FD
Part of subcall function 004047EB: SetEvent.KERNEL32(0040466D,?,00000000,?,0040466D,00000000,?,?,?,00000000), ref: 00404808
Part of subcall function 004047EB: CloseHandle.KERNEL32(0040466D,?,00000000,?,0040466D,00000000,?,?,?,00000000), ref: 00404811

Strings

NG, xrefs: 00417BB3

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: CloseEventGdiplusHandleObjectSingleStartupWaitsend
String ID: NG
API String ID: 3841810518-1651712548
Opcode ID: e934312635e02f6cccf21a1a845dedef51b8525978cf4b269c9f685e1ca40080
Instruction ID: 24f710431f87bb8c4a71e67c72c2239940d7293f2891f037fe4f689efd11e20a
Opcode Fuzzy Hash: e934312635e02f6cccf21a1a845dedef51b8525978cf4b269c9f685e1ca40080
Instruction Fuzzy Hash: FF4172713042005BC618FB71D8A2AFFB395ABD4308F10453FF94A572D2EF78594A869E

Function 0041AB17 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(?), ref: 0041AB2F

Strings

@, xrefs: 0041AB23

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: GlobalMemoryStatus
String ID: @
API String ID: 1890195054-2766056989
Opcode ID: 1f373de7373fca73aae67113848499a281b9ea6c5d4bde3cba777b2765641b05
Instruction ID: c886a1cb5b033e49400669607b807ed2acfa4fc0ecd365fa3ec0929bbc02049d
Opcode Fuzzy Hash: 1f373de7373fca73aae67113848499a281b9ea6c5d4bde3cba777b2765641b05
Instruction Fuzzy Hash: 96E0C2B6901228EBCB10DFA9E98498DFBF8FF48664B008126E909B3344D370E805CB90

Function 0041AB50 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(?), ref: 0041AB64

Strings

@, xrefs: 0041AB5A

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: GlobalMemoryStatus
String ID: @
API String ID: 1890195054-2766056989
Opcode ID: a4fe8e15525f2be1febd29730eb74c732a6063ed027868c332be47892e1af589
Instruction ID: b665d68c061e3f9f56ba9c4249da2251c097319f67e9030db6e937b6cf7da2fa
Opcode Fuzzy Hash: a4fe8e15525f2be1febd29730eb74c732a6063ed027868c332be47892e1af589
Instruction Fuzzy Hash: 00D067B59013189FCB20DFA8E945A8DBBF8EB48214F004529E946E3744E774E945CB94

Function 00417988 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 12COMMON

Download Yara Rule

APIs

GdipLoadImageFromStream.GDIPLUS(?,?,?,00417E11,00000000,?,?,?,?,00000000), ref: 0041799C

Strings

YyA, xrefs: 0041798E

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: FromGdipImageLoadStream
String ID: YyA
API String ID: 3292405956-1661632404
Opcode ID: 6b815a9a4963b74d3bc1a2751b028ab6595660ed9c8fdd428ea3c8c463bc3307
Instruction ID: c416f4b8239c06ff0a3ca34b47412c7883467aa553140555bb067b5d2f2a4f94
Opcode Fuzzy Hash: 6b815a9a4963b74d3bc1a2751b028ab6595660ed9c8fdd428ea3c8c463bc3307
Instruction Fuzzy Hash: 6DD0C9725002119FC3619F04EC40A92B7E8EB55713F11C92FA896D2620E7B4AC448F64

Function 004179AB Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 4COMMON

Download Yara Rule

APIs

GdipDisposeImage.GDIPLUS(?,00417EC2), ref: 004179B4

Strings

YyA, xrefs: 004179AE

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: DisposeGdipImage
String ID: YyA
API String ID: 1024088383-1661632404
Opcode ID: 0b75b8e188b2c1e080c05397ff57465d29dfdffccc3d46a70387a439a8051644
Instruction ID: a6b1128ee4d630f398833de059b196f96dd36f7b291f3e06f0aea0641f1b368d
Opcode Fuzzy Hash: 0b75b8e188b2c1e080c05397ff57465d29dfdffccc3d46a70387a439a8051644
Instruction Fuzzy Hash: 80A00174481202DFCF025F60AA49414BEA5AB5770A324C299988959222EB77D416DF6A

Function 004041F1 Relevance: 3.0, APIs: 2, Instructions: 40networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(?,00000001,00000006), ref: 00404212

Part of subcall function 00404262: WSAStartup.WS2_32(00000202,00000000), ref: 00404277

CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404252

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: CreateEventStartupsocket
String ID:
API String ID: 1953588214-0
Opcode ID: 9dcc25316a99288ac387cf2e613c868b0e107fead0b532e7680f1acbcbd447ec
Instruction ID: e62a462d4859cb901c95814de100b0ae44c334504336dc08fc7633b5118be932
Opcode Fuzzy Hash: 9dcc25316a99288ac387cf2e613c868b0e107fead0b532e7680f1acbcbd447ec
Instruction Fuzzy Hash: 100171B0508B809FD7358F38B8456977FE0AB15314F044DAEF1D697BA1C7B5A481CB18

Function 00433818 Relevance: 3.0, APIs: 2, Instructions: 38COMMONLIBRARYCODE

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00433FF2

Part of subcall function 00437DE7: RaiseException.KERNEL32(?,?,00434621,?,?,?,?,?,?,?,?,00434621,?,0046E654,0041AF80,?), ref: 00437E47

__CxxThrowException@8.LIBVCRUNTIME ref: 0043400F

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID:
API String ID: 3476068407-0
Opcode ID: aa33f71218ff2e33c7e0abf3df586dfddbac15aa65d93ad702ff3d6b6945e10b
Instruction ID: 1c2073f64fee591a786a8a3f9c67cac18272885bad9296719f7a79fda1cbf913
Opcode Fuzzy Hash: aa33f71218ff2e33c7e0abf3df586dfddbac15aa65d93ad702ff3d6b6945e10b
Instruction Fuzzy Hash: 1BF0BB25C0430D768B04BEA6E80A9AD33BC5E08329F50513BB825914D1FB7C9759C5CD

Function 0041AE5D Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 0041AE7F
GetWindowTextW.USER32(00000000,?,00000100), ref: 0041AE92

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: Window$ForegroundText
String ID:
API String ID: 29597999-0
Opcode ID: 27a61dc13c3baf2ab93a997f5cd2cb0d43e4b22d1e77ef92c0de48519faa66db
Instruction ID: 7a6786a6daea7d79da8b38e9164549a295f8c3929764bf887eb2819544a3ffc0
Opcode Fuzzy Hash: 27a61dc13c3baf2ab93a997f5cd2cb0d43e4b22d1e77ef92c0de48519faa66db
Instruction Fuzzy Hash: 4AE04875A0031867FB20B7659C4EFD6766C9704B05F0400ADB619E21C3EDB4EA048BE4

Function 00414072 Relevance: 3.0, APIs: 2, Instructions: 21networkCOMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32(00000000,00000000,00000000,00472B28,004750FC,00000000,00414318,00000000,00000001), ref: 00414094
WSASetLastError.WS2_32(00000000), ref: 00414099

Part of subcall function 00413F0F: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00413F5E
Part of subcall function 00413F0F: LoadLibraryA.KERNEL32(?), ref: 00413FA0
Part of subcall function 00413F0F: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413FC0
Part of subcall function 00413F0F: FreeLibrary.KERNEL32(00000000), ref: 00413FC7
Part of subcall function 00413F0F: LoadLibraryA.KERNEL32(?), ref: 00413FFF
Part of subcall function 00413F0F: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414011
Part of subcall function 00413F0F: FreeLibrary.KERNEL32(00000000), ref: 00414018
Part of subcall function 00413F0F: GetProcAddress.KERNEL32(00000000,?), ref: 00414027

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: Library$AddressProc$FreeLoad$DirectoryErrorLastSystemgetaddrinfo
String ID:
API String ID: 1170566393-0
Opcode ID: 82e440812e84df215c52e3f2a247b94cffd3b5d9bcffb41726cfdd66b840233f
Instruction ID: e2cb8cd332084910a557c38b5932e5372e8318120e5bc29c0191cd414ba32ecd
Opcode Fuzzy Hash: 82e440812e84df215c52e3f2a247b94cffd3b5d9bcffb41726cfdd66b840233f
Instruction Fuzzy Hash: F4D012326406216B93506B6D5D01EBB5AEDDF96761B06003BF508D6111DA946C4142A8

Function 00409517 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00409531

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: _wcslen
String ID:
API String ID: 176396367-0
Opcode ID: 025e3e4768cc8a802bf55c327d7a2483ad7764abdea9560a4cc63c803d4be503
Instruction ID: 7b719d08391bbb12b01dd12fa1e9474f3c31e37c6e717f7fed2b29792a4b3228
Opcode Fuzzy Hash: 025e3e4768cc8a802bf55c327d7a2483ad7764abdea9560a4cc63c803d4be503
Instruction Fuzzy Hash: B71193329002059BCB05FF66D8529EE77A4EF54319B10443FF842662E2EF78A915CB98

Function 00448916 Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,0000000A,00000000,?,00447184,00000001,00000364,?,?,00440E8B,00000000,0000000A,000000FF,0000000A,00000000,?), ref: 00448957

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 2c0c69a6d0450f8205c6b3d3ecae47eb244d617f5f4b8047d462909e87cbea64
Instruction ID: 26c2e56809404158c0b29fa9b74778046e098960ac6c1563bbfba353e7bfba60
Opcode Fuzzy Hash: 2c0c69a6d0450f8205c6b3d3ecae47eb244d617f5f4b8047d462909e87cbea64
Instruction Fuzzy Hash: EBF0E971504E35ABBB315A669D46B7F7749EF41B70B14802FBC08B6290CE78D80197EE

Function 00446D0F Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00434613,?,?,00437437,?,?,?,?,?,0040CD5A,00434613,?,?,?,?), ref: 00446D41

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 0df71086ebe011a22fdff847967a9c5229befe104b2723ee1c4cd472e7f23894
Instruction ID: 40638bbf90b8c7646580dfe44e72c34c865d7c07d7b9b06d8b79509a7ad90776
Opcode Fuzzy Hash: 0df71086ebe011a22fdff847967a9c5229befe104b2723ee1c4cd472e7f23894
Instruction Fuzzy Hash: 52E0E5B1B00220A6FB202A6A8C02B5B36498F437B4F070033AC0A9A291CE6CCC4081AF

Function 00404262 Relevance: 1.5, APIs: 1, Instructions: 15networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000202,00000000), ref: 00404277

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: 512c305c5d81d862cf08042479f934390d4c65f7aad148c3c3ac63496dcf4775
Instruction ID: a6df37c1a3c4b0bfee4e794801b63ea3b6ec8424062e123ecf3ffc10766d7ffb
Opcode Fuzzy Hash: 512c305c5d81d862cf08042479f934390d4c65f7aad148c3c3ac63496dcf4775
Instruction Fuzzy Hash: F7D012325586094ED620AAB5AD0F8A4775CD317611F0003BA6CB5825D3FA84561CC6AB

Function 004179FB Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00417E67,00000000,?,?), ref: 00417A0D

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: GdipImageSaveStream
String ID:
API String ID: 971487142-0
Opcode ID: 560899ce446b4df5cbbf587b5dc22dc3b23c0c7b5a029273649944ab77091904
Instruction ID: 234b4fee382431d5f696987cdba4a48248ff408daa68a05ea21ce747e8bf2435
Opcode Fuzzy Hash: 560899ce446b4df5cbbf587b5dc22dc3b23c0c7b5a029273649944ab77091904
Instruction Fuzzy Hash: B9C01272008351AF8B12DF40DC05D6FBFA6FF98310B040C1DF56541120CB218864DB55

Function 004045AA Relevance: 1.5, APIs: 1, Instructions: 11threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,Function_000045C6,00475920,00000000,00000000), ref: 004045BD

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: f82cd8bf721802bda6ad9a3339813e43b5bd2c1f5f501421a36ff160661b679e
Instruction ID: 5d7dc6040bb5beb69a998e0b7efaeee5010d171735069ebf598f78582634bb40
Opcode Fuzzy Hash: f82cd8bf721802bda6ad9a3339813e43b5bd2c1f5f501421a36ff160661b679e
Instruction Fuzzy Hash: 94C04CF19102007FA600CF20CD49C3776DCE75074172185697904D2141D575DD01C539

Function 0040262E Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

_Deallocate.LIBCONCRT ref: 00402636

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: Deallocate
String ID:
API String ID: 1075933841-0
Opcode ID: fa11f090124af29c98583f2c3e9d30177ae40f5e0afd44ce9742dc7edc058cff
Instruction ID: a98dd8728e001a7547a03d6555be836c7c4d92c50a1b5b3c87ce8ff60de75990
Opcode Fuzzy Hash: fa11f090124af29c98583f2c3e9d30177ae40f5e0afd44ce9742dc7edc058cff
Instruction Fuzzy Hash: 69A0123300C2016AC9852E00DD05C0ABFA1EB90360F20C41FF086140F0CB32A0B0A705

Non-executed Functions

Function 00405042 Relevance: 47.5, APIs: 15, Strings: 12, Instructions: 280pipesleepfileCOMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0040508E

Part of subcall function 004336DA: EnterCriticalSection.KERNEL32(00471D18,00476D54,?,0040AEAC,00476D54,00456FA7,?,00000000,00000000), ref: 004336E4
Part of subcall function 004336DA: LeaveCriticalSection.KERNEL32(00471D18,?,0040AEAC,00476D54,00456FA7,?,00000000,00000000), ref: 00433717

Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD

__Init_thread_footer.LIBCMT ref: 004050CB
CreatePipe.KERNEL32(00476D14,00476CFC,00476C20,00000000,0046656C,00000000), ref: 0040515E
CreatePipe.KERNEL32(00476D00,00476D1C,00476C20,00000000), ref: 00405174
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00476C30,00476D04), ref: 004051E7

Part of subcall function 00433724: EnterCriticalSection.KERNEL32(00471D18,?,00476D54,?,0040AE8B,00476D54,?,00000000,00000000), ref: 0043372F
Part of subcall function 00433724: LeaveCriticalSection.KERNEL32(00471D18,?,0040AE8B,00476D54,?,00000000,00000000), ref: 0043376C

Sleep.KERNEL32(0000012C,00000093,?), ref: 0040523F
PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00405264
ReadFile.KERNEL32(00000000,?,?,00000000), ref: 00405291

Part of subcall function 00433AB0: __onexit.LIBCMT ref: 00433AB6

WriteFile.KERNEL32(00000000,00000000,?,00000000,00474F90,00466570,00000062,00466554), ref: 0040538E
Sleep.KERNEL32(00000064,00000062,00466554), ref: 004053A8
TerminateProcess.KERNEL32(00000000), ref: 004053C1
CloseHandle.KERNEL32 ref: 004053CD
CloseHandle.KERNEL32 ref: 004053D5
CloseHandle.KERNEL32 ref: 004053E7
CloseHandle.KERNEL32 ref: 004053EF

Strings

SystemDrive, xrefs: 00405109
mG, xrefs: 004051A9
xlG, xrefs: 00405332
mG, xrefs: 00405114
xlG, xrefs: 004053D7
xlG, xrefs: 004052FE
lG, xrefs: 00405133
xlG, xrefs: 00405078
0lG, xrefs: 00405183
mG, xrefs: 004050B5
xlG, xrefs: 00405202
cmd.exe, xrefs: 004050F5

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: CloseCriticalHandleSection$CreatePipe$EnterFileInit_thread_footerLeaveProcessSleep$NamedPeekReadTerminateWrite__onexitsend
String ID: lG$ mG$ mG$ mG$0lG$SystemDrive$cmd.exe$xlG$xlG$xlG$xlG$xlG
API String ID: 3815868655-3731297122
Opcode ID: 3416e0b7a9ab2e8475615790bf4b42608ef81ca1a43c57928c40c3b77ce5ef90
Instruction ID: f3d75f47542da312923ddfb9c6ddab2c5323933c8a72fe1ed5abf95ef94fff6a
Opcode Fuzzy Hash: 3416e0b7a9ab2e8475615790bf4b42608ef81ca1a43c57928c40c3b77ce5ef90
Instruction Fuzzy Hash: 3491C571600605AFC610BB65ED42A6F3BAAEB84344F01443FF949A22E2DF7D9C448F6D

Function 00406F06 Relevance: 46.3, APIs: 10, Strings: 16, Instructions: 849filesleepCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 00406F28
GetFileAttributesW.KERNEL32(00000000,00000000,00000000), ref: 00406FF8
DeleteFileW.KERNEL32(00000000), ref: 00407018

Part of subcall function 0041B63A: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,004752F0,00475308), ref: 0041B694
Part of subcall function 0041B63A: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,004752F0,00475308), ref: 0041B6C6
Part of subcall function 0041B63A: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,004752F0,00475308), ref: 0041B717
Part of subcall function 0041B63A: FindClose.KERNEL32(00000000,?,?,?,?,?,?,004752F0,00475308), ref: 0041B76C
Part of subcall function 0041B63A: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,004752F0,00475308), ref: 0041B773

Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD

Part of subcall function 00406BE9: CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00466454,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C38
Part of subcall function 00406BE9: WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,000186A0,?,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C80
Part of subcall function 00406BE9: CloseHandle.KERNEL32(00000000,?,?,00000000,00407273,00000000,?,0000000A,00000000,00000000), ref: 00406CC0
Part of subcall function 00406BE9: MoveFileW.KERNEL32(00000000,00000000), ref: 00406CDD

Part of subcall function 0041A891: GetLocalTime.KERNEL32(00000000), ref: 0041A8AB

Part of subcall function 00404468: WaitForSingleObject.KERNEL32(?,00000000,{NAL,?,?,00000004,?,?,00000004,00474EE0,004755B0,00000000), ref: 0040450E
Part of subcall function 00404468: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00474EE0,004755B0,00000000,?,?,?,?,?,00414E7B), ref: 0040453C

ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00407416
GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 004074F5
SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 0040773A
DeleteFileA.KERNEL32(?), ref: 004078CC

Part of subcall function 00407A8C: __EH_prolog.LIBCMT ref: 00407A91
Part of subcall function 00407A8C: FindFirstFileW.KERNEL32(00000000,?,00466AA0,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B4A
Part of subcall function 00407A8C: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B6E

Sleep.KERNEL32(000007D0), ref: 00407976
StrToIntA.SHLWAPI(00000000,00000000), ref: 004079BA

Part of subcall function 0041BD82: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041BE77

Strings

Unable to delete: , xrefs: 00407078
VNG, xrefs: 004071C6
@PG, xrefs: 00407473
pPG, xrefs: 00407998
pPG, xrefs: 00407563
Downloading file: , xrefs: 004071F3
Downloaded file: , xrefs: 004072A8
pPG, xrefs: 0040705B
Executing file: , xrefs: 0040742F
Unable to rename file!, xrefs: 0040768F
open, xrefs: 00407410
NG, xrefs: 00406F54
Browsing directory: , xrefs: 004074B6
Deleted file: , xrefs: 0040703A
pPG, xrefs: 004076A6
Failed to download file: , xrefs: 00407321

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: File$Find$AttributesCloseDeleteDirectoryEventFirstNextRemove$CreateDriveExecuteH_prologHandleInfoLocalLogicalMoveObjectParametersShellSingleSleepStringsSystemTimeWaitWritesend
String ID: @PG$Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$VNG$open$pPG$pPG$pPG$pPG$NG
API String ID: 2918587301-3905578539
Opcode ID: a32d47f9191dda89bebe2cd936081c8e0da1ff7d5e9a7f5bebcc8624358dd399
Instruction ID: 1d2e2627ec10ef381271a766c0004beadc8049fa085ae304c46d09a1b017b010
Opcode Fuzzy Hash: a32d47f9191dda89bebe2cd936081c8e0da1ff7d5e9a7f5bebcc8624358dd399
Instruction Fuzzy Hash: 0F42A271A043005BC614FB76C8979AE76A59F90708F40493FF946771E2EE3CAA09C6DB

Function 0041100E Relevance: 31.7, APIs: 7, Strings: 11, Instructions: 238threadCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0041101D

Part of subcall function 004128AD: RegCreateKeyA.ADVAPI32(80000001,00000000,TeF), ref: 004128BB
Part of subcall function 004128AD: RegSetValueExA.KERNEL32(TeF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004670E0,00000001,000000AF,00466554), ref: 004128D6
Part of subcall function 004128AD: RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004670E0,00000001,000000AF,00466554), ref: 004128E1

OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00411059
CreateThread.KERNEL32(00000000,00000000,0041170F,00000000,00000000,00000000), ref: 004110BE

Part of subcall function 0041258F: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004125AF
Part of subcall function 0041258F: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,00475308), ref: 004125CD
Part of subcall function 0041258F: RegCloseKey.KERNEL32(?), ref: 004125D8

CloseHandle.KERNEL32(00000000), ref: 00411068

Part of subcall function 0041A891: GetLocalTime.KERNEL32(00000000), ref: 0041A8AB

OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 00411332

Strings

Remcos restarted by watchdog!, xrefs: 00411073
Watchdog launch failed!, xrefs: 00411296
WDH, xrefs: 004110C8, 004110CE, 00411338
svchost.exe, xrefs: 004111D8
Watchdog module activated, xrefs: 00411097, 004112E8
\system32\, xrefs: 0041111C
rmclient.exe, xrefs: 004111FD
0TG, xrefs: 00411046
\SysWOW64\, xrefs: 00411174
fsutil.exe, xrefs: 00411222
WinDir, xrefs: 0041112E, 00411183

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: CloseOpen$CreateProcessValue$CurrentHandleLocalMutexQueryThreadTime
String ID: 0TG$Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe
API String ID: 65172268-427618296
Opcode ID: cce5ba87b7370ffeabc667a99c2fd1501aa6090f00cbce55658675b20f93cf83
Instruction ID: de889ccbd4d484bbc366ed6bf297281231fcf4352047712fae5372da0dd81bf3
Opcode Fuzzy Hash: cce5ba87b7370ffeabc667a99c2fd1501aa6090f00cbce55658675b20f93cf83
Instruction Fuzzy Hash: 3D717E3160420157C214FB72CC579AE77A8AF94719F40053FF986A21E2EF7C9A49C6AF

Function 0040B335 Relevance: 24.6, APIs: 8, Strings: 6, Instructions: 145fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040B3B4
FindClose.KERNEL32(00000000), ref: 0040B3CE
FindNextFileA.KERNEL32(00000000,?), ref: 0040B4F1
FindClose.KERNEL32(00000000), ref: 0040B517

Strings

UserProfile, xrefs: 0040B365
\logins.json, xrefs: 0040B439
\key3.db, xrefs: 0040B47B
[Firefox StoredLogins Cleared!], xrefs: 0040B504
\AppData\Roaming\Mozilla\Firefox\Profiles\, xrefs: 0040B357
[Firefox StoredLogins not found], xrefs: 0040B3D9

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: Find$CloseFile$FirstNext
String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
API String ID: 1164774033-3681987949
Opcode ID: f60dc40eb39ac72ddeb6ad73c15d962a45f8a5f1cba306fcb922ac7305482b47
Instruction ID: 4260ee55bd24f38cfaff6d718e7bb7aae0563b8f0cd35122f003610daf392ab1
Opcode Fuzzy Hash: f60dc40eb39ac72ddeb6ad73c15d962a45f8a5f1cba306fcb922ac7305482b47
Instruction Fuzzy Hash: 0A510B319042195ADB14F7A2DC96AEE7764EF50318F50017FF806B30E2EF789A45CA9D

Function 0040B53A Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 130fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040B5B2
FindClose.KERNEL32(00000000), ref: 0040B5CC
FindNextFileA.KERNEL32(00000000,?), ref: 0040B68C
FindClose.KERNEL32(00000000), ref: 0040B6B2
FindClose.KERNEL32(00000000), ref: 0040B6D1

Strings

UserProfile, xrefs: 0040B563
[Firefox Cookies not found], xrefs: 0040B5D7, 0040B69F
[Firefox cookies found, cleared!], xrefs: 0040B6E0
\cookies.sqlite, xrefs: 0040B62F
\AppData\Roaming\Mozilla\Firefox\Profiles\, xrefs: 0040B555

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: Find$Close$File$FirstNext
String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
API String ID: 3527384056-432212279
Opcode ID: c6033163c9b867c0d80e27f6400ce1ab20a1c87c49643b46c9f20880bdd59d01
Instruction ID: 1e8de758c2b97f43aed4804fc6a56dd8ce4d3e4bc3adeefe5a602588f19c01c2
Opcode Fuzzy Hash: c6033163c9b867c0d80e27f6400ce1ab20a1c87c49643b46c9f20880bdd59d01
Instruction Fuzzy Hash: F4412C319042196ACB14F7A5EC569EE7768EE11318F50017FF802B31E2EF399A458A9E

Function 00415B5E Relevance: 18.1, APIs: 12, Instructions: 80clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00415B5F
EmptyClipboard.USER32 ref: 00415B6D
GlobalAlloc.KERNEL32(00002000,-00000002), ref: 00415B8D
GlobalLock.KERNEL32(00000000), ref: 00415B96
GlobalUnlock.KERNEL32(00000000), ref: 00415BCC
SetClipboardData.USER32(0000000D,00000000), ref: 00415BD5
CloseClipboard.USER32 ref: 00415BF2
OpenClipboard.USER32 ref: 00415BF9
GetClipboardData.USER32(0000000D), ref: 00415C09
GlobalLock.KERNEL32(00000000), ref: 00415C12
GlobalUnlock.KERNEL32(00000000), ref: 00415C1B
CloseClipboard.USER32 ref: 00415C21

Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
String ID:
API String ID: 3520204547-0
Opcode ID: cc07caf996ff6d076e1eeb75bee4c200faab5da2a67908d4d3b469133882fce7
Instruction ID: a6dc46a1ac747b1df6f49b20b287b9a63e2ec98da8de7deae82efe0a0170cbcd
Opcode Fuzzy Hash: cc07caf996ff6d076e1eeb75bee4c200faab5da2a67908d4d3b469133882fce7
Instruction Fuzzy Hash: A82137711047009BC714BBB1DC5AAAF7669AF94B06F00443FF907A61E2EF38C945C76A

Function 0040E2F1 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 212processCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,?,?,004750FC), ref: 0040E30B
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,004750FC), ref: 0040E336
Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040E352
Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E3D5
CloseHandle.KERNEL32(00000000,?,?,004750FC), ref: 0040E3E4

Part of subcall function 004128AD: RegCreateKeyA.ADVAPI32(80000001,00000000,TeF), ref: 004128BB
Part of subcall function 004128AD: RegSetValueExA.KERNEL32(TeF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004670E0,00000001,000000AF,00466554), ref: 004128D6
Part of subcall function 004128AD: RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004670E0,00000001,000000AF,00466554), ref: 004128E1

CloseHandle.KERNEL32(00000000,?,?,004750FC), ref: 0040E449

Strings

C:\Program Files(x86)\Internet Explorer\, xrefs: 0040E497
ieinstal.exe, xrefs: 0040E4AE
ielowutil.exe, xrefs: 0040E4EF
Inj, xrefs: 0040E5ED

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: Close$CreateHandleProcess32$FileFirstModuleNameNextSnapshotToolhelp32Value
String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe
API String ID: 726551946-1743721670
Opcode ID: a3a35be969e31f0fa3240682cdf82f12369ddd4f8bd4dd9cec5ae51362d14e9c
Instruction ID: 57de327b15d82dbd2eac346b6cac6cdabb084366653080b34320caf9a24139d1
Opcode Fuzzy Hash: a3a35be969e31f0fa3240682cdf82f12369ddd4f8bd4dd9cec5ae51362d14e9c
Instruction Fuzzy Hash: A17150311043419BC714FB62D8529AFB7A5AFD1358F400D3EF986631E2EF389919CA9A

Function 00409B10 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 108keyboardthreadCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00475108), ref: 00409B3F
GetWindowThreadProcessId.USER32(00000000,?), ref: 00409B4B
GetKeyboardLayout.USER32(00000000), ref: 00409B52
GetKeyState.USER32(00000010), ref: 00409B5C
GetKeyboardState.USER32(?,?,00475108), ref: 00409B67
ToUnicodeEx.USER32(0047515C,?,?,?,00000010,00000000,00000000), ref: 00409B8A
ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 00409BE3
ToUnicodeEx.USER32(0047515C,?,?,?,00000010,00000000,00000000), ref: 00409C1C

Strings

`kG, xrefs: 00409BFD

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
String ID: `kG
API String ID: 1888522110-3643241581
Opcode ID: c97b305c4e5192c039be4b57959f7d148ad44e176559ca20096398a0f42faa8b
Instruction ID: 5852d3e9e60d78bbc7fecef5f6baa999b7b2ba0a9f64a262714a670a3ee03c46
Opcode Fuzzy Hash: c97b305c4e5192c039be4b57959f7d148ad44e176559ca20096398a0f42faa8b
Instruction Fuzzy Hash: 3B318F72504308AFD700DF91DC45FDBB7ECEB88715F01083AB645D61A1DBB5E9488B9A

Function 00406764 Relevance: 15.8, APIs: 2, Strings: 7, Instructions: 55COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00406788
CoGetObject.OLE32(?,00000024,004669B0,00000000), ref: 004067E9

Strings

[+] CoGetObject SUCCESS, xrefs: 004067F8
[+] ucmAllocateElevatedObject, xrefs: 0040676F
Elevation:Administrator!new:, xrefs: 004067A9
[-] CoGetObject FAILURE, xrefs: 004067F1, 00406800
$, xrefs: 004067A2
[+] CoGetObject, xrefs: 004067C8
{3E5FC7F9-9A51-4367-9063-A120244FBEC7}, xrefs: 0040677D, 00406782, 004067C1

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: Object_wcslen
String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
API String ID: 240030777-3166923314
Opcode ID: 37d5bffcbb8f4b2cbb961f9636bb3800fd08e5c8d40d037755d6192962cbe9cf
Instruction ID: 6c9b37094527eb08cc4748ecdfbd23cbc672ad5faa28133fe458ce4522bc368c
Opcode Fuzzy Hash: 37d5bffcbb8f4b2cbb961f9636bb3800fd08e5c8d40d037755d6192962cbe9cf
Instruction Fuzzy Hash: B11133B29011186ADB10FAA58955A9E77BCDB48714F11047FF905F3281E77C9A0486BD

Function 00419AB8 Relevance: 15.2, APIs: 10, Instructions: 228serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,00475920), ref: 00419ACE
EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 00419B1D
GetLastError.KERNEL32 ref: 00419B2B
EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 00419B63

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: EnumServicesStatus$ErrorLastManagerOpen
String ID:
API String ID: 3587775597-0
Opcode ID: 9a1ee3bf3d6bce16bbcabb7d3c2507a4bc347ace43e17270fa3d1e71e0279349
Instruction ID: 410433f0f292194423399e5208e7b63ee2478b974df0930e3a7ace9da88798fe
Opcode Fuzzy Hash: 9a1ee3bf3d6bce16bbcabb7d3c2507a4bc347ace43e17270fa3d1e71e0279349
Instruction Fuzzy Hash: C28142311043049BC314FB21DC95DAFB7A8BF94718F50492EF582621D2EF78EA09CB9A

Function 0044804A Relevance: 14.4, APIs: 7, Strings: 1, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 004480CC
_free.LIBCMT ref: 004480F0
_free.LIBCMT ref: 00448277
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045E478), ref: 00448289
WideCharToMultiByte.KERNEL32(00000000,00000000,0047279C,000000FF,00000000,0000003F,00000000,?,?), ref: 00448301
WideCharToMultiByte.KERNEL32(00000000,00000000,004727F0,000000FF,?,0000003F,00000000,?), ref: 0044832E
_free.LIBCMT ref: 00448443

Strings

xE, xrefs: 00448232, 00448238

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID: xE
API String ID: 314583886-407097786
Opcode ID: 29f33701d0dde71fba102b35938b8b5784e7ceb7e6dd2606d32a2e84e67b5ec7
Instruction ID: 53eab31d398634ed2913b9f897b2f59caf849b5b19a8cc02276c673e3ebcc531
Opcode Fuzzy Hash: 29f33701d0dde71fba102b35938b8b5784e7ceb7e6dd2606d32a2e84e67b5ec7
Instruction Fuzzy Hash: 24C14731904205ABFB249F698D81AAF7BB8EF41310F2441AFE88497351EF798E42C75C

Function 0041B63A Relevance: 13.6, APIs: 9, Instructions: 105fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,004752F0,00475308), ref: 0041B694
FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,004752F0,00475308), ref: 0041B6C6
SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,?,004752F0,00475308), ref: 0041B734
DeleteFileW.KERNEL32(?,?,?,?,?,?,?,004752F0,00475308), ref: 0041B741

Part of subcall function 0041B63A: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,004752F0,00475308), ref: 0041B717

FindClose.KERNEL32(00000000,?,?,?,?,?,?,004752F0,00475308), ref: 0041B76C
RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,004752F0,00475308), ref: 0041B773
GetLastError.KERNEL32(?,?,?,?,?,?,004752F0,00475308), ref: 0041B77B
FindClose.KERNEL32(00000000,?,?,?,?,?,?,004752F0,00475308), ref: 0041B78E

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
String ID:
API String ID: 2341273852-0
Opcode ID: 29d361786a175de539fdf9d753c964fcdbe74632238a9f507c15aa3fc292f646
Instruction ID: 009c1ade3c0c7cd9a9baeecb78710ce3116f293085b5e5d3e47bbce280e6f24a
Opcode Fuzzy Hash: 29d361786a175de539fdf9d753c964fcdbe74632238a9f507c15aa3fc292f646
Instruction Fuzzy Hash: 2931937180521CAACB20E7B19C89FDA777CAF55304F0404EBF515E2181EF799AC4CB69

Function 0041301D Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 391registrylibraryloaderCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 004130F2
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 004130FE

Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD

LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 004132C5
GetProcAddress.KERNEL32(00000000), ref: 004132CC

Strings

Shlwapi.dll, xrefs: 004132C0
SHDeleteKeyW, xrefs: 004132BB

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: AddressCloseCreateLibraryLoadProcsend
String ID: SHDeleteKeyW$Shlwapi.dll
API String ID: 2127411465-314212984
Opcode ID: 873ebbdf440dce3f88c262c3a4829dd9431ed5815be12e9cb480789c80129325
Instruction ID: 0508f95716d3db9771c6b78d28bd3d55684df0f5bc265fe56362dad8d88080f3
Opcode Fuzzy Hash: 873ebbdf440dce3f88c262c3a4829dd9431ed5815be12e9cb480789c80129325
Instruction Fuzzy Hash: CEB1A371A043006BC614FA76CC979BE76695F9471CF40063FF846B31E2EE7C9A48869B

Function 00418E5F Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 245fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?), ref: 004190B5
FindNextFileW.KERNEL32(00000000,?,?), ref: 00419181

Part of subcall function 0041B825: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B83E

Strings

VG, xrefs: 00418EE8
NG, xrefs: 00418E8F
PSG, xrefs: 00418F55
VG, xrefs: 00419094

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: File$Find$CreateFirstNext
String ID: PSG$NG$VG$VG
API String ID: 341183262-216422830
Opcode ID: c18c5d7cc2ec127294a62739c3c80729bd111981e773be46c2ec41552c58774a
Instruction ID: 0b04574543ffaf1c42473f802d0f517b04b5d48d9dde9d4f65c428d20583ff9f
Opcode Fuzzy Hash: c18c5d7cc2ec127294a62739c3c80729bd111981e773be46c2ec41552c58774a
Instruction Fuzzy Hash: AF8150315042405AC314FB71C8A6EEF73A8AFD0718F50493FF946671E2EF389A49C69A

Function 004515C7 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 188COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004470CF: GetLastError.KERNEL32(?,?,0043952C,?,00000000,?,0043BB65,00000000,00000000), ref: 004470D3
Part of subcall function 004470CF: _free.LIBCMT ref: 00447106
Part of subcall function 004470CF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00447147
Part of subcall function 004470CF: _abort.LIBCMT ref: 0044714D

Part of subcall function 004470CF: _free.LIBCMT ref: 0044712E
Part of subcall function 004470CF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 0044713B

GetUserDefaultLCID.KERNEL32(?,?,?), ref: 004516D3
IsValidCodePage.KERNEL32(00000000), ref: 0045172E
IsValidLocale.KERNEL32(?,00000001), ref: 0045173D
GetLocaleInfoW.KERNEL32(?,00001001,00443EFC,00000040,?,0044401C,00000055,00000000,?,?,00000055,00000000), ref: 00451785
GetLocaleInfoW.KERNEL32(?,00001002,00443F7C,00000040), ref: 004517A4

Strings

(E, xrefs: 00451680

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
String ID: (E
API String ID: 745075371-542121585
Opcode ID: a84efe1a2cce186fb5bbf2749623e7c2965abdb2206941bc4280497163ca2dcb
Instruction ID: 0c55cced660072bbdea70b00f38c40adf5ab32faa3293abc4b1f14fb3cf6f882
Opcode Fuzzy Hash: a84efe1a2cce186fb5bbf2749623e7c2965abdb2206941bc4280497163ca2dcb
Instruction Fuzzy Hash: EB5193719002059BDB10EFA5CC41BBF77B8AF04706F18056BFD11EB262DB789949CB69

Function 0040B21B Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 48fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040B257
GetLastError.KERNEL32 ref: 0040B261

Strings

UserProfile, xrefs: 0040B227
\AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040B222
[Chrome StoredLogins not found], xrefs: 0040B27B
[Chrome StoredLogins found, cleared!], xrefs: 0040B287

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: DeleteErrorFileLast
String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
API String ID: 2018770650-1062637481
Opcode ID: 7bd7e0a71dc55e2f05a60c9822167b84464631b2e0a9dbc3b4263f52b6270825
Instruction ID: af3d5975f8ef5736f4e1f689bc2271043fd855ebe8bb8600121af3fad6928989
Opcode Fuzzy Hash: 7bd7e0a71dc55e2f05a60c9822167b84464631b2e0a9dbc3b4263f52b6270825
Instruction Fuzzy Hash: 5C01D63168010597CA0476B6DC6F8AF3B24E921708B10017FF802731E2FF3A9905C6DE

Function 00416C9D Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 32COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028,?), ref: 00416CAA
OpenProcessToken.ADVAPI32(00000000), ref: 00416CB1
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00416CC3
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00416CE2
GetLastError.KERNEL32 ref: 00416CE8

Strings

SeShutdownPrivilege, xrefs: 00416CBD

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
String ID: SeShutdownPrivilege
API String ID: 3534403312-3733053543
Opcode ID: 594fceb9dcf720018193b7af68db4771e8a957862718425d2e1bf0ede3cec24e
Instruction ID: cb90277d3e2bb8506008076be0b211c0c8a285b816e0fe18bd298ac82c07c5c8
Opcode Fuzzy Hash: 594fceb9dcf720018193b7af68db4771e8a957862718425d2e1bf0ede3cec24e
Instruction Fuzzy Hash: EEF0DA75901229BBDB109B91DC4DEEF7EBCEF05656F110065B805B20A2DE748A08CAA5

Function 004089A9 Relevance: 9.3, APIs: 6, Instructions: 288fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004089AE

Part of subcall function 004041F1: socket.WS2_32(?,00000001,00000006), ref: 00404212

Part of subcall function 0040428C: connect.WS2_32(?,?,?), ref: 004042A5

FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 00408A8D
FindNextFileW.KERNEL32(00000000,?), ref: 00408AE0
FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 00408AF7

Part of subcall function 00404468: WaitForSingleObject.KERNEL32(?,00000000,{NAL,?,?,00000004,?,?,00000004,00474EE0,004755B0,00000000), ref: 0040450E
Part of subcall function 00404468: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00474EE0,004755B0,00000000,?,?,?,?,?,00414E7B), ref: 0040453C

Part of subcall function 004047EB: WaitForSingleObject.KERNEL32(0040466D,000000FF,00000000,?,?,00000000,?,0040466D,00000000,?,?), ref: 004047FD
Part of subcall function 004047EB: SetEvent.KERNEL32(0040466D,?,00000000,?,0040466D,00000000,?,?,?,00000000), ref: 00404808
Part of subcall function 004047EB: CloseHandle.KERNEL32(0040466D,?,00000000,?,0040466D,00000000,?,?,?,00000000), ref: 00404811

__CxxThrowException@8.LIBVCRUNTIME ref: 00408DA1

Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: Find$CloseEventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsendsocket
String ID:
API String ID: 4043647387-0
Opcode ID: a6c84999141094eea2a7914acdc4c3dcb6e780acf37f441bccc3a0eabee6c86c
Instruction ID: d6647de2ed81915fd1100427b9b1f0ab8477674b12134c2b00fdd843198b9521
Opcode Fuzzy Hash: a6c84999141094eea2a7914acdc4c3dcb6e780acf37f441bccc3a0eabee6c86c
Instruction Fuzzy Hash: 0DA16E719001089BCB14EBA1DD92AEDB779AF54318F10427FF506B71D2EF385E498B98

Function 00419DBA Relevance: 9.0, APIs: 6, Instructions: 39serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,?,?,00419A10,00000000,00000000), ref: 00419DC3
OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,?,00419A10,00000000,00000000), ref: 00419DD8
CloseServiceHandle.ADVAPI32(00000000,?,?,00419A10,00000000,00000000), ref: 00419DE5
StartServiceW.ADVAPI32(00000000,00000000,00000000,?,?,00419A10,00000000,00000000), ref: 00419DF0
CloseServiceHandle.ADVAPI32(00000000,?,?,00419A10,00000000,00000000), ref: 00419E02
CloseServiceHandle.ADVAPI32(00000000,?,?,00419A10,00000000,00000000), ref: 00419E05

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ManagerStart
String ID:
API String ID: 276877138-0
Opcode ID: af999b41650d3cd8b8f8fe088188ad5770f3288987236d92c8a0026e65871fc6
Instruction ID: bfab90d9ddd5c2d56401b7e15998ac1c6a079cb4321381bf248b2ffa9e014974
Opcode Fuzzy Hash: af999b41650d3cd8b8f8fe088188ad5770f3288987236d92c8a0026e65871fc6
Instruction Fuzzy Hash: 60F0E9715403146FD2115B31EC88DBF2A6CDF85BB2B01002EF442A3191CF78CD4995B5

Function 00450C8F Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 236COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004470CF: GetLastError.KERNEL32(?,?,0043952C,?,00000000,?,0043BB65,00000000,00000000), ref: 004470D3
Part of subcall function 004470CF: _free.LIBCMT ref: 00447106
Part of subcall function 004470CF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00447147
Part of subcall function 004470CF: _abort.LIBCMT ref: 0044714D

IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00443F03,?,?,?,?,?,?,00000004), ref: 00450D71
_wcschr.LIBVCRUNTIME ref: 00450E01
_wcschr.LIBVCRUNTIME ref: 00450E0F
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,00443F03,00000000,00444023), ref: 00450EB2

Strings

(E, xrefs: 00450D02

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
String ID: (E
API String ID: 4212172061-542121585
Opcode ID: 59e7985f3c02f7c10489d8edf0480172058bbcb387fbadea5ac0dcfc1ce8ddaa
Instruction ID: 16e6850baad922d2e300dda2121b2fdf61a8ef58a3873fa5b3432b878cecddba
Opcode Fuzzy Hash: 59e7985f3c02f7c10489d8edf0480172058bbcb387fbadea5ac0dcfc1ce8ddaa
Instruction Fuzzy Hash: A361FC7A500306AAD725AB75CC42ABB73A8EF44316F14082FFD05D7243EB78E949C769

Function 00415A51 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 97libraryloadershutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00416C9D: GetCurrentProcess.KERNEL32(00000028,?), ref: 00416CAA
Part of subcall function 00416C9D: OpenProcessToken.ADVAPI32(00000000), ref: 00416CB1
Part of subcall function 00416C9D: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00416CC3
Part of subcall function 00416C9D: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00416CE2
Part of subcall function 00416C9D: GetLastError.KERNEL32 ref: 00416CE8

ExitWindowsEx.USER32(00000000,00000001), ref: 00415AF3
LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 00415B08
GetProcAddress.KERNEL32(00000000), ref: 00415B0F

Strings

SetSuspendState, xrefs: 00415AFE
PowrProf.dll, xrefs: 00415B03

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
String ID: PowrProf.dll$SetSuspendState
API String ID: 1589313981-1420736420
Opcode ID: 86b5893e768e0e13360477bdb0defc34886795441577a5559bab3a2d7dc1305a
Instruction ID: be3657bdb4b9c596b700244bf1edaf45c421fe256a6f88bebcc25452880e9c8a
Opcode Fuzzy Hash: 86b5893e768e0e13360477bdb0defc34886795441577a5559bab3a2d7dc1305a
Instruction Fuzzy Hash: 84215E71644741A6CB14FBB198A6AFF22599F80748F40483FB442771D2EF7CE889865E

Function 004513F3 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,00451712,?,00000000), ref: 0045148C
GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,00451712,?,00000000), ref: 004514B5
GetACP.KERNEL32(?,?,00451712,?,00000000), ref: 004514CA

Strings

OCP, xrefs: 00451447
ACP, xrefs: 00451411

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 7de529321666405c3dbd177549b20e94864b34fdb637d578d31b634f87125a95
Instruction ID: 27270ea0035267e4249f05f4639a08e7e92d7e6a6a5113c6df6fa5280cb26525
Opcode Fuzzy Hash: 7de529321666405c3dbd177549b20e94864b34fdb637d578d31b634f87125a95
Instruction Fuzzy Hash: 0821C731600100B7DB308F54C901FA773A6AF52B67F5A9566EC0AD7223EB3ADD49C399

Function 0041A84A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041A85B
LoadResource.KERNEL32(00000000,?,?,0040E25B,00000000), ref: 0041A86F
LockResource.KERNEL32(00000000,?,?,0040E25B,00000000), ref: 0041A876
SizeofResource.KERNEL32(00000000,?,?,0040E25B,00000000), ref: 0041A885

Strings

SETTINGS, xrefs: 0041A84E

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: Resource$FindLoadLockSizeof
String ID: SETTINGS
API String ID: 3473537107-594951305
Opcode ID: af91fd7a50235684c3f0857021386823e2c7131a01440ecb0520647964aa65c6
Instruction ID: 1fe06f9b0c9a023904624b9b61caa7bd4c13f92b8b5c35c0d543cfa28092256f
Opcode Fuzzy Hash: af91fd7a50235684c3f0857021386823e2c7131a01440ecb0520647964aa65c6
Instruction Fuzzy Hash: DAE01A76240720ABCB211BA1BD4CD073E39F7867637000039F549A2221CE75CC52CB29

Function 00407A8C Relevance: 7.7, APIs: 5, Instructions: 183fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00407A91
FindFirstFileW.KERNEL32(00000000,?,00466AA0,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B4A
FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B6E
FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407C76

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstH_prologNext
String ID:
API String ID: 1157919129-0
Opcode ID: 458c4cd14ae4f9017ff53500914738011c44e03bc8e8f39dc4765d65b0750b24
Instruction ID: e1cc7e471fba1e38487cd482a49156f4879f85d64aa43a49cb1f79655cfb0c65
Opcode Fuzzy Hash: 458c4cd14ae4f9017ff53500914738011c44e03bc8e8f39dc4765d65b0750b24
Instruction Fuzzy Hash: 325162729001085ACB14FBA5DD969ED7B78AF50318F50417FB806B31D2EF3CAB498B99

Function 00406128 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 222filenetworkCOMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406234
URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 00406318

Strings

C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe, xrefs: 0040627F, 004063A7
open, xrefs: 0040622E

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: DownloadExecuteFileShell
String ID: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe$open
API String ID: 2825088817-4159253631
Opcode ID: 893f71f27b6b0849fff010fbcbc9598768ca5abafe3a9edc094bd365604e6998
Instruction ID: e32f65eb076a11421f0b28df520d432f118a03887cfea0ef8c7e4d0a3f62d172
Opcode Fuzzy Hash: 893f71f27b6b0849fff010fbcbc9598768ca5abafe3a9edc094bd365604e6998
Instruction Fuzzy Hash: E361CF3160430067CA14FA76D8569BE37A59F81718F01493FBC46772E6EF3CAA05C69B

Function 00406AC2 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 86fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00406ADD
FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00406BA5

Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD

Strings

pPG, xrefs: 00406BC0
pPG, xrefs: 00406AFD

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: FileFind$FirstNextsend
String ID: pPG$pPG
API String ID: 4113138495-3204143781
Opcode ID: c595c858632e4b630c745db85e1f9651263fe84311176f454f0f68f2edbe44ab
Instruction ID: b94dab712156e78be0f8cc3bef15d45c6a114b58aade1ae888b20ae253cfdc5a
Opcode Fuzzy Hash: c595c858632e4b630c745db85e1f9651263fe84311176f454f0f68f2edbe44ab
Instruction Fuzzy Hash: F42187715043015BC714FB61DC95DEF77A8AF90318F40093EF996A31E1EF38AA08CA9A

Function 0041BD82 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 83COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041BE77

Part of subcall function 004127AA: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004127B9
Part of subcall function 004127AA: RegSetValueExA.KERNEL32(?,XwF,00000000,?,00000000,00000000,00475308,?,?,0040E6D3,00467758,6.0.0 Pro), ref: 004127E1
Part of subcall function 004127AA: RegCloseKey.KERNEL32(?,?,?,0040E6D3,00467758,6.0.0 Pro), ref: 004127EC

Strings

TileWallpaper, xrefs: 0041BE61
WallpaperStyle, xrefs: 0041BDC2, 0041BDF5, 0041BE45
Control Panel\Desktop, xrefs: 0041BDBD, 0041BDF0, 0041BE40

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: CloseCreateInfoParametersSystemValue
String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
API String ID: 4127273184-3576401099
Opcode ID: 66458e8cc3153e1574d54a22ceeec595ae1d5fb91ba42e72fdc85762ed94257a
Instruction ID: 3b74369dcb7a8544f1b55df16a592c3d868ba554001bd6a4c71ed5c97b6fc17b
Opcode Fuzzy Hash: 66458e8cc3153e1574d54a22ceeec595ae1d5fb91ba42e72fdc85762ed94257a
Instruction Fuzzy Hash: F5112132B8035033D518313A5E67BBF2816D34AB60F55415FB6066A6CAFADE4AA103DF

Function 00408DA7 Relevance: 6.2, APIs: 4, Instructions: 206fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00408DAC
FindFirstFileW.KERNEL32(00000000,?), ref: 00408E24
FindNextFileW.KERNEL32(00000000,?), ref: 00408E4D

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: FileFind$FirstH_prologNext
String ID:
API String ID: 301083792-0
Opcode ID: bcd3d9f6996f059f2558f11917fb654a90ab45b7422d36df760ea7f45a3727a1
Instruction ID: 402ed7a5658d2f2a6adb961a0daa6f616ba37c5e7974c2bf040f6c8ce137202a
Opcode Fuzzy Hash: bcd3d9f6996f059f2558f11917fb654a90ab45b7422d36df760ea7f45a3727a1
Instruction Fuzzy Hash: 127141728001199BCB15EBA1DC919EE7778AF54314F10427FE846B71E2EF385E49CB98

Function 0045107A Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 004470CF: GetLastError.KERNEL32(?,?,0043952C,?,00000000,?,0043BB65,00000000,00000000), ref: 004470D3
Part of subcall function 004470CF: _free.LIBCMT ref: 00447106
Part of subcall function 004470CF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00447147
Part of subcall function 004470CF: _abort.LIBCMT ref: 0044714D

Part of subcall function 004470CF: _free.LIBCMT ref: 0044712E
Part of subcall function 004470CF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 0044713B

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004510CE
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0045111F
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004511DF

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: ErrorInfoLastLocale$_free$_abort
String ID:
API String ID: 2829624132-0
Opcode ID: dd837d4aabf90151236531eaa8a7eeaa8db7e820d6096a7a5c305d7033fab590
Instruction ID: aee342ac21436657f5846041838c3bd09d84a4d920a4c2a145562aed062da8a9
Opcode Fuzzy Hash: dd837d4aabf90151236531eaa8a7eeaa8db7e820d6096a7a5c305d7033fab590
Instruction Fuzzy Hash: F661D8719005079BDB289F25CC82B7677A8EF04306F1041BBFD05D66A2EB78D949DB58

Function 0043A86D Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,0000000A), ref: 0043A965
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,0000000A), ref: 0043A96F
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,0000000A), ref: 0043A97C

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: af6e046c0509c32b3386d0bc76265e00dd1467fe013a3816057f721e951f2d82
Instruction ID: 2e36d9e0b5662236be867d7d52d6a22dc3a0b47d07fc7de068387a758ceea7c7
Opcode Fuzzy Hash: af6e046c0509c32b3386d0bc76265e00dd1467fe013a3816057f721e951f2d82
Instruction Fuzzy Hash: E731D6B491131CABCB21DF24D98978DB7B8BF08311F5051EAE80CA7251EB749F818F49

Function 00432B45 Relevance: 4.5, APIs: 3, Instructions: 30encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,?,00000001,004328CD,00000024,00000006,?,00000000), ref: 00432B57
CryptGenRandom.ADVAPI32(?,?,?,?,?,?,?,?,?,0042CDC9,00000006), ref: 00432B6D
CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,0042CDC9,00000006), ref: 00432B7F

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: Crypt$Context$AcquireRandomRelease
String ID:
API String ID: 1815803762-0
Opcode ID: 35a60dd61fd8b237ab80bed8c3b3b6d5f5cecafcaafe6d2ae27acd69f3d7963f
Instruction ID: 69441ad90531868046e0b1178e1924530c202fcb63ed7aa5228c64bcbe668f15
Opcode Fuzzy Hash: 35a60dd61fd8b237ab80bed8c3b3b6d5f5cecafcaafe6d2ae27acd69f3d7963f
Instruction Fuzzy Hash: ADE09231608350FFFB300F25AC08F177B94EB89B65F21063AF155E40E4CAA59805961C

Function 00442764 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,0044273A,?,0046EAF0,0000000C,00442891,?,00000002,00000000), ref: 00442785
TerminateProcess.KERNEL32(00000000,?,0044273A,?,0046EAF0,0000000C,00442891,?,00000002,00000000), ref: 0044278C
ExitProcess.KERNEL32 ref: 0044279E

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 580307e7f9ed19ccdf9c10412063d8ea8bc62da0884c48fe7532ae208af4f440
Instruction ID: c8bd48e99420b6c7b8697c64d03bd4ba31791432aa3bec6fd876c0c539ce8582
Opcode Fuzzy Hash: 580307e7f9ed19ccdf9c10412063d8ea8bc62da0884c48fe7532ae208af4f440
Instruction Fuzzy Hash: 7EE04F31000704AFEF016F10DD099493F29EF50396F448469F90896132CF79DC42CA48

Function 0044D7F9 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

., xrefs: 0044D98C

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: 90d0b4729825bd90b6a9b0e481f721cabe6d10aefd9ef70f2d231800c5ca14c4
Instruction ID: eafca5d3f29716c6c78e4e4ea3ad02361a474eaab44c7f235df41bcab4a95e78
Opcode Fuzzy Hash: 90d0b4729825bd90b6a9b0e481f721cabe6d10aefd9ef70f2d231800c5ca14c4
Instruction Fuzzy Hash: 3431F472D00249ABEB249E79CC85EFB7BBDDB85314F0401AEF419D7251E6349E418B54

Function 004477A7 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,?,?,00000004), ref: 004477FA

Strings

GetLocaleInfoEx, xrefs: 004477B8, 004477C2

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: GetLocaleInfoEx
API String ID: 2299586839-2904428671
Opcode ID: 6bd799bfac9af36fd133eb5d72b5b36b41e76e7aabeb18fd4f2c376b7933ddb9
Instruction ID: 58a0a1dc03b065be57d87c6409a63545e464c60cfee5b8c381720ea1698dad41
Opcode Fuzzy Hash: 6bd799bfac9af36fd133eb5d72b5b36b41e76e7aabeb18fd4f2c376b7933ddb9
Instruction Fuzzy Hash: A0F0F631640318B7DB056F61CC06F6E7B64DB04712F10019AFC0467252CF75AB119A9D

Function 004512CA Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 004470CF: GetLastError.KERNEL32(?,?,0043952C,?,00000000,?,0043BB65,00000000,00000000), ref: 004470D3
Part of subcall function 004470CF: _free.LIBCMT ref: 00447106
Part of subcall function 004470CF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00447147
Part of subcall function 004470CF: _abort.LIBCMT ref: 0044714D

Part of subcall function 004470CF: _free.LIBCMT ref: 0044712E
Part of subcall function 004470CF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 0044713B

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0045131E

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free$InfoLocale_abort
String ID:
API String ID: 1663032902-0
Opcode ID: bc85fdc09d4fce3dfbe50538f39d64f32c4b6099e2a05669c9b1daebb1f6e385
Instruction ID: 0b21b5069fbf1db5bec531630a8d3eee6f1f474d64bb54c6a1c44a3d8e2cc721
Opcode Fuzzy Hash: bc85fdc09d4fce3dfbe50538f39d64f32c4b6099e2a05669c9b1daebb1f6e385
Instruction Fuzzy Hash: 2221D372501206ABEB24AB25CC61B7B77ACEB04316F10017BFD01D6663EB78AD49CB58

Function 00450F52 Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004470CF: GetLastError.KERNEL32(?,?,0043952C,?,00000000,?,0043BB65,00000000,00000000), ref: 004470D3
Part of subcall function 004470CF: _free.LIBCMT ref: 00447106
Part of subcall function 004470CF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00447147
Part of subcall function 004470CF: _abort.LIBCMT ref: 0044714D

EnumSystemLocalesW.KERNEL32(0045107A,00000001,00000000,?,00443EFC,?,004516A7,00000000,?,?,?), ref: 00450FC4

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: 2806d9e87b91580947c38d8a0617f63d2b95e775220bf3e675df36a013b02c7b
Instruction ID: 451a354658792f2252a151bea30e2a99c0585190810680eeac5085bd3c0c80bb
Opcode Fuzzy Hash: 2806d9e87b91580947c38d8a0617f63d2b95e775220bf3e675df36a013b02c7b
Instruction Fuzzy Hash: FD11293B2007019FDB28AF39C8916BABB92FF8435AB14442DE94747B41D7B9B847C744

Function 004514FA Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 004470CF: GetLastError.KERNEL32(?,?,0043952C,?,00000000,?,0043BB65,00000000,00000000), ref: 004470D3
Part of subcall function 004470CF: _free.LIBCMT ref: 00447106
Part of subcall function 004470CF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00447147
Part of subcall function 004470CF: _abort.LIBCMT ref: 0044714D

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00451298,00000000,00000000,?), ref: 00451526

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: ErrorLast$InfoLocale_abort_free
String ID:
API String ID: 2692324296-0
Opcode ID: e61a00dc03fcb481ae1f4eaad0348555d58099959c5ffac150b0217cf8aecc77
Instruction ID: d2fe2c3fce417e68b0623dfb5eb434355baf81d8c10f12b7a8aa08190ad777f0
Opcode Fuzzy Hash: e61a00dc03fcb481ae1f4eaad0348555d58099959c5ffac150b0217cf8aecc77
Instruction Fuzzy Hash: 4AF0F9326102197BDB289A258C46BBB7758EB80755F04046AEC07A3251FA78FD45C6D4

Function 00450FED Relevance: 1.5, APIs: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004470CF: GetLastError.KERNEL32(?,?,0043952C,?,00000000,?,0043BB65,00000000,00000000), ref: 004470D3
Part of subcall function 004470CF: _free.LIBCMT ref: 00447106
Part of subcall function 004470CF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00447147
Part of subcall function 004470CF: _abort.LIBCMT ref: 0044714D

EnumSystemLocalesW.KERNEL32(004512CA,00000001,?,?,00443EFC,?,0045166B,00443EFC,?,?,?,?,?,00443EFC,?,?), ref: 00451039

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: 1383e35cddf71846be5f04bfb451628eb58ff654fdb94fb85b79533aadb6d968
Instruction ID: 969c50ee721750b2a7664082bdad3607fc28c6e2ba06475257799e5d9796a5a7
Opcode Fuzzy Hash: 1383e35cddf71846be5f04bfb451628eb58ff654fdb94fb85b79533aadb6d968
Instruction Fuzzy Hash: 19F028363003045FDB245F76DC81B7B7B95EF8075DF04442EFD4187A92D6B99C828604

Function 004472BE Relevance: 1.5, APIs: 1, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00444CDC: EnterCriticalSection.KERNEL32(-00472558,?,0044246B,00000000,0046EAD0,0000000C,00442426,0000000A,?,?,00448949,0000000A,?,00447184,00000001,00000364), ref: 00444CEB

EnumSystemLocalesW.KERNEL32(00447278,00000001,0046EC58,0000000C), ref: 004472F6

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: ce5d864c7127ce76761e0cbea026e968eb5e88cd2d94c9e55423b39c5525c7e8
Instruction ID: acebf021cc54f47487df9b00313a15cc1bfd22b3d47c3c45ccbcf72c34342655
Opcode Fuzzy Hash: ce5d864c7127ce76761e0cbea026e968eb5e88cd2d94c9e55423b39c5525c7e8
Instruction Fuzzy Hash: 97F06236620200DFEB10EF79DE46B5D37E0EB44715F10816AF414DB2A1CBB89981DB4D

Function 00450F07 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004470CF: GetLastError.KERNEL32(?,?,0043952C,?,00000000,?,0043BB65,00000000,00000000), ref: 004470D3
Part of subcall function 004470CF: _free.LIBCMT ref: 00447106
Part of subcall function 004470CF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00447147
Part of subcall function 004470CF: _abort.LIBCMT ref: 0044714D

EnumSystemLocalesW.KERNEL32(00450E5E,00000001,?,?,?,004516C9,00443EFC,?,?,?,?,?,00443EFC,?,?,?), ref: 00450F3E

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: c0752d91e59c0ec8caa35cedbb84099f1f2f8e555a7fabae98b3644acfac0ab5
Instruction ID: 7585e2e2e927d60b614fbbb7cbec4ece609ea7599c31e6a5607aeddcbc8761df
Opcode Fuzzy Hash: c0752d91e59c0ec8caa35cedbb84099f1f2f8e555a7fabae98b3644acfac0ab5
Instruction Fuzzy Hash: 89F0E53A30020557CB28AF35D845B6A7F94EFC1715B16449EFE098B252C67AD886C794

Function 00433EE2 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00033EEE,00433BBC), ref: 00433EE7

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: e588410f7d772084ad9b5e6a201b2d06307ba3208cc6e1757a1b1bd45e9a1e30
Instruction ID: 9bcc487b38fe881941be7e97ad5738302595bcb4dafebc2e14986f4c0a09dd7d
Opcode Fuzzy Hash: e588410f7d772084ad9b5e6a201b2d06307ba3208cc6e1757a1b1bd45e9a1e30
Instruction Fuzzy Hash:

Function 0044EB3E Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0044EB3E

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 92e8274eb45f99ac31ca5a7841fd9c067bc26919afa491827186e59168ab32af
Instruction ID: 07883168748708d5871df038b293f30180ed36dce4f2d3eb69edcdcf819b44e4
Opcode Fuzzy Hash: 92e8274eb45f99ac31ca5a7841fd9c067bc26919afa491827186e59168ab32af
Instruction Fuzzy Hash: 8EA01130202202CBA3008F32AB0A20A3BA8AA00AA23028038A00AC02A0EE2080808A08

Function 0041742B Relevance: 47.5, APIs: 22, Strings: 5, Instructions: 290libraryloaderthreadCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00417472
GetProcAddress.KERNEL32(00000000), ref: 00417475
GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 00417486
GetProcAddress.KERNEL32(00000000), ref: 00417489
GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 0041749A
GetProcAddress.KERNEL32(00000000), ref: 0041749D
GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004174AE
GetProcAddress.KERNEL32(00000000), ref: 004174B1
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00417552
VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041756A
GetThreadContext.KERNEL32(?,00000000), ref: 00417580
ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 004175A6
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00417626
TerminateProcess.KERNEL32(?,00000000), ref: 0041763A
GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 00417671
WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 0041773E
SetThreadContext.KERNEL32(?,00000000), ref: 0041775B
ResumeThread.KERNEL32(?), ref: 00417768
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00417780
GetCurrentProcess.KERNEL32(?), ref: 0041778B
TerminateProcess.KERNEL32(?,00000000), ref: 004177A5
GetLastError.KERNEL32 ref: 004177AD

Strings

ZwMapViewOfSection, xrefs: 00417477
ntdll, xrefs: 0041745D, 0041747C, 00417490, 004174A4
ZwUnmapViewOfSection, xrefs: 0041748B
ZwCreateSection, xrefs: 00417458
ZwClose, xrefs: 0041749F

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
API String ID: 4188446516-3035715614
Opcode ID: ca58d074774f4cb3cec8caed2bdcc8ae3fb1cd477b48ba63cf2103ffe40dc484
Instruction ID: 9d7e092ec3b05a7a521957261ed1896ff906ab06cfb84d00d3f911d9ff722cfe
Opcode Fuzzy Hash: ca58d074774f4cb3cec8caed2bdcc8ae3fb1cd477b48ba63cf2103ffe40dc484
Instruction Fuzzy Hash: C3A16D71508304AFD710DF65CD89B6B7BF8FB48345F00082EF699962A1DB75E884CB6A

Function 0040C28E Relevance: 47.5, APIs: 6, Strings: 21, Instructions: 282registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00411771: TerminateProcess.KERNEL32(00000000,pth_unenc,0040E748), ref: 00411781
Part of subcall function 00411771: WaitForSingleObject.KERNEL32(000000FF), ref: 00411794

GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040C38B
RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040C39E
SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040C3B7
SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040C3E7

Part of subcall function 0040AFBA: TerminateThread.KERNEL32(004099A9,00000000,00475308,pth_unenc,0040BF26,004752F0,00475308,?,pth_unenc), ref: 0040AFC9
Part of subcall function 0040AFBA: UnhookWindowsHookEx.USER32(00475108), ref: 0040AFD5
Part of subcall function 0040AFBA: TerminateThread.KERNEL32(Function_00009993,00000000,?,pth_unenc), ref: 0040AFE3

Part of subcall function 0041B79A: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00466900,00000000,00000000,0040C267,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041B7D9

ShellExecuteW.SHELL32(00000000,open,00000000,00466900,00466900,00000000), ref: 0040C632
ExitProcess.KERNEL32 ref: 0040C63E

Strings

wend, xrefs: 0040C4F7
fso.DeleteFile(Wscript.ScriptFullName), xrefs: 0040C5E1
fso.DeleteFolder ", xrefs: 0040C519
Set fso = CreateObject("Scripting.FileSystemObject"), xrefs: 0040C418
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 0040C330
SG, xrefs: 0040C505
"), xrefs: 0040C443
SG, xrefs: 0040C3DC
SG, xrefs: 0040C3C4
CreateObject("WScript.Shell").Run "cmd /c "", xrefs: 0040C56F
Software\Microsoft\Windows\CurrentVersion\Run\, xrefs: 0040C2DF
exepath, xrefs: 0040C365
while fso.FileExists(", xrefs: 0040C45A
""", 0, xrefs: 0040C555
open, xrefs: 0040C62C
PSG, xrefs: 0040C33D
On Error Resume Next, xrefs: 0040C427
dMG, xrefs: 0040C2C9
\update.vbs, xrefs: 0040C3E9
Temp, xrefs: 0040C3EE
fso.DeleteFile ", xrefs: 0040C4A8

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
String ID: SG$ SG$ SG$""", 0$")$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$PSG$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
API String ID: 1861856835-1415323999
Opcode ID: 654f7889ed5edaac55a18f8be21b9837d0d7268fd1f2b157d317ae4c17904d16
Instruction ID: 61d23169d088639e971774d7266815e56d2523c1fe05d3951d40341dc357c42d
Opcode Fuzzy Hash: 654f7889ed5edaac55a18f8be21b9837d0d7268fd1f2b157d317ae4c17904d16
Instruction Fuzzy Hash: F891A3316042005AC314FB21D852AAF7799AF90318F50453FF88AB71E2EF7CAD49C69E

Function 0040BF04 Relevance: 44.0, APIs: 6, Strings: 19, Instructions: 260registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00411771: TerminateProcess.KERNEL32(00000000,pth_unenc,0040E748), ref: 00411781
Part of subcall function 00411771: WaitForSingleObject.KERNEL32(000000FF), ref: 00411794

GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,00475308,?,pth_unenc), ref: 0040C013
RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040C026
SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,00475308,?,pth_unenc), ref: 0040C056
SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,00475308,?,pth_unenc), ref: 0040C065

Part of subcall function 0040AFBA: TerminateThread.KERNEL32(004099A9,00000000,00475308,pth_unenc,0040BF26,004752F0,00475308,?,pth_unenc), ref: 0040AFC9
Part of subcall function 0040AFBA: UnhookWindowsHookEx.USER32(00475108), ref: 0040AFD5
Part of subcall function 0040AFBA: TerminateThread.KERNEL32(Function_00009993,00000000,?,pth_unenc), ref: 0040AFE3

Part of subcall function 0041AD43: GetCurrentProcessId.KERNEL32(00000000,771B3530,00000000,?,?,?,?,00466900,0040C07B,.vbs,?,?,?,?,?,00475308), ref: 0041AD6A

ShellExecuteW.SHELL32(00000000,open,00000000,00466900,00466900,00000000), ref: 0040C280
ExitProcess.KERNEL32 ref: 0040C287

Strings

wend, xrefs: 0040C1D2
fso.DeleteFile(Wscript.ScriptFullName), xrefs: 0040C22F
fso.DeleteFolder ", xrefs: 0040C1F8
Set fso = CreateObject("Scripting.FileSystemObject"), xrefs: 0040C0F3
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 0040BFA6
SG, xrefs: 0040C1E0
"), xrefs: 0040C11F
.vbs, xrefs: 0040C06F
pth_unenc, xrefs: 0040BF0A
Software\Microsoft\Windows\CurrentVersion\Run\, xrefs: 0040BF55
exepath, xrefs: 0040BFEF
while fso.FileExists(", xrefs: 0040C136
open, xrefs: 0040C27A
SG, xrefs: 0040C031
dMG, xrefs: 0040BF3F
PSG, xrefs: 0040BFCC
On Error Resume Next, xrefs: 0040C102
Temp, xrefs: 0040C0B4
fso.DeleteFile ", xrefs: 0040C183

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
String ID: SG$ SG$")$.vbs$On Error Resume Next$PSG$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend$while fso.FileExists("
API String ID: 3797177996-899740633
Opcode ID: 6fdf2f18d39eafdca5b1836955c68c779565fa021d6480eae315e8288a497e30
Instruction ID: 3970d62be7f9f5e1fdb580af11360c5c0218cddba346a3e39168d22276c4a34b
Opcode Fuzzy Hash: 6fdf2f18d39eafdca5b1836955c68c779565fa021d6480eae315e8288a497e30
Instruction Fuzzy Hash: 838194316042005BC315FB21D852AAF7799AF91708F10453FF986A72E2EF7C9D49C69E

Function 0041138D Relevance: 43.9, APIs: 17, Strings: 8, Instructions: 189synchronizationsleepfileCOMMON

Download Yara Rule

APIs

CreateMutexA.KERNEL32(00000000,00000001,00000000,00475308,?,00000000), ref: 004113AC
ExitProcess.KERNEL32 ref: 004115F5

Part of subcall function 00412735: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,00475308), ref: 00412751
Part of subcall function 00412735: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 0041276A
Part of subcall function 00412735: RegCloseKey.KERNEL32(00000000), ref: 00412775

Part of subcall function 0041B825: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B83E

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,00000000), ref: 00411433
OpenProcess.KERNEL32(00100000,00000000,,@,?,?,?,?,00000000), ref: 00411442
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 0041144D
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 00411454
GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 0041145A

Part of subcall function 004128AD: RegCreateKeyA.ADVAPI32(80000001,00000000,TeF), ref: 004128BB
Part of subcall function 004128AD: RegSetValueExA.KERNEL32(TeF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004670E0,00000001,000000AF,00466554), ref: 004128D6
Part of subcall function 004128AD: RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004670E0,00000001,000000AF,00466554), ref: 004128E1

PathFileExistsW.SHLWAPI(?,?,?,?,?,00000000), ref: 0041148B
GetTempPathW.KERNEL32(00000104,?,?,?,?,?,?,?,?,00000000), ref: 004114E7
GetTempFileNameW.KERNEL32(?,temp_,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00411501
lstrcatW.KERNEL32(?,.exe,?,?,?,?,?,?,?,00000000), ref: 00411513

Part of subcall function 0041B79A: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0041B7F6
Part of subcall function 0041B79A: WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041B80A
Part of subcall function 0041B79A: CloseHandle.KERNEL32(00000000), ref: 0041B817

ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 0041155B
Sleep.KERNEL32(000001F4,?,?,?,?,00000000), ref: 0041159C
OpenProcess.KERNEL32(00100000,00000000,?,?,?,?,?,00000000), ref: 004115B1
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 004115BC
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 004115C3
GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 004115C9

Part of subcall function 0041B79A: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00466900,00000000,00000000,0040C267,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041B7D9

Strings

WDH, xrefs: 00411461, 004115D0
exepath, xrefs: 004113E0
0TG, xrefs: 0041139B
open, xrefs: 00411555
temp_, xrefs: 004114F5
,@, xrefs: 00411439
.exe, xrefs: 00411507
PSG, xrefs: 004113BA

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: File$CloseCreateProcess$HandleOpen$CurrentObjectPathSingleTempValueWait$ExecuteExistsExitMutexNamePointerQueryShellSleepWritelstrcat
String ID: ,@$.exe$0TG$PSG$WDH$exepath$open$temp_
API String ID: 4250697656-4136069298
Opcode ID: 57a76233155c5e6f3f5eb151cd316bca093877b01aee461a5fef8088efcefce1
Instruction ID: 17001e37a1d7cf9a3413e78a7a022695eb621cd558d1591dce66fb7483b9d66c
Opcode Fuzzy Hash: 57a76233155c5e6f3f5eb151cd316bca093877b01aee461a5fef8088efcefce1
Instruction Fuzzy Hash: 7551B571A00315BBDB00A7A09C46EFE736E9B44715F10416BF906B71E2EF788E858A9D

Function 0041A3B1 Relevance: 40.4, APIs: 12, Strings: 11, Instructions: 180synchronizationCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041A4A8
mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041A4BC
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,00466554), ref: 0041A4E4
PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00474EE0,00000000), ref: 0041A4F5
mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041A536
mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041A54E
mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041A563
SetEvent.KERNEL32 ref: 0041A580
WaitForSingleObject.KERNEL32(000001F4), ref: 0041A591
CloseHandle.KERNEL32 ref: 0041A5A1
mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041A5C3
mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041A5CD

Strings

NG, xrefs: 0041A475, 0041A3F5
open ", xrefs: 0041A43C
pause audio, xrefs: 0041A531
" type , xrefs: 0041A441
stopped, xrefs: 0041A569
play audio, xrefs: 0041A4B7
close audio, xrefs: 0041A5C8
status audio mode, xrefs: 0041A55E
stop audio, xrefs: 0041A5BE
resume audio, xrefs: 0041A549
alias audio, xrefs: 0041A424

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$NG
API String ID: 738084811-2094122233
Opcode ID: 6cdad7b2072bb7b1f1cf65aa6f0dc65162114e9383cfe1cf391b21bd569ee139
Instruction ID: 23b594f260307180257043fa1e2d6aa1707bafa700398656917524c484c431be
Opcode Fuzzy Hash: 6cdad7b2072bb7b1f1cf65aa6f0dc65162114e9383cfe1cf391b21bd569ee139
Instruction Fuzzy Hash: A251B1716442046AD214BB32EC92EBF3B9DAB90758F10443FF445621E2EE789D48866F

Function 0040BC67 Relevance: 37.0, APIs: 12, Strings: 9, Instructions: 203fileCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0040BC75
CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,004750FC,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040BC8E
CopyFileW.KERNEL32(C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe,00000000,00000000,00000000,00000000,00000000,?,004750FC,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 0040BD3E
_wcslen.LIBCMT ref: 0040BD54
CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040BDDC
CopyFileW.KERNEL32(C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe,00000000,00000000), ref: 0040BDF2
SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BE31
_wcslen.LIBCMT ref: 0040BE34
SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BE4B
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004750FC,0000000E), ref: 0040BE9B
ShellExecuteW.SHELL32(00000000,open,00000000,00466900,00466900,00000001), ref: 0040BEB9
ExitProcess.KERNEL32 ref: 0040BED0

Strings

SG, xrefs: 0040BE40
C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe, xrefs: 0040BCFF, 0040BD04, 0040BD37, 0040BDEC, 0040BDF1, 0040BDF8, 0040BE59
SG, xrefs: 0040BD85
6, xrefs: 0040BD48
del, xrefs: 0040BE63
open, xrefs: 0040BEB2
SG, xrefs: 0040BDD1
SG, xrefs: 0040BC7A
SG, xrefs: 0040BD6C

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
String ID: SG$ SG$ SG$ SG$ SG$6$C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe$del$open
API String ID: 1579085052-636918380
Opcode ID: a7d6d57d1ad3ded224159505a6611d35dd0400eb66e533863ce6af2c8e10c1ae
Instruction ID: cada26950b0f91ffbe9684419e497f708478a0192fdd3dd39558b78de3226dfb
Opcode Fuzzy Hash: a7d6d57d1ad3ded224159505a6611d35dd0400eb66e533863ce6af2c8e10c1ae
Instruction Fuzzy Hash: 0B51C1316046006BD609B722EC52E7F77889F81719F50443FF985A62E2DF7CAD4582EE

Function 00401BE8 Relevance: 35.2, APIs: 16, Strings: 4, Instructions: 156fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401C54
WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401C7E
WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401C8E
WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401C9E
WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401CAE
WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401CBE
WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401CCF
WriteFile.KERNEL32(00000000,00472B02,00000002,00000000,00000000), ref: 00401CE0
WriteFile.KERNEL32(00000000,00472B04,00000004,00000000,00000000), ref: 00401CF0
WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401D00
WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401D11
WriteFile.KERNEL32(00000000,00472B0E,00000002,00000000,00000000), ref: 00401D22
WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401D32
WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401D42

Strings

data, xrefs: 00401D2C
fmt , xrefs: 00401CA8
WAVE, xrefs: 00401C98
RIFF, xrefs: 00401C78

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: File$Write$Create
String ID: RIFF$WAVE$data$fmt
API String ID: 1602526932-4212202414
Opcode ID: d86e0a11b62900f44300c56c570c8f4c6d29e182ebfed168058ac3948617b838
Instruction ID: 459023fa40bd80d73c97eac26e4027242e7445eca248bff5dcea5bec94493f3f
Opcode Fuzzy Hash: d86e0a11b62900f44300c56c570c8f4c6d29e182ebfed168058ac3948617b838
Instruction Fuzzy Hash: 85411C726443187AE210DE51DD86FBB7FACEB85B54F40081AF644E6080D7A5E909DBB3

Function 004064E0 Relevance: 35.1, APIs: 12, Strings: 8, Instructions: 62libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe,00000001,004068B2,C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe,00000003,004068DA,004752F0,00406933), ref: 004064F4
GetProcAddress.KERNEL32(00000000), ref: 004064FD
GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 0040650E
GetProcAddress.KERNEL32(00000000), ref: 00406511
GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 00406522
GetProcAddress.KERNEL32(00000000), ref: 00406525
GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 00406536
GetProcAddress.KERNEL32(00000000), ref: 00406539
GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 0040654A
GetProcAddress.KERNEL32(00000000), ref: 0040654D
GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 0040655E
GetProcAddress.KERNEL32(00000000), ref: 00406561

Strings

C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe, xrefs: 004064E1
RtlAcquirePebLock, xrefs: 00406530
NtAllocateVirtualMemory, xrefs: 00406508
RtlReleasePebLock, xrefs: 00406544
NtFreeVirtualMemory, xrefs: 0040651C
ntdll.dll, xrefs: 004064E8, 004064F3, 0040650D, 00406521, 00406535, 00406549, 0040655D
RtlInitUnicodeString, xrefs: 004064EE
LdrEnumerateLoadedModules, xrefs: 00406558

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
API String ID: 1646373207-3653113000
Opcode ID: ef23c6471a2b46cbb5b12a679159521cca5d22753a6c35f36816646c352fbe50
Instruction ID: d8392adca69ca7380431791802c09c3f057f20abbaf47be00649cb9a46baa942
Opcode Fuzzy Hash: ef23c6471a2b46cbb5b12a679159521cca5d22753a6c35f36816646c352fbe50
Instruction Fuzzy Hash: D20171A4E40B1635CB206F7B7C94D17AEAC9E503503160837A406F32A1EEBCD400CD7D

Function 0041B3C6 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 139stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?), ref: 0041B3E1
_memcmp.LIBVCRUNTIME ref: 0041B3F9
lstrlenW.KERNEL32(?), ref: 0041B412
FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041B44D
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041B460
QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041B4A4
lstrcmpW.KERNEL32(?,?), ref: 0041B4BF
FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041B4D7
_wcslen.LIBCMT ref: 0041B4E6
FindVolumeClose.KERNEL32(?), ref: 0041B506
GetLastError.KERNEL32 ref: 0041B51E
GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041B54B
lstrcatW.KERNEL32(?,?), ref: 0041B564
lstrcpyW.KERNEL32(?,?), ref: 0041B573
GetLastError.KERNEL32 ref: 0041B57B

Strings

?, xrefs: 0041B478

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
String ID: ?
API String ID: 3941738427-1684325040
Opcode ID: e79c6557d7143a0add8a3d203bc3a2cd2385ec013658f048d8e2d2538e26efc1
Instruction ID: f0577cbf519c1fbc76aa3138d797bbd7c283cc622b072e5c2a83b2d98bec9820
Opcode Fuzzy Hash: e79c6557d7143a0add8a3d203bc3a2cd2385ec013658f048d8e2d2538e26efc1
Instruction Fuzzy Hash: 8441A071504705ABC720DF61E8489EBB7E8EB48705F00482FF541D2262EF78D989CBDA

Function 0044E41E Relevance: 25.9, APIs: 17, Instructions: 419COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0044E4B0
_free.LIBCMT ref: 0044E4D6
_free.LIBCMT ref: 0044E4FF
_free.LIBCMT ref: 0044E537
_free.LIBCMT ref: 0044E568
_free.LIBCMT ref: 0044E5A9
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0044E62A
_free.LIBCMT ref: 0044E643
_wcschr.LIBVCRUNTIME ref: 0044E680
_free.LIBCMT ref: 0044E6EC
_free.LIBCMT ref: 0044E712
_free.LIBCMT ref: 0044E73B
_free.LIBCMT ref: 0044E770
_free.LIBCMT ref: 0044E7A1
_free.LIBCMT ref: 0044E7E2
SetEnvironmentVariableW.KERNEL32(00000000,?,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044E867
_free.LIBCMT ref: 0044E880

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: _free$EnvironmentVariable$_wcschr
String ID:
API String ID: 3899193279-0
Opcode ID: 0e1a8f8bbfaf70a5321281e28d07a2b80f4a7f922fdb1718459ded84c8fb4435
Instruction ID: a8aac0df7486383d9a181904d39d16e24afc3d72eb934652fe50c6e09291e228
Opcode Fuzzy Hash: 0e1a8f8bbfaf70a5321281e28d07a2b80f4a7f922fdb1718459ded84c8fb4435
Instruction Fuzzy Hash: 5DD12771D00310AFFB21AF77888166E7BA4BF01368F45416FF945A7381EA399E418B9D

Function 00411D59 Relevance: 25.0, APIs: 9, Strings: 5, Instructions: 479sleepfileCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00411D72

Part of subcall function 0041AD43: GetCurrentProcessId.KERNEL32(00000000,771B3530,00000000,?,?,?,?,00466900,0040C07B,.vbs,?,?,?,?,?,00475308), ref: 0041AD6A

Part of subcall function 0041789C: CloseHandle.KERNEL32(00403AB9,?,?,00403AB9,00466324), ref: 004178B2
Part of subcall function 0041789C: CloseHandle.KERNEL32($cF,?,?,00403AB9,00466324), ref: 004178BB

Sleep.KERNEL32(0000000A,00466324), ref: 00411EC4
Sleep.KERNEL32(0000000A,00466324,00466324), ref: 00411F66
Sleep.KERNEL32(0000000A,00466324,00466324,00466324), ref: 00412008
DeleteFileW.KERNEL32(00000000,00466324,00466324,00466324), ref: 00412069
DeleteFileW.KERNEL32(00000000,00466324,00466324,00466324), ref: 004120A0
DeleteFileW.KERNEL32(00000000,00466324,00466324,00466324), ref: 004120DC
Sleep.KERNEL32(000001F4,00466324,00466324,00466324), ref: 004120F6
Sleep.KERNEL32(00000064), ref: 00412138

Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD

Strings

/stext ", xrefs: 00411E4F, 00411EF1, 00411F93
NG, xrefs: 00412356
HTG, xrefs: 004123EE
NG, xrefs: 0041220A
HTG, xrefs: 004122CA

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
String ID: /stext "$HTG$HTG$NG$NG
API String ID: 1223786279-556891652
Opcode ID: 608ad779d3f05872a2fb421b20f7995dfcf2a6a41ae2f7ba8b1188b624d33fb6
Instruction ID: b666a026b41db1aee680f36e7b950d376c2ae40a85d54f66cdb5da2431d4b1f1
Opcode Fuzzy Hash: 608ad779d3f05872a2fb421b20f7995dfcf2a6a41ae2f7ba8b1188b624d33fb6
Instruction Fuzzy Hash: F00224315083414AD324FB61D891BEFB7D5AFD4308F50493EF88A931E2EF785A49C69A

Function 00413F0F Relevance: 24.6, APIs: 9, Strings: 5, Instructions: 109libraryloaderCOMMON

Download Yara Rule

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00413F5E
LoadLibraryA.KERNEL32(?), ref: 00413FA0
GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413FC0
FreeLibrary.KERNEL32(00000000), ref: 00413FC7
LoadLibraryA.KERNEL32(?), ref: 00413FFF
GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414011
FreeLibrary.KERNEL32(00000000), ref: 00414018
GetProcAddress.KERNEL32(00000000,?), ref: 00414027
FreeLibrary.KERNEL32(00000000), ref: 0041403E

Strings

getaddrinfo, xrefs: 00413F1C, 00413FBA, 0041400B
freeaddrinfo, xrefs: 00413F3B
\ws2_32, xrefs: 00413F88
\wship6, xrefs: 00413FE7
getnameinfo, xrefs: 00413F2B

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: Library$AddressFreeProc$Load$DirectorySystem
String ID: \ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
API String ID: 2490988753-744132762
Opcode ID: a1ebb0e7ad90273c6050595515f5be941597b1bff8e5ee6fc120c50391cee153
Instruction ID: be6955175b5ce73d91635d8a52bfbd354ab09fdd92d7e760b1966c561f7cb5d0
Opcode Fuzzy Hash: a1ebb0e7ad90273c6050595515f5be941597b1bff8e5ee6fc120c50391cee153
Instruction Fuzzy Hash: B33117B280131567D320EF55DC84EDB7BDCAF89745F01092AFA88A3201D73CD98587AE

Function 0041BA2F Relevance: 23.0, APIs: 6, Strings: 7, Instructions: 214registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041BA51
RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041BA95
RegCloseKey.ADVAPI32(?), ref: 0041BD5F

Strings

DisplayName, xrefs: 0041BADC
InstallLocation, xrefs: 0041BB1C
DisplayVersion, xrefs: 0041BB08
Publisher, xrefs: 0041BAF1
Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 0041BA47
UninstallString, xrefs: 0041BB44
InstallDate, xrefs: 0041BB30

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen
String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
API String ID: 1332880857-3714951968
Opcode ID: 3efd418213305a701cb68e843df2402042726612c0cd2b9edffbb1664b23c096
Instruction ID: 1bcbf0a3cc417a03c0c35e29071d92a42b6db1fb54f2f7a4c144fc0fa0a0a3c2
Opcode Fuzzy Hash: 3efd418213305a701cb68e843df2402042726612c0cd2b9edffbb1664b23c096
Instruction Fuzzy Hash: 43813F311082409FD324EB11D951AEFB7E8FFD4314F10493FB586921E1EF34AA59CA9A

Function 0041CCA9 Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 73windowCOMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,00000401,?,?), ref: 0041CCF4
GetCursorPos.USER32(?), ref: 0041CD03
SetForegroundWindow.USER32(?), ref: 0041CD0C
TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041CD26
Shell_NotifyIconA.SHELL32(00000002,00474B50), ref: 0041CD77
ExitProcess.KERNEL32 ref: 0041CD7F
CreatePopupMenu.USER32 ref: 0041CD85
AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041CD9A

Strings

Close, xrefs: 0041CD8B

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
String ID: Close
API String ID: 1657328048-3535843008
Opcode ID: bed582d39fc96e8479943e4d89b527f8ff9ef20370aed2009df63d45acb158b0
Instruction ID: 460fc807693895ecf387abb2373bcbc61375cccb84b7011694e880842115b21a
Opcode Fuzzy Hash: bed582d39fc96e8479943e4d89b527f8ff9ef20370aed2009df63d45acb158b0
Instruction Fuzzy Hash: F321F831140205EFDB054FA4FD4DBAA3F65EB04702F004539FA0AA41B1DBB6ED91EB59

Function 0044514D Relevance: 22.8, APIs: 15, Instructions: 296COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 004451BD
_free.LIBCMT ref: 004451D3
_free.LIBCMT ref: 004451E4
_free.LIBCMT ref: 004451F5
_free.LIBCMT ref: 0044520C
GetCPInfo.KERNEL32(?,?), ref: 00445254

Part of subcall function 00451E2B: _free.LIBCMT ref: 00451E96

_free.LIBCMT ref: 00445400
_free.LIBCMT ref: 00445413
_free.LIBCMT ref: 00445421
_free.LIBCMT ref: 0044542C
_free.LIBCMT ref: 0044546E
_free.LIBCMT ref: 00445476
_free.LIBCMT ref: 0044547E
_free.LIBCMT ref: 00445486
_free.LIBCMT ref: 00445494

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: 39c5139744f4540f523a9af4ed2fa8afb712fe0565144d4bd577e3f50ea1b080
Instruction ID: de18a1b700a064f56ed707831433d851a0809218b1b1d193042f08ca5b0df7c8
Opcode Fuzzy Hash: 39c5139744f4540f523a9af4ed2fa8afb712fe0565144d4bd577e3f50ea1b080
Instruction Fuzzy Hash: 59B190719006059FEF11DF69C881BEEBBF4FF09304F14406EF895AB252DA799C459B24

Function 00407DEF Relevance: 21.3, APIs: 8, Strings: 4, Instructions: 325fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00407F4C
GetFileSizeEx.KERNEL32(00000000,00000000), ref: 00407FC2
__aulldiv.LIBCMT ref: 00407FE9
SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 0040810D
ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408128
CloseHandle.KERNEL32(00000000), ref: 00408200
CloseHandle.KERNEL32(00000000,00000052,00000000,?), ref: 0040821A
CloseHandle.KERNEL32(00000000), ref: 00408256

Strings

NG, xrefs: 00407E87
SetFilePointerEx error, xrefs: 00408266
ReadFile error, xrefs: 0040822E
Uploading file to Controller: , xrefs: 00408077

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreatePointerReadSize__aulldiv
String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $NG
API String ID: 1884690901-2582957567
Opcode ID: ec4e0d5317ee6db51cf61ba48dd6986dc2dc21271ea4f960ed56e36754342467
Instruction ID: fe8c5194ffe86d3827a7b181bfbb3d0fd3c62202293e6b84b2d5449ede98e066
Opcode Fuzzy Hash: ec4e0d5317ee6db51cf61ba48dd6986dc2dc21271ea4f960ed56e36754342467
Instruction Fuzzy Hash: 73B182716083409BC614FB25C892BAFB7E5AFD4314F40492EF889632D2EF789945C79B

Function 0045027D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 004502C1

Part of subcall function 0044F4F3: _free.LIBCMT ref: 0044F510
Part of subcall function 0044F4F3: _free.LIBCMT ref: 0044F522
Part of subcall function 0044F4F3: _free.LIBCMT ref: 0044F534
Part of subcall function 0044F4F3: _free.LIBCMT ref: 0044F546
Part of subcall function 0044F4F3: _free.LIBCMT ref: 0044F558
Part of subcall function 0044F4F3: _free.LIBCMT ref: 0044F56A
Part of subcall function 0044F4F3: _free.LIBCMT ref: 0044F57C
Part of subcall function 0044F4F3: _free.LIBCMT ref: 0044F58E
Part of subcall function 0044F4F3: _free.LIBCMT ref: 0044F5A0
Part of subcall function 0044F4F3: _free.LIBCMT ref: 0044F5B2
Part of subcall function 0044F4F3: _free.LIBCMT ref: 0044F5C4
Part of subcall function 0044F4F3: _free.LIBCMT ref: 0044F5D6
Part of subcall function 0044F4F3: _free.LIBCMT ref: 0044F5E8

_free.LIBCMT ref: 004502B6

Part of subcall function 00446CD5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FC60,0000000A,00000000,0000000A,00000000,?,0044FF04,0000000A,00000007,0000000A,?,00450415,0000000A), ref: 00446CEB
Part of subcall function 00446CD5: GetLastError.KERNEL32(0000000A,?,0044FC60,0000000A,00000000,0000000A,00000000,?,0044FF04,0000000A,00000007,0000000A,?,00450415,0000000A,0000000A), ref: 00446CFD

_free.LIBCMT ref: 004502D8
_free.LIBCMT ref: 004502ED
_free.LIBCMT ref: 004502F8
_free.LIBCMT ref: 0045031A
_free.LIBCMT ref: 0045032D
_free.LIBCMT ref: 0045033B
_free.LIBCMT ref: 00450346
_free.LIBCMT ref: 0045037E
_free.LIBCMT ref: 00450385
_free.LIBCMT ref: 004503A2
_free.LIBCMT ref: 004503BA

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 0aefceb04b648aea5efd53e91dec8318d050154b6956abd82aee10787160205d
Instruction ID: 8d5a52dc196ca223d521196e0170462af54da78aea2ffa7a7b46d1c1532e12ca
Opcode Fuzzy Hash: 0aefceb04b648aea5efd53e91dec8318d050154b6956abd82aee10787160205d
Instruction Fuzzy Hash: 57316F355003009FEB20AA79D84AB5B73E9EF01365F51445FF88AD7652DF38AC48D719

Function 0040C66D Relevance: 19.4, APIs: 3, Strings: 8, Instructions: 147COMMON

Download Yara Rule

APIs

Part of subcall function 00411771: TerminateProcess.KERNEL32(00000000,pth_unenc,0040E748), ref: 00411781
Part of subcall function 00411771: WaitForSingleObject.KERNEL32(000000FF), ref: 00411794

Part of subcall function 00412735: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,00475308), ref: 00412751
Part of subcall function 00412735: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 0041276A
Part of subcall function 00412735: RegCloseKey.KERNEL32(00000000), ref: 00412775

GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040C6C7
ShellExecuteW.SHELL32(00000000,open,00000000,00466900,00466900,00000000), ref: 0040C826
ExitProcess.KERNEL32 ref: 0040C832

Strings

exepath, xrefs: 0040C69F
""", 0, xrefs: 0040C74F
open, xrefs: 0040C820
PSG, xrefs: 0040C67D
.vbs, xrefs: 0040C6CD
CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName), xrefs: 0040C7D5
CreateObject("WScript.Shell").Run "cmd /c "", xrefs: 0040C767
Temp, xrefs: 0040C708

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
String ID: """, 0$.vbs$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$PSG$Temp$exepath$open
API String ID: 1913171305-1605470806
Opcode ID: 0e6254cfd11fd0719da03c2ec8444806ffe6fa9b88c261795a14bdbbed94e080
Instruction ID: 0a59ab1ac2652dc6c4b0de1f1bfb113b457f9f33def171b9a9917dadcc9857af
Opcode Fuzzy Hash: 0e6254cfd11fd0719da03c2ec8444806ffe6fa9b88c261795a14bdbbed94e080
Instruction Fuzzy Hash: 2E416D329101185ACB14F761DC56DFE7779AF50708F10417FF806B31E2EE786A8ACA98

Function 0044F5F1 Relevance: 18.4, APIs: 12, Instructions: 376COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0044F639
_free.LIBCMT ref: 0044F65D
_free.LIBCMT ref: 0044F66A
_free.LIBCMT ref: 0044F68F
_free.LIBCMT ref: 0044F69C
_free.LIBCMT ref: 0044F6A5
_free.LIBCMT ref: 0044F983
_free.LIBCMT ref: 0044F98B

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: b030283a6c0ce51ba92dd09d555ed862ebb201d4cb761b5ee972a13664eb7e13
Instruction ID: 986e8a668492dbee8f9f46891c6c86f5dcf9ebf43b9fca0c5b911ed3811bef24
Opcode Fuzzy Hash: b030283a6c0ce51ba92dd09d555ed862ebb201d4cb761b5ee972a13664eb7e13
Instruction Fuzzy Hash: 1FC15371D40204BBEB20EAA8CC82FEE77B89B08704F15416AFE45FB282D6749D459768

Function 004047EB Relevance: 18.1, APIs: 12, Instructions: 66synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(0040466D,000000FF,00000000,?,?,00000000,?,0040466D,00000000,?,?), ref: 004047FD
SetEvent.KERNEL32(0040466D,?,00000000,?,0040466D,00000000,?,?,?,00000000), ref: 00404808
CloseHandle.KERNEL32(0040466D,?,00000000,?,0040466D,00000000,?,?,?,00000000), ref: 00404811
closesocket.WS2_32(000000FF), ref: 0040481F
WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000,?,0040466D,00000000,?,?), ref: 00404856
SetEvent.KERNEL32(00000000,?,00000000,?,0040466D,00000000,?,?,?,00000000), ref: 00404867
WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,?,0040466D,00000000,?,?,?,00000000), ref: 0040486E
SetEvent.KERNEL32(?,?,00000000,?,0040466D,00000000,?,?,?,00000000), ref: 00404880
CloseHandle.KERNEL32(00000000,?,00000000,?,0040466D,00000000,?,?,?,00000000), ref: 00404885
CloseHandle.KERNEL32(?,?,00000000,?,0040466D,00000000,?,?,?,00000000), ref: 0040488A
SetEvent.KERNEL32(0040466D,?,00000000,?,0040466D,00000000,?,?), ref: 00404895
CloseHandle.KERNEL32(0040466D,?,00000000,?,0040466D,00000000,?,?), ref: 0040489A

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: CloseEventHandle$ObjectSingleWait$closesocket
String ID:
API String ID: 3658366068-0
Opcode ID: e2db301fcad4624b7263a524b2eba2d344f633f08cd73d808afccc2cf0cb2889
Instruction ID: bab6184e8302d1d457a53eef1949a11c31841f7ba2aeead181e9cd14b25d2afd
Opcode Fuzzy Hash: e2db301fcad4624b7263a524b2eba2d344f633f08cd73d808afccc2cf0cb2889
Instruction Fuzzy Hash: 21212C71100F149FC6216B26DC05A17BBE1EF40325F104A6EE2A622AF2CF35F851DB4C

Function 00454B92 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00454860: CreateFileW.KERNEL32(00000000,?,?,;LE,?,?,00000000,?,00454C3B,00000000,0000000C), ref: 0045487D

GetLastError.KERNEL32 ref: 00454CA6
__dosmaperr.LIBCMT ref: 00454CAD
GetFileType.KERNEL32(00000000), ref: 00454CB9
GetLastError.KERNEL32 ref: 00454CC3
__dosmaperr.LIBCMT ref: 00454CCC
CloseHandle.KERNEL32(00000000), ref: 00454CEC
CloseHandle.KERNEL32(?), ref: 00454E36
GetLastError.KERNEL32 ref: 00454E68
__dosmaperr.LIBCMT ref: 00454E6F

Strings

H, xrefs: 00454DF4

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 7241ecee4a5f1f89fc763009d89c6ec11b2c57897b1f7dc41199f6beedf99759
Instruction ID: a1ee14646c220e05fb339a94c39d658440f80e8cb8884f5184f0ba1168eb6fd8
Opcode Fuzzy Hash: 7241ecee4a5f1f89fc763009d89c6ec11b2c57897b1f7dc41199f6beedf99759
Instruction Fuzzy Hash: EBA126319045489FDF19DF68D8427AE7BB1EB46329F14015EEC01AF392CB398896CB5A

Function 0041931E Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 174sleeptimeCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00419323
GdiplusStartup.GDIPLUS(00474AF4,?,00000000), ref: 00419355
CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 004193E1
Sleep.KERNEL32(000003E8), ref: 00419463
GetLocalTime.KERNEL32(?), ref: 00419472
Sleep.KERNEL32(00000000,00000018,00000000), ref: 0041955B

Strings

time_%04i%02i%02i_%02i%02i%02i, xrefs: 00419409
VG, xrefs: 004194B7
wnd_%04i%02i%02i_%02i%02i%02i, xrefs: 00419404, 0041941F, 00419496
VG, xrefs: 004193BC

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i$VG$VG
API String ID: 489098229-455837001
Opcode ID: 9f9be5d73908092905350f8d6be77be6132ee5e04cd9351ebf74e9d7e7752075
Instruction ID: fd6a6a94d4e700b4a78141c9ee43bb9ee9cebd21b8d39b126fa21a823fd8be24
Opcode Fuzzy Hash: 9f9be5d73908092905350f8d6be77be6132ee5e04cd9351ebf74e9d7e7752075
Instruction Fuzzy Hash: 9F517B71A002449ACB14BBB5C866AFE7BA9AB55308F40403FF845B71D2EF3C5E85C799

Function 00413D3F Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 155COMMON

Download Yara Rule

Strings

65535, xrefs: 00413D42
udp, xrefs: 00413DEF, 00413DF7, 00413DFB

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID:
String ID: 65535$udp
API String ID: 0-1267037602
Opcode ID: ca54308d78d3c4eee7f7b8de95e44a5f1974b5ba6ce0b2e83d9cd08af329ba0f
Instruction ID: c3bfc2202edcb816331f8b78e042012e01f064b481147a6b300cfea58c86e196
Opcode Fuzzy Hash: ca54308d78d3c4eee7f7b8de95e44a5f1974b5ba6ce0b2e83d9cd08af329ba0f
Instruction Fuzzy Hash: E241F4716093029BD7209F28D905BBB3BA4EB84742F04042FF98593391EB6DDEC1866E

Function 00439571 Relevance: 16.6, APIs: 11, Instructions: 116COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004395C9
GetLastError.KERNEL32(?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004395D6
__dosmaperr.LIBCMT ref: 004395DD
MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439609
GetLastError.KERNEL32(?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439613
__dosmaperr.LIBCMT ref: 0043961A
WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401AD8,?), ref: 0043965D
GetLastError.KERNEL32(?,?,?,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439667
__dosmaperr.LIBCMT ref: 0043966E
_free.LIBCMT ref: 0043967A
_free.LIBCMT ref: 00439681

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
String ID:
API String ID: 2441525078-0
Opcode ID: 7d25b48f924a9fae5a5881453bd469cfe57fd0c2e6412707544dbbd620f0408d
Instruction ID: 4e2bc3e06b1619faa1414a7a2c806c5d1514cda6e297fdc8b1054bbcfea92265
Opcode Fuzzy Hash: 7d25b48f924a9fae5a5881453bd469cfe57fd0c2e6412707544dbbd620f0408d
Instruction Fuzzy Hash: D431E27280560ABFDF11AFA5DC459AF3B68EF09324F10015EF81066251DB39CD50DBAA

Function 00404E52 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 155windowmemoryCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 00404E71
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00404F21
TranslateMessage.USER32(?), ref: 00404F30
DispatchMessageA.USER32(?), ref: 00404F3B
HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00474F78), ref: 00404FF3
HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 0040502B

Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD

Strings

CloseChat, xrefs: 00404FBB
GetMessage, xrefs: 00404FAA
DisplayMessage, xrefs: 00404F9E

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
String ID: CloseChat$DisplayMessage$GetMessage
API String ID: 2956720200-749203953
Opcode ID: 1295ec8e36243f98cadcd04087525a0f6d30f5080800e4555915d39d6ef7306e
Instruction ID: 290a0909c372499a911e5ffd519e5407deecd3e64339803c74491ead196e324c
Opcode Fuzzy Hash: 1295ec8e36243f98cadcd04087525a0f6d30f5080800e4555915d39d6ef7306e
Instruction Fuzzy Hash: A441B1726043016BC614FB75DC568AF7BA8ABC1714F00093EF906A31E6EF38DA05C79A

Function 0041700D Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 107filesynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,00466554), ref: 0041710A
CloseHandle.KERNEL32(00000000), ref: 00417113
DeleteFileA.KERNEL32(00000000), ref: 00417122
ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 004170D6

Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD

Strings

<, xrefs: 004170B1
@, xrefs: 004170B8
Temp, xrefs: 0041702E
HVG, xrefs: 0041714F
HVG, xrefs: 004170E3

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: CloseDeleteExecuteFileHandleObjectShellSingleWaitsend
String ID: <$@$HVG$HVG$Temp
API String ID: 1107811701-2568817187
Opcode ID: 49b2793fd4fb0bfedd157a3dfc6a5d0807558cb51ec49c987588f81380459670
Instruction ID: 91e4b2e714ed18abe86730f534b33d619c8c8851ecafca63038a632c75497fc1
Opcode Fuzzy Hash: 49b2793fd4fb0bfedd157a3dfc6a5d0807558cb51ec49c987588f81380459670
Instruction Fuzzy Hash: 00319C31A00209ABCB04FBA1DC56AEE7775AF50308F40417EF506761E2EF785A89CB99

Function 00419E7B Relevance: 15.1, APIs: 10, Instructions: 66serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,?,?,?,?,?,?,004197EE,00000000,00000000), ref: 00419E8A
OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,004197EE,00000000,00000000), ref: 00419EA1
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004197EE,00000000,00000000), ref: 00419EAE
ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,004197EE,00000000,00000000), ref: 00419EBD
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004197EE,00000000,00000000), ref: 00419ECE
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004197EE,00000000,00000000), ref: 00419ED1

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID:
API String ID: 221034970-0
Opcode ID: fd4b3df9065e7dfd6d4a697e6f6a53e43d0cc3b02fd87625ee99f2ecddb25ff7
Instruction ID: 401ec45fa9dd23e1a78cca63bf6ad54db5d4c9b9326c405a7ffc92fc58cb3c60
Opcode Fuzzy Hash: fd4b3df9065e7dfd6d4a697e6f6a53e43d0cc3b02fd87625ee99f2ecddb25ff7
Instruction Fuzzy Hash: 4211A331941218BBD711AB64DC85DFF3B6CDB45BA1B05002AF902A21D2DF64CD4A9AB5

Function 00446FDB Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00446FEF

Part of subcall function 00446CD5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FC60,0000000A,00000000,0000000A,00000000,?,0044FF04,0000000A,00000007,0000000A,?,00450415,0000000A), ref: 00446CEB
Part of subcall function 00446CD5: GetLastError.KERNEL32(0000000A,?,0044FC60,0000000A,00000000,0000000A,00000000,?,0044FF04,0000000A,00000007,0000000A,?,00450415,0000000A,0000000A), ref: 00446CFD

_free.LIBCMT ref: 00446FFB
_free.LIBCMT ref: 00447006
_free.LIBCMT ref: 00447011
_free.LIBCMT ref: 0044701C
_free.LIBCMT ref: 00447027
_free.LIBCMT ref: 00447032
_free.LIBCMT ref: 0044703D
_free.LIBCMT ref: 00447048
_free.LIBCMT ref: 00447056

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 6cab9f7d569f345c7814ae43f5c160195df6b64f63ea78a6b18b8aa73aee7787
Instruction ID: 9fec27c2adf71536e74eabd4120179072dbaa777ef3671cded9c13d0800a1e4b
Opcode Fuzzy Hash: 6cab9f7d569f345c7814ae43f5c160195df6b64f63ea78a6b18b8aa73aee7787
Instruction Fuzzy Hash: 86119B7550011CBFDB05EF55C882CDD3BB5EF05364B9240AAF9494F222DA35DE50EB49

Function 004103EC Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 192COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 0041040B
inet_ntoa.WS2_32(?), ref: 004104A6

Strings

GetDirectListeningPort, xrefs: 004105A9
NG, xrefs: 00410431
StopForward, xrefs: 00410587
StopReverse, xrefs: 00410598
StartForward, xrefs: 0041056A
StartReverse, xrefs: 00410576

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: Eventinet_ntoa
String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$NG
API String ID: 3578746661-3604713145
Opcode ID: 7b7cad720aec6dcac55c86159f4ba6ce004c0f2feb5086f5f477b25b5e77307c
Instruction ID: 73c74054356758d85ec5353b0407031f458931cc5dd6312d5a4dd957febfbb04
Opcode Fuzzy Hash: 7b7cad720aec6dcac55c86159f4ba6ce004c0f2feb5086f5f477b25b5e77307c
Instruction Fuzzy Hash: 5851A4316043005BCA14FB75D95AAAE36A59B84318F00453FF809972E1DFBC9D85C78E

Function 00455349 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 154COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,00455FBF), ref: 0045536C

Strings

acos, xrefs: 004554E4
asin, xrefs: 004554D8
log, xrefs: 00455412, 0045541E
pow, xrefs: 00455450, 004554FC, 0045550F
sqrt, xrefs: 004554F0
log10, xrefs: 004553B6, 00455406
exp, xrefs: 00455431, 00455493

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: DecodePointer
String ID: acos$asin$exp$log$log10$pow$sqrt
API String ID: 3527080286-3064271455
Opcode ID: fcb8f87b81c24025c8faa1ed3748b23e21aaaa522dc2b9ab90eaf932e2f1aeea
Instruction ID: 83316d2fa1d48b2f4155984bd6892a75fd3c5afb36d5e99e95f82d48d48c5a2a
Opcode Fuzzy Hash: fcb8f87b81c24025c8faa1ed3748b23e21aaaa522dc2b9ab90eaf932e2f1aeea
Instruction Fuzzy Hash: 93516C70900A09DBCF10DF58D5581BDBBB0FB0A306F204197DC81A7326DB798A6C8B1E

Function 004167E2 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 103sleepfileCOMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 00416842

Part of subcall function 0041B825: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B83E

Sleep.KERNEL32(00000064), ref: 0041686E
DeleteFileW.KERNEL32(00000000), ref: 004168A2

Strings

open, xrefs: 0041683C
/t , xrefs: 00416821
temp, xrefs: 004167F2
\sysinfo.txt, xrefs: 004167ED
dxdiag, xrefs: 00416837

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: File$CreateDeleteExecuteShellSleep
String ID: /t $\sysinfo.txt$dxdiag$open$temp
API String ID: 1462127192-2001430897
Opcode ID: 78dd33abf2884f810a7e72361485d7cfc0b09768de528c2206b505d279b8ba2d
Instruction ID: c4be9e9118a59201799f54b99a9a171b680bb642a7e99c3b30ff6139130205e5
Opcode Fuzzy Hash: 78dd33abf2884f810a7e72361485d7cfc0b09768de528c2206b505d279b8ba2d
Instruction Fuzzy Hash: 1B313E719001189ADB04FBA1DC96EEE7764AF50708F00417FF946730D2EF786A8ACA9D

Function 00406616 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 98COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00475A50,00000000,004752F0,00003000,00000004,00000000,00000001), ref: 00406647
GetCurrentProcess.KERNEL32(00475A50,00000000,00008000,?,00000000,00000001,00000000,004068BB,C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe), ref: 00406705

Strings

[+] NtAllocateVirtualMemory Success, xrefs: 0040667A
[-] NtAllocateVirtualMemory Error, xrefs: 004066AA
PEB: %x, xrefs: 00406716
\explorer.exe, xrefs: 0040666A
explorer.exe, xrefs: 004066BD, 004066E2
windir, xrefs: 00406654

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: CurrentProcess
String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir
API String ID: 2050909247-4242073005
Opcode ID: 3d4dde61fac8f932cecf13147f1715ad91c8a5d9075df555c2e0fc840e87cdfb
Instruction ID: 2a8ac338152687dbadce55b3d6de3572d7837fd421bef744f3a625c24d449dc1
Opcode Fuzzy Hash: 3d4dde61fac8f932cecf13147f1715ad91c8a5d9075df555c2e0fc840e87cdfb
Instruction Fuzzy Hash: B231B671600700AFD300AF65DC8AF5677A8FB44709F11053EF50ABB6E1EBB9A8548B6D

Function 00401A8E Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 89COMMON

Download Yara Rule

APIs

_strftime.LIBCMT ref: 00401AD3

Part of subcall function 00401BE8: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401C54

waveInUnprepareHeader.WINMM(00472AC0,00000020,00000000,?), ref: 00401B85
waveInPrepareHeader.WINMM(00472AC0,00000020), ref: 00401BC3
waveInAddBuffer.WINMM(00472AC0,00000020), ref: 00401BD2

Strings

.wav, xrefs: 00401AEC
dMG, xrefs: 00401B04
|MG, xrefs: 00401B8B
%Y-%m-%d %H.%M, xrefs: 00401AC4

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
String ID: %Y-%m-%d %H.%M$.wav$dMG$|MG
API String ID: 3809562944-243156785
Opcode ID: 79247b94fc76ef65d7255bd27e7b2992fd07bc3911e05f814a85dbf418cf17d5
Instruction ID: b0e15ff03f11dcb3e5bfd7c1448581b7ace3962aa9bffbd159c0990beee9d81b
Opcode Fuzzy Hash: 79247b94fc76ef65d7255bd27e7b2992fd07bc3911e05f814a85dbf418cf17d5
Instruction Fuzzy Hash: 7E315E315043019FC324EB21DC56A9E77A4FB94314F00493EF559A21F1EFB8AA89CB9A

Function 0041CB7A Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 47windowstringCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041CB93

Part of subcall function 0041CC2A: RegisterClassExA.USER32(00000030), ref: 0041CC77
Part of subcall function 0041CC2A: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041CC92
Part of subcall function 0041CC2A: GetLastError.KERNEL32 ref: 0041CC9C

ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041CBCA
lstrcpynA.KERNEL32(00474B68,Remcos,00000080), ref: 0041CBE4
Shell_NotifyIconA.SHELL32(00000000,00474B50), ref: 0041CBFA
TranslateMessage.USER32(?), ref: 0041CC06
DispatchMessageA.USER32(?), ref: 0041CC10
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041CC1D

Strings

Remcos, xrefs: 0041CBD5

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
String ID: Remcos
API String ID: 1970332568-165870891
Opcode ID: 7a949f86bc247f3cbdd076edfe2cda77560b6c3ffe772df9fdb29a851d56ec4a
Instruction ID: 6591afd7fea275f101bd811abb8745f55115b26a2df550b070e187602390ba30
Opcode Fuzzy Hash: 7a949f86bc247f3cbdd076edfe2cda77560b6c3ffe772df9fdb29a851d56ec4a
Instruction Fuzzy Hash: 130112B1940344ABD7109BA5EC4DFEABBBCA7C5B05F004029E615A2061EFB8E585CB6D

Function 0044B660 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b79e0bacf68e79f56bbfbff6a95aeb92d11d955db7cfd18af0a5c0e52fbe5259
Instruction ID: 8081305e108bfff8a8e14cd18a234b42858a69a1a1930647e7f2335dd99175ec
Opcode Fuzzy Hash: b79e0bacf68e79f56bbfbff6a95aeb92d11d955db7cfd18af0a5c0e52fbe5259
Instruction Fuzzy Hash: 44C105B0D04249AFEF11DFA9C8417BEBBB4EF09314F04415AE544A7392C738D941CBA9

Function 00452D3A Relevance: 13.8, APIs: 9, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,00453013,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 00452DE6
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,00453013,00000000,00000000,?,00000001,?,?,?,?), ref: 00452E69
__alloca_probe_16.LIBCMT ref: 00452EA1
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,00453013,?,00453013,00000000,00000000,?,00000001,?,?,?,?), ref: 00452EFC
__alloca_probe_16.LIBCMT ref: 00452F4B
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00453013,00000000,00000000,?,00000001,?,?,?,?), ref: 00452F13

Part of subcall function 00446D0F: RtlAllocateHeap.NTDLL(00000000,00434613,?,?,00437437,?,?,?,?,?,0040CD5A,00434613,?,?,?,?), ref: 00446D41

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00453013,00000000,00000000,?,00000001,?,?,?,?), ref: 00452F8F
__freea.LIBCMT ref: 00452FBA
__freea.LIBCMT ref: 00452FC6

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
String ID:
API String ID: 201697637-0
Opcode ID: 636d8ee8978a4b28d28c899fe5287c94f7ea3d2e518637072967bc6aea0c1ce5
Instruction ID: e285173fe66e9ab68cc8b5f7bb46492c032c90826bba7407019ac45f59d87ef3
Opcode Fuzzy Hash: 636d8ee8978a4b28d28c899fe5287c94f7ea3d2e518637072967bc6aea0c1ce5
Instruction Fuzzy Hash: E991D572E002169BDF208E64DA41AEFBBB5AF0A312F14055BFC05E7242D778DC48C768

Function 00444609 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 266COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004470CF: GetLastError.KERNEL32(?,?,0043952C,?,00000000,?,0043BB65,00000000,00000000), ref: 004470D3
Part of subcall function 004470CF: _free.LIBCMT ref: 00447106
Part of subcall function 004470CF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00447147
Part of subcall function 004470CF: _abort.LIBCMT ref: 0044714D

_memcmp.LIBVCRUNTIME ref: 004448B3
_free.LIBCMT ref: 00444924
_free.LIBCMT ref: 0044493D
_free.LIBCMT ref: 0044496F
_free.LIBCMT ref: 00444978
_free.LIBCMT ref: 00444984

Strings

C, xrefs: 00444771

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: _free$ErrorLast$_abort_memcmp
String ID: C
API String ID: 1679612858-1037565863
Opcode ID: abd95adb81c550f409ae5c5119100e906ed8d0f865db868ac1378bf86e803171
Instruction ID: ce46d41f1d9e01bafc0896c2bb0d2adb680072b6a59d341745b23d3028246374
Opcode Fuzzy Hash: abd95adb81c550f409ae5c5119100e906ed8d0f865db868ac1378bf86e803171
Instruction Fuzzy Hash: 24B14975A012199FEB24DF18C884BAEB7B4FF49314F1045AEE849A7351D738AE90CF48

Function 00413A9F Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 228COMMON

Download Yara Rule

Strings

tcp, xrefs: 00413C03
udp, xrefs: 00413BD9

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID:
String ID: tcp$udp
API String ID: 0-3725065008
Opcode ID: af4d639371690cb8637a3a63659cf8324f890a8ac4b6ebd8bb2dc9423f2fa13d
Instruction ID: 641150f3fd0ea6af627c79cdc5c75230aa36f57d28899e04d0661f3c05bf373f
Opcode Fuzzy Hash: af4d639371690cb8637a3a63659cf8324f890a8ac4b6ebd8bb2dc9423f2fa13d
Instruction Fuzzy Hash: 0D71D1716083528FDB24CF1994846ABB7E0AF84746F14442FF885A7352E77CDE81CB8A

Function 00406BE9 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 97fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00466454,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C38
WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,000186A0,?,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C80

Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD

CloseHandle.KERNEL32(00000000,?,?,00000000,00407273,00000000,?,0000000A,00000000,00000000), ref: 00406CC0
MoveFileW.KERNEL32(00000000,00000000), ref: 00406CDD
CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,0000000A,00000000,00000000), ref: 00406D08
DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,0000000A,00000000,00000000), ref: 00406D18

Part of subcall function 0040455B: WaitForSingleObject.KERNEL32(?,000000FF,?,?,0040460E,00000000,?,?), ref: 0040456A
Part of subcall function 0040455B: SetEvent.KERNEL32(?,?,?,0040460E,00000000,?,?), ref: 00404588

Strings

.part, xrefs: 00406C0F

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
String ID: .part
API String ID: 1303771098-3499674018
Opcode ID: 857a5de1e36b0c99e5fcaddd662611590a652c3b5d8b29b265f96ceecfea8a93
Instruction ID: 7eae26b3d9efd85ab9a821acf87acbbc445967fcd6ce231ca79d13f55b5b668b
Opcode Fuzzy Hash: 857a5de1e36b0c99e5fcaddd662611590a652c3b5d8b29b265f96ceecfea8a93
Instruction Fuzzy Hash: C631A4715083019FD210EF21DD459AFB7A8FB84755F40093EF9C6B21A1DF38AA48CB9A

Function 0040196B Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 72COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040197B
waveInOpen.WINMM(00472AF8,000000FF,00472B00,Function_00001A8E,00000000,00000000,00000024), ref: 00401A11
waveInPrepareHeader.WINMM(00472AC0,00000020,00000000), ref: 00401A66
waveInAddBuffer.WINMM(00472AC0,00000020), ref: 00401A75
waveInStart.WINMM ref: 00401A81

Strings

dMG, xrefs: 0040196F
|MG, xrefs: 00401A1E

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
String ID: dMG$|MG
API String ID: 1356121797-1683252805
Opcode ID: 90184a660b4496401ca2bd395970f68dae25d6e8355fffeefbf0e1e22ce1cb2f
Instruction ID: 140f40b68b7a2e7574469051551963e155d477b90c1392cdc23a62cf20397fe9
Opcode Fuzzy Hash: 90184a660b4496401ca2bd395970f68dae25d6e8355fffeefbf0e1e22ce1cb2f
Instruction Fuzzy Hash: 52215C316002019BC725DF66EE1996A7BA6FB84710B00883EF50DE76B0DBF898C0CB5C

Function 00449B60 Relevance: 12.2, APIs: 8, Instructions: 216COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,0043D774,0043D774,?,?,?,00449DB1,00000001,00000001,1AE85006), ref: 00449BBA
__alloca_probe_16.LIBCMT ref: 00449BF2
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00449DB1,00000001,00000001,1AE85006,?,?,?), ref: 00449C40
__alloca_probe_16.LIBCMT ref: 00449CD7
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,1AE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00449D3A
__freea.LIBCMT ref: 00449D47

Part of subcall function 00446D0F: RtlAllocateHeap.NTDLL(00000000,00434613,?,?,00437437,?,?,?,?,?,0040CD5A,00434613,?,?,?,?), ref: 00446D41

__freea.LIBCMT ref: 00449D50
__freea.LIBCMT ref: 00449D75

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 3864826663-0
Opcode ID: 45550f184a61a9f8ddf17f24dc0c1f131df532b020593bc4805c091103afbf88
Instruction ID: b9264d00d576e3e69c3e593975f72d59ef517f4fd458bc34bb1ef2c80a576446
Opcode Fuzzy Hash: 45550f184a61a9f8ddf17f24dc0c1f131df532b020593bc4805c091103afbf88
Instruction Fuzzy Hash: 3651F8B2A10206AFFB258F65DC82EBF77A9EB44754F15462EFC05DB240EB38DC409658

Function 00418CB4 Relevance: 12.1, APIs: 8, Instructions: 117keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32 ref: 00418CFE
SendInput.USER32(00000001,?,0000001C), ref: 00418D26
SendInput.USER32(00000001,0000001C,0000001C), ref: 00418D4D
SendInput.USER32(00000001,0000001C,0000001C), ref: 00418D6B
SendInput.USER32(00000001,0000001C,0000001C), ref: 00418D8B
SendInput.USER32(00000001,0000001C,0000001C), ref: 00418DB0
SendInput.USER32(00000001,0000001C,0000001C), ref: 00418DD2
SendInput.USER32(00000001,?,0000001C), ref: 00418DF5

Part of subcall function 00418CA7: MapVirtualKeyA.USER32(00000000,00000000), ref: 00418CAD

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: InputSend$Virtual
String ID:
API String ID: 1167301434-0
Opcode ID: 03d106074c487e793b96b2f05eb270ad55284c326fdeb905245ef2a17d2a5417
Instruction ID: 141eef32e971302722b3407f09031bac5ba220a7556c2b6a6b809b2d6bbc12e7
Opcode Fuzzy Hash: 03d106074c487e793b96b2f05eb270ad55284c326fdeb905245ef2a17d2a5417
Instruction Fuzzy Hash: 2D318031258349A9E210DF65DC41FDFBBECAFC9B08F04080FB58457191EAA4858C87AB

Function 00415BDD Relevance: 12.0, APIs: 8, Instructions: 46clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00415BDE
EmptyClipboard.USER32 ref: 00415BEC
CloseClipboard.USER32 ref: 00415BF2
OpenClipboard.USER32 ref: 00415BF9
GetClipboardData.USER32(0000000D), ref: 00415C09
GlobalLock.KERNEL32(00000000), ref: 00415C12
GlobalUnlock.KERNEL32(00000000), ref: 00415C1B
CloseClipboard.USER32 ref: 00415C21

Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
String ID:
API String ID: 2172192267-0
Opcode ID: bf20fe329199a8e34afe0003246c911adf149e6994b4918492a0dc0ec0b93d4d
Instruction ID: 369576e1793333014f6cd695595c81a654a0099a6e7e621b1e9fba3c04e1709a
Opcode Fuzzy Hash: bf20fe329199a8e34afe0003246c911adf149e6994b4918492a0dc0ec0b93d4d
Instruction Fuzzy Hash: EE0152322003009FC350BF71DC59AAE77A5AF80B42F00443FFD06A61A2EF35C949C659

Function 00446369 Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00446471
__freea.LIBCMT ref: 0044651B
__freea.LIBCMT ref: 00446539

Strings

hD, xrefs: 004467A3
am/pm, xrefs: 0044659C
a/p, xrefs: 00446600

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: __freea$__alloca_probe_16
String ID: a/p$am/pm$hD
API String ID: 3509577899-3668228793
Opcode ID: 44ea5ac924aea223c25ec6af7a156dea15db996b08b3c9c3fe5b3e61d2d79652
Instruction ID: deb853d5fd6adf3918d69246e21912660bd894b39407ab32d9d7da7685977c7a
Opcode Fuzzy Hash: 44ea5ac924aea223c25ec6af7a156dea15db996b08b3c9c3fe5b3e61d2d79652
Instruction Fuzzy Hash: 1CD111719002069AFB289F68C9857BBB7B0FF06708F26415BE9019B355D33D9D81CB6B

Function 0044FA16 Relevance: 10.7, APIs: 7, Instructions: 204COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0044FA85
_free.LIBCMT ref: 0044FA93
_free.LIBCMT ref: 0044FBC1
_free.LIBCMT ref: 0044FBCC

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 1d80ecd898b2873860388bfd90a69a91c38572b88f559cfcb1da031a1a01905e
Instruction ID: 0b2e84c71dbf843dbcc2e99f9f8dbab27ea7d8a4e4ef3fbdb467abc62f582456
Opcode Fuzzy Hash: 1d80ecd898b2873860388bfd90a69a91c38572b88f559cfcb1da031a1a01905e
Instruction Fuzzy Hash: E061E271D00244AFEB20DF69C842BAABBF4EB4A320F24407BED45EB251D734AD45DB58

Function 0044418B Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 187COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00446D0F: RtlAllocateHeap.NTDLL(00000000,00434613,?,?,00437437,?,?,?,?,?,0040CD5A,00434613,?,?,?,?), ref: 00446D41

_free.LIBCMT ref: 00444296
_free.LIBCMT ref: 004442AD
_free.LIBCMT ref: 004442CC
_free.LIBCMT ref: 004442E7
_free.LIBCMT ref: 004442FE

Strings

Z9D, xrefs: 004441BB, 0044433D

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: _free$AllocateHeap
String ID: Z9D
API String ID: 3033488037-3781130823
Opcode ID: 1e396c4f324de9ddb7b01a7129941a49517c4d4e7f7401902ff7e7d19c1db4b4
Instruction ID: 86c8eacfe83d9672290f1135950403671a27bde0e5aa55c461cabd1b4ee88ac5
Opcode Fuzzy Hash: 1e396c4f324de9ddb7b01a7129941a49517c4d4e7f7401902ff7e7d19c1db4b4
Instruction Fuzzy Hash: D551B171A00304AFEB20DF6AC881B6A77F4FF95724B1446AEF809D7650E779DA01CB48

Function 0044821F Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045E478), ref: 00448289
WideCharToMultiByte.KERNEL32(00000000,00000000,0047279C,000000FF,00000000,0000003F,00000000,?,?), ref: 00448301
WideCharToMultiByte.KERNEL32(00000000,00000000,004727F0,000000FF,?,0000003F,00000000,?), ref: 0044832E
_free.LIBCMT ref: 00448277

Part of subcall function 00446CD5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FC60,0000000A,00000000,0000000A,00000000,?,0044FF04,0000000A,00000007,0000000A,?,00450415,0000000A), ref: 00446CEB
Part of subcall function 00446CD5: GetLastError.KERNEL32(0000000A,?,0044FC60,0000000A,00000000,0000000A,00000000,?,0044FF04,0000000A,00000007,0000000A,?,00450415,0000000A,0000000A), ref: 00446CFD

_free.LIBCMT ref: 00448443

Strings

xE, xrefs: 00448232, 00448238

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID: xE
API String ID: 1286116820-407097786
Opcode ID: 1f630aa574f8f032912558e332746922b811222e22d4e5e5c8fa9a473f36de46
Instruction ID: 82a604bb7294b81f3f73b5ad664ce4632eb81d562d18d3de5c52697f85b56542
Opcode Fuzzy Hash: 1f630aa574f8f032912558e332746922b811222e22d4e5e5c8fa9a473f36de46
Instruction Fuzzy Hash: 43510871900219ABEB14EF698D819AE77BCEF44B14F1002AFF854A3291EF788D418B5C

Function 0044A2D3 Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,0044AA48,?,00000000,00000000,00000000,00000000,0000000C), ref: 0044A315
__fassign.LIBCMT ref: 0044A390
__fassign.LIBCMT ref: 0044A3AB
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 0044A3D1
WriteFile.KERNEL32(?,00000000,00000000,0044AA48,00000000,?,?,?,?,?,?,?,?,?,0044AA48,?), ref: 0044A3F0
WriteFile.KERNEL32(?,?,00000001,0044AA48,00000000,?,?,?,?,?,?,?,?,?,0044AA48,?), ref: 0044A429

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 19793b4b6baa09b5fac30a83039e1f9c1b1fc09f5707b87a30c95e6118fc2717
Instruction ID: 781c03a50f1c813746d4e14bf3c61566c92396d5579059589c4d950ed669b936
Opcode Fuzzy Hash: 19793b4b6baa09b5fac30a83039e1f9c1b1fc09f5707b87a30c95e6118fc2717
Instruction Fuzzy Hash: 6551C474E002499FDB10CFA8D845AEEBBF4EF09300F14412BE955E7291E774A951CB6A

Function 00401768 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 142threadCOMMON

Download Yara Rule

APIs

ExitThread.KERNEL32 ref: 004017F4

Part of subcall function 00433724: EnterCriticalSection.KERNEL32(00471D18,?,00476D54,?,0040AE8B,00476D54,?,00000000,00000000), ref: 0043372F
Part of subcall function 00433724: LeaveCriticalSection.KERNEL32(00471D18,?,0040AE8B,00476D54,?,00000000,00000000), ref: 0043376C

waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00474EE0,00000000), ref: 00401902

Part of subcall function 00433AB0: __onexit.LIBCMT ref: 00433AB6

__Init_thread_footer.LIBCMT ref: 004017BC

Part of subcall function 004336DA: EnterCriticalSection.KERNEL32(00471D18,00476D54,?,0040AEAC,00476D54,00456FA7,?,00000000,00000000), ref: 004336E4
Part of subcall function 004336DA: LeaveCriticalSection.KERNEL32(00471D18,?,0040AEAC,00476D54,00456FA7,?,00000000,00000000), ref: 00433717

Strings

NG, xrefs: 0040180B
NG, xrefs: 0040188E
XMG, xrefs: 00401800

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
String ID: XMG$NG$NG
API String ID: 1596592924-1283814050
Opcode ID: 1d427ad3c8646c7af8f92f397ae04b57ed9a744fd571dcf8e9b2171af239d2c3
Instruction ID: a5e0bc9ac4bbc073a85812dd1d3adb1d2a3c84d0b98f0a89840e4e641ba94373
Opcode Fuzzy Hash: 1d427ad3c8646c7af8f92f397ae04b57ed9a744fd571dcf8e9b2171af239d2c3
Instruction Fuzzy Hash: 5341B4712042008BC329FB65DD96AAE7395EB94318F10453FF54AA31F2DF389986CB5E

Function 00412D60 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 135registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 00412D99

Part of subcall function 00412A82: RegQueryInfoKeyW.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00412AF5
Part of subcall function 00412A82: RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000,?,?,?,?), ref: 00412B24

Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD

RegCloseKey.ADVAPI32(TeFTeF,00466554,00466554,00466900,00466900,00000071), ref: 00412F09

Strings

TeFTeF, xrefs: 00412F05
NG, xrefs: 00412DC8
TG, xrefs: 00412DD0
TG, xrefs: 00412ED7

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: CloseEnumInfoOpenQuerysend
String ID: TeFTeF$NG$TG$TG
API String ID: 3114080316-826076573
Opcode ID: 6c1db13cde9a772bdcef3daeeb83b5efafd3d4bad46828ca18ea53aaf252cc2e
Instruction ID: 217e792c851e8857c64f97df11b7492b8bc11e7bd79a931969a0b124146415da
Opcode Fuzzy Hash: 6c1db13cde9a772bdcef3daeeb83b5efafd3d4bad46828ca18ea53aaf252cc2e
Instruction Fuzzy Hash: ED41A1316042005BD224F725D8A2AEF7395AFD0308F50843FF94A671E2EF7C5D4986AE

Function 00437C90 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00437CBB
___except_validate_context_record.LIBVCRUNTIME ref: 00437CC3
_ValidateLocalCookies.LIBCMT ref: 00437D51
__IsNonwritableInCurrentImage.LIBCMT ref: 00437D7C
_ValidateLocalCookies.LIBCMT ref: 00437DD1

Strings

csm, xrefs: 00437D66

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: e20e4e91601e7da6f84b85b393d4409c90c36ea595a33a74ae9b4edf16c34eae
Instruction ID: 1103995f59bc857a00dd0af833384e4a9f5f4a2e3f3cb1d3a3c35a3a433dd29e
Opcode Fuzzy Hash: e20e4e91601e7da6f84b85b393d4409c90c36ea595a33a74ae9b4edf16c34eae
Instruction Fuzzy Hash: 4E410674A042099BCF20DF29C844AAE7BA5AF4C328F14905AEC55AB392D739DD45CF98

Function 0040B6EA Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 004125EB: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 0041260F
Part of subcall function 004125EB: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 0041262C
Part of subcall function 004125EB: RegCloseKey.KERNEL32(?), ref: 00412637

ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040B76C
PathFileExistsA.SHLWAPI(?), ref: 0040B779

Strings

[IE cookies cleared!], xrefs: 0040B7C6, 0040B7E6
Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders, xrefs: 0040B703
[IE cookies not found], xrefs: 0040B741
Cookies, xrefs: 0040B6FE

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
API String ID: 1133728706-4073444585
Opcode ID: 798b700cde0c1926405b4a04a5924c1096cb72e5c493937ed5f3ed64600f93a0
Instruction ID: 7ed93d3ebd4d115a7197ccd8f2df160251767479400bef64a6787df62d4369c8
Opcode Fuzzy Hash: 798b700cde0c1926405b4a04a5924c1096cb72e5c493937ed5f3ed64600f93a0
Instruction Fuzzy Hash: 29215C31A1410966CB04F7B2CCA69EE7764AE94318F40013FA902771D2EF789A4986DE

Function 00455B13 Relevance: 10.6, APIs: 7, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfbae8f3dcd2e5f3bdf3bcee8d3106cebccc1d81cd58107c476234e6777acd1f
Instruction ID: 890753aa9dfb888b2a1585f98a5e225511b13b718af609ae416a1884f745cca0
Opcode Fuzzy Hash: cfbae8f3dcd2e5f3bdf3bcee8d3106cebccc1d81cd58107c476234e6777acd1f
Instruction Fuzzy Hash: 3A112472504A15BFDB206F729C08D3B3AACEB82736F20016EFC15D7282DE38C800C669

Function 0040FCC7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040FCD4
int.LIBCPMT ref: 0040FCE7

Part of subcall function 0040CFB3: std::_Lockit::_Lockit.LIBCPMT ref: 0040CFC4
Part of subcall function 0040CFB3: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CFDE

std::_Facet_Register.LIBCPMT ref: 0040FD23
std::_Lockit::~_Lockit.LIBCPMT ref: 0040FD49
__CxxThrowException@8.LIBVCRUNTIME ref: 0040FD65

Strings

xkG, xrefs: 0040FD6C

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
String ID: xkG
API String ID: 2536120697-3406988965
Opcode ID: 4b6f72b1e0d08092fd2688f9826419a51511b3482868562e895aff95ac9ad519
Instruction ID: 7cf641d0f45d7e480cf6c67891cb53e845b1d2cd586d61112ae60f6436568b55
Opcode Fuzzy Hash: 4b6f72b1e0d08092fd2688f9826419a51511b3482868562e895aff95ac9ad519
Instruction Fuzzy Hash: 3B11F032900119A7CB14FBA5D8429DEB7689E55358F10013BF809B72D1EB3CAF49C7D9

Function 0044FEEB Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0044FC32: _free.LIBCMT ref: 0044FC5B

_free.LIBCMT ref: 0044FF39

Part of subcall function 00446CD5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FC60,0000000A,00000000,0000000A,00000000,?,0044FF04,0000000A,00000007,0000000A,?,00450415,0000000A), ref: 00446CEB
Part of subcall function 00446CD5: GetLastError.KERNEL32(0000000A,?,0044FC60,0000000A,00000000,0000000A,00000000,?,0044FF04,0000000A,00000007,0000000A,?,00450415,0000000A,0000000A), ref: 00446CFD

_free.LIBCMT ref: 0044FF44
_free.LIBCMT ref: 0044FF4F
_free.LIBCMT ref: 0044FFA3
_free.LIBCMT ref: 0044FFAE
_free.LIBCMT ref: 0044FFB9
_free.LIBCMT ref: 0044FFC4

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 7c29d87e7d6a666a6374703866dd42c53a280d6db8acc668fe4e1522d65ba280
Instruction ID: 7d3bb130547cbd64d3bc6acdbb054c191a8682768e3bc5df2cfa43195c7f437f
Opcode Fuzzy Hash: 7c29d87e7d6a666a6374703866dd42c53a280d6db8acc668fe4e1522d65ba280
Instruction Fuzzy Hash: 3611603158175CAAE930B7B2CC87FCB779CFF01744F804C2EB69B66052DA2CB90A5655

Function 00406815 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 59COMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe), ref: 00406835

Part of subcall function 00406764: _wcslen.LIBCMT ref: 00406788
Part of subcall function 00406764: CoGetObject.OLE32(?,00000024,004669B0,00000000), ref: 004067E9

CoUninitialize.OLE32 ref: 0040688E

Strings

C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe, xrefs: 00406815, 00406818, 0040686A
[+] before ShellExec, xrefs: 00406856
[+] ucmCMLuaUtilShellExecMethod, xrefs: 0040681A
[+] ShellExec success, xrefs: 00406873

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: InitializeObjectUninitialize_wcslen
String ID: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
API String ID: 3851391207-895824092
Opcode ID: f62f8ea22737c4132ff5b3dac93a03cf3a5d885852b0606909ed978fbfad8032
Instruction ID: bf5204b976fdd256b066cceb308157ad377b3c08e3874fea13dbf5f4dff6080c
Opcode Fuzzy Hash: f62f8ea22737c4132ff5b3dac93a03cf3a5d885852b0606909ed978fbfad8032
Instruction Fuzzy Hash: F20180722023117FE2287B21DC0EF7B6658DB4176AF12413FF946A71C1EAA9AC014679

Function 0040FFAA Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040FFB7
int.LIBCPMT ref: 0040FFCA

Part of subcall function 0040CFB3: std::_Lockit::_Lockit.LIBCPMT ref: 0040CFC4
Part of subcall function 0040CFB3: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CFDE

std::_Facet_Register.LIBCPMT ref: 00410006
std::_Lockit::~_Lockit.LIBCPMT ref: 0041002C
__CxxThrowException@8.LIBVCRUNTIME ref: 00410048

Strings

pmG, xrefs: 0040FFC2

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
String ID: pmG
API String ID: 2536120697-2472243355
Opcode ID: 49ddf8ddb094ef95c775291761389dec69e80ba720e56a3ba1433f00512a79dc
Instruction ID: 7757f8b08a06b45aa46d7f93aac2e311949306114fe400d1b3bff67def6a62fd
Opcode Fuzzy Hash: 49ddf8ddb094ef95c775291761389dec69e80ba720e56a3ba1433f00512a79dc
Instruction Fuzzy Hash: D911B231900419EBCB14FBA5D9429DD7B689E58358F10016FF40567191EB78AF86C789

Function 0040B2A8 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 48fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040B2E4
GetLastError.KERNEL32 ref: 0040B2EE

Strings

UserProfile, xrefs: 0040B2B4
[Chrome Cookies found, cleared!], xrefs: 0040B314
\AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040B2AF
[Chrome Cookies not found], xrefs: 0040B308

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: DeleteErrorFileLast
String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
API String ID: 2018770650-304995407
Opcode ID: d40c76f0172b5f629c93352544436a109877037e88603abf99357d2e74e673d4
Instruction ID: 9d7a183bab8cffc7e176200adf3036985cfece21d6991fc3b8afe8d0fe8b9813
Opcode Fuzzy Hash: d40c76f0172b5f629c93352544436a109877037e88603abf99357d2e74e673d4
Instruction Fuzzy Hash: AB01623565010557CB0477B6DD6B9AF3628ED51718B60013FF802771E2FE3A990586DE

Function 0041C0BB Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 47memoryCOMMON

Download Yara Rule

APIs

AllocConsole.KERNEL32(004750FC), ref: 0041C0C4
ShowWindow.USER32(00000000,00000000), ref: 0041C0DD
SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041C102

Strings

CONOUT$, xrefs: 0041C0F0
6.0.0 Pro, xrefs: 0041C12B
Remcos v, xrefs: 0041C11D

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: Console$AllocOutputShowWindow
String ID: Remcos v$6.0.0 Pro$CONOUT$
API String ID: 2425139147-3561919337
Opcode ID: 51f71f4df576cdb042b408fdcee2c306aad9b55f4cf694b49fe88f2f6d88a06c
Instruction ID: 9cd6404a4583bb7861016a5e8077681a34a6ce6b29b6da971a73374578d830bb
Opcode Fuzzy Hash: 51f71f4df576cdb042b408fdcee2c306aad9b55f4cf694b49fe88f2f6d88a06c
Instruction Fuzzy Hash: 750121B1A80304BADA10F7F19D4BF9976AC6B14B09F500426BA05A70C2EEB8A554462D

Function 0043980C Relevance: 9.3, APIs: 6, Instructions: 284COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00439999
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004399B5
__allrem.LIBCMT ref: 004399CC
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004399EA
__allrem.LIBCMT ref: 00439A01
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00439A1F

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: b56df2ec526ecb605ad204b00dc5db07d06cb4bbbde3923a820af03cd63327b9
Instruction ID: 5399b0f9a6461ae69e9bde9777a653eaf6085cdcce353b40ae7049a42401d5b7
Opcode Fuzzy Hash: b56df2ec526ecb605ad204b00dc5db07d06cb4bbbde3923a820af03cd63327b9
Instruction Fuzzy Hash: 15810B72A00706ABE724BA79CC41B6B73E89F89768F24522FF411D7781E7B8DD008758

Function 00444D4D Relevance: 9.2, APIs: 6, Instructions: 200COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftoe.LIBCMT ref: 00444D79
__cftoe.LIBCMT ref: 00444DAB

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: __cftoe
String ID:
API String ID: 4189289331-0
Opcode ID: 59a84199312040bebd3b7080c8be9dd535ae7880d2ee6b6a8de25d9cd02a2692
Instruction ID: 890c16c57639ce4616fdae23c1b2cf08611ffd87950db76db0bf4773250d0152
Opcode Fuzzy Hash: 59a84199312040bebd3b7080c8be9dd535ae7880d2ee6b6a8de25d9cd02a2692
Instruction Fuzzy Hash: 2C512972900205ABFB249BA98C41FAF77A9EFC8324F24411FF815D6292DB3DDD11966C

Function 00403DE7 Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 135sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00403E8A

Part of subcall function 00403FCD: __EH_prolog.LIBCMT ref: 00403FD2

Strings

GetFrame, xrefs: 00403F65
HNG, xrefs: 00403FAC
CloseCamera, xrefs: 00403F54
FreeFrame, xrefs: 00403F76
OpenCamera, xrefs: 00403F48

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: H_prologSleep
String ID: CloseCamera$FreeFrame$GetFrame$HNG$OpenCamera
API String ID: 3469354165-3054508432
Opcode ID: 010587e62b3dbee68a1d40af84174acf88dcfbf5514f605d81dee2fe658d14e6
Instruction ID: 0fabaa65846f565374d927adde4572b2cc1454b627dc53539f04e4ca1ee376cc
Opcode Fuzzy Hash: 010587e62b3dbee68a1d40af84174acf88dcfbf5514f605d81dee2fe658d14e6
Instruction Fuzzy Hash: 4641B031A0420196C614FF75C956AAD3BA59B81708F00453FF809A72E6DF7C9A85C7CF

Function 00419FE2 Relevance: 9.1, APIs: 6, Instructions: 66serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,?,00000000,?,?,004196FD,00000000,00000000), ref: 00419FF2
OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,00000000,?,?,004196FD,00000000,00000000), ref: 0041A006
CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,004196FD,00000000,00000000), ref: 0041A013
ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,004196FD), ref: 0041A048
CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,004196FD,00000000,00000000), ref: 0041A05A
CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,004196FD,00000000,00000000), ref: 0041A05D

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ChangeConfigManager
String ID:
API String ID: 493672254-0
Opcode ID: b1d06779e49364f5efd1e1156e42b495588f4c67c2645d9207e201a63b841c04
Instruction ID: 3721d8981427c9c50277447f2eb78ca90bee9705940f35750f03ddb94c099399
Opcode Fuzzy Hash: b1d06779e49364f5efd1e1156e42b495588f4c67c2645d9207e201a63b841c04
Instruction Fuzzy Hash: 28016D315062107ED2111F349C0EEBF3E1CDF567B1F00022FF522A22D2DE69CE8981AA

Function 00438016 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0043800D,004379C1), ref: 00438024
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00438032
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043804B
SetLastError.KERNEL32(00000000,?,0043800D,004379C1), ref: 0043809D

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 3d2ceef5274e4dce0ae2caf7dfaf84fccaef2f9a96c7b33c4be4e75810a8a5f0
Instruction ID: c897193d57ecee64636fe05851fbd3cadc70b6e754ca2b2668497838eaebe06c
Opcode Fuzzy Hash: 3d2ceef5274e4dce0ae2caf7dfaf84fccaef2f9a96c7b33c4be4e75810a8a5f0
Instruction Fuzzy Hash: DC0190321083416DFB2823756C465377B68E709378F21123FF328515F1EF994C44514C

Function 004470CF Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0043952C,?,00000000,?,0043BB65,00000000,00000000), ref: 004470D3
_free.LIBCMT ref: 00447106
_free.LIBCMT ref: 0044712E
SetLastError.KERNEL32(00000000,00000000,00000000), ref: 0044713B
SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00447147
_abort.LIBCMT ref: 0044714D

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: ae40a63e46beb22daa4956e078090859b5f7183b7e2bf3c5c9b8e84b2b7f2479
Instruction ID: 03a1e9305cc52ab1e573739f72da4c843e3c1f7cd4612cbd08a2c6f68691a865
Opcode Fuzzy Hash: ae40a63e46beb22daa4956e078090859b5f7183b7e2bf3c5c9b8e84b2b7f2479
Instruction Fuzzy Hash: F2F0F931508B1027F612777A6C46E1B15269BC17B6B26002FF509A6392EF2C8C07911D

Function 00419E16 Relevance: 9.0, APIs: 6, Instructions: 44serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,?,?,?,?,?,?,00419991,00000000,00000000), ref: 00419E25
OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,00419991,00000000,00000000), ref: 00419E39
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419991,00000000,00000000), ref: 00419E46
ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,00419991,00000000,00000000), ref: 00419E55
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419991,00000000,00000000), ref: 00419E67
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419991,00000000,00000000), ref: 00419E6A

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID:
API String ID: 221034970-0
Opcode ID: f39116070f43c8ef762b87d05958f062f452bea97bf42776bddf3ff77cc24258
Instruction ID: 47980c42e9b022aba05d73d81e1ae7aa31c0ed05cef52b60765f03c540efa169
Opcode Fuzzy Hash: f39116070f43c8ef762b87d05958f062f452bea97bf42776bddf3ff77cc24258
Instruction Fuzzy Hash: 44F062319003186BD611AB65DC89EBF3B6CDB45BA1F01002AF906A21D2DF78DD4A95F5

Function 00419F7D Relevance: 9.0, APIs: 6, Instructions: 44serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,?,?,?,?,?,?,0041988D,00000000,00000000), ref: 00419F8C
OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041988D,00000000,00000000), ref: 00419FA0
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041988D,00000000,00000000), ref: 00419FAD
ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,0041988D,00000000,00000000), ref: 00419FBC
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041988D,00000000,00000000), ref: 00419FCE
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041988D,00000000,00000000), ref: 00419FD1

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID:
API String ID: 221034970-0
Opcode ID: 7777fcf707120254506fa4e92061de2525c9cf476e2c623219f1f225c16140d8
Instruction ID: cbb6f8d25e78bf3f904679f952f169c6c08018e661e4ba535c0ca8fa304c3d8e
Opcode Fuzzy Hash: 7777fcf707120254506fa4e92061de2525c9cf476e2c623219f1f225c16140d8
Instruction Fuzzy Hash: 68F0C2315002147BD2116B24DC49EBF3A6CDB45BA1B01002AFA06A2192DF78CE4A85B8

Function 00419F18 Relevance: 9.0, APIs: 6, Instructions: 44serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,?,?,?,?,?,?,0041990F,00000000,00000000), ref: 00419F27
OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041990F,00000000,00000000), ref: 00419F3B
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041990F,00000000,00000000), ref: 00419F48
ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,0041990F,00000000,00000000), ref: 00419F57
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041990F,00000000,00000000), ref: 00419F69
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041990F,00000000,00000000), ref: 00419F6C

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID:
API String ID: 221034970-0
Opcode ID: c477b1fb9180f2e7e4f1d3c6d81281581987cb622c6cefb8769b920387ec4a4b
Instruction ID: 95d7f5aa039a93820bb4883d7663946178ed8a5ec9cf590f88e81ba893971d89
Opcode Fuzzy Hash: c477b1fb9180f2e7e4f1d3c6d81281581987cb622c6cefb8769b920387ec4a4b
Instruction Fuzzy Hash: 7EF062715003147BD2116B65DC4AEBF3B6CDB45BA1B01002AFA06B2192DF78DD4A96B9

Function 00412A82 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 173registryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00412AF5
RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000,?,?,?,?), ref: 00412B24
RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,?,?,00002710,?,?,?,00000000,?,?,?,?), ref: 00412BC5

Strings

TG, xrefs: 00412C07
[regsplt], xrefs: 00412C5D

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: Enum$InfoQueryValue
String ID: [regsplt]$TG
API String ID: 3554306468-170812940
Opcode ID: 552d9661e2012087ec903fbf914702d6585a55026011734f2d78172ad3ed553d
Instruction ID: eeb20da9b05a32976bf12a6402f5e40020a9f6991e42d7db5c0f7bae6a1218cc
Opcode Fuzzy Hash: 552d9661e2012087ec903fbf914702d6585a55026011734f2d78172ad3ed553d
Instruction Fuzzy Hash: C5511E72108345AED310EF61D985DEFB7ECEF84704F00492EB585D2191EB74EA088BAA

Function 0041AA28 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 90COMMON

Download Yara Rule

APIs

Part of subcall function 0041265C: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?), ref: 0041267E
Part of subcall function 0041265C: RegQueryValueExW.ADVAPI32(?,0040E18D,00000000,00000000,?,00000400), ref: 0041269D
Part of subcall function 0041265C: RegCloseKey.ADVAPI32(?), ref: 004126A6

Part of subcall function 0041B366: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B377

_wcslen.LIBCMT ref: 0041AB01

Strings

http\shell\open\command, xrefs: 0041AA38
program files\, xrefs: 0041AAE7, 0041AAEE, 0041AB00
program files (x86)\, xrefs: 0041AAFB
.exe, xrefs: 0041AA53

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: CloseCurrentOpenProcessQueryValue_wcslen
String ID: .exe$http\shell\open\command$program files (x86)\$program files\
API String ID: 37874593-4246244872
Opcode ID: f96227f50e5d78c7b5b45e1ee0af5fe3d836a00b2a4c6991fda99104d0e8455f
Instruction ID: 944f249e3467cd2310196e71108a033bc811508d99a3a404dc4e3305fa2889c9
Opcode Fuzzy Hash: f96227f50e5d78c7b5b45e1ee0af5fe3d836a00b2a4c6991fda99104d0e8455f
Instruction Fuzzy Hash: 8621A772B001042BDB04B6B58C96EFE366D9B84318B10087FF452B71D3EE3C9D554269

Function 0040AE58 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 00433724: EnterCriticalSection.KERNEL32(00471D18,?,00476D54,?,0040AE8B,00476D54,?,00000000,00000000), ref: 0043372F
Part of subcall function 00433724: LeaveCriticalSection.KERNEL32(00471D18,?,0040AE8B,00476D54,?,00000000,00000000), ref: 0043376C

Part of subcall function 00433AB0: __onexit.LIBCMT ref: 00433AB6

__Init_thread_footer.LIBCMT ref: 0040AEA7

Part of subcall function 004336DA: EnterCriticalSection.KERNEL32(00471D18,00476D54,?,0040AEAC,00476D54,00456FA7,?,00000000,00000000), ref: 004336E4
Part of subcall function 004336DA: LeaveCriticalSection.KERNEL32(00471D18,?,0040AEAC,00476D54,00456FA7,?,00000000,00000000), ref: 00433717

Strings

[End of clipboard], xrefs: 0040AEE9
[Text copied to clipboard], xrefs: 0040AEF6
TmG, xrefs: 0040AE80
XmG, xrefs: 0040AE70

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit
String ID: [End of clipboard]$[Text copied to clipboard]$TmG$XmG
API String ID: 2974294136-1855599884
Opcode ID: a655278a6fff3861fa5d9868fc884946ffe2fcef33f4f6cd05f1e75e6ddf1962
Instruction ID: 2623299308dd9d50029d580546b1e3590cd03a5acc49d0be8ee118f943746456
Opcode Fuzzy Hash: a655278a6fff3861fa5d9868fc884946ffe2fcef33f4f6cd05f1e75e6ddf1962
Instruction Fuzzy Hash: FB216131A102155ACB24FB65D8929EE7775AF54318F10403FF506772E2EF3C6E4A868D

Function 0041CC2A Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 54registryCOMMON

Download Yara Rule

APIs

RegisterClassExA.USER32(00000030), ref: 0041CC77
CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041CC92
GetLastError.KERNEL32 ref: 0041CC9C

Strings

0, xrefs: 0041CC38
MsgWindowClass, xrefs: 0041CC33

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: ClassCreateErrorLastRegisterWindow
String ID: 0$MsgWindowClass
API String ID: 2877667751-2410386613
Opcode ID: 2bfcb1dee2ed81dd37ad325623522de50802513b554cdfc95296743f6fff5b81
Instruction ID: c9edb97a89f7ec8dfbaa779d36c224b53f51aa00da94833f787b12e8c600820c
Opcode Fuzzy Hash: 2bfcb1dee2ed81dd37ad325623522de50802513b554cdfc95296743f6fff5b81
Instruction Fuzzy Hash: 2001E9B1D1021DAF8B00DF9ADCC49EFFBBDBE49355B50452AE414B6100EB708A458AA5

Function 004069BA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 00406A00
CloseHandle.KERNEL32(?), ref: 00406A0F
CloseHandle.KERNEL32(?), ref: 00406A14

Strings

C:\Windows\System32\cmd.exe, xrefs: 004069FB
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 004069F6

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateProcess
String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
API String ID: 2922976086-4183131282
Opcode ID: 76fab65495b0fd8f7af94722782b38f5ec20939b495d63d65361185c7f15ad50
Instruction ID: 0865c4136dfbb59e32125d892e445ee09242962a1e3dc4bc305b740a121ed375
Opcode Fuzzy Hash: 76fab65495b0fd8f7af94722782b38f5ec20939b495d63d65361185c7f15ad50
Instruction Fuzzy Hash: 68F090B690029D7ACB20ABD69C0EECF7F3CEBC5B11F01046ABA04A2051DA706104CAB8

Function 004064D0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 40COMMON

Download Yara Rule

Strings

8SG, xrefs: 0040693F
C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe, xrefs: 00406927

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID:
String ID: 8SG$C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe
API String ID: 0-257871050
Opcode ID: 440f994380ae97e7c47f4173536c55f38e93d9cb79c908ea235c8484f88855d2
Instruction ID: ac3f053366391772af188fc274efb03f25e4c049f181d6a95d7665767018bac5
Opcode Fuzzy Hash: 440f994380ae97e7c47f4173536c55f38e93d9cb79c908ea235c8484f88855d2
Instruction Fuzzy Hash: 4FF0F6B17022109BDB103B34AD1966A3A45DB40346F01807BF98BFA6E2DF7C8851C68C

Function 004427E9 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0044279A,?,?,0044273A,?,0046EAF0,0000000C,00442891,?,00000002), ref: 00442809
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044281C
FreeLibrary.KERNEL32(00000000,?,?,?,0044279A,?,?,0044273A,?,0046EAF0,0000000C,00442891,?,00000002,00000000), ref: 0044283F

Strings

mscoree.dll, xrefs: 00442802
CorExitProcess, xrefs: 00442814

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 263cd25904221f4c100099ecbb428eb8354416072efb1e7fc04c1483da550fa7
Instruction ID: e557d05a47d06e8d32a7f66c2c4e22cdfb14d47a79db446b90f8ad9ee3cbc836
Opcode Fuzzy Hash: 263cd25904221f4c100099ecbb428eb8354416072efb1e7fc04c1483da550fa7
Instruction Fuzzy Hash: 8CF0A430900309FBDB119F94DD09B9EBFB4EB08753F4041B9F805A2261DF789D44CA98

Function 00404AB1 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 35synchronizationCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,0040483F,00000001,?,00000000,?,0040466D,00000000,?), ref: 00404AED
SetEvent.KERNEL32(?,?,00000000,?,0040466D,00000000,?), ref: 00404AF9
WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000,?,0040466D,00000000,?), ref: 00404B04
CloseHandle.KERNEL32(00000000,?,00000000,?,0040466D,00000000,?), ref: 00404B0D

Part of subcall function 0041A891: GetLocalTime.KERNEL32(00000000), ref: 0041A8AB

Strings

KeepAlive | Disabled, xrefs: 00404AC6

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
String ID: KeepAlive | Disabled
API String ID: 2993684571-305739064
Opcode ID: 3ad55c3dc5f6f3fe6add9deac0dab9812a85fcbbdc7a8e47626d343f98173556
Instruction ID: 7c4d48bbaa8a7164c3353f7df4ad5523490a6ea0f3ebe4e46dcacb08dafaa92a
Opcode Fuzzy Hash: 3ad55c3dc5f6f3fe6add9deac0dab9812a85fcbbdc7a8e47626d343f98173556
Instruction Fuzzy Hash: 31F096B19047007BDB1137759D0B66B7F58AB46325F00096FF492A26F2DE39D8508B5E

Function 0041A128 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 0041A891: GetLocalTime.KERNEL32(00000000), ref: 0041A8AB

GetModuleHandleA.KERNEL32(00000000,00020009), ref: 0041A15A
PlaySoundW.WINMM(00000000,00000000), ref: 0041A168
Sleep.KERNEL32(00002710), ref: 0041A16F
PlaySoundW.WINMM(00000000,00000000,00000000), ref: 0041A178

Strings

Alarm triggered, xrefs: 0041A131

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: PlaySound$HandleLocalModuleSleepTime
String ID: Alarm triggered
API String ID: 614609389-2816303416
Opcode ID: 859fac31fcb8157fef4fccd01110b6d68f3f64b9bd70d3344d64368d38890a6d
Instruction ID: 198adcd2ac8b5b4b9acde76a755fda1533c143b191b85f9fe5233f4cbfc21951
Opcode Fuzzy Hash: 859fac31fcb8157fef4fccd01110b6d68f3f64b9bd70d3344d64368d38890a6d
Instruction Fuzzy Hash: 79E01A22A04261379520337B7D0FD6F3D28EAC7B65741006FF905A6192EE580811C6FB

Function 0041C07A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 26COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041C10D), ref: 0041C084
GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,0041C10D), ref: 0041C091
SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,0041C10D), ref: 0041C09E
SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,0041C10D), ref: 0041C0B1

Strings

______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041C0A4

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: Console$AttributeText$BufferHandleInfoScreen
String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
API String ID: 3024135584-2418719853
Opcode ID: 1559ced9db44309d12e9096fc874ef99716f3117c459c374921cc59209bdbdc6
Instruction ID: f27d36e20d2a67c690befc106ea5cafab99e09d075a2dfca7d32a9b7008c9529
Opcode Fuzzy Hash: 1559ced9db44309d12e9096fc874ef99716f3117c459c374921cc59209bdbdc6
Instruction Fuzzy Hash: 57E04F62604348BBD30037F6AC4EDAB3B7CE784617B10092AF612A01D3ED7484468B79

Function 004403AA Relevance: 7.7, APIs: 5, Instructions: 222COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a796732182faefe73add1043189caf6ca4f606f7631d49291716b08cb320153
Instruction ID: 7c1105064789ab48ae90d42f937b6a9cbc34ac1ed42c20d541c6d1c3f1a57216
Opcode Fuzzy Hash: 2a796732182faefe73add1043189caf6ca4f606f7631d49291716b08cb320153
Instruction Fuzzy Hash: 7671D371900216AFEF20CF54C884ABFBB75EF45310F14422BEA15A7281DB788C61CFA9

Function 00410BF1 Relevance: 7.7, APIs: 5, Instructions: 198memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00410691: SetLastError.KERNEL32(0000000D,00410C10,?,00000000), ref: 00410697

GetNativeSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00410BED), ref: 00410C9C
GetProcessHeap.KERNEL32(00000008,00000040,?,?,00000000), ref: 00410D02
HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 00410D09
SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00410E17
SetLastError.KERNEL32(000000C1,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00410BED), ref: 00410E41

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: ErrorLast$Heap$AllocInfoNativeProcessSystem
String ID:
API String ID: 3525466593-0
Opcode ID: 5b761030cf84cfef50a77e8f1fc708b710696a941d42968a3fbf92de24ca1f36
Instruction ID: e2f64966b18619331c3eea81ef564f6afd9e4387f8ea08f62d3b86939114ae32
Opcode Fuzzy Hash: 5b761030cf84cfef50a77e8f1fc708b710696a941d42968a3fbf92de24ca1f36
Instruction Fuzzy Hash: 8E61E570200305ABD710AF56C981BA77BA5BF84308F04451EF909CB382DBF8E8D5CB99

Function 0040E77B Relevance: 7.6, APIs: 5, Instructions: 132processCOMMON

Download Yara Rule

APIs

Part of subcall function 0041B366: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B377

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040E799
Process32FirstW.KERNEL32(00000000,?), ref: 0040E7BD
Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E7CC
CloseHandle.KERNEL32(00000000), ref: 0040E983

Part of subcall function 0041B392: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040E5A8,00000000,?,?,004750FC), ref: 0041B3A7

Part of subcall function 0041B588: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B5A0
Part of subcall function 0041B588: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B5B3

Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E974

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: Process$OpenProcess32$Next$CloseCreateCurrentFirstHandleSnapshotToolhelp32
String ID:
API String ID: 4269425633-0
Opcode ID: 3366b4ead4964822d51a377a6cc07ead533fc4a33b6b1b1c4321a9046ca66678
Instruction ID: eccf11dc20c1a31a83cdfd33956dcb3d749eb3f266b118f2c15681f5292a9231
Opcode Fuzzy Hash: 3366b4ead4964822d51a377a6cc07ead533fc4a33b6b1b1c4321a9046ca66678
Instruction Fuzzy Hash: F741CF311083455BC225FB61D891AEFB7E5AFA4304F50453EF849531E1EF389A49C65A

Function 004432A8 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0044331A
_free.LIBCMT ref: 0044333A

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: c6d5326bb826bef7d4312f682f8fd03de73532d4ef60da68ba97a8c78ea7af64
Instruction ID: 036c3dfb054a6f01566e3cd8d28730a68c174e79056a6e67996f15c63748089b
Opcode Fuzzy Hash: c6d5326bb826bef7d4312f682f8fd03de73532d4ef60da68ba97a8c78ea7af64
Instruction Fuzzy Hash: F341D636A002049FEB20DF79C881A5EB7B5FF88718F1545AEE915EB351DA35EE01CB84

Function 004500E3 Relevance: 7.6, APIs: 5, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,0043E5FD,?,00000000,?,00000001,?,?,00000001,0043E5FD,?), ref: 00450130
__alloca_probe_16.LIBCMT ref: 00450168
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 004501B9
GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00439BCF,?), ref: 004501CB
__freea.LIBCMT ref: 004501D4

Part of subcall function 00446D0F: RtlAllocateHeap.NTDLL(00000000,00434613,?,?,00437437,?,?,?,?,?,0040CD5A,00434613,?,?,?,?), ref: 00446D41

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
String ID:
API String ID: 313313983-0
Opcode ID: daed02162d7f278869bfaea3c7a8f88d5c2a2d3218cc1490f903801f97ac0c2c
Instruction ID: d7464a72994917abc30d80f71ec8451e4cba9cf5435b4dea42e63c5c2bdc5daf
Opcode Fuzzy Hash: daed02162d7f278869bfaea3c7a8f88d5c2a2d3218cc1490f903801f97ac0c2c
Instruction Fuzzy Hash: 9631E132A0060AABDF249F65DC41DAF7BA5EB00311F05416AFC04E7252EB3ACD54CBA5

Function 0044E34B Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0044E354
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044E377

Part of subcall function 00446D0F: RtlAllocateHeap.NTDLL(00000000,00434613,?,?,00437437,?,?,?,?,?,0040CD5A,00434613,?,?,?,?), ref: 00446D41

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044E39D
_free.LIBCMT ref: 0044E3B0
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044E3BF

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 1d4758ed0160ac471983c8ffd3a0470c3cf8fd4ea00c3cafbe93e28275fbbba9
Instruction ID: 5f1b7bba735f2dc00ee4e6ee14e94985e19ed078b50b1d1b699098eccd63c47a
Opcode Fuzzy Hash: 1d4758ed0160ac471983c8ffd3a0470c3cf8fd4ea00c3cafbe93e28275fbbba9
Instruction Fuzzy Hash: D50171726017157F73221A776C88C7B6A6DEAC2F65315012EFD05D3241DE698C0291B9

Function 0044F9AD Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0044F9C5

Part of subcall function 00446CD5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FC60,0000000A,00000000,0000000A,00000000,?,0044FF04,0000000A,00000007,0000000A,?,00450415,0000000A), ref: 00446CEB
Part of subcall function 00446CD5: GetLastError.KERNEL32(0000000A,?,0044FC60,0000000A,00000000,0000000A,00000000,?,0044FF04,0000000A,00000007,0000000A,?,00450415,0000000A,0000000A), ref: 00446CFD

_free.LIBCMT ref: 0044F9D7
_free.LIBCMT ref: 0044F9E9
_free.LIBCMT ref: 0044F9FB
_free.LIBCMT ref: 0044FA0D

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 8a0a0e5e94a0327d1776c165067cf9b9603f8d21362122b3839296c578ae3d6e
Instruction ID: 2de1f51a18cc7960585f1cc37bbb46b0208bdbaa703fd0d38dd13c161260ee8b
Opcode Fuzzy Hash: 8a0a0e5e94a0327d1776c165067cf9b9603f8d21362122b3839296c578ae3d6e
Instruction Fuzzy Hash: B5F012725042107BA620DF59FAC6D1773E9EA457247A5482BF18DEBA51C738FCC0865C

Function 004434F7 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00443515

Part of subcall function 00446CD5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FC60,0000000A,00000000,0000000A,00000000,?,0044FF04,0000000A,00000007,0000000A,?,00450415,0000000A), ref: 00446CEB
Part of subcall function 00446CD5: GetLastError.KERNEL32(0000000A,?,0044FC60,0000000A,00000000,0000000A,00000000,?,0044FF04,0000000A,00000007,0000000A,?,00450415,0000000A,0000000A), ref: 00446CFD

_free.LIBCMT ref: 00443527
_free.LIBCMT ref: 0044353A
_free.LIBCMT ref: 0044354B
_free.LIBCMT ref: 0044355C

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 5455ce8706e3ca66a7bad791c73c4693f29d9b457f563819123ce72749b06e66
Instruction ID: bf08c2b723e6da78e2f9a692d3f9dcffc94df7bb1312aea5ebb3a1bf48e2a6b8
Opcode Fuzzy Hash: 5455ce8706e3ca66a7bad791c73c4693f29d9b457f563819123ce72749b06e66
Instruction Fuzzy Hash: 4EF0FEB08011219FD726AF69BE414063BA0F709764346113BF45E66B71E7790982EB8E

Function 00416937 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 182threadwindowCOMMON

Download Yara Rule

APIs

GetWindowThreadProcessId.USER32(?,?), ref: 0041694E
GetWindowTextW.USER32(?,?,0000012C), ref: 00416980
IsWindowVisible.USER32(?), ref: 00416987

Part of subcall function 0041B588: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B5A0
Part of subcall function 0041B588: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B5B3

Strings

0VG, xrefs: 00416B10

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: ProcessWindow$Open$TextThreadVisible
String ID: 0VG
API String ID: 3142014140-3748860515
Opcode ID: 5f5be7a680c77d9aba54e705b4bd1eceedbb58bf7c1a937234ed4b99e2641d2f
Instruction ID: a92d2c2722018a5f2df8734f3a85bf91d45912e01cb50305def5a483f7f9536a
Opcode Fuzzy Hash: 5f5be7a680c77d9aba54e705b4bd1eceedbb58bf7c1a937234ed4b99e2641d2f
Instruction Fuzzy Hash: FE71C3311082415AC335FB61D8A5ADFB3E4EFD4308F50493EB58A530E1EF74AA49CB9A

Function 0044D669 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 168COMMON

Download Yara Rule

APIs

_strpbrk.LIBCMT ref: 0044D6B8
_free.LIBCMT ref: 0044D7D5

Part of subcall function 0043AA64: IsProcessorFeaturePresent.KERNEL32(00000017,0043AA36,00000000,0000000A,0000000A,00000000,0041AF72,00000022,?,?,0043AA43,00000000,00000000,00000000,00000000,00000000), ref: 0043AA66
Part of subcall function 0043AA64: GetCurrentProcess.KERNEL32(C0000417,0000000A,00000000), ref: 0043AA88
Part of subcall function 0043AA64: TerminateProcess.KERNEL32(00000000), ref: 0043AA8F

Strings

*?, xrefs: 0044D6AC
., xrefs: 0044D98C

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
String ID: *?$.
API String ID: 2812119850-3972193922
Opcode ID: a944b580e8880c8e130e00bdfc146e92b9e44dab990486ab21efc68c0a65a633
Instruction ID: 04f9c45711fae47bd805a28d6c684d852fff3551aaaea8338e0504d4b1d9eb7e
Opcode Fuzzy Hash: a944b580e8880c8e130e00bdfc146e92b9e44dab990486ab21efc68c0a65a633
Instruction Fuzzy Hash: C251B175E00209AFEF14DFA9C881AAEBBB5EF58314F25416FE854E7301E6399E01CB54

Function 004428E4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe,00000104), ref: 00442924
_free.LIBCMT ref: 004429EF
_free.LIBCMT ref: 004429F9

Strings

C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe, xrefs: 0044291B, 00442922, 00442951, 00442989

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\P87unxnF4t4DSrTt43.exe
API String ID: 2506810119-198340475
Opcode ID: e43589620df6d0a02bbe9fe69612e96b807286bf84d647a6e2c91bfdc5f7fdb4
Instruction ID: 08a660f2d8e46f51ee0862092f41265a48d7a3eaa7bec75f040af8368b354bfd
Opcode Fuzzy Hash: e43589620df6d0a02bbe9fe69612e96b807286bf84d647a6e2c91bfdc5f7fdb4
Instruction Fuzzy Hash: E53193B1A00258AFEB21DF999E8199EBBBCEB85314F50406BF805A7311D6F84A41CB59

Function 00403A10 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 92sleepCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00403A2A

Part of subcall function 0041AD43: GetCurrentProcessId.KERNEL32(00000000,771B3530,00000000,?,?,?,?,00466900,0040C07B,.vbs,?,?,?,?,?,00475308), ref: 0041AD6A

Part of subcall function 0041789C: CloseHandle.KERNEL32(00403AB9,?,?,00403AB9,00466324), ref: 004178B2
Part of subcall function 0041789C: CloseHandle.KERNEL32($cF,?,?,00403AB9,00466324), ref: 004178BB

Part of subcall function 0041B825: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B83E

Sleep.KERNEL32(000000FA,00466324), ref: 00403AFC

Strings

/sort "Visit Time" /stext ", xrefs: 00403A76
0NG, xrefs: 00403A5B

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
String ID: /sort "Visit Time" /stext "$0NG
API String ID: 368326130-3219657780
Opcode ID: 5e8ae3cd725a241a357b3bc659f6e93b21b3cbb6c2d909dfabbc6bc7442c3c9c
Instruction ID: 03df4c4d2d4284c33795d9a7a6d048d6c9d09091ba23d5cef523323604a75e49
Opcode Fuzzy Hash: 5e8ae3cd725a241a357b3bc659f6e93b21b3cbb6c2d909dfabbc6bc7442c3c9c
Instruction Fuzzy Hash: 88319531A0011456CB14FB76DC969EE7779AF80318F00007FF906B31D2EF385A4AC699

Function 0040A876 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 67timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?,?,00000000), ref: 0040A884
wsprintfW.USER32 ref: 0040A905

Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,?,0040AF3F,?,?,?,?,?,00000000), ref: 00409D84

Strings

[%04i/%02i/%02i %02i:%02i:%02i , xrefs: 0040A88D
], xrefs: 0040A892

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: EventLocalTimewsprintf
String ID: [%04i/%02i/%02i %02i:%02i:%02i $]
API String ID: 1497725170-1359877963
Opcode ID: ea11600db4f77dcee9ebc1c4f234068d00857ef660b0d65a2ac97eac66832df2
Instruction ID: eacaba0d290b76b22f399a57737f65b18f8a023abca8575ba11697f47f6457b1
Opcode Fuzzy Hash: ea11600db4f77dcee9ebc1c4f234068d00857ef660b0d65a2ac97eac66832df2
Instruction Fuzzy Hash: F1115172500118AACB18FB96EC56CFF77B8AE48715B00013FF542621D1EF7C5A86C6E9

Function 0040A611 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64threadCOMMON

Download Yara Rule

APIs

Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040A884
Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905

Part of subcall function 0041A891: GetLocalTime.KERNEL32(00000000), ref: 0041A8AB

CreateThread.KERNEL32(00000000,00000000,Function_00009993,?,00000000,00000000), ref: 0040A691
CreateThread.KERNEL32(00000000,00000000,Function_000099B5,?,00000000,00000000), ref: 0040A69D
CreateThread.KERNEL32(00000000,00000000,004099C1,?,00000000,00000000), ref: 0040A6A9

Strings

Online Keylogger Started, xrefs: 0040A626, 0040A62F, 0040A659

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: CreateThread$LocalTime$wsprintf
String ID: Online Keylogger Started
API String ID: 112202259-1258561607
Opcode ID: b46e5d37908519541b081ac4b2a6a4ba4f2a1b6db6acf437ea430ac4df0ede66
Instruction ID: 13545b77b67cc4507d33d8d8c8ff512a749ba16b8a43449315e0da64450a8124
Opcode Fuzzy Hash: b46e5d37908519541b081ac4b2a6a4ba4f2a1b6db6acf437ea430ac4df0ede66
Instruction Fuzzy Hash: E80161A1A003193AE62076768C86DBF7A6DCA813A8F41043EF541662C3EA7D5D5582FA

Function 0044AC83 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,00000000,8@,?,0044ABA1,8@,0046ED38,0000000C), ref: 0044ACD9
GetLastError.KERNEL32(?,0044ABA1,8@,0046ED38,0000000C), ref: 0044ACE3
__dosmaperr.LIBCMT ref: 0044AD0E

Strings

8@, xrefs: 0044AC88

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID: 8@
API String ID: 2583163307-819625340
Opcode ID: f11388ad4d481d826d75519938a9a20661ac3afaecb278e3b0e3570ed3326013
Instruction ID: 727ae4bd5dc399200e14d16721253afac520870d53d00e52bc8525c117eb1139
Opcode Fuzzy Hash: f11388ad4d481d826d75519938a9a20661ac3afaecb278e3b0e3570ed3326013
Instruction Fuzzy Hash: 6F018836640A100BF3212634688573F67498B91B39F29022FF804872D2CE2D8CC1919F

Function 00404B29 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00404B26), ref: 00404B40
CloseHandle.KERNEL32(?,?,?,?,00404B26), ref: 00404B98
SetEvent.KERNEL32(?,?,?,?,00404B26), ref: 00404BA7

Strings

Connection Timeout, xrefs: 00404B66

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: CloseEventHandleObjectSingleWait
String ID: Connection Timeout
API String ID: 2055531096-499159329
Opcode ID: e36cad49dc7765ade8417d7905e932bd8320e26522cf496d5ff7469c4126d777
Instruction ID: 3c9b6871d48b6b3111a672927d5bafc1cfd46058a166b60e959a8cf6be3f516d
Opcode Fuzzy Hash: e36cad49dc7765ade8417d7905e932bd8320e26522cf496d5ff7469c4126d777
Instruction Fuzzy Hash: 1601F5B1900B41AFD325BB3A8C4255ABFE4AB45315740053FE293A2BA2DE38E440CB5E

Function 0041284C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 38registryCOMMON

Download Yara Rule

APIs

RegCreateKeyW.ADVAPI32(80000001,00000000,004752F0), ref: 00412857
RegSetValueExW.ADVAPI32(004752F0,?,00000000,00000001,00000000,00000000,00475308,?,0040E6A3,pth_unenc,004752F0), ref: 00412885
RegCloseKey.ADVAPI32(004752F0,?,0040E6A3,pth_unenc,004752F0), ref: 00412890

Strings

pth_unenc, xrefs: 00412850

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: CloseCreateValue
String ID: pth_unenc
API String ID: 1818849710-4028850238
Opcode ID: 2b72839c34b3cecad4a9efae9834add99ea03f9564e8004151796020c5cf8ad5
Instruction ID: ab464752906d06cf6e422ab9fb9c42b8cedad3247386a7cb387aa37f92243dc4
Opcode Fuzzy Hash: 2b72839c34b3cecad4a9efae9834add99ea03f9564e8004151796020c5cf8ad5
Instruction Fuzzy Hash: 2DF09071500218BBDF50AFA0EE46FEE376CEF40B55F10452AF902B60A1EF75DA08DA94

Function 0040CE91 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040CE9C
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040CEDB

Part of subcall function 004349CD: _Yarn.LIBCPMT ref: 004349EC
Part of subcall function 004349CD: _Yarn.LIBCPMT ref: 00434A10

__CxxThrowException@8.LIBVCRUNTIME ref: 0040CEFF

Strings

bad locale name, xrefs: 0040CEE9

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
String ID: bad locale name
API String ID: 3628047217-1405518554
Opcode ID: 010949cb006bc602daa897d098c336462d98aae1940c118575e4f0b09407aa79
Instruction ID: d3fe92e39fe1a76843bdcbebe92e6b3b15f8dcb0f99b50ce5c9cc2ba4b618b17
Opcode Fuzzy Hash: 010949cb006bc602daa897d098c336462d98aae1940c118575e4f0b09407aa79
Instruction Fuzzy Hash: FEF03171004214AAC768FB62D853ADE77A4AF14758F504B3FF046224D2AF7CB619C688

Function 0041534A Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 27COMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0041538C

Strings

open, xrefs: 00415386
cmd.exe, xrefs: 00415381
/C , xrefs: 0041536A

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: ExecuteShell
String ID: /C $cmd.exe$open
API String ID: 587946157-3896048727
Opcode ID: b799db65b19b64ea83398d7d6a480beb53c0bbc67eac42254a732b9a5fcca3ea
Instruction ID: 200bce0b0309f38ec9064e519a9a4578f5a600b3ca3b701a036ea6d1077247ba
Opcode Fuzzy Hash: b799db65b19b64ea83398d7d6a480beb53c0bbc67eac42254a732b9a5fcca3ea
Instruction Fuzzy Hash: F1E0C0B11043406AC708FB65DC96DBF77AC9A90749F10483FB582621E2EE78A949865E

Function 0040AFBA Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 20threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32(004099A9,00000000,00475308,pth_unenc,0040BF26,004752F0,00475308,?,pth_unenc), ref: 0040AFC9
UnhookWindowsHookEx.USER32(00475108), ref: 0040AFD5
TerminateThread.KERNEL32(Function_00009993,00000000,?,pth_unenc), ref: 0040AFE3

Strings

pth_unenc, xrefs: 0040AFBA

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: TerminateThread$HookUnhookWindows
String ID: pth_unenc
API String ID: 3123878439-4028850238
Opcode ID: 5ce168509fd4f53ac483e5472d8910f69c83d539265d002f33f874c0df2e9344
Instruction ID: 19faee7e247875c6ed4f8509c992ad96cda0262a64c11258bcf204109443e34b
Opcode Fuzzy Hash: 5ce168509fd4f53ac483e5472d8910f69c83d539265d002f33f874c0df2e9344
Instruction Fuzzy Hash: BEE01DB1245715DFD3101F545C94825BB99EB44746324087FF6C165252CD798C14C759

Function 00401430 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 7libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 0040143A
GetProcAddress.KERNEL32(00000000), ref: 00401441

Strings

GetCursorInfo, xrefs: 00401430
User32.dll, xrefs: 00401435

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: GetCursorInfo$User32.dll
API String ID: 1646373207-2714051624
Opcode ID: 0df56b3ea47fb749bec4bd55cc4ccf0acac8e18c0c6121f5027aebd44438a81f
Instruction ID: d22651b824a9dcc27ed8a3983426188770e59c2792dec55b339c490717ece8d0
Opcode Fuzzy Hash: 0df56b3ea47fb749bec4bd55cc4ccf0acac8e18c0c6121f5027aebd44438a81f
Instruction Fuzzy Hash: 54B09B705457459BC600DBE15C4D7143D14A544703B104069F04791151DE7450008F1E

Function 004014D5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 7libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 004014DF
GetProcAddress.KERNEL32(00000000), ref: 004014E6

Strings

GetLastInputInfo, xrefs: 004014D5
User32.dll, xrefs: 004014DA

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: GetLastInputInfo$User32.dll
API String ID: 2574300362-1519888992
Opcode ID: dda8da8e992a33b18976b493c6326eaa7f3d62003a83836ab2f58572c3d9c97a
Instruction ID: 0ec815453ed4bd5b2a0753acad69ff197eebc14e76dec883dd33c8fab126b773
Opcode Fuzzy Hash: dda8da8e992a33b18976b493c6326eaa7f3d62003a83836ab2f58572c3d9c97a
Instruction Fuzzy Hash: EDB092B19827449FC7006BE0AD8DA263A64B654B43729006BF04BE51A1EEB890009A1F

Function 00448F1B Relevance: 6.3, APIs: 4, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00448FA6
__alldvrm.LIBCMT ref: 004491A7
__alldvrm.LIBCMT ref: 004491C9

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: af13233f64bff1d952fd16752439a8415c6481e4108584e155c4282d62de78f9
Instruction ID: 0b1f6a9dfc50a2d3a5cef35921af3bd2f2baba9a31ad448e356136b6fbdd55d0
Opcode Fuzzy Hash: af13233f64bff1d952fd16752439a8415c6481e4108584e155c4282d62de78f9
Instruction Fuzzy Hash: 3AA14532A042869FFB258E18C8817AFBBA1EF15354F1841AFE8859B382C67C8D41D758

Function 00455BDA Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00455D09

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 74ece5ab94bf9e1454a637eee9e3d981c9d933d52cb43566ce5b815ebd6edde4
Instruction ID: 0bd1fcef5d7791e57e96aa6a4775832058b0444fd7bffa6098b49987863132bf
Opcode Fuzzy Hash: 74ece5ab94bf9e1454a637eee9e3d981c9d933d52cb43566ce5b815ebd6edde4
Instruction Fuzzy Hash: 64415D31900F00ABEF227AB98C9667F3A75DF01775F14411FFC1896293D63C890986AA

Function 00441C91 Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06f5741e10c63ae8bf02417847894b944428abddfdd2a378d9b946abe0f64cd5
Instruction ID: 88518833c1d7008d36d723bd78668d328a40e80baed6ee8e3f57c0ed0377fbed
Opcode Fuzzy Hash: 06f5741e10c63ae8bf02417847894b944428abddfdd2a378d9b946abe0f64cd5
Instruction Fuzzy Hash: FE413AB1A00704BFE7249F39CC41BAABBA8EB84718F10412FF405DB291D379A9418788

Function 0040B806 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 103sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 0040B81B
Sleep.KERNEL32(00001388), ref: 0040B8A3

Strings

Cleared browsers logins and cookies., xrefs: 0040B8EF
[Cleared browsers logins and cookies.], xrefs: 0040B8DE

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
API String ID: 3472027048-1236744412
Opcode ID: d9707e60554bfc1585fd29d1d0c4259e84f5b786bd47530d29b1ffdd516c0e4d
Instruction ID: 247d09dce9e3c977c7e86e48a76dae703d52755688f8fe644b587970fcea700c
Opcode Fuzzy Hash: d9707e60554bfc1585fd29d1d0c4259e84f5b786bd47530d29b1ffdd516c0e4d
Instruction Fuzzy Hash: FE31A81124C38069CA117B7514167AB6F958A93754F08847FE8C4273E3DB7A480883EF

Function 00409C4B Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 71sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 0041B8F1: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041B901
Part of subcall function 0041B8F1: GetWindowTextLengthW.USER32(00000000), ref: 0041B90A
Part of subcall function 0041B8F1: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041B934

Sleep.KERNEL32(000001F4), ref: 00409C95
Sleep.KERNEL32(00000064), ref: 00409D1F

Strings

[ , xrefs: 00409CB1
], xrefs: 00409C9D

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: Window$SleepText$ForegroundLength
String ID: [ $ ]
API String ID: 3309952895-93608704
Opcode ID: a49d20d3ecb8acddbd4132256805943c56c930b2d695a3c4727dac55219dcbc1
Instruction ID: 7bed66d096a43dd94c2219bc8d3cdd3a5a7df98386a17a5ae9bf36b343ab91a8
Opcode Fuzzy Hash: a49d20d3ecb8acddbd4132256805943c56c930b2d695a3c4727dac55219dcbc1
Instruction Fuzzy Hash: AF119F315042009BD218BB26DC17AAEBBA8AF41708F40047FF542621D3EF79AA1986DE

Function 00442EE2 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0179cd47eff8c75336d676f059f6bc7958f0419c29ca715f1c911511461a8d64
Instruction ID: b58c8eca075ef28bddc965f0bc4d2171c3ec1f8ef65ef5096018edf4bb449d44
Opcode Fuzzy Hash: 0179cd47eff8c75336d676f059f6bc7958f0419c29ca715f1c911511461a8d64
Instruction Fuzzy Hash: 2501F2B26093163EF61016796CC1F27671CEF417B8BB1032BB626612D2EEA88C46606D

Function 00442F61 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 112e7316d96929b625426bf143e83baabee3255260599eba4999be5de9cde10c
Instruction ID: 7fe3e8edc5bbc175eb6928fc2517c3e9b6b95ea9c4057c88a91cd5d3c4beb3ed
Opcode Fuzzy Hash: 112e7316d96929b625426bf143e83baabee3255260599eba4999be5de9cde10c
Instruction Fuzzy Hash: F201F9B22096167EB61016796DC4D27676DEF813B83F1033BF421612D1EEA8CC44A179

Function 00438305 Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 0043831F

Part of subcall function 0043826C: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 0043829B
Part of subcall function 0043826C: ___AdjustPointer.LIBCMT ref: 004382B6

_UnwindNestedFrames.LIBCMT ref: 00438334
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00438345
CallCatchBlock.LIBVCRUNTIME ref: 0043836D

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: c8370f5f766c88f9b882548d03e746073a9763e8d7037f7b78bb80a5d64990c6
Instruction ID: 0bcd00d322a0ad7a372b2cc4a74953bc209b0d499cbe7a3061e5fba3b10c2df3
Opcode Fuzzy Hash: c8370f5f766c88f9b882548d03e746073a9763e8d7037f7b78bb80a5d64990c6
Instruction Fuzzy Hash: 3E014072100248BBDF126E96CC41DEF7B69EF4C758F04501DFE4866221D73AE861DBA4

Function 00447420 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,004473C7,00000000,00000000,00000000,00000000,?,004476F3,00000006,FlsSetValue), ref: 00447452
GetLastError.KERNEL32(?,004473C7,00000000,00000000,00000000,00000000,?,004476F3,00000006,FlsSetValue,0045E328,FlsSetValue,00000000,00000364,?,004471A1), ref: 0044745E
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,004473C7,00000000,00000000,00000000,00000000,?,004476F3,00000006,FlsSetValue,0045E328,FlsSetValue,00000000), ref: 0044746C

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: bca6965db1f65f3d9859255c05e5b0128703451981dee5a4eba808798ce175cf
Instruction ID: 55721a836d87515a1eea2a56d4c7bce34062b93f94d6470a2cb527c4f3a692dc
Opcode Fuzzy Hash: bca6965db1f65f3d9859255c05e5b0128703451981dee5a4eba808798ce175cf
Instruction Fuzzy Hash: 6D01FC326497366BD7314F789C44A777FD8AF047617114535F906E3241DF28D802C6E8

Function 0041B825 Relevance: 6.0, APIs: 4, Instructions: 50fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B83E
GetFileSize.KERNEL32(00000000,00000000), ref: 0041B852
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041B877
CloseHandle.KERNEL32(00000000), ref: 0041B885

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleReadSize
String ID:
API String ID: 3919263394-0
Opcode ID: 1a21255b847fbe2e331c6b2f646a75e08c9959ae533a89512b896340747af4bf
Instruction ID: 2a104a3335fe37b36386f9496d9e2b25d881a91c22a4f34d2042fa75e5cfbfce
Opcode Fuzzy Hash: 1a21255b847fbe2e331c6b2f646a75e08c9959ae533a89512b896340747af4bf
Instruction Fuzzy Hash: 47F0C2B12422047FE6102F25AC89FBF3A5CDB86BA9F10023EF801A2291DE258C0581B9

Function 00418702 Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000004C), ref: 0041870F
GetSystemMetrics.USER32(0000004D), ref: 00418715
GetSystemMetrics.USER32(0000004E), ref: 0041871B
GetSystemMetrics.USER32(0000004F), ref: 00418721

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-0
Opcode ID: 0409876626ed8831e64dc81abc3b09ac1b97839c455807a5cfaaf12ce600e90b
Instruction ID: 0d34e4fe417a410293abd419840fb627d3fd172a5f9f2d4f3f0ee0adad43daa0
Opcode Fuzzy Hash: 0409876626ed8831e64dc81abc3b09ac1b97839c455807a5cfaaf12ce600e90b
Instruction Fuzzy Hash: 26F0D672B043215BCB00AB754C4596EBB969FC03A4F25083FFA159B381EE78EC4687D9

Function 0041B588 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B5A0
OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B5B3
CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041B5DE
CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041B5E6

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: CloseHandleOpenProcess
String ID:
API String ID: 39102293-0
Opcode ID: ef8d0d82becda269430901369212c52b3606b15fcf963f3a122b886808132bbc
Instruction ID: 5d23c8c1f4703883972a4236376900cac23e2486f01e1b2fafccabe2f4d6955e
Opcode Fuzzy Hash: ef8d0d82becda269430901369212c52b3606b15fcf963f3a122b886808132bbc
Instruction Fuzzy Hash: D5F049712003167BD31167558C4AFABB66ECF40B9AF01002BF611E21A2EF74DDC146BD

Function 004420ED Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0044217D

Strings

pow, xrefs: 00442155, 00442172

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 520362507bef941fab5cffea9abde62870a3d8c74bbf2bfcbae46fc27f337450
Instruction ID: 9e1bbc3390eeabea57be79b34f62796538476165ffe421cdb5ba0d05f4dc7be1
Opcode Fuzzy Hash: 520362507bef941fab5cffea9abde62870a3d8c74bbf2bfcbae46fc27f337450
Instruction Fuzzy Hash: 7251AF61A0A20297F7557B15CE8137B2B90EB50741F684D6BF085423E9EB7CCC819F4E

Function 00421179 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 178COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00421211

Strings

<kG, xrefs: 004211E7
<kG, xrefs: 004213DC

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: _memcmp
String ID: <kG$<kG
API String ID: 2931989736-383723866
Opcode ID: 58c4fa67fcc1ef55b25e11fe25224a60e8cc80dd1f406c27b0d1804dfa06d578
Instruction ID: 841d78c923fca9e627808cf77cab3bf97fcfd39527adbe47470f5cf9fadca134
Opcode Fuzzy Hash: 58c4fa67fcc1ef55b25e11fe25224a60e8cc80dd1f406c27b0d1804dfa06d578
Instruction Fuzzy Hash: 9F613471604B0A9ED710DF28D8806A6B7A5FF18304F440A3FEC5CCF656E3B8A955C7A9

Function 004095D6 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 158COMMON

Download Yara Rule

APIs

GetKeyboardLayoutNameA.USER32(?), ref: 00409601

Part of subcall function 004041F1: socket.WS2_32(?,00000001,00000006), ref: 00404212

Part of subcall function 0040428C: connect.WS2_32(?,?,?), ref: 004042A5

Part of subcall function 0041B8B5: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00409689,00474EE0,?,00474EE0,00000000,00474EE0,00000000), ref: 0041B8CA

Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD

Strings

NG, xrefs: 00409657
pQG, xrefs: 00409676

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: CreateFileKeyboardLayoutNameconnectsendsocket
String ID: pQG$NG
API String ID: 2334542088-921107917
Opcode ID: 982eeafb1624009b99b4778d687046f39171ec3ca1bbf21b26c504755b38db63
Instruction ID: 713adcd63a50277e86c853b9c7bd1a900ae8bd87492a3ad9f31fb308660c5d8e
Opcode Fuzzy Hash: 982eeafb1624009b99b4778d687046f39171ec3ca1bbf21b26c504755b38db63
Instruction Fuzzy Hash: BB5141321082405AC365F775D8A2AEF73E5AFD4308F50483FF84A671E2EE789949C69D

Function 0044DD44 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 132COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?,00000005,?,00000000), ref: 0044DD69

Strings

vD, xrefs: 0044DD5B
, xrefs: 0044DDAE

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: Info
String ID: $vD
API String ID: 1807457897-3636070802
Opcode ID: af2dbb740455362532db4c6e27cef1bba8ecc5757f530743f693fef6f10ca257
Instruction ID: 6a53932102cf2f29093c464eb4c67803ff3648b28b3ba8b7d074bec3f8911faa
Opcode Fuzzy Hash: af2dbb740455362532db4c6e27cef1bba8ecc5757f530743f693fef6f10ca257
Instruction Fuzzy Hash: D0415DB0D047489BEF218E24CC84AF6BBF9DF55708F2404EEE58A87142D239AD45DF65

Function 00450AEE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMONLIBRARYCODE

Download Yara Rule

APIs

GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00450D49,?,00000050,?,?,?,?,?), ref: 00450BC9

Strings

OCP, xrefs: 00450B42
ACP, xrefs: 00450B0C

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID:
String ID: ACP$OCP
API String ID: 0-711371036
Opcode ID: 6fd782f53c9633299fe98566c4ec68ed2bffd726811d49864d22e4fe4dac6dcd
Instruction ID: d29bb87f3b47b124c8bd6c760bb86eb4cd4ec0f84f402c6b2e0ab732353f73f5
Opcode Fuzzy Hash: 6fd782f53c9633299fe98566c4ec68ed2bffd726811d49864d22e4fe4dac6dcd
Instruction Fuzzy Hash: 4021F72AA00105A6E7308FD48C82B977396AB50B1BF564467ED09D7303F73AFD09C358

Function 004049BA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?,00474EE0,004755B0,?,?,?,?,?,?,?,00414F0F,?,00000001,0000004C,00000000), ref: 004049F1

Part of subcall function 0041A891: GetLocalTime.KERNEL32(00000000), ref: 0041A8AB

GetLocalTime.KERNEL32(?,00474EE0,004755B0,?,?,?,?,?,?,?,00414F0F,?,00000001,0000004C,00000000), ref: 00404A4E

Strings

KeepAlive | Enabled | Timeout: , xrefs: 004049E5

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: LocalTime
String ID: KeepAlive | Enabled | Timeout:
API String ID: 481472006-1507639952
Opcode ID: 34116a3e6a9dff68a72d528d343cbcc7b7b4a675a09f341a66012f2f47d65158
Instruction ID: 07f09c1926c096f578aeb4a964dedba27d52497869334d5e310e707c12b0f234
Opcode Fuzzy Hash: 34116a3e6a9dff68a72d528d343cbcc7b7b4a675a09f341a66012f2f47d65158
Instruction Fuzzy Hash: 932131B1A042806BD600F77A980635B7B9497C4314F84043FE90C562E2EEBD59898BAF

Function 0041A891 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 59timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(00000000), ref: 0041A8AB

Strings

| , xrefs: 0041A8DE
%02i:%02i:%02i:%03i , xrefs: 0041A8C0

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: LocalTime
String ID: | $%02i:%02i:%02i:%03i
API String ID: 481472006-2430845779
Opcode ID: b44bc12ebc0c8248c01ea024d65dd69e294d9470b820f52aacd038fd9b485a5a
Instruction ID: bea5c42f2d95e84a76b62dfc34e9438b8882b4e2d456746f57979f9b7964cbe7
Opcode Fuzzy Hash: b44bc12ebc0c8248c01ea024d65dd69e294d9470b820f52aacd038fd9b485a5a
Instruction Fuzzy Hash: 0F114C725082405BC704EBA5D8969BF77E8AB94708F10093FF885A31E1EF38DA44C69E

Function 0040A767 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040A884
Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905

Part of subcall function 0041A891: GetLocalTime.KERNEL32(00000000), ref: 0041A8AB

CloseHandle.KERNEL32(?), ref: 0040A7CA
UnhookWindowsHookEx.USER32 ref: 0040A7DD

Strings

Online Keylogger Stopped, xrefs: 0040A777, 0040A77F, 0040A7A6

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
String ID: Online Keylogger Stopped
API String ID: 1623830855-1496645233
Opcode ID: db067009e978c816aec669a3f6746f2705b7ae1ea2e8a2529e59c65f3a42714d
Instruction ID: da65c2120251a34d34924486d515db36f90714a8cba0a7d82e96ebed52376b78
Opcode Fuzzy Hash: db067009e978c816aec669a3f6746f2705b7ae1ea2e8a2529e59c65f3a42714d
Instruction Fuzzy Hash: 5901F131A043019BCB25BB35C80B7AEBBB19B45314F40406EE441225D2EB7999A6C3DF

Function 004016E8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

waveInPrepareHeader.WINMM(?,00000020,?,?,00000000,00476B98,00474EE0,?,00000000,00401913), ref: 00401747
waveInAddBuffer.WINMM(?,00000020,?,00000000,00401913), ref: 0040175D

Strings

XMG, xrefs: 004016F6

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: wave$BufferHeaderPrepare
String ID: XMG
API String ID: 2315374483-813777761
Opcode ID: ddcf6375f784c1628b927c4ebd910bbcf649a7619fcf77736d7f3a05f195dab6
Instruction ID: 26799fbdff8c3ec01ad48014b311b0d3f370155dffc0330205344997a7b0d52a
Opcode Fuzzy Hash: ddcf6375f784c1628b927c4ebd910bbcf649a7619fcf77736d7f3a05f195dab6
Instruction Fuzzy Hash: 6501AD71300300AFD7209F39ED45A69BBB5EF89315B00413EB808E33A2EB74AC50CB98

Function 004479A0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35COMMONLIBRARYCODE

Download Yara Rule

APIs

IsValidLocale.KERNEL32(00000000,z?D,00000000,00000001,?,?,00443F7A,?,?,?,?,00000004), ref: 004479EC

Strings

IsValidLocaleName, xrefs: 004479B1, 004479BB
z?D, xrefs: 004479E3, 004479D0

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: LocaleValid
String ID: IsValidLocaleName$z?D
API String ID: 1901932003-2490211753
Opcode ID: 030ca6b5b062e3e6eb463140e6e5805cf12db518d0019a9c378278714199a4d0
Instruction ID: 892bc6e93789200f6c95030ba230210178196c8f1f686432b442ac7872abfc60
Opcode Fuzzy Hash: 030ca6b5b062e3e6eb463140e6e5805cf12db518d0019a9c378278714199a4d0
Instruction Fuzzy Hash: 06F0E930645218B7DB186F258C06F5E7B95CB05716F50807BFC047A293DE794E0295DD

Function 00401D91 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00401D96

Strings

XMG, xrefs: 00401DB7
XMG, xrefs: 00401DDB

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: H_prolog
String ID: XMG$XMG
API String ID: 3519838083-886261599
Opcode ID: 94d942c2b9cd7cd452367b65107360caec8e392a141153fe325b9bee2a1bda9b
Instruction ID: 0a877421dfc5135a28098138b17ad9f721677e320a6d1c8a6a2adbe775497da7
Opcode Fuzzy Hash: 94d942c2b9cd7cd452367b65107360caec8e392a141153fe325b9bee2a1bda9b
Instruction Fuzzy Hash: D4F0E9B1B00211ABC715BB65880569EB768EF41369F01827FB416772E1CFBD5D04975C

Function 0040AD56 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 32keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000011), ref: 0040AD5B

Part of subcall function 00409B10: GetForegroundWindow.USER32(?,?,00475108), ref: 00409B3F
Part of subcall function 00409B10: GetWindowThreadProcessId.USER32(00000000,?), ref: 00409B4B
Part of subcall function 00409B10: GetKeyboardLayout.USER32(00000000), ref: 00409B52
Part of subcall function 00409B10: GetKeyState.USER32(00000010), ref: 00409B5C
Part of subcall function 00409B10: GetKeyboardState.USER32(?,?,00475108), ref: 00409B67
Part of subcall function 00409B10: ToUnicodeEx.USER32(0047515C,?,?,?,00000010,00000000,00000000), ref: 00409B8A
Part of subcall function 00409B10: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 00409BE3

Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,?,0040AF3F,?,?,?,?,?,00000000), ref: 00409D84

Strings

[AltL], xrefs: 0040AD9D
[AltR], xrefs: 0040AD91

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
String ID: [AltL]$[AltR]
API String ID: 2738857842-2658077756
Opcode ID: 1deea0a1754c58beabcfa893467cad3df36da0ab1922093d88c83ef84dbcd496
Instruction ID: 4c389cf0edc94a27bb3bc0fddc987b72c0da48b50f0a0a77cbfc03dd010ffeca
Opcode Fuzzy Hash: 1deea0a1754c58beabcfa893467cad3df36da0ab1922093d88c83ef84dbcd496
Instruction Fuzzy Hash: 9AE09B2134032117C898323EA91B6EE3A218F82F65B80016FF8427BADADD7D4D5043CF

Function 00448A13 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00448A35

Part of subcall function 00446CD5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FC60,0000000A,00000000,0000000A,00000000,?,0044FF04,0000000A,00000007,0000000A,?,00450415,0000000A), ref: 00446CEB
Part of subcall function 00446CD5: GetLastError.KERNEL32(0000000A,?,0044FC60,0000000A,00000000,0000000A,00000000,?,0044FF04,0000000A,00000007,0000000A,?,00450415,0000000A,0000000A), ref: 00446CFD

Strings

8@, xrefs: 00448A18
8@, xrefs: 00448A19

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: ErrorFreeHeapLast_free
String ID: 8@$8@
API String ID: 1353095263-3408345419
Opcode ID: 9a963da6b0d453c70d37714207bd95daf40472698ea915a46c6a843fe12f4396
Instruction ID: 8fe4af4b93ebf6b2b13329648f525de20a5552277f2be9521e73d3219e6c2dc0
Opcode Fuzzy Hash: 9a963da6b0d453c70d37714207bd95daf40472698ea915a46c6a843fe12f4396
Instruction Fuzzy Hash: 01E092361003059F8720CF6DD400A86B7F4EF95720720852FE89EE3710D731E812CB40

Function 0040ADB0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000012), ref: 0040ADB5

Strings

[CtrlL], xrefs: 0040ADE3
[CtrlR], xrefs: 0040ADD2

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: State
String ID: [CtrlL]$[CtrlR]
API String ID: 1649606143-2446555240
Opcode ID: f1664d460506ce6a307028f778898136177a0e582b30a514b3a67480cfc74d29
Instruction ID: c178b64a75e50e2fccb38c9379e001e6e5e0f6b670105b82eaba8ba361dc1658
Opcode Fuzzy Hash: f1664d460506ce6a307028f778898136177a0e582b30a514b3a67480cfc74d29
Instruction Fuzzy Hash: 59E0866170031517C514363DD61B67F39128F41B66F80012FF842A7AC6ED7E8D6423CB

Function 00412A52 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 23registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040BFB2,00000000,004752F0,00475308,?,pth_unenc), ref: 00412A60
RegDeleteValueW.ADVAPI32(?,?,?,pth_unenc), ref: 00412A70

Strings

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00412A5E

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: DeleteOpenValue
String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
API String ID: 2654517830-1051519024
Opcode ID: 3a238ae8f5602ce2402de7cae663a0db3b4178bc362611f3100633d001d48757
Instruction ID: 27182704b7fa20b5ed2a2764b3d23dc9a6b68b829b0f6622ee10c7d45645f89b
Opcode Fuzzy Hash: 3a238ae8f5602ce2402de7cae663a0db3b4178bc362611f3100633d001d48757
Instruction Fuzzy Hash: F1E01270200308BAEF204FA19E06FEB37ACAB40BC9F004169F601F5191EAB6DD54A658

Function 0040AF77 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(00000000,?,pth_unenc), ref: 0040AF84
RemoveDirectoryW.KERNEL32(00000000,?,pth_unenc), ref: 0040AFAF

Strings

pth_unenc, xrefs: 0040AF77

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: DeleteDirectoryFileRemove
String ID: pth_unenc
API String ID: 3325800564-4028850238
Opcode ID: dec08f300a5f428fa5c47b7bc45a3e83a5999c060828e280beeb3790875544bf
Instruction ID: b030a41f26c3d5f2e51690188d4bb45887e11e7cc62b1c698fc8f7347c957287
Opcode Fuzzy Hash: dec08f300a5f428fa5c47b7bc45a3e83a5999c060828e280beeb3790875544bf
Instruction Fuzzy Hash: 12E046715116104BC610AB32E845AEBB798AB05306F00446FE8D3B36A1DE38A948CA98

Function 00411771 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13synchronizationCOMMON

Download Yara Rule

APIs

TerminateProcess.KERNEL32(00000000,pth_unenc,0040E748), ref: 00411781
WaitForSingleObject.KERNEL32(000000FF), ref: 00411794

Strings

pth_unenc, xrefs: 00411771

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: ObjectProcessSingleTerminateWait
String ID: pth_unenc
API String ID: 1872346434-4028850238
Opcode ID: 5bb4d910bf534706ca5f2b5d32154bdbdc32722f36a2c9cc9993c004b7262cc3
Instruction ID: eef26e02e81300ba4c8cf7f61278c3f59c29627b67378ac59a4e73c1cb1fd9d7
Opcode Fuzzy Hash: 5bb4d910bf534706ca5f2b5d32154bdbdc32722f36a2c9cc9993c004b7262cc3
Instruction Fuzzy Hash: 24D01234145351AFD7610B60AD19F953F68E705323F108365F428512F1CFB58494AA1C

Function 0043FCA1 Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401AD8), ref: 0043FD37
GetLastError.KERNEL32 ref: 0043FD45
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0043FDA0

Memory Dump Source

Source File: 00000006.00000002.3779879332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_P87unxnF4t4DSrTt43.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: da5cee2afb3fc4b5b183086853f31dabd9e5fae04dd03cb90eeff65bb8952867
Instruction ID: a8021b2984f9c2011c4d4eba480f75da6e6c35d7fa760b83b06315d7a0ea6bca
Opcode Fuzzy Hash: da5cee2afb3fc4b5b183086853f31dabd9e5fae04dd03cb90eeff65bb8952867
Instruction Fuzzy Hash: E1410A30E00246AFCF218F65C84867B7BA5EF09310F14517EFC5A9B2A2DB398D05C759

Input	Output
URL: email Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": [ "No headers provided to analyze", "Cannot make security assessment without header information", "Default to low risk score due to lack of evidence" ] }
Date: unknown

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Containers, IaaS, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report P87unxnF4t4DSrTt43.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Remcos

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Stealing of Sensitive Information

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Privilege Escalation

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\edefdefffff\logs.dat

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\P87unxnF4t4DSrTt43.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\json[1].json

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fpvoot1b.eeu.psm1

Windows Analysis Report
P87unxnF4t4DSrTt43.exe

Function 05776F48 Relevance: 3.4, Strings: 1, Instructions: 2164
COMMON

Function 05776F38 Relevance: 3.4, Strings: 1, Instructions: 2150
COMMON

Function 0184D368 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 150
threadCOMMON

Function 0184D378 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Function 03068C9C Relevance: 1.7, APIs: 1, Instructions: 247
processCOMMON

Function 03068CA8 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Function 05771B84 Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as `sc query` , `tasklist /svc` , `systemctl --type=service` , and `net start` .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre